#ParsedReport
31-03-2022
Lazarus Trojanized DeFi app for delivering malware
https://securelist.com/lazarus-trojanized-defi-app/106195
Actors/Campaigns:
Lazarus (tags: malware, backdoor, trojan)
Threats:
Cookietime
Volgmer
Threatneedle
Industry:
Financial
Geo:
Korea
TTPs:
Tactics: 6
Technics: 11
IOCs:
Hash: 12
File: 11
Path: 2
Url: 8
31-03-2022
Lazarus Trojanized DeFi app for delivering malware
https://securelist.com/lazarus-trojanized-defi-app/106195
Actors/Campaigns:
Lazarus (tags: malware, backdoor, trojan)
Threats:
Cookietime
Volgmer
Threatneedle
Industry:
Financial
Geo:
Korea
TTPs:
Tactics: 6
Technics: 11
IOCs:
Hash: 12
File: 11
Path: 2
Url: 8
Securelist
Lazarus Trojanized DeFi app for delivering malware
We recently discovered a Trojanized DeFi application that contains a legitimate cryptocurrency wallet called DeFi Wallet, but also implants a full-featured backdoor.
#ParsedReport
31-03-2022
Ransomware Enforcement Operations in 2020 and 2021
https://www.recordedfuture.com/ransomware-enforcement-operations-in-2020-and-2021
Threats:
Revil (tags: ransomware)
Netwalker (tags: ransomware)
Log4shell_vuln
Industry:
Media, Financial, Healthcare, Government
Geo:
Romania, Russian, Uk, Japan, Poland, Ukraine
31-03-2022
Ransomware Enforcement Operations in 2020 and 2021
https://www.recordedfuture.com/ransomware-enforcement-operations-in-2020-and-2021
Threats:
Revil (tags: ransomware)
Netwalker (tags: ransomware)
Log4shell_vuln
Industry:
Media, Financial, Healthcare, Government
Geo:
Romania, Russian, Uk, Japan, Poland, Ukraine
Recordedfuture
Ransomware Enforcement Operations in 2020 and 2021
This report looks at international law enforcement operations focused on ransomware and is based on data collected over the last 2 years.
#ParsedReport
31-03-2022
Deep Dive Analysis Borat RAT
https://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat
Threats:
Borat_rat (tags: trojan, rat, keylogger, malware, ransomware)
TTPs:
Tactics: 6
Technics: 16
IOCs:
File: 2
Hash: 27
31-03-2022
Deep Dive Analysis Borat RAT
https://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat
Threats:
Borat_rat (tags: trojan, rat, keylogger, malware, ransomware)
TTPs:
Tactics: 6
Technics: 16
IOCs:
File: 2
Hash: 27
Cyble
Deep Dive Analysis – Borat RAT | Cyble
Cyble Research Labs analyzes Borat , a sophisticated RAT variant that boasts a combination of Remote Access Trojan, Spyware, Ransomware and DDoS capabilities.
#ParsedReport
31-03-2022
Conti-nuation: methods and techniques observed in operations post the leaks
https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks
Threats:
Conti
Bazarbackdoor
Trickbot
Cobalt_strike
Qakbot
Proxyshell_vuln
Proxylogon_exploit
Bloodhound_tool
Mimikatz
Zerologon_vuln
CVEs:
CVE-2018-13379 [Vulners]
Vulners score: 4.0
Exploitation: True
Patch: Official fix
Soft:
- fortinet fortios (le6.0.4, le5.6.7)
CVE-2018-13374 [Vulners]
Vulners score: 4.4
Exploitation: Unknown
Patch: Official fix
Soft:
- fortinet fortios (le5.6.7, le6.0.2)
CVE-2021-44228 [Vulners]
Vulners score: 4.0
Exploitation: True
Patch: Official fix
Soft:
- apache log4j (2.0, 2.0, 2.0, 2.0, <2.3.1, <2.12.2, <2.15.0)
- siemens sppa-t3000 ses3000 firmware (*)
- siemens captial (<2019.1, 2019.1, 2019.1)
- siemens comos (*)
- siemens desigo cc advanced reports (4.0, 4.1, 4.2, 5.0, 5.1)
have more...
