CTT Report Hub
Threat Intelligence Report Hub
Soon, news on this channel will look something like this (see the posts below).
1. TI reports are first analysed by RSTReportsAnalyser, which produces the initial condensation of the report.
2. Then, in 1-2 passes (depending on the volume), ChatGPT summarises the text and extracts the facts.
3. The resulting digest is sent for translation (I expect there will occasionally be machine-translation quirks).

As a reminder, the main goal is to briefly say what the report is about and whether it is worth opening and reading in full.
Forwarded from RST Cloud Monitoring
#TEST
03-02-2023

TgToxic Malware's Automated Framework Targets Southeast Asia Android Users

https://www.trendmicro.com/en_us/research/23/b/tgtoxic-malware-targets-southeast-asia-android-users.html

Threats:
Tgtoxic
Powerkatz_stealer
Lockscreen

Industry:
Financial, Government

Geo:
Indonesian, Taiwan, Chinese, Asia, Thailand, Indonesia, Taiwanese

IOCs:
Domain: 109
Url: 1
File: 9
Hash: 46

Softs:
android, mainnet, coinbase.android, mathwallet.android, jaxx

Algorithms:
zip

Languages:
javascript, java
#ParsedReport
Auto-text: (RSTReportsAnalyser + ChatGPT + Google Translate)

TgToxic is a malicious banking trojan that has targeted Android users in Southeast Asia since July 2022.

Its goal is to steal victims' assets from financial and banking applications.

It uses code obfuscation, payload encryption and WebSocket as its command-and-control (C&C) channel.

It can hijack a system application to automatically grant itself permissions and to prevent its own removal.

It also implements an automatic transfer service (ATS) to transfer money to the attackers without the users' knowledge.

The attackers behind TgToxic mainly use social-engineering lures such as phishing links, extortion scams and cryptocurrency scams.

To avoid falling victim to such threats, users should avoid installing apps from unknown sources, not tap on apps, installers or websites embedded in SMS messages or emails, not enable sensitive permissions, and watch for unusual battery drain.
#technique

This map lists the essential techniques to bypass anti-virus and EDR

https://github.com/CMEPW/BypassAV
#ParsedReport
13-02-2023

ASEC Weekly Phishing Email Threat Trends (January 29th, 2023 to February 4th, 2023)

https://asec.ahnlab.com/en/47521

Actors/Campaigns:
Calypso

Threats:
Agent_tesla
Formbook
Asyncrat_rat
Qakbot
Redline_stealer

Industry:
Transport, Financial

Geo:
Korean, Mauritius, Italia

TTPs:

IOCs:
File: 80
Url: 12

Softs:
onenote, (office 365)

Algorithms:
zip
#ParsedReport
13-02-2023

AsyncRAT Being Distributed as Windows Help File (*.chm)

https://asec.ahnlab.com/en/47525

Threats:
Asyncrat_rat
Agent_tesla
Trojan/win.generic.c5303722
Malware/win32.rl_generic.c4363035
Trojan/win.agent.c4526491

Industry:
Education

Geo:
Korean, Korea

TTPs:
Tactics: 1
Technics: 0

IOCs:
Url: 7
File: 3
IP: 1
Path: 2
Hash: 7

Platforms:
x86
#ParsedReport
13-02-2023

Dalbit (m00nlight): Chinese Hacker Groups APT Attack Campaign

https://asec.ahnlab.com/en/47455

Actors/Campaigns:
Dalbit (motivation: information_theft)

Threats:
Mimikatz_tool
Bitlocker
Gotohttp_tool
Htran
Regeorg
Vmprotect_tool
Godzilla_loader
Aspxspy_shell
Antsword
Chinachopper
Bitsadmin
Badpotato_tool
Juicypotato_tool
Sweetpotato_tool
Rottenpotato_tool
Fscan_tool
Nbtscan_tool
Goon_tool
Nltest_tool
Remcom_tool
Wevtutil_tool
Procdump_tool
Dumpert_tool
Cobalt_strike
Metasploit_tool
Blueshell
Ladon_tool
Frpc_tool
Pypykatz_tool
Swrort
Trojan/js.agent

Industry:
Chemical, Education, Foodtech, Energy, Transport, Healthcare

Geo:
Korean, China, Chinese

CVEs:
CVE-2018-8639 [Vulners]
CVSS V2: 7.2
Vulners: Exploitation: True
X-Force: Risk: 6.7
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, 1703, -, 1709, 1803, 1809)
- microsoft windows server 2016 (-, 1709, 1803)
- microsoft windows server 2008 (-, r2)
- microsoft windows 7 (-)
have more...
CVE-2019-1458 [Vulners]
CVSS V2: 7.2
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2012 (r2, -)
- microsoft windows server 2008 (r2, -)
- microsoft windows 10 (1607, -)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
have more...
CVE-2017-10271 [Vulners]
CVSS V2: 5.0
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- oracle weblogic server (12.1.3.0.0, 12.2.1.2.0, 10.3.6.0.0, 12.2.1.1.0)
TTPs:
Tactics: 12
Technics: 24

IOCs:
File: 31
Path: 10
Url: 8
Command: 6
IP: 11
Hash: 115

Softs:
bitlocker, efspotato, psexec, rsync, proxifier, task scheduler, mssql, mysql, have more...

