#ParsedReport
30-03-2022
ASEC Weekly Malware Statistics (March 21st, 2022 - March 27th, 2022)
https://asec.ahnlab.com/en/33217
Threats:
Agent_tesla (tags: malware)
Formbook (tags: malware)
Lokibot_stealer (tags: malware)
Redline_stealer (tags: malware)
Snake_keylogger (tags: malware)
Industry:
Financial
IOCs:
Domain: 7
Email: 10
File: 23
Url: 16
IP: 4
ASEC BLOG
ASEC Weekly Malware Statistics (March 21st, 2022 - March 27th, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from March 21st, 2022 (Monday) to March 27th, 2022 (Sunday). For the main category, info-stealer…
#ParsedReport
30-03-2022
The Infection Chain. New Wave of Remcos RAT Phishing Campaign
https://blog.morphisec.com/remcos-trojan-analyzing-attack-chain
Threats:
Remcos_rat (tags: ransomware, phishing, rat, trojan, malware)
Cloudeye (tags: trojan)
Babadeda (tags: trojan)
Industry:
Financial
IOCs:
Hash: 28
File: 6
Domain: 8
Url: 12
Morphisec
Remcos Trojan: Analyzing the Attack Chain
Morphisec Labs has detected a new wave of Remcos trojan infection. In this blog post, get an analysis of the full attack chain used by the threat actor.
#ParsedReport
31-03-2022
Tracking cyber activity in Eastern Europe
https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe
Actors/Campaigns:
Curious_gorge
Comment_crew
Ghostwriter
Industry:
Government, Financial
Geo:
Russia, Korea, Belarusian, Iran, China, Ukraine, Mongolia
IOCs:
IP: 5
Domain: 9
Google
Tracking cyber activity in Eastern Europe
An update on cyber activity in Eastern Europe.
#ParsedReport
31-03-2022
New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits
https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits
Actors/Campaigns:
Shell_crew (tags: dropper, rat, backdoor, malware, rootkit)
Axiom
Threats:
Fire_chili_rootkit (tags: dropper, rat, backdoor, malware, rootkit)
Log4shell_vuln (tags: dropper, rat, backdoor, malware, rootkit)
Gh0st_rat
Netbot
Themida_packer_tool
Industry:
Financial
Geo:
Chinese, Korean
TTPs:
IOCs:
File: 10
Path: 1
Domain: 4
Hash: 50
IP: 3
Url: 4
Links:
https://github.com/bowlofstew/rootkit.com/blob/master/cardmagic/PortHidDemo_Vista.c
https://github.com/geemion/Record/blob/master/HideReg.c
https://github.com/sin5678/gh0st
Fortinet Blog
New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits
FortiGuard Labs discovered a campaign by Deep Panda exploiting Log4Shell, along with a novel kernel rootkit signed with a stolen digital certificate also used by Winnti. Read to learn about these a…
#ParsedReport
31-03-2022
Cloud Atlas Maldoc
https://inquest.net/blog/2022/03/30/cloud-atlas-maldoc
Threats:
Cloudatlas (tags: rat, malware, phishing)
Industry:
Aerospace, Media, Financial, Government
Geo:
Russian, Ukraine
IOCs:
Hash: 3
Url: 1
Domain: 2
IP: 1
#ParsedReport
31-03-2022
Analysis of BlackGuard - a new info stealer malware being sold in a Russian hacking forum
https://www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking
Threats:
Blackguard_stealer (tags: cryptomining, vpn, ransomware, malware, phishing, stealer)
Exodus
Terra_stealer
Industry:
Financial, E-commerce
Geo:
Russian
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 2
Hash: 10
Zscaler
Analysis of BlackGuard - Info Stealer Malware | Zscaler Blog
In this blog, ThreatLabz analyzes BlackGuard, an emerging info stealer malware being sold as a service on a Russian hacking forum.
#ParsedReport
31-03-2022
Phishing pages used for Malware Delivery
https://blog.cyble.com/2022/03/31/phishing-pages-used-for-malware-delivery
Threats:
Sms_stealer (tags: malware, phishing)
Industry:
Media, Financial, Healthcare
Geo:
India
TTPs:
Tactics: 3
Technics: 0
IOCs:
Url: 4
Hash: 1
Cyble
Phishing pages used for Malware Delivery
Cyble Research Labs analyzes a threat actor leveraging Phishing techniques and malware to steal sensitive banking credentials from Patanjali customers.
