#ParsedReport
17-01-2023
Phishing Web Server Identified Through an Impostor National Tax Service Email
https://asec.ahnlab.com/en/45669
ASEC
Phishing Web Server Identified Through an Impostor National Tax Service Email - ASEC
The ASEC analysis team recently discovered that a phishing email impersonating the National Tax Service was being distributed. This phishing email emphasizes the urgency of the company email password expiring on the same day, and it is being sent with a message…
#ParsedReport
17-01-2023
Earth Bogle: Campaigns Target the Middle East with Geopolitical Lures
https://www.trendmicro.com/en_us/research/23/a/earth-bogle-campaigns-target-middle-east-with-geopolitical-lures.html
Actors/Campaigns:
Earth_bogle
Threats:
Njrat
Powload
Powexec
Industry:
Government
Geo:
Africa
IOCs:
Hash: 21
Domain: 2
File: 4
Path: 2
Url: 7
Softs:
discord
Trend Micro
Earth Bogle: Campaigns Target the Middle East with Geopolitical Lures
We discovered an active campaign ongoing since at least mid-2022 which uses Middle Eastern geopolitical-themed lures to distribute NjRAT (also known as Bladabindi) to infect victims across the Middle East and North Africa.
#ParsedReport
17-01-2023
A phishing page that changes according to the user's mail address (using the favicon)
https://asec.ahnlab.com/ko/45861
IOCs:
File: 5
Url: 1
Languages:
php
ASEC
A Phishing Page That Changes According to the User's Email Address (Using the Favicon) - ASEC
The ASEC analysis team continuously monitors phishing emails. Among the many phishing emails identified, we confirmed one being distributed whose page icon changes to match the email service of the account address the user enters. The email, distributed yesterday, January 16, 2023, warns that the account will be terminated and urges the user to click the 'Reactivate now' link if reactivation is needed. Through the linked phishing page, users' email […]
#ParsedReport
17-01-2023
Coin miner attack cases mining Ethereum Classic coin
https://asec.ahnlab.com/ko/45794
Threats:
Lolminer
Gminer
Nbiner
Phoenixminer
Quasar_rat
Clipbanker
Nbminer
Tron
Vidar_stealer
Malware/win32.rl_generic.c4124695
Trojan/win.hpgen.r534371
Trojan/win.generic.r533377
Trojan/win.hpgen.r532433
Malware/mdp.behavior.m2318
Industry:
Financial
Geo:
Polish
IOCs:
File: 20
Path: 2
Coin: 7
Hash: 12
Url: 21
IP: 1
Softs:
discode, windows defender, task scheduler, curl, telegram, mastodon
ASEC BLOG
Coin Miner Attack Cases Mining Ethereum Classic Coin - ASEC BLOG
Contents: 0. Overview; 1. Ethereum coin miner attack cases; 1.1. Distribution via Discord; 1.2. Attack case disguised as the dnSpy tool; 2. Ethereum Classic coin miner attack cases; 2.1. The change to Ethereum Classic; A. Ethereum Classic coin miner; B. ClipBanker; C. Quasar RAT; D. Vidar InfoStealer; 3. Conclusion. The ASEC analysis team monitors coin miner malware being distributed in Korea and abroad, and in the past a number of blog posts…
#ParsedReport
17-01-2023
Kasablanka Group Probably Conducted Campaigns Targeting Russia
https://ti.qianxin.com/blog/articles/Kasablanka-Group-Probably-Conducted-Compaigns-Targeting-Russia
Actors/Campaigns:
Kasablanka (motivation: cyber_espionage)
Lazarus
Blindeagle
Confucius
Bitter
Threats:
Avemaria_rat
Lodarat
Motw_bypass_technique
Industry:
Government
Geo:
Kyrgyzstan, Ukraine, Russian, America, Turkey, Bangladesh, Morocco, Russia
IOCs:
IP: 6
File: 5
Path: 1
Hash: 22
Softs:
android, windows firewall, winscp, pyinstaller
Algorithms:
base64, zip
Languages:
autoit
Qianxin
Qianxin Threat Intelligence Center
#ParsedReport
17-01-2023
Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks. Indicators of Compromise (IOCs)
https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html
Actors/Campaigns:
Water_minyades
Threats:
Batloader
Qakbot
Raccoon_stealer
Bumblebee_loader
Pyarmor_tool
Trojan.win32.frs.vsnw1dk22
Cobalt_strike
Atera_tool
Beacon
Royal_ransomware
Gozi
Vidar_stealer
Redline_stealer
Z_loader
Smokeloader
Syncro_tool
Nsudo_tool
Gpg4win_tool
Rig_tool
Anydesk_tool
Logmein_tool
Putty_tool
Teamviewer_tool
Polyglot
Nircmd_tool
Bumblebee
Geo:
Germany, Poland, Netherlands, Canada, Australia, Japan, Brazil, Singapore
IOCs:
Domain: 17
Hash: 14
File: 12
Softs:
windows installer, windows defender, internet explorer, audacity, foxit, grammarly, kmsauto, minersoft, slack, tradingview, have more...
