CTT Report Hub
Threat Intelligence Report Hub
https://cyberthreat.tech
ООО Технологии киберугроз
Contact: @nikolaiav
#ParsedReport
13-04-2022

Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware

https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware

Actors/Campaigns:
Darkside (tags: malware, ransomware)
Blackmatter (tags: malware, ransomware)

Threats:
Z_loader (tags: fraud, proxy, spam, scam, malware, ransomware, rat, trojan, phishing)
Zeus (tags: malware, ransomware)
Cobalt_strike (tags: malware, ransomware)
Ragnarlocker (tags: malware, ransomware)
Ryuk (tags: malware, ransomware)
Atera_tool
Psexec_tool

Industry:
Telco, Financial

Geo:
China, Japan

CVEs:
CVE-2020-1599 [Vulners]
Vulners: Score: 2.1, CVSS: 3.9,
Vulners: Exploitation: True
X-Force: Risk: 5.5
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (-, 20h2, 1607, 1803, 1809, 1903, 1909, 2004)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
- microsoft windows server 2008 (-, r2)
have more...
CVE-2012-0151 [Vulners]
Vulners: Score: 9.3, CVSS: 7.7,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows vista (*, *)
- microsoft windows server 2008 (r2, *, *, *, r2)
- microsoft windows xp (*, -)
- microsoft windows 7 (*, *)
- microsoft windows server 2003 (*)
have more...
CVE-2013-3900 [Vulners]
Vulners: Score: 7.6, CVSS: 7.3,
Vulners: Exploitation: True
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, r2, -)
- microsoft windows 7 (-)
- microsoft windows rt (-)
- microsoft windows 8.1 (-)
- microsoft windows server 2003 (-)
have more...

TTPs:
Tactics: 2
Technics: 0

IOCs:
Domain: 14
Url: 2
File: 16
Path: 1
#ParsedReport
13-04-2022

Fodcha, a new DDos botnet

https://blog.netlab.360.com/fodcha-a-new-ddos-botnet

Threats:
Fodcha_botnet (tags: scan, botnet, rat, backdoor, ddos, dns)

Industry:
Telco

Geo:
Korea, China, India, Japan

CVEs:
CVE-2021-22205 [Vulners]
Vulners: Score: 7.5, CVSS: 5.6,
Vulners: Exploitation: True
X-Force: Risk: 9.9
X-Force: Patch: Official fix
Soft:
- gitlab (<13.8.8, <13.8.8, <13.9.6, <13.9.6, <13.10.3, <13.10.3)

CVE-2021-35394 [Vulners]
Vulners: Score: 10.0, CVSS: 5.4,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- realtek realtek jungle sdk (le3.4.14b)
IOCs:
Hash: 37
Url: 28
Domain: 2
#ParsedReport
13-04-2022

Enemybot: A Look into Keksec's Latest DDoS Botnet

https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet

Actors/Campaigns:
Keksec

Threats:
Enemybot (tags: botnet, cryptomining, ddos, rat, malware)
Bashlite (tags: botnet, ddos)
Mirai
Beastmode_botnet
Log4shell_vuln

Industry:
Iot

CVEs:
CVE-2021-41773 [Vulners]
Vulners: Score: 4.3, CVSS: 4.4,
Vulners: Exploitation: True
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- apache http server (2.4.49)
- fedoraproject fedora (34, 35)
- oracle instantis enterprisetrack (17.1, 17.2, 17.3)
- netapp cloud backup (-)
CVE-2017-18368 [Vulners]
Vulners: Score: 10.0, CVSS: 3.1,
Vulners: Exploitation: True
X-Force: Risk: 7.3
X-Force: Patch: Unavailable
Soft:
- billion 5200w-t firmware (7.3.8.0)
- zyxel p660hn-t1a v2 firmware (7.3.15.0)
- zyxel p660hn-t1a v1 firmware (7.3.15.0)
CVE-2020-17456 [Vulners]
Vulners: Score: 7.5, CVSS: 7.0,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- seowonintech slc-130 firmware (-)
- seowonintech slr-120s firmware (-)
CVE-2022-27226 [Vulners]
Vulners: Score: 9.3, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 8
X-Force: Patch: Unavailable
Soft:
- irz ru21 firmware (le2022-03-16)
- irz ru21w firmware (le2022-03-16)
- irz rl21 firmware (le2022-03-16)
- irz ru41 firmware (le2022-03-16)
- irz rl01 firmware (le2022-03-16)
have more...
CVE-2022-25075 [Vulners]
Vulners: Score: 7.5, CVSS: 6.9,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.3
X-Force: Patch: Official fix
Soft:
- totolink a3000ru firmware (v5.9c.2280_b20180512)
have more...

