#technique
Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime
https://github.com/D1rkMtr/UnhookingPatch
Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime
https://github.com/D1rkMtr/UnhookingPatch
#technique
Bypass Userland EDR hooks by Loading Reflective Ntdll in memory from a remote server based on Windows ReleaseID to avoid opening a handle to ntdll , and trigger exported API from the export table
https://github.com/D1rkMtr/FilelessNtdllReflection
Bypass Userland EDR hooks by Loading Reflective Ntdll in memory from a remote server based on Windows ReleaseID to avoid opening a handle to ntdll , and trigger exported API from the export table
https://github.com/D1rkMtr/FilelessNtdllReflection
#ParsedReport
05-01-2023
Unraveling the techniques of Mac ransomware
https://www.microsoft.com/en-us/security/blog/2023/01/05/unraveling-the-techniques-of-mac-ransomware
Threats:
Opendir
Filecoder
Keranger
Macransom
Evilquest
Applescript
Timestomp_technique
TTPs:
Tactics: 8
Technics: 27
IOCs:
File: 1
Hash: 5
Softs:
macos, microsoft defender for endpoint, unix, mac os, virtualbox, microsoft edge, microsoft defender, sudo
Algorithms:
xor, cbc, aes, hmac, zip
Functions:
opendir, readdir, closedir, ptrace, time, sleep, kqueue, kevent, CreateMatchingDirectory
Languages:
objective_c
Links:
05-01-2023
Unraveling the techniques of Mac ransomware
https://www.microsoft.com/en-us/security/blog/2023/01/05/unraveling-the-techniques-of-mac-ransomware
Threats:
Opendir
Filecoder
Keranger
Macransom
Evilquest
Applescript
Timestomp_technique
TTPs:
Tactics: 8
Technics: 27
IOCs:
File: 1
Hash: 5
Softs:
macos, microsoft defender for endpoint, unix, mac os, virtualbox, microsoft edge, microsoft defender, sudo
Algorithms:
xor, cbc, aes, hmac, zip
Functions:
opendir, readdir, closedir, ptrace, time, sleep, kqueue, kevent, CreateMatchingDirectory
Languages:
objective_c
Links:
https://github.com/gdbinit/gopher#ParsedReport
06-01-2023
ASEC Weekly Malware Statistics (December 26th, 2022 January 1st, 2023)
https://asec.ahnlab.com/en/45359
Threats:
Smokeloader
Redline_stealer
Beamwinhttp_loader
Garbage_cleaner
Vidar_stealer
Tofsee
Stop_ransomware
Industry:
Financial
Geo:
Korean, Korea
IOCs:
File: 1
Domain: 7
IP: 6
Url: 6
06-01-2023
ASEC Weekly Malware Statistics (December 26th, 2022 January 1st, 2023)
https://asec.ahnlab.com/en/45359
Threats:
Smokeloader
Redline_stealer
Beamwinhttp_loader
Garbage_cleaner
Vidar_stealer
Tofsee
Stop_ransomware
Industry:
Financial
Geo:
Korean, Korea
IOCs:
File: 1
Domain: 7
IP: 6
Url: 6
ASEC BLOG
ASEC Weekly Malware Statistics (December 26th, 2022 – January 1st, 2023) - ASEC BLOG
ContentsTop 1 – SmokeLoaderTop 2 – RedlineTop 3 – BeamWinHTTPTop 4 – VidarTop 5 – Tofsee The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from…
#ParsedReport
06-01-2023
Distribution of NetSupport RAT Malware Disguised as a Pokemon Game
https://asec.ahnlab.com/en/45312
Threats:
Netsupportmanager_rat
Ammyyadmin_tool
Anydesk_tool