TTPs:
Tactics: 4
Technics: 0
IOCs:
File: 14
Url: 1
Path: 8
IP: 4
Domain: 1
Hash: 1
31-03-2022
Conti-nuation: methods and techniques observed in operations post the leaks
https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks
Threats:
Conti
Bazarbackdoor
Trickbot
Cobalt_strike
Qakbot
Proxyshell_vuln
Proxylogon_exploit
Bloodhound_tool
Mimikatz
Zerologon_vuln
CVEs:
CVE-2018-13379 [Vulners]
Vulners score: 4.0
Exploitation: True
Patch: Official fix
Soft:
- fortinet fortios (le6.0.4, le5.6.7)
CVE-2018-13374 [Vulners]
Vulners score: 4.4
Exploitation: Unknown
Patch: Official fix
Soft:
- fortinet fortios (le5.6.7, le6.0.2)
CVE-2021-44228 [Vulners]
Vulners score: 4.0
Exploitation: True
Patch: Official fix
Soft:
- apache log4j (2.0, 2.0, 2.0, 2.0, <2.3.1, <2.12.2, <2.15.0)
- siemens sppa-t3000 ses3000 firmware (*)
- siemens captial (<2019.1, 2019.1, 2019.1)
- siemens comos (*)
- siemens desigo cc advanced reports (4.0, 4.1, 4.2, 5.0, 5.1)
have more...
TTPs:
Tactics: 4
Technics: 0
IOCs:
File: 14
Url: 1
Path: 8
IP: 4
Domain: 1
Hash: 1
NCC Group Research Blog
Conti-nuation: methods and techniques observed in operations post the leaks
This post describes the methods and techniques we observed during recent incidents that took place after the Coni data leaks.
#ParsedReport
31-03-2022
Security Advisory: Spring Cloud Framework Vulnerabilities
https://www.zscaler.com/blogs/security-research/security-advisory-spring-cloud-framework-vulnerabilities
Threats:
Spring4shell
CVEs:
CVE-2022-22963 [Vulners]
Score: CVSS Unknown, Vulners PENDING,
Exploitation: Unknown
Patch: Official fix
CVE-2022-22965 [Vulners]
Score: CVSS Unknown, Vulners PENDING,
Exploitation: Unknown
Patch: Official fix
Links:
31-03-2022
Security Advisory: Spring Cloud Framework Vulnerabilities
https://www.zscaler.com/blogs/security-research/security-advisory-spring-cloud-framework-vulnerabilities
Threats:
Spring4shell
CVEs:
CVE-2022-22963 [Vulners]
Score: CVSS Unknown, Vulners PENDING,
Exploitation: Unknown
Patch: Official fix
CVE-2022-22965 [Vulners]
Score: CVSS Unknown, Vulners PENDING,
Exploitation: Unknown
Patch: Official fix
Links:
https://github.com/spring-projects/spring-framework/commit/7f7fb58dd0dae86d22268a4b59ac7c72a6c22529Zscaler
Spring Cloud Framework Vulnerabilities
This article provides the analysis of the latest vulnerabilities found in Spring.
#ParsedReport
01-04-2022
APT Attack Disguised as Resume Template for North Korean Defectors (VBS Script)
https://asec.ahnlab.com/en/33322
Threats:
Trojan/vbs.agent
Geo:
Korean
IOCs:
File: 4
Url: 3
Hash: 2
01-04-2022
APT Attack Disguised as Resume Template for North Korean Defectors (VBS Script)
https://asec.ahnlab.com/en/33322
Threats:
Trojan/vbs.agent
Geo:
Korean
IOCs:
File: 4
Url: 3
Hash: 2
ASEC BLOG
APT Attack Disguised as Resume Template for North Korean Defectors (VBS Script) - ASEC BLOG
The ASEC analysis team has recently discovered that a malicious info-leaking VBS is being distributed via phishing email disguised as North Korea-related material. The email is about casting calls for a North Korea-related broadcast, and a compressed file…
#ParsedReport
01-04-2022
APT Attacks Using Word File Disguised as Donation Receipts for Uljin Wildfire (Kimsuky)
https://asec.ahnlab.com/en/33427
Actors/Campaigns:
Kimsuky (tags: trojan, malware)
Threats:
Akdoor
Trojan/vbs.runner
Geo:
Korea
IOCs:
File: 8
Path: 1
Url: 2
Hash: 7
01-04-2022
APT Attacks Using Word File Disguised as Donation Receipts for Uljin Wildfire (Kimsuky)
https://asec.ahnlab.com/en/33427
Actors/Campaigns:
Kimsuky (tags: trojan, malware)
Threats:
Akdoor
Trojan/vbs.runner
Geo:
Korea
IOCs:
File: 8
Path: 1
Url: 2
Hash: 7
ASEC BLOG
APT Attacks Using Word File Disguised as Donation Receipts for Uljin Wildfire (Kimsuky) - ASEC BLOG
At the beginning of March this year, a wildfire broke out in the Samcheok and Wuljin area, and numerous people from all over Korea donated to help the victims and restore the damages. Amidst such a situation, the ASEC analysis team discovered the attacker’s…