IOCs:
Hash: 28
File: 12
Url: 19
Domain: 1
#ParsedReport
14-04-2022

ASEC Weekly Malware Statistics (April 4th, 2022 to April 10th, 2022)

https://asec.ahnlab.com/en/33679

Threats:
Agent_tesla (tags: malware)
Formbook (tags: malware)
Lokibot_stealer (tags: malware)
Redline_stealer (tags: malware)
Beamwinhttp_loader (tags: malware)

IOCs:
Domain: 3
IP: 10
Email: 5
File: 20
Url: 26
#ParsedReport
14-04-2022

Threat Spotlight: "Haskers Gang" Introduces New ZingoStealer

http://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html

Threats:
Zingo_stealer (tags: stealer, ransomware, malware, cryptomining, rat)
Redline_stealer (tags: fraud, malware, stealer)
Xmrig_miner (tags: malware, cryptomining, stealer, rat)
Exodus

Industry:
Financial

Geo:
Russian

TTPs:
Tactics: 2
Technics: 0

IOCs:
Url: 5
Domain: 3
File: 17
Path: 8
IP: 1
Coin: 1
Hash: 349
#ParsedReport
14-04-2022

Lazarus Targets Chemical Sector

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical

Actors/Campaigns:
Lazarus (tags: backdoor, rat, malware)
Dream_job (tags: malware)

Threats:
Skynet_botnet

Industry:
Chemical, Government, Healthcare

Geo:
Korea, USA

IOCs:
File: 16
Hash: 32
Url: 3
Path: 4
IP: 2
Domain: 5
#ParsedReport
14-04-2022

INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems

https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool

Threats:
Incontroller_tool (tags: ddos, scan, rat, backdoor, malware)
Triton (tags: malware)
Crashoverride (tags: malware)
Stuxnet
Vpnfilter (tags: malware)

Industry:
Ics, Financial, Energy

Geo:
Iranian, Ukraine, America, Russia

CVEs:
CVE-2020-15368 [Vulners]
Vulners: Score: 2.1, CVSS: 4.0,
Vulners: Exploitation: Unknown
X-Force: Risk: 6.2
X-Force: Patch: Unavailable
Soft:
- asrock rgb driver firmware (-)
TTPs:
Tactics: 8
Technics: 0

IOCs:
File: 1

YARA: Found
#ParsedReport
14-04-2022

ESET takes part in global operation to disrupt Zloader botnets

https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets

Actors/Campaigns:
Darkside

Threats:
Z_loader (tags: malware, botnet, proxy, ransomware, stealer, rat, trojan, spam)
Zeus
Rig_tool
Hiddenvnc_tool
Raccoon_stealer
Cobalt_strike
Atera_tool
Gozi
Kryptik_trojan

Industry:
E-commerce, Financial

Geo:
Ukraine, Canada, Japan, Australia, USA, Germany

CVEs:
CVE-2012-0151 [Vulners]
Vulners: Score: 9.3, CVSS: 7.7,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows vista (*, *)
- microsoft windows server 2008 (r2, *, *, *, r2)
- microsoft windows xp (*, -)
- microsoft windows 7 (*, *)
- microsoft windows server 2003 (*)
have more...
CVE-2013-3900 [Vulners]
Vulners: Score: 7.6, CVSS: 7.3,
Vulners: Exploitation: True
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, r2, -)
- microsoft windows 7 (-)
- microsoft windows rt (-)
- microsoft windows 8.1 (-)
- microsoft windows server 2003 (-)
have more...

