#ParsedReport
23-12-2022
Trade with caution - bad guys are stealing
https://www.zscaler.com/blog/security-research/trade-with-caution
Threats:
Redline_stealer
Record_breaker_stealer
Arkei_stealer
Vidar_stealer
Legionloader
Batloader
Smokeloader
Minebridge_rat
Dll_sideloading_technique
Industry:
Financial
Geo:
Usa
TTPs:
Tactics: 3
Techniques: 14
IOCs:
IP: 2
Domain: 2
Url: 1
Hash: 8
File: 12
Softs:
windows installer, macos, nginx, mozilla firefox, visual studio, windows explorer
Algorithms:
zip
Platforms:
intel
Zscaler
Trade with caution - bad guys are stealing | Zscaler
Fake TradingView site distributing backdoored TradingView application dropping SmokeLoader malware
#ParsedReport
26-12-2022
Caution! Malware Signed With Microsoft Certificate
https://asec.ahnlab.com/en/44726
Threats:
Trojan/win32.agent.c114064
Trojan/win.rootkitdrv.c5311744
Trojan/win.rootkitdrv.c5311748
Trojan/win.rootkitdrv.c5311745
Trojan/win.rootkitdrv.c5313281
Trojan/win.rootkitdrv.c5313299
Trojan/win.rootkitdrv.c5313267
Trojan/win.rootkitdrv.c5313273
Trojan/win.rootkitdrv.c5313261
Trojan/win.rootkitdrv.c5313014
Trojan/win.rootkitdrv.c5313271
Trojan/win.rootkitdrv.c5313304
Trojan/win.rootkitdrv.c5313297
Trojan/win.rootkitdrv.c5313257
Trojan/win.rootkitdrv.c5311743
Trojan/win.rootkitdrv.c5313262
Trojan/win.rootkitdrv.c5311747
Trojan/win.rootkitdrv.c5313269
Trojan/win.rootkitdrv.c5313259
Trojan/win.rootkitdrv.c5313278
Trojan/win.rootkitdrv.c5313296
Trojan/win.rootkitdrv.c5311742
Trojan/win.rootkitdrv.c5311746
Trojan/win.rootkitdrv.c5313303
Trojan/win.rootkitdrv.c5313265
Trojan/win.rootkitdrv.c5311749
Trojan/win.rootkitdrv.c5313295
Trojan/win.rootkitdrv.c5313263
Trojan/win.rootkitdrv.c5313260
Trojan/win.rootkitdrv.c5313302
Burntcigar_tool
Poortry
Stonestop
Softs:
microsoft defender, windows security
ASEC BLOG
Caution! Malware Signed With Microsoft Certificate - ASEC BLOG
Microsoft announced details on the distribution of malware signed with a Microsoft certificate.[1] According to the announcement, a driver authenticated with the Windows Hardware Developer Program had been abused due to the leakage of multiple Windows developer…
#ParsedReport
26-12-2022
Distribution of Magniber Ransomware Stops (Since November 29th)
https://asec.ahnlab.com/en/43858
Threats:
Magniber
Typosquatting_technique
Ransomware/win.magniberxg20
Ransom/mdp.edit.m1947
ASEC BLOG
Distribution of Magniber Ransomware Stops (Since November 29th) - ASEC BLOG
Through a continuous monitoring process, the AhnLab ASEC analysis team is swiftly responding to Magniber, the main malware that is actively being distributed using the typosquatting method which exploits typos in domain address input. Through such continuous…
#ParsedReport
26-12-2022
ASEC Weekly Malware Statistics (December 12th, 2022 – December 18th, 2022)
https://asec.ahnlab.com/en/44732
Threats:
Smokeloader
Beamwinhttp_loader
Garbage_cleaner
Agent_tesla
Amadey
Lockbit
Formbook
Clipboard_grabbing_technique
Geo:
Korea
IOCs:
File: 7
Domain: 8
Url: 20
Email: 4
Softs:
telegram
ASEC BLOG
