#ParsedReport
31-01-2023
TZW Ransomware Being Distributed in Korea
https://asec.ahnlab.com/en/46812
Threats:
Tzw_ransomware
Ransomware/win.generic.c5355494
Trojan/win.msilkrypt.c5020026
Trojan/win32.ransomcrypt.r343432
Malware/mdp.inject.m218
Geo:
Korea
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 1
Command: 1
Hash: 3
Softs:
task scheduler
Functions:
ReadMe
ASEC BLOG
TZW Ransomware Being Distributed in Korea - ASEC BLOG
Through internal monitoring, the ASEC analysis team recently discovered the distribution of the TZW ransomware, which encrypts files before adding the “TZW” file extension to the original extension. This ransomware is being propagated with the version info…
#ParsedReport
01-02-2023
Phobos Ransomware found to be using DLL Side Loading
https://labs.k7computing.com/index.php/phobos-ransomware-found-to-be-using-dll-side-loading
Threats:
Dll_sideloading_technique
Phobos
Procmon_tool
Devos
IOCs:
File: 3
Hash: 4
Functions:
EnumWindowsStationsW
Win API:
VirtualAlloc, VirtualProtect
K7 Labs
Phobos Ransomware found to be using DLL Side Loading
In one of our recent IR cases, we found Phobos ransomware being executed using the DLL sideloading technique. The threat actors […]
#ParsedReport
01-02-2023
OneNote Documents Increasingly Used to Deliver Malware
https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware
Actors/Campaigns:
Ta577
Ta579
Threats:
Qakbot
Asyncrat_rat
Redline_stealer
Agent_tesla
Doubleback
Quasar_rat
Xworm_rat
Netwire_rat
Industry:
Transport, Education, Aerospace
Geo:
America, French
IOCs:
File: 5
Domain: 6
IP: 10
Hash: 27
Url: 1
Softs:
onenote, microsoft onenote, curl
Algorithms:
zip
Languages:
javascript, php
Links:
https://github.com/MREXw?tab=repositories
Proofpoint
The Rising Threat of OneNote Malware | Proofpoint US
Proofpoint recently identified a rise in threat actor use of OneNote documents to deliver malicious files. Learn about the rising threat of OneNote malware.
#ParsedReport
01-02-2023
Qakbot's Evolution Continues with New Strategies
https://blog.cyble.com/2023/02/01/qakbots-evolution-continues-with-new-strategies
Threats:
Qakbot
Formbook
Redline_stealer
Asyncrat_rat
Beacon
Industry:
Financial
TTPs:
Tactics: 4
Technics: 8
IOCs:
File: 8
Registry: 1
Url: 1
Hash: 4
Softs:
microsoft onenote, onenote, curl
Languages:
javascript
Cyble
Qakbot’s Evolution Continues with New Strategies
Cyble Research & Intelligence Labs analyzes new strategies deployed by Qakbot to infect users via Microsoft OneNote.
