#technique
Malicious Registry Timestamp Manipulation Technique: Detecting Registry Timestomping
https://www.inversecos.com/2022/04/malicious-registry-timestamp.html
Inversecos
Meet the AWS Lambda malware
https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/
Darktrace
Solve Cloud Forensics at Scale
Darktrace has acquired Cado security, a cyber investigation and response solution provider and leader in cloud data capture and forensics.
#ParsedReport
06-04-2022
eSentire Threat Intelligence Malware Analysis: HeaderTip
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-headertip
Actors/Campaigns:
Scarab
Threats:
Headertip (tags: malware, phishing, scan, dns)
Geo:
Chinese, Chile, Russia, Syria, Ukraine
IOCs:
Path: 1
Registry: 2
Hash: 6
IP: 1
YARA: Found
eSentire
eSentire Threat Intelligence Malware Analysis: HeaderTip
#ParsedReport
06-04-2022
eSentire Threat Intelligence Malware Analysis: DoubleZero
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-doublezero
Threats:
Doublezero (tags: malware)
Whispergate (tags: malware)
Hermeticwiper (tags: malware)
Isaacwiper (tags: malware)
Killdisk (tags: malware)
Geo:
Ukraine
IOCs:
Hash: 5
Registry: 1
File: 11
Path: 1
YARA: Found
eSentire
eSentire | Threat Intelligence Malware Analysis: DoubleZero
Read eSentire's Threat Response Unit (TRU) analysis of DoubleZero, a newly emerging destructive malware targeting Ukrainian enterprises.
#ParsedReport
06-04-2022
Conti's Hacker Manuals Read, Reviewed & Analyzed
https://www.akamai.com/blog/security/conti
Actors/Campaigns:
Lapsus
Threats:
Conti (tags: stealer, phishing, dropper, backdoor, ransomware, dns, spyware, malware, trojan, rat, scan)
Ryuk
Maze
Cobalt_strike
Mimikatz
Psexec_tool
Winrm_tool
Eternalblue_vuln
Bluekeep_vuln
Anydesk_tool
Atera_tool
Printnightmare_vuln
Zerologon_vuln
Lolbin
Trickbot
Industry:
Government, Financial
Geo:
Ukraine, Russia
TTPs:
Tactics: 4
Technics: 0
IOCs:
File: 4
Links:
https://github.com/akamai/akamai-security-research/tree/main/leaks/Conti
https://github.com/RUB-NDS/PRET
Akamai
Akamai Blog | Conti’s Hacker Manuals — Read, Reviewed & Analyzed
Conti is a notorious ransomware group that targets high-revenue organizations. They were first detected in 2020, and appear to be based in Russia. It is believed that the group is the successor to Ryuk ransomware group. According to Chainalysis, The ransomware…
#ParsedReport
06-04-2022
Cado Discovers Denonia: The First Malware Specifically Targeting Lambda
https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda
Threats:
Denonia (tags: malware, cryptomining, dns, botnet)
Xmrig_miner (tags: malware)
Log4shell_vuln (tags: malware)
IOCs:
Hash: 2
Domain: 7
IP: 3
Links:
https://github.com/goretk/redress
https://github.com/aws/aws-lambda-go
Darktrace
Solve Cloud Forensics at Scale
Darktrace has acquired Cado security, a cyber investigation and response solution provider and leader in cloud data capture and forensics.