ASEC Weekly Malware Statistics (December 12th, 2022 – December 18th, 2022) - ASEC BLOG
Contents: Top 1 – SmokeLoader, Top 2 – BeamWinHTTP, Top 3 – AgentTesla, Top 4 – Amadey, Top 5 – Formbook. The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected…
#ParsedReport
26-12-2022
RedDelta Targets European Government Organizations and Continues to Iterate Custom PlugX Variant
https://www.recordedfuture.com/reddelta-targets-european-government-organizations-continues-iterate-custom-plugx-variant
Actors/Campaigns:
Red_delta (motivation: cyber_espionage)
Threats:
Plugx_rat
Industry:
Government
Geo:
Tibetan, Vietnam, Asia, Ukraine, Myanmar, Russia, China, Chinese
IOCs:
IP: 57
Domain: 3
Hash: 24
File: 19
Recordedfuture
RedDelta Targets European Government Organizations and Continues to Iterate Custom PlugX Variant | Recorded Future
Insikt Group® examines operations conducted by likely Chinese state-sponsored threat activity group RedDelta targeting organizations across Asia and Europe.
#ParsedReport
26-12-2022
W4SP Stealer Discovered in Multiple PyPI Packages Under Various Names
https://thehackernews.com/2022/12/w4sp-stealer-discovered-in-multiple.html
Threats:
W4sp
Billythegoat_actor
IOCs:
Domain: 1
Softs:
discord
Languages:
python
Links:
https://github.com/billythegoat356/pystyle
#ParsedReport
26-12-2022
APT41 - The spy who failed to encrypt me. Timeline
https://medium.com/@DCSO_CyTec/apt41-the-spy-who-failed-to-encrypt-me-24fc0f49cad1
Actors/Campaigns:
Axiom
Cuckoobees
Threats:
Proxylogon_exploit
Chinachopper
Bestcrypt
Natbypass_tool
Procdump_tool
Nltest_tool
Miping_tool
Cobalt_strike
Beacon
Bitlocker
Ransom:bat/bljammer.a
Industry:
Financial
Geo:
China, German
CVEs:
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019)
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019)
TTPs:
Tactics: 9
Techniques: 20
IOCs:
File: 29
Path: 10
IP: 3
Registry: 1
Command: 1
Hash: 10
Softs:
microsoft defender for endpoint, microsoft exchange server, bitlocker, msexchange, sysinternals, pyinstaller, active directory, component object model
SIGMA: Found
Links:
https://github.com/cw1997/NATBypass
Medium
APT41 — The spy who failed to encrypt me
This blog post is based on our recent investigation into one of APT41’s operations against an unnamed German company from the financial…
#ParsedReport
26-12-2022
New info-stealer malware infects software pirates via fake cracks sites
https://www.bleepingcomputer.com/news/security/new-info-stealer-malware-infects-software-pirates-via-fake-cracks-sites
Actors/Campaigns:
Dev-0960
Threats:
Risepro
Privateloader
Vidar_stealer
Netdooka
Redline_stealer
Raccoon_stealer
Industry:
Financial
Geo:
Russian
Softs:
telegram, google chrome, maxthon3, nichrome, chromodo, netbox, torch, orbitum, coowon, and more...
Algorithms:
zip
BleepingComputer
New info-stealer malware infects software pirates via fake cracks sites
A new information-stealing malware named 'RisePro' is being distributed through fake cracks sites operated by the PrivateLoader pay-per-install (PPI) malware distribution service.
