#ParsedReport
19-01-2023
Aurora A Stealer Using Shapeshifting Tactics
https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics
Threats:
Aurora
Teamviewer_tool
Redline_stealer
Vidar_stealer
Record_breaker_stealer
Beacon
TTPs:
Tactics: 6
Technics: 15
IOCs:
Url: 3
IP: 1
Hash: 4
Softs:
telegram, discord, (chrome
Algorithms:
gzip, base64
Functions:
wine_get_version
Win API:
GetProcAddress
Languages:
golang
19-01-2023
Aurora A Stealer Using Shapeshifting Tactics
https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics
Threats:
Aurora
Teamviewer_tool
Redline_stealer
Vidar_stealer
Record_breaker_stealer
Beacon
TTPs:
Tactics: 6
Technics: 15
IOCs:
Url: 3
IP: 1
Hash: 4
Softs:
telegram, discord, (chrome
Algorithms:
gzip, base64
Functions:
wine_get_version
Win API:
GetProcAddress
Languages:
golang
Cyble
Aurora – A Stealer Using Shapeshifting Tactics
CRIL analyzes Aurora, an information stealer leveraging Phishing pages imitating popular applications to infect users.
#ParsedReport
18-01-2023
Payzero Scams and The Evolution of Asset Theft in Web3. Pay zero, get it all
https://www.trendmicro.com/en_us/research/23/a/payzero-scams-and-the-evolution-of-asset-theft-in-web3.html
Threats:
Payzero
Medusalocker
Industry:
E-commerce, Financial
Softs:
discord
Functions:
OpenSea, SetApprovalForAll
18-01-2023
Payzero Scams and The Evolution of Asset Theft in Web3. Pay zero, get it all
https://www.trendmicro.com/en_us/research/23/a/payzero-scams-and-the-evolution-of-asset-theft-in-web3.html
Threats:
Payzero
Medusalocker
Industry:
E-commerce, Financial
Softs:
discord
Functions:
OpenSea, SetApprovalForAll
Trend Micro
“Payzero” Scams and The Evolution of Asset Theft in Web3
In this entry we would like to discuss a Web3 fraud scenario where scammers target potential victims via fake smart contracts, and then take over their digital assets, such as NFT tokens, without paying. We named this scam “Payzero”.
#ParsedReport
19-01-2023
Roaming Mantis implements new DNS changer in its malicious mobile app in 2022
https://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/108464
Actors/Campaigns:
Roaming_mantis (motivation: financially_motivated)
Threats:
Dns_changer
Mantis_botnet
Moqhao
Dns_hijacking_technique
Formbook
Industry:
Aerospace
Geo:
Asian, Malaysia, Korea, India, Germany, Austria, France, Taiwan, Turkey, Japan
IOCs:
Hash: 6
File: 1
IP: 48
Url: 34
Domain: 21
Softs:
android
19-01-2023
Roaming Mantis implements new DNS changer in its malicious mobile app in 2022
https://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/108464
Actors/Campaigns:
Roaming_mantis (motivation: financially_motivated)
Threats:
Dns_changer
Mantis_botnet
Moqhao
Dns_hijacking_technique
Formbook
Industry:
Aerospace
Geo:
Asian, Malaysia, Korea, India, Germany, Austria, France, Taiwan, Turkey, Japan
IOCs:
Hash: 6
File: 1
IP: 48
Url: 34
Domain: 21
Softs:
android
Securelist
Roaming Mantis implements new DNS changer in its malicious mobile app in 2022
Roaming Mantis (a.k.a Shaoye) is a long-term cyberattack campaign that uses malicious Android package (APK) files to control infected Android devices and steal data. In 2022, we observed a DNS changer function implemented in its Android malware Wroba.o.
#ParsedReport
19-01-2023
Breaking Down the SEO Poisoning Attack \| How Attackers Are Hijacking Search Results
https://www.sentinelone.com/blog/breaking-down-the-seo-poisoning-attack-how-attackers-are-hijacking-search-results
Threats:
Atera_tool
Batloader
Raccoon_stealer
Industry:
Financial
Geo:
Usa
IOCs:
Hash: 7
File: 4
IP: 1
Softs:
photoshop, discord
Algorithms:
zip
19-01-2023
Breaking Down the SEO Poisoning Attack \| How Attackers Are Hijacking Search Results
https://www.sentinelone.com/blog/breaking-down-the-seo-poisoning-attack-how-attackers-are-hijacking-search-results
Threats:
Atera_tool
Batloader
Raccoon_stealer
Industry:
Financial
Geo:
Usa
IOCs:
Hash: 7
File: 4
IP: 1
Softs:
photoshop, discord
Algorithms:
zip
SentinelOne
SEO Poisoning: Risks, Solutions & Indicators of Compromise
Learn about SEO Poisoning, its risks, and how to mitigate them. Explore indicators of compromise and find a conclusion to safeguard your projects.