TTPs:
Tactics: 12
Technics: 53

IOCs:
IP: 4
File: 7
Hash: 18
Url: 33
#ParsedReport
14-04-2022

Old Gremlins, new methods

https://blog.group-ib.com/oldgremlin_comeback

Actors/Campaigns:
Oldgremlin
Molerats

Industry:
Healthcare, Financial, Petroleum

Geo:
Belarus, Russia

IOCs:
Domain: 12
File: 12
Url: 8
Path: 2
IP: 4
Hash: 5
#ParsedReport
18-04-2022

Orion Threat Alert: Flight of the BumbleBee. A new campaign in the wild: BumbleBee

https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee

Actors/Campaigns:
Exotic_lily
Wizard_spider
Molerats

Threats:
Bumblebee (tags: spam, malware, phishing, ransomware, rat)
Cobalt_strike
Lolbin
Fake-trusteer
Bazarbackdoor
Icedid
Conti
Lockbit
Avoslocker
Emotet

Industry:
Financial

TTPs:
Tactics: 6
Technics: 0

IOCs:
File: 15
Path: 1
IP: 9
Hash: 9
Domain: 3
#ParsedReport
18-04-2022

An Investigation of the BlackCat Ransomware via Trend Micro Vision One. Finding the threats

https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html

Threats:
Blackcat (tags: backdoor, scan, dns, ransomware, malware, rat)
Cobalt_strike (tags: ransomware)
Proxyshell_vuln
Proxylogon_exploit
Netscan_tool
Bloodhound_tool
Crackmapexec_tool
Mimikatz
Lolbin

CVEs:
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)

CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)

CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
TTPs:
Tactics: 1
Technics: 0

IOCs:
File: 13
IP: 2
Path: 1
Hash: 25
Domain: 1

Links:
https://github.com/Kevin-Robertson/Inveigh
#ParsedReport
18-04-2022

From the Front Lines | Peering into A PYSA Ransomware Attack

https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack

Actors/Campaigns:
Quickbooks

Threats:
Mespinoza (tags: malware, phishing, ransomware, backdoor)
Lolbin
Cobalt_strike
Empire_loader
Chisel_tool
Powershell_ransomware
Psexec_tool
Koadic_tool
Mimikatz
Anydesk_tool
Magicsocks

Industry:
Government, Education, Healthcare

TTPs:
Tactics: 3
Technics: 19

IOCs:
File: 12
Path: 3
Hash: 40

Links:
https://github.com/winscp/winscp
https://github.com/jpillora/chisel
#ParsedReport
18-04-2022

Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team

https://www.infinitumit.com.tr/conti-ransomware-group-behind-the-karakurt-hacking-team

Threats:
Conti (tags: phishing, ransomware, malware, rat, dns, vpn, proxy)
Cobalt_strike
Anydesk_tool
Mimikatz
Metasploit_tool
Ligolo
Log4shell_vuln

Industry:
Government

Geo:
Germany, Canada, Russian

CVEs:
CVE-2021-44228 [Vulners]
Vulners: Score: 9.3, CVSS: 4.0,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- apache log4j (2.0, 2.0, 2.0, 2.0, <2.3.1, <2.12.2, <2.15.0)
- siemens sppa-t3000 ses3000 firmware (*)
- siemens captial (<2019.1, 2019.1, 2019.1)
- siemens comos (*)
- siemens desigo cc advanced reports (4.0, 4.1, 4.2, 5.0, 5.1)
have more...

TTPs:
Tactics: 9
Technics: 23

IOCs:
Domain: 1
IP: 21
File: 3
Url: 2

Links:
https://github.com/tnpitsecurity/ligolo-ng
https://github.com/infinitumitlabs
https://github.com/rapid7/metasploit-framework
https://github.com/Lozy/danted
https://github.com/SecureAuthCorp/impacket
https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI
#ParsedReport
19-04-2022

BAZARLOADER: Unpacking an ISO File Infection. Step 1: Mounting ISO File & Extracting Stage 1 Executable

https://www.0ffset.net/reverse-engineering/bazarloader-iso-file-infection/?utm_source=rss&utm_medium=rss&utm_campaign=bazarloader-iso-file-infection

Threats:
Bazarbackdoor
Metasploit_tool
Cobalt_strike

IOCs:
File: 4
Hash: 1

Links:
https://github.com/OALabs/hashdb-ida
https://github.com/mandiant/flare-emu
https://github.com/OALabs/hashdb/blob/b3cc544fad41c749d04616663ac13f02bf1aaf37/algorithms/metasploit.py
https://github.com/OALabs/BlobRunner
#ParsedReport
20-04-2022

Shuckworm: Espionage Group Continues Intense Campaign Against Ukraine

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-intense-campaign-ukraine

Actors/Campaigns:
Gamaredon (tags: malware, backdoor)

Threats:
Pterodo (tags: rat, dropper)

Geo:
Russian, Ukraine

IOCs:
File: 9
Path: 1
Domain: 1
Hash: 162
Url: 77

Links:
https://github.com/Symantec/threathunters/tree/main/Shuckworm