#ParsedReport
01-04-2022
Dissecting Blackguard Info Stealer. Sophisticated Variant Spotted in the wild
https://blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer
Actors/Campaigns:
Lapsus
Threats:
Blackguard_stealer (tags: vpn, malware, phishing, stealer)
Industry:
Financial
TTPs:
Tactics: 7
Technics: 16
IOCs:
File: 12
Path: 2
Url: 2
Registry: 1
Hash: 4
01-04-2022
Dissecting Blackguard Info Stealer. Sophisticated Variant Spotted in the wild
https://blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer
Actors/Campaigns:
Lapsus
Threats:
Blackguard_stealer (tags: vpn, malware, phishing, stealer)
Industry:
Financial
TTPs:
Tactics: 7
Technics: 16
IOCs:
File: 12
Path: 2
Url: 2
Registry: 1
Hash: 4
Cyble
Dissecting Blackguard Info Stealer
Cyble Research Labs analyzes the Blackguard Info Stealer, which currently has an extremely sophisticated variant out in the wild.
#ParsedReport
01-04-2022
Complete dissection of an APK with a suspicious C2 Server
https://lab52.io/blog/complete-dissection-of-an-apk-with-a-suspicious-c2-server
Threats:
Turla
IOCs:
IP: 1
Hash: 2
Url: 4
Email: 1
01-04-2022
Complete dissection of an APK with a suspicious C2 Server
https://lab52.io/blog/complete-dissection-of-an-apk-with-a-suspicious-c2-server
Threats:
Turla
IOCs:
IP: 1
Hash: 2
Url: 4
Email: 1
#ParsedReport
01-04-2022
AcidRain. A Modem Wiper Rains Down on Europe
https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe
Actors/Campaigns:
Fancy_bear
Sandworm
Threats:
Acidrain (tags: rat, vpn, ddos, malware)
Vpnfilter (tags: botnet)
Whispergate
Hermeticwiper
Isaacwiper
Killdisk
Doublezero
Cyclops_blink
Industry:
Ics, Government, Iot
Geo:
Germany, Ukraine, Italy, German, Italian, Russia
IOCs:
Hash: 2
Links:
01-04-2022
AcidRain. A Modem Wiper Rains Down on Europe
https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe
Actors/Campaigns:
Fancy_bear
Sandworm
Threats:
Acidrain (tags: rat, vpn, ddos, malware)
Vpnfilter (tags: botnet)
Whispergate
Hermeticwiper
Isaacwiper
Killdisk
Doublezero
Cyclops_blink
Industry:
Ics, Government, Iot
Geo:
Germany, Ukraine, Italy, German, Italian, Russia
IOCs:
Hash: 2
Links:
https://github.com/trendmicro/tlshSentinelOne
AcidRain | A Modem Wiper Rains Down on Europe
As the most impactful cyber attack of the Ukrainian invasion gets downplayed, SentinelLabs uncovers a more plausible explanation.
#ParsedReport
01-04-2022
What Our Honeypot Sees Just One Day After The Spring4Shell Advisory
https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en
Actors/Campaigns:
Lapsus
Threats:
Spring4shell (tags: scan, botnet)
Mirai (tags: botnet)
CVEs:
CVE-2010-1622 [Vulners]
Vulners: Score: 6.0, CVSS: 7.3,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- oracle fusion middleware (11.1.1.8.0, 7.6.2, 11.1.1.6.1)
- springsource spring framework (2.5.6, 2.5.7, 2.5.2, 2.5.3, 3.0.0, 2.5.0, 2.5.1, 3.0.2, 3.0.1, 2.5.4, 2.5.5)
CVE-2022-22965 [Vulners]
Vulners: Score: Unknown, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
IOCs:
File: 4
IP: 311
Url: 12
Hash: 18
01-04-2022
What Our Honeypot Sees Just One Day After The Spring4Shell Advisory
https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en
Actors/Campaigns:
Lapsus
Threats:
Spring4shell (tags: scan, botnet)
Mirai (tags: botnet)
CVEs:
CVE-2010-1622 [Vulners]
Vulners: Score: 6.0, CVSS: 7.3,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- oracle fusion middleware (11.1.1.8.0, 7.6.2, 11.1.1.6.1)
- springsource spring framework (2.5.6, 2.5.7, 2.5.2, 2.5.3, 3.0.0, 2.5.0, 2.5.1, 3.0.2, 3.0.1, 2.5.4, 2.5.5)
CVE-2022-22965 [Vulners]
Vulners: Score: Unknown, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
IOCs:
File: 4
IP: 311
Url: 12
Hash: 18
360 Netlab Blog - Network Security Research Lab at 360
What Our Honeypot Sees Just One Day After The Spring4Shell Advisory
Background
On March 31, 2022, Spring issued a security advisory[1] for the Spring4Shell vulnerability (CVE-2022-22965), this vulnerability has caused widespread concern in the security community.
