#ParsedReport
27-12-2022
BlueNoroff introduces new methods bypassing MoTW
https://securelist.com/bluenoroff-methods-bypass-motw/108383
Actors/Campaigns:
Lazarus (motivation: financially_motivated)
Threats:
Motw_bypass_technique
Lotl_technique
Lolbin_technique
Perseus
Process_injection_technique
Industry:
Financial
Geo:
Japan, Japanese, America, Taiwan, Usa
TTPs:
Tactics: 6
Technics: 16
IOCs:
File: 22
Path: 2
Url: 8
Hash: 13
Command: 1
IP: 3
Softs:
windows installer, microsoft office, microsoft powerpoint, windows defender, curl, windows scheduled task
Algorithms:
zip, rc4
Languages:
visual_basic
Platforms:
intel
27-12-2022
BlueNoroff introduces new methods bypassing MoTW
https://securelist.com/bluenoroff-methods-bypass-motw/108383
Actors/Campaigns:
Lazarus (motivation: financially_motivated)
Threats:
Motw_bypass_technique
Lotl_technique
Lolbin_technique
Perseus
Process_injection_technique
Industry:
Financial
Geo:
Japan, Japanese, America, Taiwan, Usa
TTPs:
Tactics: 6
Technics: 16
IOCs:
File: 22
Path: 2
Url: 8
Hash: 13
Command: 1
IP: 3
Softs:
windows installer, microsoft office, microsoft powerpoint, windows defender, curl, windows scheduled task
Algorithms:
zip, rc4
Languages:
visual_basic
Platforms:
intel
Securelist
BlueNoroff introduces new methods bypassing MoTW
We continue to track the BlueNoroff group’s activities and this October we observed the adoption of new malware strains in its arsenal.
#ParsedReport
27-12-2022
ZetaNile: Open source software trojans from North Korea
https://www.reversinglabs.com/blog/zetanile-open-source-software-trojans-from-north-korea
Actors/Campaigns:
Lazarus
Threats:
Zetanile
Putty_tool
Tightvnc_tool
Dll_hijacking_technique
Industry:
Energy
Geo:
Korea, Korean, Japanese
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 4
Url: 2
Path: 2
Command: 3
IP: 1
Hash: 8
Softs:
sumatra pdf, wordpress
Algorithms:
aes, base64
Languages:
php
Platforms:
x64
27-12-2022
ZetaNile: Open source software trojans from North Korea
https://www.reversinglabs.com/blog/zetanile-open-source-software-trojans-from-north-korea
Actors/Campaigns:
Lazarus
Threats:
Zetanile
Putty_tool
Tightvnc_tool
Dll_hijacking_technique
Industry:
Energy
Geo:
Korea, Korean, Japanese
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 4
Url: 2
Path: 2
Command: 3
IP: 1
Hash: 8
Softs:
sumatra pdf, wordpress
Algorithms:
aes, base64
Languages:
php
Platforms:
x64
ReversingLabs
ZetaNile: Open source software trojans from North Korea
ReversingLabs Malware Researcher Joseph Edwards takes a deep dive into ZetaNile, a set of open-source software trojans being used by Lazarus/ZINC.
#ParsedReport
27-12-2022
W4SP continues to nest in PyPI: Same supply chain attack, different distribution method
https://www.reversinglabs.com/blog/w4sp-continues-to-nest-in-pypi-same-supply-chain-attack-different-distribution-method
Actors/Campaigns:
Iconburst
Threats:
W4sp
Climax_loader
Typosquatting_technique
IOCs:
Url: 1
File: 3
IP: 2
Hash: 33
Softs:
discord, telegram, flask
Algorithms:
lzma, base64, zip
Languages:
rust, python
YARA: Found
Links:
27-12-2022
W4SP continues to nest in PyPI: Same supply chain attack, different distribution method
https://www.reversinglabs.com/blog/w4sp-continues-to-nest-in-pypi-same-supply-chain-attack-different-distribution-method
Actors/Campaigns:
Iconburst
Threats:
W4sp
Climax_loader
Typosquatting_technique
IOCs:
Url: 1
File: 3
IP: 2
Hash: 33
Softs:
discord, telegram, flask
Algorithms:
lzma, base64, zip
Languages:
rust, python
YARA: Found
Links:
https://github.com/liftoff/pyminifierhttps://github.com/reversinglabs/reversinglabs-yara-ruleshttps://github.com/cloudflare/cloudflared/releasesReversingLabs
W4SP continues to nest in PyPI: Same supply chain attack, different distribution method
Here's ReversingLabs' discoveries and indicators of compromise (IOCs) for W4SP, as well as links to our YARA rule that can be used to detect the malicious Python packages in your environment.