#ParsedReport
23-12-2022
MCCrash Malware: A Cross-Platform Botnet Targeting SSH-Enabled Devices
https://www.secureblink.com/threat-research/mc-crash-malware-a-cross-platform-botnet-targeting-ssh-enabled-devices
Actors/Campaigns:
Dev-1028
Threats:
Mccrash_botnet
Industry:
Iot
Geo:
Russia
IOCs:
File: 3
Domain: 1
Softs:
debian, ubuntu, pyinstaller
Languages:
python
Platforms:
raspbian
Secureblink
MCCrash Malware: A Cross-Platform Botnet Targeting SSH-Enabled Devices | Secure Blink
Analysis of MCCrash cross-platform botnet that targets Windows & Linux devices, as well as IoT devices, via insecure SSH settings. It launches DDoS attacks against private Minecraft servers...
#ParsedReport
27-12-2022
SentinelSneak: Malicious PyPI module poses as security software development kit
https://www.reversinglabs.com/blog/sentinelsneak-malicious-pypi-module-poses-as-security-sdk
Actors/Campaigns:
Iconburst
Threats:
Sentinelsneak
Typosquatting_technique
W4sp
Geo:
German
IOCs:
IP: 1
Hash: 48
Languages:
python, javascript, ruby
YARA: Found
Links:
https://github.com/javascript-obfuscator/javascript-obfuscator
ReversingLabs
SentinelSneak: Malicious PyPI module poses as security software development kit
A malicious Python file found on the PyPI repo adds backdoor and data exfiltration features to what appears to be a legitimate SDK client from SentinelOne.
#ParsedReport
27-12-2022
BlueNoroff introduces new methods bypassing MoTW
https://securelist.com/bluenoroff-methods-bypass-motw/108383
Actors/Campaigns:
Lazarus (motivation: financially_motivated)
Threats:
Motw_bypass_technique
Lotl_technique
Lolbin_technique
Perseus
Process_injection_technique
Industry:
Financial
Geo:
Japan, Japanese, America, Taiwan, Usa
TTPs:
Tactics: 6
Techniques: 16
IOCs:
File: 22
Path: 2
Url: 8
Hash: 13
Command: 1
IP: 3
Softs:
windows installer, microsoft office, microsoft powerpoint, windows defender, curl, windows scheduled task
Algorithms:
zip, rc4
Languages:
visual_basic
Platforms:
intel
Securelist
BlueNoroff introduces new methods bypassing MoTW
We continue to track the BlueNoroff group’s activities and this October we observed the adoption of new malware strains in its arsenal.
#ParsedReport
27-12-2022
ZetaNile: Open source software trojans from North Korea
https://www.reversinglabs.com/blog/zetanile-open-source-software-trojans-from-north-korea
Actors/Campaigns:
Lazarus
Threats:
Zetanile
Putty_tool
Tightvnc_tool
Dll_hijacking_technique
Industry:
Energy
Geo:
Korea, Korean, Japanese
TTPs:
Tactics: 1
Techniques: 0
IOCs:
File: 4
Url: 2
Path: 2
Command: 3
IP: 1
Hash: 8
Softs:
sumatra pdf, wordpress
Algorithms:
aes, base64
Languages:
php
Platforms:
x64
ReversingLabs
ZetaNile: Open source software trojans from North Korea
ReversingLabs Malware Researcher Joseph Edwards takes a deep dive into ZetaNile, a set of open-source software trojans being used by Lazarus/ZINC.
#ParsedReport
27-12-2022
W4SP continues to nest in PyPI: Same supply chain attack, different distribution method
https://www.reversinglabs.com/blog/w4sp-continues-to-nest-in-pypi-same-supply-chain-attack-different-distribution-method
Actors/Campaigns:
Iconburst
Threats:
W4sp
Climax_loader
Typosquatting_technique
IOCs:
Url: 1
File: 3
IP: 2
Hash: 33
Softs:
discord, telegram, flask
Algorithms:
lzma, base64, zip
Languages:
rust, python
YARA: Found
Links:
https://github.com/liftoff/pyminifier
https://github.com/reversinglabs/reversinglabs-yara-rules
https://github.com/cloudflare/cloudflared/releases
ReversingLabs
W4SP continues to nest in PyPI: Same supply chain attack, different distribution method
Here's ReversingLabs' discoveries and indicators of compromise (IOCs) for W4SP, as well as links to our YARA rule that can be used to detect the malicious Python packages in your environment.