When we looked back at our data, our threat hunting honeypot…
On March 31, 2022, Spring issued a security advisory[1] for the Spring4Shell vulnerability (CVE-2022-22965), this vulnerability has caused widespread concern in the security community.
When we looked back at our data, our threat hunting honeypot…
#ParsedReport
01-04-2022
New UAC-0056 activity: Theres a Go Elephant in the room
https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room
Actors/Campaigns:
Unc2589 (tags: stealer, backdoor, malware, phishing)
Threats:
Grimplant
Graphsteel
Cobalt_strike
Elephant_loader (tags: dropper)
Whispergate
Industry:
Media, Government
Geo:
Georgia, Ukrainian, Ukraine
IOCs:
Path: 4
Hash: 10
IP: 1
Links:
01-04-2022
New UAC-0056 activity: Theres a Go Elephant in the room
https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room
Actors/Campaigns:
Unc2589 (tags: stealer, backdoor, malware, phishing)
Threats:
Grimplant
Graphsteel
Cobalt_strike
Elephant_loader (tags: dropper)
Whispergate
Industry:
Media, Government
Geo:
Georgia, Ukrainian, Ukraine
IOCs:
Path: 4
Hash: 10
IP: 1
Links:
https://github.com/denisbrodbeck/machineidMalwarebytes Labs
New UAC-0056 activity: There's a Go Elephant in the room
In late March, the cyber espionage group UNC2589 also known as SaintBear launched a spear phishing campaign targeting several entities in Ukraine. In this blog we review this attack and the intended payloads.
#ParsedReport
02-04-2022
Fresh TOTOLINK Vulnerabilities Picked Up by Beastmode Mirai Campaign
https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign
Threats:
Beastmode_botnet (tags: ddos, rat, malware, botnet)
Mirai (tags: ddos, rat, malware, botnet)
Dark_mirai_botnet
Industry:
Iot
CVEs:
CVE-2016-5674 [Vulners]
Vulners: Score: 10.0, CVSS: 8.5,
Vulners: Exploitation: Unknown
X-Force: Risk: 6.3
X-Force: Patch: Unavailable
Soft:
- netgear readynas surveillance (1.4.2, 1.4.1, 1.1.1, 1.1.2, 1.3.2.14, 1.2.0.4, 1.3.2.4, 1.4.0)
- nuuo nvrmini 2 (3.0.0, 2.2.1, 2.0.0, 1.7.6, 1.7.5)
- nuuo nvrsolo (2.3.9.6, 2.3.7.10, 2.0.0, 1.75, 3.0.0, 2.1.5, 2.0.1, 2.3.7.9, 2.3.1.20, 2.3, 2.2.2)
CVE-2021-4045 [Vulners]
Vulners: Score: 10.0, CVSS: 3.7,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- tp-link tapo c200 firmware (le1.1.15)
CVE-2022-25075 [Vulners]
Vulners: Score: 7.5, CVSS: 6.9,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.3
X-Force: Patch: Official fix
Soft:
- totolink a3000ru firmware (v5.9c.2280_b20180512)
CVE-2021-45382 [Vulners]
Vulners: Score: 10.0, CVSS: 5.3,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- dlink dir-820l firmware (-)
- dlink dir-820lw firmware (-)
- dlink dir-826l firmware (-)
- dlink dir-830l firmware (-)
- dlink dir-836l firmware (-)
have more...