#ParsedReport
27-12-2022
Shc. SHC Linux malware installing coin minor
https://asec.ahnlab.com/ko/44885
Threats:
Xmrig_miner
Perlbot
Geo:
Korea
IOCs:
File: 7
Hash: 12
IP: 2
Url: 9
Softs:
ubuntu)
Algorithms:
rc4
Languages:
perl
27-12-2022
Shc. SHC Linux malware installing coin minor
https://asec.ahnlab.com/ko/44885
Threats:
Xmrig_miner
Perlbot
Geo:
Korea
IOCs:
File: 7
Hash: 12
IP: 2
Url: 9
Softs:
ubuntu)
Algorithms:
rc4
Languages:
perl
ASEC BLOG
코인 마이너를 설치하는 Shc 리눅스 악성코드 - ASEC BLOG
ASEC 분석팀은 최근 Shc로 개발된 리눅스 악성코드가 코인 마이너 악성코드를 설치하고 있는 것을 확인하였다. 공격자는 부적절하게 관리되고 있는 리눅스 SSH 서버를 대상으로 사전 공격을 통해 인증에 성공한 뒤 다양한 악성코드들을 설치한 것으로 추정되며, Shc 다운로더 악성코드와 이를 통해 설치되는 XMRig 코인 마이너 그리고 Perl로 개발된 DDoS IRC Bot이 확인된다. 1. Shc (Shell Script Compiler) Shc는 Shell…
#ParsedReport
27-12-2022
New wave of Financial Fraud: Scammers Monitoring Social Media Complaints
https://blog.cyble.com/2022/12/27/new-wave-of-finacial-fraud-scammers-monitoring-social-media-complaints
Industry:
Transport, Financial
Geo:
Indian, India
TTPs:
Tactics: 4
Technics: 5
IOCs:
File: 4
Url: 3
IP: 1
Hash: 1
Softs:
razorpay, truecaller, android
27-12-2022
New wave of Financial Fraud: Scammers Monitoring Social Media Complaints
https://blog.cyble.com/2022/12/27/new-wave-of-finacial-fraud-scammers-monitoring-social-media-complaints
Industry:
Transport, Financial
Geo:
Indian, India
TTPs:
Tactics: 4
Technics: 5
IOCs:
File: 4
Url: 3
IP: 1
Hash: 1
Softs:
razorpay, truecaller, android
Cyble
New wave of Financial Fraud: Scammers Monitoring Social Media Complaints
CRIL analyzes the financial fraud campaign where scammers are monitoring complaint posts on social media to target users of IRCTC, and Indian Banks.