#ParsedReport
27-12-2022
Shc Linux malware installing a coin miner
https://asec.ahnlab.com/ko/44885
Threats:
Xmrig_miner
Perlbot
Geo:
Korea
IOCs:
File: 7
Hash: 12
IP: 2
Url: 9
Softs:
ubuntu
Algorithms:
rc4
Languages:
perl
ASEC BLOG
Shc Linux Malware Installing a Coin Miner - ASEC BLOG
The ASEC analysis team recently confirmed that Linux malware developed with Shc is installing coin miner malware. The attacker is presumed to have installed various malware after authenticating via a dictionary attack against poorly managed Linux SSH servers; the Shc downloader malware, the XMRig coin miner it installs, and a DDoS IRC bot developed in Perl have been identified. 1. Shc (Shell Script Compiler) Shc is a Shell…
#ParsedReport
27-12-2022
New wave of Financial Fraud: Scammers Monitoring Social Media Complaints
https://blog.cyble.com/2022/12/27/new-wave-of-finacial-fraud-scammers-monitoring-social-media-complaints
Industry:
Transport, Financial
Geo:
Indian, India
TTPs:
Tactics: 4
Techniques: 5
IOCs:
File: 4
Url: 3
IP: 1
Hash: 1
Softs:
razorpay, truecaller, android
Cyble
New wave of Financial Fraud: Scammers Monitoring Social Media Complaints
CRIL analyzes the financial fraud campaign where scammers are monitoring complaint posts on social media to target users of IRCTC, and Indian Banks.
#ParsedReport
27-12-2022
ASEC Weekly Malware Statistics (20221219 ~ 20221225)
https://asec.ahnlab.com/ko/44946
Threats:
Beamwinhttp_loader
Garbage_cleaner
Agent_tesla
Azorult
Tofsee
Stop_ransomware
Smokeloader
Vidar_stealer
Nemty
Ryuk
Revil
Raccoon_stealer
Predator
Formbook
Clipboard_grabbing_technique
Snake_keylogger
Industry:
Transport, Financial
Geo:
Korea
IOCs:
File: 25
Email: 9
Domain: 2
Url: 11
Softs:
telegram, discord
Languages:
php
ASEC BLOG
ASEC Weekly Malware Statistics (20221219 ~ 20221225) - ASEC BLOG
Contents: Top 1 – BeamWinHTTP, Top 2 – AgentTesla, Top 3 – Tofsee, Top 4 – Formbook, Top 5 – SnakeKeylogger. The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post summarizes the statistics of malware collected during the week from Monday, December 19, 2022 to Sunday, December 25, 2022. By major category, infostealers accounted for 37.3%…
#ParsedReport
27-12-2022
Pure coder offers multiple malware for sale in Darkweb forums
https://blog.cyble.com/2022/12/27/pure-coder-offers-multiple-malware-for-sale-in-darkweb-forums
Threats:
Purecoder_actor
Purelogs
Purecryptor
Pureminer
Blueloader
Purehvnc_tool
Hvnc_tool
Industry:
Financial
Geo:
Italy
TTPs:
Tactics: 6
Techniques: 9
IOCs:
File: 2
Hash: 4
Softs:
winscp, bitcoincore, dashcore, electrum, telegram, jaxx, litecoincore, zcash, tronlink, coinbase, and more...
Algorithms:
zip
Functions:
InternetDM, OpenVPN, InvokeMember
Cyble
Pure coder offers multiple malware for sale in Darkweb forums
Cyble Research and Intelligence Labs analyzes a spam campaign dropping PureLogs stealer aimed at Italian users.