Teamviewer_tool
Tmate_tool
Socgholish_loader
Malware/win.generic.c5339867
Malware/win.generic.c5335414
Malware/win.generic.c5333592
Malware/win.malware-gen.c5331507
IOCs:
File: 7
Hash: 11
Domain: 1
Url: 6
Softs:
visual studio
06-01-2023
Distribution of NetSupport RAT Malware Disguised as a Pokemon Game
https://asec.ahnlab.com/en/45312
Threats:
Netsupportmanager_rat
Ammyyadmin_tool
Anydesk_tool
Teamviewer_tool
Tmate_tool
Socgholish_loader
Malware/win.generic.c5339867
Malware/win.generic.c5335414
Malware/win.generic.c5333592
Malware/win.malware-gen.c5331507
IOCs:
File: 7
Hash: 11
Domain: 1
Url: 6
Softs:
visual studio
ASEC BLOG
Distribution of NetSupport RAT Malware Disguised as a Pokemon Game - ASEC BLOG
NetSupport Manager is a remote control tool that can be installed and used by ordinary or corporate users for the purpose of remotely controlling systems. However, it is being abused by many threat actors because it allows external control over specific systems.…
#ParsedReport
07-01-2023
Ransomware Roundup Monti, BlackHunt, and Putin Ransomware
https://www.fortinet.com/blog/threat-research/ransomware-roundup-monti-blackhunt-and-more
Threats:
Monti
Blackhunt
Conti
Ragnarlocker
Industry:
Financial
Geo:
Spanish, Singapore, Argentina
IOCs:
File: 2
Hash: 7
Softs:
telegram
07-01-2023
Ransomware Roundup Monti, BlackHunt, and Putin Ransomware
https://www.fortinet.com/blog/threat-research/ransomware-roundup-monti-blackhunt-and-more
Threats:
Monti
Blackhunt
Conti
Ragnarlocker
Industry:
Financial
Geo:
Spanish, Singapore, Argentina
IOCs:
File: 2
Hash: 7
Softs:
telegram
Fortinet Blog
Ransomware Roundup – Monti, BlackHunt, and Putin | FortiGuard Labs
In this week's ransomware roundup, FortiGuard Labs covers the Monti, BlackHunt, and Putin ransomware along with protection recommendations. Read our blog to find out more.…
#ParsedReport
07-01-2023
Zoom Users At Risk In Latest Malware Campaign
https://blog.cyble.com/2023/01/05/zoom-users-at-risk-in-latest-malware-campaign
Threats:
Icedid
Sandbox_evasion_technique
Emotet
Trickbot
Hancitor
Beacon
Industry:
Financial
TTPs:
Tactics: 4
Technics: 11
IOCs:
Url: 1
File: 2
Hash: 3
Domain: 1
IP: 1
Softs:
zoom
Functions:
ZwQuerySystemInformation, RtlGetVersion
Win API:
GetTickCount64, GetComputerNameExW, GetUserNameW, GetAdaptersInfo, LookupAccountNameW
07-01-2023
Zoom Users At Risk In Latest Malware Campaign
https://blog.cyble.com/2023/01/05/zoom-users-at-risk-in-latest-malware-campaign
Threats:
Icedid
Sandbox_evasion_technique
Emotet
Trickbot
Hancitor
Beacon
Industry:
Financial
TTPs:
Tactics: 4
Technics: 11
IOCs:
Url: 1
File: 2
Hash: 3
Domain: 1
IP: 1
Softs:
zoom
Functions:
ZwQuerySystemInformation, RtlGetVersion
Win API:
GetTickCount64, GetComputerNameExW, GetUserNameW, GetAdaptersInfo, LookupAccountNameW
Cyble
Zoom Users Targeted In Latest Malware Campaign | Cyble
Cyble Research and Intelligence Labs analyzes IceID Malware and it's latest campaign targeting Zoom users via phishing attacks.
