CTT Report Hub
Threat Intelligence Report Hub
https://cyberthreat.tech
ООО Технологии киберугроз (Cyber Threat Technologies LLC)
Contact: @nikolaiav
#ParsedReport
29-12-2022

Hidden Fangs in South Asia: SideWinder Group's Recent Attack Activity Briefing

https://ti.qianxin.com/blog/articles/sidewinder-group%27s-recent-attack-activity-briefing

Actors/Campaigns:
Sidewinder

Threats:
Dll_sideloading_technique
Dotnettojscript_technique

Industry:
Government, Maritime, Education

Geo:
Bangladesh, Pakistan, China, Afghanistan, Asia, Nepal

CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)


IOCs:
File: 11
Hash: 14

Softs:
slack, android

Algorithms:
base64, xor

Languages:
javascript
#ParsedReport
29-12-2022

APT-C-36: Analysis of Attack Activities

https://mp.weixin.qq.com/s/mTmJLHYC9bJDnphf_52JmA

Actors/Campaigns:
Blindeagle

Threats:
Njrat_rat
Syncrat
Asyncrat_rat

Industry:
Financial, Government

Geo:
Spanish, America, Ecuador, Colombia

IOCs:
Hash: 14
File: 26
Url: 6

Softs:
virtualbox

Algorithms:
base64, aes

Functions:
Settings

Languages:
c_language, csharp
#ParsedReport
29-12-2022

Operation Dragon Dance

https://ti.qianxin.com/blog/articles/operation-dragon-dance-the-sword-of-damocles-hanging-over-the-gaming-industry

Actors/Campaigns:
Dragon_dance
Miuuti
Dragon_breath

Threats:
Powerkatz_stealer

Industry:
Entertainment

CVEs:
CVE-2021-21220 [Vulners]
Vulners: Score: 6.8, CVSS: 3.1
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- google chrome (<89.0.4389.128)
- fedoraproject fedora (32, 33, 34)


IOCs:
File: 8

Softs:
node.js, curl, chrome, telegram

Languages:
delphi
#ParsedReport
02-01-2023

ASEC Weekly Malware Statistics (December 19th, 2022 to December 25th, 2022)

https://asec.ahnlab.com/en/45023

Threats:
Beamwinhttp_loader
Garbage_cleaner
Agent_tesla
Tofsee
Stop_ransomware
Smokeloader
Vidar_stealer
Formbook
Clipboard_grabbing_technique
Snake_keylogger

Industry:
Financial

Geo:
Korea

IOCs:
File: 19
Email: 9
Domain: 2
Url: 11

Softs:
telegram, discord

Languages:
php
#ParsedReport
02-01-2023

Dark Web Profile: MuddyWater APT Group

https://socradar.io/dark-web-profile-muddywater-apt-group

Actors/Campaigns:
Muddywater (motivation: cyber_espionage, financially_motivated)
Unc3313

Threats:
Powgoop
Powerstats
Stuxnet
Mimikatz_tool
Ligolo
Screenconnect_tool
Ehorus_tool
Starwhale
Disttrack
Syncro_tool

Industry:
Government, Energy, Healthcare, Education, Financial

Geo:
Asia, Iraq, Africa, Turkey, Azerbaijan, America, Iran, Pakistan, Bahrain, Emirates, Israel

TTPs:
Tactics: 12
Techniques: 55

IOCs:
File: 11
Hash: 30
IP: 16

Softs:
component object model

Languages:
visual_basic, python, javascript
#ParsedReport
03-01-2023

How Infostealer Threat Actors Make a Profit

https://asec.ahnlab.com/en/45150

Threats:
Agent_tesla
Formbook
Lokibot_stealer
Snake_keylogger
Redline_stealer
Vidar_stealer
Lockbit

Industry:
Financial
#ParsedReport
04-01-2023

Shc Linux Malware Installing CoinMiner

https://asec.ahnlab.com/en/45182

Threats:
Xmrig_miner
Perlbot

Geo:
Korea

IOCs:
File: 1
Hash: 12
IP: 2
Url: 9

Softs:
ubuntu

Algorithms:
rc4

Languages:
perl
#ParsedReport
04-01-2023

Pupy RAT hiding under WerFault's cover

https://labs.k7computing.com/index.php/pupy-rat-hiding-under-werfaults-cover

Actors/Campaigns:
Apt33 (motivation: cyber_espionage)
Cleaver (motivation: cyber_espionage)

Threats:
Pupy_rat
Lolbin_technique
Dll_sideloading_technique
Cloudeye
Reflectiveloader

Industry:
Energy

Geo:
China, Iran

TTPs:
Tactics: 1
Techniques: 0

IOCs:
File: 6
Hash: 3
Url: 1

Softs:
windows error reporting

Algorithms:
rc4

Win API:
CreateThread

Languages:
python

Links:
https://github.com/n1nj4sec/pupy
#ParsedReport
05-01-2023

BlindEagle Targeting Ecuador With Sharpened Tools

https://research.checkpoint.com/2023/blindeagle-targeting-ecuador-with-sharpened-tools

Actors/Campaigns:
Blindeagle (motivation: financially_motivated, cyber_espionage)
Cloudatlas

Threats:
Quasar_rat
Meterpreter_tool
Lotl_technique
Azov
Wannacry
Rubyminer
Adwind_rat

Industry:
Financial, Government

Geo:
Ukraine, Ecuador, America, Russia, Spanish, Belarus, Colombia, Turkish

IOCs:
Url: 5
File: 14
Domain: 3
Registry: 3
Hash: 13

Softs:
pyinstaller, windows defender, office 365, android

Algorithms:
prng, base64, zip

Functions:
GetConsoleWindow, CreateObject

Win API:
ShowWindow, VirtualAlloc, RtlMoveMemory, CreateThread, WaitForSingleObject

Win Services:
WebClient

Languages:
python

Links:
https://github.com/rapid7/metasploit-payloads/blob/master/python/meterpreter/meterpreter.py
#ParsedReport
05-01-2023

Securonix Threat Labs Monthly Intelligence Insights December

https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-december

Actors/Campaigns:
Agrius
Steppy_kavach
Phosphorus
Transparenttribe
Sidecopy

Threats:
Crywiper
Zerobot
Raspberry_robin
Avkiller
Burntcigar_tool
Cuba
Apostle
Fantasy_wiper
Log4shell_vuln
Proxyshell_vuln

Industry:
Telco, Government, Energy, Iot, Financial

Geo:
Israel, India, Mexico, Argentina, Iran, Africa, Pakistan, Brazil, France, American, Colombia, Australia, Russian, Emirates, Croatia, Italy

CVEs:
CVE-2022-42475 [Vulners]
Vulners: Score: Unknown, CVSS: 6.2
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix

CVE-2022-33891 [Vulners]
Vulners: Score: Unknown, CVSS: 2.3
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- apache spark (<=3.0.3, <=3.1.2, <=3.2.1)


IOCs:
Path: 1
Command: 1
File: 14
IP: 1
Domain: 1

Softs:
apache spark

Languages:
javascript
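Every post above follows the same machine-generated layout: a date line, the report title, the source URL, then labelled sections ("Threats:", "CVEs:", "IOCs:", ...). As an added example, not part of the CTT Report Hub's own tooling, here is a Python parser that turns such posts into records and pulls out the two things a triage analyst wants first from a feed like this: the CVEs that Vulners flags as exploited, and the IOC volume per report. The sample feed is constructed from abridged copies of two entries on this page; reading version tokens such as le3.0.3 as "<=3.0.3" is my interpretation of the feed's notation, and the lt/ge/gt cases are an assumption by analogy.

```python
# Added example: parser for the "#ParsedReport" post layout used on this page.
# Not the channel's own code. SAMPLE_FEED is constructed from abridged entries above.
import re
from dataclasses import dataclass, field

SAMPLE_FEED = """#ParsedReport
05-01-2023
Securonix Threat Labs Monthly Intelligence Insights December

https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-december
CVEs:
CVE-2022-42475 [Vulners]
Vulners: Score: Unknown, CVSS: 6.2,
Vulners: Exploitation: True
X-Force: Risk: 9.8

CVE-2022-33891 [Vulners]
Vulners: Exploitation: Unknown
Soft:
- apache spark (le3.0.3, le3.2.1, le3.1.2)

IOCs:
File: 14
IP: 1
#ParsedReport
04-01-2023
Shc Linux Malware Installing CoinMiner

https://asec.ahnlab.com/en/45182
Threats:
Xmrig_miner
Perlbot

IOCs:
Hash: 12
Url: 9
"""

SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z /]*):$")   # "Threats:", "Win API:", ...
CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\b")
IOC_RE = re.compile(r"^(\w+): (\d+)$")                 # "Hash: 12"
# The feed writes "le3.0.3" for "<= 3.0.3"; lt/ge/gt are assumed by analogy (not seen on the page).
VERSION_OPS = {"le": "<=", "lt": "<", "ge": ">=", "gt": ">"}


@dataclass
class CVE:
    cve_id: str
    exploited: "bool | None" = None      # None when Vulners says "Unknown"
    xforce_risk: "float | None" = None
    software: list = field(default_factory=list)


@dataclass
class Report:
    date: str
    title: str
    url: str
    sections: dict = field(default_factory=dict)    # "Threats" -> ["Xmrig_miner", ...]
    cves: list = field(default_factory=list)
    ioc_counts: dict = field(default_factory=dict)  # "Hash" -> 12


def normalize_versions(text: str) -> str:
    # Rewrite flattened version constraints such as "le3.0.3" as "<=3.0.3".
    return re.sub(r"\b(le|lt|ge|gt)(\d)", lambda m: VERSION_OPS[m.group(1)] + m.group(2), text)


def parse_post(post: str) -> Report:
    # One post: date, title, URL, then labelled sections. Blank lines carry no meaning.
    lines = [ln.strip() for ln in post.split("\n") if ln.strip()]
    url_idx = next(i for i, ln in enumerate(lines) if ln.startswith("http"))
    rep = Report(date=lines[0], title=lines[1], url=lines[url_idx])
    section, cve = None, None
    for line in lines[url_idx + 1:]:
        m = SECTION_RE.match(line)
        if m and not (section == "CVEs" and line == "Soft:"):   # "Soft:" nests inside a CVE
            section, cve = m.group(1), None
        elif section == "CVEs":
            if (mc := CVE_RE.match(line)):
                cve = CVE(mc.group(1))
                rep.cves.append(cve)
            elif cve is not None and line.startswith("Vulners: Exploitation:"):
                cve.exploited = {"True": True, "False": False}.get(line.rsplit(":", 1)[1].strip())
            elif cve is not None and line.startswith("X-Force: Risk:"):
                cve.xforce_risk = float(line.rsplit(":", 1)[1])
            elif cve is not None and line.startswith("- "):
                cve.software.append(normalize_versions(line[2:]))
        elif section == "IOCs":
            if (mi := IOC_RE.match(line)):
                rep.ioc_counts[mi.group(1)] = int(mi.group(2))
        elif section is not None:
            rep.sections.setdefault(section, []).append(line)
    return rep


def parse_feed(feed: str) -> list:
    # Posts are delimited by the "#ParsedReport" hashtag on its own line.
    return [parse_post(p) for p in re.split(r"^#ParsedReport[ \t]*$", feed, flags=re.M) if p.strip()]


def total_iocs(rep: Report) -> int:
    return sum(rep.ioc_counts.values())


def exploited_cves(reports) -> list:
    # (title, CVE) pairs where Vulners reports in-the-wild exploitation: patch these first.
    return [(r.title, c.cve_id) for r in reports for c in r.cves if c.exploited is True]
```

Running parse_feed(SAMPLE_FEED) yields two Report records; exploited_cves() on them returns only CVE-2022-42475, since the second CVE's Vulners exploitation flag is "Unknown" and is deliberately kept as None rather than treated as false. Feed the channel export in place of SAMPLE_FEED to index the whole hub.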
Poll: Do we need links to tooling on this channel: tools, obfuscators, etc. (tag #technique)?
Final results
77% Yes
18% No
5%