#ParsedReport
16-01-2023
APTBitter. APT organization Bitter network spy attack activity instance analysis
https://mp.weixin.qq.com/s/7Q2nulqLsofjSftbWQt2kA
Actors/Campaigns:
Bitter
Manling_flower
Threats:
Disttrack
Industry:
Energy, Government
Geo:
China, Pakistan, Asian, Bangladesh
CVEs:
CVE-2018-0798 [Vulners]
Vulners: Score: 9.3, CVSS: 3.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2010, 2016, 2016, 2007, 2013)
- microsoft word (2013, 2016, 2007, 2010, 2013)
- microsoft office compatibility pack (-)
IOCs:
File: 10
Command: 1
Email: 1
Softs:
burpsuite, wechat
Algorithms:
xor
16-01-2023
APTBitter. APT organization Bitter network spy attack activity instance analysis
https://mp.weixin.qq.com/s/7Q2nulqLsofjSftbWQt2kA
Actors/Campaigns:
Bitter
Manling_flower
Threats:
Disttrack
Industry:
Energy, Government
Geo:
China, Pakistan, Asian, Bangladesh
CVEs:
CVE-2018-0798 [Vulners]
Vulners: Score: 9.3, CVSS: 3.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2010, 2016, 2016, 2007, 2013)
- microsoft word (2013, 2016, 2007, 2010, 2013)
- microsoft office compatibility pack (-)
IOCs:
File: 10
Command: 1
Email: 1
Softs:
burpsuite, wechat
Algorithms:
xor
Weixin Official Accounts Platform
APT组织Bitter网络间谍攻击活动实例分析
近日,中孚信息威胁研究人员分析了该组织近期一次针对孟加拉国军事机构的攻击活动。
#ParsedReport
16-01-2023
Abusing a GitHub Codespaces Feature For Malware Delivery. What is GitHub Codespaces?
https://www.trendmicro.com/en_us/research/23/a/abusing-github-codespaces-for-malware-delivery.html
Threats:
Typosquatting_technique
IOCs:
File: 1
Softs:
visual studio code, docker
Languages:
ruby, javascript, python
Links:
16-01-2023
Abusing a GitHub Codespaces Feature For Malware Delivery. What is GitHub Codespaces?
https://www.trendmicro.com/en_us/research/23/a/abusing-github-codespaces-for-malware-delivery.html
Threats:
Typosquatting_technique
IOCs:
File: 1
Softs:
visual studio code, docker
Languages:
ruby, javascript, python
Links:
https://docs.github.com/en/codespaces/customizing-your-codespace/configuring-automatic-deletion-of-your-codespaceshttps://cli.github.com/https://docs.github.com/en/codespaces/overviewhttps://github.com/adititli/adititlihttps://docs.github.com/en/codespaces/codespaces-reference/security-in-github-codespacesTrend Micro
Abusing a GitHub Codespaces Feature For Malware Delivery
Proof of Concept (POC): We investigate one of the GitHub Codespaces’ real-time code development and collaboration features that attackers can abuse for cloud-based trusted malware delivery. Once exploited, malicious actors can abuse legitimate GitHub accounts…
#ParsedReport
16-01-2023
APTMuddyWater. APT organization Muddywater analysis
https://mp.weixin.qq.com/s/aYB7W_elO4FHPUtKrUtzHQ