CVE-2022-26210 [Vulners]
Vulners: Score: 7.5, CVSS: 7.1,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.3
X-Force: Patch: Unavailable
Soft:
- totolink a830r firmware (5.9c.4729_b20191112)
- totolink a3100r firmware (4.1.2cu.5050_b20200504)
- totolink a950rg firmware (4.1.2cu.5161_b20200903)
- totolink a800r firmware (4.1.2cu.5137_b20200730)
- totolink a3000ru firmware (5.9c.5185_b20201128)
have more...
CVE-2022-26186 [Vulners]
Vulners: Score: 7.5, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.3
X-Force: Patch: Unavailable
Soft:
- totolink n600r firmware (4.3.0cu.7570_b20200620)
CVE-2017-17215 [Vulners]
Vulners: Score: 6.5, CVSS: 6.9,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- huawei hg532 firmware (-)
IOCs:
File: 7
Url: 11
IP: 2
Hash: 22
02-04-2022
Fresh TOTOLINK Vulnerabilities Picked Up by Beastmode Mirai Campaign
https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign
Threats:
Beastmode_botnet (tags: ddos, rat, malware, botnet)
Mirai (tags: ddos, rat, malware, botnet)
Dark_mirai_botnet
Industry:
Iot
CVEs:
CVE-2016-5674 [Vulners]
Vulners: Score: 10.0, CVSS: 8.5,
Vulners: Exploitation: Unknown
X-Force: Risk: 6.3
X-Force: Patch: Unavailable
Soft:
- netgear readynas surveillance (1.4.2, 1.4.1, 1.1.1, 1.1.2, 1.3.2.14, 1.2.0.4, 1.3.2.4, 1.4.0)
- nuuo nvrmini 2 (3.0.0, 2.2.1, 2.0.0, 1.7.6, 1.7.5)
- nuuo nvrsolo (2.3.9.6, 2.3.7.10, 2.0.0, 1.75, 3.0.0, 2.1.5, 2.0.1, 2.3.7.9, 2.3.1.20, 2.3, 2.2.2)
CVE-2021-4045 [Vulners]
Vulners: Score: 10.0, CVSS: 3.7,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- tp-link tapo c200 firmware (le1.1.15)
CVE-2022-25075 [Vulners]
Vulners: Score: 7.5, CVSS: 6.9,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.3
X-Force: Patch: Official fix
Soft:
- totolink a3000ru firmware (v5.9c.2280_b20180512)
CVE-2021-45382 [Vulners]
Vulners: Score: 10.0, CVSS: 5.3,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- dlink dir-820l firmware (-)
- dlink dir-820lw firmware (-)
- dlink dir-826l firmware (-)
- dlink dir-830l firmware (-)
- dlink dir-836l firmware (-)
have more...
CVE-2022-26210 [Vulners]
Vulners: Score: 7.5, CVSS: 7.1,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.3
X-Force: Patch: Unavailable
Soft:
- totolink a830r firmware (5.9c.4729_b20191112)
- totolink a3100r firmware (4.1.2cu.5050_b20200504)
- totolink a950rg firmware (4.1.2cu.5161_b20200903)
- totolink a800r firmware (4.1.2cu.5137_b20200730)
- totolink a3000ru firmware (5.9c.5185_b20201128)
have more...
CVE-2022-26186 [Vulners]
Vulners: Score: 7.5, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.3
X-Force: Patch: Unavailable
Soft:
- totolink n600r firmware (4.3.0cu.7570_b20200620)
CVE-2017-17215 [Vulners]
Vulners: Score: 6.5, CVSS: 6.9,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- huawei hg532 firmware (-)
IOCs:
File: 7
Url: 11
IP: 2
Hash: 22
Fortinet Blog
Fresh TOTOLINK Vulnerabilities Picked Up by Beastmode Mirai Campaign
FortiGuard Labs analyzed fresh TOTOLINK vulnerabilities which the Beastmode Mirai-based DDoS campaign added to its arsenal. Read about how this threat leverages these vulnerabilities to control aff…
#ParsedReport
03-04-2022
PlugX: A Talisman to Behold
https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html
Actors/Campaigns:
Redfoxtrot
Threats:
Plugx_rat (tags: rat, dns, malware, backdoor, scan)
Thor
Pcshare
Industry:
Telco
Geo:
Asia, China, Africa
TTPs:
Tactics: 3
Technics: 14
IOCs:
File: 13
Path: 2
Domain: 10
Hash: 19
IP: 18
03-04-2022
PlugX: A Talisman to Behold
https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html
Actors/Campaigns:
Redfoxtrot
Threats:
Plugx_rat (tags: rat, dns, malware, backdoor, scan)
Thor
Pcshare
Industry:
Telco
Geo:
Asia, China, Africa
TTPs:
Tactics: 3
Technics: 14
IOCs:
File: 13
Path: 2
Domain: 10
Hash: 19
IP: 18
Trellix
PlugX: A Talisman to Behold
This blog covers a PlugX variant that we have named Talisman and its rather long life since it first emerged in 2008.