Algorithms:
zip
Functions:
GetNotes
Languages:
java, python, javascript
Links:
https://github.com/Svenskithesource/PyArmor-Unpacker
Trend Micro
Batloader Malware Abuses Legitimate Tools Uses Obfuscated JavaScript Files in Q4 2022 Attacks
We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events (This is the intrusion set we track behind the creation of Batloader).
#ParsedReport
18-01-2023
IcedID and Infostealers Spread Through Adverts Mimicking Popular Tools
https://threatresearch.ext.hp.com/adverts-mimicking-popular-software-leads-to-malware
Threats:
Icedid
Vidar_stealer
Batloader
Rhadamanthys
Typosquatting_technique
Icedid_loader
IOCs:
File: 4
Hash: 4
Url: 9
Domain: 95
Softs:
audacity, telegram, microsoft teams
Algorithms:
zip
HP Wolf Security
Fake Software Malvertising Spreads IcedID and Infostealers | HP Wolf Security
Don’t let cyber threats get the best of you. Read our post, Fake Software Malvertising Spreads IcedID and Infostealers, to learn more about cyber threats and cyber security.
#ParsedReport
18-01-2023
TZW ransomware being distributed in Korea
https://asec.ahnlab.com/ko/45706
Threats:
Tzw_ransomware
Majorcrypter
Darktortilla
Variantcrypter
Ransomware/win.generic.c5355494
Trojan/win.msilkrypt.c5020026
Trojan/win32.ransomcrypt.r343432
Malware/mdp.inject.m218
IOCs:
File: 13
Command: 1
Hash: 3
ASEC BLOG
TZW Ransomware Being Distributed in Korea - ASEC BLOG
Through recent internal monitoring, the ASEC analysis team confirmed that TZW ransomware, which appends the "TZW" extension to the original file extension after encryption, is being distributed. The ransomware's version information reads "System Boot Info", disguising it as a legitimate program related to boot information. It is written in .NET and contains a loader together with the actual ransomware data. The loader ultimately loads and executes the ransomware file. In the resource section…
#ParsedReport
18-01-2023
ASEC Weekly Malware Statistics (20230109 ~ 20230115)
https://asec.ahnlab.com/ko/45876
Threats:
Smokeloader
Beamwinhttp_loader
Garbage_cleaner
Formbook
Clipboard_grabbing_technique
Agent_tesla
Azorult
Lokibot_stealer
Industry:
Financial, Transport
Geo:
Korea
IOCs:
File: 21
Url: 23
Domain: 3
Email: 5
Softs:
telegram
ASEC BLOG
ASEC Weekly Malware Statistics (20230109 ~ 20230115) - ASEC BLOG
Contents: Top 1 – SmokeLoader; Top 2 – BeamWinHTTP; Top 3 – Formbook; Top 4 – AgentTesla; Top 5 – Lokibot. The ASEC analysis team uses the ASEC automated analysis system RAPIT to classify and respond to known malware. This post summarizes statistics on malware collected during the week from Monday, January 9, 2023 to Sunday, January 15. At the top-level classification, downloaders accounted for 38.4%…
#technique
Home Grown Red Team: Using LNK Files To Bypass Applocker
https://assume-breach.medium.com/home-grown-red-team-using-lnk-files-to-bypass-applocker-3fb1ecae291f
Medium
Home Grown Red Team: Using LNK Files To Bypass Applocker
The Windows LNK file is just one of the many ways to get easy execution while bypassing Applocker and some AV. While this isn’t a new…
#technique
Avoid antivirus by hiding the import table
https://xz-aliyun-com.translate.goog/t/12035?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp
xz-aliyun-com.translate.goog
Evading antivirus by hiding the import table - Xianzhi Community
Xianzhi Community, the Xianzhi security technology community
#Research
Open SESAME: Fighting Botnets with Seed Reconstructions of Domain Generation Algorithms
https://arxiv.org/pdf/2301.05048.pdf
#ParsedReport
19-01-2023
New version of Remcos RAT uses direct syscalls to evade detection.