#ParsedReport
18-01-2023
Chinese Playful Taurus Activity in Iran
https://unit42.paloaltonetworks.com/playful-taurus
Actors/Campaigns:
Playful_taurus (motivation: cyber_espionage)
Threats:
Terra_stealer
Turian
Vmprotect_tool
Api_obfuscation_technique
Neshta
Industry:
Telco, Government
Geo:
Iranian, Syrian, Irans, Iran, America, Apac, Africa, Senegal, Japan, Emea, Chinese, China
IOCs:
Domain: 14
IP: 9
Hash: 7
File: 2
Algorithms:
xor
Functions:
connect
Win API:
InitSecurityInterfaceA, AcquireCredentialsHandleA, InitializeSecurityContextA, EncryptMessage, DecryptMessage
Languages:
python
Platforms:
x64
18-01-2023
Chinese Playful Taurus Activity in Iran
https://unit42.paloaltonetworks.com/playful-taurus
Actors/Campaigns:
Playful_taurus (motivation: cyber_espionage)
Threats:
Terra_stealer
Turian
Vmprotect_tool
Api_obfuscation_technique
Neshta
Industry:
Telco, Government
Geo:
Iranian, Syrian, Irans, Iran, America, Apac, Africa, Senegal, Japan, Emea, Chinese, China
IOCs:
Domain: 14
IP: 9
Hash: 7
File: 2
Algorithms:
xor
Functions:
connect
Win API:
InitSecurityInterfaceA, AcquireCredentialsHandleA, InitializeSecurityContextA, EncryptMessage, DecryptMessage
Languages:
python
Platforms:
x64
Unit 42
Chinese Playful Taurus Activity in Iran
Chinese APT Playful Taurus is using a new backdoor named Turian. Analysis suggests several Iranian government networks have likely been compromised.
#ParsedReport
20-01-2023
ASEC Weekly Malware Statistics (January 9th, 2023 January 15th, 2023)
https://asec.ahnlab.com/en/46169
Threats:
Smokeloader
Beamwinhttp_loader
Garbage_cleaner
Formbook
Clipboard_grabbing_technique
Agent_tesla
Lokibot_stealer
Industry:
Transport, Financial
Geo:
Korea
IOCs:
File: 15
Url: 23
Domain: 3
Email: 5
Softs:
telegram
20-01-2023
ASEC Weekly Malware Statistics (January 9th, 2023 January 15th, 2023)
https://asec.ahnlab.com/en/46169
Threats:
Smokeloader
Beamwinhttp_loader
Garbage_cleaner
Formbook
Clipboard_grabbing_technique
Agent_tesla
Lokibot_stealer
Industry:
Transport, Financial
Geo:
Korea
IOCs:
File: 15
Url: 23
Domain: 3
Email: 5
Softs:
telegram
ASEC BLOG
ASEC Weekly Malware Statistics (January 9th, 2023 – January 15th, 2023) - ASEC BLOG
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 9th, 2023 (Monday) to January 15th, 2023 (Sunday). For the main category, downloader…
#ParsedReport
20-01-2023
Ransomware Roundup Playing Whack-a-Mole with New CrySIS/Dharma Variants
https://www.fortinet.com/blog/threat-research/ransomware-roundup-playing-whack-a-mole-with-new-crysis-dharma-variants
Threats:
Dharma
Vssadmin_tool
Industry:
Financial
Geo:
Bulgarian, Russian, Ukrainian
IOCs:
File: 2
Path: 6
Hash: 6
20-01-2023
Ransomware Roundup Playing Whack-a-Mole with New CrySIS/Dharma Variants
https://www.fortinet.com/blog/threat-research/ransomware-roundup-playing-whack-a-mole-with-new-crysis-dharma-variants
Threats:
Dharma
Vssadmin_tool
Industry:
Financial
Geo:
Bulgarian, Russian, Ukrainian
IOCs:
File: 2
Path: 6
Hash: 6
Fortinet Blog
Ransomware Roundup – Playing Whack-a-Mole with New CrySIS/Dharma Variants | FortiGuard Labs
In this week's Ransomware Roundup, FortiGuard Labs covers variants of the CrySIS/Dharma ransomware family along with protection recommendations. Read our blog to find out more.…
