#ParsedReport
14-04-2022
Old Gremlins, new methods
https://blog.group-ib.com/oldgremlin_comeback
Actors/Campaigns:
Oldgremlin
Molerats
Industry:
Healthcare, Financial, Petroleum
Geo:
Belarus, Russia
IOCs:
Domain: 12
File: 12
Url: 8
Path: 2
IP: 4
Hash: 5
14-04-2022
Old Gremlins, new methods
https://blog.group-ib.com/oldgremlin_comeback
Actors/Campaigns:
Oldgremlin
Molerats
Industry:
Healthcare, Financial, Petroleum
Geo:
Belarus, Russia
IOCs:
Domain: 12
File: 12
Url: 8
Path: 2
IP: 4
Hash: 5
#ParsedReport
14-04-2022
Zloader 2: The Silent Night
https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/?utm_source=rss&utm_medium=rss&utm_campaign=zloader-the-silent-night
Threats:
Z_loader
Zeus
Exodus
Raccoon_stealer
Gozi
Industry:
Financial
IOCs:
Hash: 5
File: 6
Registry: 1
Domain: 6
14-04-2022
Zloader 2: The Silent Night
https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/?utm_source=rss&utm_medium=rss&utm_campaign=zloader-the-silent-night
Threats:
Z_loader
Zeus
Exodus
Raccoon_stealer
Gozi
Industry:
Financial
IOCs:
Hash: 5
File: 6
Registry: 1
Domain: 6
Gendigital
Zloader 2: The Silent Night
Banking Malware Analysis
#ParsedReport
18-04-2022
Orion Threat Alert: Flight of the BumbleBee. A new campaign in the wild: BumbleBee
https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee
Actors/Campaigns:
Exotic_lily
Wizard_spider
Molerats
Threats:
Bumblebee (tags: spam, malware, phishing, ransomware, rat)
Cobalt_strike
Lolbin
Fake-trusteer
Bazarbackdoor
Icedid
Conti
Lockbit
Avoslocker
Emotet
Industry:
Financial
TTPs:
Tactics: 6
Technics: 0
IOCs:
File: 15
Path: 1
IP: 9
Hash: 9
Domain: 3
18-04-2022
Orion Threat Alert: Flight of the BumbleBee. A new campaign in the wild: BumbleBee
https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee
Actors/Campaigns:
Exotic_lily
Wizard_spider
Molerats
Threats:
Bumblebee (tags: spam, malware, phishing, ransomware, rat)
Cobalt_strike
Lolbin
Fake-trusteer
Bazarbackdoor
Icedid
Conti
Lockbit
Avoslocker
Emotet
Industry:
Financial
TTPs:
Tactics: 6
Technics: 0
IOCs:
File: 15
Path: 1
IP: 9
Hash: 9
Domain: 3
Cynet XDR | Autonomous Breach Protection
Orion Threat Alert: Flight of the BumbleBee - Cynet XDR | Autonomous Breach Protection
End-to-end, natively automated, instant to deploy, and simple to use XDR platform with a 24/7 MDR service
#ParsedReport
18-04-2022
An Investigation of the BlackCat Ransomware via Trend Micro Vision One. Finding the threats
https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html
Threats:
Blackcat (tags: backdoor, scan, dns, ransomware, malware, rat)
Cobalt_strike (tags: ransomware)
Proxyshell_vuln
Proxylogon_exploit
Netscan_tool
Bloodhound_tool
Crackmapexec_tool
Mimikatz
Lolbin
CVEs:
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 13
IP: 2
Path: 1
Hash: 25
Domain: 1
Links:
18-04-2022
An Investigation of the BlackCat Ransomware via Trend Micro Vision One. Finding the threats
https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html
Threats:
Blackcat (tags: backdoor, scan, dns, ransomware, malware, rat)
Cobalt_strike (tags: ransomware)
Proxyshell_vuln
Proxylogon_exploit
Netscan_tool
Bloodhound_tool
Crackmapexec_tool
Mimikatz
Lolbin
CVEs:
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 13
IP: 2
Path: 1