Actors/Campaigns:
Muddywater (motivation: cyber_espionage)
Unc3313
Threats:
Stuxnet
Ransomware.2
Mimikatz_tool
Powgoop
Starwhale
Powerstats
Disttrack
Syncro_tool
Uac_bypass_technique
Industry:
Government, Financial, Healthcare, Energy
Geo:
Israeli, Iranian, Emirates, Iran, Turkish, Iraq, Africa, Azerbaijan, Israel, Pakistan, Asia, Turkey
TTPs:
Tactics: 5
Technics: 56
IOCs:
File: 19
Hash: 30
IP: 16
Languages:
javascript, python, visual_basic
16-01-2023
APTMuddyWater. APT organization Muddywater analysis
https://mp.weixin.qq.com/s/aYB7W_elO4FHPUtKrUtzHQ
Actors/Campaigns:
Muddywater (motivation: cyber_espionage)
Unc3313
Threats:
Stuxnet
Ransomware.2
Mimikatz_tool
Powgoop
Starwhale
Powerstats
Disttrack
Syncro_tool
Uac_bypass_technique
Industry:
Government, Financial, Healthcare, Energy
Geo:
Israeli, Iranian, Emirates, Iran, Turkish, Iraq, Africa, Azerbaijan, Israel, Pakistan, Asia, Turkey
TTPs:
Tactics: 5
Technics: 56
IOCs:
File: 19
Hash: 30
IP: 16
Languages:
javascript, python, visual_basic
Weixin Official Accounts Platform
APT组织MuddyWater分析
MuddyWater组织自2017年底以来一直活跃于中东地区,其主要的攻击模式为网络间谍行动和知识产权窃取攻击。基于由各类已知漏洞和大量工具组成的武器库,MuddyWater能够入侵多达21个国家的关键领域机构。该组织值得各方关注与警惕。
#ParsedReport
16-01-2023
(Kimsuky), by 4 2023. 1. 13. 14:28. Text title Kimsuky organization, Kakao phishing attackMalware Analysis Report
https://blog.alyac.co.kr/5043
Actors/Campaigns:
Kimsuky
Threats:
Asyncrat_rat
Geo:
Korea, Korean
IOCs:
File: 1
Url: 1
Softs:
onenote
16-01-2023
(Kimsuky), by 4 2023. 1. 13. 14:28. Text title Kimsuky organization, Kakao phishing attackMalware Analysis Report
https://blog.alyac.co.kr/5043
Actors/Campaigns:
Kimsuky
Threats:
Asyncrat_rat
Geo:
Korea, Korean
IOCs:
File: 1
Url: 1
Softs:
onenote
이스트시큐리티 알약 블로그
김수키(Kimsuky)조직, 카카오 피싱 공격 진행 중
안녕하세요? 이스트시큐리티 시큐리티대응센터(이하 ESRC)입니다. 비밀번호 변경 메일을 통한 비밀번호 탈취 공격이 포착되어 사용자들의 각별한 주의가 필요합니다. 이번에 발견된 피싱 메일은 '[긴급] 지금 바로 비밀번호를 변경해 주세요.'제목으로 유포되었으며, 현재는 서비스가 종료된 다음 이메일을 위장하고 있습니다. 이메일 본문에는, 수신자의 계정정보 도용이 의심된다며 비밀번호 변경을 유도하는 내용과 함께 하이퍼링크가 포함되어 있습니다. 공격자는 발신자…
#ParsedReport
17-01-2023
Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers)
https://asec.ahnlab.com/en/45658
Actors/Campaigns:
Kimsuky
Geo:
Korea, Chinese, Korean
IOCs:
IP: 1
Hash: 6
Url: 6
Softs:
task scheduler
17-01-2023
Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers)
https://asec.ahnlab.com/en/45658
Actors/Campaigns:
Kimsuky
Geo:
Korea, Chinese, Korean
IOCs:
IP: 1
Hash: 6
Url: 6
Softs:
task scheduler
ASEC
Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers) - ASEC
On January 8th, the ASEC analysis team identified the distribution of a document-type malware targeting workers in the security field. The obtained malware uses an external object within a Word document to execute an additional malicious macro. Such a technique…