https://minerva-labs.com/blog/new-version-of-remcos-rat-uses-direct-syscalls-to-evade-detection
Threats:
Remcos_rat
Process_hollowing_technique
A310loggerstealer
Uac_bypass_technique
Pony
Process_injection_technique
TTPs:
IOCs:
File: 4
Path: 1
Registry: 2
Command: 1
Hash: 4
Softs:
nsis installer, windows service
Algorithms:
xor
Functions:
Function
Win API:
ResumeThread, NtCreateSection, NtMapViewOfSection, CreateProcessW, NtGetContextThread, NtQueryInformationProcess, ReadProcessMemory, NtWriteVirtualMemory, SetThreadContext, NtResumeThread, have more...
Links:
https://github.com/rxOred/process-hollowing
Rapid7
#ParsedReport
19-01-2023
Malicious link file (LNK) disguised as a legitimate Hangul document
https://asec.ahnlab.com/ko/45988
Threats:
Dropper/lnk.agent
Trojan/bat.agent
Trojan/vbs.agent
Trojan/vbs.obfuscated
Trojan/vbs.runner
Trojan/vbs.uploader
Geo:
Korean
IOCs:
File: 23
Registry: 1
Url: 8
Path: 3
Hash: 16
Algorithms:
zip
ASEC
Malicious Link File (LNK) Disguised as a Legitimate Hangul Document - ASEC
The ASEC analysis team has confirmed that a malicious LNK file disguised as a legitimate Hangul document is being distributed. It is distributed together with a text file impersonating the National Tax Service, and because a legitimate Hangul document with related content is opened, it is difficult for the user to recognize the file as malicious. The malicious script file that is ultimately executed is identified as the same type as the malicious script introduced in 'Malicious Word Document Disguised as a Product Introduction', and appears to have been created by the same attacker. Recently identified […]
#ParsedReport
19-01-2023
Gigabud RAT: New Android RAT Masquerading as Government Agencies. Technical Analysis
https://blog.cyble.com/2023/01/19/gigabud-rat-new-android-rat-masquerading-as-government-agencies
Threats:
Gigabud_rat
Industry:
Telco, Financial, Aerospace, Government
Geo:
Thailand, Philippine, Peru, Peruvian, Philippines
TTPs:
Tactics: 7
Technics: 9
IOCs:
Url: 5
File: 2
Hash: 2
Softs:
android
Functions:
OpenService
Cyble
Cyble - Gigabud RAT: New Android RAT Masquerading As Government Agencies
CRIL analyzes Gigabud RAT, the latest Android malware posing as a government agency to steal sensitive information.
#ParsedReport
19-01-2023
Sliver C2 Leveraged by Many Threat Actors
https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors
Actors/Campaigns:
Duke
Shathak
Exotic_lily
Threats:
Sliver_tool
Cobalt_strike
Bumblebee
Uac_bypass_technique
Process_injection_technique
Rubeus_tool
Seatbelt_tool
Metasploit_tool
Silver_c2
Wellmess_rat
Wellmail
Gozi
Icedid
Qakbot
Beacon
Procdump_tool
Pypykatz_tool
Mimikatz_tool
Nltest_tool
Golden_ticket_technique
Dcsync_technique
Geo:
Russian
TTPs:
Tactics: 9
Technics: 0
IOCs:
File: 17
Path: 5
IP: 3
Softs:
psexec, wireguard, microsoft office, curl, sudo, systemd, active directory, confluence, openssl, windows service, have more...
