#ParsedReport
23-12-2022
Godfather Android banking malware is on the rise
https://www.malwarebytes.com/blog/news/2022/12/godfather-android-banking-malware-is-on-the-rise
Threats:
Godfather
Anubis
Industry:
Financial
Geo:
Spain, France, Belarusian, Germany, Azerbaijani, Canada, Turkish, Turkey, Russian
IOCs:
Hash: 1
Softs:
android, telegram
23-12-2022
Godfather Android banking malware is on the rise
https://www.malwarebytes.com/blog/news/2022/12/godfather-android-banking-malware-is-on-the-rise
Threats:
Godfather
Anubis
Industry:
Financial
Geo:
Spain, France, Belarusian, Germany, Azerbaijani, Canada, Turkish, Turkey, Russian
IOCs:
Hash: 1
Softs:
android, telegram
Malwarebytes
Godfather Android banking malware is on the rise
Researchers have uncovered a new campaign of the Godfather banking Trojan, that comes with some new tricks.
#ParsedReport
23-12-2022
Python crawling on your keys. Source Code Extraction
https://labs.k7computing.com/index.php/python-crawling-on-your-keys
IOCs:
File: 3
Hash: 1
Softs:
pyinstaller, chrome, internet explorer
Functions:
createStartup
Languages:
python
Links:
23-12-2022
Python crawling on your keys. Source Code Extraction
https://labs.k7computing.com/index.php/python-crawling-on-your-keys
IOCs:
File: 3
Hash: 1
Softs:
pyinstaller, chrome, internet explorer
Functions:
createStartup
Languages:
python
Links:
https://github.com/rocky/python-decompile3https://github.com/extremecoders-re/pyinstxtractorK7 Labs
Python crawling on your keys - K7 Labs
Python is extensively being used for developing software, testing, automating tasks and for data interpretation. Similar to how it is […]
#ParsedReport
23-12-2022
New RisePro Stealer distributed by the prominent PrivateLoader. Context
https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader
Actors/Campaigns:
Lapsus
Dev-0960
Threats:
Risepro
Privateloader
Redline_stealer
Raccoon_stealer
Dead_drop_technique
Cobalt_strike
Bumblebee
Mixloader
Vidar_stealer
Industry:
Financial
TTPs:
Tactics: 6
Technics: 16
IOCs:
Hash: 63
File: 8
Url: 3
Domain: 37
Path: 1
IP: 3
Softs:
telegram, google chrome, nichrome, chromodo, torch, orbitum, coowon, chromium, vivaldi, chedot, have more...
Algorithms:
xor, zip
Functions:
GetModuleHandle
Win API:
GetProcAddress, RtlGetVersion
Languages:
php
YARA: Found
23-12-2022
New RisePro Stealer distributed by the prominent PrivateLoader. Context
https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader
Actors/Campaigns:
Lapsus
Dev-0960
Threats:
Risepro
Privateloader
Redline_stealer
Raccoon_stealer
Dead_drop_technique
Cobalt_strike
Bumblebee
Mixloader
Vidar_stealer
Industry:
Financial
TTPs:
Tactics: 6
Technics: 16
IOCs:
Hash: 63
File: 8
Url: 3
Domain: 37
Path: 1
IP: 3
Softs:
telegram, google chrome, nichrome, chromodo, torch, orbitum, coowon, chromium, vivaldi, chedot, have more...
Algorithms:
xor, zip
Functions:
GetModuleHandle
Win API:
GetProcAddress, RtlGetVersion
Languages:
php
YARA: Found
Sekoia.io Blog
New RisePro Stealer distributed by the prominent PrivateLoader
RisePro is a new undocumented stealer. According to SEKOIA.IO analysts, it has similarities with PrivateLoader.
#ParsedReport
23-12-2022
New YouTube Bot Malware Spotted Stealing Users Sensitive Information
https://blog.cyble.com/2022/12/23/new-youtube-bots-malware-spotted-stealing-users-sensitive-information
Threats:
Antivm
Beacon
Process_injection_technique
TTPs:
Tactics: 8
Technics: 15
IOCs:
Hash: 12
File: 6
Path: 1
Softs:
virtualbox, task scheduler, chromium, chrome
Functions:
DetectVM, DeleteProcessesByMutexName, RegisterScheduledTask, Grab, CookieRecovery, AutofillRecovery, PassRecovery, ClickAsync, ConnectToServer, OnServerMessageReceived, have more...
