CTT Report Hub
Threat Intelligence Report Hub
#technique

This map lists the essential techniques used to bypass anti-virus and EDR products.

https://github.com/CMEPW/BypassAV
#ParsedReport
13-02-2023

ASEC Weekly Phishing Email Threat Trends (January 29th, 2023 – February 4th, 2023)

https://asec.ahnlab.com/en/47521

Actors/Campaigns:
Calypso

Threats:
Agent_tesla
Formbook
Asyncrat_rat
Qakbot
Redline_stealer

Industry:
Transport, Financial

Geo:
Korean, Mauritius, Italia

TTPs:

IOCs:
File: 80
Url: 12

Softs:
onenote, (office 365)

Algorithms:
zip
#ParsedReport
13-02-2023

AsyncRAT Being Distributed as Windows Help File (*.chm)

https://asec.ahnlab.com/en/47525

Threats:
Asyncrat_rat
Agent_tesla
Trojan/win.generic.c5303722
Malware/win32.rl_generic.c4363035
Trojan/win.agent.c4526491

Industry:
Education

Geo:
Korean, Korea

TTPs:
Tactics: 1
Technics: 0

IOCs:
Url: 7
File: 3
IP: 1
Path: 2
Hash: 7

Platforms:
x86
#ParsedReport
13-02-2023

Dalbit (m00nlight): Chinese Hacker Groups APT Attack Campaign

https://asec.ahnlab.com/en/47455

Actors/Campaigns:
Dalbit (motivation: information_theft)

Threats:
Mimikatz_tool
Bitlocker
Gotohttp_tool
Htran
Regeorg
Vmprotect_tool
Godzilla_loader
Aspxspy_shell
Antsword
Chinachopper
Bitsadmin
Badpotato_tool
Juicypotato_tool
Sweetpotato_tool
Rottenpotato_tool
Fscan_tool
Nbtscan_tool
Goon_tool
Nltest_tool
Remcom_tool
Wevtutil_tool
Procdump_tool
Dumpert_tool
Cobalt_strike
Metasploit_tool
Blueshell
Ladon_tool
Frpc_tool
Pypykatz_tool
Swrort
Trojan/js.agent

Industry:
Chemical, Education, Foodtech, Energy, Transport, Healthcare

Geo:
Korean, China, Chinese

CVEs:
CVE-2018-8639 [Vulners]
CVSS V2: 7.2,
Vulners: Exploitation: True
X-Force: Risk: 6.7
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, 1703, -, 1709, 1803, 1809)
- microsoft windows server 2016 (-, 1709, 1803)
- microsoft windows server 2008 (-, r2)
- microsoft windows 7 (-)
have more...
CVE-2019-1458 [Vulners]
CVSS V2: 7.2,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2012 (r2, -)
- microsoft windows server 2008 (r2, -)
- microsoft windows 10 (1607, -)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
have more...
CVE-2017-10271 [Vulners]
CVSS V2: 5.0,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- oracle weblogic server (12.1.3.0.0, 12.2.1.2.0, 10.3.6.0.0, 12.2.1.1.0)


TTPs:
Tactics: 12
Technics: 24

IOCs:
File: 31
Path: 10
Url: 8
Command: 6
IP: 11
Hash: 115

Softs:
efspotato, psexec, rsync, bitlocker, proxifier, task scheduler, mssql, mysql, have more...

Algorithms:
zip

Win API:
MiniDumpWriteDump

Languages:
golang

Links:
https://github.com/outflanknl/Dumpert
https://github.com/fatedier/frp
https://github.com/ehang-io/nps
https://github.com/tonyseek/rsocks
https://github.com/HiwinCN/HTran
https://github.com/i11us0ry/goon
https://github.com/sensepost/reGeorg
#ParsedReport
14-02-2023

Fool's Gold: dissecting a fake gold market pig-butchering scam

https://news.sophos.com/en-us/2023/02/13/fools-gold-dissecting-a-fake-gold-market-pig-butchering-scam

Threats:
Pig_butchering
Mole

Industry:
Financial, E-commerce, Government

Geo:
China, America, London, Japan, Chinese, Asia, Japanese, Russian, Cambodia

IOCs:
Domain: 11
Url: 5
IP: 5

Softs:
android, tradingview, telegram, microsoft store

Platforms:
apple

Links:
https://github.com/sophoslabs/IoCs/blob/master/FoolsGoldMetaTraderShaZhuPan.csv
#ParsedReport
14-02-2023

Phylum Discovers Revived Crypto Wallet Address Replacement Attack

https://blog.phylum.io/phylum-discovers-revived-crypto-wallet-address-replacement-attack

Threats:
Typosquatting_technique

Industry:
Financial, Government

Geo:
Chinese

IOCs:
File: 1

Softs:
pyinstaller

Functions:
__str__

Languages:
javascript, python
#ParsedReport
14-02-2023

APT Bahamut Attacks Indian Intelligence Operative using Android Malware

https://www.cyfirma.com/outofband/apt-bahamut-attacks-indian-intelligence-operative-using-android-malware

