#ParsedReport
28-12-2022
Types of Recent .NET Packers and Their Distribution Trends in Korea
https://asec.ahnlab.com/en/44809
Threats:
Agent_tesla
Snake_keylogger
Formbook
Lokibot_stealer
Asyncrat_rat
Majorcrypter
Darktortilla
Variantcrypter
Purecryptor
Confuserex_tool
Remcos_rat
Trojan/win.msilkrypt.r478738
Trojan/win.msilkrypt.r479010
Trojan/win.malwarex-gen.c4922823
Trojan/win.msilkrypt.c5020026
Trojan/win.msil.r503383
Trojan/win.msil.r510208
Trojan/win.msil.r492640
Trojan/win.msilkrypt.r478746
Trojan/win.msil.r491654
Trojan/win.msil.r479032
Trojan/win.msil.r536135
Trojan/win.loader.c5020045
Trojan/win.msilkrypt.r479033
Trojan/win.generic.c5197697
Trojan/win.msilkrypt.r479202
Trojan/win.msil.r5288800
Trojan/win.msil.c5134406
Trojan/win.msil.r498082
Trojan/win.msil.c5198300
Trojan/win.msil.r510204
Geo:
Korea
IOCs:
File: 52
Hash: 33
Url: 27
Algorithms:
xor, base64
Functions:
Sleep, Loader, Runn
Win API:
GetPixel
ASEC
Types of Recent .NET Packers and Their Distribution Trends in Korea - ASEC
#ParsedReport
28-12-2022
RCE Vulnerability (CVE-2022-45359) in Yith WooCommerce Gift Cards Plugin Exploited in Attacks
https://socradar.io/rce-vulnerability-cve-2022-45359-in-yith-woocommerce-gift-cards-plugin-exploited-in-attacks
Industry:
E-commerce, Financial
CVEs:
CVE-2022-45359 [Vulners]
Vulners: Score: Unknown, CVSS: 2.7,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- yithemes yith woocommerce gift cards (le3.19.0)
IOCs:
IP: 2
Softs:
wordpress
Languages:
php
SOCRadar® Cyber Intelligence Inc.
RCE Vulnerability (CVE-2022-45359) in Yith WooCommerce Gift Cards Plugin Exploited in Attacks - SOCRadar® Cyber Intelligence Inc.
In late November, security researchers found a critical vulnerability in Yith’s WooCommerce Gift Cards plugin. Attackers can gain remote code
#ParsedReport
29-12-2022
Typical mining family series analysis 2 | TeamTNT mining organization
https://www.antiy.cn/research/notice&report/research_report/20221207.html
Actors/Campaigns:
Teamtnt
Threats:
Hezb
Kthmimu
Tsunami_botnet
Masscan_tool
Zgrab_scanner_tool
Conti
Libprocesshider_rootkit
Tmate_tool
Pnscan_tool
Mimipy
Diamorphine_rootkit
Hildegard
Kangaroo
Mimipenguin_tool
Industry:
Energy, Government, Financial, Education
Geo:
Germany, German
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 13
Url: 48
Domain: 23
IP: 35
Hash: 138
Softs:
docker, redis
Algorithms:
aes, base64
www.antiy.cn
Typical Mining Family Series Analysis 2 | TeamTNT Mining Organization
Antiy CERT has organized the typical, widespread mining trojan families and groups it has tracked over recent years into a series of special reports; this installment covers the TeamTNT mining organization.
#ParsedReport
29-12-2022
"Eternity" organization: a continuously active commercial arsenal
https://www.antiy.cn/research/notice&report/research_report/20221223.html
Actors/Campaigns:
Eternity
Threats:
Jester_stealer
Lightm4n_actor
Userpro9_actor
Savethekiddes_actor
Ransomware.exe
Geo:
Ukraine
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 6
Hash: 2
Url: 2
Softs:
telegram, pyinstaller, discord
Algorithms:
aes, zip
Languages:
python
Platforms:
intel
www.antiy.cn
“Eternity” Group: A Continuously Active Commercial Arsenal
In this report, in addition to introducing the Jester hacker gang in more detail, Antiy CERT analyzes in depth the worm and ransomware it developed, to help users understand their malicious functionality and defend against them better.
