Mon, 28 Mar 2022 00:31:01 +0000
BitRAT Disguised as Officer Installer Being Distributed
https://asec.ahnlab.com/en/33024/
ASEC BLOG
BitRAT Disguised as Officer Installer Being Distributed - ASEC BLOG
The ASEC analysis team previously uploaded a post about BitRAT that was distributed under the disguise of Windows OS license verification tool. The BitRAT is now being distributed as Office Installer with different files, preying upon potential victims. The…
Mon, 28 Mar 2022 00:31:01 +0000
VBS Script Disguised as PDF File Being Distributed (Kimsuky)
https://asec.ahnlab.com/en/33032/
ASEC BLOG
VBS Script Disguised as PDF File Being Distributed (Kimsuky) - ASEC BLOG
On March 23rd, the ASEC analysis team has discovered APT attacks launched by an attack group presumed to be Kimsuky, and they targeted certain Korean companies. Upon running the script file with the VBS extension, the malware runs the innocuous PDF file that…
Mon, 28 Mar 2022 08:05:49 +0000
Dissecting the Kazy Crypter
https://labs.k7computing.com/index.php/dissecting-the-kazy-crypter/
K7 Labs
Dissecting the Kazy Crypter
Kazy Crypter has been sold in many underground forums and markets since 2014. The cost of this crypter averages between […]
Mon, 28 Mar 2022 12:23:12 +0000
Avast Finds Compromised Philippine Navy Certificate Used in Remote Access Tool
https://decoded.avast.io/threatintel/avast-finds-compromised-philippine-navy-certificate-used-in-remote-access-tool/?utm_source=rss&utm_medium=rss&utm_campaign=avast-finds-compromised-philippine-navy-certificate-used-in-remote-access-tool
Avast Threat Labs
Avast Finds Compromised Philippine Navy Certificate Used in Remote Access Tool - Avast Threat Labs
Avast Threat Intelligence Team has found a remote access tool (RAT) actively being used in the wild in the Philippines that uses what appears to be a compromised digital certificate belonging to the Philippine Navy.
28-03-2022
BitRAT Disguised as Officer Installer Being Distributed
https://asec.ahnlab.com/en/33024
Threats:
Sbit_rat (tags: malware)
Malware/mdp.download.m1197
Geo:
Korean
IOCs:
File: 1
Hash: 5
BitRAT Disguised as Officer Installer Being Distributed
https://asec.ahnlab.com/en/33024
Threats:
Sbit_rat (tags: malware)
Malware/mdp.download.m1197
Geo:
Korean
IOCs:
File: 1
Hash: 5
ASEC BLOG
BitRAT Disguised as Officer Installer Being Distributed - ASEC BLOG
The ASEC analysis team previously uploaded a post about BitRAT that was distributed under the disguise of Windows OS license verification tool. The BitRAT is now being distributed as Office Installer with different files, preying upon potential victims. The…
#ParsedReport
28-03-2022
Dissecting the Kazy Crypter
https://labs.k7computing.com/index.php/dissecting-the-kazy-crypter
Threats:
Kazy (tags: malware, trojan, ransomware, rat)
Luminosity_rat
Nanocore_rat
IOCs:
File: 1
Hash: 2
28-03-2022
Dissecting the Kazy Crypter
https://labs.k7computing.com/index.php/dissecting-the-kazy-crypter
Threats:
Kazy (tags: malware, trojan, ransomware, rat)
Luminosity_rat
Nanocore_rat
IOCs:
File: 1
Hash: 2
K7 Labs
Dissecting the Kazy Crypter
Kazy Crypter has been sold in many underground forums and markets since 2014. The cost of this crypter averages between […]
#ParsedReport
28-03-2022
Avast Finds Compromised Philippine Navy Certificate Used in Remote Access Tool
https://decoded.avast.io/threatintel/avast-finds-compromised-philippine-navy-certificate-used-in-remote-access-tool/?utm_source=rss&utm_medium=rss&utm_campaign=avast-finds-compromised-philippine-navy-certificate-used-in-remote-access-tool
Threats:
Quasar_rat
Geo:
Philippines, Philippine
IOCs:
Domain: 1
Path: 1
Hash: 1
File: 1
Links:
28-03-2022
Avast Finds Compromised Philippine Navy Certificate Used in Remote Access Tool
https://decoded.avast.io/threatintel/avast-finds-compromised-philippine-navy-certificate-used-in-remote-access-tool/?utm_source=rss&utm_medium=rss&utm_campaign=avast-finds-compromised-philippine-navy-certificate-used-in-remote-access-tool
Threats:
Quasar_rat
Geo:
Philippines, Philippine
IOCs:
Domain: 1
Path: 1
Hash: 1
File: 1
Links:
https://github.com/avast/ioc/tree/master/Philippine-Navy-CertificateAvast Threat Labs
Avast Finds Compromised Philippine Navy Certificate Used in Remote Access Tool - Avast Threat Labs
Avast Threat Intelligence Team has found a remote access tool (RAT) actively being used in the wild in the Philippines that uses what appears to be a compromised digital certificate belonging to the Philippine Navy.
