#ParsedReport
14-04-2022
Threat Spotlight: "Haskers Gang" Introduces New ZingoStealer
http://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html
Threats:
Zingo_stealer (tags: stealer, ransomware, malware, cryptomining, rat)
Redline_stealer (tags: fraud, malware, stealer)
Xmrig_miner (tags: malware, cryptomining, stealer, rat)
Exodus
Industry:
Financial
Geo:
Russian
TTPs:
Tactics: 2
Technics: 0
IOCs:
Url: 5
Domain: 3
File: 17
Path: 8
IP: 1
Coin: 1
Hash: 349
Cisco Talos Blog
Threat Spotlight: "Haskers Gang" Introduces New ZingoStealer
Update (04/14/22): Following the initial publication of this blog, we observed a new post in the Haskers Gang Telegram channel announcing that ownership of the ZingoStealer project is being transferred to a new threat actor.
We also observed the malware…
#ParsedReport
14-04-2022
Lazarus Targets Chemical Sector
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical
Actors/Campaigns:
Lazarus (tags: backdoor, rat, malware)
Dream_job (tags: malware)
Threats:
Skynet_botnet
Industry:
Chemical, Government, Healthcare
Geo:
Korea, USA
IOCs:
File: 16
Hash: 32
Url: 3
Path: 4
IP: 2
Domain: 5
Security
Lazarus Targets Chemical Sector
Continuation of Operation Dream Job sees North Korea-linked APT target orgs in espionage campaign.
#ParsedReport
14-04-2022
INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems
https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool
Threats:
Incontroller_tool (tags: ddos, scan, rat, backdoor, malware)
Triton (tags: malware)
Crashoverride (tags: malware)
Stuxnet
Vpnfilter (tags: malware)
Industry:
Ics, Financial, Energy
Geo:
Iranian, Ukraine, America, Russia
CVEs:
CVE-2020-15368 [Vulners]
Vulners: Score: 2.1, CVSS: 4.0,
Vulners: Exploitation: Unknown
X-Force: Risk: 6.2
X-Force: Patch: Unavailable
Soft:
- asrock rgb driver firmware (-)
TTPs:
Tactics: 8
Technics: 0
IOCs:
File: 1
YARA: Found
Google Cloud Blog
INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems | Mandiant | Google Cloud Blog
#ParsedReport
14-04-2022
ESET takes part in global operation to disrupt Zloader botnets
https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets
Actors/Campaigns:
Darkside
Threats:
Z_loader (tags: malware, botnet, proxy, ransomware, stealer, rat, trojan, spam)
Zeus
Rig_tool
Hiddenvnc_tool
Raccoon_stealer
Cobalt_strike
Atera_tool
Gozi
Kryptik_trojan
Industry:
E-commerce, Financial
Geo:
Ukraine, Canada, Japan, Australia, USA, Germany
CVEs:
CVE-2012-0151 [Vulners]
Vulners: Score: 9.3, CVSS: 7.7,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows vista (*, *)
- microsoft windows server 2008 (r2, *, *, *, r2)
- microsoft windows xp (*, -)
- microsoft windows 7 (*, *)
- microsoft windows server 2003 (*)
have more...
CVE-2013-3900 [Vulners]
Vulners: Score: 7.6, CVSS: 7.3,
Vulners: Exploitation: True
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, r2, -)
- microsoft windows 7 (-)
- microsoft windows rt (-)
- microsoft windows 8.1 (-)
- microsoft windows server 2003 (-)
have more...
TTPs:
Tactics: 12
Technics: 53
IOCs:
IP: 4
File: 7
Hash: 18
Url: 33
WeLiveSecurity
ESET takes part in global operation to disrupt Zloader botnets
ESET has collaborated with partners Microsoft, Lumen’s Black Lotus Labs, Palo Alto Networks, and others in an attempt to disrupt known Zloader botnets.