#ParsedReport
29-12-2022
New CatB Ransomware Employs 2-Year Old DLL Hijacking Technique To Evade Detection
https://minerva-labs.com/blog/new-catb-ransomware-employs-2-year-old-dll-hijacking-technique-to-evade-detection
Threats:
CatB_ransomware
Dll_hijacking_technique
Pandora
Upx_tool
Industry:
Financial, Transport
TTPs:
IOCs:
File: 4
Path: 1
Hash: 2
Email: 1
Softs:
windows service
Win API:
GetSystemInfo, GlobalMemoryStatusEx, DeviceIoControl
#ParsedReport
29-12-2022
Hackers abuse Google Ads to spread malware in legit software
https://www.bleepingcomputer.com/news/security/hackers-abuse-google-ads-to-spread-malware-in-legit-software
Threats:
Anydesk_tool
Teamviewer_tool
Raccoon_stealer
Vidar_stealer
Icedid
Typosquatting_technique
Redline_stealer
Softs:
slack
Algorithms:
zip
BleepingComputer
Hackers abuse Google Ads to spread malware in legit software
Malware operators have been increasingly abusing the Google Ads platform to spread malware to unsuspecting users searching for popular software products.
#ParsedReport
29-12-2022
Hidden fangs in South Asia: SideWinder group's recent attack activity briefing
https://ti.qianxin.com/blog/articles/sidewinder-group%27s-recent-attack-activity-briefing
Actors/Campaigns:
Sidewinder
Threats:
Dll_sideloading_technique
Dotnettojscript_technique
Industry:
Government, Maritime, Education
Geo:
Bangladesh, Pakistan, China, Afghanistan, Asia, Pakistani, Nepal
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
IOCs:
File: 11
Hash: 14
Softs:
slack, android
Algorithms:
base64, xor
Languages:
javascript
Qianxin
Qi An Xin Threat Intelligence Center
#ParsedReport
29-12-2022
Analysis of recent attack activities of APT-C-36 (Blind Eagle)
https://mp.weixin.qq.com/s/mTmJLHYC9bJDnphf_52JmA
Actors/Campaigns:
Blindeagle
Threats:
Njrat_rat
Syncrat
Asyncrat_rat
Industry:
Financial, Government
Geo:
Spanish, America, Ecuador, Colombia, Colombian
IOCs:
Hash: 14
File: 26
Url: 6
Softs:
virtualbox
Algorithms:
base64, aes
Functions:
Settings
Languages:
c_language, csharp
Weixin Official Accounts Platform
Analysis of Recent Attack Activities of APT-C-36 (Blind Eagle)
APT-C-36 has recently favored spear-phishing attacks, using PDF files as the entry point and luring users to click malicious links inside the document to download RAR archive files.
#ParsedReport
29-12-2022
Operation Dragon Dance
https://ti.qianxin.com/blog/articles/operation-dragon-dance-the-sword-of-damocles-hanging-over-the-gaming-industry
Actors/Campaigns:
Dragon_dance
Miuuti
Dragon_breath
Threats:
Powerkatz_stealer
Industry:
Entertainment
CVEs:
CVE-2021-21220 [Vulners]
Vulners: Score: 6.8, CVSS: 3.1,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- google chrome (<89.0.4389.128)
- fedoraproject fedora (32, 33, 34)
IOCs:
File: 8
Softs:
node.js, curl, chrome, telegram
Languages:
delphi
Qianxin
Qi An Xin Threat Intelligence Center
#ParsedReport
30-12-2022
Analysis of the CNC group's "Ferry" Trojan targeting the military-industrial and education sectors
https://www.antiy.cn/research/notice&report/research_report/20221229.html
Actors/Campaigns:
Darkhotel
Industry:
Education
TTPs:
Tactics: 3
Technics: 0
IOCs:
File: 7
Hash: 2
IP: 2
Algorithms:
xxtea, base64
Platforms:
amd64
www.antiy.cn
Analysis of the CNC Group's “Ferry” Trojan Targeting the Military-Industrial and Education Sectors
While reviewing attack activity, Antiy's Emergency Response Center (Antiy CERT) discovered two downloaders used by the CNC group. One downloader has a "ferrying" attack capability: it uses removable storage devices as a "ferry" to indirectly steal files of interest to the attacker from isolated networks. The other downloader communicates with a deceptive C2 node that presents an untrusted digital certificate.