#ParsedReport
01-02-2023
Analyzing Malware Code that Cryptojacks System to Mine for Monero Crypto
https://www.fortinet.com/blog/threat-research/malicious-code-cryptojacks-device-to-mine-for-monero-crypto
Threats:
Process_hollowing_technique
Monero_miner
Confuserex_tool
Xmr_miner
Xmrig_miner
Geo:
Spanish
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 17
Url: 3
Hash: 8
Path: 1
Domain: 2
Softs:
microsoft excel, net framework, task scheduler, android, macos
Algorithms:
gzip, kawpow, ghostrider, base64, cryptonight, des
Functions:
Workbook_Open, FPKGNSJJDW_Shell_Application, Deserialize, Send, Recv
Win API:
GetObject, CreateProcess, VirtualAlloc, GetThreadContext, WriteProcessMemory, SetThreadContext, ResumeThread
Platforms:
intel
Fortinet Blog
Analyzing Malware Code that Cryptojacks System to Mine for Monero Crypto
FortiGuard Labs analyzes malicious code found in captured excel documents that cryptojacks a victim’s system to mine for Monero cryptocurrency. See how the malicious software is delivered, executed…
#ParsedReport
01-02-2023
Web page disguised as a Naver login screen
https://asec.ahnlab.com/ko/46916
IOCs:
Url: 3
Languages:
php
ASEC BLOG
Web Page Disguised as the Naver Login Screen - ASEC BLOG
On January 3, the ASEC analysis team introduced a case in which a page disguised as the Kakao login page was used to try to obtain a specific person's account information ("Web Page Disguised as the Kakao Login Screen"). In that case the attacker had created the domain using a vulnerable website; a page disguised as the Naver login page, built in the same way, has now been confirmed, and we wish to report it. Emails impersonating the Naver customer center, and web pages that attempt to steal account information through those emails, have been observed continuously for several years. However,…
#ParsedReport
01-02-2023
Vector Stealer: A Gateway for RDP Hijacking
https://blog.cyble.com/2023/02/01/vector-stealer-a-gateway-for-rdp-hijacking
Threats:
Vector_stealer
Quasar_rat
Venomrat
Redline_stealer
Pandora
Koivm
Confuserex_tool
Beacon
Industry:
Financial
Geo:
Russian
TTPs:
Tactics: 7
Technics: 13
IOCs:
File: 1
Registry: 3
Hash: 5
Url: 3
Softs:
telegram, chrome, discord, task scheduler, foxmail, opera, vivaldi, chromium, comodo dragon, chromeplus, have more...
Algorithms:
zip
Functions:
Shell
Cyble
Vector Stealer: A Gateway for RDP Hijacking
Cyble Research & Intelligence Labs analyses VectorStealer, capable of stealing RDP files with possible ties to KGB Crypter.
#ParsedReport
01-02-2023
AsyncRAT Being Distributed via Windows Help Files (*.chm)
https://asec.ahnlab.com/ko/46923
Threats:
Asyncrat_rat
Agent_tesla
Trojan/win.generic.c5303722
Malware/win32.rl_generic.c4363035
Trojan/win.agent.c4526491
Industry:
Financial, Education
IOCs:
File: 11
Url: 7
IP: 1
Path: 1
Hash: 7
Softs:
internet explorer
Platforms:
x86
ASEC BLOG
AsyncRAT Being Distributed via Windows Help Files (*.chm) - ASEC BLOG
Recently, the distribution methods of malware have been changing in various ways. Among them, malware that uses Windows Help files (*.chm) has been increasing since last year, and we have introduced it several times on the ASEC blog, as listed below. Recently it was confirmed that the AsyncRAT malware is being distributed using chm files. The overall operation flow is shown in [Figure 1], and each step is explained below. First, when the chm file is executed, unlike the types introduced previously, a help window with a blank screen…
#ParsedReport
01-02-2023
Fraudulent CryptoRom trading apps sneak into Apple and Google app stores
https://news.sophos.com/en-us/2023/02/01/fraudulent-cryptorom-trading-apps-sneak-into-apple-and-google-app-stores
Threats:
Pig_butchering
Spook
Industry:
Logistic, E-commerce, Financial
Geo:
Switzerland, Malaysia, Taiwan, India, China, Asian, Cambodia, Chinese, Japanese, London
IOCs:
Domain: 1
Softs:
tinder, android
Platforms:
apple
Sophos News
Fraudulent “CryptoRom” trading apps sneak into Apple and Google app stores
Using changing remote content, apps slide by official review process to deliver fraud through the Apple App Store and Google Play Store.
