#ParsedReport
01-04-2022
AcidRain. A Modem Wiper Rains Down on Europe
https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe
Actors/Campaigns:
Fancy_bear
Sandworm
Threats:
Acidrain (tags: rat, vpn, ddos, malware)
Vpnfilter (tags: botnet)
Whispergate
Hermeticwiper
Isaacwiper
Killdisk
Doublezero
Cyclops_blink
Industry:
Ics, Government, Iot
Geo:
Germany, Ukraine, Italy, German, Italian, Russia
IOCs:
Hash: 2
Links:
https://github.com/trendmicro/tlsh
SentinelOne
AcidRain | A Modem Wiper Rains Down on Europe
As the most impactful cyber attack of the Ukrainian invasion gets downplayed, SentinelLabs uncovers a more plausible explanation.
#ParsedReport
01-04-2022
What Our Honeypot Sees Just One Day After The Spring4Shell Advisory
https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en
Actors/Campaigns:
Lapsus
Threats:
Spring4shell (tags: scan, botnet)
Mirai (tags: botnet)
CVEs:
CVE-2010-1622 [Vulners]
Vulners: Score: 6.0, CVSS: 7.3,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- oracle fusion middleware (11.1.1.8.0, 7.6.2, 11.1.1.6.1)
- springsource spring framework (2.5.6, 2.5.7, 2.5.2, 2.5.3, 3.0.0, 2.5.0, 2.5.1, 3.0.2, 3.0.1, 2.5.4, 2.5.5)
CVE-2022-22965 [Vulners]
Vulners: Score: Unknown, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
IOCs:
File: 4
IP: 311
Url: 12
Hash: 18
360 Netlab Blog - Network Security Research Lab at 360
What Our Honeypot Sees Just One Day After The Spring4Shell Advisory
Background
On March 31, 2022, Spring issued a security advisory[1] for the Spring4Shell vulnerability (CVE-2022-22965); this vulnerability has caused widespread concern in the security community.
When we looked back at our data, our threat hunting honeypot…
#ParsedReport
01-04-2022
New UAC-0056 activity: There's a Go Elephant in the room
https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room
Actors/Campaigns:
Unc2589 (tags: stealer, backdoor, malware, phishing)
Threats:
Grimplant
Graphsteel
Cobalt_strike
Elephant_loader (tags: dropper)
Whispergate
Industry:
Media, Government
Geo:
Georgia, Ukrainian, Ukraine
IOCs:
Path: 4
Hash: 10
IP: 1
Links:
https://github.com/denisbrodbeck/machineid
Malwarebytes Labs
New UAC-0056 activity: There's a Go Elephant in the room
In late March, the cyber espionage group UNC2589 also known as SaintBear launched a spear phishing campaign targeting several entities in Ukraine. In this blog we review this attack and the intended payloads.
#ParsedReport
02-04-2022
Fresh TOTOLINK Vulnerabilities Picked Up by Beastmode Mirai Campaign
https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign
Threats:
Beastmode_botnet (tags: ddos, rat, malware, botnet)
Mirai (tags: ddos, rat, malware, botnet)
Dark_mirai_botnet
Industry:
Iot
CVEs:
CVE-2016-5674 [Vulners]
Vulners: Score: 10.0, CVSS: 8.5,
Vulners: Exploitation: Unknown
X-Force: Risk: 6.3
X-Force: Patch: Unavailable
Soft:
- netgear readynas surveillance (1.4.2, 1.4.1, 1.1.1, 1.1.2, 1.3.2.14, 1.2.0.4, 1.3.2.4, 1.4.0)
- nuuo nvrmini 2 (3.0.0, 2.2.1, 2.0.0, 1.7.6, 1.7.5)
- nuuo nvrsolo (2.3.9.6, 2.3.7.10, 2.0.0, 1.75, 3.0.0, 2.1.5, 2.0.1, 2.3.7.9, 2.3.1.20, 2.3, 2.2.2)
CVE-2021-4045 [Vulners]
Vulners: Score: 10.0, CVSS: 3.7,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- tp-link tapo c200 firmware (le1.1.15)
CVE-2022-25075 [Vulners]
Vulners: Score: 7.5, CVSS: 6.9,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.3
X-Force: Patch: Official fix
Soft:
- totolink a3000ru firmware (v5.9c.2280_b20180512)
CVE-2021-45382 [Vulners]
Vulners: Score: 10.0, CVSS: 5.3,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- dlink dir-820l firmware (-)
- dlink dir-820lw firmware (-)
- dlink dir-826l firmware (-)
- dlink dir-830l firmware (-)
- dlink dir-836l firmware (-)
have more...