Hash: 25
Domain: 1
Links:
https://github.com/Kevin-Robertson/InveighTrend Micro
An Investigation of the BlackCat Ransomware via Trend Micro Vision One
We recently investigated a case related to the BlackCat ransomware group using the Trend Micro Vision One™ platform, which comes with extended detection and response (XDR) capabilities. BlackCat (aka AlphaVM or AlphaV) is a ransomware family created in the…
#ParsedReport
18-04-2022
From the Front Lines \| Peering into A PYSA Ransomware Attack
https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack
Actors/Campaigns:
Quickbooks
Threats:
Mespinoza (tags: malware, phishing, ransomware, backdoor)
Lolbin
Cobalt_strike
Empire_loader
Chisel_tool
Powershell_ransomware
Psexec_tool
Koadic_tool
Mimikatz
Anydesk_tool
Magicsocks
Industry:
Government, Education, Healthcare
TTPs:
Tactics: 3
Technics: 19
IOCs:
File: 12
Path: 3
Hash: 40
Links:
18-04-2022
From the Front Lines \| Peering into A PYSA Ransomware Attack
https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack
Actors/Campaigns:
Quickbooks
Threats:
Mespinoza (tags: malware, phishing, ransomware, backdoor)
Lolbin
Cobalt_strike
Empire_loader
Chisel_tool
Powershell_ransomware
Psexec_tool
Koadic_tool
Mimikatz
Anydesk_tool
Magicsocks
Industry:
Government, Education, Healthcare
TTPs:
Tactics: 3
Technics: 19
IOCs:
File: 12
Path: 3
Hash: 40
Links:
https://github.com/winscp/winscphttps://github.com/jpillora/chiselSentinelOne
From the Front Lines | Peering into A PYSA Ransomware Attack
Learn about PYSA ransomware's novel use of the Chisel tunneling tool and how to defend your organization against this and other crimeware actors.
#ParsedReport
18-04-2022
How to recover files encrypted by Yanlouwang
https://securelist.com/how-to-recover-files-encrypted-by-yanlouwang/106332
Threats:
Yanluowang (tags: vpn, trojan, malware, ransomware, rat)
Industry:
Financial
Geo:
Brazil, Turkey, Chinese
IOCs:
File: 1
Hash: 2
18-04-2022
How to recover files encrypted by Yanlouwang
https://securelist.com/how-to-recover-files-encrypted-by-yanlouwang/106332
Threats:
Yanluowang (tags: vpn, trojan, malware, ransomware, rat)
Industry:
Financial
Geo:
Brazil, Turkey, Chinese
IOCs:
File: 1
Hash: 2
Securelist
How to recover files encrypted by Yanluowang
Kaspersky experts have found a vulnerability in the Yanluowang encryption algorithm and created a free decryptor to help victims of this ransomware with recovering their files.
#ParsedReport
18-04-2022
Threat Spotlight: Conti Ransomware Group Behind theKarakurt Hacking Team. Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team
https://www.infinitumit.com.tr/conti-ransomware-group-behind-the-karakurt-hacking-team
Threats:
Conti (tags: phishing, ransomware, malware, rat, dns, vpn, proxy)
Cobalt_strike
Anydesk_tool
Mimikatz
Metasploit_tool
Ligolo
Log4shell_vuln
Industry:
Government
Geo:
Germany, Canada, Russian
CVEs:
CVE-2021-44228 [Vulners]
Vulners: Score: 9.3, CVSS: 4.0,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- apache log4j (2.0, 2.0, 2.0, 2.0, <2.3.1, <2.12.2, <2.15.0)
- siemens sppa-t3000 ses3000 firmware (*)
- siemens captial (<2019.1, 2019.1, 2019.1)
- siemens comos (*)
- siemens desigo cc advanced reports (4.0, 4.1, 4.2, 5.0, 5.1)
have more...