23-12-2022
New YouTube Bot Malware Spotted Stealing Users Sensitive Information
https://blog.cyble.com/2022/12/23/new-youtube-bots-malware-spotted-stealing-users-sensitive-information
Threats:
Antivm
Beacon
Process_injection_technique
TTPs:
Tactics: 8
Technics: 15
IOCs:
Hash: 12
File: 6
Path: 1
Softs:
virtualbox, task scheduler, chromium, chrome
Functions:
DetectVM, DeleteProcessesByMutexName, RegisterScheduledTask, Grab, CookieRecovery, AutofillRecovery, PassRecovery, ClickAsync, ConnectToServer, OnServerMessageReceived, have more...
Cyble
New YouTube Bot Malware Steals User Info
CRIL analyzes how Threat Actors are using YouTube bot malware to increase the views of YouTube videos and how it communicates with C&C server.
#ParsedReport
23-12-2022
ASEC (20221211 \~ 20221217). ASEC Weekly phishing email threat trend (20221211 \~ 20221217)
https://asec.ahnlab.com/ko/44684
Threats:
Agent_tesla
Formbook
Amadey
Beamwinhttp_loader
Industry:
Transport, Financial
Geo:
Korean
TTPs:
IOCs:
File: 38
Url: 5
Algorithms:
zip
23-12-2022
ASEC (20221211 \~ 20221217). ASEC Weekly phishing email threat trend (20221211 \~ 20221217)
https://asec.ahnlab.com/ko/44684
Threats:
Agent_tesla
Formbook
Amadey
Beamwinhttp_loader
Industry:
Transport, Financial
Geo:
Korean
TTPs:
IOCs:
File: 38
Url: 5
Algorithms:
zip
ASEC BLOG
ASEC 주간 피싱 이메일 위협 트렌드 (20221211 ~ 20221217) - ASEC BLOG
ASEC 분석팀에서는 샘플 자동 분석 시스템(RAPIT)과 허니팟을 활용하여 피싱 이메일 위협을 모니터링하고 있다. 본 포스팅에서는 2022년 12월 11일부터 12월 17일까지 한 주간 확인된 피싱 이메일 공격의 유포 사례와 이를 유형별로 분류한 통계 정보를 제공한다. 일반적으로 피싱은 공격자가 사회공학 기법을 이용하여 주로 이메일을 통해 기관, 기업, 개인 등으로 위장하거나 사칭함으로써 사용자의 로그인 계정(크리덴셜) 정보를 유출하는 공격을 의미한다.…
#ParsedReport
23-12-2022
New STEPPY#KAVACH Attack Campaign Likely Targeting Indian Government: Technical Insights and Detection Using Securonix
https://www.securonix.com/blog/new-steppykavach-attack-campaign
Actors/Campaigns:
Steppy_kavach
Sidecopy
Transparenttribe
Threats:
Lotl_technique
Lolbin_technique
Lolbas_technique
Industry:
Government
Geo:
Germany, Indian, Pakistan, India, Indias
TTPs:
Tactics: 6
Technics: 12
IOCs:
File: 23
Path: 10
Url: 6
Registry: 2
IP: 6
Domain: 2
Hash: 16
Softs:
net framework
Algorithms:
base64
Functions:
prparingsiej, bndkrknwakro
Win API:
WmiCreateProcess
Languages:
jscript, visual_basic, csharp, javascript
23-12-2022
New STEPPY#KAVACH Attack Campaign Likely Targeting Indian Government: Technical Insights and Detection Using Securonix
https://www.securonix.com/blog/new-steppykavach-attack-campaign
Actors/Campaigns:
Steppy_kavach
Sidecopy
Transparenttribe
Threats:
Lotl_technique
Lolbin_technique
Lolbas_technique
Industry:
Government
Geo:
Germany, Indian, Pakistan, India, Indias
TTPs:
Tactics: 6
Technics: 12
IOCs:
File: 23
Path: 10
Url: 6
Registry: 2
IP: 6
Domain: 2
Hash: 16
Softs:
net framework
Algorithms:
base64
Functions:
prparingsiej, bndkrknwakro
Win API:
WmiCreateProcess
Languages:
jscript, visual_basic, csharp, javascript
Securonix
New STEPPY#KAVACH Attack Campaign Likely Targeting Indian Government: Technical Insights and Detection Using Securonix
#ParsedReport
23-12-2022
IcedID Botnet Distributors Abuse Google PPC to Distribute Malware
https://www.trendmicro.com/en_us/research/22/l/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html
Threats:
Icedid