CVE-2022-26210 [Vulners]
Vulners: Score: 7.5, CVSS: 7.1,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.3
X-Force: Patch: Unavailable
Soft:
- totolink a830r firmware (5.9c.4729_b20191112)
- totolink a3100r firmware (4.1.2cu.5050_b20200504)
- totolink a950rg firmware (4.1.2cu.5161_b20200903)
- totolink a800r firmware (4.1.2cu.5137_b20200730)
- totolink a3000ru firmware (5.9c.5185_b20201128)
have more...
CVE-2022-26186 [Vulners]
Vulners: Score: 7.5, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.3
X-Force: Patch: Unavailable
Soft:
- totolink n600r firmware (4.3.0cu.7570_b20200620)
CVE-2017-17215 [Vulners]
Vulners: Score: 6.5, CVSS: 6.9,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- huawei hg532 firmware (-)
IOCs:
File: 7
Url: 11
IP: 2
Hash: 22
Fortinet Blog
Fresh TOTOLINK Vulnerabilities Picked Up by Beastmode Mirai Campaign
FortiGuard Labs analyzed fresh TOTOLINK vulnerabilities which the Beastmode Mirai-based DDoS campaign added to its arsenal. Read about how this threat leverages these vulnerabilities to control aff…
#ParsedReport
03-04-2022
PlugX: A Talisman to Behold
https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html
Actors/Campaigns:
Redfoxtrot
Threats:
Plugx_rat (tags: rat, dns, malware, backdoor, scan)
Thor
Pcshare
Industry:
Telco
Geo:
Asia, China, Africa
TTPs:
Tactics: 3
Technics: 14
IOCs:
File: 13
Path: 2
Domain: 10
Hash: 19
IP: 18
Trellix
PlugX: A Talisman to Behold
This blog covers a PlugX variant that we have named Talisman and its rather long life since it first emerged in 2008.
#ParsedReport
04-04-2022
Stolen Images Campaign Ends in Conti Ransomware
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware
Threats:
Conti (tags: trojan, rat, malware, ransomware, dns, proxy, backdoor)
Icedid
Cobalt_strike
Atera_agent
Mimikatz
Ryuk
Industry:
Financial
CVEs:
CVE-2021-42278 [Vulners]
Vulners: Score: 6.5, CVSS: 7.1,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (-, r2)
- microsoft windows server 2012 (-, r2)
- microsoft windows server 2016 (-, 20h2, 2004)
- microsoft windows server 2019 (-)
- microsoft windows server 2022 (-)
have more...
CVE-2021-42287 [Vulners]
Vulners: Score: 6.5, CVSS: 7.1,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- microsoft windows server (2004)
- microsoft windows server 2008 (-, -, r2)
- microsoft windows server 2012 (-, r2)
- microsoft windows server 2016 (-)
- microsoft windows server 2019 (-)
have more...