TTPs:
Tactics: 9
Technics: 23
IOCs:
Domain: 1
IP: 21
File: 3
Url: 2
Links:
18-04-2022
Threat Spotlight: Conti Ransomware Group Behind theKarakurt Hacking Team. Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team
https://www.infinitumit.com.tr/conti-ransomware-group-behind-the-karakurt-hacking-team
Threats:
Conti (tags: phishing, ransomware, malware, rat, dns, vpn, proxy)
Cobalt_strike
Anydesk_tool
Mimikatz
Metasploit_tool
Ligolo
Log4shell_vuln
Industry:
Government
Geo:
Germany, Canada, Russian
CVEs:
CVE-2021-44228 [Vulners]
Vulners: Score: 9.3, CVSS: 4.0,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- apache log4j (2.0, 2.0, 2.0, 2.0, <2.3.1, <2.12.2, <2.15.0)
- siemens sppa-t3000 ses3000 firmware (*)
- siemens captial (<2019.1, 2019.1, 2019.1)
- siemens comos (*)
- siemens desigo cc advanced reports (4.0, 4.1, 4.2, 5.0, 5.1)
have more...
TTPs:
Tactics: 9
Technics: 23
IOCs:
Domain: 1
IP: 21
File: 3
Url: 2
Links:
https://github.com/tnpitsecurity/ligolo-nghttps://github.com/infinitumitlabshttps://github.com/rapid7/metasploit-frameworkhttps://github.com/Lozy/dantedhttps://github.com/SecureAuthCorp/impackethttps://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTIInfinitumIT
Conti Ransomware Group Behind the Karakurt Hacking Team - InfinitumIT
Rapor Conti Ransomware Group Behind the Karakurt Hacking Team Ücretsiz İndir Conti Ransomware Group Behind the Karakurt Hacking Team Rapor Kayıt Formu Bilgilendirme, tanıtım ve reklam amaçlı ileti ve SMS gönderilmesi için, Kullanım şartlarını ve Hizmet Sözleşmesini…
#ParsedReport
19-04-2022
VajraSpy An Android RAT
https://labs.k7computing.com/index.php/vajraspy-an-android-rat
Actors/Campaigns:
Vajraeleph (tags: rat)
Threats:
Vajraspy (tags: spyware, malware, rat)
Cryptoclip
Geo:
Pakistani
IOCs:
File: 6
Hash: 1
19-04-2022
VajraSpy An Android RAT
https://labs.k7computing.com/index.php/vajraspy-an-android-rat
Actors/Campaigns:
Vajraeleph (tags: rat)
Threats:
Vajraspy (tags: spyware, malware, rat)
Cryptoclip
Geo:
Pakistani
IOCs:
File: 6
Hash: 1
K7 Labs
VajraSpy – An Android RAT
Collecting high profile users’ private information is the trend in recent times. We came across a twitter post that described […]
#ParsedReport
19-04-2022
BAZARLOADER: Unpacking an ISO File Infection. Step 1: Mounting ISO File & Extracting Stage 1 Executable
https://www.0ffset.net/reverse-engineering/bazarloader-iso-file-infection/?utm_source=rss&utm_medium=rss&utm_campaign=bazarloader-iso-file-infection
Threats:
Bazarbackdoor
Metasploit_tool
Cobalt_strike
IOCs:
File: 4
Hash: 1
Links:
19-04-2022
BAZARLOADER: Unpacking an ISO File Infection. Step 1: Mounting ISO File & Extracting Stage 1 Executable
https://www.0ffset.net/reverse-engineering/bazarloader-iso-file-infection/?utm_source=rss&utm_medium=rss&utm_campaign=bazarloader-iso-file-infection
Threats:
Bazarbackdoor
Metasploit_tool
Cobalt_strike
IOCs:
File: 4
Hash: 1
Links:
https://github.com/OALabs/hashdb-idahttps://github.com/mandiant/flare-emuhttps://github.com/OALabs/hashdb/blob/b3cc544fad41c749d04616663ac13f02bf1aaf37/algorithms/metasploit.pyhttps://github.com/OALabs/BlobRunner0ffset Training Solutions | Practical and Affordable Cyber Security Training
BAZARLOADER: Unpacking an ISO File Infection - 0ffset Training Solutions
BAZARLOADER (aka BAZARBACKDOOR) is a Windows-based loader that spreads through attachments in phishing emails. During infection, it is common for BAZARLOADER to lead to Cobalt Strike execution
#technique
Не отчет, но описание еще одного ИБ-камня в огород open source
https://checkmarx.com/blog/starjacking-making-your-new-open-source-package-popular-in-a-snap/
Не отчет, но описание еще одного ИБ-камня в огород open source
https://checkmarx.com/blog/starjacking-making-your-new-open-source-package-popular-in-a-snap/
Checkmarx
StarJacking - Making Your New Open-Source Package Popular in a Snap
Checkmarx supply chain security has recently found a malicious PyPi package with more than 70,000 downloads using a technique we dubbed StarJacking - a way to make an open-source package instantly look popular by abusing the lack of validation between the…
#ParsedReport
20-04-2022
Nobelium - Israeli Embassy Maldoc
https://inquest.net/blog/2022/04/18/nobelium-israeli-embassy-maldoc
Actors/Campaigns:
Darkhalo
Threats:
Comrade_circle
Geo:
Israeli, Spain
IOCs:
Hash: 5
File: 1
Path: 1
Url: 2
20-04-2022
Nobelium - Israeli Embassy Maldoc
https://inquest.net/blog/2022/04/18/nobelium-israeli-embassy-maldoc
Actors/Campaigns:
Darkhalo
Threats:
Comrade_circle
Geo:
Israeli, Spain
IOCs:
Hash: 5
File: 1
Path: 1
Url: 2
InQuest
Nobelium - Israeli Embassy Maldoc - InQuest
We discovered an interesting sample that we believe is part of the Nobelium campaign, also known as Dark Halo. It contains an attractive visual lure representing a document from the Israeli embassy.
#ParsedReport
20-04-2022
Shuckworm: Espionage Group Continues Intense Campaign Against Ukraine
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-intense-campaign-ukraine
Actors/Campaigns:
Gamaredon (tags: malware, backdoor)
Threats:
Pterodo (tags: rat, dropper)
Geo:
Russian, Ukraine
IOCs:
File: 9
Path: 1
Domain: 1
Hash: 162
Url: 77
Links:
20-04-2022
Shuckworm: Espionage Group Continues Intense Campaign Against Ukraine
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-intense-campaign-ukraine
Actors/Campaigns:
Gamaredon (tags: malware, backdoor)
Threats:
Pterodo (tags: rat, dropper)
Geo:
Russian, Ukraine
IOCs:
File: 9
Path: 1
Domain: 1
Hash: 162
Url: 77
Links:
https://github.com/Symantec/threathunters/tree/main/ShuckwormSecurity
Shuckworm: Espionage Group Continues Intense Campaign Against Ukraine
Russia-linked group is continually refining its malware and often deploying multiple payloads to maximize chances of maintaining a persistent presence on targeted networks.