#ParsedReport
17-01-2023
ASEC Weekly Phishing Email Threat Trends (January 1st, 2023 January 7th, 2023)
https://asec.ahnlab.com/en/45693
Threats:
Agent_tesla
Formbook
Remcos_rat
Motw_bypass_technique
Industry:
Financial
Geo:
Korean
TTPs:
IOCs:
File: 15
Url: 4
Algorithms:
zip
Links:
17-01-2023
ASEC Weekly Phishing Email Threat Trends (January 1st, 2023 January 7th, 2023)
https://asec.ahnlab.com/en/45693
Threats:
Agent_tesla
Formbook
Remcos_rat
Motw_bypass_technique
Industry:
Financial
Geo:
Korean
TTPs:
IOCs:
File: 15
Url: 4
Algorithms:
zip
Links:
https://github.com/nmantani/archiver-MOTW-support-comparisonASEC BLOG
ASEC Weekly Phishing Email Threat Trends (January 1st, 2023 – January 7th, 2023) - ASEC BLOG
ContentsPhishing EmailsFile Extensions in Phishing EmailsCases of DistributionCase: FakePageCase: Malware (Infostealer, Downloader, etc.)Keywords to Beware of: ‘RAR’ FakePage C2 URLPreventing Phishing Email Attacks The ASEC analysis team monitors phishing…
#ParsedReport
17-01-2023
Phishing Web Server Identified Through an Impostor National Tax Service Email
https://asec.ahnlab.com/en/45669
17-01-2023
Phishing Web Server Identified Through an Impostor National Tax Service Email
https://asec.ahnlab.com/en/45669
ASEC
Phishing Web Server Identified Through an Impostor National Tax Service Email - ASEC
The ASEC analysis team recently discovered that a phishing email impersonating the National Tax Service was being distributed. This phishing email emphasizes the urgency of the company email password expiring on the same day, and it is being sent with a message…
#ParsedReport
17-01-2023
Earth Bogle: Campaigns Target the Middle East with Geopolitical Lures
https://www.trendmicro.com/en_us/research/23/a/earth-bogle-campaigns-target-middle-east-with-geopolitical-lures.html
Actors/Campaigns:
Earth_bogle
Threats:
Njrat
Powload
Powexec
Industry:
Government
Geo:
Africa
IOCs:
Hash: 21
Domain: 2
File: 4
Path: 2
Url: 7
Softs:
discord
17-01-2023
Earth Bogle: Campaigns Target the Middle East with Geopolitical Lures
https://www.trendmicro.com/en_us/research/23/a/earth-bogle-campaigns-target-middle-east-with-geopolitical-lures.html
Actors/Campaigns:
Earth_bogle
Threats:
Njrat
Powload
Powexec
Industry:
Government
Geo:
Africa
IOCs:
Hash: 21
Domain: 2
File: 4
Path: 2
Url: 7
Softs:
discord
Trend Micro
Earth Bogle: Campaigns Target the Middle East with Geopolitical Lures
We discovered an active campaign ongoing since at least mid-2022 which uses Middle Eastern geopolitical-themed lures to distribute NjRAT (also known as Bladabindi) to infect victims across the Middle East and North Africa.
