#ParsedReport
02-01-2023
Dark Web Profile: MuddyWater APT Group
https://socradar.io/dark-web-profile-muddywater-apt-group
Actors/Campaigns:
Muddywater (motivation: cyber_espionage, financially_motivated)
Unc3313
Threats:
Powgoop
Powerstats
Stuxnet
Mimikatz_tool
Ligolo
Screenconnect_tool
Ehorus_tool
Starwhale
Disttrack
Syncro_tool
Industry:
Government, Energy, Healthcare, Education, Financial
Geo:
Asia, Iraq, Africa, Turkish, Turkey, Azerbaijan, Irans, America, Iran, Pakistan, Israeli, Bahrain, Iranian, Emirates, Israel
TTPs:
Tactics: 12
Technics: 55
IOCs:
File: 11
Hash: 30
IP: 16
Softs:
component object model
Languages:
visual_basic, python, javascript
SOCRadar® Cyber Intelligence Inc.
Dark Web Profile: MuddyWater APT Group
April 19, 2023: Added subheading: “MuddyWater Uses SimpleHelp Tool for Persistence on Victim Devices”
#ParsedReport
03-01-2023
How Infostealer Threat Actors Make a Profit
https://asec.ahnlab.com/en/45150
Threats:
Agent_tesla
Formbook
Lokibot_stealer
Snake_keylogger
Redline_stealer
Vidar_stealer
Lockbit
Industry:
Financial
#ParsedReport
03-01-2023
ASEC Weekly Phishing Email Threat Trends (December 18th, 2022 – December 24th, 2022)
https://asec.ahnlab.com/en/45237
Threats:
Agent_tesla
Formbook
Industry:
Transport, Financial
Geo:
Chile, Korean
TTPs:
IOCs:
File: 36
Url: 3
ASEC BLOG
ASEC Weekly Phishing Email Threat Trends (December 18th, 2022 – December 24th, 2022) - ASEC BLOG
Contents: Phishing Emails; File Extensions in Phishing Emails; Cases of Distribution; Case: FakePage; Case: Malware (Infostealer, Downloader, etc.); Keywords to Beware of: 'RAR Compressed File'; FakePage C2 URL; Preventing Phishing Email Attacks. The ASEC analysis team monitors…
#ParsedReport
03-01-2023
BitRAT Now Sharing Sensitive Bank Data as a Lure
https://blog.qualys.com/vulnerabilities-threat-research/2023/01/03/bitrat-now-sharing-sensitive-bank-data-as-a-lure
Threats:
Sbit_rat
Redline_stealer
Industry:
Financial
TTPs:
Tactics: 1
Technics: 9
IOCs:
File: 1
Hash: 1
Win API:
WinExec
Qualys Security Blog
BitRAT Now Sharing Sensitive Bank Data as a Lure | Qualys Security Blog
In June of 2022 Qualys Threat Research Unit (TRU) wrote an in-depth report on Redline, a commercial off the shelf infostealer that spreads via fake cracked software hosted on Discord’s content…
#ParsedReport
04-01-2023
Shc Linux Malware Installing CoinMiner
https://asec.ahnlab.com/en/45182
Threats:
Xmrig_miner
Perlbot
Geo:
Korea
IOCs:
File: 1
Hash: 12
IP: 2
Url: 9
Softs:
ubuntu
Algorithms:
rc4
Languages:
perl
ASEC
Shc Linux Malware Installing CoinMiner - ASEC
#ParsedReport
04-01-2023
Pupy RAT hiding under WerFault's cover
https://labs.k7computing.com/index.php/pupy-rat-hiding-under-werfaults-cover
Actors/Campaigns:
Apt33 (motivation: cyber_espionage)
Cleaver (motivation: cyber_espionage)
Threats:
Pupy_rat
Lolbin_technique
Dll_sideloading_technique
Cloudeye
Reflectiveloader
Industry:
Energy
Geo:
Chinese, China, Iran
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 6
Hash: 3
Url: 1
Softs:
windows error reporting
Algorithms:
rc4
Win API:
CreateThread
Languages:
python
Links:
https://github.com/n1nj4sec/pupy
K7 Labs
Pupy RAT hiding under WerFault’s cover
We at K7 Labs recently identified an interesting technique used by threat actors to execute a Remote Admin Tool. We […]
#ParsedReport
05-01-2023
BlindEagle Targeting Ecuador With Sharpened Tools
https://research.checkpoint.com/2023/blindeagle-targeting-ecuador-with-sharpened-tools
Actors/Campaigns:
Blindeagle (motivation: financially_motivated, cyber_espionage)
Cloudatlas
Threats:
Quasar_rat
Meterpreter_tool
Lotl_technique
Azov
Wannacry
Rubyminer
Adwind_rat
Industry:
Financial, Government
Geo:
Ukraine, Ecuador, America, Russia, Spanish, Belarus, Colombian, Colombia, Turkish
IOCs:
Url: 5
File: 14
Domain: 3
Registry: 3
Hash: 13
Softs:
pyinstaller, windows defender, office 365, android
Algorithms:
prng, base64, zip
Functions:
GetConsoleWindow, CreateObject
Win API:
ShowWindow, VirtualAlloc, RtlMoveMemory, CreateThread, WaitForSingleObject
Win Services:
WebClient
Languages:
python
Links:
https://github.com/rapid7/metasploit-payloads/blob/master/python/meterpreter/meterpreter.py
Check Point Research
BlindEagle Targeting Ecuador With Sharpened Tools - Check Point Research
Blind Eagle is a financially motivated threat group that has been launching indiscriminate attacks against citizens of various countries in South America since at least 2018. In a recent campaign targeting Ecuador-based organizations, CPR detected a new…
#ParsedReport
05-01-2023
Securonix Threat Labs Monthly Intelligence Insights – December
https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-december
Actors/Campaigns:
Agrius
Steppy_kavach
Phosphorus
Transparenttribe
Sidecopy
Threats:
Crywiper
Zerobot
Raspberry_robin
Avkiller
Burntcigar_tool
Cuba
Apostle
Fantasy_wiper
Log4shell_vuln
Proxyshell_vuln
Industry:
Telco, Government, Energy, Iot, Financial
Geo:
Israel, Indias, Mexico, Argentina, Iran, Africa, Pakistan, Brazil, France, American, Colombia, Australian, Iranian, Russian, Australia, Indian, India, Emirates, Croatia, Italy
CVEs:
CVE-2022-42475 [Vulners]
Vulners: Score: Unknown, CVSS: 6.2,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
CVE-2022-33891 [Vulners]
Vulners: Score: Unknown, CVSS: 2.3,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- apache spark (le3.0.3, le3.2.1, le3.1.2)
IOCs:
Path: 1
Command: 1
File: 14
IP: 1
Domain: 1
Softs:
apache spark
Languages:
javascript
Securonix
Securonix Threat Labs Monthly Intelligence Insights – December
#technique
DNSKeyGen is a Python-based open-source tool designed to facilitate the exchange of command and control (C2) beacon/implant decryption keys through DNS records, including A, AAAA, and TXT records.
https://github.com/mhaskar/DNSKeyGen
GitHub
GitHub - mhaskar/DNSKeyGen: A tool to exchange decryption keys for command and control (C2) beacons and implants through DNS records.
A tool to exchange decryption keys for command and control (C2) beacons and implants through DNS records. - mhaskar/DNSKeyGen
#technique
pure-python implementation of MemoryModule technique to load a dll entirely from memory
https://github.com/naksyn/PythonMemoryModule
GitHub
GitHub - naksyn/PythonMemoryModule: pure-python implementation of MemoryModule technique to load dll and unmanaged exe entirely…
pure-python implementation of MemoryModule technique to load dll and unmanaged exe entirely from memory - naksyn/PythonMemoryModule
#technique
Alcatraz is a x64 binary obfuscator that is able to obfuscate various different pe files including:
https://github.com/weak1337/Alcatraz
GitHub
GitHub - weak1337/Alcatraz: x64 binary obfuscator
x64 binary obfuscator. Contribute to weak1337/Alcatraz development by creating an account on GitHub.
Should this channel carry links to tooling: tools, obfuscators, etc. (tag #technique)?
Final Results
77%
Yes
18%
No
5%
Show results
Thanks for taking part in the poll.
