Thu, 10 Mar 2022 18:05:33 +0000
Ransomware: February 2022 review
https://blog.malwarebytes.com/threat-intelligence/2022/03/ransomware-february-2022-review/
Malwarebytes
Ransomware: February 2022 review
Get the latest information on ransomware trends with our monthly review.
Fri, 11 Mar 2022 00:38:32 +0000
Infostealer Being Distributed via YouTube
https://asec.ahnlab.com/en/32499/
ASEC BLOG
Infostealer Being Distributed via YouTube - ASEC BLOG
The ASEC analysis team has recently discovered an infostealer that is being distributed via YouTube. The attacker disguised the malware as a game hack for Valorant, and uploaded the following video with the download link for the malware, then guided the user…
Fri, 11 Mar 2022 17:22:38 +0000
New Wiper Malware Attacking Russia: Deep-dive into RURansom Malware
https://blog.cyble.com/2022/03/11/new-wiper-malware-attacking-russia-deep-dive-into-ruransom-malware/
Cyble
New Wiper Malware Attacking Russia: Deep-dive into RURansom Malware
Cyble's research on a wiper malware named RURansom which was found attacking Russia.
Made some progress on the automatic TI report analyzer.
For now it produces this kind of raw HTML page (easier than parsing JSON by eye) plus the artifacts the engine generates.
The description of relationships still needs work and has to be brought into line with STIX.
This week I'll build summaries from the technical HTML for the reports published on Telegram.
The rest of the info will be loaded into the graph database in RST Cloud after manual moderation.
Mon, 14 Mar 2022 01:05:02 +0000
ASEC Weekly Malware Statistics (February 28th, 2022 – March 6th, 2022)
https://asec.ahnlab.com/en/32522/
ASEC BLOG
ASEC Weekly Malware Statistics (February 28th, 2022 - March 6th, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from February 28th, 2022 (Monday) to March 6th, 2022 (Sunday). For the main category, info…
#technique
Is this SID taken? Varonis Threat Labs Discovers Synthetic SID Injection Attack
https://www.varonis.com/blog/synthetic-sid
Varonis
Is this SID taken? Varonis Threat Labs Discovers Synthetic SID Injection Attack
A technique where threat actors with existing high privileges can inject synthetic SIDs into an ACL creating backdoors and hidden permission grants.
Mon, 14 Mar 2022 07:41:22 +0000
Chinese phishing actors consistently targeting EU diplomats
https://www.proofpoint.com/us/newsroom/news/chinese-phishing-actors-consistently-targeting-eu-diplomats
BleepingComputer
Chinese phishing actors consistently targeting EU diplomats
The China-aligned group tracked as TA416 (aka Mustang Panda) has been consistently targeting European diplomats since August 2020, with the most recent activity involving refreshed lures to coincide with the Russian invasion of Ukraine.
New Formbook Campaign Delivered Through Phishing Emails
https://www.netskope.com/blog/new-formbook-campaign-delivered-through-phishing-emails
Netskope
New Formbook Campaign Delivered Through Phishing Emails
Summary: Since the beginning of 2022, the unfolding geopolitical conflict between Russia and Ukraine has resulted in the discovery of new malware families
Gh0stCringe RAT being distributed targeting vulnerable database servers
https://asec-ahnlab-com.translate.goog/ko/32394/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
ASEC BLOG
Gh0stCringe RAT Being Distributed Targeting Vulnerable Database Servers - ASEC BLOG
The ASEC analysis team continuously monitors malware distributed to vulnerable database servers (MS-SQL, MySQL servers). This post covers a RAT malware called Gh0stCringe[1]. Gh0stCringe, also known as CirenegRAT, is one of the variants based on the Gh0st RAT code. It was first identified around December 2018 and was distributed via SMB vulnerabilities (using ZombieBoy's SMB vulnerability tool)…
Mon, 14 Mar 2022 14:36:11 +0000
CVE-2022-0847 aka Dirty Pipe vulnerability in Linux kernel
https://securelist.com/cve-2022-0847-aka-dirty-pipe-vulnerability-in-linux-kernel/106088/
Securelist
Notes on CVE-2022-0847 (Dirty Pipe) vulnerability
Exploit for CVE-2022-0847 (Dirty Pipe) vulnerability in Linux kernel is available online. Kaspersky solutions detect and prevent exploitation attempts.
Mon, 14 Mar 2022 17:03:26 +0000
Podcast: “Behind the Scenes of BlackShadow APT” with Amitai Ben Shushan Ehrlich
https://www.sentinelone.com/blog/podcast-behind-the-scenes-of-blackshadow-apt-with-amitai-ben-shushan-ehrlich/
SentinelOne
Behind the Scenes of BlackShadow APT
Listen to SentinelLabs' Amitai Ben Shushan Ehrlich share his research into BlackShadow. Learn about the APT's MO, attack vectors and practical mitigations.