#ParsedReport
31-12-2022
ASEC Weekly Phishing Email Threat Trend (20221218 ~ 20221224)
https://asec.ahnlab.com/ko/45061
Threats:
Agent_tesla
Formbook
Industry:
Transport, Financial
Geo:
Chile, Korean
TTPs:
IOCs:
File: 40
Url: 3
ASEC BLOG
ASEC Weekly Phishing Email Threat Trend (20221218 ~ 20221224) - ASEC BLOG
Contents: Phishing email threat types; Attachment file extensions; Distribution cases; Case: fake login page (FakePage); Case: malware (Infostealer, Downloader, etc.); Keyword to beware of: ‘RAR archive’; Fake page (FakePage) C2 addresses; Preventing phishing email attacks. The ASEC analysis team monitors phishing email threats using its automatic sample analysis system (RAPIT) and honeypots. This post covers what was identified during the week from December 18 to December 24, 2022…
#ParsedReport
31-12-2022
NetSupport RAT disguised as a Pokemon game
https://asec.ahnlab.com/ko/45073
Threats:
Netsupportmanager_rat
Ammyyadmin_tool
Anydesk_tool
Teamviewer_tool
Tmate_tool
Malware/win.generic.c5339867
Malware/win.generic.c5335414
Malware/win.generic.c5333592
Malware/win.malware-gen.c5331507
IOCs:
File: 13
Hash: 11
Domain: 1
Url: 6
Softs:
visual studio
ASEC BLOG
NetSupport RAT Malware Being Distributed Disguised as a Pokemon Game - ASEC BLOG
NetSupport Manager is a remote control tool that individual or enterprise users can install and use to control systems remotely. However, because it allows a specific system to be controlled from outside, it is being abused by many attackers. Unlike backdoors and RAT (Remote Access Trojan) malware, which are mostly command-line based, remote administration tools place importance on user convenience, so…
#ParsedReport
02-01-2023
ASEC Weekly Malware Statistics (December 19th, 2022 – December 25th, 2022)
https://asec.ahnlab.com/en/45023
Threats:
Beamwinhttp_loader
Garbage_cleaner
Agent_tesla
Tofsee
Stop_ransomware
Smokeloader
Vidar_stealer
Formbook
Clipboard_grabbing_technique
Snake_keylogger
Industry:
Financial
Geo:
Korea
IOCs:
File: 19
Email: 9
Domain: 2
Url: 11
Softs:
telegram, discord
Languages:
php
ASEC BLOG
ASEC Weekly Malware Statistics (December 19th, 2022 – December 25th, 2022) - ASEC BLOG
Contents: Top 1 – BeamWinHTTP; Top 2 – AgentTesla; Top 3 – Tofsee; Top 4 – Formbook; Top 5 – SnakeKeylogger. The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected…
#ParsedReport
02-01-2023
Legitimate Apps a safe haven for IcedID
https://labs.k7computing.com/index.php/legitimate-apps-a-safe-haven-for-icedid
Threats:
Icedid
Cobalt_strike
Industry:
Financial
IOCs:
File: 6
Domain: 1
Hash: 2
Softs:
zoom
Algorithms:
zip
Platforms:
x86
K7 Labs
Legitimate Apps a safe haven for IcedID
IcedID is a Banking Trojan (used to steal banking details) which has been active since 2017. However, it’s being used these days […]
#ParsedReport
02-01-2023
Dark Web Profile: MuddyWater APT Group
https://socradar.io/dark-web-profile-muddywater-apt-group
Actors/Campaigns:
Muddywater (motivation: cyber_espionage, financially_motivated)
Unc3313
Threats:
Powgoop
Powerstats
Stuxnet
Mimikatz_tool
Ligolo
Screenconnect_tool
Ehorus_tool
Starwhale
Disttrack
Syncro_tool
Industry:
Government, Energy, Healthcare, Education, Financial
Geo:
Asia, Iraq, Africa, Turkish, Turkey, Azerbaijan, Irans, America, Iran, Pakistan, Israeli, Bahrain, Iranian, Emirates, Israel
TTPs:
Tactics: 12
Technics: 55
IOCs:
File: 11
Hash: 30
IP: 16
Softs:
component object model
Languages:
visual_basic, python, javascript
SOCRadar® Cyber Intelligence Inc.