#ParsedReport
20-01-2023
Following the LNK metadata trail
https://blog.talosintelligence.com/following-the-lnk-metadata-trail
Actors/Campaigns:
Obama
Gamaredon
Threats:
Mlnk_tool
Quantumbuilder_tool
Quantum_locker
Macropack_tool
Lnkup_tool
Lnk2pwn_tool
Sharpersist_tool
Rustlnkbuilder_tool
Raspberry_robin
Qakbot
Motw_bypass_technique
Meterpreter_tool
Cobalt_strike
Redline_stealer
Glowsand
Bumblebee
Icedid
Geo:
Ukranian, Ukrainian
CVEs:
CVE-2015-0096 [Vulners]
Vulners: Score: 9.3, CVSS: 4.9,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows rt (-)
- microsoft windows rt 8.1 (-)
- microsoft windows server 2012 (-, r2)
- microsoft windows 8.1 (-)
- microsoft windows server 2003 (-)
have more...
IOCs:
Hash: 35
Url: 1
Softs:
office 365, microsoft defender
Algorithms:
zip
Functions:
WriteTime
Languages:
python
YARA: Found
Links:
20-01-2023
Following the LNK metadata trail
https://blog.talosintelligence.com/following-the-lnk-metadata-trail
Actors/Campaigns:
Obama
Gamaredon
Threats:
Mlnk_tool
Quantumbuilder_tool
Quantum_locker
Macropack_tool
Lnkup_tool
Lnk2pwn_tool
Sharpersist_tool
Rustlnkbuilder_tool
Raspberry_robin
Qakbot
Motw_bypass_technique
Meterpreter_tool
Cobalt_strike
Redline_stealer
Glowsand
Bumblebee
Icedid
Geo:
Ukranian, Ukrainian
CVEs:
CVE-2015-0096 [Vulners]
Vulners: Score: 9.3, CVSS: 4.9,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows rt (-)
- microsoft windows rt 8.1 (-)
- microsoft windows server 2012 (-, r2)
- microsoft windows 8.1 (-)
- microsoft windows server 2003 (-)
have more...
IOCs:
Hash: 35
Url: 1
Softs:
office 365, microsoft defender
Algorithms:
zip
Functions:
WriteTime
Languages:
python
YARA: Found
Links:
https://github.com/Cisco-Talos/IOCs/blob/main/2023/01/following-the-lnk-metadata-trail.txt
https://github.com/EricZimmerman/LECmdCisco Talos Blog
Following the LNK metadata trail
While tracking some prevalent commodity malware threat actors, Talos observed the popularization of malicious LNK files as their initial access method to download and execute payloads. A closer look at the LNK files illustrates how their metadata could be…
#ParsedReport
19-01-2023
StrongPity APT After Android Users with Trojanized Telegram App
https://www.secureblink.com/threat-research/strong-pity-apt-after-android-users-with-trojanized-telegram-app
Threats:
Strongpity
Watering_hole_technique
Industry:
Telco
Geo:
Syrian, Turkish, Italian, Africa, Spain, Turkey, Belgium, Italy, France, America
IOCs:
File: 5
Hash: 5
Softs:
android, telegram, tinder
Algorithms:
aes
19-01-2023
StrongPity APT After Android Users with Trojanized Telegram App
https://www.secureblink.com/threat-research/strong-pity-apt-after-android-users-with-trojanized-telegram-app
Threats:
Strongpity
Watering_hole_technique
Industry:
Telco
Geo:
Syrian, Turkish, Italian, Africa, Spain, Turkey, Belgium, Italy, France, America
IOCs:
File: 5
Hash: 5
Softs:
android, telegram, tinder
Algorithms:
aes
Secureblink
StrongPity APT After Android Users with Trojanized Telegram App | Secure Blink
Learn about the StrongPity APT group's latest espionage campaign targeting Android users with a trojanized Telegram app disguised as the Shagle chat app...