#ParsedReport
27-12-2022
ASEC (20221219 \~ 20221225). ASEC Weekly Malware Statistics (20221219 \~ 20221225)
https://asec.ahnlab.com/ko/44946
Threats:
Beamwinhttp_loader
Garbage_cleaner
Agent_tesla
Azorult
Tofsee
Stop_ransomware
Smokeloader
Vidar_stealer
Nemty
Ryuk
Revil
Raccoon_stealer
Predator
Formbook
Clipboard_grabbing_technique
Snake_keylogger
Industry:
Transport, Financial
Geo:
Korea
IOCs:
File: 25
Email: 9
Domain: 2
Url: 11
Softs:
telegram, discord
Languages:
php
27-12-2022
ASEC (20221219 \~ 20221225). ASEC Weekly Malware Statistics (20221219 \~ 20221225)
https://asec.ahnlab.com/ko/44946
Threats:
Beamwinhttp_loader
Garbage_cleaner
Agent_tesla
Azorult
Tofsee
Stop_ransomware
Smokeloader
Vidar_stealer
Nemty
Ryuk
Revil
Raccoon_stealer
Predator
Formbook
Clipboard_grabbing_technique
Snake_keylogger
Industry:
Transport, Financial
Geo:
Korea
IOCs:
File: 25
Email: 9
Domain: 2
Url: 11
Softs:
telegram, discord
Languages:
php
ASEC BLOG
ASEC 주간 악성코드 통계 (20221219 ~ 20221225) - ASEC BLOG
ContentsTop 1 – BeamWinHTTPTop 2 – AgentTeslaTop 3 – TofseeTop 4 – FormbookTop 5 – SnakeKeylogger ASEC 분석팀에서는 ASEC 자동 분석 시스템 RAPIT 을 활용하여 알려진 악성코드들에 대한 분류 및 대응을 진행하고 있다. 본 포스팅에서는 2022년 12월 19일 월요일부터 12월 25일 일요일까지 한 주간 수집된 악성코드의 통계를 정리한다. 대분류 상으로는 인포스틸러가 37.3%로…
#ParsedReport
27-12-2022
Pure coder offers multiple malware for sale in Darkweb forums
https://blog.cyble.com/2022/12/27/pure-coder-offers-multiple-malware-for-sale-in-darkweb-forums
Threats:
Purecoder_actor
Purelogs
Purecryptor
Pureminer
Blueloader
Purehvnc_tool
Hvnc_tool
Industry:
Financial
Geo:
Italy
TTPs:
Tactics: 6
Technics: 9
IOCs:
File: 2
Hash: 4
Softs:
winscp, bitcoincore, dashcore, electrum, telegram, jaxx, litecoincore, zcash, tronlink, coinbase, have more...
Algorithms:
zip
Functions:
InternetDM, OpenVPN, InvokeMember
27-12-2022
Pure coder offers multiple malware for sale in Darkweb forums
https://blog.cyble.com/2022/12/27/pure-coder-offers-multiple-malware-for-sale-in-darkweb-forums
Threats:
Purecoder_actor
Purelogs
Purecryptor
Pureminer
Blueloader
Purehvnc_tool
Hvnc_tool
Industry:
Financial
Geo:
Italy
TTPs:
Tactics: 6
Technics: 9
IOCs:
File: 2
Hash: 4
Softs:
winscp, bitcoincore, dashcore, electrum, telegram, jaxx, litecoincore, zcash, tronlink, coinbase, have more...
Algorithms:
zip
Functions:
InternetDM, OpenVPN, InvokeMember
Cyble
Pure coder offers multiple malware for sale in Darkweb forums
Cyble Research and Intelligence Labs analyzes a spam campaign dropping PureLogs stealer aimed at Italian users.