#ParsedReport
07-01-2023
LummaC2 Stealer: A Potent Threat to Crypto Users
https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users
Threats:
Lumma_stealer
Industry:
Financial
Geo:
Bulgaria, Germany, Russian
TTPs:
Tactics: 5
Technics: 8
IOCs:
File: 1
IP: 2
Hash: 4
Softs:
chromium, telegram, electrum, chrome, kometa, vivaldi, opera, mozilla firefox
07-01-2023
LummaC2 Stealer: A Potent Threat to Crypto Users
https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users
Threats:
Lumma_stealer
Industry:
Financial
Geo:
Bulgaria, Germany, Russian
TTPs:
Tactics: 5
Technics: 8
IOCs:
File: 1
IP: 2
Hash: 4
Softs:
chromium, telegram, electrum, chrome, kometa, vivaldi, opera, mozilla firefox
Cyble
Cyble - LummaC2 Stealer: A Potent Threat To Crypto Users
CRIL analyzes the latest version of LummaC2 Stealer , targeting crypto users via stealing their crypto wallet and 2FA extensions.
#ParsedReport
07-01-2023
Unveiling of a large resilient infrastructure distributing information stealers. Context
https://blog.sekoia.io/unveiling-of-a-large-resilient-infrastructure-distributing-information-stealers
Actors/Campaigns:
Apt31
Lapsus
Darkhalo
Threats:
Raccoon_stealer
Vidar_stealer
Themida_tool
Vmprotect_tool
Traffer
Aurora
Envyscout
Geo:
Dprk
TTPs:
Tactics: 4
Technics: 11
IOCs:
Url: 47
Domain: 260
File: 12
Hash: 152
Registry: 1
Command: 2
IP: 14
Softs:
photoshop, virtualbox, windows defender, microsoft office
Algorithms:
base64
SIGMA: Found
Links:
07-01-2023
Unveiling of a large resilient infrastructure distributing information stealers. Context
https://blog.sekoia.io/unveiling-of-a-large-resilient-infrastructure-distributing-information-stealers
Actors/Campaigns:
Apt31
Lapsus
Darkhalo
Threats:
Raccoon_stealer
Vidar_stealer
Themida_tool
Vmprotect_tool
Traffer
Aurora
Envyscout
Geo:
Dprk
TTPs:
Tactics: 4
Technics: 11
IOCs:
Url: 47
Domain: 260
File: 12
Hash: 152
Registry: 1
Command: 2
IP: 14
Softs:
photoshop, virtualbox, windows defender, microsoft office
Algorithms:
base64
SIGMA: Found
Links:
https://github.com/SEKOIA-IO/Community/blob/main/IOCs/infra\_seo\_crack\_stealers/infra\_seo\_crack\_stealers\_iocs\_20230106.csvSekoia.io Blog
Unveiling of a large resilient infrastructure distributing information stealers
The distribution methods used to distribute infostealer are varied, ranging from malspam to fake installers. Discover their infection chains.
#ParsedReport
07-01-2023
SpyNote: Spyware with RAT capabilities targeting Financial Institutions
https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions.html
Threats:
Spynote_rat
Spymax
Craxsrat
Industry:
Entertainment, Financial
Geo:
Deutsche, America
IOCs:
Hash: 9
IP: 2
Softs:
android, telegram
Algorithms:
base64
07-01-2023
SpyNote: Spyware with RAT capabilities targeting Financial Institutions
https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions.html
Threats:
Spynote_rat
Spymax
Craxsrat
Industry:
Entertainment, Financial
Geo:
Deutsche, America
IOCs:
Hash: 9
IP: 2
Softs:
android, telegram
Algorithms:
base64
ThreatFabric
SpyNote: Spyware with RAT capabilities targeting Financial Institutions
SpyNote, also known as SpyMax and CypherRat, is a unique and effective Spyware which developed unique interest in banking users
#ParsedReport
07-01-2023
Infostealer Malware: Targeting Italian Region - Uptycs. Infostealer Malware: Targeting Italian Region
https://www.uptycs.com/blog/infostealer-malware-attacks-targeting-italian-region
Industry:
Financial
Geo:
Italian, Italy
IOCs:
File: 2
Path: 3
Hash: 8
IP: 1
Softs:
zcash, coinbase, jaxx, bitclip
Algorithms:
base64, zip, gzip
YARA: Found
07-01-2023
Infostealer Malware: Targeting Italian Region - Uptycs. Infostealer Malware: Targeting Italian Region
https://www.uptycs.com/blog/infostealer-malware-attacks-targeting-italian-region
Industry:
Financial
Geo:
Italian, Italy
IOCs:
File: 2
Path: 3
Hash: 8
IP: 1
Softs:
zcash, coinbase, jaxx, bitclip
Algorithms:
base64, zip, gzip
YARA: Found
Uptycs
Infostealer Malware: Targeting the Italian Region
The Uptycs Threat research team became aware of a new infostealer malware attack campaign, employing phishing, that has appeared in the Italian region.
