#ParsedReport
18-01-2023
ASEC (20230109 ~ 20230115). ASEC Weekly Malware Statistics (20230109 ~ 20230115)
https://asec.ahnlab.com/ko/45876
Threats:
Smokeloader
Beamwinhttp_loader
Garbage_cleaner
Formbook
Clipboard_grabbing_technique
Agent_tesla
Azorult
Lokibot_stealer
Industry:
Financial, Transport
Geo:
Korea
IOCs:
File: 21
Url: 23
Domain: 3
Email: 5
Softs:
telegram
ASEC BLOG
ASEC Weekly Malware Statistics (20230109 ~ 20230115) - ASEC BLOG
Contents: Top 1 – SmokeLoader; Top 2 – BeamWinHTTP; Top 3 – Formbook; Top 4 – AgentTesla; Top 5 – Lokibot. The ASEC analysis team uses the ASEC automatic analysis system RAPIT to classify and respond to known malware. This post summarizes the statistics of malware collected during the week from Monday, January 9, 2023 to Sunday, January 15, 2023. By major category, downloaders accounted for 38.4%…
#technique
Home Grown Red Team: Using LNK Files To Bypass Applocker
https://assume-breach.medium.com/home-grown-red-team-using-lnk-files-to-bypass-applocker-3fb1ecae291f
Medium
Home Grown Red Team: Using LNK Files To Bypass Applocker
The Windows LNK file is just one of the many ways to get easy execution while bypassing Applocker and some AV. While this isn’t a new…
#technique
Avoid antivirus by hiding the import table
https://xz-aliyun-com.translate.goog/t/12035?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp
xz-aliyun-com.translate.goog
Evading antivirus by hiding the import table - 先知社区 (Xianzhi Community)
Xianzhi Community, Xianzhi security technology community
#Research
Open SESAME: Fighting Botnets with Seed Reconstructions of Domain Generation Algorithms
https://arxiv.org/pdf/2301.05048.pdf
#ParsedReport
19-01-2023
New version of Remcos RAT uses direct syscalls to evade detection.
https://minerva-labs.com/blog/new-version-of-remcos-rat-uses-direct-syscalls-to-evade-detection
Threats:
Remcos_rat
Process_hollowing_technique
A310loggerstealer
Uac_bypass_technique
Pony
Process_injection_technique
TTPs:
IOCs:
File: 4
Path: 1
Registry: 2
Command: 1
Hash: 4
Softs:
nsis installer, windows service
Algorithms:
xor
Functions:
Function
Win API:
ResumeThread, NtCreateSection, NtMapViewOfSection, CreateProcessW, NtGetContextThread, NtQueryInformationProcess, ReadProcessMemory, NtWriteVirtualMemory, SetThreadContext, NtResumeThread, have more...
Links:
https://github.com/rxOred/process-hollowing
Rapid7
Rapid7 Cybersecurity - Command Your Attack Surface
Level up SecOps with the only endpoint to cloud, unified cybersecurity platform. Confidently act to prevent breaches with a leading MDR partner. Request demo!
#ParsedReport
19-01-2023
(LNK). Malicious link file disguised as a normal Korean document (LNK)
https://asec.ahnlab.com/ko/45988
Threats:
Dropper/lnk.agent
Trojan/bat.agent
Trojan/vbs.agent
Trojan/vbs.obfuscated
Trojan/vbs.runner
Trojan/vbs.uploader
Geo:
Korean
IOCs:
File: 23
Registry: 1
Url: 8
Path: 3
Hash: 16
Algorithms:
zip
ASEC
Malicious link file (LNK) disguised as a normal Hangul document - ASEC
The ASEC analysis team has confirmed that malicious LNK files disguised as normal Hangul (HWP) documents are being distributed. They are distributed together with a text file impersonating the National Tax Service, and because a normal Hangul document containing the related content is opened, it is difficult for the user to recognize that the file is malicious. The malicious script file that is ultimately executed is confirmed to be of the same type as the malicious script introduced in 'Malicious Word document disguised as a product brochure', and appears to have been created by the same attacker. Recently confirmed […]
#ParsedReport
19-01-2023
Gigabud RAT: New Android RAT Masquerading as Government Agencies. Technical Analysis
https://blog.cyble.com/2023/01/19/gigabud-rat-new-android-rat-masquerading-as-government-agencies
Threats:
Gigabud_rat
Industry:
Telco, Financial, Aerospace, Government
Geo:
Thailand, Philippine, Peru, Peruvian, Philippines
TTPs:
Tactics: 7
Technics: 9
IOCs:
Url: 5
File: 2
Hash: 2
Softs:
android
Functions:
OpenService
Cyble
Cyble - Gigabud RAT: New Android RAT Masquerading As Government Agencies
CRIL analyzes Gigabud RAT, the latest Android malware posing as a government agency to steal sensitive information.