#ParsedReport
06-04-2022
FFDroider Stealer Targeting Social Media Platform Users
https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users
Threats:
Ffdroider_stealer (tags: malware, stealer)
Cobalt_strike
Industry:
Financial
TTPs:
Tactics: 1
Technics: 8
IOCs:
File: 12
Path: 7
Registry: 1
Url: 5
Domain: 8
Hash: 4
Zscaler
FFDroider Stealer Is Targeting Social Media Platform | Blog
Zscaler ThreatLabz discovered several campaigns related to the FFDroider stealer in their cloud that arrived via the compromised URL. Read the blog
#ParsedReport
06-04-2022
The Latest Remcos RAT Driven By Phishing Campaign
https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing
Threats:
Remcos_rat (tags: malware, rat, phishing, proxy, trojan, keylogger)
Industry:
Financial
IOCs:
File: 12
Url: 3
Domain: 10
IP: 1
Hash: 8
Fortinet Blog
The Latest Remcos RAT Driven By Phishing Campaign
FortiGuard Labs analyzes how a phishing campaign delivers the Remcos RAT onto a victim’s device, how it executes on the device, the sensitive information it steals from the victim, as well as the c…
#ParsedReport
06-04-2022
Operation Bearded Barbie: APT-C-23 Campaign Targeting Israeli Officials
https://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials
Actors/Campaigns:
Aridviper (tags: ransomware, keylogger, malware, phishing, backdoor)
Molerats
Threats:
Barbie (tags: ransomware, keylogger, malware, phishing, backdoor)
Industry:
Government, Healthcare
Geo:
Israel
TTPs:
Tactics: 5
Technics: 0
IOCs:
Url: 8
File: 3
Domain: 8
Hash: 22
Cybereason
Operation Bearded Barbie: APT-C-23 Campaign Targeting Israeli Officials
This APT-C-23 campaign involves two previously undocumented malware strains dubbed Barb(ie) Downloader and BarbWire Backdoor, which use an enhanced stealth mechanism to remain undetected - in addition, Cybereason observed an upgraded version of an Android…
#ParsedReport
07-04-2022
ASEC Weekly Malware Statistics (March 28th, 2022 - April 3rd, 2022)
https://asec.ahnlab.com/en/33569
Threats:
Agent_tesla (tags: stealer, ransomware, spam, malware)
Lokibot_stealer
Formbook
Redline_stealer
Industry:
Financial
IOCs:
Domain: 5
IP: 10
Email: 7
File: 16
Url: 20
ASEC BLOG
ASEC Weekly Malware Statistics (March 28th, 2022 - April 3rd, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from March 28th, 2022 (Monday) to April 3rd, 2022 (Sunday). For the main category, info-stealer…
#ParsedReport
07-04-2022
A Bad Luck BlackCat
https://securelist.com/a-bad-luck-blackcat/106254
Actors/Campaigns:
Blackmatter
Threats:
Blackcat (tags: malware, ransomware)
Revil
Exmatter_tool
Mimikatz
Lockbit
Psexec_tool
Industry:
Petroleum
Geo:
Russian, America
IOCs:
Hash: 2
File: 3
Registry: 1
Links:
https://gist.github.com/api0cradle/d4aaef39db0d845627d819b2b6b30512
Securelist
A Bad Luck BlackCat
A new ransomware actor presented themselves as ALPHV, but the group is also known as BlackCat. Two recent BlackCat incidents stand out as particularly interesting.
#ParsedReport
07-04-2022
Google is on guard: sharks shall not pass!
https://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass
Threats:
Sharkbot
Industry:
Financial
Geo:
Russia, Belarus, China, Ukraine, Romania, Italy, India
IOCs:
Domain: 2
IP: 1
File: 2
Hash: 128
SIGMA: Found
Check Point Research
Google is on guard: sharks shall not pass! - Check Point Research
Research by: Alex Shamshur, Raman Ladutska Introduction When you search for Anti-Virus (AV) solutions to protect your mobile devices, you don’t expect these solutions to do the opposite, i.e. make devices vulnerable to malware. This is what the Check Point Research…
#ParsedReport
07-04-2022
Parrot TDS takes over web servers and threatens millions
https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/?utm_source=rss&utm_medium=rss&utm_campaign=parrot-tds-takes-over-web-servers-and-threatens-millions
Threats:
Socgholish_loader
Prometheus
Netsupportmanager_rat
Industry:
Government
Geo:
Brazil, India, Chinese
IOCs:
File: 1
Registry: 1
Hash: 8
Domain: 38
IP: 13
Links:
https://github.com/avast/ioc/tree/master/ParrotTDS
Gendigital
Parrot TDS takes over web servers and threatens millions
Web Server Takeover Threat
#ParsedReport
07-04-2022
UpdateAgent macOS Malware
https://www.esentire.com/blog/updateagent-macos-malware
Threats:
Vigram (tags: phishing, malware)
More_eggs (tags: malware)
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 6
Url: 2
Hash: 1
Domain: 2
eSentire
UpdateAgent macOS Malware
Read this blog to learn how eSentire Threat Response Unit (TRU) detected and contained an UpdateAgent malware threat impacting a customer in the software industry.