#ParsedReport
07-01-2023
Turla: A Galaxy of Opportunity
https://www.mandiant.com/resources/blog/turla-galaxy-opportunity
Actors/Campaigns:
Turla (motivation: financially_motivated, cyber_espionage, information_theft)
Threats:
Kopiluwak
Quietcanary
Andromeda
Beacon
Netstat_tool
Process_injection_technique
Geo:
Russian, Ukrainian, Ukraine, Asia
TTPs:
Tactics: 8
Technics: 21
IOCs:
Path: 4
Hash: 6
Domain: 4
File: 7
IP: 2
Registry: 1
Algorithms:
rc4, base64
Languages:
php, javascript
YARA: Found
07-01-2023
Turla: A Galaxy of Opportunity
https://www.mandiant.com/resources/blog/turla-galaxy-opportunity
Actors/Campaigns:
Turla (motivation: financially_motivated, cyber_espionage, information_theft)
Threats:
Kopiluwak
Quietcanary
Andromeda
Beacon
Netstat_tool
Process_injection_technique
Geo:
Russian, Ukrainian, Ukraine, Asia
TTPs:
Tactics: 8
Technics: 21
IOCs:
Path: 4
Hash: 6
Domain: 4
File: 7
IP: 2
Registry: 1
Algorithms:
rc4, base64
Languages:
php, javascript
YARA: Found
Google Cloud Blog
Turla: A Galaxy of Opportunity | Mandiant | Google Cloud Blog
A suspected Turla Team operation distributing a reconnaissance utility and backdoor to malware victims in Ukraine.
#ParsedReport
07-01-2023
Bluebottle: Campaign Hits Banks in French-speaking Countries in Africa
https://symantec-enterprise-blogs.security.com/threat-intelligence/bluebottle-banks-targeted-africa
Actors/Campaigns:
Bluebottle (motivation: financially_motivated)
Opera1er
Blackcat
Threats:
Lotl_technique
Revealer_keylogger
Cobalt_strike
Rdpwrap_tool
Beacon
Cloudeye
Bumblebee
Quasar_rat
Netwire_rat
Api_hammering_technique
Lockbit
Cuba
Eamfo
Poortry
Stonestop
Burntcigar_tool
Mimikatz_tool
Bloodhound_tool
Industry:
Financial
Geo:
African, Canada, Africa
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 3
File: 8
Url: 10
Command: 1
Hash: 34
IP: 1
Softs:
psexec, internet explorer, asp.net, windows service, sysinternals
Algorithms:
zip
Links:
07-01-2023
Bluebottle: Campaign Hits Banks in French-speaking Countries in Africa
https://symantec-enterprise-blogs.security.com/threat-intelligence/bluebottle-banks-targeted-africa
Actors/Campaigns:
Bluebottle (motivation: financially_motivated)
Opera1er
Blackcat
Threats:
Lotl_technique
Revealer_keylogger
Cobalt_strike
Rdpwrap_tool
Beacon
Cloudeye
Bumblebee
Quasar_rat
Netwire_rat
Api_hammering_technique
Lockbit
Cuba
Eamfo
Poortry
Stonestop
Burntcigar_tool
Mimikatz_tool
Bloodhound_tool
Industry:
Financial
Geo:
African, Canada, Africa
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 3
File: 8
Url: 10
Command: 1
Hash: 34
IP: 1
Softs:
psexec, internet explorer, asp.net, windows service, sysinternals
Algorithms:
zip
Links:
https://github.com/asmtron/rdpwrapSecurity
Bluebottle: Campaign Hits Banks in French-speaking Countries in Africa
Continuation of previously documented activity leverages new TTPs.
