#technique
Not a report, but a description of yet another infosec dig at open source
https://checkmarx.com/blog/starjacking-making-your-new-open-source-package-popular-in-a-snap/
Checkmarx
StarJacking - Making Your New Open-Source Package Popular in a Snap
Checkmarx supply chain security has recently found a malicious PyPi package with more than 70,000 downloads using a technique we dubbed StarJacking - a way to make an open-source package instantly look popular by abusing the lack of validation between the…
#ParsedReport
20-04-2022
Nobelium - Israeli Embassy Maldoc
https://inquest.net/blog/2022/04/18/nobelium-israeli-embassy-maldoc
Actors/Campaigns:
Darkhalo
Threats:
Comrade_circle
Geo:
Israeli, Spain
IOCs:
Hash: 5
File: 1
Path: 1
Url: 2
InQuest
Nobelium - Israeli Embassy Maldoc - InQuest
We discovered an interesting sample that we believe is part of the Nobelium campaign, also known as Dark Halo. It contains an attractive visual lure representing a document from the Israeli embassy.
#ParsedReport
20-04-2022
Shuckworm: Espionage Group Continues Intense Campaign Against Ukraine
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-intense-campaign-ukraine
Actors/Campaigns:
Gamaredon (tags: malware, backdoor)
Threats:
Pterodo (tags: rat, dropper)
Geo:
Russian, Ukraine
IOCs:
File: 9
Path: 1
Domain: 1
Hash: 162
Url: 77
Links:
https://github.com/Symantec/threathunters/tree/main/ShuckwormSecurity
Shuckworm: Espionage Group Continues Intense Campaign Against Ukraine
Russia-linked group is continually refining its malware and often deploying multiple payloads to maximize chances of maintaining a persistent presence on targeted networks.
#ParsedReport
20-04-2022
Reversing a NSIS dropper using quick and dirty shellcode emulation. The Excel document
https://malcat.fr/blog/reversing-a-nsis-dropper-using-quick-and-dirty-shellcode-emulation
Threats:
Nsis_dropper (tags: malware, stealer, rat)
Dbat_loader
Lokibot_stealer (tags: malware, rat, stealer)
CVEs:
CVE-2018-0798 [Vulners]
Vulners: Score: 9.3, CVSS: 9.3,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2010, 2016, 2016, 2007, 2013)
- microsoft word (2013, 2016, 2007, 2010, 2013)
- microsoft office compatibility pack (-)
IOCs:
Url: 1
File: 2
Hash: 4
Links:
https://github.com/mandiant/speakeasy
MALCAT
Reversing a NSIS dropper using quick and dirty shellcode emulation
We will statically unpack and emulate a malicious NSIS installer running multiple shellcodes, up to the final Lokibot password stealer and its configuration.
A Detailed Analysis of The SunCrypt Ransomware
https://securityscorecard.com/resources/analysis-of-the-suncrypt-ransomware
SecurityScorecard
A Detailed Analysis of The SunCrypt Ransomware
Vlad Pasca of LIFARS digs into the behavior of the SunCrypt Ransomware. SunCrypt ransomware is a less sophisticated malware that has impacted multiple companies since 2019. The malware can run one of a few parameters.
#ParsedReport
21-04-2022
LemonDuck Targets Docker for Cryptomining Operations
https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations
Threats:
Lemonduck (tags: botnet, dropper, rat, cryptomining, malware)
Proxylogon_exploit
Eternalblue_vuln
Bluekeep_vuln
Cr8escape_vuln
Xmrig_miner
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 2
Domain: 1
Links:
https://github.com/xmrig/xmrig-proxy
crowdstrike.com
LemonDuck Botnet Targets Docker for Cryptomining Operations | CrowdStrike
The CrowdStrike Cloud Threat Research team recently detected the LemonDuck botnet actively targeting Docker to mine cryptocurrency on the Linux platform.
#ParsedReport
21-04-2022
Hackers Spearphish Corporate Hiring Managers with Poisoned Resumes, Infecting Them with the More_Eggs Malware, Warns eSentire
https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware
Actors/Campaigns:
Venom_spider
Magecart (tags: ransomware, malware, backdoor)
Evilnum (tags: ransomware, malware, backdoor)
Threats:
More_eggs (tags: rat, ransomware, malware, phishing, backdoor)
Cobalt (tags: ransomware, malware, backdoor)
Terra_loader
Meterpreter_tool
Metasploit_tool
Terra_stealer
Lolbin
Industry:
Aerospace, Retail, Healthcare, E-commerce, Financial
Geo:
Canada
TTPs:
Tactics: 5
Technics: 28
IOCs:
File: 10
Hash: 5
eSentire
Hackers Spearphish Corporate Hiring Managers with Poisoned Resumes…
Read this blog to learn about the eSentire Threat Response Unit (TRU)’s recent discovery of a phishing campaign where hackers are posing as job…
#ParsedReport
21-04-2022
Warez users fell for Certishell. Sivpici.php5.sk
https://decoded.avast.io/danielbenes/warez-users-fell-for-certishell/?utm_source=rss&utm_medium=rss&utm_campaign=warez-users-fell-for-certishell
Threats:
Certishell (tags: fraud, ddos, ransomware, rat, malware, keylogger, cryptomining)
Xmrig_miner (tags: cryptomining)
Vmprotect (tags: cryptomining)
Filecoder
Themida_packer_tool (tags: cryptomining)
Geo:
Slovakia, Czech
IOCs:
Domain: 3
File: 33
Registry: 2
Url: 272
Hash: 554
Links:
https://github.com/monoxgas/sRDI
https://github.com/avast/ioc/blob/master/Certishell/samples.sha256
https://github.com/avast/ioc/blob/master/Certishell/network.txt
https://github.com/avast/ioc/tree/master/Certishell
Avast Threat Labs
Warez users fell for Certishell - Avast Threat Labs
Certishell deploys coinminers, remote access tools (RATs) and ransomware on machines in Czechia and Slovakia hidden within illegal copies of games, tools and music.
