#ParsedReport
11-01-2023
Malicious JARs and Polyglot files: Who do you think you JAR?
https://www.deepinstinct.com/blog/malicious-jars-and-polyglot-files-who-do-you-think-you-jar
Threats:
Polyglot
Strrat
Ratty_rat
Geo:
Bulgarian
CVEs:
CVE-2020-1464 [Vulners]
Vulners: Score: 2.1, CVSS: 2.5,
Vulners: Exploitation: True
X-Force: Risk: 5.3
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (-, 1607, 1709, 1803, 1809, 1903, 1909, 2004)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
- microsoft windows server 2008 (-, r2)
have more...
TTPs:
Tactics: 3
Technics: 4
IOCs:
Hash: 40
Domain: 1
Url: 1
Softs:
discord
Algorithms:
zip
Languages:
java
Links:
https://github.com/deepinstinct/RattyConfigExtractor
https://github.com/deepinstinct/JAR-Polyglot-POC
https://github.com/Polydet/polyglot-database
Deep Instinct
Throughout 2022, Deep Instinct observed various combinations of polyglot files with malicious JARs. The initial technique dates to around 2018 when it used signed MSI files to bypass Microsoft code signing verification. A year later, in 2019, Virus Total…
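A JAR is a ZIP, and ZIP readers (including Java's) locate the archive from its end-of-central-directory record, so arbitrary data glued in front of the archive (an MSI, a CAB, an image) is tolerated; a parser for that front format sees its own file type first. The added example below, which is not Deep Instinct's code or their JAR-Polyglot-POC, checks a blob for prepended bytes by comparing the central directory offset the EOCD record claims with where the directory actually sits, and shows that a standard ZIP reader still opens such a file. The 512-byte OLE-style prefix is constructed and is not a real MSI; ZIP64 archives are out of scope.

```python
"""Prepended-data (polyglot) check for ZIP/JAR files. Added example, not project code."""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"       # end-of-central-directory record signature
LOCAL_HDR_SIG = b"PK\x03\x04"  # first bytes of a clean archive


def prepended_bytes(data: bytes) -> int:
    """Number of bytes sitting in front of the ZIP structure (0 for a clean archive).

    The EOCD record stores the central directory's size and its offset from the
    start of the archive. If other content is prepended, the directory is found
    later than the declared offset by exactly that many bytes. Java tolerates the
    mismatch, which is what makes JAR polyglots load. ZIP64 is not handled.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP: no end-of-central-directory record")
    # EOCD layout: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2) cd_size(4) cd_offset(4)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    actual_cd_start = eocd - cd_size
    return actual_cd_start - cd_offset


def is_zip_polyglot(data: bytes) -> bool:
    """True when the file does not begin with a ZIP local header yet parses as a
    ZIP with prepended data, i.e. another format's parser sees a different file."""
    return not data.startswith(LOCAL_HDR_SIG) and prepended_bytes(data) > 0


def build_jar(entries: dict[str, bytes]) -> bytes:
    """Build a small in-memory archive with the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def archive_names(data: bytes) -> list[str]:
    """A stock ZIP reader lists the polyglot's entries just like the clean JAR."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


# Constructed samples: a minimal JAR-like archive, and the same archive behind a
# fake 512-byte prefix that only mimics an OLE/MSI magic; it is not a real MSI.
CLEAN_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\nMain-Class: Loader\r\n\r\n",
    "Loader.class": b"\xca\xfe\xba\xbe" + b"\x00" * 28,
})
FAKE_PREFIX = b"\xd0\xcf\x11\xe0" + b"\x00" * 508
POLYGLOT = FAKE_PREFIX + CLEAN_JAR

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_JAR), ("polyglot", POLYGLOT)):
        print(label, prepended_bytes(blob), is_zip_polyglot(blob), archive_names(blob))
```

A non-zero result is not proof of malice (self-extracting archives and some installers legitimately prepend a stub), but for a file that is delivered as a JAR it is worth a second look, and the reverse check, a file whose front-format parser is happy but whose tail is a valid central directory, catches the MSI side of the same trick.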
#ParsedReport
12-01-2023
NoName057(16) The Pro-Russian Hacktivist Group Targeting NATO
https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato
Actors/Campaigns:
Noname057 (motivation: hacktivism)
Killnet (motivation: hacktivism)
Threats:
Bobiks
Ddosia_botnet
Industry:
Government, Telco, Financial, Transport
Geo:
Lithuania, Czech, Poland, Ukraine, Russian, Denmark, Polish, Danish, Bulgarian, Dutch, Russia, Ukrainian
IOCs:
Domain: 3
IP: 5
Url: 5
Hash: 12
Email: 1
Softs:
telegram, pyinstaller, macos, android
Languages:
python, golang
SentinelOne
In the name of Russia's war in Ukraine, NoName057(16) abuses GitHub and Telegram in an ongoing campaign to disrupt NATO's critical infrastructure.
#ParsedReport
12-01-2023
Lockbit 3.0 AKA Lockbit Black is here, with a new icon, new ransom note, new wallpaper, but less evasiveness?
https://minerva-labs.com/blog/lockbit-3-0-aka-lockbit-black-is-here-with-a-new-icon-new-ransom-note-new-wallpaper-but-less-evasiveness
Threats:
Lockbit
Blackcat
Uac_bypass_technique
Geo:
Romanian, Russian, Syria, Belarusian, Moldova, Azerbaijani, Ukrainian
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 1
Registry: 1
Softs:
msexchange, onenote, thebat, wordpad, windows defender
Algorithms:
xor
Functions:
Windows
Win API:
GetSystemDefaultUILanguage, GetUserDefaultUILanguage, NtSetInformationThread
Win Services:
GxVss, GxBlr, GxFWD, GxCVD, GxCIMgr, ocssd, dbsnmp, synctime, agntsvc, isqlplussvc, have more...
Minerva Labs
Lockbit 3.0, also known as Lockbit Black was recently released and has already claimed its first victims. We dive into how it works and how you can protect yourselves
#ParsedReport
12-01-2023
New updated IceXLoader claims thousands of victims around the world
https://minerva-labs.com/blog/new-updated-icexloader-claims-thousands-of-victims-around-the-world
Threats:
Icexloader
Process_hollowing_technique
Nimbda_loader
Bazarnimrod
Process_injection_technique
Geo:
Chinese
TTPs:
IOCs:
Path: 8
Registry: 2
File: 4
Command: 2
Hash: 4
Url: 1
Softs:
net framework, windows defender
Win API:
AmsiScanBuffer
Languages:
javascript
#ParsedReport
12-01-2023
Rhadamanthys: New Stealer Spreading Through Google Ads
https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads
Threats:
Rhadamanthys
Anydesk_tool
Antivm
Beacon
Process_injection_technique
Industry:
Financial
TTPs:
Tactics: 8
Technics: 19
IOCs:
Url: 1
File: 5
Domain: 12
Hash: 6
Softs:
zoom, pyinstaller, virtualbox, chrome, opera, pale moon, coccoc, zcash, winscp, foxmail, have more...
Algorithms:
base64
Win API:
CreateThread, BitBlt
Languages:
python
Cyble
CRIL analyzes Rhadamanthys Stealer, a new strain of malware spread via Google Ads to steal users' sensitive information.
#ParsedReport
12-01-2023
STOP/DJVU Ransomware
https://minerva-labs.com/blog/stop-djvu-ransomware
Threats:
Stop_ransomware
Process_hollowing_technique
Vidar_stealer
Gozi
Industry:
Financial
Geo:
Tajikistan, Ukraine, Kazakhstan, Uzbekistan, Azerbaijan, Kyrgyzstan, Belarus, Russia, Armenia, Syria
IOCs:
Registry: 1
Path: 2
Url: 2
File: 3
Win API:
InternetReadFile, ShellExecuteA
Platforms:
x86, intel
#ParsedReport
12-01-2023
Trojan Puzzle attack trains AI assistants into suggesting malicious code
https://www.bleepingcomputer.com/news/security/trojan-puzzle-attack-trains-ai-assistants-into-suggesting-malicious-code
Threats:
Trojanpuzzle_technique
Industry:
Education
Geo:
California
Languages:
python
BleepingComputer
Researchers at the universities of California, Virginia, and Microsoft have devised a new poisoning attack that could trick AI-based coding assistants into suggesting dangerous code.
#ParsedReport
12-01-2023
SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security
https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic
Actors/Campaigns:
0ktapus
Threats:
Byovd_technique
Kdmapper_tool
Industry:
Bp_outsourcing, Telco
CVEs:
CVE-2015-2291 [Vulners]
Vulners: Score: 7.2, CVSS: 6.7,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.5
X-Force: Patch: Unavailable
Soft:
- intel ethernet diagnostics driver iqvw32.sys (1.03.0.7)
- intel ethernet diagnostics driver iqvw64.sys (1.03.0.7)
IOCs:
File: 2
Hash: 2
Softs:
windows security, windows kernel, microsoft defender for endpoint, windows registry, microsoft windows defender application control
Algorithms:
xor
Functions:
DbgPrintEx
Platforms:
intel
CrowdStrike.com
Learn how CrowdStrike detected SCATTERED SPIDER's attempt to deploy a malicious driver through a vulnerability (CVE-2015-2291) in the Intel Ethernet diagnostics driver.
#ParsedReport
13-01-2023
Orcus RAT Being Distributed Disguised as a Hangul Word Processor Crack
https://asec.ahnlab.com/en/45462
Threats:
Orcus_rat
Sbit_rat
Xmrig_miner
Nircmd_tool
Process_hacker_tool
Cobalt_strike
Androm
Trojan/win.injection.c5347028
Orcusrat
Industry:
Media
Geo:
Korean
IOCs:
File: 38
Path: 1
Coin: 1
Hash: 8
Domain: 3
Url: 13
Softs:
task scheduler, microsoft office word, windows defender, telegram, exe,v_ser, process explorer, visual studio
ASEC
#ParsedReport
13-01-2023
ASEC Weekly Malware Statistics (January 2nd, 2023 – January 8th, 2023)
https://asec.ahnlab.com/en/45636
Threats:
Beamwinhttp_loader
Garbage_cleaner
Smokeloader
Agent_tesla
Formbook
Mallox
Clipboard_grabbing_technique
Industry:
Financial
Geo:
Korea
IOCs:
IP: 3
Domain: 9
File: 9
Email: 2
Url: 12
Softs:
telegram, ms-sql
ASEC
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 2nd, 2023 (Monday) to January 8th, 2023 (Sunday). For the main category, downloader…
#ParsedReport
15-01-2023
Supply Chain Attack Using Identical PyPI Packages, colorslib, httpslib, and libhttps
https://www.fortinet.com/blog/threat-research/supply-chain-attack-using-identical-pypi-packages-colorslib-httpslib-libhttps
IOCs:
Url: 1
Hash: 3
File: 4
Path: 2
Languages:
python
Fortinet Blog
The FortiGuard Labs team discovered an attack embedded in three PyPI packages called ‘colorslib’, ‘httpslib’, and “libhttps”. Read our blog to learn more.…
#ParsedReport
15-01-2023
Cisco Talos Intelligence Blog. Threat Round up for January 6 to January 13
https://blog.talosintelligence.com/threat-roundup-0106-0113
Threats:
Lokibot_stealer
Upatre
Vobfus
Remcos_rat
Adwind_rat
Hawkeye_keylogger
Trickbot
Darkcomet_rat
Shiz
Industry:
Financial
IOCs:
File: 2
Domain: 58
Path: 36
Hash: 199
IP: 56
Email: 23
Softs:
microsoft office, directx
Cisco Talos Blog
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 6 and Jan. 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting…
#ParsedReport
15-01-2023
QakBot Malware Used Unpatched Vulnerability to Bypass Windows OS Security Feature
https://blog.eclecticiq.com/qakbot-malware-used-unpatched-vulnerability-to-bypass-windows-os-security-feature
Threats:
Qakbot
Motw_bypass_technique
Lotl_technique
Lolbin_technique
Lolbas_technique
Blackbasta
Process_injection_technique
Process_hollowing_technique
Emotet
Industry:
Government, Financial
Geo:
Russia, Ukraine
CVEs:
CVE-2022-41049 [Vulners]
Vulners: Score: Unknown, CVSS: 2.4,
Vulners: Exploitation: True
X-Force: Risk: 5.4
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, -)
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 20h2, 21h1, 21h2, 22h2, 1809)
- microsoft windows 8.1 (-, -)
- microsoft windows server 2016 (-)
have more...
CVE-2022-44698 [Vulners]
Vulners: Score: Unknown, CVSS: 2.1,
Vulners: Exploitation: True
X-Force: Risk: 5.4
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (1607, 1809, 20h2, 21h1, 21h2, 22h2)
- microsoft windows server 2016 (-)
- microsoft windows server 2019 (-)
- microsoft windows server 2022 (-)
- microsoft windows 11 (-, -)
have more...
CVE-2022-41091 [Vulners]
Vulners: Score: Unknown, CVSS: 2.4,
Vulners: Exploitation: True
X-Force: Risk: 5.4
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (1607, -, 1809, 20h2, 21h1, 21h2, 22h2)
- microsoft windows server 2016 (-)
- microsoft windows server 2019 (-)
- microsoft windows server 2022 (-, -)
- microsoft windows 11 (-, -, 22h2, 22h2)
have more...
TTPs:
IOCs:
File: 6
Hash: 4
Softs:
windows defender smartscreen, windows security, microsoft office, windows error reporting
Algorithms:
xor, crc-32, rc4, zip, base64
Languages:
javascript
YARA: Found
Eclecticiq
QakBot phishing bypasses Mark-of-the-Web security and installs harmful software.
#ParsedReport
15-01-2023
ASEC (20230101 ~ 20230107). ASEC Weekly phishing email threat trend (20230101 ~ 20230107)
https://asec.ahnlab.com/ko/45597
Threats:
Agent_tesla
Formbook
Remcos_rat
Motw_bypass_technique
Industry:
Financial
Geo:
Korean
TTPs:
IOCs:
File: 21
Url: 4
Algorithms:
zip
Links:
https://github.com/nmantani/archiver-MOTW-support-comparison
ASEC BLOG
ASEC Weekly Phishing Email Threat Trends (20230101 ~ 20230107) - ASEC BLOG
Contents: phishing email threat types; attachment extensions; distribution cases; case: fake login page (FakePage); case: malware (Infostealer, Downloader, etc.); keyword to watch: 'RAR'; fake page (FakePage) C2 addresses; preventing phishing email attacks. The ASEC analysis team monitors phishing email threats using its automatic sample analysis system (RAPIT) and honeypots. This post covers the phishing … confirmed during the week of January 1 to January 7, 2023…
#technique
Explorer persistence technique: hijack the DLL search order for cscapi.dll by writing a malicious DLL to C:\Windows\cscapi.dll. When explorer.exe loads it, the malicious code executes. The persistence is triggered each time the explorer process runs.
https://github.com/D1rkMtr/ExplorerPersist
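The technique works because explorer.exe lives in C:\Windows, and for a DLL that is not on the KnownDLLs list Windows searches the application's own directory before System32; a cscapi.dll planted next to explorer.exe therefore shadows the genuine Offline Files API library in System32. The added example below is not the ExplorerPersist code: it is a hunting check that takes a directory listing and reports every DLL in the executable's directory that also exists in System32. It assumes default SafeDllSearchMode, no manifest or redirection for the DLL, and that the listing is supplied to it (here a constructed one); verifying the Authenticode signature of anything it flags is the natural next step and is not done offline here.

```python
"""Search-order shadowing check for explorer.exe. Added example, not the ExplorerPersist code."""
import ntpath
from typing import Iterable

# explorer.exe is loaded from C:\Windows, so that directory is searched before
# System32 for any DLL that is not a KnownDLL (assumption: default SafeDllSearchMode
# and no manifest redirection). cscapi.dll normally exists only in System32.
EXPLORER_DIR = r"C:\Windows"
SYSTEM_DIR = r"C:\Windows\System32"


def find_shadowing_dlls(paths: Iterable[str], app_dir: str = EXPLORER_DIR,
                        system_dir: str = SYSTEM_DIR) -> list[str]:
    """Return DLL names present in app_dir that also exist in system_dir.

    Such a file wins the search and is loaded instead of the System32 copy.
    Paths are compared case-insensitively, as NTFS resolves them.
    """
    app_dir_n = ntpath.normcase(app_dir)
    system_dir_n = ntpath.normcase(system_dir)
    in_app, in_sys = set(), set()
    for path in paths:
        directory, name = ntpath.split(ntpath.normcase(path))
        if not name.endswith(".dll"):
            continue
        if directory == app_dir_n:
            in_app.add(name)
        elif directory == system_dir_n:
            in_sys.add(name)
    return sorted(in_app & in_sys)


# Constructed directory listing (not from a real host). twain_32.dll stands in
# for a DLL that legitimately lives in C:\Windows with no System32 twin, so it
# must not be flagged; the planted cscapi.dll shadows the System32 original.
SAMPLE_LISTING = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\twain_32.dll",
    r"C:\Windows\cscapi.dll",
    r"C:\Windows\System32\cscapi.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\ntdll.dll",
]

if __name__ == "__main__":
    print(find_shadowing_dlls(SAMPLE_LISTING))  # ['cscapi.dll']
```

On a live host the listing would come from enumerating C:\Windows and C:\Windows\System32; any hit is a candidate for signature verification and for a check of which process actually loaded it.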
#ParsedReport
16-01-2023
Decrypted: BianLian Ransomware
https://decoded.avast.io/threatresearch/decrypted-bianlian-ransomware/?utm_source=rss&utm_medium=rss&utm_campaign=decrypted-bianlian-ransomware
Threats:
Hydra
Industry:
Healthcare, Entertainment
IOCs:
File: 2
Command: 1
Path: 3
Hash: 7
Softs:
windows explorer
Algorithms:
cbc, aes, aes-256
Avast Threat Labs
The team at Avast has developed a decryptor for the BianLian ransomware and released it for public download. The BianLian ransomware emerged in August 2022, performing targeted attacks in various industries, such as the media and entertainment, manufacturing…
#ParsedReport
16-01-2023
Attackers Infected a CircleCI Employee with Malware to Steal Customer Session Tokens
https://socradar.io/attackers-infected-a-circleci-employee-with-malware-to-steal-customer-session-tokens
Geo:
Quebec
IOCs:
IP: 8
File: 1
Domain: 1
SOCRadar® Cyber Intelligence Inc.
Software provider CircleCI confirmed that a data breach in December resulted in the theft of some of its customers' sensitive information.
#ParsedReport
16-01-2023
Gotta Catch Em All | Understanding the NetSupport RAT Campaigns Hiding Behind Pokemon Lures
https://www.sentinelone.com/blog/gotta-catch-em-all-understanding-the-netsupport-rat-campaigns-hiding-behind-pokemon-lures
Threats:
Netsupportmanager_rat
Teamviewer_tool
Andromeda
Nanocore_rat
Cirenegrat
Meteor_wiper
Ragnarlocker
Maze
Babadeda
Industry:
E-commerce, Financial
TTPs:
Tactics: 1
Technics: 13
IOCs:
File: 6
Hash: 16
Domain: 1
Softs:
google chrome
Algorithms:
base64
Win API:
GetAdaptersAddresses, IsDebuggerPresent, EnumProcesses
Platforms:
x86
SentinelOne
Understand the NetSupport RAT campaigns hiding behind Pokemon lures. NetSupport RAT is a remote access tool used for exploitation.
#ParsedReport
16-01-2023
APTBitter. APT organization Bitter network spy attack activity instance analysis
https://mp.weixin.qq.com/s/7Q2nulqLsofjSftbWQt2kA
Actors/Campaigns:
Bitter
Manling_flower
Threats:
Disttrack
Industry:
Energy, Government
Geo:
China, Pakistan, Asian, Bangladesh
CVEs:
CVE-2018-0798 [Vulners]
Vulners: Score: 9.3, CVSS: 3.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2010, 2016, 2016, 2007, 2013)
- microsoft word (2013, 2016, 2007, 2010, 2013)
- microsoft office compatibility pack (-)
IOCs:
File: 10
Command: 1
Email: 1
Softs:
burpsuite, wechat
Algorithms:
xor
Weixin Official Accounts Platform
Analysis of a cyber-espionage attack campaign by the APT group Bitter
Recently, Zhongfu Information threat researchers analyzed a recent attack campaign by the group against a Bangladeshi military institution.
#ParsedReport
16-01-2023
Abusing a GitHub Codespaces Feature For Malware Delivery. What is GitHub Codespaces?
https://www.trendmicro.com/en_us/research/23/a/abusing-github-codespaces-for-malware-delivery.html
Threats:
Typosquatting_technique
IOCs:
File: 1
Softs:
visual studio code, docker
Languages:
ruby, javascript, python
Links:
https://docs.github.com/en/codespaces/customizing-your-codespace/configuring-automatic-deletion-of-your-codespaces
https://cli.github.com/
https://docs.github.com/en/codespaces/overview
https://github.com/adititli/adititli
https://docs.github.com/en/codespaces/codespaces-reference/security-in-github-codespaces
Trend Micro
Proof of Concept (POC): We investigate one of the GitHub Codespaces’ real-time code development and collaboration features that attackers can abuse for cloud-based trusted malware delivery. Once exploited, malicious actors can abuse legitimate GitHub accounts…
#ParsedReport
16-01-2023
APTMuddyWater. APT organization Muddywater analysis
https://mp.weixin.qq.com/s/aYB7W_elO4FHPUtKrUtzHQ
Actors/Campaigns:
Muddywater (motivation: cyber_espionage)
Unc3313
Threats:
Stuxnet
Ransomware.2
Mimikatz_tool
Powgoop
Starwhale
Powerstats
Disttrack
Syncro_tool
Uac_bypass_technique
Industry:
Government, Financial, Healthcare, Energy
Geo:
Israeli, Iranian, Emirates, Iran, Turkish, Iraq, Africa, Azerbaijan, Israel, Pakistan, Asia, Turkey
TTPs:
Tactics: 5
Technics: 56
IOCs:
File: 19
Hash: 30
IP: 16
Languages:
javascript, python, visual_basic
Weixin Official Accounts Platform
Analysis of the APT group MuddyWater
The MuddyWater group has been active in the Middle East since late 2017; its main modes of attack are cyber-espionage operations and intellectual-property theft. Backed by an arsenal of known vulnerabilities and a large toolset, MuddyWater has been able to compromise critical-sector organizations in as many as 21 countries. The group deserves attention and vigilance from all parties.