#ParsedReport
05-04-2022
Threat Spotlight: AsyncRAT campaigns feature new version of 3LOSH crypter
http://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html
Threats:
Asyncrat_rat (tags: malware, rat, ransomware)
3losh (tags: malware, rat, ransomware)
Limerat_rat (tags: ransomware)
TTPs:
Tactics: 1
Technics: 0
IOCs:
Path: 1
File: 5
Hash: 81
Url: 16
IP: 2
Domain: 6
Cisco Talos Blog
Threat Spotlight: AsyncRAT campaigns feature new version of 3LOSH crypter
By Edmund Brumaghin, with contributions from Alex Karkins.
* Ongoing malware distribution campaigns are using ISO disk images to deliver AsyncRAT, LimeRAT and other commodity malware to victims.
* The infections leverage process injection to evade detection…
#ParsedReport
05-04-2022
Detailed writeup on LAPSUS$ Cybercriminal Group who have compromised Microsoft and Okta
https://cloudsek.com/profile-lapsus-cybercriminal-group
Actors/Campaigns:
Lapsus (tags: ransomware, phishing, stealer, malware)
Threats:
Redline_stealer
Geo:
USA, Russia, Spain, Nepal
CVEs:
CVE-2019-5591 [Vulners]
Vulners: Score: 3.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 5.3
X-Force: Patch: Official fix
Soft:
- fortinet fortios (le6.2.0)
CVE-2021-45328 [Vulners]
Vulners: Score: 5.8, CVSS: 3.3,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.4
X-Force: Patch: Official fix
Soft:
- gitea (<1.4.3)
CVE-2022-0510 [Vulners]
Vulners: Score: 3.5, CVSS: 2.2,
Vulners: Exploitation: Unknown
X-Force: Risk: 6.4
X-Force: Patch: Official fix
Soft:
- pimcore (le10.3.0)
CVE-2018-13379 [Vulners]
Vulners: Score: 5.0, CVSS: 4.0,
Vulners: Exploitation: True
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- fortinet fortios (le6.0.4, le5.6.7)
CVE-2020-12812 [Vulners]
Vulners: Score: 7.5, CVSS: 3.3,
Vulners: Exploitation: True
X-Force: Risk: 5.3
X-Force: Patch: Official fix
Soft:
- fortinet fortios (<6.0.10, <6.2.4, 6.4.0)
have more...
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 3
Hash: 11
IP: 4
CloudSEK - Digital Risk Management Enterprise | Artificial Intelligence based Cybersecurity
A detailed writeup on LAPSUS$ Cybercriminal Group who claimed to have compromised Nvidia and Samsung
Detailed profile on the Cybercriminal group and Threat Actor - Lapsus$ Group. The ransomware gang leaked source code, dehashed credentials, code signing certificates and source code to Nvidia and Samsung.
#ParsedReport
05-04-2022
Colibri Loader combines Task Scheduler and PowerShell in clever persistence technique
https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique
Threats:
Colibri_loader (tags: malware)
Vidar_stealer
IOCs:
Domain: 1
File: 7
Path: 2
Hash: 3
Malwarebytes
Colibri Loader combines Task Scheduler and PowerShell in clever persistence technique
This blog post was authored by Ankur Saini, with contributions from Hossein Jazi and Jérôme Segura (2022-04-07): Added MITRE ATT&CK mappings...
#technique
Malicious Registry Timestamp Manipulation Technique: Detecting Registry Timestomping
https://www.inversecos.com/2022/04/malicious-registry-timestamp.html
Inversecos
Malicious Registry Timestamp Manipulation Technique: Detecting Registry Timestomping
Meet the AWS Lambda malware
https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/
Darktrace
Solve Cloud Forensics at Scale
Darktrace has acquired Cado security, a cyber investigation and response solution provider and leader in cloud data capture and forensics.
#ParsedReport
06-04-2022
eSentire Threat Intelligence Malware Analysis: HeaderTip
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-headertip
Actors/Campaigns:
Scarab
Threats:
Headertip (tags: malware, phishing, scan, dns)
Geo:
Chinese, Chile, Russia, Syria, Ukraine
IOCs:
Path: 1
Registry: 2
Hash: 6
IP: 1
YARA: Found
eSentire
eSentire Threat Intelligence Malware Analysis: HeaderTip
#ParsedReport
06-04-2022
eSentire Threat Intelligence Malware Analysis: DoubleZero
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-doublezero
Threats:
Doublezero (tags: malware)
Whispergate (tags: malware)
Hermeticwiper (tags: malware)
Isaacwiper (tags: malware)
Killdisk (tags: malware)
Geo:
Ukraine
IOCs:
Hash: 5
Registry: 1
File: 11
Path: 1
YARA: Found
eSentire
eSentire | Threat Intelligence Malware Analysis: DoubleZero
Read eSentire's Threat Response Unit (TRU) analysis of DoubleZero, a newly emerging destructive malware targeting Ukrainian enterprises.