The picture is clear; posts under the #technique tag will continue :)
#technique
Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime
https://github.com/D1rkMtr/UnhookingPatch
#technique
Bypass Userland EDR hooks by Loading Reflective Ntdll in memory from a remote server based on Windows ReleaseID to avoid opening a handle to ntdll , and trigger exported API from the export table
https://github.com/D1rkMtr/FilelessNtdllReflection
#ParsedReport
05-01-2023
Unraveling the techniques of Mac ransomware
https://www.microsoft.com/en-us/security/blog/2023/01/05/unraveling-the-techniques-of-mac-ransomware
Threats:
Opendir
Filecoder
Keranger
Macransom
Evilquest
Applescript
Timestomp_technique
TTPs:
Tactics: 8
Technics: 27
IOCs:
File: 1
Hash: 5
Softs:
macos, microsoft defender for endpoint, unix, mac os, virtualbox, microsoft edge, microsoft defender, sudo
Algorithms:
xor, cbc, aes, hmac, zip
Functions:
opendir, readdir, closedir, ptrace, time, sleep, kqueue, kevent, CreateMatchingDirectory
Languages:
objective_c
Links:
https://github.com/gdbinit/gopher
#ParsedReport
06-01-2023
ASEC Weekly Malware Statistics (December 26th, 2022 – January 1st, 2023)
https://asec.ahnlab.com/en/45359
Threats:
Smokeloader
Redline_stealer
Beamwinhttp_loader
Garbage_cleaner
Vidar_stealer
Tofsee
Stop_ransomware
Industry:
Financial
Geo:
Korean, Korea
IOCs:
File: 1
Domain: 7
IP: 6
Url: 6
ASEC BLOG
ASEC Weekly Malware Statistics (December 26th, 2022 – January 1st, 2023) - ASEC BLOG
Contents: Top 1 – SmokeLoader; Top 2 – Redline; Top 3 – BeamWinHTTP; Top 4 – Vidar; Top 5 – Tofsee. The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from…
#ParsedReport
06-01-2023
Distribution of NetSupport RAT Malware Disguised as a Pokemon Game
https://asec.ahnlab.com/en/45312
Threats:
Netsupportmanager_rat
Ammyyadmin_tool
Anydesk_tool
Teamviewer_tool
Tmate_tool
Socgholish_loader
Malware/win.generic.c5339867
Malware/win.generic.c5335414
Malware/win.generic.c5333592
Malware/win.malware-gen.c5331507
IOCs:
File: 7
Hash: 11
Domain: 1
Url: 6
Softs:
visual studio
ASEC BLOG
Distribution of NetSupport RAT Malware Disguised as a Pokemon Game - ASEC BLOG
NetSupport Manager is a remote control tool that can be installed and used by ordinary or corporate users for the purpose of remotely controlling systems. However, it is being abused by many threat actors because it allows external control over specific systems.…
#ParsedReport
07-01-2023
Ransomware Roundup – Monti, BlackHunt, and Putin Ransomware
https://www.fortinet.com/blog/threat-research/ransomware-roundup-monti-blackhunt-and-more
Threats:
Monti
Blackhunt
Conti
Ragnarlocker
Industry:
Financial
Geo:
Spanish, Singapore, Argentina
IOCs:
File: 2
Hash: 7
Softs:
telegram
Fortinet Blog
Ransomware Roundup – Monti, BlackHunt, and Putin | FortiGuard Labs
In this week's ransomware roundup, FortiGuard Labs covers the Monti, BlackHunt, and Putin ransomware along with protection recommendations. Read our blog to find out more.…
#ParsedReport
07-01-2023
Zoom Users At Risk In Latest Malware Campaign
https://blog.cyble.com/2023/01/05/zoom-users-at-risk-in-latest-malware-campaign
Threats:
Icedid
Sandbox_evasion_technique
Emotet
Trickbot
Hancitor
Beacon
Industry:
Financial
TTPs:
Tactics: 4
Technics: 11
IOCs:
Url: 1
File: 2
Hash: 3
Domain: 1
IP: 1
Softs:
zoom
Functions:
ZwQuerySystemInformation, RtlGetVersion
Win API:
GetTickCount64, GetComputerNameExW, GetUserNameW, GetAdaptersInfo, LookupAccountNameW
Cyble
Zoom Users Targeted In Latest Malware Campaign | Cyble
Cyble Research and Intelligence Labs analyzes IcedID malware and its latest campaign targeting Zoom users via phishing attacks.