Algorithms:
zip

Win API:
MiniDumpWriteDump

Languages:
golang

Links:
https://github.com/outflanknl/Dumpert
https://github.com/fatedier/frp
https://github.com/ehang-io/nps
https://github.com/tonyseek/rsocks
https://github.com/HiwinCN/HTran
https://github.com/i11us0ry/goon
https://github.com/sensepost/reGeorg
#ParsedReport
14-02-2023

Fool's Gold: dissecting a fake gold market pig-butchering scam

https://news.sophos.com/en-us/2023/02/13/fools-gold-dissecting-a-fake-gold-market-pig-butchering-scam

Threats:
Pig_butchering
Mole

Industry:
Financial, E-commerce, Government

Geo:
China, America, London, Japan, Chinese, Asia, Japanese, Russian, Cambodia

IOCs:
Domain: 11
Url: 5
IP: 5

Softs:
android, tradingview, telegram, microsoft store

Platforms:
apple

Links:
https://github.com/sophoslabs/IoCs/blob/master/FoolsGoldMetaTraderShaZhuPan.csv
#ParsedReport
14-02-2023

Phylum Discovers Revived Crypto Wallet Address Replacement Attack

https://blog.phylum.io/phylum-discovers-revived-crypto-wallet-address-replacement-attack

Threats:
Typosquatting_technique

Industry:
Financial, Government

Geo:
Chinese

IOCs:
File: 1

Softs:
pyinstaller

Functions:
__str__

Languages:
javascript, python
#ParsedReport
14-02-2023

APT Bahamut Attacks Indian Intelligence Operative using Android Malware

https://www.cyfirma.com/outofband/apt-bahamut-attacks-indian-intelligence-operative-using-android-malware

Threats:
Bahamut

Geo:
Indian, Asian, Irans, India

TTPs:
Tactics: 5
Technics: 9

IOCs:
Hash: 4
File: 1

Softs:
android, telegram, securevpn

Algorithms:
base64

Languages:
java
#ParsedReport
14-02-2023

Hangul (HWP) Malware Using Steganography

https://asec.ahnlab.com/ko/47622

Actors/Campaigns:
Apt37

Threats:
Steganography_technique
Chinotto
M2rat
Trojan/win.loader.c5359534
Infostealer/win.phone.c5381667

Geo:
China, Korean

CVEs:
CVE-2017-8291 [Vulners]
CVSS V2: 6.8
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- artifex ghostscript (le9.21)
TTPs:
Tactics: 4
Technics: 0

IOCs:
File: 11
Registry: 2
Command: 2
Path: 2
IP: 1
Url: 1
Hash: 6

Algorithms:
base64, xor

Languages:
php, postscript
#ParsedReport
14-02-2023

Cisco Talos Intelligence Blog. New MortalKombat ransomware and Laplas Clipper malware threats deployed in financially motivated campaign

https://blog.talosintelligence.com/new-mortalkombat-ransomware-and-laplas-clipper-malware-threats

Threats:
Mortalkombat
Laplas_clipper
Xorist
Lolbin_technique
Bitsadmin
Qtox
Timestomp_technique
Tron

Industry:
Financial

Geo:
Poland, Philippines, Turkey

TTPs:

IOCs:
IP: 2
Domain: 5
Url: 6
File: 3
Registry: 9
Path: 2
Hash: 7
Command: 2
Coin: 4
Email: 1

Softs:
windows explorer, telegram, windows scheduled task, zcash

Algorithms:
xor, zip, base64

Win Services:
BITS
#ParsedReport
14-02-2023

Defeating VMProtect's Latest Tricks

https://cyber.wtf/2023/02/09/defeating-vmprotects-latest-tricks

Actors/Campaigns:
Tick

Threats:
Vmprotect_tool
Systembc
Scylla
Heavens_gate_technique
Windbg_tool
Hook
Sandbox_evasion_technique
Trap_flag_technique
Antidebugging_technique

IOCs:
File: 2
Hash: 1

Softs:
virtualbox

Win API:
GetVersion, GetTickCount, NtQueryVirtualMemory, NtOpenFile, NtCreateSection, NtQuerySystemInformation

Links:
https://github.com/x64dbg/ScyllaHide
https://github.com/x64dbg/ScyllaHide/issues/53#issuecomment-373646762
#ParsedReport
14-02-2023

Havoc Across the Cyberspace

https://www.zscaler.com/blogs/security-research/havoc-across-cyberspace

Actors/Campaigns:
Shathak

Threats:
Havoc
Kaynldr
Metasploit_tool
Meterpreter_tool

Industry:
Government

Geo:
Japanese, Usa

TTPs:
Tactics: 1
Technics: 0

IOCs:
File: 15
IP: 1
Url: 4
Domain: 2
Path: 2
Hash: 2

Softs:
event tracing for windows, bat2exe

Algorithms:
aes-256, xor, aes, zip

Functions:
EtwEventWrite, DemonConfig, DemonRoutine, TransportInit, CommandDispatcher, DemonMetaData, PackageTransmit, TransportSend

Win API:
CreateThreadpoolWait, GetModuleHandleA, GetProcAddress, EtwEventWrite, VirtualProtect, CryptDecrypt, CreateEventA, VirtualAlloc, WaitForSingleObject, NtAllocateVirtualMemory, have more...

Platforms:
x86, x64

Links:
https://github.com/HavocFramework/Havoc