CTT Report Hub
Threat Intelligence Report Hub
https://cyberthreat.tech
Cyber Threat Technologies LLC (ООО Технологии киберугроз)
Contact: @nikolaiav
#ParsedReport
17-01-2023

Kasablanka Group Probably Conducted Compaigns Targeting Russia

https://ti.qianxin.com/blog/articles/Kasablanka-Group-Probably-Conducted-Compaigns-Targeting-Russia

Actors/Campaigns:
Kasablanka (motivation: cyber_espionage)
Lazarus
Blindeagle
Confucius
Bitter

Threats:
Avemaria_rat
Lodarat
Motw_bypass_technique

Industry:
Government

Geo:
Kyrgyzstan, Ukraine, Russian, America, Turkey, Bangladesh, Morocco, Russia

IOCs:
IP: 6
File: 5
Path: 1
Hash: 22

Softs:
android, windows firewall, winscp, pyinstaller

Algorithms:
base64, zip

Languages:
autoit

#ParsedReport
17-01-2023

Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks. Indicators of Compromise (IOCs)

https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html

Actors/Campaigns:
Water_minyades

Threats:
Batloader
Qakbot
Raccoon_stealer
Bumblebee_loader
Pyarmor_tool
Trojan.win32.frs.vsnw1dk22
Cobalt_strike
Atera_tool
Beacon
Royal_ransomware
Gozi
Vidar_stealer
Redline_stealer
Z_loader
Smokeloader
Syncro_tool
Nsudo_tool
Gpg4win_tool
Rig_tool
Anydesk_tool
Logmein_tool
Putty_tool
Teamviewer_tool
Polyglot
Nircmd_tool
Bumblebee

Geo:
Germany, Poland, Netherlands, Canada, Australia, Japan, Brazil, Singapore

IOCs:
Domain: 17
Hash: 14
File: 12

Softs:
windows installer, windows defender, internet explorer, audacity, foxit, grammarly, kmsauto, minersoft, slack, tradingview, have more...

Algorithms:
zip

Functions:
GetNotes

Languages:
java, python, javascript

Links:
https://github.com/Svenskithesource/PyArmor-Unpacker

#ParsedReport
18-01-2023

IcedID and Infostealers Spread Through Adverts Mimicking Popular Tools

https://threatresearch.ext.hp.com/adverts-mimicking-popular-software-leads-to-malware

Threats:
Icedid
Vidar_stealer
Batloader
Rhadamanthys
Typosquatting_technique
Icedid_loader

IOCs:
File: 4
Hash: 4
Url: 9
Domain: 95

Softs:
audacity, telegram, microsoft teams

Algorithms:
zip

#Research
Open SESAME: Fighting Botnets with Seed Reconstructions of Domain Generation Algorithms

https://arxiv.org/pdf/2301.05048.pdf

#ParsedReport
19-01-2023

New version of Remcos RAT uses direct syscalls to evade detection.

https://minerva-labs.com/blog/new-version-of-remcos-rat-uses-direct-syscalls-to-evade-detection

Threats:
Remcos_rat
Process_hollowing_technique
A310loggerstealer
Uac_bypass_technique
Pony
Process_injection_technique

TTPs:

IOCs:
File: 4
Path: 1
Registry: 2
Command: 1
Hash: 4

Softs:
nsis installer, windows service

Algorithms:
xor

Functions:
Function

Win API:
ResumeThread, NtCreateSection, NtMapViewOfSection, CreateProcessW, NtGetContextThread, NtQueryInformationProcess, ReadProcessMemory, NtWriteVirtualMemory, SetThreadContext, NtResumeThread, have more...

Links:
https://github.com/rxOred/process-hollowing

#ParsedReport
19-01-2023

Gigabud RAT: New Android RAT Masquerading as Government Agencies. Technical Analysis

https://blog.cyble.com/2023/01/19/gigabud-rat-new-android-rat-masquerading-as-government-agencies

Threats:
Gigabud_rat

Industry:
Telco, Financial, Aerospace, Government

Geo:
Thailand, Philippine, Peru, Peruvian, Philippines

TTPs:
Tactics: 7
Technics: 9

IOCs:
Url: 5
File: 2
Hash: 2

Softs:
android

Functions:
OpenService

#ParsedReport
19-01-2023

Sliver C2 Leveraged by Many Threat Actors

https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors

Actors/Campaigns:
Duke
Shathak
Exotic_lily

Threats:
Sliver_tool
Cobalt_strike
Bumblebee
Uac_bypass_technique
Process_injection_technique
Rubeus_tool
Seatbelt_tool
Metasploit_tool
Silver_c2
Wellmess_rat
Wellmail
Gozi
Icedid
Qakbot
Beacon
Procdump_tool
Pypykatz_tool
Mimikatz_tool
Nltest_tool
Golden_ticket_technique
Dcsync_technique

Geo:
Russian

TTPs:
Tactics: 9
Technics: 0

IOCs:
File: 17
Path: 5
IP: 3

Softs:
psexec, wireguard, microsoft office, curl, sudo, systemd, active directory, confluence, openssl, windows service, have more...

Algorithms:
zip

Functions:
GetSystem

Win API:
CreateRemoteThread

Languages:
golang

Platforms:
amd64, intel, arm

Links:
https://github.com/gentilkiwi/mimikatz
https://github.com/BishopFox/sliver
https://github.com/salesforce/jarm
https://github.com/sliverarmory/armory
https://github.com/BishopFox/
https://github.com/BishopFox/sliver/releases/tag/v1.1.0
https://github.com/skelsec/pypykatz
https://github.com/GhostPack/Rubeus

#ParsedReport
19-01-2023

Dancing With Shellcodes: Analyzing Rhadamanthys Stealer. Threat Background

https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88

Threats:
Rhadamanthys
Anydesk_tool
Bumblebee

Industry:
Financial

TTPs:
Tactics: 1
Technics: 0

IOCs:
Hash: 1
File: 14
Url: 1

Softs:
windows error reporting, keepass, pale moon, sleipnir5, opera, chrome, coreftp, discord, telegram, foxmail, have more...

Algorithms:
rc4

Functions:
Unhooking, CreateCompletionPort, OpenVPN, GetModuleHandle

Win API:
VirtualAlloc, VirtualProtect, WinMain, ImmEnumInputContext, CreateThread, CreateRemoteThread, LocalFree, LocalAlloc, VirtualFree, ZwQueryInformationProcess, have more...

Links:
https://github.com/OALabs/BlobRunner
https://github.com/HoLLy-HaCKeR/KeePassHax
https://github.com/LordNoteworthy/al-khaser

#ParsedReport
19-01-2023

Darth Vidar: The Dark Side of Evolving Threat Infrastructure

https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threat-infrastructure

Threats:
Vidar_stealer
Arkei_stealer
Anydesk_tool
Lumma_stealer
Oski_stealer
Stop_ransomware
Icedid
Redline_stealer

Industry:
Financial

Geo:
Russian

IOCs:
Domain: 10
IP: 10
File: 1
Hash: 6
Url: 6

Softs:
telegram, opera, mastodon

Platforms:
intel

#ParsedReport
19-01-2023

Aurora A Stealer Using Shapeshifting Tactics

https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics

Threats:
Aurora
Teamviewer_tool
Redline_stealer
Vidar_stealer
Record_breaker_stealer
Beacon

TTPs:
Tactics: 6
Technics: 15

IOCs:
Url: 3
IP: 1
Hash: 4

Softs:
telegram, discord, chrome

Algorithms:
gzip, base64

Functions:
wine_get_version

Win API:
GetProcAddress

Languages:
golang