TTPs:
Tactics: 11
Technics: 22
IOCs:
File: 13
Domain: 2
Path: 1
IP: 10
Hash: 10
YARA: Found
SIGMA: Found
Links:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
https://github.com/SigmaHQ/sigma/blob/becf3baeb4f6313bf267f7e8d6e9808fc0fc059c/rules/windows/process_creation/proc_creation_win_susp_recon_activity.yml
https://github.com/SigmaHQ/sigma/blob/e049058d14dd9ec09771b38ed4d59e8b49ba1bad/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml
https://github.com/darkoperator/Veil-PowerView/blob/master/PowerView/functions/Invoke-ShareFinder.ps1
https://github.com/WazeHell/sam-the-admin/
https://github.com/SigmaHQ/sigma/blob/04f72b9e78f196544f8f1331b4d9158df34d7ecf/rules/windows/builtin/application/win_software_atera_rmm_agent_install.yml
https://github.com/SigmaHQ/sigma/blob/eb382c4a59b6d87e186ee269805fe2db2acf250e/rules/windows/builtin/security/win_admin_share_access.yml
https://github.com/SigmaHQ/sigma/blob/071bcc292362fd3754a2da00878bba4bae1a335f/rules/windows/process_creation/proc_creation_win_ad_find_discovery.yml
https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_trust_discovery.yml
https://github.com/SigmaHQ/sigma/blob/11b6b24660c045bb907ed43cfe007349764173bc/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml
https://github.com/SigmaHQ/sigma/blob/6b3fc11a48e8aa2773dfe266c3be11e4c4c973a5/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
The DFIR Report
Stolen Images Campaign Ends in Conti Ransomware
In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan that first appeared in 2017; usually it is delivered via malspam ca…
#ParsedReport
04-04-2022
The Discord Token Grab
https://labs.k7computing.com/index.php/the-discord-token-grab
Threats:
Kazy
Industry:
Financial
IOCs:
File: 1
Url: 1
Path: 1
Hash: 1
Links:
https://github.com/extremecoders-re/pyinstxtractor
K7 Labs
The Discord Token Grab
Recently we came across a Twitter feed that described a malware sample coded in Python and fairly new to have […]
#ParsedReport
04-04-2022
Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations
https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs
Actors/Campaigns:
Unc2589 (tags: phishing)
Threats:
Graphsteel (tags: stealer, malware, phishing)
Grimplant (tags: malware, backdoor, phishing)
Cobalt_strike
Elephant_loader
Babar
Industry:
Government, Petroleum, Media
Geo:
Romania, Russian, Ukrainian, Turkey, French, Ukraine, Israel
IOCs:
File: 3
IP: 1
Url: 1
Hash: 1
Path: 1
Domain: 1
Links:
https://github.com/redcode-labs/Coldfire
https://github.com/kerbyj/goLazagne
Intezer
Elephant Framework Delivered in Phishing Attacks against Ukrainian Organizations
Malware using the Elephant malware framework was delivered via phishing emails from spoofed Ukrainian email addresses.
#ParsedReport
04-04-2022
Spring4Shell (CVE-2022-22965): details and mitigations
https://securelist.com/spring4shell-cve-2022-22965/106239
Threats:
Spring4shell (tags: malware)
Log4shell_vuln
CVEs:
CVE-2022-22963 [Vulners]
Vulners: Score: Unknown, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
CVE-2010-1622 [Vulners]
Vulners: Score: 6.0, CVSS: 7.3,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- oracle fusion middleware (11.1.1.8.0, 7.6.2, 11.1.1.6.1)
- springsource spring framework (2.5.6, 2.5.7, 2.5.2, 2.5.3, 3.0.0, 2.5.0, 2.5.1, 3.0.2, 3.0.1, 2.5.4, 2.5.5)
CVE-2022-22965 [Vulners]
Vulners: Score: Unknown, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
IOCs:
Hash: 2
File: 1
Securelist
Spring4Shell (CVE-2022-22965): details and mitigations
Technical details and mitigations for CVE-2022-22965 vulnerability (Spring4Shell) that can help an attacker to execute arbitrary code on a remote web server.