#ParsedReport
04-04-2022
Stolen Images Campaign Ends in Conti Ransomware
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware
Threats:
Conti (tags: trojan, rat, malware, ransomware, dns, proxy, backdoor)
Icedid
Cobalt_strike
Atera_agent
Mimikatz
Ryuk
Industry:
Financial
CVEs:
CVE-2021-42278 [Vulners]
Vulners: Score: 6.5, CVSS: 7.1,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (-, r2)
- microsoft windows server 2012 (-, r2)
- microsoft windows server 2016 (-, 20h2, 2004)
- microsoft windows server 2019 (-)
- microsoft windows server 2022 (-)
have more...
CVE-2021-42287 [Vulners]
Vulners: Score: 6.5, CVSS: 7.1,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- microsoft windows server (2004)
- microsoft windows server 2008 (-, -, r2)
- microsoft windows server 2012 (-, r2)
- microsoft windows server 2016 (-)
- microsoft windows server 2019 (-)
have more...
TTPs:
Tactics: 11
Technics: 22
IOCs:
File: 13
Domain: 2
Path: 1
IP: 10
Hash: 10
YARA: Found
SIGMA: Found
Links:
04-04-2022
Stolen Images Campaign Ends in Conti Ransomware
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware
Threats:
Conti (tags: trojan, rat, malware, ransomware, dns, proxy, backdoor)
Icedid
Cobalt_strike
Atera_agent
Mimikatz
Ryuk
Industry:
Financial
CVEs:
CVE-2021-42278 [Vulners]
Vulners: Score: 6.5, CVSS: 7.1,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (-, r2)
- microsoft windows server 2012 (-, r2)
- microsoft windows server 2016 (-, 20h2, 2004)
- microsoft windows server 2019 (-)
- microsoft windows server 2022 (-)
have more...
CVE-2021-42287 [Vulners]
Vulners: Score: 6.5, CVSS: 7.1,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- microsoft windows server (2004)
- microsoft windows server 2008 (-, -, r2)
- microsoft windows server 2012 (-, r2)
- microsoft windows server 2016 (-)
- microsoft windows server 2019 (-)
have more...
TTPs:
Tactics: 11
Technics: 22
IOCs:
File: 13
Domain: 2
Path: 1
IP: 10
Hash: 10
YARA: Found
SIGMA: Found
Links:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/deprecated/sysmon\_mimikatz\_detection\_lsass.ymlhttps://github.com/SigmaHQ/sigma/blob/becf3baeb4f6313bf267f7e8d6e9808fc0fc059c/rules/windows/process\_creation/proc\_creation\_win\_susp\_recon\_activity.ymlhttps://github.com/SigmaHQ/sigma/blob/e049058d14dd9ec09771b38ed4d59e8b49ba1bad/rules/windows/builtin/security/win\_security\_cobaltstrike\_service\_installs.ymlhttps://github.com/darkoperator/Veil-PowerView/blob/master/PowerView/functions/Invoke-ShareFinder.ps1https://github.com/WazeHell/sam-the-admin/https://github.com/SigmaHQ/sigma/blob/04f72b9e78f196544f8f1331b4d9158df34d7ecf/rules/windows/builtin/application/win\_software\_atera\_rmm\_agent\_install.ymlhttps://github.com/SigmaHQ/sigma/blob/eb382c4a59b6d87e186ee269805fe2db2acf250e/rules/windows/builtin/security/win\_admin\_share\_access.ymlhttps://github.com/SigmaHQ/sigma/blob/071bcc292362fd3754a2da00878bba4bae1a335f/rules/windows/process\_creation/proc\_creation\_win\_ad\_find\_discovery.ymlhttps://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process\_creation/proc\_creation\_win\_trust\_discovery.ymlhttps://github.com/SigmaHQ/sigma/blob/11b6b24660c045bb907ed43cfe007349764173bc/rules/windows/powershell/powershell\_script/posh\_ps\_powerview\_malicious\_commandlets.ymlhttps://github.com/SigmaHQ/sigma/blob/6b3fc11a48e8aa2773dfe266c3be11e4c4c973a5/rules/windows/process\_creation/proc\_creation\_win\_powershell\_defender\_disable\_feature.ymlhttps://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1The DFIR Report
Stolen Images Campaign Ends in Conti Ransomware