#ParsedReport
27-12-2022
PSA: YITH WooCommerce Gift Cards Premium Plugin Exploited in the Wild
https://www.wordfence.com/blog/2022/12/psa-yith-woocommerce-gift-cards-premium-plugin-exploited-in-the-wild
Threats:
Marijuana
CVEs:
CVE-2022-45359 [Vulners]
Vulners: Score: Unknown, CVSS: 2.7,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- yithemes yith woocommerce gift cards (<= 3.19.0)
IOCs:
File: 3
Domain: 1
Hash: 3
IP: 2
Softs:
wordpress
Functions:
import_actions_from_settings_panel
Languages:
php
Wordfence
PSA: YITH WooCommerce Gift Cards Premium Plugin Exploited in the Wild
The Wordfence Threat Intelligence team has been tracking exploits targeting a Critical Severity Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards Premium, a plugin with over 50,000 installations according to the vendor. The vulnerability…
#ParsedReport
27-12-2022
SlowMist: Investigation of North Korean APTs Large-Scale Phishing Attack on NFT Users
https://slowmist.medium.com/slowmist-our-in-depth-investigation-of-north-korean-apts-large-scale-phishing-attack-on-nft-users-362117600519
Industry:
Financial
Geo:
Korean
IOCs:
File: 1
Url: 3
Softs:
slowmist, misttrack
Functions:
OpenSea
Languages:
php
Links:
https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README.md
Medium
SlowMist: Our In-Depth Investigation of North Korean APT’s Large-Scale Phishing Attack on NFT Users
The North Korean hackers and Eastern Europe seem to be cooperating to phish NFT users. What do you think?
#ParsedReport
28-12-2022
Types of Recent .NET Packers and Their Distribution Trends in Korea
https://asec.ahnlab.com/en/44809
Threats:
Agent_tesla
Snake_keylogger
Formbook
Lokibot_stealer
Asyncrat_rat
Majorcrypter
Darktortilla
Variantcrypter
Purecryptor
Confuserex_tool
Remcos_rat
Trojan/win.msilkrypt.r478738
Trojan/win.msilkrypt.r479010
Trojan/win.malwarex-gen.c4922823
Trojan/win.msilkrypt.c5020026
Trojan/win.msil.r503383
Trojan/win.msil.r510208
Trojan/win.msil.r492640
Trojan/win.msilkrypt.r478746
Trojan/win.msil.r491654
Trojan/win.msil.r479032
Trojan/win.msil.r536135
Trojan/win.loader.c5020045
Trojan/win.msilkrypt.r479033
Trojan/win.generic.c5197697
Trojan/win.msilkrypt.r479202
Trojan/win.msil.r5288800
Trojan/win.msil.c5134406
Trojan/win.msil.r498082
Trojan/win.msil.c5198300
Trojan/win.msil.r510204
Geo:
Korea
IOCs:
File: 52
Hash: 33
Url: 27
Algorithms:
xor, base64
Functions:
Sleep, Loader, Runn
Win API:
GetPixel
ASEC
Types of Recent .NET Packers and Their Distribution Trends in Korea - ASEC
#ParsedReport
28-12-2022
RCE Vulnerability (CVE-2022-45359) in Yith WooCommerce Gift Cards Plugin Exploited in Attacks
https://socradar.io/rce-vulnerability-cve-2022-45359-in-yith-woocommerce-gift-cards-plugin-exploited-in-attacks
Industry:
E-commerce, Financial
CVEs:
CVE-2022-45359 [Vulners]
Vulners: Score: Unknown, CVSS: 2.7,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- yithemes yith woocommerce gift cards (<= 3.19.0)
IOCs:
IP: 2
Softs:
wordpress
Languages:
php
SOCRadar® Cyber Intelligence Inc.
RCE Vulnerability (CVE-2022-45359) in Yith WooCommerce Gift Cards Plugin Exploited in Attacks - SOCRadar® Cyber Intelligence Inc.
In late November, security researchers found a critical vulnerability in Yith’s WooCommerce Gift Cards plugin. Attackers can gain remote code