#ParsedReport
04-04-2022
FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
https://www.mandiant.com/resources/evolution-of-fin7
Actors/Campaigns:
Carbanak (tags: scan, dropper, ransomware, dns, malware, backdoor, phishing, rat, proxy)
Darkside (tags: ransomware)
Blackmatter
Fin12
Threats:
Revil
Blackcat (tags: ransomware)
Powerplant
Birdwatch_loader
Fowlgaze
Loadout_loader
Griffon
Badusb_technique
Dice_loader
Killack
Powertrash_tool
Supersoft
Pillowmint
Powersploit
Termite
Metasploit_tool
Bughatch
Cobalt_strike
Kerberoasting_technique
Hello
Atera_agent
Easylook_tool
Boatlaunch_tool
Jssloader
Maze (tags: ransomware)
Ryuk (tags: ransomware)
Bateleur
Driftpin
Industry:
Financial, Healthcare, Telco
TTPs:
Tactics: 10
Technics: 53
IOCs:
Path: 4
File: 28
Hash: 34
Coin: 1
Domain: 15
Links:
https://github.com/monoxgas/sRDI
https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1
Google Cloud Blog
FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7 | Mandiant | Google Cloud Blog
#ParsedReport
05-04-2022
Malicious Help File Disguised as COVID-19 Infectee Notice Being Distributed in Korea
https://asec.ahnlab.com/en/33486
Threats:
Akdoor (tags: malware)
Trojan/win.generic.c5025270 (tags: malware)
Dropper/win.agent.c5028107 (tags: malware)
Geo:
Korea
IOCs:
File: 3
Url: 1
Hash: 3
ASEC BLOG
Malicious Help File Disguised as COVID-19 Infectee Notice Being Distributed in Korea - ASEC BLOG
The ASEC analysis team introduced readers to malware that takes the form of a Windows help file (*.chm) about two weeks ago. The malicious CHM file that was recently discovered is disguised as a notice for people infected with COVID-19 and is being distributed…
#ParsedReport
05-04-2022
Malicious Word Documents Using MS Media Player (Impersonating AhnLab)
https://asec.ahnlab.com/en/33477
Threats:
Akdoor (tags: malware)
Trojan/win.generic.c5025270 (tags: malware)
IOCs:
File: 7
Url: 10
Path: 1
Registry: 1
Hash: 4
ASEC
Malicious Word Documents Using MS Media Player (Impersonating AhnLab) - ASEC
Last week, the ASEC analysis team uploaded a post named “Malicious Word File Targeting Corporate Users Being Distributed” that contained information about a malicious Word file. Currently, documents of the same type are being distributed with text that impersonates…
#ParsedReport
05-04-2022
Thwarting Loaders: From SocGholish to BLISTER's LockBit Payload
https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html
Threats:
Socgholish_loader (tags: ransomware, dropper, rat, malware)
Blister_loader (tags: ransomware, dropper, malware, rat)
Lockbit (tags: ransomware, dropper, malware, rat)
Cobalt_strike
Emotet
Dridex
Sbit_rat
Jadtre
Lolbin
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 5
Domain: 1
IP: 20
Path: 1
Hash: 57
Trend Micro
Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload
Both BLISTER and SocGholish are loaders known for their evasion tactics. Our report details what these loaders are capable of and our investigation into a campaign that uses both to deliver the LockBit ransomware.
#ParsedReport
05-04-2022
Cicada: Chinese APT Group Widens Targeting in Recent Espionage Activity
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks
Actors/Campaigns:
Stone_panda (tags: malware, backdoor)
Threats:
Sodamaster
Mimikatz
Winvnc_tool
Nbtscan_tool
Industry:
Education, Ngo, Healthcare, Telco, Religion, Government
Geo:
Asia, Montenegro, Japan, Israel, Italy, Chinese, Turkey, India, Canada, America
IOCs:
File: 1
Hash: 27
IP: 2
Security
Cicada: Chinese APT Group Widens Targeting in Recent Espionage Activity
Government orgs and NGOs among victims in a wide-ranging and sustained campaign.
#ParsedReport
05-04-2022
New Analysis: The CaddyWiper Malware Attacking Ukraine
https://blog.morphisec.com/caddywiper-analysis-new-malware-attacking-ukraine
Threats:
Killdisk (tags: malware, ransomware)
Whispergate (tags: malware)
Hermeticwiper (tags: malware)
Isaacwiper (tags: malware)
Industry:
Government
Geo:
Ukraine
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 7
Morphisec
CaddyWiper Analysis: New Malware Attacking Ukraine
In this Threat Post, Morphisec Labs analyzes Caddywiper, a new strain of wiper malware attacking Ukrainian infrastructure.