#ParsedReport
07-01-2023
ASEC (20221225 \~ 20221231). ASEC Weekly phishing email threat trend (20221225 \~ 20221231)
https://asec.ahnlab.com/ko/45373
Threats:
Agent_tesla
Formbook
Motw_bypass_technique
Industry:
Financial, Transport
Geo:
Korean
TTPs:
IOCs:
File: 31
Url: 3
Softs:
chrome
Algorithms:
zip
07-01-2023
ASEC (20221225 \~ 20221231). ASEC Weekly phishing email threat trend (20221225 \~ 20221231)
https://asec.ahnlab.com/ko/45373
Threats:
Agent_tesla
Formbook
Motw_bypass_technique
Industry:
Financial, Transport
Geo:
Korean
TTPs:
IOCs:
File: 31
Url: 3
Softs:
chrome
Algorithms:
zip
ASEC BLOG
ASEC 주간 피싱 이메일 위협 트렌드 (20221225 ~ 20221231) - ASEC BLOG
Contents피싱 이메일 위협 유형첨부파일 확장자유포 사례사례: 가짜 로그인 페이지 (FakePage)사례: 악성코드 (Infostealer, Downloader 등)주의 키워드: ‘IMG, ISO’ 가짜 페이지 (FakePage) C2 주소피싱 이메일 공격 예방 ASEC 분석팀에서는 샘플 자동 분석 시스템(RAPIT)과 허니팟을 활용하여 피싱 이메일 위협을 모니터링하고 있다. 본 포스팅에서는 2022년 12월 25일부터 12월 31일까지 한 주간 확인된…
#ParsedReport
07-01-2023
LABScon Replay \| InkySquid: The Missing Arsenal. InkySquid: The Missing Arsenal: Audio automatically transcribed by Sonix
https://www.sentinelone.com/labs/labscon-replay-inkysquid-the-missing-arsenal
Actors/Campaigns:
Apt37 (motivation: cyber_espionage)
Threats:
Rokrat
Keybase
Cloudmensis_rat
Applescript
Fireball
Geo:
Korean, Korea, French
IOCs:
File: 1
Softs:
macos, android, microsoft word, zoom
Algorithms:
zip, xor
Platforms:
arm, x86
07-01-2023
LABScon Replay \| InkySquid: The Missing Arsenal. InkySquid: The Missing Arsenal: Audio automatically transcribed by Sonix
https://www.sentinelone.com/labs/labscon-replay-inkysquid-the-missing-arsenal
Actors/Campaigns:
Apt37 (motivation: cyber_espionage)
Threats:
Rokrat
Keybase
Cloudmensis_rat
Applescript
Fireball
Geo:
Korean, Korea, French
IOCs:
File: 1
Softs:
macos, android, microsoft word, zoom
Algorithms:
zip, xor
Platforms:
arm, x86
SentinelOne
LABScon Replay | InkySquid: The Missing Arsenal
Paul Rascagneres explores a macOS port of the Windows RoKRAT malware and how it bypasses Apple security protections.
