Wed, 23 Mar 2022 23:49:03 +0000
Mustang Panda’s Hodur: Old tricks, new Korplug variant
https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/
WeLiveSecurity
Mustang Panda’s Hodur: Old tricks, new Korplug variant
ESET research uncovers Hodur, a new variant of Korplug malware that is being spread by Mustang Panda and uses phishing lures referencing the war in Ukraine.
Wed, 23 Mar 2022 23:49:54 +0000
Bad Actors Trying to Capitalize on Current Events via Shameless Email Scams
https://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams
Fortinet Blog
Beware of Email Scams Related to Current Events | FortiGuard Labs
FortiGuard Labs uncovered tax themed phishing scams. Read our blog to learn more about how to avoid these socially engineered email scams this season.…
Wed, 23 Mar 2022 23:50:40 +0000
MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part II
https://www.fortinet.com/blog/threat-research/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii
Fortinet Blog
MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part II
FortiGuard Labs discovered more than 500 Microsoft Excel files involved in a campaign to deliver a fresh Emotet Trojan variant. Read part II of our analysis to learn more about malicious modules in…
Thu, 24 Mar 2022 09:12:40 +0000
Coper Banking Trojan
https://blog.cyble.com/2022/03/24/coper-banking-trojan/
Cyble
Coper Banking Trojan
Cyble Research Labs analyses the latest variant of the Coper Banking Trojan that is posing as a Google Play Store installer.
Thu, 24 Mar 2022 13:52:14 +0000
Windows Subsystem for Linux (WSL): Threats Still Lurk Below the (Sub)Surface
https://blog.lumen.com/windows-subsystem-for-linux-wsl-threats/?utm_source=rss&utm_medium=rss&utm_campaign=windows-subsystem-for-linux-wsl-threats
Lumen Blog
Windows Subsystem for Linux (WSL): Threats Still Lurk Below the (Sub)Surface
Last fall, Black Lotus Labs discovered in the wild what had until then only been theorized: Linux binaries were being used as loaders in WSL.
Thu, 24 Mar 2022 16:04:44 +0000
Countering threats from North Korea
https://blog.google/threat-analysis-group/countering-threats-north-korea/
Google
Countering threats from North Korea
On February 10, Threat Analysis Group discovered two distinct North Korean government-backed attacker groups exploiting a remote code execution vulnerability in Chrome, CVE-2022-0609.
Пока получаются автоматически генерить вот такие саммари.
Движок генерит еще кучу артефактов:
- Исходный отчет в формате HTML
- PDF и HTML отчета, очищенный от рекламы и лишнего мусора
- Скрин сайта
- Текстовую модель отчета (текст, разбитый на главы, абзацы и предложения)
- Модель со связями значимых токенов в тексте (кто кого дропает, откуда качается зараза, кто для кого C2 и т.д.)
- Собственно JSON с индикаторами (движ умеет понять что в отчете идут связки MD5+SHA1+SHA256 (или иные комбинации) и объединить их в хэши одного бинаря)
Движок еще требует иногда заглядывать и проверять что он там нашел, но очень многое он уже делать без моего участия.
Еще потестю и переведу постинг на этот движок.
З.ы. Алиасы имен малварей и группировок генерализируются.
З.З.ы. Все индикаторы попадают в наш фид https://rstcloud.net
Движок генерит еще кучу артефактов:
- Исходный отчет в формате HTML
- PDF и HTML отчета, очищенный от рекламы и лишнего мусора
- Скрин сайта
- Текстовую модель отчета (текст, разбитый на главы, абзацы и предложения)
- Модель со связями значимых токенов в тексте (кто кого дропает, откуда качается зараза, кто для кого C2 и т.д.)
- Собственно JSON с индикаторами (движ умеет понять что в отчете идут связки MD5+SHA1+SHA256 (или иные комбинации) и объединить их в хэши одного бинаря)
Движок еще требует иногда заглядывать и проверять что он там нашел, но очень многое он уже делать без моего участия.