#ParsedReport
06-04-2022
Conti's Hacker Manuals Read, Reviewed & Analyzed
https://www.akamai.com/blog/security/conti
Actors/Campaigns:
Lapsus
Threats:
Conti (tags: stealer, phishing, dropper, backdoor, ransomware, dns, spyware, malware, trojan, rat, scan)
Ryuk
Maze
Cobalt_strike
Mimikatz
Psexec_tool
Winrm_tool
Eternalblue_vuln
Bluekeep_vuln
Anydesk_tool
Atera_tool
Printnightmare_vuln
Zerologon_vuln
Lolbin
Trickbot
Industry:
Government, Financial
Geo:
Ukraine, Russia
TTPs:
Tactics: 4
Technics: 0
IOCs:
File: 4
Links:
https://github.com/akamai/akamai-security-research/tree/main/leaks/Conti
https://github.com/RUB-NDS/PRETAkamai
Akamai Blog | Conti’s Hacker Manuals — Read, Reviewed & Analyzed
Conti is a notorious ransomware group that targets high-revenue organizations. They were first detected in 2020, and appear to be based in Russia. It is believed that the group is the successor to Ryuk ransomware group. According to Chainalysis, The ransomware…
#ParsedReport
06-04-2022
Cado Discovers Denonia: The First Malware Specifically Targeting Lambda
https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda
Threats:
Denonia (tags: malware, cryptomining, dns, botnet)
Xmrig_miner (tags: malware)
Log4shell_vuln (tags: malware)
IOCs:
Hash: 2
Domain: 7
IP: 3
Links:
https://github.com/goretk/redress
https://github.com/aws/aws-lambda-go
Darktrace
Solve Cloud Forensics at Scale
Darktrace has acquired Cado security, a cyber investigation and response solution provider and leader in cloud data capture and forensics.
#ParsedReport
06-04-2022
FFDroider Stealer Targeting Social Media Platform Users
https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users
Threats:
Ffdroider_stealer (tags: malware, stealer)
Cobalt_strike
Industry:
Financial
TTPs:
Tactics: 1
Technics: 8
IOCs:
File: 12
Path: 7
Registry: 1
Url: 5
Domain: 8
Hash: 4
Zscaler
FFDroider Stealer Is Targeting Social Media Platform | Blog
Zscaler ThreatLabz discovered several campaigns related to the FFDroider stealer in their cloud that arrived via the compromised URL. Read the blog
#ParsedReport
06-04-2022
The Latest Remcos RAT Driven By Phishing Campaign
https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing
Threats:
Remcos_rat (tags: malware, rat, phishing, proxy, trojan, keylogger)
Industry:
Financial
IOCs:
File: 12
Url: 3
Domain: 10
IP: 1
Hash: 8
Fortinet Blog
The Latest Remcos RAT Driven By Phishing Campaign
FortiGuard Labs analyzes how a phishing campaign delivers the Remcos RAT onto a victim’s device, how it executes on the device, the sensitive information it steals from the victim, as well as the c…
#ParsedReport
06-04-2022
Operation Bearded Barbie: APT-C-23 Campaign Targeting Israeli Officials
https://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials
Actors/Campaigns:
Aridviper (tags: ransomware, keylogger, malware, phishing, backdoor)
Molerats
Threats:
Barbie (tags: ransomware, keylogger, malware, phishing, backdoor)
Industry:
Government, Healthcare
Geo:
Israel
TTPs:
Tactics: 5
Technics: 0
IOCs:
Url: 8
File: 3
Domain: 8
Hash: 22
Cybereason
Operation Bearded Barbie: APT-C-23 Campaign Targeting Israeli Officials
This APT-C-23 campaign involves two previously undocumented malware strains dubbed Barb(ie) Downloader and BarbWire Backdoor, which use an enhanced stealth mechanism to remain undetected - in addition, Cybereason observed an upgraded version of an Android…
#ParsedReport
07-04-2022
ASEC Weekly Malware Statistics (March 28th, 2022 - April 3rd, 2022)
https://asec.ahnlab.com/en/33569
Threats:
Agent_tesla (tags: stealer, ransomware, spam, malware)
Lokibot_stealer
Formbook
Redline_stealer
Industry:
Financial
IOCs:
Domain: 5
IP: 10
Email: 7
File: 16
Url: 20
ASEC BLOG
ASEC Weekly Malware Statistics (March 28th, 2022 - April 3rd, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from March 28th, 2022 (Monday) to April 3rd, 2022 (Sunday). For the main category, info-stealer…
#ParsedReport
07-04-2022
A Bad Luck BlackCat
https://securelist.com/a-bad-luck-blackcat/106254
Actors/Campaigns:
Blackmatter
Threats:
Blackcat (tags: malware, ransomware)
Revil
Exmatter_tool
Mimikatz
Lockbit
Psexec_tool
Industry:
Petroleum
Geo:
Russian, America
IOCs:
Hash: 2
File: 3
Registry: 1
Links:
https://gist.github.com/api0cradle/d4aaef39db0d845627d819b2b6b30512
Securelist
A Bad Luck BlackCat
A new ransomware actor presented themselves as ALPHV, but the group is also known as BlackCat. Two recent BlackCat incidents stand out as particularly interesting.