#ParsedReport
17-01-2023
(favicon ). A phishing page that changes according to the user mail address (FAVICON)
https://asec.ahnlab.com/ko/45861
IOCs:
File: 5
Url: 1
Languages:
php
17-01-2023
(favicon ). A phishing page that changes according to the user mail address (FAVICON)
https://asec.ahnlab.com/ko/45861
IOCs:
File: 5
Url: 1
Languages:
php
ASEC
사용자 메일 주소에 따라 변경되는 피싱 페이지 (favicon 이용) - ASEC
ASEC 분석팀에서 지속적으로 피싱 메일에 대하여 모니터링을 수행하고 있다. 다수의 피싱 메일들이 확인되고 있는데, 사용자가 입력하는 본인 계정의 메일 서비스 종류에 따라 그에 해당하는 아이콘으로 변경되어 유포 중임을 확인하였다. 어제인 2023년 1월 16일 날짜로 유포된 메일로, 계정이 종료됨을 경고하며 다시 활성화가 필요할 시 ‘지금 재활성화하십시오‘ 링크를 클릭하도록 유도한다. 연결 된 피싱 페이지를 통해 사용자들의 이메일 […]
#ParsedReport
17-01-2023
. Coin minor attack case mining Ethereum Classic Coin
https://asec.ahnlab.com/ko/45794
Threats:
Lolminer
Gminer
Nbiner
Phoenixminer
Quasar_rat
Clipbanker
Nbminer
Tron
Vidar_stealer
Malware/win32.rl_generic.c4124695
Trojan/win.hpgen.r534371
Trojan/win.generic.r533377
Trojan/win.hpgen.r532433
Malware/mdp.behavior.m2318
Industry:
Financial
Geo:
Polish
IOCs:
File: 20
Path: 2
Coin: 7
Hash: 12
Url: 21
IP: 1
Softs:
discode, windows defender, task scheduler, curl, telegram, mastodon
17-01-2023
. Coin minor attack case mining Ethereum Classic Coin
https://asec.ahnlab.com/ko/45794
Threats:
Lolminer
Gminer
Nbiner
Phoenixminer
Quasar_rat
Clipbanker
Nbminer
Tron
Vidar_stealer
Malware/win32.rl_generic.c4124695
Trojan/win.hpgen.r534371
Trojan/win.generic.r533377
Trojan/win.hpgen.r532433
Malware/mdp.behavior.m2318
Industry:
Financial
Geo:
Polish
IOCs:
File: 20
Path: 2
Coin: 7
Hash: 12
Url: 21
IP: 1
Softs:
discode, windows defender, task scheduler, curl, telegram, mastodon
ASEC BLOG
이더리움 클래식 코인을 채굴하는 코인 마이너 공격 사례 - ASEC BLOG
Contents0. 개요1. 이더리움 코인 마이너 공격 사례1.1. 디스코드를 이용한 유포 사례1.2. dnSpy 툴을 위장한 공격 사례2. 이더리움 클래식 코인 마이너 공격 사례2.1. 이더리움 클래식으로의 변화A. 이더리움 클래식 코인 마이너B. ClipBankerC. Quasar RATD. Vidar InfoStealer3. 결론 ASEC 분석팀은 국내외를 대상으로 유포되고 있는 코인 마이너 악성코드들을 모니터링하고 있으며, 과거 다수의 블로그들을…
#ParsedReport
17-01-2023
Kasablanka Group Probably Conducted Compaigns Targeting Russia
https://ti.qianxin.com/blog/articles/Kasablanka-Group-Probably-Conducted-Compaigns-Targeting-Russia
Actors/Campaigns:
Kasablanka (motivation: cyber_espionage)
Lazarus
Blindeagle
Confucius
Bitter
Threats:
Avemaria_rat
Lodarat
Motw_bypass_technique
Industry:
Government
Geo:
Kyrgyzstan, Ukraine, Russian, America, Turkey, Bangladesh, Morocco, Russia
IOCs:
IP: 6
File: 5
Path: 1
Hash: 22
Softs:
android, windows firewall, winscp, pyinstaller
Algorithms:
base64, zip
Languages:
autoit
17-01-2023
Kasablanka Group Probably Conducted Compaigns Targeting Russia
https://ti.qianxin.com/blog/articles/Kasablanka-Group-Probably-Conducted-Compaigns-Targeting-Russia
Actors/Campaigns:
Kasablanka (motivation: cyber_espionage)
Lazarus
Blindeagle
Confucius
Bitter
Threats:
Avemaria_rat
Lodarat
Motw_bypass_technique
Industry:
Government
Geo:
Kyrgyzstan, Ukraine, Russian, America, Turkey, Bangladesh, Morocco, Russia
IOCs:
IP: 6
File: 5
Path: 1
Hash: 22
Softs:
android, windows firewall, winscp, pyinstaller
Algorithms:
base64, zip
Languages:
autoit
Qianxin
奇安信威胁情报中心
Nuxt.js project
#ParsedReport
17-01-2023
Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks. Indicators of Compromise (IOCs)
https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html
Actors/Campaigns:
Water_minyades
Threats:
Batloader
Qakbot
Raccoon_stealer
Bumblebee_loader
Pyarmor_tool
Trojan.win32.frs.vsnw1dk22
Cobalt_strike
Atera_tool
Beacon
Royal_ransomware
Gozi
Vidar_stealer
Redline_stealer
Z_loader
Smokeloader
Syncro_tool
Nsudo_tool
Gpg4win_tool
Rig_tool
Anydesk_tool
Logmein_tool
Putty_tool
Teamviewer_tool
Polyglot
Nircmd_tool
Bumblebee
Geo:
Germany, Poland, Netherlands, Canada, Australia, Japan, Brazil, Singapore
IOCs:
Domain: 17
Hash: 14
File: 12
Softs:
windows installer, windows defender, internet explorer, audacity, foxit, grammarly, kmsauto, minersoft, slack, tradingview, have more...