Anydesk_tool
Teamviewer_tool
Cobalt_strike
Industry:
Government, Financial
TTPs:
Tactics: 1
Technics: 3
IOCs:
File: 7
Hash: 4
Domain: 68
IP: 1
Softs:
discord, microsoft office, slack, windows installer, curl
Algorithms:
zip
Links:
23-12-2022
IcedID Botnet Distributors Abuse Google PPC to Distribute Malware
https://www.trendmicro.com/en_us/research/22/l/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html
Threats:
Icedid
Anydesk_tool
Teamviewer_tool
Cobalt_strike
Industry:
Government, Financial
TTPs:
Tactics: 1
Technics: 3
IOCs:
File: 7
Hash: 4
Domain: 68
IP: 1
Softs:
discord, microsoft office, slack, windows installer, curl
Algorithms:
zip
Links:
https://github.com/struppigel/PortExTrend Micro
IcedID Botnet Distributors Abuse Google PPC to Distribute Malware
We analyze the latest changes in IcedID botnet from a campaign that abuses Google pay per click (PPC) ads to distribute IcedID via malvertising attacks.
#ParsedReport
23-12-2022
Threat Brief: OWASSRF Vulnerability Exploitation
https://unit42.paloaltonetworks.com/threat-brief-owassrf
Threats:
Owassrf
Proxynotshell_vuln
Silverarrow
Anydesk_tool
Putty_tool
Industry:
E-commerce
Geo:
Apac, Japan, Emea, America, Japanese
CVEs:
CVE-2022-41080 [Vulners]
Vulners: Score: Unknown, CVSS: 3.4,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
IOCs:
File: 7
Email: 2
IP: 7
Coin: 1
Softs:
microsoft exchange server, windows remote desktop protocol, microsoft exchange, windows remote desktop
Algorithms:
base64
Languages:
python
23-12-2022
Threat Brief: OWASSRF Vulnerability Exploitation
https://unit42.paloaltonetworks.com/threat-brief-owassrf
Threats:
Owassrf
Proxynotshell_vuln
Silverarrow
Anydesk_tool
Putty_tool
Industry:
E-commerce
Geo:
Apac, Japan, Emea, America, Japanese
CVEs:
CVE-2022-41080 [Vulners]
Vulners: Score: Unknown, CVSS: 3.4,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
IOCs:
File: 7
Email: 2
IP: 7
Coin: 1
Softs:
microsoft exchange server, windows remote desktop protocol, microsoft exchange, windows remote desktop
Algorithms:
base64
Languages:
python
Unit 42
Threat Brief: OWASSRF Vulnerability Exploitation
We analyze the new exploit method for Microsoft Exchange Server, OWASSRF, noting that all exploit attempts we've observed use the same PowerShell backdoor, which we track as SilverArrow. Read the details and learn how to mitigate.
#technique
Elastic IP Hijacking — A New Attack Vector in AWS
https://www.mitiga.io/blog/elastic-ip-hijacking-a-new-attack-vector-in-aws
Elastic IP Hijacking — A New Attack Vector in AWS
https://www.mitiga.io/blog/elastic-ip-hijacking-a-new-attack-vector-in-aws
www.mitiga.io
Elastic IP Hijacking — A New Attack Vector in AWS
Read Mitiga research about a new post-exploitation attack method, a new way that enables adversaries to hijack public IP addresses for malicious purposes.
#technique
Divide And Bypass: A new Simple Way to Bypass AMSI
https://x4sh3s.github.io/posts/Divide-and-bypass-amsi/
Divide And Bypass: A new Simple Way to Bypass AMSI
https://x4sh3s.github.io/posts/Divide-and-bypass-amsi/
x4sh3s
Divide And Bypass: A new Simple Way to Bypass AMSI
This post is about a new simple way to bypass AMSI (Antimalware Scan Interface), that can be applied on small scripts, specially the popular AMSI bypasses.