#ParsedReport
28-03-2022
Minerva Labs Blog
https://blog.minerva-labs.com/suncrypt-ransomware-gains-new-abilities-in-2022
Threats:
Suncrypt (tags: ransomware)
Industry:
Retail
Geo:
Switzerland
IOCs:
File: 38
28-03-2022
Minerva Labs Blog
https://blog.minerva-labs.com/suncrypt-ransomware-gains-new-abilities-in-2022
Threats:
Suncrypt (tags: ransomware)
Industry:
Retail
Geo:
Switzerland
IOCs:
File: 38
Rapid7
Managed Threat Complete Solution - Rapid7
Rapid7’s Managed Threat Complete with unlimited incident response and vulnerability management. Contain costs and eliminate threats. Get Started Now.
#ParsedReport
28-03-2022
New Conversation Hijacking Campaign Delivering IcedID
https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid
Actors/Campaigns:
Shathak
Threats:
Icedid (tags: malware, ransomware, phishing, rat, proxy)
Pony
Gziploader
Qakbot (tags: phishing)
Proxyshell_vuln
Industry:
Financial
IOCs:
File: 1
Domain: 1
IP: 1
28-03-2022
New Conversation Hijacking Campaign Delivering IcedID
https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid
Actors/Campaigns:
Shathak
Threats:
Icedid (tags: malware, ransomware, phishing, rat, proxy)
Pony
Gziploader
Qakbot (tags: phishing)
Proxyshell_vuln
Industry:
Financial
IOCs:
File: 1
Domain: 1
IP: 1
Intezer
New Conversation Hijacking Campaign Delivering IcedID
This post describes the technical analysis of a new campaign detected by Intezer’s research team, which initiates attacks with a phishing email that uses conversation hijacking to deliver IcedID. The underground economy is constantly evolving with threat…
Ближайшие 3-4 месяца выхлоп парсера отчетов будет доступен вот тут: https://github.com/rstcloud/rstthreats/tree/master/tireports
Что там лежит:
- PDF и HTML из тела отчета
- Текстовая модель отчета в JSON
- Модель извлеченных из отчета "смыслов"
Если у вас есть какие-то идеи, что еще полезного можно включить в саммари, пишите в личку (контакт в описании канала).
Что там лежит:
- PDF и HTML из тела отчета
- Текстовая модель отчета в JSON
- Модель извлеченных из отчета "смыслов"
Если у вас есть какие-то идеи, что еще полезного можно включить в саммари, пишите в личку (контакт в описании канала).
GitHub
rstthreats/tireports at master · rstcloud/rstthreats
Aggregated Indicators of Compromise collected and cross-verified from multiple open and community-supported sources, enriched and ranked using our intelligence platform for you. Threat Intelligence...