#ParsedReport
05-04-2022
Inside Lightning Stealer. A New Info Stealer Targeting over 30 Browsers
https://blog.cyble.com/2022/04/05/inside-lightning-stealer
Threats:
Lightning_stealer (tags: ransomware, stealer, phishing, malware)
TTPs:
Tactics: 6
Technics: 11
IOCs:
File: 12
Registry: 1
Url: 2
Hash: 2
Cyble
Inside Lightning Stealer
In this report, Cyble analyzes a stealer that has been targeting over 30 browsers - Lightning Stealer.
#ParsedReport
05-04-2022
Threat Spotlight: AsyncRAT campaigns feature new version of 3LOSH crypter
http://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html
Threats:
Asyncrat_rat (tags: malware, rat, ransomware)
3losh (tags: malware, rat, ransomware)
Limerat_rat (tags: ransomware)
TTPs:
Tactics: 1
Technics: 0
IOCs:
Path: 1
File: 5
Hash: 81
Url: 16
IP: 2
Domain: 6
Cisco Talos Blog
Threat Spotlight: AsyncRAT campaigns feature new version of 3LOSH crypter
By Edmund Brumaghin, with contributions from Alex Karkins.
* Ongoing malware distribution campaigns are using ISO disk images to deliver AsyncRAT, LimeRAT and other commodity malware to victims.
* The infections leverage process injection to evade detection…
#ParsedReport
05-04-2022
Detailed writeup on LAPSUS$ Cybercriminal Group who have compromised Microsoft and Okta
https://cloudsek.com/profile-lapsus-cybercriminal-group
Actors/Campaigns:
Lapsus (tags: ransomware, phishing, stealer, malware)
Threats:
Redline_stealer
Geo:
USA, Russia, Spain, Nepal
CVEs:
CVE-2019-5591 [Vulners]
Vulners: Score: 3.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 5.3
X-Force: Patch: Official fix
Soft:
- fortinet fortios (le6.2.0)
CVE-2021-45328 [Vulners]
Vulners: Score: 5.8, CVSS: 3.3,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.4
X-Force: Patch: Official fix
Soft:
- gitea (<1.4.3)
CVE-2022-0510 [Vulners]
Vulners: Score: 3.5, CVSS: 2.2,
Vulners: Exploitation: Unknown
X-Force: Risk: 6.4
X-Force: Patch: Official fix
Soft:
- pimcore (le10.3.0)
CVE-2018-13379 [Vulners]
Vulners: Score: 5.0, CVSS: 4.0,
Vulners: Exploitation: True
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- fortinet fortios (le6.0.4, le5.6.7)
CVE-2020-12812 [Vulners]
Vulners: Score: 7.5, CVSS: 3.3,
Vulners: Exploitation: True
X-Force: Risk: 5.3
X-Force: Patch: Official fix
Soft:
- fortinet fortios (<6.0.10, <6.2.4, 6.4.0)
have more...
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 3
Hash: 11
IP: 4
CloudSEK - Digital Risk Management Enterprise | Artificial Intelligence based Cybersecurity
A detailed writeup on LAPSUS$ Cybercriminal Group who claimed to have compromised Nvidia and Samsung
Detailed profile on the Cybercriminal group and Threat Actor - Lapsus$ Group. The ransomware gang leaked source code, dehashed credentials, code signing certificates and source code to Nvidia and Samsung.
#ParsedReport
05-04-2022
Colibri Loader combines Task Scheduler and PowerShell in clever persistence technique
https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique
Threats:
Colibri_loader (tags: malware)
Vidar_stealer
IOCs:
Domain: 1
File: 7
Path: 2
Hash: 3
Malwarebytes
Colibri Loader combines Task Scheduler and PowerShell in clever persistence technique
This blog post was authored by Ankur Saini, with contributions from Hossein Jazi and Jérôme Segura (2022-04-07): Added MITRE ATT&CK mappings...
#technique
Malicious Registry Timestamp Manipulation Technique: Detecting Registry Timestomping
https://www.inversecos.com/2022/04/malicious-registry-timestamp.html
Inversecos
Malicious Registry Timestamp Manipulation Technique: Detecting Registry Timestomping
Meet the AWS Lambda malware
https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/
Darktrace
Solve Cloud Forensics at Scale
Darktrace has acquired Cado security, a cyber investigation and response solution provider and leader in cloud data capture and forensics.