#ParsedReport
23-12-2022
Trade with caution - bad guys arestealing. Trade with caution - bad guys are stealing
https://www.zscaler.com/blog/security-research/trade-with-caution
Threats:
Redline_stealer
Record_breaker_stealer
Arkei_stealer
Vidar_stealer
Legionloader
Batloader
Smokeloader
Minebridge_rat
Dll_sideloading_technique
Industry:
Financial
Geo:
Usa
TTPs:
Tactics: 3
Technics: 14
IOCs:
IP: 2
Domain: 2
Url: 1
Hash: 8
File: 12
Softs:
windows installer, macos, nginx, mozilla firefox, visual studio, windows explorer
Algorithms:
zip
Platforms:
intel
23-12-2022
Trade with caution - bad guys arestealing. Trade with caution - bad guys are stealing
https://www.zscaler.com/blog/security-research/trade-with-caution
Threats:
Redline_stealer
Record_breaker_stealer
Arkei_stealer
Vidar_stealer
Legionloader
Batloader
Smokeloader
Minebridge_rat
Dll_sideloading_technique
Industry:
Financial
Geo:
Usa
TTPs:
Tactics: 3
Technics: 14
IOCs:
IP: 2
Domain: 2
Url: 1
Hash: 8
File: 12
Softs:
windows installer, macos, nginx, mozilla firefox, visual studio, windows explorer
Algorithms:
zip
Platforms:
intel
Zscaler
Trade with caution - bad guys are stealing | Zscaler
Fake TradingView site distributing backdoored TradingView application dropping SmokeLoader malware
#ParsedReport
26-12-2022
Caution! Malware Signed With Microsoft Certificate
https://asec.ahnlab.com/en/44726
Threats:
Trojan/win32.agent.c114064
Trojan/win.rootkitdrv.c5311744
Trojan/win.rootkitdrv.c5311748
Trojan/win.rootkitdrv.c5311745
Trojan/win.rootkitdrv.c5313281
Trojan/win.rootkitdrv.c5313299
Trojan/win.rootkitdrv.c5313267
Trojan/win.rootkitdrv.c5313273
Trojan/win.rootkitdrv.c5313261
Trojan/win.rootkitdrv.c5313014
Trojan/win.rootkitdrv.c5313271
Trojan/win.rootkitdrv.c5313304
Trojan/win.rootkitdrv.c5313297
Trojan/win.rootkitdrv.c5313257
Trojan/win.rootkitdrv.c5311743
Trojan/win.rootkitdrv.c5313262
Trojan/win.rootkitdrv.c5311747
Trojan/win.rootkitdrv.c5313269
Trojan/win.rootkitdrv.c5313259
Trojan/win.rootkitdrv.c5313278
Trojan/win.rootkitdrv.c5313296
Trojan/win.rootkitdrv.c5311742
Trojan/win.rootkitdrv.c5311746
Trojan/win.rootkitdrv.c5313303
Trojan/win.rootkitdrv.c5313265
Trojan/win.rootkitdrv.c5311749
Trojan/win.rootkitdrv.c5313295
Trojan/win.rootkitdrv.c5313263
Trojan/win.rootkitdrv.c5313260
Trojan/win.rootkitdrv.c5313302
Burntcigar_tool
Poortry
Stonestop
Softs:
(microsoft defender, windows security
26-12-2022
Caution! Malware Signed With Microsoft Certificate
https://asec.ahnlab.com/en/44726
Threats:
Trojan/win32.agent.c114064
Trojan/win.rootkitdrv.c5311744
Trojan/win.rootkitdrv.c5311748
Trojan/win.rootkitdrv.c5311745
Trojan/win.rootkitdrv.c5313281
Trojan/win.rootkitdrv.c5313299
Trojan/win.rootkitdrv.c5313267
Trojan/win.rootkitdrv.c5313273
Trojan/win.rootkitdrv.c5313261
Trojan/win.rootkitdrv.c5313014
Trojan/win.rootkitdrv.c5313271
Trojan/win.rootkitdrv.c5313304
Trojan/win.rootkitdrv.c5313297
Trojan/win.rootkitdrv.c5313257
Trojan/win.rootkitdrv.c5311743
Trojan/win.rootkitdrv.c5313262
Trojan/win.rootkitdrv.c5311747
Trojan/win.rootkitdrv.c5313269
Trojan/win.rootkitdrv.c5313259
Trojan/win.rootkitdrv.c5313278
Trojan/win.rootkitdrv.c5313296
Trojan/win.rootkitdrv.c5311742
Trojan/win.rootkitdrv.c5311746
Trojan/win.rootkitdrv.c5313303
Trojan/win.rootkitdrv.c5313265
Trojan/win.rootkitdrv.c5311749
Trojan/win.rootkitdrv.c5313295