Dark Web Profile: MuddyWater APT Group
April 19, 2023: Added subheading: “MuddyWater Uses SimpleHelp Tool for Persistence on Victim Devices”
#ParsedReport
03-01-2023
How Infostealer Threat Actors Make a Profit
https://asec.ahnlab.com/en/45150
Threats:
Agent_tesla
Formbook
Lokibot_stealer
Snake_keylogger
Redline_stealer
Vidar_stealer
Lockbit
Industry:
Financial
#ParsedReport
03-01-2023
ASEC Weekly Phishing Email Threat Trends (December 18th, 2022 – December 24th, 2022)
https://asec.ahnlab.com/en/45237
Threats:
Agent_tesla
Formbook
Industry:
Transport, Financial
Geo:
Chile, Korean
TTPs:
IOCs:
File: 36
Url: 3
ASEC BLOG
ASEC Weekly Phishing Email Threat Trends (December 18th, 2022 – December 24th, 2022) - ASEC BLOG
Contents: Phishing Emails; File Extensions in Phishing Emails; Cases of Distribution; Case: FakePage; Case: Malware (Infostealer, Downloader, etc.); Keywords to Beware of: ‘RAR Compressed File’; FakePage C2 URL; Preventing Phishing Email Attacks. The ASEC analysis team monitors…
#ParsedReport
03-01-2023
BitRAT Now Sharing Sensitive Bank Data as a Lure
https://blog.qualys.com/vulnerabilities-threat-research/2023/01/03/bitrat-now-sharing-sensitive-bank-data-as-a-lure
Threats:
Sbit_rat
Redline_stealer
Industry:
Financial
TTPs:
Tactics: 1
Technics: 9
IOCs:
File: 1
Hash: 1
Win API:
WinExec
Qualys Security Blog
BitRAT Now Sharing Sensitive Bank Data as a Lure | Qualys Security Blog
In June of 2022 Qualys Threat Research Unit (TRU) wrote an in-depth report on Redline, a commercial off the shelf infostealer that spreads via fake cracked software hosted on Discord’s content…
#ParsedReport
04-01-2023
Shc Linux Malware Installing CoinMiner
https://asec.ahnlab.com/en/45182
Threats:
Xmrig_miner
Perlbot
Geo:
Korea
IOCs:
File: 1
Hash: 12
IP: 2
Url: 9
Softs:
ubuntu
Algorithms:
rc4
Languages:
perl
ASEC
Shc Linux Malware Installing CoinMiner - ASEC
#ParsedReport
04-01-2023
Pupy RAT hiding under WerFault's cover
https://labs.k7computing.com/index.php/pupy-rat-hiding-under-werfaults-cover
Actors/Campaigns:
Apt33 (motivation: cyber_espionage)
Cleaver (motivation: cyber_espionage)
Threats:
Pupy_rat
Lolbin_technique
Dll_sideloading_technique
Cloudeye
Reflectiveloader
Industry:
Energy
Geo:
Chinese, China, Iran
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 6
Hash: 3
Url: 1
Softs:
windows error reporting
Algorithms:
rc4
Win API:
CreateThread
Languages:
python
Links:
https://github.com/n1nj4sec/pupy
K7 Labs
Pupy RAT hiding under WerFault’s cover
We at K7 Labs recently identified an interesting technique used by threat actors to execute a Remote Admin Tool. We […]
#ParsedReport
05-01-2023
BlindEagle Targeting Ecuador With Sharpened Tools
https://research.checkpoint.com/2023/blindeagle-targeting-ecuador-with-sharpened-tools
Actors/Campaigns:
Blindeagle (motivation: financially_motivated, cyber_espionage)
Cloudatlas
Threats:
Quasar_rat
Meterpreter_tool
Lotl_technique
Azov
Wannacry
Rubyminer
Adwind_rat
Industry:
Financial, Government
Geo:
Ukraine, Ecuador, America, Russia, Spanish, Belarus, Colombian, Colombia, Turkish
IOCs:
Url: 5
File: 14
Domain: 3
Registry: 3
Hash: 13
Softs:
pyinstaller, windows defender, office 365, android
Algorithms:
prng, base64, zip
Functions:
GetConsoleWindow, CreateObject
Win API:
ShowWindow, VirtualAlloc, RtlMoveMemory, CreateThread, WaitForSingleObject
Win Services:
WebClient
Languages:
python
Links:
https://github.com/rapid7/metasploit-payloads/blob/master/python/meterpreter/meterpreter.py
Check Point Research
BlindEagle Targeting Ecuador With Sharpened Tools - Check Point Research
Blind Eagle is a financially motivated threat group that has been launching indiscriminate attacks against citizens of various countries in South America since at least 2018. In a recent campaign targeting Ecuador-based organizations, CPR detected a new…