In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan that first appeared in 2017, usually, it is delivered via malspam ca…
#ParsedReport
04-04-2022
The Discord Token Grab
https://labs.k7computing.com/index.php/the-discord-token-grab
Threats:
Kazy
Industry:
Financial
IOCs:
File: 1
Url: 1
Path: 1
Hash: 1
Links:
04-04-2022
The Discord Token Grab
https://labs.k7computing.com/index.php/the-discord-token-grab
Threats:
Kazy
Industry:
Financial
IOCs:
File: 1
Url: 1
Path: 1
Hash: 1
Links:
https://github.com/extremecoders-re/pyinstxtractorK7 Labs
The Discord Token Grab
Recently we came across a Twitter feed that described a malware sample coded in Python and fairly new to have […]
#ParsedReport
04-04-2022
Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations
https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs
Actors/Campaigns:
Unc2589 (tags: phishing)
Threats:
Graphsteel (tags: stealer, malware, phishing)
Grimplant (tags: malware, backdoor, phishing)
Cobalt_strike
Elephant_loader
Babar
Industry:
Government, Petroleum, Media
Geo:
Romania, Russian, Ukrainian, Turkey, French, Ukraine, Israel
IOCs:
File: 3
IP: 1
Url: 1
Hash: 1
Path: 1
Domain: 1
Links:
04-04-2022
Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations
https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs
Actors/Campaigns:
Unc2589 (tags: phishing)
Threats:
Graphsteel (tags: stealer, malware, phishing)
Grimplant (tags: malware, backdoor, phishing)
Cobalt_strike
Elephant_loader
Babar
Industry:
Government, Petroleum, Media
Geo:
Romania, Russian, Ukrainian, Turkey, French, Ukraine, Israel
IOCs:
File: 3
IP: 1
Url: 1
Hash: 1
Path: 1
Domain: 1
Links:
https://github.com/redcode-labs/Coldfirehttps://github.com/kerbyj/goLazagneIntezer
Elephant Framework Delivered in Phishing Attacks against Ukrainian Organizations
Malware using the Elephant malware framework was delivered via phishing emails from spoofed Ukrainian email addresses.
#ParsedReport
04-04-2022
Spring4Shell (CVE-2022-22965): details and mitigations
https://securelist.com/spring4shell-cve-2022-22965/106239
Threats:
Spring4shell (tags: malware)
Log4shell_vuln
CVEs:
CVE-2022-22963 [Vulners]
Vulners: Score: Unknown, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
CVE-2010-1622 [Vulners]
Vulners: Score: 6.0, CVSS: 7.3,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- oracle fusion middleware (11.1.1.8.0, 7.6.2, 11.1.1.6.1)
- springsource spring framework (2.5.6, 2.5.7, 2.5.2, 2.5.3, 3.0.0, 2.5.0, 2.5.1, 3.0.2, 3.0.1, 2.5.4, 2.5.5)
CVE-2022-22965 [Vulners]
Vulners: Score: Unknown, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
IOCs:
Hash: 2
File: 1
04-04-2022
Spring4Shell (CVE-2022-22965): details and mitigations
https://securelist.com/spring4shell-cve-2022-22965/106239
Threats:
Spring4shell (tags: malware)
Log4shell_vuln
CVEs:
CVE-2022-22963 [Vulners]
Vulners: Score: Unknown, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
CVE-2010-1622 [Vulners]
Vulners: Score: 6.0, CVSS: 7.3,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- oracle fusion middleware (11.1.1.8.0, 7.6.2, 11.1.1.6.1)
- springsource spring framework (2.5.6, 2.5.7, 2.5.2, 2.5.3, 3.0.0, 2.5.0, 2.5.1, 3.0.2, 3.0.1, 2.5.4, 2.5.5)
CVE-2022-22965 [Vulners]
Vulners: Score: Unknown, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
IOCs:
Hash: 2
File: 1
Securelist
Spring4Shell (CVE-2022-22965): details and mitigations
Technical details and mitigations for CVE-2022-22965 vulnerability (Spring4Shell) that can help an attacker to execute arbitrary code on a remote web server.
