CTT Report Hub
Threat Intelligence Report Hub
https://cyberthreat.tech
Cyber Threat Technologies LLC (ООО Технологии киберугроз)
Contact: @nikolaiav
#ParsedReport
07-01-2023

Zoom Users At Risk In Latest Malware Campaign

https://blog.cyble.com/2023/01/05/zoom-users-at-risk-in-latest-malware-campaign

Threats:
Icedid
Sandbox_evasion_technique
Emotet
Trickbot
Hancitor
Beacon

Industry:
Financial

TTPs:
Tactics: 4
Techniques: 11

IOCs:
Url: 1
File: 2
Hash: 3
Domain: 1
IP: 1

Softs:
zoom

Functions:
ZwQuerySystemInformation, RtlGetVersion

Win API:
GetTickCount64, GetComputerNameExW, GetUserNameW, GetAdaptersInfo, LookupAccountNameW
#ParsedReport
07-01-2023

LummaC2 Stealer: A Potent Threat to Crypto Users

https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users

Threats:
Lumma_stealer

Industry:
Financial

Geo:
Bulgaria, Germany, Russian

TTPs:
Tactics: 5
Techniques: 8

IOCs:
File: 1
IP: 2
Hash: 4

Softs:
chromium, telegram, electrum, chrome, kometa, vivaldi, opera, mozilla firefox
#ParsedReport
07-01-2023

Unveiling of a large resilient infrastructure distributing information stealers

https://blog.sekoia.io/unveiling-of-a-large-resilient-infrastructure-distributing-information-stealers

Actors/Campaigns:
Apt31
Lapsus
Darkhalo

Threats:
Raccoon_stealer
Vidar_stealer
Themida_tool
Vmprotect_tool
Traffer
Aurora
Envyscout

Geo:
Dprk

TTPs:
Tactics: 4
Techniques: 11

IOCs:
Url: 47
Domain: 260
File: 12
Hash: 152
Registry: 1
Command: 2
IP: 14

Softs:
photoshop, virtualbox, windows defender, microsoft office

Algorithms:
base64

SIGMA: Found

Links:
https://github.com/SEKOIA-IO/Community/blob/main/IOCs/infra_seo_crack_stealers/infra_seo_crack_stealers_iocs_20230106.csv
#ParsedReport
07-01-2023

SpyNote: Spyware with RAT capabilities targeting Financial Institutions

https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions.html

Threats:
Spynote_rat
Spymax
Craxsrat

Industry:
Entertainment, Financial

Geo:
Deutsche, America

IOCs:
Hash: 9
IP: 2

Softs:
android, telegram

Algorithms:
base64
#ParsedReport
07-01-2023

Infostealer Malware: Targeting Italian Region

https://www.uptycs.com/blog/infostealer-malware-attacks-targeting-italian-region

Industry:
Financial

Geo:
Italian, Italy

IOCs:
File: 2
Path: 3
Hash: 8
IP: 1

Softs:
zcash, coinbase, jaxx, bitclip

Algorithms:
base64, zip, gzip

YARA: Found
#ParsedReport
07-01-2023

Turla: A Galaxy of Opportunity

https://www.mandiant.com/resources/blog/turla-galaxy-opportunity

Actors/Campaigns:
Turla (motivation: financially_motivated, cyber_espionage, information_theft)

Threats:
Kopiluwak
Quietcanary
Andromeda
Beacon
Netstat_tool
Process_injection_technique

Geo:
Russian, Ukrainian, Ukraine, Asia

TTPs:
Tactics: 8
Techniques: 21

IOCs:
Path: 4
Hash: 6
Domain: 4
File: 7
IP: 2
Registry: 1

Algorithms:
rc4, base64

Languages:
php, javascript

YARA: Found
#ParsedReport
07-01-2023

Bluebottle: Campaign Hits Banks in French-speaking Countries in Africa

https://symantec-enterprise-blogs.security.com/threat-intelligence/bluebottle-banks-targeted-africa

Actors/Campaigns:
Bluebottle (motivation: financially_motivated)
Opera1er
Blackcat

Threats:
Lotl_technique
Revealer_keylogger
Cobalt_strike
Rdpwrap_tool
Beacon
Cloudeye
Bumblebee
Quasar_rat
Netwire_rat
Api_hammering_technique
Lockbit
Cuba
Eamfo
Poortry
Stonestop
Burntcigar_tool
Mimikatz_tool
Bloodhound_tool

Industry:
Financial

Geo:
African, Canada, Africa

TTPs:
Tactics: 1
Techniques: 0

IOCs:
Domain: 3
File: 8
Url: 10
Command: 1
Hash: 34
IP: 1

Softs:
psexec, internet explorer, asp.net, windows service, sysinternals

Algorithms:
zip

Links:
https://github.com/asmtron/rdpwrap
#ParsedReport
07-01-2023

LABScon Replay | InkySquid: The Missing Arsenal

https://www.sentinelone.com/labs/labscon-replay-inkysquid-the-missing-arsenal

Actors/Campaigns:
Apt37 (motivation: cyber_espionage)

Threats:
Rokrat
Keybase
Cloudmensis_rat
Applescript
Fireball

Geo:
Korean, Korea, French

IOCs:
File: 1

Softs:
macos, android, microsoft word, zoom

Algorithms:
zip, xor

Platforms:
arm, x86
#ParsedReport
07-01-2023

PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources

https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources

Actors/Campaigns:
Purpleurchin

Geo:
Japanese, Japan, African

IOCs:
Domain: 1

Softs:
imagemagick

Languages:
php, python

Links:
https://github.com/
#ParsedReport
07-01-2023

Dridex Returns, Targets MacOS Using New Entry Method

https://www.trendmicro.com/en_us/research/23/a/-dridex-targets-macos-using-new-entry-method.html

Threats:
Dridex

Industry:
Financial

TTPs:
Tactics: 4
Techniques: 6

IOCs:
File: 4
Hash: 2
Url: 1

Softs:
macos, microsoft word

Functions:
CreatePicture, CreateColor, RuBik

Languages:
python, visual_basic

Links:
https://github.com/decalage2/oletools
#ParsedReport
09-01-2023

Unwrapping Ursnifs Gifts

https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts

Threats:
Gozi
Cobalt_strike
Beacon
Icedid
Atera_tool
Splashtop_tool
Quantum_locker
Bumblebee
Diavol
Process_injection_technique
Mimikatz_tool
Impacket_tool
Hostile
Meterpreter_tool

Industry:
Financial

Geo:
Rus

TTPs:
Tactics: 9
Techniques: 24

IOCs:
Domain: 2
IP: 72
File: 26
Registry: 1
Path: 10
Command: 16
Hash: 17
Coin: 1
Email: 1

Softs:
internet explorer, windows security

Algorithms:
base64

Functions:
eval

Win API:
DllRegisterServer, QueueUserAPC, GetCurrentThreadId, OpenThread, VirtualAlloc, CreateThread, SetThreadContext, CreateRemoteThread, RtlCreateUserThread, VirtualAllocEx, have more...

Win Services:
BITS, NtLmSsp

Languages:
visual_basic, php, javascript

Platforms:
x64

YARA: Found
SIGMA: Found

Links:
https://github.com/The-DFIR-Report/Suricata-Rules/blob/main/potential-impacket-wmiexec.py-activity.rules
https://github.com/fortra/impacket/blob/master/examples/wmiexec.py
#ParsedReport
09-01-2023

Dark Web Profile: Royal Ransomware

https://socradar.io/dark-web-profile-royal-ransomware

Actors/Campaigns:
Dev-0569

Threats:
Royal_ransomware
Conti
Bazaar
Blackcat
Zeon
Process_injection_technique

Industry:
Petroleum, Healthcare, Telco

Geo:
American

TTPs:
Tactics: 1
Techniques: 17

IOCs:
File: 1
Hash: 3
IP: 5
Url: 1

Softs:
zoom, microsoft teams, component object model

Algorithms:
aes
#ParsedReport
09-01-2023

0day in {REA_TEAM}

https://kienmanowar.wordpress.com/2023/01/09/quicknote-another-nice-plugx-sample

Actors/Campaigns:
Red_delta

Threats:
Plugx_rat
Dll_sideloading_technique

IOCs:
File: 28
Hash: 1
IP: 1

Softs:
wordpress

Functions:
plx_read_Mc_cp_content_and_exec, plx_patching_func, GetProcAdderss, GetProcAddress_rva

Win API:
VirtualAlloc, GetModuleFileNameW, lstrcpyW, CreateFileW, ReadFile, LoadLibraryW, GetLastError, GetSystemTime, VirtualProtect, GetProcAddress, have more...

Links:
https://github.com/m4now4r/PlugX_Mustang-Panda/blob/main/390f166753608a29b350c43f91b3b252_vhd.zip
#ParsedReport
09-01-2023

New Forces in Southeast Asia: Analysis of the New APT Group Saaiwc's Attacks on Military, Financial and Other Sectors in Southeast Asia

https://mp.weixin.qq.com/s/G3gUjg9WC96NW4cRPww6gw

Actors/Campaigns:
Saaiwc

Threats:
Lockbit

Industry:
Government, Financial

Geo:
Philippine, Cambodia, Asian, Vietnam, Asia, Philippines

CVEs:
CVE-2017-0199 [Vulners]
Vulners: Score: 9.3, CVSS: 7.8
Vulners: Exploitation: True
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, *)
- microsoft windows server 2012 (-)
- microsoft windows vista (*)
- microsoft office (2010, 2013, 2016, 2007)
- microsoft windows 7 (*)
have more...

TTPs:
Tactics: 1
Techniques: 0

IOCs:
Registry: 2
File: 11
Url: 1
Hash: 4

Softs:
telegram
#ParsedReport
10-01-2023

Crypto-inspired Magecart skimmer surfaces via digital crime haven

https://www.malwarebytes.com/blog/threat-intelligence/2023/01/crypto-inspired-magecart-skimmer-surfaces-via-digital-crime-haven

Threats:
Magentocore
Agent_tesla
Teamviewer_tool
Anydesk_tool
Vidar_stealer
Gozi
Aurora
Robin_banks_tool

Industry:
Financial, E-commerce, Retail

Geo:
American, Ukraine, Russian

TTPs:
Tactics: 1
Techniques: 0

IOCs:
File: 1
Domain: 11
IP: 15
Url: 3

Softs:
cpanel

Languages:
javascript

Links:
https://gist.github.com/krautface/e5444c1bb9880518db0f128416c911e6
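Every entry in this feed follows the same fixed layout: a #ParsedReport marker, a date, a title, the source URL, then colon-terminated sections (Threats, IOCs, Softs, CVEs, ...) separated by blank lines, with YARA/SIGMA flags standing alone. As an added example, not the channel's or its parsing tool's own code, the Python below parses that layout back into structured records and shows two pivots a practitioner would actually run over a dump of the channel: which threat names recur across reports, and which CVEs are cited anywhere. The layout rules are inferred from the entries on this page; the three-entry sample feed is constructed in that layout from entries above with their fields abbreviated, and the set of comma-separated section names is an assumption drawn from how those sections appear here.

```python
# Added example (not the channel's or its parsing tool's code): a parser for the
# '#ParsedReport' layout inferred from this page, plus two cross-report pivots.
import re
from collections import defaultdict
# Constructed sample in the page's layout, abbreviated from three entries above.
SAMPLE_FEED = """\
#ParsedReport
07-01-2023

Zoom Users At Risk In Latest Malware Campaign

https://blog.cyble.com/2023/01/05/zoom-users-at-risk-in-latest-malware-campaign

Threats:
Icedid
Beacon

IOCs:
Url: 1
Hash: 3

Softs:
zoom, microsoft teams
#ParsedReport
09-01-2023

Unwrapping Ursnifs Gifts

https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts

Threats:
Gozi
Beacon

IOCs:
IP: 72

YARA: Found
SIGMA: Found
#ParsedReport
09-01-2023

APT Saaiwc Group

https://mp.weixin.qq.com/s/G3gUjg9WC96NW4cRPww6gw

CVEs:
CVE-2017-0199 [Vulners]
"""

SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z /]*):$")   # 'Threats:', 'Win API:'
FLAG_RE = re.compile(r"^(YARA|SIGMA): (\w+)$")         # 'YARA: Found'
COUNT_RE = re.compile(r"^([A-Za-z]+): (\d+)$")         # 'Hash: 3'
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
COMMA_FIELDS = {"Softs", "Win API", "Win Services", "Functions", "Algorithms",  # assumed: sections the
                "Languages", "Platforms", "Geo", "Industry"}                   # feed writes on one line

def parse_report(chunk):
    """One entry (the text after a '#ParsedReport' marker) as a dict."""
    lines = [l.rstrip() for l in chunk.split("\n")]
    nonblank = [i for i, l in enumerate(lines) if l]
    date, title, url = (lines[i] for i in nonblank[:3])  # fixed header order on this page
    report = {"date": date, "title": title, "url": url, "sections": {}, "flags": {}}
    current = None
    for line in lines[nonblank[2] + 1:]:
        if not line:                       # a blank line closes the current section
            current = None
        elif m := SECTION_RE.match(line):
            current = m.group(1)
            report["sections"].setdefault(current, [])
        elif current is None and (m := FLAG_RE.match(line)):
            report["flags"][m.group(1)] = m.group(2)
        elif current is None:              # unexpected line: keep it rather than drop it
            report["sections"].setdefault("_unparsed", []).append(line)
        elif current in COMMA_FIELDS:
            report["sections"][current] += [p.strip() for p in line.split(",") if p.strip()]
        else:
            report["sections"][current].append(line)
    return report

def parse_feed(feed):
    # Text before the first marker is the channel header, not a report: skip it.
    return [parse_report(c) for c in feed.split("#ParsedReport")[1:] if c.strip()]

def counts(report, section):
    """'Hash: 3'-style lines of a section (IOCs, TTPs) as {name: int}."""
    return {m.group(1): int(m.group(2)) for item in report["sections"].get(section, [])
            if (m := COUNT_RE.match(item))}

def threat_index(reports):
    """Which report titles mention each threat name (spots tooling shared across reports)."""
    idx = defaultdict(list)
    for r in reports:
        for t in r["sections"].get("Threats", []):
            idx[t].append(r["title"])
    return dict(idx)

def cves(reports):
    """All CVE identifiers cited in any report's CVEs section, deduplicated and sorted."""
    return sorted({c for r in reports for item in r["sections"].get("CVEs", [])
                   for c in CVE_RE.findall(item)})
```

Running parse_feed over a full channel dump gives one dict per entry; threat_index then shows, for instance, that Beacon turns up in both the Zoom and the Ursnif entries of the sample, and counts(report, "IOCs") turns the "Hash: 3" lines into numbers you can total per source. Lines that fit no known rule are kept under "_unparsed" rather than silently dropped, which is how you notice when the feed's layout changes (the nested "Soft:" list under a CVE entry on this page, for example, would be captured as a section of its own).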