#ParsedReport
31-03-2022
State-sponsored Attack Groups Capitalise on Russia-Ukraine War for Cyber Espionage. Introduction
https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage
Actors/Campaigns:
Siamesekitten (tags: malware)
Sidewinder (tags: malware, stealer)
Threats:
Machete
Industry:
Financial, Government, Energy
Geo:
Nicaragua, Iranian, America, India, Indian, Venezuela, Americans, Africa, Pakistani, Israel, Pakistan, Israeli, Asia, Arabia, Russia, Iran, Ukraine, China, Saudi, Russian
CVEs:
CVE-2017-11882 [Vulners]
Vulners score: 8.3
Exploitation: True
Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
IOCs:
Email: 1
Domain: 7
File: 15
Hash: 53
IP: 3
Url: 7
Path: 2
YARA: Found
Links:
https://github.com/TheGeekHT/Loki.Rat/
https://github.com/ghuntley/Heijden.Dns
Check Point Research
State-sponsored Attack Groups Capitalise on Russia-Ukraine War for Cyber Espionage - Check Point Research
Introduction Geopolitical tensions often make headlines and present a golden opportunity for threat actors to exploit the situation, especially those targeting high-profile victims. In the past month while the Russian invasion of Ukraine was unfolding, Check…
#ParsedReport
31-03-2022
Lazarus Trojanized DeFi app for delivering malware
https://securelist.com/lazarus-trojanized-defi-app/106195
Actors/Campaigns:
Lazarus (tags: malware, backdoor, trojan)
Threats:
Cookietime
Volgmer
Threatneedle
Industry:
Financial
Geo:
Korea
TTPs:
Tactics: 6
Technics: 11
IOCs:
Hash: 12
File: 11
Path: 2
Url: 8
Securelist
Lazarus Trojanized DeFi app for delivering malware
We recently discovered a Trojanized DeFi application that contains a legitimate cryptocurrency wallet called DeFi Wallet, but also implants a full-featured backdoor.
#ParsedReport
31-03-2022
Ransomware Enforcement Operations in 2020 and 2021
https://www.recordedfuture.com/ransomware-enforcement-operations-in-2020-and-2021
Threats:
Revil (tags: ransomware)
Netwalker (tags: ransomware)
Log4shell_vuln
Industry:
Media, Financial, Healthcare, Government
Geo:
Romania, Russian, Uk, Japan, Poland, Ukraine
Recordedfuture
Ransomware Enforcement Operations in 2020 and 2021
This report looks at international law enforcement operations focused on ransomware and is based on data collected over the last 2 years.
#ParsedReport
31-03-2022
Deep Dive Analysis Borat RAT
https://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat
Threats:
Borat_rat (tags: trojan, rat, keylogger, malware, ransomware)
TTPs:
Tactics: 6
Technics: 16
IOCs:
File: 2
Hash: 27
Cyble
Deep Dive Analysis – Borat RAT | Cyble
Cyble Research Labs analyzes Borat , a sophisticated RAT variant that boasts a combination of Remote Access Trojan, Spyware, Ransomware and DDoS capabilities.
#ParsedReport
31-03-2022
Conti-nuation: methods and techniques observed in operations post the leaks
https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks
Threats:
Conti
Bazarbackdoor
Trickbot
Cobalt_strike
Qakbot
Proxyshell_vuln
Proxylogon_exploit
Bloodhound_tool
Mimikatz
Zerologon_vuln
CVEs:
CVE-2018-13379 [Vulners]
Vulners score: 4.0
Exploitation: True
Patch: Official fix
Soft:
- fortinet fortios (le6.0.4, le5.6.7)
CVE-2018-13374 [Vulners]
Vulners score: 4.4
Exploitation: Unknown
Patch: Official fix
Soft:
- fortinet fortios (le5.6.7, le6.0.2)
CVE-2021-44228 [Vulners]
Vulners score: 4.0
Exploitation: True
Patch: Official fix
Soft:
- apache log4j (2.0, 2.0, 2.0, 2.0, <2.3.1, <2.12.2, <2.15.0)
- siemens sppa-t3000 ses3000 firmware (*)
- siemens captial (<2019.1, 2019.1, 2019.1)
- siemens comos (*)
- siemens desigo cc advanced reports (4.0, 4.1, 4.2, 5.0, 5.1)
have more...
TTPs:
Tactics: 4
Technics: 0
IOCs:
File: 14
Url: 1
Path: 8
IP: 4
Domain: 1
Hash: 1
NCC Group Research Blog
Conti-nuation: methods and techniques observed in operations post the leaks
This post describes the methods and techniques we observed during recent incidents that took place after the Conti data leaks.
#ParsedReport
31-03-2022
Security Advisory: Spring Cloud Framework Vulnerabilities
https://www.zscaler.com/blogs/security-research/security-advisory-spring-cloud-framework-vulnerabilities
Threats:
Spring4shell
CVEs:
CVE-2022-22963 [Vulners]
Score: CVSS Unknown, Vulners PENDING,
Exploitation: Unknown
Patch: Official fix
CVE-2022-22965 [Vulners]
Score: CVSS Unknown, Vulners PENDING,
Exploitation: Unknown
Patch: Official fix
Links:
https://github.com/spring-projects/spring-framework/commit/7f7fb58dd0dae86d22268a4b59ac7c72a6c22529
Zscaler
Spring Cloud Framework Vulnerabilities
This article provides the analysis of the latest vulnerabilities found in Spring.