#ParsedReport
04-04-2022
FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
https://www.mandiant.com/resources/evolution-of-fin7
Actors/Campaigns:
Carbanak (tags: scan, dropper, ransomware, dns, malware, backdoor, phishing, rat, proxy)
Darkside (tags: ransomware)
Blackmatter
Fin12
Threats:
Revil
Blackcat (tags: ransomware)
Powerplant
Birdwatch_loader
Fowlgaze
Loadout_loader
Griffon
Badusb_technique
Dice_loader
Killack
Powertrash_tool
Supersoft
Pillowmint
Powersploit
Termite
Metasploit_tool
Bughatch
Cobalt_strike
Kerberoasting_technique
Hello
Atera_agent
Easylook_tool
Boatlaunch_tool
Jssloader
Maze (tags: ransomware)
Ryuk (tags: ransomware)
Bateleur
Driftpin
Industry:
Financial, Healthcare, Telco
TTPs:
Tactics: 10
Technics: 53
IOCs:
Path: 4
File: 28
Hash: 34
Coin: 1
Domain: 15
Links:
04-04-2022
FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
https://www.mandiant.com/resources/evolution-of-fin7
Actors/Campaigns:
Carbanak (tags: scan, dropper, ransomware, dns, malware, backdoor, phishing, rat, proxy)
Darkside (tags: ransomware)
Blackmatter
Fin12
Threats:
Revil
Blackcat (tags: ransomware)
Powerplant
Birdwatch_loader
Fowlgaze
Loadout_loader
Griffon
Badusb_technique
Dice_loader
Killack
Powertrash_tool
Supersoft
Pillowmint
Powersploit
Termite
Metasploit_tool
Bughatch
Cobalt_strike
Kerberoasting_technique
Hello
Atera_agent
Easylook_tool
Boatlaunch_tool
Jssloader
Maze (tags: ransomware)
Ryuk (tags: ransomware)
Bateleur
Driftpin
Industry:
Financial, Healthcare, Telco
TTPs:
Tactics: 10
Technics: 53
IOCs:
Path: 4
File: 28
Hash: 34
Coin: 1
Domain: 15
Links:
https://github.com/monoxgas/sRDIhttps://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1Google Cloud Blog
FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7 | Mandiant | Google Cloud Blog
#ParsedReport
05-04-2022
Malicious Help File Disguised as COVID-19 Infectee Notice Being Distributed in Korea
https://asec.ahnlab.com/en/33486
Threats:
Akdoor (tags: malware)
Trojan/win.generic.c5025270 (tags: malware)
Dropper/win.agent.c5028107 (tags: malware)
Geo:
Korea
IOCs:
File: 3
Url: 1
Hash: 3
05-04-2022
Malicious Help File Disguised as COVID-19 Infectee Notice Being Distributed in Korea
https://asec.ahnlab.com/en/33486
Threats:
Akdoor (tags: malware)
Trojan/win.generic.c5025270 (tags: malware)
Dropper/win.agent.c5028107 (tags: malware)
Geo:
Korea
IOCs:
File: 3
Url: 1
Hash: 3
ASEC BLOG
Malicious Help File Disguised as COVID-19 Infectee Notice Being Distributed in Korea - ASEC BLOG
The ASEC analysis team introduced readers to malware that takes the form of a Windows help file (*.chm) about two weeks ago. The malicious CHM file that was recently discovered is disguised as a notice for people infected with COVID-19 and is being distributed…
#ParsedReport
05-04-2022
Malicious Word Documents Using MS Media Player (Impersonating AhnLab)
https://asec.ahnlab.com/en/33477
Threats:
Akdoor (tags: malware)
Trojan/win.generic.c5025270 (tags: malware)
IOCs:
File: 7
Url: 10
Path: 1
Registry: 1
Hash: 4
05-04-2022
Malicious Word Documents Using MS Media Player (Impersonating AhnLab)
https://asec.ahnlab.com/en/33477
Threats:
Akdoor (tags: malware)
Trojan/win.generic.c5025270 (tags: malware)
IOCs:
File: 7
Url: 10
Path: 1
Registry: 1
Hash: 4
ASEC
Malicious Word Documents Using MS Media Player (Impersonating AhnLab) - ASEC
Last week, the ASEC analysis team uploaded a post named “Malicious Word File Targeting Corporate Users Being Distributed” that contained information about a malicious Word file. Currently, documents of the same type are being distributed with text that impersonates…