Algorithms:
zip
Functions:
GetSystem
Win API:
CreateRemoteThread
Languages:
golang
Platforms:
amd64, intel, arm
Links:
https://github.com/gentilkiwi/mimikatz
https://github.com/BishopFox/sliver
https://github.com/salesforce/jarm
https://github.com/sliverarmory/armory
https://github.com/BishopFox/
https://github.com/BishopFox/sliver/releases/tag/v1.1.0
https://github.com/skelsec/pypykatz
https://github.com/GhostPack/Rubeus
Cybereason
Sliver C2 Leveraged by Many Threat Actors
Threat Research: Sliver C2 gets more and more traction from threat actors, often seen as an alternative to Cobalt Strike.
#ParsedReport
19-01-2023
Dancing With Shellcodes: Analyzing Rhadamanthys Stealer. Threat Background
https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88
Threats:
Rhadamanthys
Anydesk_tool
Bumblebee
Industry:
Financial
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 1
File: 14
Url: 1
Softs:
windows error reporting, keepass, pale moon, sleipnir5, opera, chrome, coreftp, discord, telegram, foxmail, have more...
Algorithms:
rc4
Functions:
Unhooking, CreateCompletionPort, OpenVPN, GetModuleHandle
Win API:
VirtualAlloc, VirtualProtect, WinMain, ImmEnumInputContext, CreateThread, CreateRemoteThread, LocalFree, LocalAlloc, VirtualFree, ZwQueryInformationProcess, have more...
Links:
https://github.com/OALabs/BlobRunner
https://github.com/HoLLy-HaCKeR/KeePassHax
https://github.com/LordNoteworthy/al-khaser
Medium
Dancing With Shellcodes: Analyzing Rhadamanthys Stealer
Threat Background
#ParsedReport
19-01-2023
APT-C-26 (Lazarus). 1. Affected situation
https://mp.weixin.qq.com/s/W4hkBRJnwN1G32QCpaNNoA
Actors/Campaigns:
Lazarus
Axiom
Ta505
Threats:
Nukesped_rat
Process_injection_technique
IOCs:
Hash: 4
File: 3
Softs:
somora
Algorithms:
des, rc4, base64
Languages:
php
Weixin Official Accounts Platform
Analysis of Suspected APT-C-26 (Lazarus) Group Attack Activity Using Cryptocurrency Wallet Promotion Information
Because of the characteristics of ISO files, they are favored as decoy files by APT groups such as Lazarus, Winnti and TA505. Recently, the 360 Advanced Threat Research Institute detected a suspected APT-C-26 (Lazarus) attack that delivered malicious ISO files themed around cryptocurrency wallet promotion information.
#ParsedReport
19-01-2023
Darth Vidar: The Dark Side of Evolving Threat Infrastructure
https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threat-infrastructure
Threats:
Vidar_stealer
Arkei_stealer
Anydesk_tool
Lumma_stealer
Oski_stealer
Stop_ransomware
Icedid
Redline_stealer
Industry:
Financial
Geo:
Russian
IOCs:
Domain: 10
IP: 10
File: 1
Hash: 6
Url: 6
Softs:
telegram, opera, mastodon
Platforms:
intel
Team-Cymru
Darth Vidar: Evolution of Threat Infrastructure at Team Cymru
Uncover the menacing force of "Darth Vidar" and its impact on evolving threat infrastructure. Explore how a Technology Company can combat this dark side.
#ParsedReport
19-01-2023
Aurora A Stealer Using Shapeshifting Tactics
https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics
Threats:
Aurora
Teamviewer_tool
Redline_stealer
Vidar_stealer
Record_breaker_stealer
Beacon
TTPs:
Tactics: 6
Technics: 15
IOCs:
Url: 3
IP: 1
Hash: 4
Softs:
telegram, discord, chrome
Algorithms:
gzip, base64
Functions:
wine_get_version
Win API:
GetProcAddress
Languages:
golang
Cyble
Aurora – A Stealer Using Shapeshifting Tactics
CRIL analyzes Aurora, an information stealer leveraging Phishing pages imitating popular applications to infect users.