Еще потестю и переведу постинг на этот движок.
З.ы. Алиасы имен малварей и группировок генерализируются.
З.З.ы. Все индикаторы попадают в наш фид https://rstcloud.net
RST Cloud - Threat Intelligence Solutions
The ultimate source of comprehensive and actual knowledge about cybersecurity threats from all over the world in a ready-to-use format available via API
Forwarded from RST Cloud Monitoring
23-03-2022
Mustang Pandas Hodur: Old tricks, new Korplug variant
https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant
Actors/Campaigns:
Red_delta (malware, rat, dns, phishing, backdoor)
Threats:
Hodur_rat (malware, rat, dns, phishing, backdoor)
Plugx_rat (malware, rat, dns, phishing, backdoor)
Thor (backdoor)
Cobalt_strike
Poison_ivy
Watering_hole_technique
Sunburst
Delf
Industry:
Media, Telco, Government
Geo:
Cyprus, Greece, Sudan, Asia, Mongolia, Africa, Myanmar, Ukraines, Vietnam, Russia, African, Ukraine
TTPs:
Tactics: 9
Technics: 44
IOCs:
File: 5
IP: 10
Hash: 28
Domain: 4
Links:
https://github.com/kcreyts/plugxdecoder
Mustang Pandas Hodur: Old tricks, new Korplug variant
https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant
Actors/Campaigns:
Red_delta (malware, rat, dns, phishing, backdoor)
Threats:
Hodur_rat (malware, rat, dns, phishing, backdoor)
Plugx_rat (malware, rat, dns, phishing, backdoor)
Thor (backdoor)
Cobalt_strike
Poison_ivy
Watering_hole_technique
Sunburst
Delf
Industry:
Media, Telco, Government
Geo:
Cyprus, Greece, Sudan, Asia, Mongolia, Africa, Myanmar, Ukraines, Vietnam, Russia, African, Ukraine
TTPs:
Tactics: 9
Technics: 44
IOCs:
File: 5
IP: 10
Hash: 28
Domain: 4
Links:
https://github.com/kcreyts/plugxdecoder
WeLiveSecurity
Mustang Panda’s Hodur: Old tricks, new Korplug variant
ESET research uncovers Hodur, a new variant of Korplug malware that is being spread by Mustang Panda and uses phishing lures referencing the war in Ukraine.
Fri, 25 Mar 2022 00:31:06 +0000
APT Attack Using Word Files About Cryptocurrency (Kimsuky)
https://asec.ahnlab.com/en/32958/
ASEC
APT Attack Using Word Files About Cryptocurrency (Kimsuky) - ASEC
APT Attack Using Word Files About Cryptocurrency (Kimsuky) ASEC
Fri, 25 Mar 2022 12:35:15 +0000
Purple Fox Uses New Arrival Vector and Improves Malware Arsenal
https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html
Trend Micro
Purple Fox Uses New Arrival Vector and Improves Malware Arsenal
Fri, 25 Mar 2022 16:55:09 +0000
Conti Continues Attacks With an Updated Ransomware Version Despite Leaks
https://www.zscaler.com/blogs/security-research/conti-continues-attacks-updated-ransomware-version-despite-leaks
Zscaler
Conti Continues Attacks With an Updated Ransomware Version Despite Leaks | Zscaler
Conti continues to attack organizations despite recent leaks with updated ransomware that can encrypt files in Windows Safe Mode
Fri, 25 Mar 2022 17:55:05 +0000
Conti Ransomware Attacks Persist With an Updated Version Despite Leaks
https://www.zscaler.com/blogs/security-research/conti-ransomware-attacks-persist-updated-version-despite-leaks
Zscaler
Despite Leaks, Conti Ransomware Attacks Persist | Zscaler
Conti ransomware attacks continue despite recent leaks with an updated version that adds new features including file encryption in Windows Safe Mode.
