Sun, 27 Feb 2022 01:23:17 +0000
Something strange is going on with Trickbot
https://intel471.com/blog/trickbot-2022-emotet-bazar-loader
Intel471
Something strange is going on with Trickbot
There hasn't been any new activity from the Trickbot malware in 2022. Why?
Sun, 27 Feb 2022 01:23:45 +0000
MAR-10369127-1.v1 – MuddyWater
https://us-cert.cisa.gov/ncas/analysis-reports/ar22-055a
Mon, 28 Feb 2022 01:07:02 +0000
CoinMiner Being Distributed to Vulnerable MS-SQL Servers
https://asec.ahnlab.com/en/32143/
ASEC BLOG
CoinMiner Being Distributed to Unsecured MS-SQL Servers - ASEC BLOG
The ASEC analysis team is constantly monitoring malware distributed to unsecured MS-SQL servers. The previous blogs explained the distribution cases of Cobalt Strike and Remcos RAT, but the majority of the discovered attacks are CoinMiners. – [ASEC Blog] Remcos…
Mon, 28 Feb 2022 11:24:52 +0000
Exclusive in-depth analysis: directly attack the key technical details of Ukraine’s cyber warfare
https://blog.360totalsecurity.com/en/exclusive-in-depth-analysis-directly-attack-the-key-technical-details-of-ukraines-cyber-warfare/
360 Total Security Blog
Exclusive in-depth analysis: directly attack the key technical details of Ukraine's cyber warfare
Recently, 360 Security Center observed a state-level cyber warfare attack against Ukraine for the purpose of sabotage, including distributed denial of service (DDoS) attacks, phishing scams, exploits, supply chain attacks, malicious data wipes disguised as…
Mon, 28 Feb 2022 15:23:06 +0000
Broadcom Software Discloses APT Actors Deploying Daxin Malware in Global Espionage Campaign
https://us-cert.cisa.gov/ncas/current-activity/2022/02/28/broadcom-software-discloses-apt-actors-deploying-daxin-malware
Colleagues, my apologies that not all TI reports make it into the channel.
For now the old version of the bot that detects TI reports in the news stream is still running. Previously, whatever the bot could not detect I added to the channel by hand.
Right now I have put all my effort into finishing the new version of the bot.
I hope to put it into production in a week.
Tue, 01 Mar 2022 14:18:27 +0000
Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage
Security
Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks
Espionage tool is the most advanced piece of malware Symantec researchers have seen from China-linked actors.
Tue, 01 Mar 2022 14:19:05 +0000
Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits
https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/
Sophos News
Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits
An unpatched Microsoft Exchange Server let both ransomware actors in; Karma just stole data, while Conti encrypted.
Tue, 01 Mar 2022 14:20:28 +0000
Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot
https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/
Unit 42
Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot
An attack in early February targeted an energy organization in Ukraine with OutSteel and SaintBot. The attack is part of a larger campaign.
Tue, 01 Mar 2022 14:20:39 +0000
SockDetour – a Silent, Fileless, Socketless Backdoor – Targets U.S. Defense Contractors
https://unit42.paloaltonetworks.com/sockdetour/
Unit 42
SockDetour – a Silent, Fileless, Socketless Backdoor – Targets U.S. Defense Contractors
SockDetour is a custom backdoor being used to maintain persistence, designed to serve as a backup backdoor in case the primary one is removed.
Tue, 01 Mar 2022 14:29:27 +0000
Elections GoRansom – a smoke screen for the HermeticWiper attack
https://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/
Securelist
Elections GoRansom – a smoke screen for the HermeticWiper attack
We present our analysis of HermeticRansom (aka Elections GoRansom) ransomware that was likely used as a smokescreen for the HermeticWiper attack.
Tue, 01 Mar 2022 16:34:17 +0000
The InQuest Insider Issue #42 - Glowspark
https://inquest.net/newsletter/2022/03/inquest-insider-issue-42-glowspark
inquest.net
InQuest - Join the Hunt.
InQuest provides Deep File Inspection (DFI) for real-time protection and RetroHunting to leverage hindsight and apply today's intelligence to yesterday's data.
Tue, 01 Mar 2022 21:18:36 +0000
Decryptable PartyTicket Ransomware Reportedly Targeting Ukrainian Entities
https://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/
crowdstrike.com
How to Decrypt the PartyTicket Ransomware Targeting Ukraine | CrowdStrike
We explain how PartyTicket ransomware used in Ukraine attacks only superficially encrypts files, and outline how it's possible to recover the encrypted files.
Tue, 01 Mar 2022 22:51:28 +0000
Asylum Ambuscade: State Actor Uses Compromised Private Ukrainian Military Emails to Target European Governments and Refugee Movement
https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails
Proofpoint
SunSeed Malware Targets Refugees & EU Government | Proofpoint US
Proofpoint has identified a campaign using a Lua-based malware dubbed SunSeed. Learn more about the attack with Proofpoint's in-depth report.
#technique
Rogue RDP – Revisiting Initial Access Methods
https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
Black Hills Information Security, Inc.
Rogue RDP – Revisiting Initial Access Methods - Black Hills Information Security, Inc.
Mike Felch // The Hunt for Initial Access With the default disablement of VBA macros originating from the internet, Microsoft may be pitching a curveball to threat actors and red […]
Tue, 01 Mar 2022 22:55:01 +0000
IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine
https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/
WeLiveSecurity
IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine
ESET researchers uncover IsaacWiper, a new wiper that attacks Ukrainian organizations and HermeticWizard, a worm spreading HermeticWiper in local networks.
Tue, 01 Mar 2022 22:55:43 +0000
The Hunt for the Lost Soul: Unraveling the Evolution of the SoulSearcher Malware
https://www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware
Fortinet Blog
The Hunt for the Lost Soul: Unraveling the Evolution of the SoulSearcher Malware
FortiGuard Labs provides a deep analysis of the evolution of SoulSearcher malware focusing on a malicious DLL payload module. With reverse engineering the team analyzes the different components and…
Tue, 01 Mar 2022 22:56:01 +0000
Nobelium Returns to the Political World Stage
https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage
Fortinet Blog
Nobelium Returns to the Political World Stage | FortiGuard Labs
FortiGuard Labs has discovered evidence that the Nobelium Group is impersonating someone associated with the Turkish embassy as a lure to introduce a Cobalt Strike beacon payload and gain access. R…
Tue, 01 Mar 2022 22:56:50 +0000
The Conti ransomware leaks
https://blog.malwarebytes.com/threat-intelligence/2022/03/the-conti-ransomware-leaks/
Malwarebytes Labs
The Conti ransomware leaks
Perhaps one of the most interesting leaks for the threat intelligence community, the Conti data dumps will provide invaluable data for a long time to come.
Tue, 01 Mar 2022 23:17:18 +0000
Malware Analysis Report – Rewterz | LokiBOT
https://www.rewterz.com/articles/malware-analysis-report-rewterz-lokibot
Rewterz
Malware Analysis Report - Rewterz | LokiBOT | Rewterz