#ParsedReport
28-03-2022
Spoofed Invoice Used to Drop IcedID
https://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id
Threats:
Icedid (tags: dropper, phishing, malware)
Kryptik_trojan
Industry:
Retail, Financial, Petroleum
Geo:
Belize, Ukraine
IOCs:
IP: 3
Domain: 3
Hash: 5
28-03-2022
Spoofed Invoice Used to Drop IcedID
https://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id
Threats:
Icedid (tags: dropper, phishing, malware)
Kryptik_trojan
Industry:
Retail, Financial, Petroleum
Geo:
Belize, Ukraine
IOCs:
IP: 3
Domain: 3
Hash: 5
Fortinet Blog
Spoofed Invoice Used to Drop IcedID | FortiGuard Labs
FortiGuard Labs discovered a spearphishing email for a Ukrainian fuel company with an attached invoice—seemingly from another fuel provider—that contains the IcedID Trojan. Read to learn more about…
APT attack disguised as North Korean defector resume format (VBS script)
https://asec-ahnlab-com.translate.goog/ko/33141/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
https://asec-ahnlab-com.translate.goog/ko/33141/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
ASEC BLOG
탈북자 이력서 양식을 가장한 APT 공격 (VBS 스크립트) - ASEC BLOG
ASEC 분석팀은 최근 대북 관련 내용의 피싱 메일을 통해 정보 유출 목적의 악성 VBS가 유포되고 있음을 확인하였다. 대북 관련 방송의 섭외 내용을 담고 있으며 압축 파일이 첨부되어 있다. 이력서 작성을 언급하여 첨부된 파일의 실행을 유도한다. 압축 파일 내부에는 악성 VBS 스크립트 파일이 존재한다. ‘2022 이력서 양식.vbs’ 파일의 간략한 행위는 다음과 같다. 정보 수집 및 전송 정상 한글 파일 생성 추가 악성 스크립트 파일 생성 및 작업 스케줄러…
#ParsedReport
29-03-2022
Transparent Tribe campaign uses new bespoke malware to target Indian government officials
http://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html
Actors/Campaigns:
Transparenttribe (tags: vpn, rat, trojan, malware)
Sidecopy
Armor_piercer
Threats:
Crimson_rat (tags: rat, keylogger, malware)
Oblique_rat
Capra_rat
Margulasrat_rat
Industry:
Media, Government
Geo:
India, Indian, Pakistan, Afghanistan
IOCs:
Domain: 7
Hash: 36
IP: 6
Url: 19
29-03-2022
Transparent Tribe campaign uses new bespoke malware to target Indian government officials
http://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html
Actors/Campaigns:
Transparenttribe (tags: vpn, rat, trojan, malware)
Sidecopy
Armor_piercer
Threats:
Crimson_rat (tags: rat, keylogger, malware)
Oblique_rat
Capra_rat
Margulasrat_rat
Industry:
Media, Government
Geo:
India, Indian, Pakistan, Afghanistan
IOCs:
Domain: 7
Hash: 36
IP: 6
Url: 19
Cisco Talos Blog
Transparent Tribe campaign uses new bespoke malware to target Indian government officials
By Asheer Malhotra and Justin Thattil with contributions from Kendall McKay.
* Cisco Talos has observed a new Transparent Tribe campaign targeting Indian government and military entities. While the actors are infecting victims with CrimsonRAT, their well…
* Cisco Talos has observed a new Transparent Tribe campaign targeting Indian government and military entities. While the actors are infecting victims with CrimsonRAT, their well…
#ParsedReport
29-03-2022
Verblecon: Sophisticated New Loader Used in Low-level Attacks
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord
Threats:
Verblecon_loader (tags: cryptomining, malware, ransomware)
IOCs:
File: 22
Hash: 6
Url: 9
Domain: 2
Links:
29-03-2022
Verblecon: Sophisticated New Loader Used in Low-level Attacks
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord
Threats:
Verblecon_loader (tags: cryptomining, malware, ransomware)
IOCs:
File: 22
Hash: 6
Url: 9
Domain: 2
Links:
https://github.com/zettabithf/LiteHTTPSecurity
Verblecon: Sophisticated New Loader Used in Low-level Attacks
Indications the attacker may not realize the potential capabilities of the malware they are using.