Fri, 25 Mar 2022 18:55:32 +0000
Escobar Malware: An emerging threat to stealing credentials from your Phone
https://www.secureblink.com/threat-research/escobar-malware:-an-emerging-threat-to-stealing-credentials-from-your-phone
Secureblink
Escobar Malware: An emerging threat to stealing credentials from your Phone | Secure Blink
Aberebot, Android banking trojan resurrected with a new name as Escobar Trojan with updated features while offering a homage to Colombian Drug Lord...
Fri, 25 Mar 2022 22:47:11 +0000
Threat Advisory: DoubleZero
http://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html
Cisco Talos Blog
Threat Advisory: DoubleZero
This post is also available in:
Українська (Ukrainian)
Overview
The Computer Emergency Response Team of Ukraine released an advisory on March 22, 2022 disclosing another wiper dubbed "DoubleZero" targeting Ukrainian enterprises during Russia's invasion…
Українська (Ukrainian)
Overview
The Computer Emergency Response Team of Ukraine released an advisory on March 22, 2022 disclosing another wiper dubbed "DoubleZero" targeting Ukrainian enterprises during Russia's invasion…
Fri, 25 Mar 2022 22:50:27 +0000
New JSSLoader Trojan Delivered Through XLL Files
https://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files
Morphisec
New JSSLoader Trojan Delivered Through XLL Files
Read how a new variant of JSSLoader, delivered via .XLL files, utilizes the Excel add-ins feature to load the malware and inspect the changes inside.
Fri, 25 Mar 2022 22:52:26 +0000
Serpent Backdoor Slithers into Orgs Using Chocolatey Installer
https://www.proofpoint.com/us/newsroom/news/serpent-backdoor-slithers-orgs-using-chocolatey-installer
Threat Post
Serpent Backdoor Slithers into Orgs Using Chocolatey Installer
An unusual attack using an open-source package installer called Chocolatey, steganography and Scheduled Tasks is stealthily delivering spyware to companies.
Corporate user target of the malicious Word document circulated among
https://translate.yandex.ru/translate?url=https%3A%2F%2Fasec.ahnlab.com%2Fko%2F33034%2F&lang=ko-en
https://translate.yandex.ru/translate?url=https%3A%2F%2Fasec.ahnlab.com%2Fko%2F33034%2F&lang=ko-en
translate.yandex.ru
Переводчик сайтов онлайн на русский и другие языки – Яндекс.Переводчик
Перевод сайтов с английского, немецкого, французского, испанского, польского, турецкого и других языков на русский и обратно. Работает в режиме онлайн.
Fri, 25 Mar 2022 22:55:25 +0000
Cyber Attackers Leverage Russia-Ukraine Conflict in Multiple Spam Campaigns
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cyber-attackers-leverage-russia-ukraine-conflict-in-multiple-spam-campaigns/
Trustwave
Cyber Attackers Leverage Russia-Ukraine Conflict in Multiple Spam Campaigns
The Trustwave SpiderLabs email security team has been monitoring the ongoing Russia-Ukraine crisis to ensure that our clients are protected and aware of any imminent threats. This research blog captures some of the phishing email threats we have discovered.
Fri, 25 Mar 2022 23:01:30 +0000
Another cyber espionage campaign in the Russia-Ukrainian ongoing cyber attacks
https://lab52.io/blog/another-cyber-espionage-campaign-in-the-russia-ukrainian-ongoing-cyber-attacks/
Mon, 28 Mar 2022 00:31:01 +0000
BitRAT Disguised as Officer Installer Being Distributed
https://asec.ahnlab.com/en/33024/
ASEC BLOG
BitRAT Disguised as Officer Installer Being Distributed - ASEC BLOG
The ASEC analysis team previously uploaded a post about BitRAT that was distributed under the disguise of Windows OS license verification tool. The BitRAT is now being distributed as Office Installer with different files, preying upon potential victims. The…