#ParsedReport
20-01-2023
ASEC (20230108 \~ 20230114). ASEC Weekly phishing email threat trend (20230108 \~ 20230114)
https://asec.ahnlab.com/ko/45965
Threats:
Agent_tesla
Formbook
Industry:
Transport, Financial
Geo:
Korea, Korean
TTPs:
IOCs:
File: 56
Url: 12
Algorithms:
zip
20-01-2023
ASEC (20230108 \~ 20230114). ASEC Weekly phishing email threat trend (20230108 \~ 20230114)
https://asec.ahnlab.com/ko/45965
Threats:
Agent_tesla
Formbook
Industry:
Transport, Financial
Geo:
Korea, Korean
TTPs:
IOCs:
File: 56
Url: 12
Algorithms:
zip
ASEC BLOG
ASEC 주간 피싱 이메일 위협 트렌드 (20230108 ~ 20230114) - ASEC BLOG
Contents피싱 이메일 위협 유형첨부파일 확장자유포 사례 사례: 가짜 로그인 페이지 (FakePage)사례: 악성코드 (Infostealer, Downloader 등)주의 키워드: ‘ONE’ 확장자가짜 페이지 (FakePage) C2 주소 ASEC 분석팀에서는 샘플 자동 분석 시스템(RAPIT)과 허니팟을 활용하여 피싱 이메일 위협을 모니터링하고 있다. 본 포스팅에서는 2023년 01월 08일부터 01월 14일까지 한 주간 확인된 피싱 이메일 공격의…
#ParsedReport
21-01-2023
Album Stealer Targets Facebook Adult-Only Content Seekers
https://www.zscaler.com/blogs/security-research/album-stealer-targets-facebook-adult-only-content-seekers
Threats:
Album_stealer
Dll_sideloading_technique
Sparkle
Beacon
Geo:
Vietnamese, Vietnam
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 32
Url: 5
Registry: 1
Path: 7
Hash: 14
Domain: 9
Softs:
microsoft onedrive, curl, google chrome, opera, microsoft edge, chromium
Algorithms:
gzip, aes, base64, zip
Languages:
php
21-01-2023
Album Stealer Targets Facebook Adult-Only Content Seekers
https://www.zscaler.com/blogs/security-research/album-stealer-targets-facebook-adult-only-content-seekers
Threats:
Album_stealer
Dll_sideloading_technique
Sparkle
Beacon
Geo:
Vietnamese, Vietnam
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 32
Url: 5
Registry: 1
Path: 7
Hash: 14
Domain: 9
Softs:
microsoft onedrive, curl, google chrome, opera, microsoft edge, chromium
Algorithms:
gzip, aes, base64, zip
Languages:
php
Zscaler
Album Stealer | ThreatLabz
Album steals cookies and stored credentials from different web browsers and Facebook business and Ad pages details. It uses DLL side loading technique.
#ParsedReport
23-01-2023
Information Stealers going Incognito on Google Ads
https://labs.k7computing.com/index.php/information-stealers-going-incognito-on-google-ads
Threats:
Anydesk_tool
Aurora
Vidar_stealer
Rhadamanthys
Icedid
Gozi
Redline_stealer
Gpg4win_tool
IOCs:
File: 11
Url: 8
IP: 3
Hash: 17
Domain: 1
Softs:
pyinstaller, windows explorer, discord, zoom
Algorithms:
base64, zip
Win API:
VirtualAlloc, RtlMoveMemory, CreateThread
Languages:
python
23-01-2023
Information Stealers going Incognito on Google Ads
https://labs.k7computing.com/index.php/information-stealers-going-incognito-on-google-ads
Threats:
Anydesk_tool
Aurora
Vidar_stealer
Rhadamanthys
Icedid
Gozi
Redline_stealer
Gpg4win_tool
IOCs:
File: 11
Url: 8
IP: 3
Hash: 17
Domain: 1
Softs:
pyinstaller, windows explorer, discord, zoom
Algorithms:
base64, zip
Win API:
VirtualAlloc, RtlMoveMemory, CreateThread
Languages:
python
K7 Labs
Information Stealers going Incognito on Google Ads - K7 Labs
It is not new for threat actors to abuse online advertising networks for their malvertising campaigns. But recently, we have […]
#ParsedReport
23-01-2023
Attackers Exploit Fortinet Zero-Day CVE-2022-42475 with BoldMove Malware
https://socradar.io/attackers-exploit-fortinet-zero-day-cve-2022-42475-with-boldmove-malware
Threats:
Boldmove
Industry:
Government
Geo:
China, African
CVEs:
CVE-2022-42475 [Vulners]
