#ParsedReport
31-12-2022
NetSupport RAT. Netsupport RAT disguised as a Pokemon game
https://asec.ahnlab.com/ko/45073
Threats:
Netsupportmanager_rat
Ammyyadmin_tool
Anydesk_tool
Teamviewer_tool
Tmate_tool
Malware/win.generic.c5339867
Malware/win.generic.c5335414
Malware/win.generic.c5333592
Malware/win.malware-gen.c5331507
IOCs:
File: 13
Hash: 11
Domain: 1
Url: 6
Softs:
visual studio
ASEC BLOG
NetSupport RAT malware disguised as a Pokémon game is being distributed - ASEC BLOG
NetSupport Manager is a remote control tool that ordinary and enterprise users can install and use to control systems remotely. However, because it lets an external party control a specific system, it is abused by many attackers. Unlike backdoors and RAT (Remote Access Trojan) malware, which are mostly command-line based, remote administration tools prioritise user convenience, so…
#ParsedReport
02-01-2023
ASEC Weekly Malware Statistics (December 19th, 2022 December 25th, 2022)
https://asec.ahnlab.com/en/45023
Threats:
Beamwinhttp_loader
Garbage_cleaner
Agent_tesla
Tofsee
Stop_ransomware
Smokeloader
Vidar_stealer
Formbook
Clipboard_grabbing_technique
Snake_keylogger
Industry:
Financial
Geo:
Korea
IOCs:
File: 19
Email: 9
Domain: 2
Url: 11
Softs:
telegram, discord
Languages:
php
ASEC BLOG
ASEC Weekly Malware Statistics (December 19th, 2022 – December 25th, 2022) - ASEC BLOG
Contents: Top 1 – BeamWinHTTP; Top 2 – AgentTesla; Top 3 – Tofsee; Top 4 – Formbook; Top 5 – SnakeKeylogger. The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected…
#ParsedReport
02-01-2023
Legitimate Apps a safe haven for IcedID
https://labs.k7computing.com/index.php/legitimate-apps-a-safe-haven-for-icedid
Threats:
Icedid
Cobalt_strike
Industry:
Financial
IOCs:
File: 6
Domain: 1
Hash: 2
Softs:
zoom
Algorithms:
zip
Platforms:
x86
K7 Labs
Legitimate Apps a safe haven for IcedID
IcedID is a Banking Trojan (used to steal banking details) which has been active since 2017. However, it's being used these days […]
#ParsedReport
02-01-2023
Dark Web Profile: MuddyWater APT Group
https://socradar.io/dark-web-profile-muddywater-apt-group
Actors/Campaigns:
Muddywater (motivation: cyber_espionage, financially_motivated)
Unc3313
Threats:
Powgoop
Powerstats
Stuxnet
Mimikatz_tool
Ligolo
Screenconnect_tool
Ehorus_tool
Starwhale
Disttrack
Syncro_tool
Industry:
Government, Energy, Healthcare, Education, Financial
Geo:
Asia, Iraq, Africa, Turkish, Turkey, Azerbaijan, Irans, America, Iran, Pakistan, Israeli, Bahrain, Iranian, Emirates, Israel
TTPs:
Tactics: 12
Technics: 55
IOCs:
File: 11
Hash: 30
IP: 16
Softs:
component object model
Languages:
visual_basic, python, javascript
SOCRadar® Cyber Intelligence Inc.
Dark Web Profile: MuddyWater APT Group
April 19, 2023: Added subheading: “MuddyWater Uses SimpleHelp Tool for Persistence on Victim Devices”
#ParsedReport
03-01-2023
How Infostealer Threat Actors Make a Profit
https://asec.ahnlab.com/en/45150
Threats:
Agent_tesla
Formbook
Lokibot_stealer
Snake_keylogger
Redline_stealer
Vidar_stealer
Lockbit
Industry:
Financial
#ParsedReport
03-01-2023
ASEC Weekly Phishing Email Threat Trends (December 18th, 2022 December 24th, 2022)
https://asec.ahnlab.com/en/45237
Threats:
Agent_tesla
Formbook
Industry:
Transport, Financial
Geo:
Chile, Korean
TTPs:
IOCs:
File: 36
Url: 3
ASEC BLOG
ASEC Weekly Phishing Email Threat Trends (December 18th, 2022 – December 24th, 2022) - ASEC BLOG
Contents: Phishing Emails; File Extensions in Phishing Emails; Cases of Distribution; Case: FakePage; Case: Malware (Infostealer, Downloader, etc.); Keywords to Beware of: 'RAR Compressed File'; FakePage C2 URL; Preventing Phishing Email Attacks. The ASEC analysis team monitors…
#ParsedReport
03-01-2023
BitRAT Now Sharing Sensitive Bank Data as a Lure
https://blog.qualys.com/vulnerabilities-threat-research/2023/01/03/bitrat-now-sharing-sensitive-bank-data-as-a-lure
Threats:
Sbit_rat
Redline_stealer
Industry:
Financial
TTPs:
Tactics: 1
Technics: 9
IOCs:
File: 1
Hash: 1
Win API:
WinExec
Qualys Security Blog
BitRAT Now Sharing Sensitive Bank Data as a Lure | Qualys Security Blog
In June of 2022 Qualys Threat Research Unit (TRU) wrote an in-depth report on Redline, a commercial off the shelf infostealer that spreads via fake cracked software hosted on Discord’s content…
#ParsedReport
04-01-2023
Shc Linux Malware Installing CoinMiner
https://asec.ahnlab.com/en/45182
Threats:
Xmrig_miner
Perlbot
Geo:
Korea
IOCs:
File: 1
Hash: 12
IP: 2
Url: 9
Softs:
ubuntu
Algorithms:
rc4
Languages:
perl
ASEC
Shc Linux Malware Installing CoinMiner - ASEC
#ParsedReport
04-01-2023
Pupy RAT hiding under WerFaults cover
https://labs.k7computing.com/index.php/pupy-rat-hiding-under-werfaults-cover
Actors/Campaigns:
Apt33 (motivation: cyber_espionage)
Cleaver (motivation: cyber_espionage)
Threats:
Pupy_rat
Lolbin_technique
Dll_sideloading_technique
Cloudeye
Reflectiveloader
Industry:
Energy
Geo:
Chinese, China, Iran
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 6
Hash: 3
Url: 1
Softs:
windows error reporting
Algorithms:
rc4
Win API:
CreateThread
Languages:
python
Links:
https://github.com/n1nj4sec/pupy
K7 Labs
Pupy RAT hiding under WerFault’s cover
We at K7 Labs recently identified an interesting technique used by threat actors to execute a Remote Admin Tool. We […]
#ParsedReport
05-01-2023
BlindEagle Targeting Ecuador With Sharpened Tools. HIGHLIGHTS:
https://research.checkpoint.com/2023/blindeagle-targeting-ecuador-with-sharpened-tools
Actors/Campaigns:
Blindeagle (motivation: financially_motivated, cyber_espionage)
Cloudatlas
Threats:
Quasar_rat
Meterpreter_tool
Lotl_technique
Azov
Wannacry
Rubyminer
Adwind_rat
Industry:
Financial, Government
Geo:
Ukraine, Ecuador, America, Russia, Spanish, Belarus, Colombian, Colombia, Turkish
IOCs:
Url: 5
File: 14
Domain: 3
Registry: 3
Hash: 13
Softs:
pyinstaller, windows defender, office 365, android
Algorithms:
prng, base64, zip
Functions:
GetConsoleWindow, CreateObject
Win API:
ShowWindow, VirtualAlloc, RtlMoveMemory, CreateThread, WaitForSingleObject
Win Services:
WebClient
Languages:
python
Links:
https://github.com/rapid7/metasploit-payloads/blob/master/python/meterpreter/meterpreter.py
Check Point Research
BlindEagle Targeting Ecuador With Sharpened Tools - Check Point Research
Blind Eagle is a financially motivated threat group that has been launching indiscriminate attacks against citizens of various countries in South America since at least 2018. In a recent campaign targeting Ecuador based organizations, CPR detected a new…
#ParsedReport
05-01-2023
Securonix Threat Labs Monthly Intelligence Insights December
https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-december
Actors/Campaigns:
Agrius
Steppy_kavach
Phosphorus
Transparenttribe
Sidecopy
Threats:
Crywiper
Zerobot
Raspberry_robin
Avkiller
Burntcigar_tool
Cuba
Apostle
Fantasy_wiper
Log4shell_vuln
Proxyshell_vuln
Industry:
Telco, Government, Energy, Iot, Financial
Geo:
Israel, Indias, Mexico, Argentina, Iran, Africa, Pakistan, Brazil, France, American, Colombia, Australian, Iranian, Russian, Australia, Indian, India, Emirates, Croatia, Italy
CVEs:
CVE-2022-42475 [Vulners]
Vulners: Score: Unknown, CVSS: 6.2,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
CVE-2022-33891 [Vulners]
Vulners: Score: Unknown, CVSS: 2.3,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- apache spark (le3.0.3, le3.2.1, le3.1.2)
IOCs:
Path: 1
Command: 1
File: 14
IP: 1
Domain: 1
Softs:
apache spark
Languages:
javascript
Securonix
Securonix Threat Labs Monthly Intelligence Insights – December
#technique
DNSKeyGen is a Python-based open-source tool designed to facilitate the exchange of command and control (C2) beacon/implant decryption keys through DNS records, including A, AAAA, and TXT records.
https://github.com/mhaskar/DNSKeyGen
GitHub
GitHub - mhaskar/DNSKeyGen: A tool to exchange decryption keys for command and control (C2) beacons and implants through DNS records.
A tool to exchange decryption keys for command and control (C2) beacons and implants through DNS records. - mhaskar/DNSKeyGen
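The post above gives the technique in one sentence. The block below is an added example written for this page, not DNSKeyGen's own code, showing the mechanism concretely: a symmetric key is split into chunks that fit one DNS record each (4 bytes per A record, 16 per AAAA record, a base64 string in a TXT record), published under ordered labels, then queried back and reassembled on the implant side. DNSKeyGen's real record layout, label naming and any integrity check are not described in the post, so the k0/k1/... label scheme, the fp TXT fingerprint record, the in-memory dict standing in for a DNS zone and the 32-byte sample key are all assumptions of this example.

```python
"""Key exchange over DNS records: added illustrative example for this page,
not DNSKeyGen's code. Label scheme (k0.<zone>, k1.<zone>, ... and fp.<zone>)
and the dict standing in for a real zone are assumptions of this example."""
from __future__ import annotations

import base64
import hashlib
import ipaddress

# Constructed 32-byte sample key (bytes 0x00..0x1f); not from any real campaign.
SAMPLE_KEY = bytes(range(32))

# Bytes that fit in one record's RDATA for each address-type record.
CHUNK_SIZE = {"A": 4, "AAAA": 16}


def key_to_records(key: bytes, rrtype: str) -> list[str]:
    """Split key into per-record chunks rendered as RDATA strings.

    A    -> 4-byte chunks as dotted-quad IPv4 addresses (32-byte key = 8 records)
    AAAA -> 16-byte chunks as IPv6 addresses            (32-byte key = 2 records)
    TXT  -> one base64 string (44 chars for 32 bytes, under the 255-byte TXT limit)
    """
    if rrtype == "TXT":
        return [base64.b64encode(key).decode("ascii")]
    if rrtype not in CHUNK_SIZE:
        raise ValueError(f"unsupported record type {rrtype!r}")
    size = CHUNK_SIZE[rrtype]
    if len(key) % size:
        raise ValueError(f"key length {len(key)} is not a multiple of {size}")
    addr = ipaddress.IPv4Address if rrtype == "A" else ipaddress.IPv6Address
    return [str(addr(key[i:i + size])) for i in range(0, len(key), size)]


def records_to_key(records: list[str], rrtype: str) -> bytes:
    """Inverse of key_to_records; records must already be in chunk order."""
    if rrtype == "TXT":
        return base64.b64decode("".join(records), validate=True)
    if rrtype == "A":
        return b"".join(ipaddress.IPv4Address(r).packed for r in records)
    if rrtype == "AAAA":
        return b"".join(ipaddress.IPv6Address(r).packed for r in records)
    raise ValueError(f"unsupported record type {rrtype!r}")


def build_zone(key: bytes, rrtype: str, zone: str) -> dict:
    """Operator side: publish the key as ordered labels k0.<zone>, k1.<zone>, ...
    plus a TXT fingerprint the receiver checks after reassembly.
    Returns {(name, rrtype): [rdata, ...]}, standing in for a zone file."""
    zone_data = {}
    for i, rdata in enumerate(key_to_records(key, rrtype)):
        zone_data[(f"k{i}.{zone}", rrtype)] = [rdata]
    zone_data[(f"fp.{zone}", "TXT")] = [hashlib.sha256(key).hexdigest()[:16]]
    return zone_data


def resolve(zone_data: dict, name: str, rrtype: str) -> list[str]:
    """Stand-in for a DNS query: returns the RDATA list, or KeyError as NXDOMAIN."""
    return zone_data[(name, rrtype)]


def fetch_key(zone_data: dict, zone: str, rrtype: str, max_records: int = 64) -> bytes:
    """Implant side: query k0, k1, ... until NXDOMAIN, reassemble, verify.
    DNS does not guarantee answer order, so chunk order lives in the label."""
    records: list[str] = []
    for i in range(max_records):
        try:
            records.extend(resolve(zone_data, f"k{i}.{zone}", rrtype))
        except KeyError:
            break  # first missing label marks the end of the key
    if not records:
        raise RuntimeError("no key records found")
    key = records_to_key(records, rrtype)
    expected = resolve(zone_data, f"fp.{zone}", "TXT")[0]
    if hashlib.sha256(key).hexdigest()[:16] != expected:
        raise RuntimeError("fingerprint mismatch: key truncated or tampered")
    return key


if __name__ == "__main__":
    for t in ("A", "AAAA", "TXT"):
        zone = build_zone(SAMPLE_KEY, t, "example.test")
        print(t, key_to_records(SAMPLE_KEY, t), fetch_key(zone, "example.test", t) == SAMPLE_KEY)
```

The truncated SHA-256 in the fp record only detects a missing or reordered chunk; it is not authentication, since anyone who can write the zone can rewrite the fingerprint too. From the detection side, the observable is the same whatever record type is used: a short burst of lookups for sequential labels under a rarely seen domain, returning addresses that are never connected to, or TXT data with the entropy of base64.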
#technique
pure-python implementation of MemoryModule technique to load a dll entirely from memory
https://github.com/naksyn/PythonMemoryModule
GitHub
GitHub - naksyn/PythonMemoryModule: pure-python implementation of MemoryModule technique to load dll and unmanaged exe entirely…
pure-python implementation of MemoryModule technique to load dll and unmanaged exe entirely from memory - naksyn/PythonMemoryModule
#technique
Alcatraz is a x64 binary obfuscator that is able to obfuscate various different pe files including:
https://github.com/weak1337/Alcatraz
GitHub
GitHub - weak1337/Alcatraz: x64 binary obfuscator
x64 binary obfuscator. Contribute to weak1337/Alcatraz development by creating an account on GitHub.
Should this channel post links to tooling: tools, obfuscators, etc. (tag #technique)?
Final Results
77%
Yes
18%
No
5%
View the answers
Thanks for taking part in the poll.
The picture is clear; posts under the #technique tag will continue :)
#technique
Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime
https://github.com/D1rkMtr/UnhookingPatch
#technique
Bypass userland EDR hooks by loading a reflective ntdll in memory from a remote server, chosen by the Windows ReleaseID, to avoid opening a handle to ntdll, and trigger exported APIs from the export table
https://github.com/D1rkMtr/FilelessNtdllReflection
#ParsedReport
05-01-2023
Unraveling the techniques of Mac ransomware
https://www.microsoft.com/en-us/security/blog/2023/01/05/unraveling-the-techniques-of-mac-ransomware
Threats:
Opendir
Filecoder
Keranger
Macransom
Evilquest
Applescript
Timestomp_technique
TTPs:
Tactics: 8
Technics: 27
IOCs:
File: 1
Hash: 5
Softs:
macos, microsoft defender for endpoint, unix, mac os, virtualbox, microsoft edge, microsoft defender, sudo
Algorithms:
xor, cbc, aes, hmac, zip
Functions:
opendir, readdir, closedir, ptrace, time, sleep, kqueue, kevent, CreateMatchingDirectory
Languages:
objective_c
Links:
https://github.com/gdbinit/gopher
#ParsedReport
06-01-2023
ASEC Weekly Malware Statistics (December 26th, 2022 January 1st, 2023)
https://asec.ahnlab.com/en/45359
Threats:
Smokeloader
Redline_stealer
Beamwinhttp_loader
Garbage_cleaner
Vidar_stealer
Tofsee
Stop_ransomware
Industry:
Financial
Geo:
Korean, Korea
IOCs:
File: 1
Domain: 7
IP: 6
Url: 6
ASEC BLOG
ASEC Weekly Malware Statistics (December 26th, 2022 – January 1st, 2023) - ASEC BLOG
Contents: Top 1 – SmokeLoader; Top 2 – Redline; Top 3 – BeamWinHTTP; Top 4 – Vidar; Top 5 – Tofsee. The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from…