Tue, 22 Mar 2022 11:20:19 +0000
The Attack of the Chameleon Phishing Page
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-attack-of-the-chameleon-phishing-page/
Trustwave
The Attack of the Chameleon Phishing Page | Trustwave
Recently, we encountered an interesting phishing webpage that caught our interest because it acts like a chameleon by changing and blending its color based on its environment. In addition, the site adapts its background page and logo depending on user input…
APT-C-53(Gamaredon in recent attacks in new changes)
https://translate.yandex.ru/translate?url=https%3A%2F%2Fmp.weixin.qq.com%2Fs%2FYsyeLQDR_LQLfKhigSm2_Q&lang=zh-en
https://translate.yandex.ru/translate?url=https%3A%2F%2Fmp.weixin.qq.com%2Fs%2FYsyeLQDR_LQLfKhigSm2_Q&lang=zh-en
translate.yandex.ru
Переводчик сайтов онлайн на русский и другие языки – Яндекс.Переводчик
Перевод сайтов с английского, немецкого, французского, испанского, польского, турецкого и других языков на русский и обратно. Работает в режиме онлайн.
Tue, 22 Mar 2022 15:35:19 +0000
FBI and FinCEN Release Advisory on AvosLocker Ransomware
https://us-cert.cisa.gov/ncas/current-activity/2022/03/22/fbi-and-fincen-release-advisory-avoslocker-ransomware
Tue, 22 Mar 2022 16:21:25 +0000
Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS
https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/
Volexity
Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS
In late 2021, Volexity discovered an intrusion in an environment monitored as part of its Network Security Monitoring service. Volexity detected a system running frp, otherwise known as fast reverse […]
Tue, 22 Mar 2022 17:29:42 +0000
Hunters become the Hunted
https://blog.cyble.com/2022/03/22/hunters-become-the-hunted/
Cyble
Cyble - Hunters Become The Hunted
Cyble Research Labs analyzes a Clipper malware variant disguised as an AvD Crypto-stealer, potentially targeting other Threat Actors.
Wed, 23 Mar 2022 00:28:02 +0000
Distribution of ClipBanker Disguised as Malware Creation Tool
https://asec.ahnlab.com/en/32825/
ASEC
Distribution of ClipBanker Disguised as Malware Creation Tool - ASEC
The ASEC analysis team has recently discovered a distribution of ClipBanker disguised as a malware creation tool. ClipBanker is a malware that monitors the clipboard of the infected system. If a string for a coin wallet address is copied, the malware changes…
Wed, 23 Mar 2022 00:57:04 +0000
Word Document Attack Targeting Companies Specialized in Carbon Emissions
https://asec.ahnlab.com/en/32822/
ASEC BLOG
Word Document Attack Targeting Companies Specialized in Carbon Emissions - ASEC BLOG
On March 18th, the ASEC analysis team discovered a document-borne APT attack targeting companies specialized in carbon emissions. According to logs collected from AhnLab’s ASD (AhnLab Smart Defense), the user of the infected PC appears to have downloaded…
Wed, 23 Mar 2022 12:27:08 +0000
Operation Dragon Castling: APT group targeting betting companies
https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies/?utm_source=rss&utm_medium=rss&utm_campaign=operation-dragon-castling-apt-group-targeting-betting-companies
Gendigital
Operation Dragon Castling: APT group targeting betting companies
APT Targets Betting Firms Clandestinely
Wed, 23 Mar 2022 16:32:32 +0000
Midas Ransomware : Tracing the Evolution of Thanos Ransomware Variants
https://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants
Zscaler
A Study of Thanos Ransomware Variants | Zscaler Blog
Thanos-based ransomware was on rise in 2021. Learn about Prometheus, Haron, Spook and Midas double-extortion ransomware variants.
Wed, 23 Mar 2022 16:54:35 +0000
GodFather Malware Under the Lens
https://blog.cyble.com/2022/03/23/godfather-malware-under-the-lens/
Cyble
GodFather Malware Under the Lens
Cyble takes a look at the GodFather Android malware variant that has recently been targeting European banking users.
Wed, 23 Mar 2022 23:49:03 +0000
Mustang Panda’s Hodur: Old tricks, new Korplug variant
https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/
WeLiveSecurity
Mustang Panda’s Hodur: Old tricks, new Korplug variant
ESET research uncovers Hodur, a new variant of Korplug malware that is being spread by Mustang Panda and uses phishing lures referencing the war in Ukraine.
Wed, 23 Mar 2022 23:49:54 +0000
Bad Actors Trying to Capitalize on Current Events via Shameless Email Scams
https://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams
Fortinet Blog
Beware of Email Scams Related to Current Events | FortiGuard Labs
FortiGuard Labs uncovered tax themed phishing scams. Read our blog to learn more about how to avoid these socially engineered email scams this season.…
Wed, 23 Mar 2022 23:50:40 +0000
MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part II
https://www.fortinet.com/blog/threat-research/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii
Fortinet Blog
MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part II
FortiGuard Labs discovered more than 500 Microsoft Excel files involved in a campaign to deliver a fresh Emotet Trojan variant. Read part II of our analysis to learn more about malicious modules in…
Thu, 24 Mar 2022 09:12:40 +0000
Coper Banking Trojan
https://blog.cyble.com/2022/03/24/coper-banking-trojan/
Cyble
Coper Banking Trojan
Cyble Research Labs analyses the latest variant of the Coper Banking Trojan that is posing as a Google Play Store installer.