#ParsedReport
29-03-2022
Exclusive Threat Research: Mars (Stealer) Attacks!
https://blog.morphisec.com/threat-research-mars-stealer
Threats:
Mars_stealer (tags: ransomware, spam, malware, stealer)
Oski_stealer
Babadeda
Industry:
Healthcare
Geo:
Canada, Russian
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 1
IP: 1
Domain: 3
Hash: 15
29-03-2022
Exclusive Threat Research: Mars (Stealer) Attacks!
https://blog.morphisec.com/threat-research-mars-stealer
Threats:
Mars_stealer (tags: ransomware, spam, malware, stealer)
Oski_stealer
Babadeda
Industry:
Healthcare
Geo:
Canada, Russian
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 1
IP: 1
Domain: 3
Hash: 15
Morphisec
Mars Stealer: Exclusive New Threat Research
Read the Morphisec Labs Team's research on the new Mars infostealer. Mars Stealer steals user credentials stored in many different browsers and cryptocurrency wallets.
#ParsedReport
29-03-2022
RED-LILIs Profile.
https://checkmarx.com/blog/a-beautiful-factory-for-malicious-packages
Actors/Campaigns:
Red_lili
Threats:
Nmap_tool
IOCs:
IP: 1
Domain: 2
File: 3
Links:
29-03-2022
RED-LILIs Profile.
https://checkmarx.com/blog/a-beautiful-factory-for-malicious-packages
Actors/Campaigns:
Red_lili
Threats:
Nmap_tool
IOCs:
IP: 1
Domain: 2
File: 3
Links:
https://gist.github.com/Aviadg/3e640afe6dcbc651958c270ff9e57c8dhttps://github.com/projectdiscovery/interactshCheckmarx
A Beautiful Factory for Malicious Packages
In the past month, Checkmarx SCS research team has been tracking the malicious activity of RED-LILI, which marks a significant milestone in the development of software supply-chain attacks. After gathering enough clues, the team has reconstructed this threat…
#ParsedReport
29-03-2022
From the Front Lines \| Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection
https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique
Threats:
Hive (tags: backdoor, malware, ransomware, rat)
Cobalt_strike (tags: malware, rat)
Lolbin (tags: ransomware)
Bloodhound_tool
Hellsgate_technique (tags: rat)
TTPs:
Tactics: 1
Technics: 10
IOCs:
Hash: 38
Path: 2
IP: 6
Domain: 2
YARA: Found
Links:
29-03-2022
From the Front Lines \| Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection
https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique
Threats:
Hive (tags: backdoor, malware, ransomware, rat)
Cobalt_strike (tags: malware, rat)
Lolbin (tags: ransomware)
Bloodhound_tool
Hellsgate_technique (tags: rat)
TTPs:
Tactics: 1
Technics: 10
IOCs:
Hash: 38
Path: 2
IP: 6
Domain: 2
YARA: Found
Links:
https://github.com/am0nsec/HellsGateSentinelOne
From the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection
Learn how the Hive ransomware gang are using a simple yet effective obfuscation method to beat unwary enterprise defenses.
#ParsedReport
29-03-2022
Forged in Fire: A Survey of MobileIron Log4Shell Exploitation
https://www.mandiant.com/resources/mobileiron-log4shell-exploitation
Actors/Campaigns:
Axiom
Unc3500
Unc961
Unc3535
Threats:
Log4shell_vuln
Xmrig_miner
Nexus_logger
Powershell_shell_tool
Holepunch_tool
Holedoor (tags: backdoor)
Darkdoor (tags: backdoor)
Chinachopper
Industry:
Government, Media, Education, Healthcare, Financial, Telco, Energy, Retail
Geo:
America, Asia, China
CVEs:
CVE-2021-44228 [Vulners]
Vulners score: 4.0
Exploitation: True
Patch: Official fix
Soft:
- apache log4j (2.0, 2.0, 2.0, 2.0, <2.3.1, <2.12.2, <2.15.0)
- siemens sppa-t3000 ses3000 firmware ()
- siemens captial (<2019.1, 2019.1, 2019.1)
- siemens comos ()
- siemens desigo cc advanced reports (4.0, 4.1, 4.2, 5.0, 5.1)
have more...