#ParsedReport
07-01-2023
. Web page disguised as a Kakao login screen
https://asec.ahnlab.com/ko/45204
Industry:
Education
Geo:
Korea
IOCs:
File: 1
Url: 2
07-01-2023
. Web page disguised as a Kakao login screen
https://asec.ahnlab.com/ko/45204
Industry:
Education
Geo:
Korea
IOCs:
File: 1
Url: 2
ASEC
카카오 로그인화면으로 위장한 웹페이지 - ASEC
ASEC 분석팀은 최근 카카오의 로그인 페이지를 위장하여 특정인의 계정정보를 취하려는 정황을 확인하였다. 사용자가 해당 페이지에 최초 접속하게 되는 정확한 유입경로는 확인되지 않았으나, 피싱메일을 통해 접속하게 되는 페이지에서 웹 로그인을 유도하였을 것으로 추정된다. 웹페이지에 접속하면 아래의 그림 1)과 같이 카카오 계정의 ID가 자동완성 되어있다. 카카오메일이 있을 경우 메일 아이디만 입력하면 로그인이 가능한 카카오 로그인페이지의 정상포맷(그림 2)과…
#ParsedReport
07-01-2023
Orcus RAT. ORCUS RAT is being distributed by disguised as a Korean word processor crack
https://asec.ahnlab.com/ko/45153
Threats:
Orcus_rat
Sbit_rat
Xmrig_miner
Nircmd_tool
Process_hacker_tool
Cobalt_strike
Androm
Trojan/win.injection.c5347028
Geo:
Korea, Korean
IOCs:
File: 47
Coin: 1
Hash: 8
Domain: 3
Url: 13
Softs:
microsoft office, windows defender, telegram, exe,v_ser, process explorer, visual studio
Algorithms:
zip
07-01-2023
Orcus RAT. ORCUS RAT is being distributed by disguised as a Korean word processor crack
https://asec.ahnlab.com/ko/45153
Threats:
Orcus_rat
Sbit_rat
Xmrig_miner
Nircmd_tool
Process_hacker_tool
Cobalt_strike
Androm
Trojan/win.injection.c5347028
Geo:
Korea, Korean
IOCs:
File: 47
Coin: 1
Hash: 8
Domain: 3
Url: 13
Softs:
microsoft office, windows defender, telegram, exe,v_ser, process explorer, visual studio
Algorithms:
zip
ASEC
한글 워드 프로세서 크랙으로 위장하여 유포 중인 Orcus RAT - ASEC
ASEC 분석팀은 최근 Orcus RAT이 웹하드에서 한글 워드 프로세서의 크랙 버전으로 유포 중인 것을 확인하였다. 이를 유포한 공격자는 과거 웹하드에서 윈도우 정품 인증 툴을 위장해 BitRAT과 XMRig 코인 마이너를 유포하였던 공격자와 동일하다.[1] 공격자가 유포 중인 악성코드들은 과거와 유사한 형태이지만, BitRAT 대신 Orcus RAT을 사용한 것이 특징이다. 이외에도 안티바이러스의 행위 탐지를 우회하기 위해 복잡한 과정을 거친다거나…
#ParsedReport
07-01-2023
PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources. Executive Summary
https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources
Actors/Campaigns:
Purpleurchin
Geo:
Japanese, Japan, African
IOCs:
Domain: 1
Softs:
imagemagick
Languages:
php, python
Links:
07-01-2023
PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources. Executive Summary
https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources
Actors/Campaigns:
Purpleurchin
Geo:
Japanese, Japan, African
IOCs:
Domain: 1
Softs:
imagemagick
Languages:
php, python
Links:
https://github.com/Unit 42
PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources
We take a deep dive into Automated Libra, the cloud threat actor group behind the freejacking campaign PurpleUrchin.