#ParsedReport
14-04-2022
Old Gremlins, new methods
https://blog.group-ib.com/oldgremlin_comeback
Actors/Campaigns:
Oldgremlin
Molerats
Industry:
Healthcare, Financial, Petroleum
Geo:
Belarus, Russia
IOCs:
Domain: 12
File: 12
Url: 8
Path: 2
IP: 4
Hash: 5
#ParsedReport
14-04-2022
Zloader 2: The Silent Night
https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/?utm_source=rss&utm_medium=rss&utm_campaign=zloader-the-silent-night
Threats:
Z_loader
Zeus
Exodus
Raccoon_stealer
Gozi
Industry:
Financial
IOCs:
Hash: 5
File: 6
Registry: 1
Domain: 6
Gendigital
Zloader 2: The Silent Night
Banking Malware Analysis
#ParsedReport
18-04-2022
Orion Threat Alert: Flight of the BumbleBee. A new campaign in the wild: BumbleBee
https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee
Actors/Campaigns:
Exotic_lily
Wizard_spider
Molerats
Threats:
Bumblebee (tags: spam, malware, phishing, ransomware, rat)
Cobalt_strike
Lolbin
Fake-trusteer
Bazarbackdoor
Icedid
Conti
Lockbit
Avoslocker
Emotet
Industry:
Financial
TTPs:
Tactics: 6
Technics: 0
IOCs:
File: 15
Path: 1
IP: 9
Hash: 9
Domain: 3
Cynet XDR | Autonomous Breach Protection
Orion Threat Alert: Flight of the BumbleBee - Cynet XDR | Autonomous Breach Protection
End-to-end, natively automated, instant to deploy, and simple to use XDR platform with a 24/7 MDR service
#ParsedReport
18-04-2022
An Investigation of the BlackCat Ransomware via Trend Micro Vision One. Finding the threats
https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html
Threats:
Blackcat (tags: backdoor, scan, dns, ransomware, malware, rat)
Cobalt_strike (tags: ransomware)
Proxyshell_vuln
Proxylogon_exploit
Netscan_tool
Bloodhound_tool
Crackmapexec_tool
Mimikatz
Lolbin
CVEs:
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 13
IP: 2
Path: 1
Hash: 25
Domain: 1
Links:
https://github.com/Kevin-Robertson/Inveigh
Trend Micro
An Investigation of the BlackCat Ransomware via Trend Micro Vision One
We recently investigated a case related to the BlackCat ransomware group using the Trend Micro Vision One™ platform, which comes with extended detection and response (XDR) capabilities. BlackCat (aka AlphaVM or AlphaV) is a ransomware family created in the…
#ParsedReport
18-04-2022
From the Front Lines | Peering into A PYSA Ransomware Attack
https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack
Actors/Campaigns:
Quickbooks
Threats:
Mespinoza (tags: malware, phishing, ransomware, backdoor)
Lolbin
Cobalt_strike
Empire_loader
Chisel_tool
Powershell_ransomware
Psexec_tool
Koadic_tool
Mimikatz
Anydesk_tool
Magicsocks
Industry:
Government, Education, Healthcare
TTPs:
Tactics: 3
Technics: 19
IOCs:
File: 12
Path: 3
Hash: 40
Links:
https://github.com/winscp/winscp
https://github.com/jpillora/chisel
SentinelOne
From the Front Lines | Peering into A PYSA Ransomware Attack
Learn about PYSA ransomware's novel use of the Chisel tunneling tool and how to defend your organization against this and other crimeware actors.
#ParsedReport
18-04-2022
How to recover files encrypted by Yanluowang
https://securelist.com/how-to-recover-files-encrypted-by-yanlouwang/106332
Threats:
Yanluowang (tags: vpn, trojan, malware, ransomware, rat)
Industry:
Financial
Geo:
Brazil, Turkey, Chinese
IOCs:
File: 1
Hash: 2
Securelist
How to recover files encrypted by Yanluowang
Kaspersky experts have found a vulnerability in the Yanluowang encryption algorithm and created a free decryptor to help victims of this ransomware with recovering their files.
#ParsedReport
18-04-2022
Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team
https://www.infinitumit.com.tr/conti-ransomware-group-behind-the-karakurt-hacking-team
Threats:
Conti (tags: phishing, ransomware, malware, rat, dns, vpn, proxy)
Cobalt_strike
Anydesk_tool
Mimikatz
Metasploit_tool
Ligolo
Log4shell_vuln
Industry:
Government
Geo:
Germany, Canada, Russian
CVEs:
CVE-2021-44228 [Vulners]
Vulners: Score: 9.3, CVSS: 4.0,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- apache log4j (2.0, 2.0, 2.0, 2.0, <2.3.1, <2.12.2, <2.15.0)
- siemens sppa-t3000 ses3000 firmware (*)
- siemens captial (<2019.1, 2019.1, 2019.1)
- siemens comos (*)
- siemens desigo cc advanced reports (4.0, 4.1, 4.2, 5.0, 5.1)
have more...