#ParsedReport
20-04-2022
Reversing a NSIS dropper using quick and dirty shellcode emulation. The Excel document
https://malcat.fr/blog/reversing-a-nsis-dropper-using-quick-and-dirty-shellcode-emulation
Threats:
Nsis_dropper (tags: malware, stealer, rat)
Dbat_loader
Lokibot_stealer (tags: malware, rat, stealer)
CVEs:
CVE-2018-0798 [Vulners]
Vulners: Score: 9.3, CVSS: 9.3,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2010, 2016, 2016, 2007, 2013)
- microsoft word (2013, 2016, 2007, 2010, 2013)
- microsoft office compatibility pack (-)
IOCs:
Url: 1
File: 2
Hash: 4
Links:
20-04-2022
Reversing a NSIS dropper using quick and dirty shellcode emulation. The Excel document
https://malcat.fr/blog/reversing-a-nsis-dropper-using-quick-and-dirty-shellcode-emulation
Threats:
Nsis_dropper (tags: malware, stealer, rat)
Dbat_loader
Lokibot_stealer (tags: malware, rat, stealer)
CVEs:
CVE-2018-0798 [Vulners]
Vulners: Score: 9.3, CVSS: 9.3,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2010, 2016, 2016, 2007, 2013)
- microsoft word (2013, 2016, 2007, 2010, 2013)
- microsoft office compatibility pack (-)
IOCs:
Url: 1
File: 2
Hash: 4
Links:
https://github.com/mandiant/speakeasyMALCAT
Reversing a NSIS dropper using quick and dirty shellcode emulation
We will statically unpack and emulate a malicious NSIS installer running multiple shellcodes, up to the final Lokibot password stealer and its configuration.
A Detailed Analysis of The SunCrypt Ransomware
https://securityscorecard.com/resources/analysis-of-the-suncrypt-ransomware
https://securityscorecard.com/resources/analysis-of-the-suncrypt-ransomware
SecurityScorecard
A Detailed Analysis of The SunCrypt Ransomware
Vlad Pasca of LIFARS digs into the behavior of the SunCrypt Ransomware. SunCrypt ransomware is a less sophisticated malware that has impacted multiple companies since 2019. The malware can run one of a few parameters.
#ParsedReport
21-04-2022
LemonDuck Targets Docker for Cryptomining Operations
https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations
Threats:
Lemonduck (tags: botnet, dropper, rat, cryptomining, malware)
Proxylogon_exploit
Eternalblue_vuln
Bluekeep_vuln
Cr8escape_vuln
Xmrig_miner
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 2
Domain: 1
Links:
21-04-2022
LemonDuck Targets Docker for Cryptomining Operations
https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations
Threats:
Lemonduck (tags: botnet, dropper, rat, cryptomining, malware)
Proxylogon_exploit
Eternalblue_vuln
Bluekeep_vuln
Cr8escape_vuln
Xmrig_miner
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 2
Domain: 1
Links:
https://github.com/xmrig/xmrig-proxycrowdstrike.com
LemonDuck Botnet Targets Docker for Cryptomining Operations | CrowdStrike
The CrowdStrike Cloud Threat Research team recently detected the LemonDuck botnet actively targeting Docker to mine cryptocurrency on the Linux platform.
#ParsedReport
21-04-2022
Hackers Spearphish Corporate Hiring Managers with Poisoned Resumes, Infecting Them with the More_Eggs Malware, Warns eSentire
https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware
Actors/Campaigns:
Venom_spider
Magecart (tags: ransomware, malware, backdoor)
Evilnum (tags: ransomware, malware, backdoor)
Threats:
More_eggs (tags: rat, ransomware, malware, phishing, backdoor)
Cobalt (tags: ransomware, malware, backdoor)
Terra_loader
Meterpreter_tool
Metasploit_tool
Terra_stealer
Lolbin
Industry:
Aerospace, Retail, Healthcare, E-commerce, Financial
Geo:
Canada
TTPs:
Tactics: 5
Technics: 28
IOCs:
File: 10
Hash: 5
21-04-2022
Hackers Spearphish Corporate Hiring Managers with Poisoned Resumes, Infecting Them with the More_Eggs Malware, Warns eSentire
https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware
Actors/Campaigns:
Venom_spider
Magecart (tags: ransomware, malware, backdoor)