#ParsedReport
21-04-2022
Android/Bianlian Botnet Trying to Bypass Photo TAN Used for Mobile Banking
https://www.fortinet.com/blog/threat-research/android-bianlian-botnet-mobile-banking
Threats:
Hydra (tags: botnet, malware)
Industry:
Financial
IOCs:
Hash: 1
Url: 2
File: 6
Fortinet Blog
Android/Bianlian Botnet Trying to Bypass Photo TAN Used for Mobile Banking
FortiGuard Labs has been closely investigating the Android BianLian botnet (also known as Hydra). Although it emerged in 2018, it is still alive in 2022. Our blog provides a brief analysis as well …
#ParsedReport
21-04-2022
New BotenaGo Variant Discovered by Nozomi Networks Labs
https://www.nozominetworks.com/blog/new-botenago-variant-discovered-by-nozomi-networks-labs
Threats:
Botenago (tags: botnet, scan, malware)
Alien
Lillin_scanner_tool (tags: malware)
Mirai (tags: botnet, scan, malware)
Log4shell_vuln
Industry:
Energy, Iot, Media
IOCs:
IP: 1
Hash: 3
Nozominetworks
New BotenaGo Variant Discovered by Nozomi Networks Labs
Lillin scanner is a new variant of the BotenaGo malware that specifically targets Lilin security camera DVR devices, discovered by Nozomi Networks Labs.
#ParsedReport
21-04-2022
Analyzing Attempts to Exploit the Spring4Shell Vulnerability CVE-2022-22965 to Deploy Cryptocurrency Miners. A high number of exploitation attempts
https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html
Threats:
Spring4shell (tags: cryptomining, malware, botnet, rat)
Mirai (tags: cryptomining)
Malxmr_miner
CVEs:
CVE-2022-22965 [Vulners]
Vulners: Score: 7.5, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- vmware spring framework (<5.2.20, <5.3.18)
- cisco cx cloud agent (<2.1.0)
- oracle communications cloud native core automated test suite (1.9.0, 22.1.0)
- oracle communications cloud native core console (1.9.0, 22.1.0)
- oracle communications cloud native core network exposure function (22.1.0)
have more...
IOCs:
File: 2
Path: 1
IP: 1
Hash: 4
Trend Micro
Spring4Shell Vulnerability CVE-2022-22965 Exploited to Deploy Cryptocurrency Miners
Recently, we observed the Spring4Shell vulnerability — a remote code execution bug, assigned as CVE-2022-22965 — being actively exploited by malicious actors to deploy cryptocurrency miners.
#ParsedReport
21-04-2022
Threat Assessment: BlackByte Ransomware
https://unit42.paloaltonetworks.com/blackbyte-ransomware
Threats:
Blackbyte (tags: proxy, spyware, rat, malware, ransomware, dns)
Proxyshell_vuln (tags: ransomware)
Lockbit
Cobalt_strike (tags: ransomware)
Industry:
Energy, E-commerce, Financial, Ics
Geo:
America, Asia, Africa, Australia, Canada, Russian, Apac, Japan, Emea
CVEs:
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
TTPs:
Tactics: 10
Technics: 17
IOCs:
IP: 7
Domain: 1
File: 9
Registry: 1
Coin: 1
Links:
https://github.com/SpiderLabs/BlackByteDecryptor
Unit 42
Threat Assessment: BlackByte Ransomware
BlackByte is ransomware as a service that emerged in July 2021. Read our overview and recommended courses of action for mitigation.