TTPs:
Tactics: 9
Technics: 23
IOCs:
Domain: 1
IP: 21
File: 3
Url: 2
Links:
https://github.com/tnpitsecurity/ligolo-ng
https://github.com/infinitumitlabs
https://github.com/rapid7/metasploit-framework
https://github.com/Lozy/danted
https://github.com/SecureAuthCorp/impacket
https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI
InfinitumIT
Conti Ransomware Group Behind the Karakurt Hacking Team - InfinitumIT
#ParsedReport
19-04-2022
VajraSpy An Android RAT
https://labs.k7computing.com/index.php/vajraspy-an-android-rat
Actors/Campaigns:
Vajraeleph (tags: rat)
Threats:
Vajraspy (tags: spyware, malware, rat)
Cryptoclip
Geo:
Pakistani
IOCs:
File: 6
Hash: 1
K7 Labs
VajraSpy – An Android RAT
Collecting high profile users’ private information is the trend in recent times. We came across a twitter post that described […]
#ParsedReport
19-04-2022
BAZARLOADER: Unpacking an ISO File Infection. Step 1: Mounting ISO File & Extracting Stage 1 Executable
https://www.0ffset.net/reverse-engineering/bazarloader-iso-file-infection/?utm_source=rss&utm_medium=rss&utm_campaign=bazarloader-iso-file-infection
Threats:
Bazarbackdoor
Metasploit_tool
Cobalt_strike
IOCs:
File: 4
Hash: 1
Links:
https://github.com/OALabs/hashdb-ida
https://github.com/mandiant/flare-emu
https://github.com/OALabs/hashdb/blob/b3cc544fad41c749d04616663ac13f02bf1aaf37/algorithms/metasploit.py
https://github.com/OALabs/BlobRunner
0ffset Training Solutions | Practical and Affordable Cyber Security Training
BAZARLOADER: Unpacking an ISO File Infection - 0ffset Training Solutions
BAZARLOADER (aka BAZARBACKDOOR) is a Windows-based loader that spreads through attachments in phishing emails. During infection, it is common for BAZARLOADER to lead to Cobalt Strike execution
#technique
Not a report, but a description of yet another infosec jab at open source
https://checkmarx.com/blog/starjacking-making-your-new-open-source-package-popular-in-a-snap/
Checkmarx
StarJacking - Making Your New Open-Source Package Popular in a Snap
Checkmarx supply chain security has recently found a malicious PyPi package with more than 70,000 downloads using a technique we dubbed StarJacking - a way to make an open-source package instantly look popular by abusing the lack of validation between the…
#ParsedReport
20-04-2022
Nobelium - Israeli Embassy Maldoc
https://inquest.net/blog/2022/04/18/nobelium-israeli-embassy-maldoc
Actors/Campaigns:
Darkhalo
Threats:
Comrade_circle
Geo:
Israeli, Spain
IOCs:
Hash: 5
File: 1
Path: 1
Url: 2
InQuest
Nobelium - Israeli Embassy Maldoc - InQuest
We discovered an interesting sample that we believe is part of the Nobelium campaign, also known as Dark Halo. It contains an attractive visual lure representing a document from the Israeli embassy.
#ParsedReport
20-04-2022
Shuckworm: Espionage Group Continues Intense Campaign Against Ukraine
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-intense-campaign-ukraine
Actors/Campaigns:
Gamaredon (tags: malware, backdoor)
Threats:
Pterodo (tags: rat, dropper)
Geo:
Russian, Ukraine
IOCs:
File: 9
Path: 1
Domain: 1
Hash: 162
Url: 77
Links:
https://github.com/Symantec/threathunters/tree/main/Shuckworm
Security
Shuckworm: Espionage Group Continues Intense Campaign Against Ukraine
Russia-linked group is continually refining its malware and often deploying multiple payloads to maximize chances of maintaining a persistent presence on targeted networks.