Algorithms:
zip
Functions:
GetNotes
Languages:
java, python, javascript
Links:
17-01-2023
Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks. Indicators of Compromise (IOCs)
https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html
Actors/Campaigns:
Water_minyades
Threats:
Batloader
Qakbot
Raccoon_stealer
Bumblebee_loader
Pyarmor_tool
Trojan.win32.frs.vsnw1dk22
Cobalt_strike
Atera_tool
Beacon
Royal_ransomware
Gozi
Vidar_stealer
Redline_stealer
Z_loader
Smokeloader
Syncro_tool
Nsudo_tool
Gpg4win_tool
Rig_tool
Anydesk_tool
Logmein_tool
Putty_tool
Teamviewer_tool
Polyglot
Nircmd_tool
Bumblebee
Geo:
Germany, Poland, Netherlands, Canada, Australia, Japan, Brazil, Singapore
IOCs:
Domain: 17
Hash: 14
File: 12
Softs:
windows installer, windows defender, internet explorer, audacity, foxit, grammarly, kmsauto, minersoft, slack, tradingview, have more...
Algorithms:
zip
Functions:
GetNotes
Languages:
java, python, javascript
Links:
https://github.com/Svenskithesource/PyArmor-UnpackerTrend Micro
Batloader Malware Abuses Legitimate Tools Uses Obfuscated JavaScript Files in Q4 2022 Attacks
We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events (This is the intrusion set we track behind the creation of Batloader).
#ParsedReport
18-01-2023
IcedID and Infostealers Spread Through Adverts Mimicking Popular Tools
https://threatresearch.ext.hp.com/adverts-mimicking-popular-software-leads-to-malware
Threats:
Icedid
Vidar_stealer
Batloader
Rhadamanthys
Typosquatting_technique
Icedid_loader
IOCs:
File: 4
Hash: 4
Url: 9
Domain: 95
Softs:
audacity, telegram, microsoft teams
Algorithms:
zip
18-01-2023
IcedID and Infostealers Spread Through Adverts Mimicking Popular Tools
https://threatresearch.ext.hp.com/adverts-mimicking-popular-software-leads-to-malware
Threats:
Icedid
Vidar_stealer
Batloader
Rhadamanthys
Typosquatting_technique
Icedid_loader
IOCs:
File: 4
Hash: 4
Url: 9
Domain: 95
Softs:
audacity, telegram, microsoft teams
Algorithms:
zip
HP Wolf Security
Fake Software Malvertising Spreads IcedID and Infostealers | HP Wolf Security
Don’t let cyber threats get the best of you. Read our post, Fake Software Malvertising Spreads IcedID and Infostealers, to learn more about cyber threats and cyber security.