#ParsedReport
27-12-2022
PSA: YITH WooCommerce Gift Cards Premium Plugin Exploited in the Wild
https://www.wordfence.com/blog/2022/12/psa-yith-woocommerce-gift-cards-premium-plugin-exploited-in-the-wild
Threats:
Marijuana
CVEs:
CVE-2022-45359 [Vulners]
Vulners: Score: Unknown, CVSS: 2.7,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- yithemes yith woocommerce gift cards (le3.19.0)
IOCs:
File: 3
Domain: 1
Hash: 3
IP: 2
Softs:
wordpress
Functions:
import_actions_from_settings_panel
Languages:
php
27-12-2022
PSA: YITH WooCommerce Gift Cards Premium Plugin Exploited in the Wild
https://www.wordfence.com/blog/2022/12/psa-yith-woocommerce-gift-cards-premium-plugin-exploited-in-the-wild
Threats:
Marijuana
CVEs:
CVE-2022-45359 [Vulners]
Vulners: Score: Unknown, CVSS: 2.7,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- yithemes yith woocommerce gift cards (le3.19.0)
IOCs:
File: 3
Domain: 1
Hash: 3
IP: 2
Softs:
wordpress
Functions:
import_actions_from_settings_panel
Languages:
php
Wordfence
PSA: YITH WooCommerce Gift Cards Premium Plugin Exploited in the Wild
The Wordfence Threat Intelligence team has been tracking exploits targeting a Critical Severity Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards Premium, a plugin with over 50,000 installations according to the vendor. The vulnerability…
#ParsedReport
27-12-2022
SlowMist: Investigation of North Korean APTs Large-Scale Phishing Attack on NFT Users
https://slowmist.medium.com/slowmist-our-in-depth-investigation-of-north-korean-apts-large-scale-phishing-attack-on-nft-users-362117600519
Industry:
Financial
Geo:
Korean
IOCs:
File: 1
Url: 3
Softs:
slowmist, misttrack
Functions:
OpenSea
Languages:
php
Links:
27-12-2022
SlowMist: Investigation of North Korean APTs Large-Scale Phishing Attack on NFT Users
https://slowmist.medium.com/slowmist-our-in-depth-investigation-of-north-korean-apts-large-scale-phishing-attack-on-nft-users-362117600519
Industry:
Financial
Geo:
Korean
IOCs:
File: 1
Url: 3
Softs:
slowmist, misttrack
Functions:
OpenSea
Languages:
php
Links:
https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README.mdMedium
SlowMist: Our In-Depth Investigation of North Korean APT’s Large-Scale Phishing Attack on NFT Users
The North Korean hackers and Eastern Europe seem to be cooperating to phishing NFT users. What do you think?
#ParsedReport
28-12-2022
Types of Recent .NET Packers and Their Distribution Trends in Korea
https://asec.ahnlab.com/en/44809
Threats:
Agent_tesla
Snake_keylogger
Formbook
Lokibot_stealer
Asyncrat_rat
Majorcrypter
Darktortilla
Variantcrypter
Purecryptor
Confuserex_tool
Remcos_rat
Trojan/win.msilkrypt.r478738
Trojan/win.msilkrypt.r479010
Trojan/win.malwarex-gen.c4922823
Trojan/win.msilkrypt.c5020026
Trojan/win.msil.r503383
Trojan/win.msil.r510208
Trojan/win.msil.r492640
Trojan/win.msilkrypt.r478746
Trojan/win.msil.r491654
Trojan/win.msil.r479032
Trojan/win.msil.r536135
Trojan/win.loader.c5020045
Trojan/win.msilkrypt.r479033
Trojan/win.generic.c5197697
Trojan/win.msilkrypt.r479202
Trojan/win.msil.r5288800
Trojan/win.msil.c5134406
Trojan/win.msil.r498082
Trojan/win.msil.c5198300
Trojan/win.msil.r510204
Geo:
Korea
IOCs:
File: 52
Hash: 33
Url: 27
Algorithms:
xor, base64
Functions:
Sleep, Loader, Runn
Win API:
GetPixel
28-12-2022
Types of Recent .NET Packers and Their Distribution Trends in Korea
https://asec.ahnlab.com/en/44809
Threats:
Agent_tesla
Snake_keylogger
Formbook
Lokibot_stealer
Asyncrat_rat
Majorcrypter
Darktortilla
Variantcrypter
Purecryptor
Confuserex_tool
Remcos_rat
Trojan/win.msilkrypt.r478738
Trojan/win.msilkrypt.r479010
Trojan/win.malwarex-gen.c4922823
Trojan/win.msilkrypt.c5020026
Trojan/win.msil.r503383
Trojan/win.msil.r510208
Trojan/win.msil.r492640
Trojan/win.msilkrypt.r478746
Trojan/win.msil.r491654
Trojan/win.msil.r479032
Trojan/win.msil.r536135
Trojan/win.loader.c5020045
Trojan/win.msilkrypt.r479033
Trojan/win.generic.c5197697
Trojan/win.msilkrypt.r479202
Trojan/win.msil.r5288800
Trojan/win.msil.c5134406
Trojan/win.msil.r498082
Trojan/win.msil.c5198300
Trojan/win.msil.r510204
Geo:
Korea
IOCs:
File: 52
Hash: 33
Url: 27
Algorithms:
xor, base64
Functions:
Sleep, Loader, Runn
Win API:
GetPixel
ASEC
Types of Recent .NET Packers and Their Distribution Trends in Korea - ASEC
Types of Recent .NET Packers and Their Distribution Trends in Korea ASEC
#ParsedReport
28-12-2022
RCE Vulnerability (CVE-2022-45359) in Yith WooCommerce Gift Cards Plugin Exploited in Attacks
https://socradar.io/rce-vulnerability-cve-2022-45359-in-yith-woocommerce-gift-cards-plugin-exploited-in-attacks
Industry:
E-commerce, Financial
CVEs:
CVE-2022-45359 [Vulners]
Vulners: Score: Unknown, CVSS: 2.7,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- yithemes yith woocommerce gift cards (le3.19.0)
IOCs:
IP: 2
Softs:
wordpress
Languages:
php
28-12-2022
RCE Vulnerability (CVE-2022-45359) in Yith WooCommerce Gift Cards Plugin Exploited in Attacks
https://socradar.io/rce-vulnerability-cve-2022-45359-in-yith-woocommerce-gift-cards-plugin-exploited-in-attacks
Industry:
E-commerce, Financial
CVEs:
CVE-2022-45359 [Vulners]
Vulners: Score: Unknown, CVSS: 2.7,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- yithemes yith woocommerce gift cards (le3.19.0)
IOCs:
IP: 2
Softs:
wordpress
Languages:
php
SOCRadar® Cyber Intelligence Inc.
RCE Vulnerability (CVE-2022-45359) in Yith WooCommerce Gift Cards Plugin Exploited in Attacks - SOCRadar® Cyber Intelligence Inc.
In late November, security researchers found a critical vulnerability in Yith’s WooCommerce Gift Cards plugin. Attackers can gain remote code
#ParsedReport
29-12-2022
. Typical mining family series analysis 2 \| TeamTNT mining organization
https://www.antiy.cn/research/notice&report/research_report/20221207.html
Actors/Campaigns:
Teamtnt
Threats:
Hezb
Kthmimu
Tsunami_botnet
Masscan_tool
Zgrab_scanner_tool
Conti
Libprocesshider_rootkit
Tmate_tool
Pnscan_tool
Mimipy
Diamorphine_rootkit
Hildegard
Kangaroo
Mimipenguin_tool
Industry:
Energy, Government, Financial, Education
Geo:
Germany, German
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 13
Url: 48
Domain: 23
IP: 35
Hash: 138
Softs:
docker, redis
Algorithms:
aes, base64
29-12-2022
. Typical mining family series analysis 2 \| TeamTNT mining organization
https://www.antiy.cn/research/notice&report/research_report/20221207.html
Actors/Campaigns:
Teamtnt
Threats:
Hezb
Kthmimu
Tsunami_botnet
Masscan_tool
Zgrab_scanner_tool
Conti
Libprocesshider_rootkit
Tmate_tool