Trojan/win.rootkitdrv.c5313263
Trojan/win.rootkitdrv.c5313260
Trojan/win.rootkitdrv.c5313302
Burntcigar_tool
Poortry
Stonestop
Softs:
(microsoft defender, windows security
ASEC BLOG
Caution! Malware Signed With Microsoft Certificate - ASEC BLOG
Microsoft announced details on the distribution of malware signed with a Microsoft certificate.[1] According to the announcement, a driver authenticated with the Windows Hardware Developer Program had been abused due to the leakage of multiple Windows developer…
#ParsedReport
26-12-2022
Distribution of Magniber Ransomware Stops (Since November 29th)
https://asec.ahnlab.com/en/43858
Threats:
Magniber
Typosquatting_technique
Ransomware/win.magniberxg20
Ransom/mdp.edit.m1947
26-12-2022
Distribution of Magniber Ransomware Stops (Since November 29th)
https://asec.ahnlab.com/en/43858
Threats:
Magniber
Typosquatting_technique
Ransomware/win.magniberxg20
Ransom/mdp.edit.m1947
ASEC BLOG
Distribution of Magniber Ransomware Stops (Since November 29th) - ASEC BLOG
Through a continuous monitoring process, the AhnLab ASEC analysis team is swiftly responding to Magniber, the main malware that is actively being distributed using the typosquatting method which exploits typos in domain address input. Through such continuous…
#ParsedReport
26-12-2022
ASEC Weekly Malware Statistics (December 12th, 2022 December 18th, 2022)
https://asec.ahnlab.com/en/44732
Threats:
Smokeloader
Beamwinhttp_loader
Garbage_cleaner
Agent_tesla
Amadey
Lockbit
Formbook
Clipboard_grabbing_technique
Geo:
Korea
IOCs:
File: 7
Domain: 8
Url: 20
Email: 4
Softs:
telegram
26-12-2022
ASEC Weekly Malware Statistics (December 12th, 2022 December 18th, 2022)
https://asec.ahnlab.com/en/44732
Threats:
Smokeloader
Beamwinhttp_loader
Garbage_cleaner
Agent_tesla
Amadey
Lockbit
Formbook
Clipboard_grabbing_technique
Geo:
Korea
IOCs:
File: 7
Domain: 8
Url: 20
Email: 4
Softs:
telegram
ASEC BLOG
ASEC Weekly Malware Statistics (December 12th, 2022 – December 18th, 2022) - ASEC BLOG
ContentsTop 1 – SmokeLoaderTop 2 – BeamWinHTTPTop 3 – AgentTeslaTop 4 – AmadeyTop 5 – Formbook The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected…
#ParsedReport
26-12-2022
RedDelta Targets European Government Organizations and Continues to Iterate Custom PlugX Variant
https://www.recordedfuture.com/reddelta-targets-european-government-organizations-continues-iterate-custom-plugx-variant
Actors/Campaigns:
Red_delta (motivation: cyber_espionage)
Threats:
Plugx_rat
Industry:
Government
Geo:
Tibetan, Vietnam, Asia, Ukraine, Myanmar, Russia, China, Chinese
IOCs:
IP: 57
Domain: 3
Hash: 24
File: 19
26-12-2022
RedDelta Targets European Government Organizations and Continues to Iterate Custom PlugX Variant
https://www.recordedfuture.com/reddelta-targets-european-government-organizations-continues-iterate-custom-plugx-variant
Actors/Campaigns:
Red_delta (motivation: cyber_espionage)
Threats:
Plugx_rat
Industry:
Government
Geo:
Tibetan, Vietnam, Asia, Ukraine, Myanmar, Russia, China, Chinese
IOCs:
IP: 57
Domain: 3
Hash: 24
File: 19
Recordedfuture
RedDelta Targets European Government Organizations and Continues to Iterate Custom PlugX Variant | Recorded Future
Insikt Group® examines operations conducted by likely Chinese state-sponsored threat activity group RedDelta targeting organizations across Asia and Europe.