Evilnum (tags: ransomware, malware, backdoor)
Threats:
More_eggs (tags: rat, ransomware, malware, phishing, backdoor)
Cobalt (tags: ransomware, malware, backdoor)
Terra_loader
Meterpreter_tool
Metasploit_tool
Terra_stealer
Lolbin
Industry:
Aerospace, Retail, Healthcare, E-commerce, Financial
Geo:
Canada
TTPs:
Tactics: 5
Technics: 28
IOCs:
File: 10
Hash: 5
eSentire
Hackers Spearphish Corporate Hiring Managers with Poisoned Resumes…
Read this blog to learn about the eSentire Threat Response Unit (TRU)’s recent discovery of a phishing campaign where hackers are posing as job…
#ParsedReport
21-04-2022
Warez users fell for Certishell. Sivpici\.php5\.sk
https://decoded.avast.io/danielbenes/warez-users-fell-for-certishell/?utm_source=rss&utm_medium=rss&utm_campaign=warez-users-fell-for-certishell
Threats:
Certishell (tags: fraud, ddos, ransomware, rat, malware, keylogger, cryptomining)
Xmrig_miner (tags: cryptomining)
Vmprotect (tags: cryptomining)
Filecoder
Themida_packer_tool (tags: cryptomining)
Geo:
Slovakia, Czech
IOCs:
Domain: 3
File: 33
Registry: 2
Url: 272
Hash: 554
Links:
21-04-2022
Warez users fell for Certishell. Sivpici\.php5\.sk
https://decoded.avast.io/danielbenes/warez-users-fell-for-certishell/?utm_source=rss&utm_medium=rss&utm_campaign=warez-users-fell-for-certishell
Threats:
Certishell (tags: fraud, ddos, ransomware, rat, malware, keylogger, cryptomining)
Xmrig_miner (tags: cryptomining)
Vmprotect (tags: cryptomining)
Filecoder
Themida_packer_tool (tags: cryptomining)
Geo:
Slovakia, Czech
IOCs:
Domain: 3
File: 33
Registry: 2
Url: 272
Hash: 554
Links:
https://github.com/monoxgas/sRDI
https://github.com/avast/ioc/blob/master/Certishell/samples.sha256
https://github.com/avast/ioc/blob/master/Certishell/network.txt
https://github.com/avast/ioc/tree/master/CertishellAvast Threat Labs
Warez users fell for Certishell - Avast Threat Labs
Certishell deploys coinminers, remote access tools (RATs) and ransomware on machines in Czechia and Slovakia hidden within illegal copies of games, tools and music.
#ParsedReport
21-04-2022
Android/Bianlian Botnet Trying to Bypass Photo TAN Used for Mobile Banking
https://www.fortinet.com/blog/threat-research/android-bianlian-botnet-mobile-banking
Threats:
Hydra (tags: botnet, malware)
Industry:
Financial
IOCs:
Hash: 1
Url: 2
File: 6
21-04-2022
Android/Bianlian Botnet Trying to Bypass Photo TAN Used for Mobile Banking
https://www.fortinet.com/blog/threat-research/android-bianlian-botnet-mobile-banking
Threats:
Hydra (tags: botnet, malware)
Industry:
Financial
IOCs:
Hash: 1
Url: 2
File: 6
Fortinet Blog
Android/Bianlian Botnet Trying to Bypass Photo TAN Used for Mobile Banking
FortiGuard Labs has been closely investigating the Android BianLian botnet (also known as Hydra). Although it emerged in 2018, it is still alive in 2022. Our blog provides a brief analysis as well …
#ParsedReport
21-04-2022
New BotenaGo Variant Discovered by Nozomi Networks Labs
https://www.nozominetworks.com/blog/new-botenago-variant-discovered-by-nozomi-networks-labs
Threats:
Botenago (tags: botnet, scan, malware)
Alien
Lillin_scanner_tool (tags: malware)
Mirai (tags: botnet, scan, malware)
Log4shell_vuln
Industry:
Energy, Iot, Media
IOCs:
IP: 1
Hash: 3
21-04-2022
New BotenaGo Variant Discovered by Nozomi Networks Labs
https://www.nozominetworks.com/blog/new-botenago-variant-discovered-by-nozomi-networks-labs
Threats:
Botenago (tags: botnet, scan, malware)
Alien
Lillin_scanner_tool (tags: malware)
Mirai (tags: botnet, scan, malware)
Log4shell_vuln
Industry:
Energy, Iot, Media
IOCs:
IP: 1
Hash: 3
Nozominetworks
New BotenaGo Variant Discovered by Nozomi Networks Labs
Lillin scanner is a new variant of the BotenaGo malware that specifically targets Lilin security camera DVR devices, discovered by Nozomi Networks Labs.