#ParsedReport
01-02-2023
InTheBox Web Injects Targeting Android Banking Applications Worldwide
https://blog.cyble.com/2023/01/31/inthebox-web-injects-targeting-android-banking-applications-worldwide
Threats:
Alien
Ermac
Octopus
Metadroid_botnet
Cerberus
Hydra
Octo
Industry:
E-commerce, Financial, Retail
Geo:
Indonesia, Japan, Kuwait, Thailand, America, Russian, Australia, Spanish, Malaysia, Asia, Qatar, Philippines, Asian, Singapore, Brazil, Brazilian, India
IOCs:
Url: 6
Hash: 9
Softs:
android
Functions:
Javascript
Languages:
javascript
Cyble
‘InTheBox’ Web Injects Targeting Android Banking Applications Worldwide
Cyble analyzes 'InTheBox' as part of its thorough research on Web Injects and their role in targeting Android Banking applications worldwide.
#ParsedReport
01-02-2023
Fodcha, a new DDoS botnet
https://blog.netlab.360.com/fodcha-a-new-ddos-botnet
Threats:
Fodcha
Industry:
Telco
Geo:
Korea, China, Japan, India
CVEs:
CVE-2021-22205 [Vulners]
Vulners: Score: 7.5, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 9.9
X-Force: Patch: Official fix
Soft:
- gitlab (<13.10.3, <13.10.3, <13.9.6, <13.9.6, <13.8.8, <13.8.8)
CVE-2021-35394 [Vulners]
Vulners: Score: 10.0, CVSS: 5.1,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- realtek realtek jungle sdk (le3.4.14b)
IOCs:
File: 1
Softs:
android
Algorithms:
chacha20
Languages:
python
Platforms:
arm, mips, x86
360 Netlab Blog - Network Security Research Lab at 360
Fodcha, a new DDoS botnet
Overview
Recently, CNCERT and 360netlab worked together and discovered a rapidly spreading DDoS botnet on the Internet. The global infection looks fairly big, as just in China there are more than 10,000 daily active bots (IPs) and also more than 100 DDoS victims…
#ParsedReport
01-02-2023
A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
https://blog.netlab.360.com/a-new-botnet-orchard-generates-dga-domains-with-bitcoin-transaction-information
Threats:
Orchard_botnet
Enigma_tool
Xmrig_miner
Industry:
Financial
Geo:
China
IOCs:
Hash: 4
Coin: 1
IP: 1
Softs:
net framework, windows authentication
Algorithms:
base64
Languages:
c_language, golang
360 Netlab Blog - Network Security Research Lab at 360
A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
DGA is one of the classic techniques for botnets to hide their C2s: the attacker only needs to selectively register a very small number of C2 domains, while for the defenders it is difficult to determine in advance which domain names will be generated and registered.…
#ParsedReport
01-02-2023
PureCrypter is busy pumping out various malicious malware families
https://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families
Threats:
Purecryptor
Formbook
Snake_keylogger
Agent_tesla
Redline_stealer
Asyncrat_rat
Process_hollowing_technique
Godzilla_loader
Raccoon_stealer
Azorult
Remcos_rat
Pureminer
Mars_stealer
TTPs:
Tactics: 1
Technics: 0
IOCs:
IP: 4
File: 9
Hash: 4
Softs:
discord, telegram
Algorithms:
des, rc4, aes, base64, gzip
Languages:
php
360 Netlab Blog - Network Security Research Lab at 360
PureCrypter is busy pumping out various malicious malware families
In our daily botnet analysis work, it is common to encounter various loaders. Compared to other types of malware, loaders are unique in that they are mainly used to "promote", i.e., download and run other malware on the infected machine. According to our observations…
#ParsedReport
01-02-2023
The DGA family Orchard continues to change, and the new version uses Bitcoin transaction information to generate DGA domain names
https://blog.netlab.360.com/orchard-dga
Threats:
Orchard_botnet
Enigma_tool
Xmrig_miner
Industry:
Financial
IOCs:
File: 7
Coin: 1
Hash: 3
Softs:
net framework
Algorithms:
base64
Languages:
golang
360 Netlab Blog - Network Security Research Lab at 360
The DGA Family Orchard Continues to Change; the New Version Uses Bitcoin Transaction Information to Generate DGA Domains
DGA is a classic technique botnets use to evade detection. Its principle is to use some DGA algorithm, combined with a specific seed and the current date, to periodically generate a large number of domain names, of which the attacker selectively registers only a very small number. For defenders, because it is difficult to determine in advance which domain names will be generated and registered, defense is extremely difficult.