Pnscan_tool
Mimipy
Diamorphine_rootkit
Hildegard
Kangaroo
Mimipenguin_tool
Industry:
Energy, Government, Financial, Education
Geo:
Germany, German
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 13
Url: 48
Domain: 23
IP: 35
Hash: 138
Softs:
docker, redis
Algorithms:
aes, base64
www.antiy.cn
典型挖矿家族系列分析二 | TeamTNT挖矿组织
安天CERT将近几年历史跟踪储备的典型流行挖矿木马家族组织梳理形成专题报告,本期介绍TeamTNT挖矿组织
#ParsedReport
29-12-2022
. "Eternity" organization: continuous and active commercial arsenal
https://www.antiy.cn/research/notice&report/research_report/20221223.html
Actors/Campaigns:
Eternity
Threats:
Jester_stealer
Lightm4n_actor
Userpro9_actor
Savethekiddes_actor
Ransomware.exe
Geo:
Ukraine
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 6
Hash: 2
Url: 2
Softs:
telegram, pyinstaller, discord
Algorithms:
aes, zip
Languages:
python
Platforms:
intel
29-12-2022
. "Eternity" organization: continuous and active commercial arsenal
https://www.antiy.cn/research/notice&report/research_report/20221223.html
Actors/Campaigns:
Eternity
Threats:
Jester_stealer
Lightm4n_actor
Userpro9_actor
Savethekiddes_actor
Ransomware.exe
Geo:
Ukraine
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 6
Hash: 2
Url: 2
Softs:
telegram, pyinstaller, discord
Algorithms:
aes, zip
Languages:
python
Platforms:
intel
www.antiy.cn
“Eternity”组织:持续活跃的商业武器库
安天CERT在本篇报告中除了对Jester黑客团伙黑客团伙进行更多介绍之外,还会对其开发的蠕虫及勒索软件进行详细分析,帮助用户了解其恶意功能,以便进行更好的防护。
#ParsedReport
29-12-2022
New CatB Ransomware Employs 2-Year Old DLL Hijacking Technique To Evade Detection
https://minerva-labs.com/blog/new-catb-ransomware-employs-2-year-old-dll-hijacking-technique-to-evade-detection
Threats:
CatB_ransomware
Dll_hijacking_technique
Pandora
Upx_tool
Industry:
Financial, Transport
TTPs:
IOCs:
File: 4
Path: 1
Hash: 2
Email: 1
Softs:
windows service
Win API:
GetSystemInfo, GlobalMemoryStatusEx, DeviceIoControl
29-12-2022
New CatB Ransomware Employs 2-Year Old DLL Hijacking Technique To Evade Detection
https://minerva-labs.com/blog/new-catb-ransomware-employs-2-year-old-dll-hijacking-technique-to-evade-detection
Threats:
CatB_ransomware
Dll_hijacking_technique
Pandora
Upx_tool
Industry:
Financial, Transport
TTPs:
IOCs:
File: 4
Path: 1
Hash: 2
Email: 1
Softs:
windows service
Win API:
GetSystemInfo, GlobalMemoryStatusEx, DeviceIoControl
Rapid7
Rapid7 Managed Cybersecurity: Outpace Attackers
#ParsedReport
29-12-2022
Hackers abuse Google Ads to spread malware in legit software
https://www.bleepingcomputer.com/news/security/hackers-abuse-google-ads-to-spread-malware-in-legit-software
Threats:
Anydesk_tool
Teamviewer_tool
Raccoon_stealer
Vidar_stealer
Icedid
Typosquatting_technique
Redline_stealer
Softs:
slack
Algorithms:
zip
29-12-2022
Hackers abuse Google Ads to spread malware in legit software
https://www.bleepingcomputer.com/news/security/hackers-abuse-google-ads-to-spread-malware-in-legit-software
Threats:
Anydesk_tool
Teamviewer_tool
Raccoon_stealer
Vidar_stealer
Icedid
Typosquatting_technique
Redline_stealer
Softs:
slack
Algorithms:
zip
BleepingComputer
Hackers abuse Google Ads to spread malware in legit software
Malware operators have been increasingly abusing the Google Ads platform to spread malware to unsuspecting users searching for popular software products.
