#ParsedReport
13-01-2023
ASEC Weekly Malware Statistics (January 2nd, 2023 – January 8th, 2023)
https://asec.ahnlab.com/en/45636
Threats:
Beamwinhttp_loader
Garbage_cleaner
Smokeloader
Agent_tesla
Formbook
Mallox
Clipboard_grabbing_technique
Industry:
Financial
Geo:
Korea
IOCs:
IP: 3
Domain: 9
File: 9
Email: 2
Url: 12
Softs:
telegram, ms-sql
ASEC
ASEC Weekly Malware Statistics (January 2nd, 2023 – January 8th, 2023) - ASEC
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 2nd, 2023 (Monday) to January 8th, 2023 (Sunday). For the main category, downloader…
#ParsedReport
15-01-2023
Supply Chain Attack Using Identical PyPI Packages, colorslib, httpslib, and libhttps
https://www.fortinet.com/blog/threat-research/supply-chain-attack-using-identical-pypi-packages-colorslib-httpslib-libhttps
IOCs:
Url: 1
Hash: 3
File: 4
Path: 2
Languages:
python
Fortinet Blog
Supply Chain Attack Using Identical PyPI Packages, “colorslib”, “httpslib”, and “libhttps”
The FortiGuard Labs team discovered an attack embedded in three PyPI packages called ‘colorslib’, ‘httpslib’, and “libhttps”. Read our blog to learn more.…
#ParsedReport
15-01-2023
Cisco Talos Intelligence Blog. Threat Round up for January 6 to January 13
https://blog.talosintelligence.com/threat-roundup-0106-0113
Threats:
Lokibot_stealer
Upatre
Vobfus
Remcos_rat
Adwind_rat
Hawkeye_keylogger
Trickbot
Darkcomet_rat
Shiz
Industry:
Financial
IOCs:
File: 2
Domain: 58
Path: 36
Hash: 199
IP: 56
Email: 23
Softs:
microsoft office, directx
Cisco Talos Blog
Threat Round up for January 6 to January 13
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 6 and Jan. 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting…
#ParsedReport
15-01-2023
QakBot Malware Used Unpatched Vulnerability to Bypass Windows OS Security Feature
https://blog.eclecticiq.com/qakbot-malware-used-unpatched-vulnerability-to-bypass-windows-os-security-feature
Threats:
Qakbot
Motw_bypass_technique
Lotl_technique
Lolbin_technique
Lolbas_technique
Blackbasta
Process_injection_technique
Process_hollowing_technique
Emotet
Industry:
Government, Financial
Geo:
Russia, Ukraine
CVEs:
CVE-2022-41049 [Vulners]
Vulners: Score: Unknown, CVSS: 2.4,
Vulners: Exploitation: True
X-Force: Risk: 5.4
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, -)
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 20h2, 21h1, 21h2, 22h2, 1809)
- microsoft windows 8.1 (-, -)
- microsoft windows server 2016 (-)
have more...
CVE-2022-44698 [Vulners]
Vulners: Score: Unknown, CVSS: 2.1,
Vulners: Exploitation: True
X-Force: Risk: 5.4
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (1607, 1809, 20h2, 21h1, 21h2, 22h2)
- microsoft windows server 2016 (-)
- microsoft windows server 2019 (-)
- microsoft windows server 2022 (-)
- microsoft windows 11 (-, -)
have more...
CVE-2022-41091 [Vulners]
Vulners: Score: Unknown, CVSS: 2.4,
Vulners: Exploitation: True
X-Force: Risk: 5.4
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (1607, -, 1809, 20h2, 21h1, 21h2, 22h2)
- microsoft windows server 2016 (-)
- microsoft windows server 2019 (-)
- microsoft windows server 2022 (-, -)
- microsoft windows 11 (-, -, 22h2, 22h2)
have more...
TTPs:
IOCs:
File: 6
Hash: 4
Softs:
windows defender smartscreen, windows security, microsoft office, windows error reporting
Algorithms:
xor, crc-32, rc4, zip, base64
Languages:
javascript
YARA: Found
Eclecticiq
QakBot Malware Bypass Windows Security Using Unpatched Vulnerability
QakBot phishing bypasses Mark-of-the-Web security and installs harmful software.
#ParsedReport
15-01-2023
ASEC Weekly Phishing Email Threat Trend (20230101 ~ 20230107)
https://asec.ahnlab.com/ko/45597
Threats:
Agent_tesla
Formbook
Remcos_rat
Motw_bypass_technique
Industry:
Financial
Geo:
Korean
TTPs:
IOCs:
File: 21
Url: 4
Algorithms:
zip
Links:
https://github.com/nmantani/archiver-MOTW-support-comparison
ASEC BLOG
ASEC Weekly Phishing Email Threat Trend (20230101 ~ 20230107) - ASEC BLOG
Contents: Phishing email threat types; Attachment file extensions; Distribution cases; Case: fake login page (FakePage); Case: malware (Infostealer, Downloader, etc.); Keyword to watch out for: 'RAR'; Fake page (FakePage) C2 addresses; Preventing phishing email attacks. The ASEC analysis team monitors phishing email threats using its automatic sample analysis system (RAPIT) and honeypots. This post covers the phishing… identified over the week from January 1 to January 7, 2023.
#technique
Explorer persistence technique: hijacking the cscapi.dll DLL search order by writing a malicious DLL to C:\Windows\cscapi.dll; when it is loaded into the explorer process, the malicious code executes. The persistence is triggered each time the explorer process is run.
https://github.com/D1rkMtr/ExplorerPersist
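Hunting note for the technique above, as an added example that is not part of the ExplorerPersist repository: the legitimate cscapi.dll ships in C:\Windows\System32 (and SysWOW64 on 64-bit hosts), so explorer.exe loading a cscapi.dll from C:\Windows itself, or from any other directory, is the hijack. The script below parses Sysmon ImageLoad (Event ID 7) records in the XML shape Event Viewer exports and flags such loads; the sample records are constructed for the demonstration, not real telemetry, and the live-host check only does anything on Windows.

```python
"""Hunt for the cscapi.dll search-order hijack in Sysmon ImageLoad (Event ID 7) events.

Added example, not part of the ExplorerPersist repository. The legitimate
cscapi.dll lives in C:\\Windows\\System32 (and SysWOW64 on 64-bit hosts);
a copy in C:\\Windows itself is never expected, and explorer.exe loading it
from there is the persistence described above.
"""
import ntpath
import os
import xml.etree.ElementTree as ET

TARGET_DLL = "cscapi.dll"
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
UNEXPECTED_COPY = r"C:\Windows\cscapi.dll"


def _local(tag: str) -> str:
    """Strip the XML namespace Event Viewer puts on every element."""
    return tag.rsplit("}", 1)[-1]


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten a Sysmon event XML record into {field: value}, plus 'EventID'."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "EventID":
            fields["EventID"] = int(el.text)
        elif name == "Data" and el.get("Name"):
            fields[el.get("Name")] = (el.text or "").strip()
    return fields


def is_hijacked_load(image: str, image_loaded: str) -> bool:
    """True when explorer.exe loads cscapi.dll from outside the system directories."""
    if ntpath.basename(image).lower() != "explorer.exe":
        return False
    if ntpath.basename(image_loaded).lower() != TARGET_DLL:
        return False
    return ntpath.dirname(image_loaded).lower() not in EXPECTED_DIRS


def find_hijacks(events: list) -> list:
    """Return the parsed ImageLoad events that match the hijack pattern."""
    return [
        e for e in events
        if e.get("EventID") == 7
        and is_hijacked_load(e.get("Image", ""), e.get("ImageLoaded", ""))
    ]


def rogue_copy_present() -> bool:
    """Live host check (Windows only): does the unexpected C:\\Windows\\cscapi.dll exist?"""
    return os.name == "nt" and os.path.exists(UNEXPECTED_COPY)


# Constructed sample records (not real telemetry); layout follows Event Viewer's XML view.
_NS = 'xmlns="http://schemas.microsoft.com/win/2004/08/events/event"'


def _event(eid: int, image: str, loaded: str, signed: str) -> str:
    return (
        f"<Event {_NS}><System><EventID>{eid}</EventID></System><EventData>"
        f'<Data Name="Image">{image}</Data><Data Name="ImageLoaded">{loaded}</Data>'
        f'<Data Name="Signed">{signed}</Data></EventData></Event>'
    )


SAMPLE_XML = [
    _event(7, r"C:\Windows\explorer.exe", r"C:\Windows\System32\cscapi.dll", "true"),        # benign
    _event(7, r"C:\Windows\explorer.exe", r"C:\Windows\cscapi.dll", "false"),                # hijack
    _event(7, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\ntdll.dll", "true"),  # unrelated
    _event(1, r"C:\Windows\explorer.exe", "", ""),                                           # not an ImageLoad
]


def hunt(xml_records: list = SAMPLE_XML) -> list:
    """Parse the records and return only the hijack hits."""
    return find_hijacks([parse_sysmon_event(x) for x in xml_records])


if __name__ == "__main__":
    for hit in hunt():
        print(f"HIJACK  {hit['Image']} loaded {hit['ImageLoaded']} (Signed={hit['Signed']})")
    if rogue_copy_present():
        print(f"ALERT   {UNEXPECTED_COPY} exists on this host")
```

The path check is deliberately an allow-list of the two system directories rather than a block-list of C:\Windows, so a copy planted anywhere else (a user profile, a share) is caught as well; the Signed field is carried through because a legitimate cscapi.dll is Microsoft-signed and the planted one will not be.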
#ParsedReport
16-01-2023
Decrypted: BianLian Ransomware
https://decoded.avast.io/threatresearch/decrypted-bianlian-ransomware/?utm_source=rss&utm_medium=rss&utm_campaign=decrypted-bianlian-ransomware
Threats:
Hydra
Industry:
Healthcare, Entertainment
IOCs:
File: 2
Command: 1
Path: 3
Hash: 7
Softs:
windows explorer
Algorithms:
cbc, aes, aes-256
Avast Threat Labs
Decrypted: BianLian Ransomware - Avast Threat Labs
The team at Avast has developed a decryptor for the BianLian ransomware and released it for public download. The BianLian ransomware emerged in August 2022, performing targeted attacks in various industries, such as the media and entertainment, manufacturing…
#ParsedReport
16-01-2023
Attackers Infected a CircleCI Employee with Malware to Steal Customer Session Tokens
https://socradar.io/attackers-infected-a-circleci-employee-with-malware-to-steal-customer-session-tokens
Geo:
Quebec
IOCs:
IP: 8
File: 1
Domain: 1
SOCRadar® Cyber Intelligence Inc.
Attackers Infected a CircleCI Employee with Malware to Steal Customer Session Tokens
Software provider CircleCI confirmed that a data breach in December resulted in the theft of some of its customers' sensitive information.
#ParsedReport
16-01-2023
Gotta Catch 'Em All | Understanding the NetSupport RAT Campaigns Hiding Behind Pokemon Lures
https://www.sentinelone.com/blog/gotta-catch-em-all-understanding-the-netsupport-rat-campaigns-hiding-behind-pokemon-lures
Threats:
Netsupportmanager_rat
Teamviewer_tool
Andromeda
Nanocore_rat
Cirenegrat
Meteor_wiper
Ragnarlocker
Maze
Babadeda
Industry:
E-commerce, Financial
TTPs:
Tactics: 1
Technics: 13
IOCs:
File: 6
Hash: 16
Domain: 1
Softs:
google chrome
Algorithms:
base64
Win API:
GetAdaptersAddresses, IsDebuggerPresent, EnumProcesses
Platforms:
x86
SentinelOne
Gotta Catch ‘Em All | Understanding the NetSupport RAT Campaigns Hiding Behind Pokemon Lures
🧐 Understand the NetSupport RAT campaigns hiding behind #Pokemon lures. #NetSupport RAT is a remote access tool used for exploitation. Stay informed & protected with the latest campaign details & SentinelOne.
#ParsedReport
16-01-2023
APT Bitter. Analysis of an Instance of the Bitter APT Group's Cyber-Espionage Attack Activity
https://mp.weixin.qq.com/s/7Q2nulqLsofjSftbWQt2kA
Actors/Campaigns:
Bitter
Manling_flower
Threats:
Disttrack
Industry:
Energy, Government
Geo:
China, Pakistan, Asian, Bangladesh
CVEs:
CVE-2018-0798 [Vulners]
Vulners: Score: 9.3, CVSS: 3.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2010, 2016, 2016, 2007, 2013)
- microsoft word (2013, 2016, 2007, 2010, 2013)
- microsoft office compatibility pack (-)
IOCs:
File: 10
Command: 1
Email: 1
Softs:
burpsuite, wechat
Algorithms:
xor
Weixin Official Accounts Platform
Analysis of an Instance of the APT Group Bitter's Cyber-Espionage Attack Activity
Recently, Zhongfu Information threat researchers analyzed a recent attack campaign by this group targeting Bangladeshi military institutions.
#ParsedReport
16-01-2023
Abusing a GitHub Codespaces Feature For Malware Delivery. What is GitHub Codespaces?
https://www.trendmicro.com/en_us/research/23/a/abusing-github-codespaces-for-malware-delivery.html
Threats:
Typosquatting_technique
IOCs:
File: 1
Softs:
visual studio code, docker
Languages:
ruby, javascript, python
Links:
https://docs.github.com/en/codespaces/customizing-your-codespace/configuring-automatic-deletion-of-your-codespaces
https://cli.github.com/
https://docs.github.com/en/codespaces/overview
https://github.com/adititli/adititli
https://docs.github.com/en/codespaces/codespaces-reference/security-in-github-codespaces
Trend Micro
Abusing a GitHub Codespaces Feature For Malware Delivery
Proof of Concept (POC): We investigate one of the GitHub Codespaces’ real-time code development and collaboration features that attackers can abuse for cloud-based trusted malware delivery. Once exploited, malicious actors can abuse legitimate GitHub accounts…
#ParsedReport
16-01-2023
APT MuddyWater. Analysis of the MuddyWater APT Group
https://mp.weixin.qq.com/s/aYB7W_elO4FHPUtKrUtzHQ
Actors/Campaigns:
Muddywater (motivation: cyber_espionage)
Unc3313
Threats:
Stuxnet
Ransomware.2
Mimikatz_tool
Powgoop
Starwhale
Powerstats
Disttrack
Syncro_tool
Uac_bypass_technique
Industry:
Government, Financial, Healthcare, Energy
Geo:
Israeli, Iranian, Emirates, Iran, Turkish, Iraq, Africa, Azerbaijan, Israel, Pakistan, Asia, Turkey
TTPs:
Tactics: 5
Technics: 56
IOCs:
File: 19
Hash: 30
IP: 16
Languages:
javascript, python, visual_basic
Weixin Official Accounts Platform
Analysis of the APT Group MuddyWater
The MuddyWater group has been active in the Middle East since late 2017; its main attack patterns are cyber-espionage operations and intellectual-property theft. Backed by an arsenal made up of assorted known vulnerabilities and a large set of tools, MuddyWater has been able to compromise organizations in critical sectors in as many as 21 countries. The group warrants attention and vigilance from all parties.
#ParsedReport
16-01-2023
Kimsuky Group Conducting Kakao Phishing Attack (Malware Analysis Report, 2023-01-13)
https://blog.alyac.co.kr/5043
Actors/Campaigns:
Kimsuky
Threats:
Asyncrat_rat
Geo:
Korea, Korean
IOCs:
File: 1
Url: 1
Softs:
onenote
ESTsecurity ALYac Blog
Kimsuky Group Conducting Kakao Phishing Attack
Hello, this is the ESTsecurity Security Response Center (ESRC). A password-theft attack delivered through password-change emails has been detected, and users need to take special care. The phishing email found this time was distributed under the subject '[Urgent] Please change your password right now.' and impersonates Daum Mail, a service that has since been discontinued. The email body claims that the recipient's account information is suspected of having been stolen, urges a password change, and includes a hyperlink. As for the sender, the attacker…
#ParsedReport
17-01-2023
Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers)
https://asec.ahnlab.com/en/45658
Actors/Campaigns:
Kimsuky
Geo:
Korea, Chinese, Korean
IOCs:
IP: 1
Hash: 6
Url: 6
Softs:
task scheduler
ASEC
Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers) - ASEC
On January 8th, the ASEC analysis team identified the distribution of a document-type malware targeting workers in the security field. The obtained malware uses an external object within a Word document to execute an additional malicious macro. Such a technique…
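The post above describes a Word lure that reaches out to an external object to pull in the macro that does the actual work. The scanner below, an added example that is not ASEC's code, shows the artefact a practitioner would triage for: in an OOXML document (.docx/.docm, an assumption, since the post does not name the file format) any external object, template or OLE link is wired in through a relationship whose TargetMode is "External" in one of the word/_rels/*.rels parts. The function flags every such relationship except plain hyperlinks, and also reports whether the package itself carries a vbaProject.bin. The sample package, the TEST-NET address and the file name in it are constructed for the demonstration.

```python
"""Flag external-object relationships (and an embedded VBA project) in an OOXML Word file.

Added example, not from the ASEC post. Assumes the lure is an OOXML package
(.docx/.docm): an external object, template or OLE link is attached through a
relationship with TargetMode="External" in a word/_rels/*.rels part.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

# Relationship types whose external targets are normal in ordinary documents.
BENIGN_EXTERNAL_TYPES = {"hyperlink"}


def _local(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def scan_docx(data: bytes) -> dict:
    """Return {'external': [...], 'has_macro': bool} for the OOXML package in `data`."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for part in sorted(names):
            if not (part.startswith("word/") and part.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter():
                if _local(rel.tag) != "Relationship":
                    continue
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                if rel_type in BENIGN_EXTERNAL_TYPES:
                    continue
                findings.append({
                    "part": part,
                    "id": rel.get("Id"),
                    "type": rel_type,
                    "target": rel.get("Target"),
                })
        has_macro = "word/vbaProject.bin" in names
    return {"external": findings, "has_macro": has_macro}


_RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def build_sample_docx(external_target: str = "", with_macro: bool = False) -> bytes:
    """Constructed minimal package for the demonstration; not a real lure."""
    rels = [
        f'<Relationship Id="rId1" Type="{_REL_TYPE}styles" Target="styles.xml"/>',
        f'<Relationship Id="rId2" Type="{_REL_TYPE}hyperlink" '
        f'Target="https://example.invalid/" TargetMode="External"/>',
    ]
    if external_target:
        rels.append(
            f'<Relationship Id="rId3" Type="{_REL_TYPE}oleObject" '
            f'Target="{external_target}" TargetMode="External"/>'
        )
    rels_xml = f'<Relationships xmlns="{_RELS_NS}">{"".join(rels)}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/styles.xml", "<styles/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE2 magic only
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed external target: TEST-NET-3 address and an invented file name.
    report = scan_docx(build_sample_docx("http://203.0.113.5/update.dotm", with_macro=True))
    for f in report["external"]:
        print(f"EXTERNAL {f['type']:<12} {f['target']}  ({f['part']} {f['id']})")
    print("embedded VBA project:", report["has_macro"])
```

A lure built this way may contain no vbaProject.bin at all, because the macro lives in the fetched object; that is why the external relationship, not the macro flag, is the primary signal here, and why an external target with an http(s) or UNC scheme deserves the same treatment as a macro-bearing attachment.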
#ParsedReport
17-01-2023
ASEC Weekly Phishing Email Threat Trends (January 1st, 2023 – January 7th, 2023)
https://asec.ahnlab.com/en/45693
Threats:
Agent_tesla
Formbook
Remcos_rat
Motw_bypass_technique
Industry:
Financial
Geo:
Korean
TTPs:
IOCs:
File: 15
Url: 4
Algorithms:
zip
Links:
https://github.com/nmantani/archiver-MOTW-support-comparison
ASEC BLOG
ASEC Weekly Phishing Email Threat Trends (January 1st, 2023 – January 7th, 2023) - ASEC BLOG
Contents: Phishing Emails; File Extensions in Phishing Emails; Cases of Distribution; Case: FakePage; Case: Malware (Infostealer, Downloader, etc.); Keywords to Beware of: 'RAR'; FakePage C2 URL; Preventing Phishing Email Attacks. The ASEC analysis team monitors phishing…
#ParsedReport
17-01-2023
Phishing Web Server Identified Through an Impostor National Tax Service Email
https://asec.ahnlab.com/en/45669
ASEC
Phishing Web Server Identified Through an Impostor National Tax Service Email - ASEC
The ASEC analysis team recently discovered that a phishing email impersonating the National Tax Service was being distributed. This phishing email emphasizes the urgency of the company email password expiring on the same day, and it is being sent with a message…
#ParsedReport
17-01-2023
Earth Bogle: Campaigns Target the Middle East with Geopolitical Lures
https://www.trendmicro.com/en_us/research/23/a/earth-bogle-campaigns-target-middle-east-with-geopolitical-lures.html
Actors/Campaigns:
Earth_bogle
Threats:
Njrat
Powload
Powexec
Industry:
Government
Geo:
Africa
IOCs:
Hash: 21
Domain: 2
File: 4
Path: 2
Url: 7
Softs:
discord
Trend Micro
Earth Bogle: Campaigns Target the Middle East with Geopolitical Lures
We discovered an active campaign ongoing since at least mid-2022 which uses Middle Eastern geopolitical-themed lures to distribute NjRAT (also known as Bladabindi) to infect victims across the Middle East and North Africa.
#ParsedReport
17-01-2023
A Phishing Page That Changes According to the User's Mail Address (Using the Favicon)
https://asec.ahnlab.com/ko/45861
IOCs:
File: 5
Url: 1
Languages:
php
ASEC
A Phishing Page That Changes According to the User's Mail Address (Using the Favicon) - ASEC
The ASEC analysis team continuously monitors phishing emails. Among the many phishing emails being identified, we confirmed one in distribution whose page switches to the icon of whichever mail service the account address entered by the user belongs to. The email, distributed on January 16, 2023 (yesterday), warns that the account is being terminated and urges the user to click the 'Reactivate now' link if reactivation is needed. Through the linked phishing page, users' email […]
#ParsedReport
17-01-2023
Coin Miner Attack Case Mining Ethereum Classic Coin
https://asec.ahnlab.com/ko/45794
Threats:
Lolminer
Gminer
Nbiner
Phoenixminer
Quasar_rat
Clipbanker
Nbminer
Tron
Vidar_stealer
Malware/win32.rl_generic.c4124695
Trojan/win.hpgen.r534371
Trojan/win.generic.r533377
Trojan/win.hpgen.r532433
Malware/mdp.behavior.m2318
Industry:
Financial
Geo:
Polish
IOCs:
File: 20
Path: 2
Coin: 7
Hash: 12
Url: 21
IP: 1
Softs:
discord, windows defender, task scheduler, curl, telegram, mastodon
ASEC BLOG
Coin Miner Attack Case Mining Ethereum Classic Coin - ASEC BLOG
Contents: 0. Overview; 1. Ethereum coin miner attack cases; 1.1. Distribution via Discord; 1.2. Attack disguised as the dnSpy tool; 2. Ethereum Classic coin miner attack case; 2.1. The shift to Ethereum Classic; A. Ethereum Classic coin miner; B. ClipBanker; C. Quasar RAT; D. Vidar InfoStealer; 3. Conclusion. The ASEC analysis team monitors coin miner malware being distributed against targets in Korea and abroad, and in the past has published numerous blog posts…
#ParsedReport
17-01-2023
Kasablanka Group Probably Conducted Compaigns Targeting Russia
https://ti.qianxin.com/blog/articles/Kasablanka-Group-Probably-Conducted-Compaigns-Targeting-Russia
Actors/Campaigns:
Kasablanka (motivation: cyber_espionage)
Lazarus
Blindeagle
Confucius
Bitter
Threats:
Avemaria_rat
Lodarat
Motw_bypass_technique
Industry:
Government
Geo:
Kyrgyzstan, Ukraine, Russian, America, Turkey, Bangladesh, Morocco, Russia
IOCs:
IP: 6
File: 5
Path: 1
Hash: 22
Softs:
android, windows firewall, winscp, pyinstaller
Algorithms:
base64, zip
Languages:
autoit
Qianxin
QiAnXin Threat Intelligence Center
#ParsedReport
17-01-2023
Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks. Indicators of Compromise (IOCs)
https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html
Actors/Campaigns:
Water_minyades
Threats:
Batloader
Qakbot
Raccoon_stealer
Bumblebee_loader
Pyarmor_tool
Trojan.win32.frs.vsnw1dk22
Cobalt_strike
Atera_tool
Beacon
Royal_ransomware
Gozi
Vidar_stealer
Redline_stealer
Z_loader
Smokeloader
Syncro_tool
Nsudo_tool
Gpg4win_tool
Rig_tool
Anydesk_tool
Logmein_tool
Putty_tool
Teamviewer_tool
Polyglot
Nircmd_tool
Bumblebee
Geo:
Germany, Poland, Netherlands, Canada, Australia, Japan, Brazil, Singapore
IOCs:
Domain: 17
Hash: 14
File: 12
Softs:
windows installer, windows defender, internet explorer, audacity, foxit, grammarly, kmsauto, minersoft, slack, tradingview, have more...
Algorithms:
zip
Functions:
GetNotes
Languages:
java, python, javascript
Links:
https://github.com/Svenskithesource/PyArmor-Unpacker
Trend Micro
Batloader Malware Abuses Legitimate Tools Uses Obfuscated JavaScript Files in Q4 2022 Attacks
We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events (This is the intrusion set we track behind the creation of Batloader).