Vulners: Score: Unknown, CVSS: 6.2,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- fortinet fortios (le5.6.14, le5.4.13, le5.2.15, le5.0.14, le6.2.11, le6.0.15, le6.4.10, le7.2.2, le7.0.8, le6.0.14, le6.2.11, le6.4.9, le7.0.7)
- fortinet fortiproxy (le1.0.7, le1.1.6, le1.2.13, 7.2.0, le7.0.7, le2.0.11)
IOCs:
Hash: 6
23-01-2023
Attackers Exploit Fortinet Zero-Day CVE-2022-42475 with BoldMove Malware
https://socradar.io/attackers-exploit-fortinet-zero-day-cve-2022-42475-with-boldmove-malware
Threats:
Boldmove
Industry:
Government
Geo:
China, African
CVEs:
CVE-2022-42475 [Vulners]
Vulners: Score: Unknown, CVSS: 6.2,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- fortinet fortios (le5.6.14, le5.4.13, le5.2.15, le5.0.14, le6.2.11, le6.0.15, le6.4.10, le7.2.2, le7.0.8, le6.0.14, le6.2.11, le6.4.9, le7.0.7)
- fortinet fortiproxy (le1.0.7, le1.1.6, le1.2.13, 7.2.0, le7.0.7, le2.0.11)
IOCs:
Hash: 6
SOCRadar® Cyber Intelligence Inc.
Attackers Exploit Fortinet Zero-Day CVE-2022-42475 with BoldMove Malware - SOCRadar® Cyber Intelligence Inc.
Researchers have discovered a sophisticated new BoldMove malware created specifically to operate on Fortinet’s FortiGate
#ParsedReport
23-01-2023
New 'Blank Image' attack hides phishing scripts in SVG files
https://www.bleepingcomputer.com/news/security/new-blank-image-attack-hides-phishing-scripts-in-svg-files
Threats:
Qakbot
Algorithms:
base64
Languages:
javascript
23-01-2023
New 'Blank Image' attack hides phishing scripts in SVG files
https://www.bleepingcomputer.com/news/security/new-blank-image-attack-hides-phishing-scripts-in-svg-files
Threats:
Qakbot
Algorithms:
base64
Languages:
javascript
BleepingComputer
New 'Blank Image' attack hides phishing scripts in SVG files
An unusual phishing technique has been observed in the wild, hiding empty SVG files inside HTML attachments pretending to be DocuSign documents.
#ParsedReport
23-01-2023
Hook: a new Ermac fork with RAT capabilities
https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html
Actors/Campaigns:
Dukeeugene
Indra
Threats:
Hook
Ermac
Flubot
Anatsa
Hydra
Octo
Cerberus
Spynote_rat
Tron
Geral
Halkbank
Mallox
Robinhood
Industry:
Foodtech, Financial, Retail, E-commerce, Ics
Geo:
America, Indonesia, Argentina, Georgia, Germany, Budapest, India, Chile, Denmark, Deutsche, Turkey, Colombia, Australia, Italia, Emirates, Austria, Kenya, Ita, Africa, Uruguay, Switzerland, Malaysia, Russian, Asian, France, Dubai, Asia, Spain, Singapore, Canada, Portugal
IOCs:
File: 194
Hash: 4
IP: 2
Softs:
android, coinbase, google chrome, wechat, tinder, telegram, tronlink, coinbase.android, instagram.android, instagram, have more...
Algorithms:
aes-256-cbc, zip, base64
Functions:
VNC
Platforms:
intel
23-01-2023
Hook: a new Ermac fork with RAT capabilities
https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html
Actors/Campaigns:
Dukeeugene
Indra
Threats:
Hook
Ermac
Flubot
Anatsa
Hydra
Octo
Cerberus
Spynote_rat
Tron
Geral
Halkbank
Mallox
Robinhood
Industry:
Foodtech, Financial, Retail, E-commerce, Ics
Geo:
America, Indonesia, Argentina, Georgia, Germany, Budapest, India, Chile, Denmark, Deutsche, Turkey, Colombia, Australia, Italia, Emirates, Austria, Kenya, Ita, Africa, Uruguay, Switzerland, Malaysia, Russian, Asian, France, Dubai, Asia, Spain, Singapore, Canada, Portugal
IOCs:
File: 194
Hash: 4
IP: 2
Softs:
android, coinbase, google chrome, wechat, tinder, telegram, tronlink, coinbase.android, instagram.android, instagram, have more...