#ParsedReport
26-12-2022
W4SP Stealer Discovered in Multiple PyPI Packages Under Various Names
https://thehackernews.com/2022/12/w4sp-stealer-discovered-in-multiple.html
Threats:
W4sp
Billythegoat_actor
IOCs:
Domain: 1
Softs:
discord
Languages:
python
Links:
26-12-2022
W4SP Stealer Discovered in Multiple PyPI Packages Under Various Names
https://thehackernews.com/2022/12/w4sp-stealer-discovered-in-multiple.html
Threats:
W4sp
Billythegoat_actor
IOCs:
Domain: 1
Softs:
discord
Languages:
python
Links:
https://github.com/billythegoat356/pystyle#ParsedReport
26-12-2022
APT41 The spy who failed to encrypt me. Timeline
https://medium.com/@DCSO_CyTec/apt41-the-spy-who-failed-to-encrypt-me-24fc0f49cad1
Actors/Campaigns:
Axiom
Cuckoobees
Threats:
Proxylogon_exploit
Chinachopper
Bestcrypt
Natbypass_tool
Procdump_tool
Nltest_tool
Miping_tool
Cobalt_strike
Beacon
Bitlocker
Ransom:bat/bljammer.a
Industry:
Financial
Geo:
China, German
CVEs:
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
TTPs:
Tactics: 9
Technics: 20
IOCs:
File: 29
Path: 10
IP: 3
Registry: 1
Command: 1
Hash: 10
Softs:
microsoft defender for endpoint, microsoft exchange server, bitlocker, msexchange, sysinternals, pyinstaller, active directory, component object model
SIGMA: Found
Links:
26-12-2022
APT41 The spy who failed to encrypt me. Timeline
https://medium.com/@DCSO_CyTec/apt41-the-spy-who-failed-to-encrypt-me-24fc0f49cad1
Actors/Campaigns:
Axiom
Cuckoobees
Threats:
Proxylogon_exploit
Chinachopper
Bestcrypt
Natbypass_tool
Procdump_tool
Nltest_tool
Miping_tool
Cobalt_strike
Beacon
Bitlocker
Ransom:bat/bljammer.a
Industry:
Financial
Geo:
China, German
CVEs:
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
TTPs:
Tactics: 9
Technics: 20
IOCs:
File: 29
Path: 10
IP: 3
Registry: 1
Command: 1
Hash: 10
Softs:
microsoft defender for endpoint, microsoft exchange server, bitlocker, msexchange, sysinternals, pyinstaller, active directory, component object model
SIGMA: Found
Links:
https://github.com/cw1997/NATBypassMedium
APT41 — The spy who failed to encrypt me
This blog post is based on our recent investigation into one of APT41’s operations against an unnamed German company from the financial…
#ParsedReport
26-12-2022
New info-stealer malware infects software pirates via fake cracks sites
https://www.bleepingcomputer.com/news/security/new-info-stealer-malware-infects-software-pirates-via-fake-cracks-sites
Actors/Campaigns:
Dev-0960
Threats:
Risepro
Privateloader
Vidar_stealer
Netdooka
Redline_stealer
Raccoon_stealer
Industry:
Financial
Geo:
Russian
Softs:
telegram, google chrome, maxthon3, nichrome, chromodo, netbox, torch, orbitum, coowon, have more...
Algorithms:
zip
26-12-2022
New info-stealer malware infects software pirates via fake cracks sites
https://www.bleepingcomputer.com/news/security/new-info-stealer-malware-infects-software-pirates-via-fake-cracks-sites
Actors/Campaigns:
Dev-0960
Threats:
Risepro
Privateloader
Vidar_stealer
Netdooka
Redline_stealer
Raccoon_stealer
Industry:
Financial
Geo:
Russian
Softs:
telegram, google chrome, maxthon3, nichrome, chromodo, netbox, torch, orbitum, coowon, have more...
Algorithms:
zip
BleepingComputer
New info-stealer malware infects software pirates via fake cracks sites
A new information-stealing malware named 'RisePro' is being distributed through fake cracks sites operated by the PrivateLoader pay-per-install (PPI) malware distribution service.