360 Netlab has long focused on research into botnet attack and defense techniques, maintains a dedicated DGA algorithm and intelligence library, and shares its research results with the industry through intelligence subscriptions. Recently, while analyzing unknown DGA domains, we found a case that uses not only the date but also the transaction information of Satoshi Nakamoto's Bitcoin account to generate DGA domains. Because of the uncertainty of Bitcoin transactions,…
#ParsedReport
01-02-2023
Public cloud network security threat intelligence (202204)
https://blog.netlab.360.com/public-cloud-threat-intelligence-202204
Threats:
Perlbot
Magnitude
Mirai
Bashlite
Tsunami_botnet
Kryptik_trojan
Industry:
Healthcare, Financial, Government
Geo:
China
CVEs:
CVE-2022-29464 [Vulners]
Vulners: Score: 10.0, CVSS: 5.2,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- wso2 identity server analytics (5.5.0, 5.4.1, 5.6.0, 5.4.0)
- wso2 api manager (le4.0.0)
- wso2 identity server (le5.11.0)
- wso2 enterprise integrator (le6.6.0)
- wso2 identity server as key manager (le5.10.0)
have more...
CVE-2021-31805 [Vulners]
Vulners: Score: 7.5, CVSS: 1.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.1
X-Force: Patch: Official fix
Soft:
- apache struts (le2.5.29)
IOCs:
File: 9
Softs:
apache struts2, redis, docker, mssql, apache struts
Functions:
FindValue
360 Netlab Blog - Network Security Research Lab at 360
Public Cloud Network Security Threat Intelligence (202204)
Overview
This article focuses on scanning attacks against key cloud assets, an analysis of the overall attack situation of cloud servers, and the attack threats from popular vulnerabilities and malicious programs.
* The 360 advanced threat hunting honeypot system found 92,000 cloud server IPs worldwide carrying out network scanning, vulnerability attacks, malware distribution and other behaviors. These include cloud service asset IPs belonging to 39 domestic organizations spanning government, healthcare, construction, military industry and other sectors.
* In April 2022, high-severity vulnerabilities were disclosed in multiple WSO2 products and in Apache Struts2. Technical details of both vulnerabilities have been made public, and we found that both are already being exploited in the wild and used to spread malware.
* This month, the total recorded from cloud servers…
#ParsedReport
02-02-2023
ASEC Weekly Malware Statistics (January 23rd, 2023 – January 29th, 2023)
https://asec.ahnlab.com/en/47011
Threats:
Beamwinhttp_loader
Garbage_cleaner
Smokeloader
Formbook
Clipboard_grabbing_technique
Agent_tesla
Snake_keylogger
Geo:
Korea
IOCs:
Url: 24
File: 12
Email: 11
Domain: 3
Softs:
telegram, discord
ASEC BLOG
ASEC Weekly Malware Statistics (January 23rd, 2023 – January 29th, 2023) - ASEC BLOG
Contents: Top 1 – BeamWinHTTP, Top 2 – SmokeLoader, Top 3 – Formbook, Top 4 – AgentTesla, Top 5 – SnakeKeylogger. The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected…
#ParsedReport
02-02-2023
Malicious LNK File Disguised as a Normal HWP Document
https://asec.ahnlab.com/en/46865
Threats:
Dropper/lnk.agent
Trojan/bat.agent
Trojan/vbs.agent
Trojan/vbs.obfuscated
Trojan/vbs.runner
Trojan/vbs.uploader
IOCs:
File: 19
Registry: 1
Url: 8
Path: 3
Command: 1
Hash: 16
Algorithms:
zip
ASEC
Malicious LNK File Disguised as a Normal HWP Document - ASEC
