Wed, 09 Mar 2022 16:07:56 +0000
Raccoon Stealer: “Trash panda” abuses Telegram
https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram/?utm_source=rss&utm_medium=rss&utm_campaign=raccoon-stealer-trash-panda-abuses-telegram
Avast Threat Labs
Raccoon Stealer: “Trash panda” abuses Telegram - Avast Threat Labs
We recently came across a stealer, called Raccoon Stealer, a name given to it by its author. Raccoon Stealer uses the Telegram infrastructure to store and update actual C&C addresses. Raccoon Stealer is a password stealer capable of stealing not just passwords…
Wed, 09 Mar 2022 19:02:41 +0000
Russia-Ukraine Crisis Places Critical Infrastructure At High Risk
https://blog.cyble.com/2022/03/09/russia-ukraine-crisis-places-critical-infrastructure-at-high-risk/
Cyble
Russia-Ukraine Crisis Places Critical Infrastructure At High Risk
State-sponsored attackers, APT groups, and numerous hackers’ communities have been actively targeting the critical infrastructures.
Wed, 09 Mar 2022 19:13:31 +0000
Updated: Conti Ransomware
https://us-cert.cisa.gov/ncas/current-activity/2022/03/09/updated-conti-ransomware
Wed, 09 Mar 2022 19:44:35 +0000
FormBook spam campaign targets citizens of Ukraine
https://blog.malwarebytes.com/threat-intelligence/2022/03/formbook-spam-campaign-targets-citizens-of-ukraine%EF%B8%8F/
Thu, 10 Mar 2022 01:51:19 +0000
Daxin Backdoor: In-Depth Analysis, Part Two
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage-analysis
Security
Daxin Backdoor: In-Depth Analysis, Part Two
In the second of a two-part series of blogs, we examine the communications and networking features of Daxin.
Thu, 10 Mar 2022 12:50:52 +0000
Qakbot injects itself into the middle of your conversations
https://news.sophos.com/en-us/2022/03/10/qakbot-injects-itself-into-the-middle-of-your-conversations/
Sophos News
Qakbot injects itself into the middle of your conversations
The heavily distributed botnet delivers a wide variety of payloads – and scans your network for weaknesses
Very very lazy Lazyscripter’s scripts: double compromise in a single obfuscation
https://lab52.io/blog/very-very-lazy-lazyscripters-scripts-double-compromise-in-a-single-obfuscation/
PHOREAL Malware Targets the Southeast Asian Financial Sector
https://elastic.github.io/security-research/intelligence/2022/03/02.phoreal-targets-southeast-asia-financial-sector/article/
Thu, 10 Mar 2022 18:05:33 +0000
Ransomware: February 2022 review
https://blog.malwarebytes.com/threat-intelligence/2022/03/ransomware-february-2022-review/
Malwarebytes
Ransomware: February 2022 review
Get the latest information on ransomware trends with our monthly review.
Fri, 11 Mar 2022 00:38:32 +0000
Infostealer Being Distributed via YouTube
https://asec.ahnlab.com/en/32499/
ASEC BLOG
Infostealer Being Distributed via YouTube - ASEC BLOG
The ASEC analysis team has recently discovered an infostealer that is being distributed via YouTube. The attacker disguised the malware as a game hack for Valorant, and uploaded the following video with the download link for the malware, then guided the user…
Fri, 11 Mar 2022 17:22:38 +0000
New Wiper Malware Attacking Russia: Deep-dive into RURansom Malware
https://blog.cyble.com/2022/03/11/new-wiper-malware-attacking-russia-deep-dive-into-ruransom-malware/
Cyble
New Wiper Malware Attacking Russia: Deep-dive into RURansom Malware
Cyble's research on a wiper malware named RURansom which was found attacking Russia.
Made some progress on the automatic analyzer for TI reports.
For now it produces this raw HTML (more convenient than parsing the JSON by eye) and the artifacts that the engine generates.
The description of relationships still needs work and has to be brought into STIX.
This week I will build a summary for the reports published in the Telegram channel out of the technical HTML.
The rest of the information, after manual moderation, will be loaded into the graph database in RST Cloud.
Mon, 14 Mar 2022 01:05:02 +0000
ASEC Weekly Malware Statistics (February 28th, 2022 – March 6th, 2022)
https://asec.ahnlab.com/en/32522/
ASEC BLOG
ASEC Weekly Malware Statistics (February 28th, 2022 - March 6th, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from February 28th, 2022 (Monday) to March 6th, 2022 (Sunday). For the main category, info…
#technique
Is this SID taken? Varonis Threat Labs Discovers Synthetic SID Injection Attack
https://www.varonis.com/blog/synthetic-sid
Varonis
Is this SID taken? Varonis Threat Labs Discovers Synthetic SID Injection Attack
A technique where threat actors with existing high privileges can inject synthetic SIDs into an ACL creating backdoors and hidden permission grants.
Mon, 14 Mar 2022 07:41:22 +0000
Chinese phishing actors consistently targeting EU diplomats
https://www.proofpoint.com/us/newsroom/news/chinese-phishing-actors-consistently-targeting-eu-diplomats
BleepingComputer
Chinese phishing actors consistently targeting EU diplomats
The China-aligned group tracked as TA416 (aka Mustang Panda) has been consistently targeting European diplomats since August 2020, with the most recent activity involving refreshed lures to coincide with the Russian invasion of Ukraine.
New Formbook Campaign Delivered Through Phishing Emails
https://www.netskope.com/blog/new-formbook-campaign-delivered-through-phishing-emails
Netskope
New Formbook Campaign Delivered Through Phishing Emails
Summary Since the beginning of 2022, the unfolding geopolitical conflict between Russia and Ukraine has resulted in the discovery of new malware families
Gh0stCringe RAT being distributed targeting vulnerable database servers
https://asec-ahnlab-com.translate.goog/ko/32394/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
ASEC BLOG
Gh0stCringe RAT Being Distributed Targeting Vulnerable Database Servers - ASEC BLOG
The ASEC analysis team continuously monitors malware that is being distributed targeting vulnerable database servers (MS-SQL and MySQL servers). This post covers a RAT malware called Gh0stCringe[1]. Gh0stCringe, also known as CirenegRAT, is one of the variants based on the code of Gh0st RAT. It was first identified around December 2018 and was distributed via an SMB vulnerability (using ZombieBoy's SMB vulnerability tool)…
Mon, 14 Mar 2022 14:36:11 +0000
CVE-2022-0847 aka Dirty Pipe vulnerability in Linux kernel
https://securelist.com/cve-2022-0847-aka-dirty-pipe-vulnerability-in-linux-kernel/106088/
Securelist
Notes on CVE-2022-0847 (Dirty Pipe) vulnerability
Exploit for CVE-2022-0847 (Dirty Pipe) vulnerability in Linux kernel is available online. Kaspersky solutions detect and prevent exploitation attempts.
Mon, 14 Mar 2022 17:03:26 +0000
Podcast: “Behind the Scenes of BlackShadow APT” with Amitai Ben Shushan Ehrlich
https://www.sentinelone.com/blog/podcast-behind-the-scenes-of-blackshadow-apt-with-amitai-ben-shushan-ehrlich/
SentinelOne
Behind the Scenes of BlackShadow APT
Listen to SentinelLabs' Amitai Ben Shushan Ehrlich share his research into BlackShadow. Learn about the APT's MO, attack vectors and practical mitigations.