#ParsedReport
07-01-2023
Dridex Returns, Targets MacOS Using New Entry Method. Introduction
https://www.trendmicro.com/en_us/research/23/a/-dridex-targets-macos-using-new-entry-method.html
Threats:
Dridex
Industry:
Financial
TTPs:
Tactics: 4
Technics: 6
IOCs:
File: 4
Hash: 2
Url: 1
Softs:
macos, microsoft word
Functions:
CreatePicture, CreateColor, RuBik
Languages:
python, visual_basic
Links:
07-01-2023
Dridex Returns, Targets MacOS Using New Entry Method. Introduction
https://www.trendmicro.com/en_us/research/23/a/-dridex-targets-macos-using-new-entry-method.html
Threats:
Dridex
Industry:
Financial
TTPs:
Tactics: 4
Technics: 6
IOCs:
File: 4
Hash: 2
Url: 1
Softs:
macos, microsoft word
Functions:
CreatePicture, CreateColor, RuBik
Languages:
python, visual_basic
Links:
https://github.com/decalage2/oletoolsTrend Micro
Dridex Targets MacOS Using New Entry Method
#technique
Unpack Brute Ratel (BRC4) stager and extract config
also tries to find the rc4 key in case of encrypted config
https://github.com/matthw/malware_analysis/tree/main/brc4
Unpack Brute Ratel (BRC4) stager and extract config
also tries to find the rc4 key in case of encrypted config
https://github.com/matthw/malware_analysis/tree/main/brc4
GitHub
malware_analysis/brc4 at main · matthw/malware_analysis
Contribute to matthw/malware_analysis development by creating an account on GitHub.
#ParsedReport
09-01-2023
Unwrapping Ursnifs Gifts. Exfiltration
https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts
Threats:
Gozi
Cobalt_strike
Beacon
Icedid
Atera_tool
Splashtop_tool
Quantum_locker
Bumblebee
Diavol
Process_injection_technique
Mimikatz_tool
Impacket_tool
Hostile
Meterpreter_tool
Industry:
Financial
Geo:
Rus
TTPs:
Tactics: 9
Technics: 24
IOCs:
Domain: 2
IP: 72
File: 26
Registry: 1
Path: 10
Command: 16
Hash: 17
Coin: 1
Email: 1
Softs:
internet explorer, windows security
Algorithms:
base64
Functions:
eval
Win API:
DllRegisterServer, QueueUserAPC, GetCurrentThreadId, OpenThread, VirtualAlloc, CreateThread, SetThreadContext, CreateRemoteThread, RtlCreateUserThread, VirtualAllocEx, have more...
Win Services:
BITS, NtLmSsp
Languages:
visual_basic, php, javascript
Platforms:
x64
YARA: Found
SIGMA: Found
Links:
09-01-2023
Unwrapping Ursnifs Gifts. Exfiltration
https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts
Threats:
Gozi
Cobalt_strike
Beacon
Icedid
Atera_tool
Splashtop_tool
Quantum_locker
Bumblebee
Diavol
Process_injection_technique
Mimikatz_tool
Impacket_tool
Hostile
Meterpreter_tool
Industry:
Financial
Geo:
Rus
TTPs:
Tactics: 9
Technics: 24
IOCs:
Domain: 2
IP: 72
File: 26
Registry: 1
Path: 10
Command: 16
Hash: 17
Coin: 1
Email: 1
Softs:
internet explorer, windows security
Algorithms:
base64
Functions:
eval
Win API:
DllRegisterServer, QueueUserAPC, GetCurrentThreadId, OpenThread, VirtualAlloc, CreateThread, SetThreadContext, CreateRemoteThread, RtlCreateUserThread, VirtualAllocEx, have more...
Win Services:
BITS, NtLmSsp
Languages:
visual_basic, php, javascript
Platforms:
x64
YARA: Found
SIGMA: Found
Links:
https://github.com/The-DFIR-Report/Suricata-Rules/blob/main/potential-impacket-wmiexec.py-activity.ruleshttps://github.com/fortra/impacket/blob/master/examples/wmiexec.pyThe DFIR Report
Unwrapping Ursnifs Gifts
In late August 2022, we investigated an incident involving Ursnif malware, which resulted in Cobalt Strike being deployed. This was followed by the threat actors moving laterally throughout the env…