The ASEC analysis team discovered the distribution of a malicious LNK file disguised as a normal HWP document, along with a text file impersonating the National Tax Service. A normal HWP document with related contents is opened simultaneously, making it difficult…
#ParsedReport
02-02-2023
No Macro? No Worries. VSTO Being Weaponized by Threat Actors
https://www.deepinstinct.com/blog/no-macro-no-worries-vsto-being-weaponized-by-threat-actors
Threats:
Motw_bypass_technique
Meterpreter_tool
TTPs:
Tactics: 3
Technics: 5
IOCs:
File: 4
Hash: 7
Url: 2
Softs:
visual basic for applications, visual studio, microsoft windows defender
Links:
https://github.com/deepinstinct/VSTO-POC
Deep Instinct
No Macro? No Worries. VSTO Being Weaponized by Threat Actors | Deep Instinct
A software development toolset, VSTO is available in Microsoft's Visual Studio IDE. It enables Office Add-Ins (a type of Office application extension) to be developed in .NET and also allows for Office documents to be created that will deliver and execute…
#ParsedReport
02-02-2023
Ransomed by Warlock Dark Army OFFICIALS
https://labs.k7computing.com/index.php/ransomed-by-warlock-dark-army-officials
Actors/Campaigns:
Fin11
Threats:
Chaos
Cyberchef_tool
Industry:
Financial, E-commerce
IOCs:
Hash: 1
Softs:
windows registry, telegram, instagram
Algorithms:
aes, xor
K7 Labs
Ransomed by Warlock Dark Army “OFFICIALS”
Recently we came across a tweet shared by petikvx. The tweet was on a ransomware family that had the group […]
#ParsedReport
02-02-2023
Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware
https://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware
Actors/Campaigns:
Red_delta (motivation: cyber_espionage, cyber_criminal)
Threats:
Plugx_rat
Dll_hijacking_technique
Qakbot
Godfather
Industry:
Government, Financial, Petroleum
Geo:
Russia, Asia, Ukraine, Chinese, Russian
TTPs:
IOCs:
File: 2
Command: 1
Path: 1
IP: 2
Hash: 5
Softs:
microsoft office word, windows registry, microsoft word
Algorithms:
xor
Languages:
python
YARA: Found
Eclecticiq
Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware
EclecticIQ researchers continue to track a Chinese state-sponsored APT group called Mustang Panda. In December 2022, this group started targeting Europe with a new spearphishing campaign using a customized variant of the PlugX backdoor.
#ParsedReport
02-02-2023
MalVirt | .NET Virtualization Thrives in Malvertising Attacks
https://www.sentinelone.com/labs/malvirt-net-virtualization-thrives-in-malvertising-attacks
Actors/Campaigns:
Kimsuky
Threats:
Malvirt
Formbook
Beacon
Koivm
0onfirm
Agent_tesla
Backstab_tool
Geo:
Ukrainian, Ukraines, Usa
IOCs:
Path: 1
Hash: 5
File: 7
Registry: 3
Domain: 17
Softs:
process explorer, virtualbox, sysinternals
Algorithms:
base64, aes
Win API:
AmsiScanBuffer, NtQueryInformationProcess, NtQuerySystemInformation
Links:
https://github.com/sandboxie/sandboxie
https://github.com/Yaxser/Backstab
https://github.com/Washi1337/OldRod
https://github.com/Loksie/KoiVM-Virtualization
https://github.com/Washi1337/OldRod/blob/master/doc/Recompiler.md
https://github.com/Aekras1a/KoiVM-modded
SentinelOne
MalVirt | .NET Virtualization Thrives in Malvertising Attacks
.NET malware loaders distributed through malvertising are using obfuscated virtualization for anti-analysis and evasion in an ongoing campaign.