Algorithms:
aes-256-cbc, zip, base64
Functions:
VNC
Platforms:
intel
ThreatFabric
Hook: a new Ermac fork with RAT capabilities
Hook, the latest project of the criminals behind the Ermac banking malware, adds Remote Access Tool features, allowing this variant to perform On Device Fraud.
#ParsedReport
23-01-2023
The Titan Stealer: Notorious Telegram Malware Campaign - Uptycs
https://www.uptycs.com/blog/titan-stealer-telegram-malware-campaign
Threats:
Titanstealer
Process_hollowing_technique
Geo:
Russian
TTPs:
Tactics: 3
Technics: 4
IOCs:
Hash: 13
File: 1
Path: 26
Softs:
telegram, coinomi, zcash
Algorithms:
base64, xor
Functions:
CreateFile
Win API:
FindFirstFileW
Languages:
golang
YARA: Found
23-01-2023
The Titan Stealer: Notorious Telegram Malware Campaign - Uptycs
https://www.uptycs.com/blog/titan-stealer-telegram-malware-campaign
Threats:
Titanstealer
Process_hollowing_technique
Geo:
Russian
TTPs:
Tactics: 3
Technics: 4
IOCs:
Hash: 13
File: 1
Path: 26
Softs:
telegram, coinomi, zcash
Algorithms:
base64, xor
Functions:
CreateFile
Win API:
FindFirstFileW
Languages:
golang
YARA: Found
Uptycs
The Titan Stealer: Notorious Telegram Malware Campaign - Uptycs
The Uptycs threat research team discovered a Titan stealer malware campaign, which is marketed and sold by a threat actor (TA) through a Telegram channel.
#ParsedReport
23-01-2023
Hackers now use Microsoft OneNote attachments to spread malware
https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware
Threats:
Motw_bypass_technique
Asyncrat_rat
Xworm_rat
Quasar_rat
Industry:
Transport
Softs:
microsoft onenote, onenote, microsoft office
Algorithms:
zip
23-01-2023
Hackers now use Microsoft OneNote attachments to spread malware
https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware
Threats:
Motw_bypass_technique
Asyncrat_rat
Xworm_rat
Quasar_rat
Industry:
Transport
Softs:
microsoft onenote, onenote, microsoft office
Algorithms:
zip
BleepingComputer
Hackers now use Microsoft OneNote attachments to spread malware
Threat actors now use OneNote attachments in phishing emails that infect victims with remote access malware which can be used to install further malware, steal passwords, or even cryptocurrency wallets.
#ParsedReport
24-01-2023
DragonSpark \| Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation
https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation
Actors/Campaigns:
Dragonspark (motivation: cyber_espionage, information_theft, cyber_criminal)
Emissary_panda (motivation: cyber_espionage, cyber_criminal)
Leviathan (motivation: cyber_espionage, cyber_criminal)
Threats:
Sparkrat
Chinachopper
Sharptoken_tool
Badpotato_tool
Gotohttp_tool
Xzb-1248_actor
Meterpreter_tool
Cobalt_strike
Zegost
Beichendream_tool
Industry:
Retail
Geo:
Asia, Asian, Chinese, Taiwan, China, Singapore
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 5
File: 1
IP: 8
Domain: 5
Url: 7
Softs:
mysql, pyinstaller, macos
Algorithms:
aes, cbc, base64
Win API:
HeapCreate
Languages:
python, golang
Links:
24-01-2023
DragonSpark \| Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation
https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation
Actors/Campaigns:
Dragonspark (motivation: cyber_espionage, information_theft, cyber_criminal)
Emissary_panda (motivation: cyber_espionage, cyber_criminal)
Leviathan (motivation: cyber_espionage, cyber_criminal)
Threats:
Sparkrat
Chinachopper
Sharptoken_tool
Badpotato_tool
Gotohttp_tool
Xzb-1248_actor
Meterpreter_tool
Cobalt_strike
Zegost
Beichendream_tool
Industry:
Retail
Geo:
Asia, Asian, Chinese, Taiwan, China, Singapore
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 5
File: 1
IP: 8
Domain: 5
Url: 7
Softs:
mysql, pyinstaller, macos
Algorithms:
aes, cbc, base64
Win API:
HeapCreate
Languages:
python, golang
Links:
https://github.com/XZB-1248/Spark
https://github.com/BeichenDream/
https://github.com/BeichenDream/BadPotato
https://github.com/XZB-1248
https://github.com/BeichenDream/SharpToken
https://github.com/traefik/yaegiSentinelOne
DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation
A cluster of attacks uses a novel technique, Golang source code interpretation, to avoid detection while also deploying a little-known tool called SparkRAT.