#ParsedReport
20-04-2022
Reversing a NSIS dropper using quick and dirty shellcode emulation. The Excel document
https://malcat.fr/blog/reversing-a-nsis-dropper-using-quick-and-dirty-shellcode-emulation
Threats:
Nsis_dropper (tags: malware, stealer, rat)
Dbat_loader
Lokibot_stealer (tags: malware, rat, stealer)
CVEs:
CVE-2018-0798 [Vulners]
Vulners: Score: 9.3, CVSS: 9.3,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2010, 2016, 2016, 2007, 2013)
- microsoft word (2013, 2016, 2007, 2010, 2013)
- microsoft office compatibility pack (-)
IOCs:
Url: 1
File: 2
Hash: 4
Links:
https://github.com/mandiant/speakeasy
MALCAT
Reversing a NSIS dropper using quick and dirty shellcode emulation
We will statically unpack and emulate a malicious NSIS installer running multiple shellcodes, up to the final Lokibot password stealer and its configuration.
A Detailed Analysis of The SunCrypt Ransomware
https://securityscorecard.com/resources/analysis-of-the-suncrypt-ransomware
SecurityScorecard
A Detailed Analysis of The SunCrypt Ransomware
Vlad Pasca of LIFARS digs into the behavior of the SunCrypt Ransomware. SunCrypt ransomware is a less sophisticated malware that has impacted multiple companies since 2019. The malware can run one of a few parameters.
#ParsedReport
21-04-2022
LemonDuck Targets Docker for Cryptomining Operations
https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations
Threats:
Lemonduck (tags: botnet, dropper, rat, cryptomining, malware)
Proxylogon_exploit
Eternalblue_vuln
Bluekeep_vuln
Cr8escape_vuln
Xmrig_miner
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 2
Domain: 1
Links:
https://github.com/xmrig/xmrig-proxy
crowdstrike.com
LemonDuck Botnet Targets Docker for Cryptomining Operations | CrowdStrike
The CrowdStrike Cloud Threat Research team recently detected the LemonDuck botnet actively targeting Docker to mine cryptocurrency on the Linux platform.
#ParsedReport
21-04-2022
Hackers Spearphish Corporate Hiring Managers with Poisoned Resumes, Infecting Them with the More_Eggs Malware, Warns eSentire
https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware
Actors/Campaigns:
Venom_spider
Magecart (tags: ransomware, malware, backdoor)
Evilnum (tags: ransomware, malware, backdoor)
Threats:
More_eggs (tags: rat, ransomware, malware, phishing, backdoor)
Cobalt (tags: ransomware, malware, backdoor)
Terra_loader
Meterpreter_tool
Metasploit_tool
Terra_stealer
Lolbin
Industry:
Aerospace, Retail, Healthcare, E-commerce, Financial
Geo:
Canada
TTPs:
Tactics: 5
Technics: 28
IOCs:
File: 10
Hash: 5
eSentire
Hackers Spearphish Corporate Hiring Managers with Poisoned Resumes…
Read this blog to learn about the eSentire Threat Response Unit (TRU)’s recent discovery of a phishing campaign where hackers are posing as job…
#ParsedReport
21-04-2022
Warez users fell for Certishell. Sivpici.php5.sk
https://decoded.avast.io/danielbenes/warez-users-fell-for-certishell/?utm_source=rss&utm_medium=rss&utm_campaign=warez-users-fell-for-certishell
Threats:
Certishell (tags: fraud, ddos, ransomware, rat, malware, keylogger, cryptomining)
Xmrig_miner (tags: cryptomining)
Vmprotect (tags: cryptomining)
Filecoder
Themida_packer_tool (tags: cryptomining)
Geo:
Slovakia, Czech
IOCs:
Domain: 3
File: 33
Registry: 2
Url: 272
Hash: 554
Links:
https://github.com/monoxgas/sRDI
https://github.com/avast/ioc/blob/master/Certishell/samples.sha256
https://github.com/avast/ioc/blob/master/Certishell/network.txt
https://github.com/avast/ioc/tree/master/Certishell
Avast Threat Labs
Warez users fell for Certishell - Avast Threat Labs
Certishell deploys coinminers, remote access tools (RATs) and ransomware on machines in Czechia and Slovakia hidden within illegal copies of games, tools and music.