Thu, 24 Mar 2022 13:52:14 +0000
Windows Subsystem for Linux (WSL): Threats Still Lurk Below the (Sub)Surface
https://blog.lumen.com/windows-subsystem-for-linux-wsl-threats/?utm_source=rss&utm_medium=rss&utm_campaign=windows-subsystem-for-linux-wsl-threats
Lumen Blog
Windows Subsystem for Linux (WSL): Threats Still Lurk Below the (Sub)Surface
Last fall, Black Lotus Labs discovered in the wild what had until then only been theorized: Linux binaries were being used as loaders in WSL.
Thu, 24 Mar 2022 16:04:44 +0000
Countering threats from North Korea
https://blog.google/threat-analysis-group/countering-threats-north-korea/
Google
Countering threats from North Korea
On February 10, Threat Analysis Group discovered two distinct North Korean government-backed attacker groups exploiting a remote code execution vulnerability in Chrome, CVE-2022-0609.
Пока получаются автоматически генерить вот такие саммари.
Движок генерит еще кучу артефактов:
- Исходный отчет в формате HTML
- PDF и HTML отчета, очищенный от рекламы и лишнего мусора
- Скрин сайта
- Текстовую модель отчета (текст, разбитый на главы, абзацы и предложения)
- Модель со связями значимых токенов в тексте (кто кого дропает, откуда качается зараза, кто для кого C2 и т.д.)
- Собственно JSON с индикаторами (движ умеет понять что в отчете идут связки MD5+SHA1+SHA256 (или иные комбинации) и объединить их в хэши одного бинаря)
Движок еще требует иногда заглядывать и проверять что он там нашел, но очень многое он уже делать без моего участия.
Еще потестю и переведу постинг на этот движок.
З.ы. Алиасы имен малварей и группировок генерализируются.
З.З.ы. Все индикаторы попадают в наш фид https://rstcloud.net
Движок генерит еще кучу артефактов:
- Исходный отчет в формате HTML
- PDF и HTML отчета, очищенный от рекламы и лишнего мусора
- Скрин сайта
- Текстовую модель отчета (текст, разбитый на главы, абзацы и предложения)
- Модель со связями значимых токенов в тексте (кто кого дропает, откуда качается зараза, кто для кого C2 и т.д.)
- Собственно JSON с индикаторами (движ умеет понять что в отчете идут связки MD5+SHA1+SHA256 (или иные комбинации) и объединить их в хэши одного бинаря)
Движок еще требует иногда заглядывать и проверять что он там нашел, но очень многое он уже делать без моего участия.
Еще потестю и переведу постинг на этот движок.
З.ы. Алиасы имен малварей и группировок генерализируются.
З.З.ы. Все индикаторы попадают в наш фид https://rstcloud.net
RST Cloud - Threat Intelligence Solutions
The ultimate source of comprehensive and actual knowledge about cybersecurity threats from all over the world in a ready-to-use format available via API
Forwarded from RST Cloud Monitoring
23-03-2022
Mustang Pandas Hodur: Old tricks, new Korplug variant
https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant
Actors/Campaigns:
Red_delta (malware, rat, dns, phishing, backdoor)
Threats:
Hodur_rat (malware, rat, dns, phishing, backdoor)
Plugx_rat (malware, rat, dns, phishing, backdoor)
Thor (backdoor)
Cobalt_strike
Poison_ivy
Watering_hole_technique
Sunburst
Delf
Industry:
Media, Telco, Government
Geo:
Cyprus, Greece, Sudan, Asia, Mongolia, Africa, Myanmar, Ukraines, Vietnam, Russia, African, Ukraine
TTPs:
Tactics: 9
Technics: 44
IOCs:
File: 5
IP: 10
Hash: 28
Domain: 4
Links:
https://github.com/kcreyts/plugxdecoder
Mustang Pandas Hodur: Old tricks, new Korplug variant
https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant
Actors/Campaigns:
Red_delta (malware, rat, dns, phishing, backdoor)
Threats:
Hodur_rat (malware, rat, dns, phishing, backdoor)
Plugx_rat (malware, rat, dns, phishing, backdoor)
Thor (backdoor)
Cobalt_strike
Poison_ivy
Watering_hole_technique
Sunburst
Delf
Industry:
Media, Telco, Government
Geo:
Cyprus, Greece, Sudan, Asia, Mongolia, Africa, Myanmar, Ukraines, Vietnam, Russia, African, Ukraine
TTPs:
Tactics: 9
Technics: 44
IOCs:
File: 5
IP: 10
Hash: 28
Domain: 4
Links:
https://github.com/kcreyts/plugxdecoder
WeLiveSecurity
Mustang Panda’s Hodur: Old tricks, new Korplug variant
ESET research uncovers Hodur, a new variant of Korplug malware that is being spread by Mustang Panda and uses phishing lures referencing the war in Ukraine.
Fri, 25 Mar 2022 00:31:06 +0000
APT Attack Using Word Files About Cryptocurrency (Kimsuky)
https://asec.ahnlab.com/en/32958/
ASEC
APT Attack Using Word Files About Cryptocurrency (Kimsuky) - ASEC
APT Attack Using Word Files About Cryptocurrency (Kimsuky) ASEC