#ParsedReport
24-01-2023
QR Code Phishing Attempts to Steal Credentials from Chinese Language Users
https://www.fortinet.com/blog/threat-research/qr-code-phishing-attempts-to-steal-credentials-from-chinese-language-users
Industry:
Financial, Entertainment
Geo:
China, Chinese
IOCs:
Url: 3
Hash: 3
Softs:
microsoft word, wechat
24-01-2023
QR Code Phishing Attempts to Steal Credentials from Chinese Language Users
https://www.fortinet.com/blog/threat-research/qr-code-phishing-attempts-to-steal-credentials-from-chinese-language-users
Industry:
Financial, Entertainment
Geo:
China, Chinese
IOCs:
Url: 3
Hash: 3
Softs:
microsoft word, wechat
Fortinet Blog
QR Code Phishing Attempts to Steal Credentials from Chinese Language Users
FortiGuard Labs recently discovered a phishing campaign using a variety of QR codes to target Chinese language users. It aims to steal credentials by luring users into entering their data into a ph…
#ParsedReport
24-01-2023
CrossTalk and Secret Agent: Two Attack Vectors on Okta's Identity Suite
https://www.varonis.com/blog/okta-attack-vectors
Threats:
Kerberoasting_technique
Geo:
Romania
Softs:
zoom, active directory
24-01-2023
CrossTalk and Secret Agent: Two Attack Vectors on Okta's Identity Suite
https://www.varonis.com/blog/okta-attack-vectors
Threats:
Kerberoasting_technique
Geo:
Romania
Softs:
zoom, active directory
Varonis
CrossTalk and Secret Agent: Two Attack Vectors on Okta's Identity Suite
Varonis Threat Labs discovered and disclosed two attack vectors on Okta's identity suite: CrossTalk and Secret Agent.
#ParsedReport
24-01-2023
Vice Society Ransomware Group Targets Manufacturing Companies. Technical analysis and infection flow
https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
Actors/Campaigns:
Vice_society
Threats:
Hellokitty
Printnightmare_vuln
Zeppelin
Cobalt_strike
Rubeus_tool
Mimikatz_tool
Neshta
Ryuk
Conti
Blackcat
Clop
Killdisk
Anydesk_tool
Logmein_tool
Teamviewer_tool
Fivehands
Ransom.win64.ransrevy.thaafbc
Industry:
Education, Healthcare
Geo:
Israel, Argentina, Brazil, Switzerland
IOCs:
File: 5
Domain: 10
Path: 5
Command: 2
Registry: 3
Email: 3
Hash: 13
Softs:
windows defender, hyper-v
Languages:
java
24-01-2023
Vice Society Ransomware Group Targets Manufacturing Companies. Technical analysis and infection flow
https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
Actors/Campaigns:
Vice_society
Threats:
Hellokitty
Printnightmare_vuln
Zeppelin
Cobalt_strike
Rubeus_tool
Mimikatz_tool
Neshta
Ryuk
Conti
Blackcat
Clop
Killdisk
Anydesk_tool
Logmein_tool
Teamviewer_tool
Fivehands
Ransom.win64.ransrevy.thaafbc
Industry:
Education, Healthcare
Geo:
Israel, Argentina, Brazil, Switzerland
IOCs:
File: 5
Domain: 10
Path: 5
Command: 2
Registry: 3
Email: 3
Hash: 13
Softs:
windows defender, hyper-v
Languages:
java
Trend Micro
Vice Society Ransomware Group Targets Manufacturing Companies
In this blog entry, we’d like to highlight our findings on Vice Society, which includes an end-to-end infection diagram that we were able to create using Trend Micro internal telemetry.