#ParsedReport
18-01-2023
TZW. TZW ransomware domestic distribution
https://asec.ahnlab.com/ko/45706
Threats:
Tzw_ransomware
Majorcrypter
Darktortilla
Variantcrypter
Ransomware/win.generic.c5355494
Trojan/win.msilkrypt.c5020026
Trojan/win32.ransomcrypt.r343432
Malware/mdp.inject.m218
IOCs:
File: 13
Command: 1
Hash: 3
18-01-2023
TZW. TZW ransomware domestic distribution
https://asec.ahnlab.com/ko/45706
Threats:
Tzw_ransomware
Majorcrypter
Darktortilla
Variantcrypter
Ransomware/win.generic.c5355494
Trojan/win.msilkrypt.c5020026
Trojan/win32.ransomcrypt.r343432
Malware/mdp.inject.m218
IOCs:
File: 13
Command: 1
Hash: 3
ASEC BLOG
TZW 랜섬웨어 국내 유포 중 - ASEC BLOG
ASEC 분석팀은 최근 내부 모니터링을 통해, 파일 암호화 후 원본 확장자 이름에 “TZW” 확장자를 추가하는 TZW 랜섬웨어가 유포되는 것을 확인하였다. 해당 랜섬웨어는 버전 정보 상 “System Boot Info” 라고 명시하여 부트 정보 관련 프로그램인 것처럼 정상 파일로 위장하여 유포되고 있다. 닷넷 형태로 제작되었으며 내부에 로더와 실제 랜섬웨어 데이터를 포함한다. 로더를 통해 랜섬웨어 파일을 최종적으로 로드하여 실행하는 구조이다. 리소스 영역의…
#ParsedReport
18-01-2023
ASEC (20230109 \~ 20230115). ASEC Weekly Malware Statistics (20230109 \~ 20230115)
https://asec.ahnlab.com/ko/45876
Threats:
Smokeloader
Beamwinhttp_loader
Garbage_cleaner
Formbook
Clipboard_grabbing_technique
Agent_tesla
Azorult
Lokibot_stealer
Industry:
Financial, Transport
Geo:
Korea
IOCs:
File: 21
Url: 23
Domain: 3
Email: 5
Softs:
telegram
18-01-2023
ASEC (20230109 \~ 20230115). ASEC Weekly Malware Statistics (20230109 \~ 20230115)
https://asec.ahnlab.com/ko/45876
Threats:
Smokeloader
Beamwinhttp_loader
Garbage_cleaner
Formbook
Clipboard_grabbing_technique
Agent_tesla
Azorult
Lokibot_stealer
Industry:
Financial, Transport
Geo:
Korea
IOCs:
File: 21
Url: 23
Domain: 3
Email: 5
Softs:
telegram
ASEC BLOG
ASEC 주간 악성코드 통계 (20230109 ~ 20230115) - ASEC BLOG
ContentsTop 1 – SmokeLoaderTop 2 – BeamWinHTTPTop 3 – FormbookTop 4 – AgentTeslaTop 5 – Lokibot ASEC 분석팀에서는 ASEC 자동 분석 시스템 RAPIT 을 활용하여 알려진 악성코드들에 대한 분류 및 대응을 진행하고 있다. 본 포스팅에서는 2023년 1월 9일 월요일부터 01월 15일 일요일까지 한 주간 수집된 악성코드의 통계를 정리한다. 대분류 상으로는 다운로더가 38.4%로…
#technique
Home Grown Red Team: Using LNK Files To Bypass Applocker
https://assume-breach.medium.com/home-grown-red-team-using-lnk-files-to-bypass-applocker-3fb1ecae291f
Home Grown Red Team: Using LNK Files To Bypass Applocker
https://assume-breach.medium.com/home-grown-red-team-using-lnk-files-to-bypass-applocker-3fb1ecae291f
Medium
Home Grown Red Team: Using LNK Files To Bypass Applocker
The Windows LNK file is just one of the many ways to get easy execution while bypassing Applocker and some AV. While this isn’t a new…
#technique
Avoid antivirus by hiding the import table
https://xz-aliyun-com.translate.goog/t/12035?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp
Avoid antivirus by hiding the import table
https://xz-aliyun-com.translate.goog/t/12035?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp
xz-aliyun-com.translate.goog
通过隐藏导入表的方式规避杀软 - 先知社区
先知社区,先知安全技术社区
#Research
Open SESAME: Fighting Botnets with Seed Reconstructions of
Domain Generation Algorithms
https://arxiv.org/pdf/2301.05048.pdf
Open SESAME: Fighting Botnets with Seed Reconstructions of
Domain Generation Algorithms
https://arxiv.org/pdf/2301.05048.pdf
#ParsedReport
19-01-2023
New version of Remcos RAT uses direct syscalls to evade detection.