#ParsedReport
21-04-2022
Analyzing Attempts to Exploit the Spring4Shell Vulnerability CVE-2022-22965 to Deploy Cryptocurrency Miners. A high number of exploitation attempts
https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html
Threats:
Spring4shell (tags: cryptomining, malware, botnet, rat)
Mirai (tags: cryptomining)
Malxmr_miner
CVEs:
CVE-2022-22965 [Vulners]
Vulners: Score: 7.5, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- vmware spring framework (<5.2.20, <5.3.18)
- cisco cx cloud agent (<2.1.0)
- oracle communications cloud native core automated test suite (1.9.0, 22.1.0)
- oracle communications cloud native core console (1.9.0, 22.1.0)
- oracle communications cloud native core network exposure function (22.1.0)
have more...
IOCs:
File: 2
Path: 1
IP: 1
Hash: 4
21-04-2022
Analyzing Attempts to Exploit the Spring4Shell Vulnerability CVE-2022-22965 to Deploy Cryptocurrency Miners. A high number of exploitation attempts
https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html
Threats:
Spring4shell (tags: cryptomining, malware, botnet, rat)
Mirai (tags: cryptomining)
Malxmr_miner
CVEs:
CVE-2022-22965 [Vulners]
Vulners: Score: 7.5, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- vmware spring framework (<5.2.20, <5.3.18)
- cisco cx cloud agent (<2.1.0)
- oracle communications cloud native core automated test suite (1.9.0, 22.1.0)
- oracle communications cloud native core console (1.9.0, 22.1.0)
- oracle communications cloud native core network exposure function (22.1.0)
have more...
IOCs:
File: 2
Path: 1
IP: 1
Hash: 4
Trend Micro
Spring4Shell Vulnerability CVE-2022-22965 Exploited to Deploy Cryptocurrency Miners
Recently, we observed the Spring4Shell vulnerability — a remote code execution bug, assigned as CVE-2022-22965 — being actively exploited by malicious actors to deploy cryptocurrency miners.
#ParsedReport
21-04-2022
Threat Assessment: BlackByte Ransomware
https://unit42.paloaltonetworks.com/blackbyte-ransomware
Threats:
Blackbyte (tags: proxy, spyware, rat, malware, ransomware, dns)
Proxyshell_vuln (tags: ransomware)
Lockbit
Cobalt_strike (tags: ransomware)
Industry:
Energy, E-commerce, Financial, Ics
Geo:
America, Asia, Africa, Australia, Canada, Russian, Apac, Japan, Emea
CVEs:
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
TTPs:
Tactics: 10
Technics: 17
IOCs:
IP: 7
Domain: 1
File: 9
Registry: 1
Coin: 1
Links:
21-04-2022
Threat Assessment: BlackByte Ransomware
https://unit42.paloaltonetworks.com/blackbyte-ransomware
Threats:
Blackbyte (tags: proxy, spyware, rat, malware, ransomware, dns)
Proxyshell_vuln (tags: ransomware)
Lockbit
Cobalt_strike (tags: ransomware)
Industry:
Energy, E-commerce, Financial, Ics
Geo:
America, Asia, Africa, Australia, Canada, Russian, Apac, Japan, Emea
CVEs:
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
TTPs:
Tactics: 10
Technics: 17
IOCs:
IP: 7
Domain: 1
File: 9
Registry: 1
Coin: 1
Links:
https://github.com/SpiderLabs/BlackByteDecryptorUnit 42
Threat Assessment: BlackByte Ransomware
BlackByte is ransomware as a service that emerged in July 2021. Read our overview and recommended courses of action for mitigation.