#ParsedReport
29-12-2022
. Hidden teeth hidden in South Asia Slang snake tissue recent attack activity briefing
https://ti.qianxin.com/blog/articles/sidewinder-group%27s-recent-attack-activity-briefing
Actors/Campaigns:
Sidewinder
Threats:
Dll_sideloading_technique
Dotnettojscript_technique
Industry:
Government, Maritime, Education
Geo:
Bangladesh, Pakistan, China, Afghanistan, Asia, Pakistani, Nepal
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
IOCs:
File: 11
Hash: 14
Softs:
slack, android
Algorithms:
base64, xor
Languages:
javascript
29-12-2022
. Hidden teeth hidden in South Asia Slang snake tissue recent attack activity briefing
https://ti.qianxin.com/blog/articles/sidewinder-group%27s-recent-attack-activity-briefing
Actors/Campaigns:
Sidewinder
Threats:
Dll_sideloading_technique
Dotnettojscript_technique
Industry:
Government, Maritime, Education
Geo:
Bangladesh, Pakistan, China, Afghanistan, Asia, Pakistani, Nepal
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
IOCs:
File: 11
Hash: 14
Softs:
slack, android
Algorithms:
base64, xor
Languages:
javascript
Qianxin
奇安信威胁情报中心
Nuxt.js project
#ParsedReport
29-12-2022
APT-C-36. 1. Analysis of attack activities
https://mp.weixin.qq.com/s/mTmJLHYC9bJDnphf_52JmA
Actors/Campaigns:
Blindeagle
Threats:
Njrat_rat
Syncrat
Asyncrat_rat
Industry:
Financial, Government
Geo:
Spanish, America, Ecuador, Colombia, Colombian
IOCs:
Hash: 14
File: 26
Url: 6
Softs:
virtualbox
Algorithms:
base64, aes
Functions:
Settings
Languages:
c_language, csharp
29-12-2022
APT-C-36. 1. Analysis of attack activities
https://mp.weixin.qq.com/s/mTmJLHYC9bJDnphf_52JmA
Actors/Campaigns:
Blindeagle
Threats:
Njrat_rat
Syncrat
Asyncrat_rat
Industry:
Financial, Government
Geo:
Spanish, America, Ecuador, Colombia, Colombian
IOCs:
Hash: 14
File: 26
Url: 6
Softs:
virtualbox
Algorithms:
base64, aes
Functions:
Settings
Languages:
c_language, csharp
Weixin Official Accounts Platform
APT-C-36(盲眼鹰)近期攻击活动分析
APT-C-36近期常采用鱼叉攻击,以PDF文件作为入口点,诱导用户点击文档里面的恶意链接下载RAR压缩包文件
#ParsedReport
29-12-2022
Operation Dragon Dance
https://ti.qianxin.com/blog/articles/operation-dragon-dance-the-sword-of-damocles-hanging-over-the-gaming-industry
Actors/Campaigns:
Dragon_dance
Miuuti
Dragon_breath
Threats:
Powerkatz_stealer
Industry:
Entertainment
CVEs:
CVE-2021-21220 [Vulners]
Vulners: Score: 6.8, CVSS: 3.1,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- google chrome (<89.0.4389.128)
- fedoraproject fedora (32, 33, 34)
IOCs:
File: 8
Softs:
node.js, curl, chrome, telegram
Languages:
delphi
29-12-2022
Operation Dragon Dance
https://ti.qianxin.com/blog/articles/operation-dragon-dance-the-sword-of-damocles-hanging-over-the-gaming-industry
Actors/Campaigns:
Dragon_dance
Miuuti
Dragon_breath
Threats:
Powerkatz_stealer
Industry:
Entertainment
CVEs:
CVE-2021-21220 [Vulners]
Vulners: Score: 6.8, CVSS: 3.1,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- google chrome (<89.0.4389.128)