#ParsedReport
19-01-2023
Sliver C2 Leveraged by Many Threat Actors
https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors
Actors/Campaigns:
Duke
Shathak
Exotic_lily
Threats:
Sliver_tool
Cobalt_strike
Bumblebee
Uac_bypass_technique
Process_injection_technique
Rubeus_tool
Seatbelt_tool
Metasploit_tool
Silver_c2
Wellmess_rat
Wellmail
Gozi
Icedid
Qakbot
Beacon
Procdump_tool
Pypykatz_tool
Mimikatz_tool
Nltest_tool
Golden_ticket_technique
Dcsync_technique
Geo:
Russian
TTPs:
Tactics: 9
Technics: 0
IOCs:
File: 17
Path: 5
IP: 3
Softs:
psexec, wireguard, microsoft office, curl, sudo, systemd, active directory, confluence, openssl, windows service, have more...
Algorithms:
zip
Functions:
GetSystem
Win API:
CreateRemoteThread
Languages:
golang
Platforms:
amd64, intel, arm
Links:
https://github.com/gentilkiwi/mimikatz
https://github.com/BishopFox/sliver
https://github.com/salesforce/jarm
https://github.com/sliverarmory/armory
https://github.com/BishopFox/
https://github.com/BishopFox/sliver/releases/tag/v1.1.0
https://github.com/skelsec/pypykatz
https://github.com/GhostPack/Rubeus
Cybereason
Sliver C2 Leveraged by Many Threat Actors
Threat Research: Sliver C2 gets more and more traction from Threat Actors, often seen as an alternative from Cobalt Striker.
#ParsedReport
19-01-2023
Dancing With Shellcodes: Analyzing Rhadamanthys Stealer. Threat Background
https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88
Threats:
Rhadamanthys
Anydesk_tool
Bumblebee
Industry:
Financial
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 1
File: 14
Url: 1
Softs:
windows error reporting, keepass, pale moon, sleipnir5, opera, chrome, coreftp, discord, telegram, foxmail, have more...
Algorithms:
rc4
Functions:
Unhooking, CreateCompletionPort, OpenVPN, GetModuleHandle
Win API:
VirtualAlloc, VirtualProtect, WinMain, ImmEnumInputContext, CreateThread, CreateRemoteThread, LocalFree, LocalAlloc, VirtualFree, ZwQueryInformationProcess, have more...
Links:
https://github.com/OALabs/BlobRunner
https://github.com/HoLLy-HaCKeR/KeePassHax
https://github.com/LordNoteworthy/al-khaser
Medium
Dancing With Shellcodes: Analyzing Rhadamanthys Stealer
Threat Background
#ParsedReport
19-01-2023
apt-c-26 lazarus. 1. Affected situation
https://mp.weixin.qq.com/s/W4hkBRJnwN1G32QCpaNNoA
Actors/Campaigns:
Lazarus
Axiom
Ta505
Threats:
Nukesped_rat
Process_injection_technique
IOCs:
Hash: 4
File: 3
Softs:
somora
Algorithms:
des, rc4, base64
Languages:
php
Weixin Official Accounts Platform
Analysis of attack activity by the suspected APT-C-26 (Lazarus) group using cryptocurrency wallet promotion information
Because of the characteristics of ISO files, they are favored as decoy files by APT groups such as Lazarus, Winnti and TA505. Recently, the 360 Advanced Threat Research Institute detected an attack in which the suspected APT-C-26 (Lazarus) group delivered malicious ISO files themed on cryptocurrency wallet promotion information.