Brazilian trojan impacting Portuguese users and using the same capabilities seen in other Latin American threats
https://seguranca-informatica.pt/brazilian-trojan-impacting-portuguese-users-and-using-the-same-capabilities-seen-in-other-latin-american-threats/#.Yi-CE3rP02w
New Evidence Linking Kwampirs Malware to Shamoon APTS
https://resources.cylera.com/new-evidence-linking-kwampirs-malware-to-shamoon-apts
Cylera
New Evidence Linking Kwampirs Malware to Shamoon APTS (Technical Blog)
Cylera Labs presents medium-high confidence evidence tying Kwampirs to the notorious Shamoon attacks — a technical analysis
Malicious word document disguised as product introduction
https://asec-ahnlab-com.translate.goog/ko/32532/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
ASEC BLOG
Malicious Word Document Disguised as a Product Introduction - ASEC BLOG
The ASEC analysis team has identified a Word document of the same type as <Malicious Word Document Disguised as a Design Revision Request for Information Theft>, published last December. The Word document identified this time is titled '제품소개서.doc' (Product Introduction.doc), and since it contains descriptions of specific products, the attack is presumed to target logistics and shopping-related companies. The document contains the same image as before, which lures the user into enabling macros. This Word document, like the '디자인수정 요청.doc' (Design Revision Request.doc) file…
#technique
Windows Keyboard Layout Persistence Proof of Concept: Achieve execution using a custom keyboard layout, tested in Windows 11 Home version 21H2
https://github.com/NtQuerySystemInformation/CustomKeyboardLayoutPersistence
GitHub
GitHub - NtQuerySystemInformation/CustomKeyboardLayoutPersistence: Achieve execution using a custom keyboard layout
Achieve execution using a custom keyboard layout. Contribute to NtQuerySystemInformation/CustomKeyboardLayoutPersistence development by creating an account on GitHub.
Tue, 15 Mar 2022 04:30:47 +0000
New Threat: B1txor20, a Linux Backdoor Using DNS Tunnel Technology, Is Spreading via the Log4j Vulnerability
https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_cn/
360 Netlab Blog - Network Security Research Lab at 360
New Threat: B1txor20, a Linux Backdoor Using DNS Tunnel Technology, Is Spreading via the Log4j Vulnerability
Background
Since the Log4J vulnerability was disclosed, it has been a case of, as the saying goes, "a vulnerability arrives overnight and the black and grey hats rejoice." Countless cybercrime groups have rushed to join this "party": among them are many malware families well known to the industry, as well as some newcomers hoping to ride the wave and grab a share of the black- and grey-market profits. As a team focused on honeypots and botnet detection and tracking, 360Netlab has been watching which botnets would exploit the vulnerability ever since it was made public; along the way we have seen old friends such as Elknot, Gafgyt and Mirai never fail to show up, and have also witnessed some new faces take the stage.
On February 9, 2022, 360Netlab's honeypot system captured an unknown E…
Tue, 15 Mar 2022 10:43:06 +0000
Deep Dive Analysis – Pandora Ransomware
https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/
Cyble
Deep Dive Analysis – Pandora Ransomware
Cyble Research Labs analyzes Pandora Ransomware and the possibility that it may be a rebrand of Rook Ransomware.
Tue, 15 Mar 2022 14:35:26 +0000
New Threat: B1txor20, A Linux Backdoor Using DNS Tunnel
https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/
360 Netlab Blog - Network Security Research Lab at 360
New Threat: B1txor20, A Linux Backdoor Using DNS Tunnel
Background
Since the Log4J vulnerability was exposed, we have seen more and more malware jump on the bandwagon; Elknot, Gafgyt and Mirai are all too familiar. On February 9, 2022, 360Netlab's honeypot system captured an unknown ELF file propagating through the Log4J…
Tue, 15 Mar 2022 14:43:24 +0000
cr8escape: Zero-day in CRI-O Container Engine Discovered by CrowdStrike (CVE-2022-0811)
https://www.crowdstrike.com/blog/cr8escape-zero-day-vulnerability-discovered-in-cri-o-container-engine-cve-2022-0811/
crowdstrike.com
cr8escape: New Vulnerability in CRI-O Container Engine (CVE-2022-0811)
Learn how CrowdStrike discovered a new vulnerability in the CRI-O Container Engine (CVE-2022-0811), and what organizations can do to remediate this vulnerability.