https://minerva-labs.com/blog/new-version-of-remcos-rat-uses-direct-syscalls-to-evade-detection
Threats:
Remcos_rat
Process_hollowing_technique
A310loggerstealer
Uac_bypass_technique
Pony
Process_injection_technique
TTPs:
IOCs:
File: 4
Path: 1
Registry: 2
Command: 1
Hash: 4
Softs:
nsis installer, windows service
Algorithms:
xor
Functions:
Function
Win API:
ResumeThread, NtCreateSection, NtMapViewOfSection, CreateProcessW, NtGetContextThread, NtQueryInformationProcess, ReadProcessMemory, NtWriteVirtualMemory, SetThreadContext, NtResumeThread, have more...
Links:
19-01-2023
New version of Remcos RAT uses direct syscalls to evade detection.
https://minerva-labs.com/blog/new-version-of-remcos-rat-uses-direct-syscalls-to-evade-detection
Threats:
Remcos_rat
Process_hollowing_technique
A310loggerstealer
Uac_bypass_technique
Pony
Process_injection_technique
TTPs:
IOCs:
File: 4
Path: 1
Registry: 2
Command: 1
Hash: 4
Softs:
nsis installer, windows service
Algorithms:
xor
Functions:
Function
Win API:
ResumeThread, NtCreateSection, NtMapViewOfSection, CreateProcessW, NtGetContextThread, NtQueryInformationProcess, ReadProcessMemory, NtWriteVirtualMemory, SetThreadContext, NtResumeThread, have more...
Links:
https://github.com/rxOred/process-hollowingRapid7
Rapid7 Cybersecurity - Command Your Attack Surface
Level up SecOps with the only endpoint to cloud, unified cybersecurity platform. Confidently act to prevent breaches with a leading MDR partner. Request demo!
#ParsedReport
19-01-2023
(LNK). Malicious link file disguised as a normal Korean document (LNK)
https://asec.ahnlab.com/ko/45988
Threats:
Dropper/lnk.agent
Trojan/bat.agent
Trojan/vbs.agent
Trojan/vbs.obfuscated
Trojan/vbs.runner
Trojan/vbs.uploader
Geo:
Korean
IOCs:
File: 23
Registry: 1
Url: 8
Path: 3
Hash: 16
Algorithms:
zip
19-01-2023
(LNK). Malicious link file disguised as a normal Korean document (LNK)
https://asec.ahnlab.com/ko/45988
Threats:
Dropper/lnk.agent
Trojan/bat.agent
Trojan/vbs.agent
Trojan/vbs.obfuscated
Trojan/vbs.runner
Trojan/vbs.uploader
Geo:
Korean
IOCs:
File: 23
Registry: 1
Url: 8
Path: 3
Hash: 16
Algorithms:
zip
ASEC
정상 한글 문서를 위장한 악성 링크 파일(LNK) - ASEC
ASEC 분석팀은 정상 한글 문서를 위장한 악성 LNK 파일이 유포되고 있음을 확인하였다. 국세청을 사칭한 텍스트 파일과 함께 유포되고 있으며 관련 내용이 담긴 정상 한글 문서가 실행되어 사용자가 악성 파일임을 인지하기 어렵다. 최종적으로 실행되는 악성 스크립트 파일은 ‘제품소개서로 위장한 악성 워드 문서‘ 에서 소개한 악성스크립트와 동일한 유형으로 확인되며 같은 공격자에 의해 제작된 것으로 보인다. 최근 확인된 […]