Threats:
Bahamut

Geo:
Indian, Asian, Irans, India

TTPs:
Tactics: 5
Technics: 9

IOCs:
Hash: 4
File: 1

Softs:
android, telegram, securevpn

Algorithms:
base64

Languages:
java
#ParsedReport
14-02-2023

Hangul (HWP) Malware using Steganography

https://asec.ahnlab.com/ko/47622

Actors/Campaigns:
Apt37

Threats:
Steganography_technique
Chinotto
M2rat
Trojan/win.loader.c5359534
Infostealer/win.phone.c5381667

Geo:
China, Korean

CVEs:
CVE-2017-8291 [Vulners]
CVSS V2: 6.8,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- artifex ghostscript (le9.21)


TTPs:
Tactics: 4
Technics: 0

IOCs:
File: 11
Registry: 2
Command: 2
Path: 2
IP: 1
Url: 1
Hash: 6

Algorithms:
base64, xor

Languages:
php, postscript
#ParsedReport
14-02-2023

Cisco Talos Intelligence Blog. New MortalKombat ransomware and Laplas Clipper malware threats deployed in financially motivated campaign

https://blog.talosintelligence.com/new-mortalkombat-ransomware-and-laplas-clipper-malware-threats

Threats:
Mortalkombat
Laplas_clipper
Xorist
Lolbin_technique
Bitsadmin
Qtox
Timestomp_technique
Tron

Industry:
Financial

Geo:
Poland, Philippines, Turkey

TTPs:

IOCs:
IP: 2
Domain: 5
Url: 6
File: 3
Registry: 9
Path: 2
Hash: 7
Command: 2
Coin: 4
Email: 1

Softs:
windows explorer, telegram, windows scheduled task, zcash

Algorithms:
xor, zip, base64

Win Services:
BITS
#ParsedReport
14-02-2023

Defeating VMProtect's Latest Tricks

https://cyber.wtf/2023/02/09/defeating-vmprotects-latest-tricks

Actors/Campaigns:
Tick

Threats:
Vmprotect_tool
Systembc
Scylla
Heavens_gate_technique
Windbg_tool
Hook
Sandbox_evasion_technique
Trap_flag_technique
Antidebugging_technique

IOCs:
File: 2
Hash: 1

Softs:
virtualbox

Win API:
GetVersion, GetTickCount, NtQueryVirtualMemory, NtOpenFile, NtCreateSection, NtQuerySystemInformation

Links:
https://github.com/x64dbg/ScyllaHide
https://github.com/x64dbg/ScyllaHide/issues/53#issuecomment-373646762
#ParsedReport
14-02-2023

Havoc Across the Cyberspace

https://www.zscaler.com/blogs/security-research/havoc-across-cyberspace

Actors/Campaigns:
Shathak

Threats:
Havoc
Kaynldr
Metasploit_tool
Meterpreter_tool

Industry:
Government

Geo:
Japanese, Usa

TTPs:
Tactics: 1
Technics: 0

IOCs:
File: 15
IP: 1
Url: 4
Domain: 2
Path: 2
Hash: 2

Softs:
event tracing for windows, bat2exe

Algorithms:
aes-256, xor, aes, zip

Functions:
EtwEventWrite, DemonConfig, DemonRoutine, TransportInit, CommandDispatcher, DemonMetaData, PackageTransmit, TransportSend

Win API:
CreateThreadpoolWait, GetModuleHandleA, GetProcAddress, EtwEventWrite, VirtualProtect, CryptDecrypt, CreateEventA, VirtualAlloc, WaitForSingleObject, NtAllocateVirtualMemory, have more...

Platforms:
x86, x64

Links:
https://github.com/HavocFramework/Havoc
#ParsedReport
14-02-2023

NewsPenguin, a Previously Unknown Threat Actor, Targets Pakistan with Advanced Espionage Tool

https://blogs.blackberry.com/en/2023/02/newspenguin-a-previously-unknown-threat-actor-targets-pakistan-with-advanced-espionage-tool

Actors/Campaigns:
Newspenguin (motivation: financially_motivated, cyber_espionage)

Industry:
Maritime, Government

Geo:
Pakistani, Pakistan, Asian

TTPs:
Tactics: 6
Technics: 28

IOCs:
File: 15
Url: 3
IP: 2
Registry: 1
Domain: 2
Path: 10
Hash: 12
Email: 1

Softs:
visual basic for applications, microsoft office, curl, microsoft visual c++, (ubuntu)

Algorithms:
zip, xor, base64

Win API:
GetTickCount, GetLastError
#ParsedReport
Auto-text: (RSTReportsAnalyser + ChatGPT + Google Translate)

A previously unknown threat actor targeted organizations in Pakistan, using the upcoming Pakistan International Maritime Expo and Conference (PIMEC-2023) as a lure and sending targeted phishing emails with an attached military-themed document.

The domain used for remote template injection was registered in June 2022, which indicates that the threat actor has probably been active for some time.

The targets of this attack are Pakistani companies producing military technology, nation states and armed forces, including the organizers and participants of the event, especially exhibitors.

The threat actor is most likely a nation state or an outsourced team working for a nation-state threat actor.

The malware uses several anti-analysis techniques: bypassing sleep functions, checking the hard drive size, and requiring more than 10 GB of RAM.

Organizations should defend against NewsPenguin by blocking the malicious IP addresses, domains and URLs, staying aware of the potential threats posed by targeted phishing campaigns and suspicious documents, and regularly updating their security solutions and remediating any vulnerabilities.