#ParsedReport
08-04-2022
Rook Ransomware
https://chuongdong.com/reverse%20engineering/2022/01/06/RookRansomware
Threats:
Rook (tags: ransomware, scan, malware)
Babuk
Maze
IOCs:
Hash: 2
File: 2
Links:
https://github.com/ARMmbed/mbedtls
Chuong Dong
Rook Ransomware
Malware Analysis Report - Rook Ransomware
#ParsedReport
08-04-2022
CryptoClip Hijacker
https://labs.k7computing.com/index.php/cryptoclip-hijacker
Threats:
Cryptoclip (tags: trojan, malware)
IOCs:
File: 5
Path: 1
Hash: 1
K7 Labs
CryptoClip Hijacker
Stealing crypto-currency is not new to threat actors. Thinner profit margins from mining makes stealing the coins from wallets more […]
#ParsedReport
09-04-2022
New SolarMarker (Jupyter) Campaign Demonstrates the Malware's Changing Attack Patterns
https://unit42.paloaltonetworks.com/solarmarker-malware
Threats:
Solarmarker (tags: dropper, backdoor, rat, malware, stealer)
Jupyter_stealer
IOCs:
File: 45
IP: 18
Hash: 23
Links:
https://github.com/de4dot/de4dot
Unit 42
New SolarMarker (Jupyter) Campaign Demonstrates the Malware’s Changing Attack Patterns
A new version of SolarMarker malware appears to upgrade evasion abilities and demonstrates that the infostealer and backdoor continues to evolve.
#ParsedReport
09-04-2022
The State of Browser Extension Malware
https://blog.zimperium.com/the-state-of-browser-extension-malware
Industry:
Financial
IOCs:
File: 5
IP: 1
Zimperium Mobile Security Blog
The State of Browser Extension Malware - Zimperium Mobile Security Blog
Web browsers have become very lucrative and effective attack surfaces. Zimperium zLabs team has classified thousands of malicious browser extension samples. Read on to learn the state of browser extensions today.
#ParsedReport
09-04-2022
Looking Inside Pandora's Box
https://www.fortinet.com/blog/threat-research/looking-inside-pandoras-box
Threats:
Pandora (tags: ransomware, malware, scan, rat)
Filecoder
Industry:
Financial
Geo:
Japanese
TTPs:
Tactics: 2
Technics: 11
IOCs:
Hash: 2
File: 19
Registry: 1
Links:
https://github.com/ARMmbed/mbedtls
https://github.com/mandiant/flare-emu
Fortinet Blog
Looking Inside Pandora’s Box | FortiGuard Labs
FortiGuard Labs analyzes the emerging state-of-the-art Pandora ransomware targeting corporate networks for financial gain. Read our blog to see how it evades detection, anti-analysis, and more. Rea…
#ParsedReport
10-04-2022
MoqHao Part 2: Continued European Expansion
https://team-cymru.com/blog/2022/04/07/moqhao-part-2-continued-european-expansion
Actors/Campaigns:
Roaming_mantis
Threats:
Moqhao (tags: phishing, malware)
Wroba
Formbook
Merlin_tool
Industry:
Financial
Geo:
Japan, South Korea, Taiwan, France, Germany, United States
IOCs:
Hash: 2
IP: 52
Links:
https://github.com/Ne0nd0g/merlin
https://github.com/salesforce/jarm
https://github.com/ninoseki
Team Cymru
MoqHao Part 2: Continued European Expansion
Monitoring Roaming Mantis Operations with Pure Signal™ Recon This blog is a product of ongoing collaboration with @ninoseki, a Tokyo-based researcher who has tracked MoqHao for several years. His public GitHub contains numerous useful OSINT threat hunting…