- fedoraproject fedora (32, 33, 34)
IOCs:
File: 8
Softs:
node.js, curl, chrome, telegram
Languages:
delphi
Qianxin
奇安信威胁情报中心
Nuxt.js project
#ParsedReport
30-12-2022
. Analysis of the CNC organization "Ferry" of the CNC organization of the military and education industry
https://www.antiy.cn/research/notice&report/research_report/20221229.html
Actors/Campaigns:
Darkhotel
Industry:
Education
TTPs:
Tactics: 3
Technics: 0
IOCs:
File: 7
Hash: 2
IP: 2
Algorithms:
xxtea, base64
Platforms:
amd64
30-12-2022
. Analysis of the CNC organization "Ferry" of the CNC organization of the military and education industry
https://www.antiy.cn/research/notice&report/research_report/20221229.html
Actors/Campaigns:
Darkhotel
Industry:
Education
TTPs:
Tactics: 3
Technics: 0
IOCs:
File: 7
Hash: 2
IP: 2
Algorithms:
xxtea, base64
Platforms:
amd64
www.antiy.cn
针对军工和教育行业的CNC组织“摆渡”木马分析
安天应急响应中心(安天CERT)在梳理攻击活动时发现CNC组织使用的两个下载器,其中一个下载器具有摆渡攻击的能力,利用移动存储设备作为“渡船”,间接从隔离网中窃取攻击者感兴趣的文件;另一个下载器使用欺骗性的具有不可信数字证书的C2节点进行通信。
#ParsedReport
31-12-2022
ASEC (20221218 \~ 20221224). ASEC Weekly phishing email threat trend (20221218 \~ 20221224)
https://asec.ahnlab.com/ko/45061
Threats:
Agent_tesla
Formbook
Industry:
Transport, Financial
Geo:
Chile, Korean
TTPs:
IOCs:
File: 40
Url: 3
31-12-2022
ASEC (20221218 \~ 20221224). ASEC Weekly phishing email threat trend (20221218 \~ 20221224)
https://asec.ahnlab.com/ko/45061
Threats:
Agent_tesla
Formbook
Industry:
Transport, Financial
Geo:
Chile, Korean
TTPs:
IOCs:
File: 40
Url: 3
ASEC BLOG
ASEC 주간 피싱 이메일 위협 트렌드 (20221218 ~ 20221224) - ASEC BLOG
Contents피싱 이메일 위협 유형첨부파일 확장자유포 사례사례: 가짜 로그인 페이지 (FakePage)사례: 악성코드 (Infostealer, Downloader 등)주의 키워드: ‘RAR 압축파일’ 가짜 페이지 (FakePage) C2 주소피싱 이메일 공격 예방 ASEC 분석팀에서는 샘플 자동 분석 시스템(RAPIT)과 허니팟을 활용하여 피싱 이메일 위협을 모니터링하고 있다. 본 포스팅에서는 2022년 12월 18일부터 12월 24일까지 한 주간 확인된…
#ParsedReport
31-12-2022
NetSupport RAT. Netsupport RAT disguised as a Pokemon game
https://asec.ahnlab.com/ko/45073
Threats:
Netsupportmanager_rat
Ammyyadmin_tool
Anydesk_tool
Teamviewer_tool
Tmate_tool
Malware/win.generic.c5339867
Malware/win.generic.c5335414
Malware/win.generic.c5333592
Malware/win.malware-gen.c5331507
IOCs:
File: 13
Hash: 11
Domain: 1
Url: 6
Softs:
visual studio
31-12-2022
NetSupport RAT. Netsupport RAT disguised as a Pokemon game
https://asec.ahnlab.com/ko/45073
Threats:
Netsupportmanager_rat
Ammyyadmin_tool
Anydesk_tool
Teamviewer_tool
Tmate_tool
Malware/win.generic.c5339867
Malware/win.generic.c5335414
Malware/win.generic.c5333592
Malware/win.malware-gen.c5331507
IOCs:
File: 13
Hash: 11
Domain: 1
Url: 6
Softs:
visual studio
ASEC BLOG
포켓몬 게임으로 위장한 NetSupport RAT 악성코드 유포 중 - ASEC BLOG
NetSupport Manager는 원격 제어 도구로서 일반 사용자나 기업 사용자들이 원격으로 시스템을 제어하기 위한 목적으로 설치하고 사용할 수 있다. 하지만 외부에서 특정 시스템을 제어할 수 있다는 기능으로 인해 다수의 공격자들에 의해 악용되고 있다. 원격 제어 도구(Remote Administration Tool)들은 대부분 커맨드 라인 기반인 백도어 및 RAT(Remote Access Trojan) 악성코드들과 달리 사용자 편의가 중요하기 때문에…