#ParsedReport
07-04-2022
Google is on guard: sharks shall not pass!
https://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass
Threats:
Sharkbot
Industry:
Financial
Geo:
Russia, Belarus, China, Ukraine, Romania, Italy, India
IOCs:
Domain: 2
IP: 1
File: 2
Hash: 128
SIGMA: Found
Check Point Research
Google is on guard: sharks shall not pass! - Check Point Research
Research by: Alex Shamshur, Raman Ladutska Introduction When you search for Anti-Virus (AV) solutions to protect your mobile devices, you don’t expect these solutions to do the opposite, i.e. make devices vulnerable to malware. This is what the Check Point Research…
#ParsedReport
07-04-2022
Parrot TDS takes over web servers and threatens millions
https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/?utm_source=rss&utm_medium=rss&utm_campaign=parrot-tds-takes-over-web-servers-and-threatens-millions
Threats:
Socgholish_loader
Prometheus
Netsupportmanager_rat
Industry:
Government
Geo:
Brazil, India, Chinese
IOCs:
File: 1
Registry: 1
Hash: 8
Domain: 38
IP: 13
Links:
https://github.com/avast/ioc/tree/master/ParrotTDS
Gendigital
Parrot TDS takes over web servers and threatens millions
Web Server Takeover Threat
#ParsedReport
07-04-2022
UpdateAgent macOS Malware
https://www.esentire.com/blog/updateagent-macos-malware
Threats:
Vigram (tags: phishing, malware)
More_eggs (tags: malware)
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 6
Url: 2
Hash: 1
Domain: 2
eSentire
UpdateAgent macOS Malware
Read this blog to learn how eSentire Threat Response Unit (TRU) detected and contained an UpdateAgent malware threat impacting a customer in the software industry.
#ParsedReport
08-04-2022
Rook Ransomware
https://chuongdong.com/reverse%20engineering/2022/01/06/RookRansomware
Threats:
Rook (tags: ransomware, scan, malware)
Babuk
Maze
IOCs:
Hash: 2
File: 2
Links:
https://github.com/ARMmbed/mbedtls
Chuong Dong
Rook Ransomware
Malware Analysis Report - Rook Ransomware
#ParsedReport
08-04-2022
CryptoClip Hijacker
https://labs.k7computing.com/index.php/cryptoclip-hijacker
Threats:
Cryptoclip (tags: trojan, malware)
IOCs:
File: 5
Path: 1
Hash: 1
K7 Labs
CryptoClip Hijacker
Stealing crypto-currency is not new to threat actors. Thinner profit margins from mining makes stealing the coins from wallets more […]
#ParsedReport
09-04-2022
New SolarMarker (Jupyter) Campaign Demonstrates the Malware's Changing Attack Patterns
https://unit42.paloaltonetworks.com/solarmarker-malware
Threats:
Solarmarker (tags: dropper, backdoor, rat, malware, stealer)
Jupyter_stealer
IOCs:
File: 45
IP: 18
Hash: 23
Links:
https://github.com/de4dot/de4dot
Unit 42
New SolarMarker (Jupyter) Campaign Demonstrates the Malware’s Changing Attack Patterns
A new version of SolarMarker malware appears to upgrade evasion abilities and demonstrates that the infostealer and backdoor continues to evolve.