#ParsedReport
09-01-2023
Unwrapping Ursnif's Gifts
https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts
Threats:
Gozi
Cobalt_strike
Beacon
Icedid
Atera_tool
Splashtop_tool
Quantum_locker
Bumblebee
Diavol
Process_injection_technique
Mimikatz_tool
Impacket_tool
Hostile
Meterpreter_tool
Industry:
Financial
Geo:
Rus
TTPs:
Tactics: 9
Technics: 24
IOCs:
Domain: 2
IP: 72
File: 26
Registry: 1
Path: 10
Command: 16
Hash: 17
Coin: 1
Email: 1
Softs:
internet explorer, windows security
Algorithms:
base64
Functions:
eval
Win API:
DllRegisterServer, QueueUserAPC, GetCurrentThreadId, OpenThread, VirtualAlloc, CreateThread, SetThreadContext, CreateRemoteThread, RtlCreateUserThread, VirtualAllocEx, have more...
Win Services:
BITS, NtLmSsp
Languages:
visual_basic, php, javascript
Platforms:
x64
YARA: Found
SIGMA: Found
Links:
https://github.com/The-DFIR-Report/Suricata-Rules/blob/main/potential-impacket-wmiexec.py-activity.rules
https://github.com/fortra/impacket/blob/master/examples/wmiexec.py
The DFIR Report
Unwrapping Ursnifs Gifts
In late August 2022, we investigated an incident involving Ursnif malware, which resulted in Cobalt Strike being deployed. This was followed by the threat actors moving laterally throughout the env…
#ParsedReport
09-01-2023
Beware: a modified version of the CIA's Hive attack kit has entered the cybercrime underground
https://blog.netlab.360.com/warning-hive-variant-xdr33-is-coming_cn
Threats:
Beacon
IOCs:
File: 9
IP: 4
Hash: 1
Algorithms:
crc-16, aes, bzip, xor
Languages:
python
Platforms:
x86
360 Netlab Blog - Network Security Research Lab at 360
Beware: a modified version of the CIA's Hive attack kit has entered the cybercrime underground
Overview
On October 21, 2022, 360Netlab's honeypot system captured a suspicious ELF file ee07a74d12c0bb3594965b51d0e45b6f, spreading through an F5 vulnerability with zero VT detections. Our traffic monitoring flagged SSL traffic between it and the IP 45.9.150.144, with both sides using forged Kaspersky certificates, which caught our attention. Analysis confirmed that it was adapted from the leaked server source code of the CIA's Hive project. This is the first in-the-wild variant of the CIA HIVE attack kit we have captured; based on the CN=xdr33 in its embedded bot-side certificate, we internally named it x…
#ParsedReport
09-01-2023
Dark Web Profile: Royal Ransomware
https://socradar.io/dark-web-profile-royal-ransomware
Actors/Campaigns:
Dev-0569
Threats:
Royal_ransomware
Conti
Bazaar
Blackcat
Zeon
Process_injection_technique
Industry:
Petroleum, Healthcare, Telco
Geo:
American
TTPs:
Tactics: 1
Technics: 17
IOCs:
File: 1
Hash: 3
IP: 5
Url: 1
Softs:
zoom, microsoft teams, component object model
Algorithms:
aes
SOCRadar® Cyber Intelligence Inc.
Dark Web Profile: Royal Ransomware - SOCRadar® Cyber Intelligence Inc.
The Royal ransomware strain was first detected in September 2022 in operations of the threat actor DEV-0569. The actors behind Royal are...
#ParsedReport
09-01-2023
Ransomware Gangs Leak Large Amounts of Data in Recent Attacks: Hive and Vice Society
https://socradar.io/ransomware-gangs-leak-large-amounts-of-data-in-recent-attacks-hive-and-vice-society
Actors/Campaigns:
Vice_society
Threats:
Hive
Stop_ransomware
Industry:
Healthcare, Education
IOCs:
File: 1
Domain: 4
IP: 10
Hash: 4
SOCRadar® Cyber Intelligence Inc.
Ransomware Gangs Leak Large Amounts of Data in Recent Attacks: Hive and Vice Society
Recent ransomware data leaks in this blog are a good reminder of how important it is to take proper security measures to defend against...
#ParsedReport
09-01-2023
[QuickNote] Another nice PlugX sample
https://kienmanowar.wordpress.com/2023/01/09/quicknote-another-nice-plugx-sample
Actors/Campaigns:
Red_delta
Threats:
Plugx_rat
Dll_sideloading_technique
IOCs:
File: 28
Hash: 1
IP: 1
Softs:
wordpress
Functions:
plx_read_Mc_cp_content_and_exec, plx_patching_func, GetProcAdderss, GetProcAddress_rva
Win API:
VirtualAlloc, GetModuleFileNameW, lstrcpyW, CreateFileW, ReadFile, LoadLibraryW, GetLastError, GetSystemTime, VirtualProtect, GetProcAddress, have more...
Links:
https://github.com/m4now4r/PlugX_Mustang-Panda/blob/main/390f166753608a29b350c43f91b3b252_vhd.zip
0day in {REA_TEAM}
[QuickNote] Another nice PlugX sample
Sample information shared by Johann Aydinbas(@jaydinbas): Sample hash: 2025427bba36b48e827a61116321bbe6b00d77d3fd35d552f72e052eb88948e0 Download here!
#ParsedReport
09-01-2023
A new force in Southeast Asia: analysis of the new APT group Saaiwc Group's attacks on military, financial and other sectors in Southeast Asia
https://mp.weixin.qq.com/s/G3gUjg9WC96NW4cRPww6gw
Actors/Campaigns:
Saaiwc
Threats:
Lockbit
Industry:
Government, Financial
Geo:
Philippine, Cambodia, Asian, Vietnam, Asia, Philippines
CVEs:
CVE-2017-0199 [Vulners]
Vulners: Score: 9.3, CVSS: 7.8,
Vulners: Exploitation: True
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, *)
- microsoft windows server 2012 (-)
- microsoft windows vista (*)
- microsoft office (2010, 2013, 2016, 2007)
- microsoft windows 7 (*)
have more...
TTPs:
Tactics: 1
Technics: 0
IOCs:
Registry: 2
File: 11
Url: 1
Hash: 4
Softs:
telegram
#ParsedReport
10-01-2023
Crypto-inspired Magecart skimmer surfaces via digital crime haven
https://www.malwarebytes.com/blog/threat-intelligence/2023/01/crypto-inspired-magecart-skimmer-surfaces-via-digital-crime-haven
Threats:
Magentocore
Agent_tesla
Teamviewer_tool
Anydesk_tool
Vidar_stealer
Gozi
Aurora
Robin_banks_tool
Industry:
Financial, E-commerce, Retail
Geo:
American, Ukraine, Russian
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 1
Domain: 11
IP: 15
Url: 3
Softs:
cpanel
Languages:
javascript
Links:
https://gist.github.com/krautface/e5444c1bb9880518db0f128416c911e6
Malwarebytes
Crypto-inspired Magecart skimmer surfaces via digital crime haven
This blog post was authored by Jérôme Segura Online criminals rarely reinvent the wheel, especially when they don’t have to. From...
#ParsedReport
10-01-2023
Web Page Disguised as a Kakao Login Page
https://asec.ahnlab.com/en/45437
Industry:
Education
Geo:
Korean, Korea
IOCs:
Url: 2
ASEC BLOG
Web Page Disguised as a Kakao Login Page - ASEC BLOG
The ASEC analysis team recently identified a fake Kakao login page attempting to gain access to the account credentials of specific individuals. The specific route through which users first arrive on these pages is unknown, but it is assumed that users were…
#ParsedReport
10-01-2023
THREAT ANALYSIS: From IcedID to Domain Compromise
https://www.cybereason.com/blog/threat-analysis-from-icedid-to-domain-compromise
Actors/Campaigns:
Shathak
Threats:
Icedid
Cobalt_strike
Conti
Lockbit
Fivehands
Beacon
Rubeus_tool
Kerberoasting_technique
Atera_tool
Dcsync_technique
Credential_stealing_technique
Nltest_tool
Industry:
Financial, Education
Geo:
French
TTPs:
Tactics: 4
Technics: 2
IOCs:
File: 28
Domain: 5
Softs:
active directory, curl, chrome, windows explorer
Algorithms:
base64, zip
Functions:
RPC, MSRPC
Languages:
python
Links:
https://github.com/hashcat/hashcat
https://github.com/openwall/john
https://github.com/GhostPack/Rubeus
Cybereason
THREAT ANALYSIS: From IcedID to Domain Compromise
Recently, IcedID, also known as BokBot, has been used more as a dropper for other malware families and as a tool for initial access brokers.
#ParsedReport
10-01-2023
ASEC Weekly Phishing Email Threat Trends (December 25th, 2022 – December 31st, 2022)
https://asec.ahnlab.com/en/45442
Threats:
Agent_tesla
Formbook
Motw_bypass_technique
Industry:
Financial, Transport
Geo:
Korean
TTPs:
IOCs:
File: 23
Url: 3
Softs:
chrome
Algorithms:
zip
ASEC BLOG
ASEC Weekly Phishing Email Threat Trends (December 25th, 2022 – December 31st, 2022) - ASEC BLOG
The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from December 25th, 2022 to December 31st, 2022 and…
#ParsedReport
10-01-2023
Malware disguised as a manuscript request (targeting national security workers)
https://asec.ahnlab.com/ko/45537
Actors/Campaigns:
Kimsuky
Geo:
Chinese, Korean, Korea
IOCs:
IP: 1
Hash: 6
Url: 6
ASEC BLOG
Malware disguised as a manuscript request (targeting national security workers) - ASEC BLOG
On January 8, the ASEC analysis team identified document-based malware disguised as a manuscript request being distributed to people working in the national security field. The malware obtained executes additional malicious macros through an External object inside the Word document. This technique is known as Template Injection, and we have covered similar attack cases in a previous blog post. When the Word document is opened, it downloads an additional malicious Word macro document from the attacker's C&C server and executes it. In addition…
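Template Injection as described above works because the Word package records the attached template as a package relationship with TargetMode="External", and Word resolves that target when the document opens. The following is an added example, not ASEC's code: it inspects a .docx for exactly that structure (attachedTemplate and oleObject relationships pointing off-document, the latter being the CVE-2017-0199 style of remote OLE link) and builds a constructed sample document to exercise the check. The template URL and host in it are placeholders, not indicators from the report.

```python
"""Detect Word Template Injection: a .docx whose settings/document relationships
point at an External template or OLE object hosted on a remote server.
Added example, not code from ASEC; the sample document and URL are constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types that make Word fetch (and run) remote content on open
SUSPICIOUS_TYPES = {OFFICE_REL + "attachedTemplate", OFFICE_REL + "oleObject"}
# Relationship parts where those types are declared
RELS_PARTS = ("word/_rels/settings.xml.rels", "word/_rels/document.xml.rels")
# Targets that leave the document: URL schemes or UNC paths
REMOTE_TARGET = re.compile(r"^(?:https?:|ftps?:|file:|\\\\)", re.IGNORECASE)


def find_remote_templates(docx_bytes: bytes) -> List[Dict[str, str]]:
    """Return one finding per External relationship of a suspicious type
    whose Target points outside the document."""
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        for part in RELS_PARTS:
            if part not in names:
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                rel_type = rel.get("Type", "")
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal").lower() == "external"
                if rel_type in SUSPICIOUS_TYPES and external and REMOTE_TARGET.match(target):
                    findings.append({
                        "part": part,
                        "type": rel_type.rsplit("/", 1)[-1],
                        "target": target,
                    })
    return findings


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Construct a minimal .docx in memory (constructed test data, not a real
    sample). With template_url set, settings.xml carries an attachedTemplate
    whose relationship is External, the structure Template Injection relies on."""
    rels = ""
    attached = ""
    if template_url:
        rels = (f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
                f'Target="{template_url}" TargetMode="External"/>')
        attached = '<w:attachedTemplate r:id="rId1"/>'
    parts = {
        "[Content_Types].xml": '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "word/document.xml": '<?xml version="1.0" encoding="UTF-8"?>'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body/></w:document>',
        "word/settings.xml": '<?xml version="1.0" encoding="UTF-8"?>'
            '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
            f'{attached}</w:settings>',
        "word/_rels/settings.xml.rels": '<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{PKG_REL_NS}">{rels}</Relationships>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical host, not an indicator from the report
    for hit in find_remote_templates(build_sample_docx("http://template.example.invalid/r.dotm")):
        print(f"{hit['part']}: {hit['type']} -> {hit['target']}")
    print("clean:", find_remote_templates(build_sample_docx(None)))
```

Run it on a real file with find_remote_templates(open(path, "rb").read()). Hyperlink relationships are deliberately not flagged, since External hyperlinks are normal in benign documents; the two types kept are the ones that cause Word to fetch and process remote content without user interaction beyond opening the file.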
#ParsedReport
10-01-2023
Heads up! Xdr33, A Variant Of CIA's HIVE Attack Kit Emerges
https://blog.netlab.360.com/headsup_xdr33_variant_of_ciahive_emeerges
Threats:
Cia_hive_tool
Xdr33
Beacon
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 3
IP: 4
File: 3
Softs:
openssl
Algorithms:
aes, xor, crc-16, bzip
Languages:
python
Platforms:
x86
360 Netlab Blog - Network Security Research Lab at 360
Heads up! Xdr33, A Variant Of CIA’s HIVE Attack Kit Emerges
Overview
On Oct 21, 2022, 360Netlab's honeypot system captured a suspicious ELF file ee07a74d12c0bb3594965b51d0e45b6f, which propagated via an F5 vulnerability with zero VT detections; our system observed that it communicates with IP 45.9.150.144 using SSL…
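The C2 traffic described in this report and in the Chinese-language version above (SSL to a bare IP, forged Kaspersky certificates on both sides, bot-side certificate CN=xdr33) can be triaged from TLS metadata alone. The following is an added example, not 360Netlab's code: it applies those checks to constructed Zeek-style connection records. Only the IP 45.9.150.144 and the CN xdr33 come from the report; the distinguished-name strings, the modelling of the forged certificates as self-signed, and the benign record are assumptions made for illustration.

```python
"""Triage TLS connection records for forged-vendor certificates, the pattern
360Netlab describes for xdr33 (both sides presenting fake Kaspersky certs, bot
cert CN=xdr33). Added example; the records below are constructed, Zeek-style
fields, not a capture from the report."""
from typing import Dict, List

VENDOR_NAMES = ("kaspersky",)   # brands worth checking for forged certs, per the report
CN_WATCHLIST = {"xdr33"}        # bot-side certificate CN named in the report


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse 'CN=a,O=b' into {'CN': 'a', 'O': 'b'}. Assumes no RFC 4514
    escaping (no escaped commas), which is adequate for log-line DNs."""
    fields: Dict[str, str] = {}
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.strip().upper()] = value.strip()
    return fields


def triage_tls_record(rec: Dict[str, str]) -> List[str]:
    """Return the reasons a record is suspicious (empty list = nothing seen)."""
    reasons: List[str] = []
    for side in ("server", "client"):
        subject = rec.get(f"{side}_subject", "")
        if not subject:
            continue
        s = parse_dn(subject)
        # Forged vendor certs cannot chain to the vendor's CA; modelled here as self-signed
        self_signed = s == parse_dn(rec.get(f"{side}_issuer", ""))
        claims_vendor = any(v in f"{s.get('O', '')} {s.get('CN', '')}".lower() for v in VENDOR_NAMES)
        if self_signed and claims_vendor:
            reasons.append(f"{side} certificate is self-signed yet names a vendor: {subject}")
        if s.get("CN", "").lower() in CN_WATCHLIST:
            reasons.append(f"{side} certificate CN is on the watchlist: {s['CN']}")
    # The bot talked to a bare IP and presented its own cert: mutual TLS with no SNI
    # is rare for legitimate vendor software and worth a look on its own
    if rec.get("client_subject") and not rec.get("server_name"):
        reasons.append(f"mutual TLS to {rec.get('resp_h', '?')} with no SNI")
    return reasons


# Constructed records. 45.9.150.144 and CN=xdr33 come from the report; the DN
# strings, the benign record and its TEST-NET address are made up for illustration.
SAMPLE_RECORDS = [
    {"resp_h": "45.9.150.144", "server_name": "",
     "server_subject": "CN=Kaspersky Lab,O=Kaspersky Lab,C=RU",
     "server_issuer": "CN=Kaspersky Lab,O=Kaspersky Lab,C=RU",
     "client_subject": "CN=xdr33,O=Kaspersky Lab,C=RU",
     "client_issuer": "CN=xdr33,O=Kaspersky Lab,C=RU"},
    {"resp_h": "203.0.113.10", "server_name": "example.com",
     "server_subject": "CN=example.com",
     "server_issuer": "CN=R3,O=Let's Encrypt,C=US",
     "client_subject": "", "client_issuer": ""},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["resp_h"], triage_tls_record(rec) or ["ok"])
```

In a real deployment the record fields map onto Zeek's ssl.log subject/issuer/client_subject/client_issuer columns (or the equivalent from any TLS-inspecting sensor); the self-signed test is a proxy, and a stricter version would validate the chain against the vendor's actual roots.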
#ParsedReport
10-01-2023
Phishing web server identified via an email impersonating the National Tax Service
https://asec.ahnlab.com/ko/45483
Industry:
Financial
Geo:
Korea
IOCs:
Url: 1
File: 5
Softs:
telegram
Languages:
php
ASEC BLOG
Phishing web server identified via an email impersonating the National Tax Service - ASEC BLOG
The ASEC analysis team recently identified phishing emails impersonating the National Tax Service in circulation. The email stresses urgency, claiming that the recipient's corporate email password expires the same day and urging them to keep their password before the account is locked. Figure 1) Original email. Figure 2) Credential-entry phishing site. Figure 3) Source code of the login page. Clicking the 'keep the same password' URL brings up a corporate email login page, and the HTML script code of that login page…
#ParsedReport
10-01-2023
A Deep Dive Into poweRAT: a Newly Discovered Stealer/RAT Combo Polluting PyPI
https://blog.phylum.io/a-deep-dive-into-powerat-a-newly-discovered-stealer/rat-combo-polluting-pypi
Threats:
Powerat
Xrat_rat
Industry:
Government
IOCs:
File: 7
Domain: 1
Softs:
flask, telegram, discord
Algorithms:
lzma, base64, zip
Functions:
run_with_cloudflared
Languages:
javascript, python
Links:
https://github.com/cloudflare/cloudflared
Phylum Research | Software Supply Chain Security
A Deep Dive Into poweRAT: a Newly Discovered Stealer/RAT Combo Polluting PyPI
Phylum uncovers new PyPI malware distributing remote access tools.
#ParsedReport
10-01-2023
RomCom RAT Attack Analysis: Fake It to Make It
https://securityintelligence.com/articles/romcom-rat-attack-analysis
Threats:
Romcom_rat
Cuba
Geo:
Ukraine
IOCs:
File: 2
Softs:
keepass
Security Intelligence
RomCom RAT Attack Analysis: Fake It to Make It
Learn more about RomCom RAT attacks and the fake sites and emails used as a trojan horse to give threat actors access.
#ParsedReport
11-01-2023
A View Into Web(View) Attacks in Android
https://securityintelligence.com/posts/view-into-webview-attacks-android
Threats:
Fake-trusteer
Zeus_sphinx
Zeus
Sphinx
Icedid
Trickbot
Rustock
Flubot
Sharkbot
Hydra
Industry:
Financial, E-commerce
IOCs:
Hash: 2
Softs:
android, google chrome, chrome
Algorithms:
base64
Functions:
val, loadUrl, getCookie
Languages:
javascript
Security Intelligence
A View Into Web(View) Attacks in Android
Unpack two effective attack techniques as it relates to financial malware in Android: the Web(View) injection attack and mobile cookie stealing.
#ParsedReport
11-01-2023
NeedleDropper
https://decoded.avast.io/threatresearch/needledropper/?utm_source=rss&utm_medium=rss&utm_campaign=needledropper
Threats:
Needledropper
Formbook
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 5
Path: 1
Hash: 9
Softs:
discord
Win API:
CryptDecrypt, WriteProcessMemory
Languages:
visual_basic, autoit
Links:
https://github.com/avast/ioc/tree/master/NeedleDropper
Gendigital
NeedleDropper
New dropper strain hides payloads effectively
#ParsedReport
11-01-2023
Raspberry Robin's botnet second life
https://blog.sekoia.io/raspberry-robins-botnet-second-life
Actors/Campaigns:
Evil_corp (motivation: financially_motivated)
Turla
Apt31
Threats:
Raspberry_robin
Qnapworm
Dridex
Socgholish_loader
Bumblebee
Truebot
Icedid
Dns_hijacking_technique
Quantum_locker
Retadup
Andromeda
Aurora
Industry:
Education
Geo:
Kazakhstan, France, Romania, Oman, Russian, Bahrain, Germany, Morocco
IOCs:
Domain: 3
Softs:
microsoft jscript
Sekoia.io Blog
Raspberry Robin's botnet second life
Raspberry Robin appears to be a type of Pay-Per-Install botnet, likely to be used by cybercriminals to distribute other malware.
#ParsedReport
11-01-2023
DDosia Project: Volunteers Carrying out NoName(057)16's Dirty Work
https://decoded.avast.io/martinchlumecky/ddosia-project/?utm_source=rss&utm_medium=rss&utm_campaign=ddosia-project
Actors/Campaigns:
Noname057
Killnet
Threats:
Ddosia_botnet
Bobiks
Redline_stealer
Nmap_tool
Prestige_ransomware
Industry:
Education, Financial, Healthcare, Government, Transport, Aerospace
Geo:
Polish, Polands, Belarus, Canada, Germany, Ukrainian, Moscow, Ukraine, Poland, Russian, Lithuania, Berlin, Russia, Latvia
IOCs:
File: 3
IP: 1
Url: 2
Softs:
telegram, macos, pyinstaller, nginx
Algorithms:
zip
Languages:
python
Links:
https://github.com/avast/ioc/blob/master/Bobik/targets.xlsx
Avast Threat Labs
DDosia Project: Volunteers Carrying out NoName(057)16’s Dirty Work - Avast Threat Labs
Volunteers join a DDoS botnet called DDosia to carry out attacks in order to earn up to 80,000 rubles in crypto by providing their network bandwidth.
#ParsedReport
11-01-2023
ASEC Weekly Malware Statistics (20230102 ~ 20230108)
https://asec.ahnlab.com/ko/45447
Threats:
Beamwinhttp_loader
Garbage_cleaner
Smokeloader
Smokerloader
Agent_tesla
Azorult
Formbook
Clipboard_grabbing_technique
Mallox
Remcos_rat
Globeimposter
Industry:
Transport, Financial
Geo:
Korea
IOCs:
IP: 3
Domain: 9
File: 16
Email: 2
Url: 12
Softs:
telegram, ms-sql
ASEC BLOG
ASEC Weekly Malware Statistics (20230102 ~ 20230108) - ASEC BLOG
The ASEC analysis team classifies and responds to known malware using the ASEC automatic analysis system RAPIT. This post summarizes statistics on the malware collected during the week from Monday, January 2, 2023 to Sunday, January 8, 2023. By major category, downloaders ranked first at 55.9%, followed by infostealers at 21.3%, backdoors at 14.2%, ransomware at 7.9%, and coin miners at 0.8%. Top 1 – BeamWinHTTP…
#ParsedReport
11-01-2023
StrongPity espionage campaign targeting Android users
https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users
Threats:
Strongpity
Httrack_tool
Bahamut
Geo:
Syrian, Ukraine
TTPs:
Tactics: 7
Technics: 15
IOCs:
Hash: 13
File: 3
Domain: 2
IP: 2
Softs:
android, android telegram, telegram, tinder, wechat, instagram, instagram.android
Algorithms:
aes, cbc
YARA: Found
WeLiveSecurity
StrongPity espionage campaign targeting Android users
ESET researchers uncover an active StrongPity campaign that spreads a trojanized version of the Android Telegram app posing as the Shagle video chat app.