#ParsedReport
01-04-2022
APT Attack Disguised as Resume Template for North Korean Defectors (VBS Script)
https://asec.ahnlab.com/en/33322
Threats:
Trojan/vbs.agent
Geo:
Korean
IOCs:
File: 4
Url: 3
Hash: 2
ASEC BLOG
APT Attack Disguised as Resume Template for North Korean Defectors (VBS Script) - ASEC BLOG
The ASEC analysis team has recently discovered that a malicious info-leaking VBS is being distributed via phishing email disguised as North Korea-related material. The email is about casting calls for a North Korea-related broadcast, and a compressed file…
#ParsedReport
01-04-2022
APT Attacks Using Word File Disguised as Donation Receipts for Uljin Wildfire (Kimsuky)
https://asec.ahnlab.com/en/33427
Actors/Campaigns:
Kimsuky (tags: trojan, malware)
Threats:
Akdoor
Trojan/vbs.runner
Geo:
Korea
IOCs:
File: 8
Path: 1
Url: 2
Hash: 7
ASEC BLOG
APT Attacks Using Word File Disguised as Donation Receipts for Uljin Wildfire (Kimsuky) - ASEC BLOG
At the beginning of March this year, a wildfire broke out in the Samcheok and Wuljin area, and numerous people from all over Korea donated to help the victims and restore the damages. Amidst such a situation, the ASEC analysis team discovered the attacker’s…
#ParsedReport
01-04-2022
Dissecting Blackguard Info Stealer. Sophisticated Variant Spotted in the wild
https://blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer
Actors/Campaigns:
Lapsus
Threats:
Blackguard_stealer (tags: vpn, malware, phishing, stealer)
Industry:
Financial
TTPs:
Tactics: 7
Technics: 16
IOCs:
File: 12
Path: 2
Url: 2
Registry: 1
Hash: 4
Cyble
Dissecting Blackguard Info Stealer
Cyble Research Labs analyzes the Blackguard Info Stealer, which currently has an extremely sophisticated variant out in the wild.
#ParsedReport
01-04-2022
Complete dissection of an APK with a suspicious C2 Server
https://lab52.io/blog/complete-dissection-of-an-apk-with-a-suspicious-c2-server
Threats:
Turla
IOCs:
IP: 1
Hash: 2
Url: 4
Email: 1
#ParsedReport
01-04-2022
AcidRain. A Modem Wiper Rains Down on Europe
https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe
Actors/Campaigns:
Fancy_bear
Sandworm
Threats:
Acidrain (tags: rat, vpn, ddos, malware)
Vpnfilter (tags: botnet)
Whispergate
Hermeticwiper
Isaacwiper
Killdisk
Doublezero
Cyclops_blink
Industry:
Ics, Government, Iot
Geo:
Germany, Ukraine, Italy, German, Italian, Russia
IOCs:
Hash: 2
Links:
https://github.com/trendmicro/tlsh
SentinelOne
AcidRain | A Modem Wiper Rains Down on Europe
As the most impactful cyber attack of the Ukrainian invasion gets downplayed, SentinelLabs uncovers a more plausible explanation.
#ParsedReport
01-04-2022
What Our Honeypot Sees Just One Day After The Spring4Shell Advisory
https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en
Actors/Campaigns:
Lapsus
Threats:
Spring4shell (tags: scan, botnet)
Mirai (tags: botnet)
CVEs:
CVE-2010-1622 [Vulners]
Vulners: Score: 6.0, CVSS: 7.3,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- oracle fusion middleware (11.1.1.8.0, 7.6.2, 11.1.1.6.1)
- springsource spring framework (2.5.6, 2.5.7, 2.5.2, 2.5.3, 3.0.0, 2.5.0, 2.5.1, 3.0.2, 3.0.1, 2.5.4, 2.5.5)
CVE-2022-22965 [Vulners]
Vulners: Score: Unknown, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
IOCs:
File: 4
IP: 311
Url: 12
Hash: 18
360 Netlab Blog - Network Security Research Lab at 360
What Our Honeypot Sees Just One Day After The Spring4Shell Advisory
Background
On March 31, 2022, Spring issued a security advisory[1] for the Spring4Shell vulnerability (CVE-2022-22965), this vulnerability has caused widespread concern in the security community.
When we looked back at our data, our threat hunting honeypot…
#ParsedReport
01-04-2022
New UAC-0056 activity: There's a Go Elephant in the room
https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room
Actors/Campaigns:
Unc2589 (tags: stealer, backdoor, malware, phishing)
Threats:
Grimplant
Graphsteel
Cobalt_strike
Elephant_loader (tags: dropper)
Whispergate
Industry:
Media, Government
Geo:
Georgia, Ukrainian, Ukraine
IOCs:
Path: 4
Hash: 10
IP: 1
Links:
https://github.com/denisbrodbeck/machineid
Malwarebytes Labs
New UAC-0056 activity: There's a Go Elephant in the room
In late March, the cyber espionage group UNC2589 also known as SaintBear launched a spear phishing campaign targeting several entities in Ukraine. In this blog we review this attack and the intended payloads.