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 9
Url: 7
File: 5
IP: 22
Hash: 4
Links:
29-03-2022
Forged in Fire: A Survey of MobileIron Log4Shell Exploitation
https://www.mandiant.com/resources/mobileiron-log4shell-exploitation
Actors/Campaigns:
Axiom
Unc3500
Unc961
Unc3535
Threats:
Log4shell_vuln
Xmrig_miner
Nexus_logger
Powershell_shell_tool
Holepunch_tool
Holedoor (tags: backdoor)
Darkdoor (tags: backdoor)
Chinachopper
Industry:
Government, Media, Education, Healthcare, Financial, Telco, Energy, Retail
Geo:
America, Asia, China
CVEs:
CVE-2021-44228 [Vulners]
Vulners score: 4.0
Exploitation: True
Patch: Official fix
Soft:
- apache log4j (2.0, 2.0, 2.0, 2.0, <2.3.1, <2.12.2, <2.15.0)
- siemens sppa-t3000 ses3000 firmware ()
- siemens captial (<2019.1, 2019.1, 2019.1)
- siemens comos ()
- siemens desigo cc advanced reports (4.0, 4.1, 4.2, 5.0, 5.1)
have more...
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 9
Url: 7
File: 5
IP: 22
Hash: 4
Links:
https://github.com/cisagov/log4j-affected-dbMandiant
Forged in Fire: A Survey of MobileIron Log4Shell Exploitation | Mandiant
#ParsedReport
29-03-2022
New spear phishing campaign targets Russian dissidents
https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents
Actors/Campaigns:
Red_delta (tags: phishing)
Ghostwriter (tags: phishing)
Scarab (tags: phishing)
Threats:
Formbook (tags: phishing)
Quasar_rat (tags: phishing)
Cobalt_strike (tags: phishing)
Industry:
Media, Education, Telco, Government
Geo:
Russia, Madagascar, Ukraine
CVEs:
CVE-2021-40444 [Vulners]
Vulners score: 2.1
Exploitation: True
Patch: Official fix
Soft:
- microsoft windows 10 (-, 20h2, 21h1, 1607, 1809, 1909, 2004)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
- microsoft windows server 2008 (-, r2)
have more...
CVE-2017-0199 [Vulners]
Vulners score: 9.6
Exploitation: True
Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, *)
- microsoft windows server 2012 (-)
- microsoft windows vista (*)
- microsoft office (2010, 2013, 2016, 2007)
- microsoft windows 7 (*)
have more...
IOCs:
Domain: 2
Hash: 6
29-03-2022
New spear phishing campaign targets Russian dissidents
https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents
Actors/Campaigns:
Red_delta (tags: phishing)
Ghostwriter (tags: phishing)
Scarab (tags: phishing)
Threats:
Formbook (tags: phishing)
Quasar_rat (tags: phishing)
Cobalt_strike (tags: phishing)
Industry:
Media, Education, Telco, Government
Geo:
Russia, Madagascar, Ukraine
CVEs:
CVE-2021-40444 [Vulners]
Vulners score: 2.1
Exploitation: True
Patch: Official fix
Soft:
- microsoft windows 10 (-, 20h2, 21h1, 1607, 1809, 1909, 2004)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
- microsoft windows server 2008 (-, r2)
have more...
CVE-2017-0199 [Vulners]
Vulners score: 9.6
Exploitation: True
Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, *)
- microsoft windows server 2012 (-)
- microsoft windows vista (*)
- microsoft office (2010, 2013, 2016, 2007)
- microsoft windows 7 (*)
have more...
IOCs:
Domain: 2
Hash: 6
ThreatDown by Malwarebytes
New spear phishing campaign targets Russian dissidents - ThreatDown by Malwarebytes
This blog post was authored by Hossein Jazi. — Updated to clarify the two different campaigns (Cobalt Strike and Rat) Several threat actors have taken advantage of the war in Ukraine to launch a…