#ParsedReport
19-01-2023
Darth Vidar: The Dark Side of Evolving Threat Infrastructure
https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threat-infrastructure
Threats:
Vidar_stealer
Arkei_stealer
Anydesk_tool
Lumma_stealer
Oski_stealer
Stop_ransomware
Icedid
Redline_stealer
Industry:
Financial
Geo:
Russian
IOCs:
Domain: 10
IP: 10
File: 1
Hash: 6
Url: 6
Softs:
telegram, opera, mastodon
Platforms:
intel
Team-Cymru
Darth Vidar: Evolution of Threat Infrastructure at Team Cymru
Uncover the menacing force of "Darth Vidar" and its impact on evolving threat infrastructure. Explore how a Technology Company can combat this dark side.
#ParsedReport
19-01-2023
Aurora A Stealer Using Shapeshifting Tactics
https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics
Threats:
Aurora
Teamviewer_tool
Redline_stealer
Vidar_stealer
Record_breaker_stealer
Beacon
TTPs:
Tactics: 6
Technics: 15
IOCs:
Url: 3
IP: 1
Hash: 4
Softs:
telegram, discord, chrome
Algorithms:
gzip, base64
Functions:
wine_get_version
Win API:
GetProcAddress
Languages:
golang
Cyble
Aurora – A Stealer Using Shapeshifting Tactics
CRIL analyzes Aurora, an information stealer leveraging Phishing pages imitating popular applications to infect users.
#ParsedReport
18-01-2023
Payzero Scams and The Evolution of Asset Theft in Web3. Pay zero, get it all
https://www.trendmicro.com/en_us/research/23/a/payzero-scams-and-the-evolution-of-asset-theft-in-web3.html
Threats:
Payzero
Medusalocker
Industry:
E-commerce, Financial
Softs:
discord
Functions:
OpenSea, SetApprovalForAll
Trend Micro
“Payzero” Scams and The Evolution of Asset Theft in Web3
In this entry we would like to discuss a Web3 fraud scenario where scammers target potential victims via fake smart contracts, and then take over their digital assets, such as NFT tokens, without paying. We named this scam “Payzero”.
#ParsedReport
19-01-2023
Roaming Mantis implements new DNS changer in its malicious mobile app in 2022
https://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/108464
Actors/Campaigns:
Roaming_mantis (motivation: financially_motivated)
Threats:
Dns_changer
Mantis_botnet
Moqhao
Dns_hijacking_technique
Formbook
Industry:
Aerospace
Geo:
Asian, Malaysia, Korea, India, Germany, Austria, France, Taiwan, Turkey, Japan
IOCs:
Hash: 6
File: 1
IP: 48
Url: 34
Domain: 21
Softs:
android
Securelist
Roaming Mantis implements new DNS changer in its malicious mobile app in 2022
Roaming Mantis (a.k.a Shaoye) is a long-term cyberattack campaign that uses malicious Android package (APK) files to control infected Android devices and steal data. In 2022, we observed a DNS changer function implemented in its Android malware Wroba.o.
#ParsedReport
19-01-2023
Breaking Down the SEO Poisoning Attack | How Attackers Are Hijacking Search Results
https://www.sentinelone.com/blog/breaking-down-the-seo-poisoning-attack-how-attackers-are-hijacking-search-results
Threats:
Atera_tool
Batloader
Raccoon_stealer
Industry:
Financial
Geo:
Usa
IOCs:
Hash: 7
File: 4
IP: 1
Softs:
photoshop, discord
Algorithms:
zip
SentinelOne
SEO Poisoning: Risks, Solutions & Indicators of Compromise
Learn about SEO Poisoning, its risks, and how to mitigate them. Explore indicators of compromise and find a conclusion to safeguard your projects.
#ParsedReport
18-01-2023
Chinese Playful Taurus Activity in Iran
https://unit42.paloaltonetworks.com/playful-taurus
Actors/Campaigns:
Playful_taurus (motivation: cyber_espionage)
Threats:
Terra_stealer
Turian
Vmprotect_tool
Api_obfuscation_technique
Neshta
Industry:
Telco, Government
Geo:
Iranian, Syrian, Irans, Iran, America, Apac, Africa, Senegal, Japan, Emea, Chinese, China
IOCs:
Domain: 14
IP: 9
Hash: 7
File: 2
Algorithms:
xor
Functions:
connect
Win API:
InitSecurityInterfaceA, AcquireCredentialsHandleA, InitializeSecurityContextA, EncryptMessage, DecryptMessage
Languages:
python
Platforms:
x64
Unit 42
Chinese Playful Taurus Activity in Iran
Chinese APT Playful Taurus is using a new backdoor named Turian. Analysis suggests several Iranian government networks have likely been compromised.