#ParsedReport
23-12-2022
MCCrash Malware: A Cross-Platform Botnet Targeting SSH-Enabled Devices
https://www.secureblink.com/threat-research/mc-crash-malware-a-cross-platform-botnet-targeting-ssh-enabled-devices
Actors/Campaigns:
Dev-1028
Threats:
Mccrash_botnet
Industry:
Iot
Geo:
Russia
IOCs:
File: 3
Domain: 1
Softs:
debian, ubuntu, pyinstaller
Languages:
python
Platforms:
raspbian
23-12-2022
MCCrash Malware: A Cross-Platform Botnet Targeting SSH-Enabled Devices
https://www.secureblink.com/threat-research/mc-crash-malware-a-cross-platform-botnet-targeting-ssh-enabled-devices
Actors/Campaigns:
Dev-1028
Threats:
Mccrash_botnet
Industry:
Iot
Geo:
Russia
IOCs:
File: 3
Domain: 1
Softs:
debian, ubuntu, pyinstaller
Languages:
python
Platforms:
raspbian
Secureblink
MCCrash Malware: A Cross-Platform Botnet Targeting SSH-Enabled Devices | Secure Blink
Analysis of MCCrash cross-platform botnet that targets Windows & Linux devices, as well as IoT devices, via insecure SSH settings. It launches DDoS attacks against private Minecraft servers...
#ParsedReport
27-12-2022
SentinelSneak: Malicious PyPI module poses as security software development kit
https://www.reversinglabs.com/blog/sentinelsneak-malicious-pypi-module-poses-as-security-sdk
Actors/Campaigns:
Iconburst
Threats:
Sentinelsneak
Typosquatting_technique
W4sp
Geo:
German
IOCs:
IP: 1
Hash: 48
Languages:
python, javascript, ruby
YARA: Found
Links:
27-12-2022
SentinelSneak: Malicious PyPI module poses as security software development kit
https://www.reversinglabs.com/blog/sentinelsneak-malicious-pypi-module-poses-as-security-sdk
Actors/Campaigns:
Iconburst
Threats:
Sentinelsneak
Typosquatting_technique
W4sp
Geo:
German
IOCs:
IP: 1
Hash: 48
Languages:
python, javascript, ruby
YARA: Found
Links:
https://github.com/javascript-obfuscator/javascript-obfuscatorReversingLabs
SentinelSneak: Malicious PyPI module poses as security software development kit
A malicious Python file found on the PyPI repo adds backdoor and data exfiltration features to what appears to be a legitimate SDK client from SentinelOne.
#ParsedReport
27-12-2022
BlueNoroff introduces new methods bypassing MoTW
https://securelist.com/bluenoroff-methods-bypass-motw/108383
Actors/Campaigns:
Lazarus (motivation: financially_motivated)
Threats:
Motw_bypass_technique
Lotl_technique
Lolbin_technique
Perseus
Process_injection_technique
Industry:
Financial
Geo:
Japan, Japanese, America, Taiwan, Usa
TTPs:
Tactics: 6
Technics: 16
IOCs:
File: 22
Path: 2
Url: 8
Hash: 13
Command: 1
IP: 3
Softs:
windows installer, microsoft office, microsoft powerpoint, windows defender, curl, windows scheduled task
Algorithms:
zip, rc4
Languages:
visual_basic
Platforms:
intel
27-12-2022
BlueNoroff introduces new methods bypassing MoTW
https://securelist.com/bluenoroff-methods-bypass-motw/108383
Actors/Campaigns:
Lazarus (motivation: financially_motivated)
Threats:
Motw_bypass_technique
Lotl_technique
Lolbin_technique
Perseus
Process_injection_technique
Industry:
Financial
Geo:
Japan, Japanese, America, Taiwan, Usa
TTPs:
Tactics: 6
Technics: 16
IOCs:
File: 22
Path: 2
Url: 8
Hash: 13
Command: 1
IP: 3
Softs:
windows installer, microsoft office, microsoft powerpoint, windows defender, curl, windows scheduled task
Algorithms:
zip, rc4
Languages:
visual_basic
Platforms:
intel
Securelist
BlueNoroff introduces new methods bypassing MoTW
We continue to track the BlueNoroff group’s activities and this October we observed the adoption of new malware strains in its arsenal.