#ParsedReport
10-01-2023
Phishing web server identified through an email impersonating the National Tax Service
https://asec.ahnlab.com/ko/45483
Industry:
Financial
Geo:
Korea
IOCs:
Url: 1
File: 5
Softs:
telegram
Languages:
php
ASEC BLOG
Phishing Web Server Identified Through an Email Impersonating the National Tax Service - ASEC BLOG
The ASEC analysis team recently confirmed that phishing emails impersonating the National Tax Service (국세청) are in circulation. The phishing email stresses urgency, claiming that the recipient's corporate email password expires the same day, and urges the recipient to keep their password before the account is locked. Figure 1) Original email. Figure 2) Credential-entry phishing site. Figure 3) Source code of the login page. Clicking the "Keep the same password" URL opens a corporate email login page, and the HTML script code of that login page…
#ParsedReport
10-01-2023
A Deep Dive Into poweRAT: a Newly Discovered Stealer/RAT Combo Polluting PyPI
https://blog.phylum.io/a-deep-dive-into-powerat-a-newly-discovered-stealer/rat-combo-polluting-pypi
Threats:
Powerat
Xrat_rat
Industry:
Government
IOCs:
File: 7
Domain: 1
Softs:
flask, telegram, discord
Algorithms:
lzma, base64, zip
Functions:
run_with_cloudflared
Languages:
javascript, python
Links:
https://github.com/cloudflare/cloudflared
Phylum Research | Software Supply Chain Security
A Deep Dive Into poweRAT: a Newly Discovered Stealer/RAT Combo Polluting PyPI
Phylum uncovers new PyPI malware distributing remote access tools.
#ParsedReport
10-01-2023
RomCom RAT Attack Analysis: Fake It to Make It
https://securityintelligence.com/articles/romcom-rat-attack-analysis
Threats:
Romcom_rat
Cuba
Geo:
Ukraine
IOCs:
File: 2
Softs:
keepass
Security Intelligence
RomCom RAT Attack Analysis: Fake It to Make It
Learn more about RomCom RAT attacks and the fake sites and emails used as a trojan horse to give threat actors access.
#ParsedReport
11-01-2023
A View Into Web(View) Attacks in Android
https://securityintelligence.com/posts/view-into-webview-attacks-android
Threats:
Fake-trusteer
Zeus_sphinx
Zeus
Sphinx
Icedid
Trickbot
Rustock
Flubot
Sharkbot
Hydra
Industry:
Financial, E-commerce
IOCs:
Hash: 2
Softs:
android, google chrome, chrome
Algorithms:
base64
Functions:
val, loadUrl, getCookie
Languages:
javascript
Security Intelligence
A View Into Web(View) Attacks in Android
Unpack two effective attack techniques as it relates to financial malware in Android: the Web(View) injection attack and mobile cookie stealing.
#ParsedReport
11-01-2023
NeedleDropper
https://decoded.avast.io/threatresearch/needledropper/?utm_source=rss&utm_medium=rss&utm_campaign=needledropper
Threats:
Needledropper
Formbook
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 5
Path: 1
Hash: 9
Softs:
discord
Win API:
CryptDecrypt, WriteProcessMemory
Languages:
visual_basic, autoit
Links:
https://github.com/avast/ioc/tree/master/NeedleDropper
Gendigital
NeedleDropper
New dropper strain hides payloads effectively
#ParsedReport
11-01-2023
Raspberry Robin's botnet second life
https://blog.sekoia.io/raspberry-robins-botnet-second-life
Actors/Campaigns:
Evil_corp (motivation: financially_motivated)
Turla
Apt31
Threats:
Raspberry_robin
Qnapworm
Dridex
Socgholish_loader
Bumblebee
Truebot
Icedid
Dns_hijacking_technique
Quantum_locker
Retadup
Andromeda
Aurora
Industry:
Education
Geo:
Kazakhstan, France, Romania, Oman, Russian, Bahrain, Germany, Morocco
IOCs:
Domain: 3
Softs:
microsoft jscript
Sekoia.io Blog
Raspberry Robin's botnet second life
Raspberry Robin appears to be a type of Pay-Per-Install botnet, likely to be used by cybercriminals to distribute other malware.
#ParsedReport
11-01-2023
DDosia Project: Volunteers Carrying out NoName(057)16's Dirty Work
https://decoded.avast.io/martinchlumecky/ddosia-project/?utm_source=rss&utm_medium=rss&utm_campaign=ddosia-project
Actors/Campaigns:
Noname057
Killnet
Threats:
Ddosia_botnet
Bobiks
Redline_stealer
Nmap_tool
Prestige_ransomware
Industry:
Education, Financial, Healthcare, Government, Transport, Aerospace
Geo:
Polish, Polands, Belarus, Canada, Germany, Ukrainian, Moscow, Ukraine, Poland, Russian, Lithuania, Berlin, Russia, Latvia
IOCs:
File: 3
IP: 1
Url: 2
Softs:
telegram, macos, pyinstaller, nginx
Algorithms:
zip
Languages:
python
Links:
https://github.com/avast/ioc/blob/master/Bobik/targets.xlsx
Avast Threat Labs
DDosia Project: Volunteers Carrying out NoName(057)16’s Dirty Work - Avast Threat Labs
Volunteers join a DDoS botnet called DDosia to carry out attacks in order to earn up to 80,000 rubles in crypto by providing their network bandwidth.
#ParsedReport
11-01-2023
ASEC Weekly Malware Statistics (20230102 ~ 20230108)
https://asec.ahnlab.com/ko/45447
Threats:
Beamwinhttp_loader
Garbage_cleaner
Smokeloader
Smokerloader
Agent_tesla
Azorult
Formbook
Clipboard_grabbing_technique
Mallox
Remcos_rat
Globeimposter
Industry:
Transport, Financial
Geo:
Korea
IOCs:
IP: 3
Domain: 9
File: 16
Email: 2
Url: 12
Softs:
telegram, ms-sql
ASEC BLOG
ASEC Weekly Malware Statistics (20230102 ~ 20230108) - ASEC BLOG
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post summarizes statistics on malware collected during the week from Monday, January 2, 2023 to Sunday, January 8, 2023. By major category, downloaders ranked first at 55.9%, followed by infostealers at 21.3%, backdoors at 14.2%, ransomware at 7.9%, and coin miners at 0.8%. Top 1 – BeamWinHTTP…
#ParsedReport
11-01-2023
StrongPity espionage campaign targeting Android users
https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users
Threats:
Strongpity
Httrack_tool
Bahamut
Geo:
Syrian, Ukraine
TTPs:
Tactics: 7
Technics: 15
IOCs:
Hash: 13
File: 3
Domain: 2
IP: 2
Softs:
android, android telegram, telegram, tinder, wechat, instagram, instagram.android
Algorithms:
aes, cbc
YARA: Found
WeLiveSecurity
StrongPity espionage campaign targeting Android users
ESET researchers uncover an active StrongPity campaign that spreads a trojanized version of the Android Telegram app posing as the Shagle video chat app.
#ParsedReport
11-01-2023
Gootkit Loader Actively Targets Australian Healthcare Industry
https://www.trendmicro.com/en_us/research/23/a/gootkit-loader-actively-targets-the-australian-healthcare-indust.html
Actors/Campaigns:
Stone_panda
Threats:
Gootkit
Gootloader
Cobalt_strike
Dll_sideloading_technique
Beacon
Process_injection_technique
Bloodhound_tool
Trojan.win32.frs.vsnw0ek22
Follina_vuln
Trojan.js.downloader.ac
Trojan.ps1.powload.tiaoeno
Industry:
Healthcare, Media
Geo:
Australia, Australian
TTPs:
Tactics: 3
Technics: 0
IOCs:
File: 7
Path: 1
IP: 1
Hash: 4
Url: 2
Softs:
wordpress
Algorithms:
zip
Languages:
javascript, php
Trend Micro
Gootkit Loader Actively Targets Australian Healthcare Industry
We analyzed the infection routine used in recent Gootkit loader attacks on the Australian healthcare industry and found that Gootkit leveraged SEO poisoning for its initial access and abused legitimate tools like VLC Media Player.
#ParsedReport
11-01-2023
Dark Pink
https://blog.group-ib.com/dark-pink-apt
Actors/Campaigns:
Darkpink (motivation: financially_motivated, cyber_espionage)
Axiom
Saaiwc
Threats:
Telepowerbot
Kamikakabot
Cucky_stealer
Ctealer_stealer
Dll_sideloading_technique
Powersploit
Uac_bypass_technique
Industry:
Government
Geo:
Indonesian, Cambodia, Iran, China, Pakistan, Vietnamese, Korea, Philippines, Vietnam, Malaysia, Apac, Chinese, Indonesia
TTPs:
Tactics: 2
Technics: 0
IOCs:
Registry: 33
File: 23
Email: 6
Path: 4
Hash: 12
Softs:
telegram, windows defender, chrome, coccoc, chromium, amigo, kometa, nichrome, comodo dragon, vivaldi, have more...
Algorithms:
xor, base64, zip
Win API:
DriveType
Group-IB
Dark Pink
Dark Pink APT unleashes malware for deeper and more sinister intrusions in the Asia-Pacific and Europe
#ParsedReport
11-01-2023
Malicious JARs and Polyglot files: Who do you think you JAR?
https://www.deepinstinct.com/blog/malicious-jars-and-polyglot-files-who-do-you-think-you-jar
Threats:
Polyglot
Strrat
Ratty_rat
Geo:
Bulgarian
CVEs:
CVE-2020-1464 [Vulners]
Vulners: Score: 2.1, CVSS: 2.5
Vulners: Exploitation: True
X-Force: Risk: 5.3
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (-, 1607, 1709, 1803, 1809, 1903, 1909, 2004)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
- microsoft windows server 2008 (-, r2)
have more...
TTPs:
Tactics: 3
Technics: 4
IOCs:
Hash: 40
Domain: 1
Url: 1
Softs:
discord
Algorithms:
zip
Languages:
java
Links:
https://github.com/deepinstinct/RattyConfigExtractor
https://github.com/deepinstinct/JAR-Polyglot-POC
https://github.com/Polydet/polyglot-database
Deep Instinct
Malicious JARs and Polyglot files: “Who do you think you JAR?” | Deep Instinct
Throughout 2022, Deep Instinct observed various combinations of polyglot files with malicious JARs. The initial technique dates to around 2018 when it used signed MSI files to bypass Microsoft code signing verification. A year later, in 2019, Virus Total…
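The polyglot trick summarized above works because the two consumers read the same bytes from opposite ends: Windows decides a file is an MSI (Compound File) or a PE from the magic at the start, while Java's JAR loader, like any zip reader, locates the central directory from the End Of Central Directory (EOCD) record at the end. The Python check below is an added example written for this page; it is not code from the Deep Instinct post or from its JAR-Polyglot-POC repository. It reports what each consumer would see and flags a file that satisfies both. The function names, the fake 512-byte MSI header block (only the CFB magic is populated) and the `Payload.class` entry are assumptions constructed for illustration, not a real sample.

```python
"""Flag JAR/MSI and JAR/PE polyglots by checking both ends of a file.

Added example, not code from the Deep Instinct post. Sample input is
constructed inline (build_sample_polyglot) and is not real malware.
"""
import io
import struct
import zipfile
from typing import Dict, List, Optional

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # OLE Compound File header (MSI, legacy Office)
PE_MAGIC = b"MZ"                                  # DOS/PE executable header
EOCD_SIG = b"PK\x05\x06"                          # zip End Of Central Directory signature
EOCD_FIXED_LEN = 22                               # fixed-size part of the EOCD record
MAX_COMMENT = 0xFFFF                              # zip archive comment is at most 65535 bytes


def host_format(data: bytes) -> Optional[str]:
    """What Windows sees: the container type is decided by the magic at the START."""
    if data.startswith(CFB_MAGIC):
        return "msi"
    if data.startswith(PE_MAGIC):
        return "pe"
    return None


def find_eocd(data: bytes) -> Optional[int]:
    """What a zip/JAR reader sees: scan back from the END for the EOCD record.

    Returns the EOCD offset, or None. The comment-length field must make the
    record end exactly at EOF, which rules out stray signature bytes elsewhere.
    """
    tail_start = max(0, len(data) - EOCD_FIXED_LEN - MAX_COMMENT)
    idx = data.rfind(EOCD_SIG, tail_start)
    while idx != -1:
        if idx + EOCD_FIXED_LEN <= len(data):
            comment_len = struct.unpack_from("<H", data, idx + 20)[0]
            if idx + EOCD_FIXED_LEN + comment_len == len(data):
                return idx
        idx = data.rfind(EOCD_SIG, tail_start, idx)
    return None


def jar_entries(data: bytes) -> List[str]:
    """List archive members; zipfile also starts at the EOCD, so prepended bytes are tolerated."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def classify(data: bytes) -> Dict[str, object]:
    """Combine both views; 'polyglot' means a Windows container that also carries JAR content."""
    host = host_format(data)
    eocd = find_eocd(data)
    entries = jar_entries(data) if eocd is not None else []
    looks_like_jar = any(n.endswith(".class") or n == "META-INF/MANIFEST.MF" for n in entries)
    return {
        "host": host,
        "is_zip_tail": eocd is not None,
        "entries": entries,
        "polyglot": host is not None and looks_like_jar,
    }


def build_sample_polyglot() -> bytes:
    """Constructed test input (hypothetical, not a real sample): a fake 512-byte MSI
    header block carrying only the CFB magic, followed by a tiny JAR with a dummy class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Payload\n")
        zf.writestr("Payload.class", b"\xCA\xFE\xBA\xBE" + b"\x00" * 16)  # class-file magic + filler
    fake_msi_header = CFB_MAGIC + b"\x00" * (512 - len(CFB_MAGIC))
    return fake_msi_header + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_polyglot()
    print(classify(sample))         # host 'msi', polyglot True
    print(classify(sample[512:]))   # plain JAR: host None, polyglot False
```

The EOCD walk mirrors what real zip readers do, so a file that this flags is one Java would happily load; whether the Windows side still validates a signature over it is a separate question (the CVE-2020-1464 fix listed above addresses that), and a file that parses as both formats is worth quarantining regardless.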
#ParsedReport
12-01-2023
NoName057(16) The Pro-Russian Hacktivist Group Targeting NATO
https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato
Actors/Campaigns:
Noname057 (motivation: hacktivism)
Killnet (motivation: hacktivism)
Threats:
Bobiks
Ddosia_botnet
Industry:
Government, Telco, Financial, Transport
Geo:
Lithuania, Czech, Poland, Ukraine, Russian, Denmark, Polish, Danish, Bulgarian, Dutch, Russia, Ukrainian
IOCs:
Domain: 3
IP: 5
Url: 5
Hash: 12
Email: 1
Softs:
telegram, pyinstaller, macos, android
Languages:
python, golang
SentinelOne
NoName057(16) - The Pro-Russian Hacktivist Group Targeting NATO
In the name of Russia's war in Ukraine, NoName057(16) abuses GitHub and Telegram in an ongoing campaign to disrupt NATO's critical infrastructure.
#ParsedReport
12-01-2023
Lockbit 3.0 AKA Lockbit Black is here, with a new icon, new ransom note, new wallpaper, but less evasiveness?
https://minerva-labs.com/blog/lockbit-3-0-aka-lockbit-black-is-here-with-a-new-icon-new-ransom-note-new-wallpaper-but-less-evasiveness
Threats:
Lockbit
Blackcat
Uac_bypass_technique
Geo:
Romanian, Russian, Syria, Belarusian, Moldova, Azerbaijani, Ukrainian
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 1
Registry: 1
Softs:
msexchange, onenote, thebat, wordpad, windows defender
Algorithms:
xor
Functions:
Windows
Win API:
GetSystemDefaultUILanguage, GetUserDefaultUILanguage, NtSetInformationThread
Win Services:
GxVss, GxBlr, GxFWD, GxCVD, GxCIMgr, ocssd, dbsnmp, synctime, agntsvc, isqlplussvc, have more...
Minerva Labs
Lockbit 3.0 AKA Lockbit Black is here, with a new icon, new ransom note, new wallpaper, but less evasiveness?
Lockbit 3.0, also known as Lockbit Black was recently released and has already claimed its first victims. We dive into how it works and how you can protect yourselves
#ParsedReport
12-01-2023
New updated IceXLoader claims thousands of victims around the world
https://minerva-labs.com/blog/new-updated-icexloader-claims-thousands-of-victims-around-the-world
Threats:
Icexloader
Process_hollowing_technique
Nimbda_loader
Bazarnimrod
Process_injection_technique
Geo:
Chinese
TTPs:
IOCs:
Path: 8
Registry: 2
File: 4
Command: 2
Hash: 4
Url: 1
Softs:
net framework, windows defender
Win API:
AmsiScanBuffer
Languages:
javascript
#ParsedReport
12-01-2023
Rhadamanthys: New Stealer Spreading Through Google Ads
https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads
Threats:
Rhadamanthys
Anydesk_tool
Antivm
Beacon
Process_injection_technique
Industry:
Financial
TTPs:
Tactics: 8
Technics: 19
IOCs:
Url: 1
File: 5
Domain: 12
Hash: 6
Softs:
zoom, pyinstaller, virtualbox, chrome, opera, pale moon, coccoc, zcash, winscp, foxmail, have more...
Algorithms:
base64
Win API:
CreateThread, BitBlt
Languages:
python
Cyble
Cyble - Rhadamanthys: New Stealer Spreading Through Google Ads
CRIL analyzes Rhadamanthys Stealer, a new strain of malware spread via Google Ads to steal users' sensitive information.
#ParsedReport
12-01-2023
STOP/DJVU Ransomware
https://minerva-labs.com/blog/stop-djvu-ransomware
Threats:
Stop_ransomware
Process_hollowing_technique
Vidar_stealer
Gozi
Industry:
Financial
Geo:
Tajikistan, Ukraine, Kazakhstan, Uzbekistan, Azerbaijan, Kyrgyzstan, Belarus, Russia, Armenia, Syria
IOCs:
Registry: 1
Path: 2
Url: 2
File: 3
Win API:
InternetReadFile, ShellExecuteA
Platforms:
x86, intel
#ParsedReport
12-01-2023
Trojan Puzzle attack trains AI assistants into suggesting malicious code
https://www.bleepingcomputer.com/news/security/trojan-puzzle-attack-trains-ai-assistants-into-suggesting-malicious-code
Threats:
Trojanpuzzle_technique
Industry:
Education
Geo:
California
Languages:
python
BleepingComputer
Trojan Puzzle attack trains AI assistants into suggesting malicious code
Researchers at the universities of California, Virginia, and Microsoft have devised a new poisoning attack that could trick AI-based coding assistants into suggesting dangerous code.
#ParsedReport
12-01-2023
SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security
https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic
Actors/Campaigns:
0ktapus
Threats:
Byovd_technique
Kdmapper_tool
Industry:
Bp_outsourcing, Telco
CVEs:
CVE-2015-2291 [Vulners]
Vulners: Score: 7.2, CVSS: 6.7
Vulners: Exploitation: Unknown
X-Force: Risk: 7.5
X-Force: Patch: Unavailable
Soft:
- intel ethernet diagnostics driver iqvw32.sys (1.03.0.7)
- intel ethernet diagnostics driver iqvw64.sys (1.03.0.7)
IOCs:
File: 2
Hash: 2
Softs:
windows security, windows kernel, microsoft defender for endpoint, windows registry, microsoft windows defender application control
Algorithms:
xor
Functions:
DbgPrintEx
Platforms:
intel
CrowdStrike.com
SCATTERED SPIDER Attempts to Avoid Detection with Bring-Your-Own-Driver Tactic
Learn how CrowdStrike detected SCATTERED SPIDER's attempt to deploy a malicious driver through a vulnerability (CVE-2015-2291) in the Intel Ethernet diagnostics driver.
#ParsedReport
13-01-2023
Orcus RAT Being Distributed Disguised as a Hangul Word Processor Crack
https://asec.ahnlab.com/en/45462
Threats:
Orcus_rat
Sbit_rat
Xmrig_miner
Nircmd_tool
Process_hacker_tool
Cobalt_strike
Androm
Trojan/win.injection.c5347028
Orcusrat
Industry:
Media
Geo:
Korean
IOCs:
File: 38
Path: 1
Coin: 1
Hash: 8
Domain: 3
Url: 13
Softs:
task scheduler, microsoft office word, windows defender, telegram, exe,v_ser, process explorer, visual studio
ASEC
Orcus RAT Being Distributed Disguised as a Hangul Word Processor Crack - ASEC
#ParsedReport
13-01-2023
ASEC Weekly Malware Statistics (January 2nd, 2023 – January 8th, 2023)
https://asec.ahnlab.com/en/45636
Threats:
Beamwinhttp_loader
Garbage_cleaner
Smokeloader
Agent_tesla
Formbook
Mallox
Clipboard_grabbing_technique
Industry:
Financial
Geo:
Korea
IOCs:
IP: 3
Domain: 9
File: 9
Email: 2
Url: 12
Softs:
telegram, ms-sql
ASEC
ASEC Weekly Malware Statistics (January 2nd, 2023 – January 8th, 2023) - ASEC
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 2nd, 2023 (Monday) to January 8th, 2023 (Sunday). For the main category, downloader…