#ParsedReport
20-01-2023
ASEC Weekly Malware Statistics (January 9th, 2023 – January 15th, 2023)
https://asec.ahnlab.com/en/46169
Threats:
Smokeloader
Beamwinhttp_loader
Garbage_cleaner
Formbook
Clipboard_grabbing_technique
Agent_tesla
Lokibot_stealer
Industry:
Transport, Financial
Geo:
Korea
IOCs:
File: 15
Url: 23
Domain: 3
Email: 5
Softs:
telegram
ASEC BLOG
ASEC Weekly Malware Statistics (January 9th, 2023 – January 15th, 2023) - ASEC BLOG
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 9th, 2023 (Monday) to January 15th, 2023 (Sunday). For the main category, downloader…
#ParsedReport
20-01-2023
Ransomware Roundup – Playing Whack-a-Mole with New CrySIS/Dharma Variants
https://www.fortinet.com/blog/threat-research/ransomware-roundup-playing-whack-a-mole-with-new-crysis-dharma-variants
Threats:
Dharma
Vssadmin_tool
Industry:
Financial
Geo:
Bulgarian, Russian, Ukrainian
IOCs:
File: 2
Path: 6
Hash: 6
Fortinet Blog
Ransomware Roundup – Playing Whack-a-Mole with New CrySIS/Dharma Variants | FortiGuard Labs
In this week's Ransomware Roundup, FortiGuard Labs covers variants of the CrySIS/Dharma ransomware family along with protection recommendations. Read our blog to find out more.…
#ParsedReport
20-01-2023
Following the LNK metadata trail
https://blog.talosintelligence.com/following-the-lnk-metadata-trail
Actors/Campaigns:
Obama
Gamaredon
Threats:
Mlnk_tool
Quantumbuilder_tool
Quantum_locker
Macropack_tool
Lnkup_tool
Lnk2pwn_tool
Sharpersist_tool
Rustlnkbuilder_tool
Raspberry_robin
Qakbot
Motw_bypass_technique
Meterpreter_tool
Cobalt_strike
Redline_stealer
Glowsand
Bumblebee
Icedid
Geo:
Ukranian, Ukrainian
CVEs:
CVE-2015-0096 [Vulners]
Vulners: Score: 9.3, CVSS: 4.9,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows rt (-)
- microsoft windows rt 8.1 (-)
- microsoft windows server 2012 (-, r2)
- microsoft windows 8.1 (-)
- microsoft windows server 2003 (-)
have more...
IOCs:
Hash: 35
Url: 1
Softs:
office 365, microsoft defender
Algorithms:
zip
Functions:
WriteTime
Languages:
python
YARA: Found
Links:
https://github.com/Cisco-Talos/IOCs/blob/main/2023/01/following-the-lnk-metadata-trail.txt
https://github.com/EricZimmerman/LECmd
Cisco Talos Blog
Following the LNK metadata trail
While tracking some prevalent commodity malware threat actors, Talos observed the popularization of malicious LNK files as their initial access method to download and execute payloads. A closer look at the LNK files illustrates how their metadata could be…
#ParsedReport
19-01-2023
StrongPity APT After Android Users with Trojanized Telegram App
https://www.secureblink.com/threat-research/strong-pity-apt-after-android-users-with-trojanized-telegram-app
Threats:
Strongpity
Watering_hole_technique
Industry:
Telco
Geo:
Syrian, Turkish, Italian, Africa, Spain, Turkey, Belgium, Italy, France, America
IOCs:
File: 5
Hash: 5
Softs:
android, telegram, tinder
Algorithms:
aes
Secureblink
StrongPity APT After Android Users with Trojanized Telegram App | Secure Blink
Learn about the StrongPity APT group's latest espionage campaign targeting Android users with a trojanized Telegram app disguised as the Shagle chat app...