#ParsedReport
22-04-2022
Blackbyte Ransomware. Threat Description
https://blogs.juniper.net/en-us/threat-labs-knowledge-base/blackbyte-ransomware
Threats:
Blackbyte (tags: ransomware, malware)
Conti
Ryuk
Industry:
Government, Financial
IOCs:
Hash: 41
Path: 7
File: 3
Url: 1
IP: 1
Juniper Networks
Threat Description
Threat Description Sha256: 1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad Blackbyte has been known to be a Ransomware-as-a-Service (RaaS) since July 2021. It was reported that it was used in infecting organizations in at least three
#ParsedReport
22-04-2022
TeamTNT targeting AWS, Alibaba
http://blog.talosintelligence.com/2022/04/teamtnt-targeting-aws-alibaba.html
Actors/Campaigns:
Teamtnt (tags: malware, scan, stealer, dns, cryptomining, rat, rootkit)
Chimaera
Threats:
Xmrig_miner
Tsunami_botnet
Hildegard
Pnscan_tool
Masscan_tool
Zgrab_scanner_tool
Industry:
Financial
Geo:
German
TTPs:
Tactics: 1
Technics: 7
IOCs:
Domain: 2
IP: 10
Url: 12
File: 8
Coin: 5
Email: 1
Hash: 50
Links:
https://github.com/weaveworks/scope/
https://github.com/tmate-io/tmate/releases/download/2.4.0/tmate-2.4.0-static-linux-amd64.tar.xz
https://github.com/rainbowminer/RainbowMiner
https://github.com/Lolliedieb/lolMiner-releases/releases/download/1.31/lolMiner_v1.31_Lin64.tar.gz
https://github.com/PowerShell/PowerShell/releases/download/v7.1.3/powershell_7.1.3-1.ubuntu.18.04_amd64.
#ParsedReport
22-04-2022
Threat Source newsletter (April 21, 2022) Sideloading apps is as safe as you make it
http://blog.talosintelligence.com/2022/04/threat-source-newsletter-april-21-2022.html
Actors/Campaigns:
Gamaredon
Teamtnt
Threats:
Zingo_stealer
Redline_stealer
Xmrig_miner
Industry:
Energy
Geo:
Russian
IOCs:
Hash: 10
File: 5
Cisco Talos Blog
Threat Source newsletter (April 21, 2022) — Sideloading apps is as safe as you make it
Welcome to this week’s edition of the Threat Source newsletter.
If you pay attention to the video game community as much as I do, you’ve been closely following the ongoing legal battle between Apple and Epic over the sale of “Fortnite” on the Apple App Store.…
#ParsedReport
22-04-2022
Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise
https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise
Threats:
Nokoyawa (tags: malware, ransomware)
Karma (tags: malware, ransomware)
Nemty (tags: malware, ransomware)
Hive
Industry:
Financial
IOCs:
File: 1
Hash: 4
YARA: Found
SentinelOne
Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise
Nemty developers have created a new, flawed update to the Karma ransomware variant in a bid to avoid detection and mislead attribution.
#ParsedReport
22-04-2022
Hive Ransomware Analysis
https://www.varonis.com/blog/hive-ransomware-analysis
Threats:
Hive (tags: backdoor, ransomware, scan, phishing, malware, vpn)
Proxyshell_vuln (tags: backdoor, malware)
Cobalt_strike (tags: malware)
Mimikatz
Log4shell_vuln
Emotet
Icedid
Qakbot
Conti
Industry:
Energy, Healthcare, Retail
Geo:
Netherlands, Usa
CVEs:
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
TTPs:
Tactics: 10
Technics: 19
IOCs:
File: 7
IP: 4
Registry: 1
Hash: 7
Links:
https://github.com/ThePacketBender/webshells
Varonis
Hive Ransomware Analysis
Learn how Hive ransomware exploits public servers, spreads through your network, encrypts sensitive files, and exports victims for cryptocurrency.
#ParsedReport
22-04-2022
Threat Thursday: BlackGuard Infostealer Rises from Russian Underground Markets
https://blogs.blackberry.com/en/2022/04/threat-thursday-blackguard-infostealer
Threats:
Blackguard_stealer (tags: stealer, malware, ransomware, vpn)
Arkei_stealer (tags: stealer)
Bhunt_stealer (tags: stealer)
Exodus
Industry:
Financial
Geo:
Tajikistan, Belarus, Ireland, Ukraine, Azerbaijan, Russia, Kyrgyzstan, Uzbekistan
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 11
Path: 5
Coin: 1
Hash: 5
Url: 4
YARA: Found
BlackBerry
Threat Thursday: BlackGuard Infostealer Rises from Russian Underground Markets
BlackGuard is one of the latest .NET-based information-stealers to rise to prominence in the Russian underground markets. Its focus is on web-browsers, cryptocurrency services, and cold-wallets. The malware will additionally target VPN clients, instant messaging…
#ParsedReport
23-04-2022
ASEC Weekly Malware Statistics ( 20220411 ~ 20220417 )
https://asec-ahnlab-com.translate.goog/ko/33741/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Threats:
Agent_tesla (tags: stealer, malware)
Azorult
Formbook (tags: stealer)
Lokibot_stealer
Avemaria_rat
Redline_stealer
Beamwinhttp_loader
Snake_keylogger (tags: malware)
Industry:
Financial
Geo:
Korea
IOCs:
Domain: 5
IP: 6
Email: 7
File: 18
Url: 15
ASEC BLOG
ASEC Weekly Malware Statistics ( 20220411 ~ 20220417 ) - ASEC BLOG
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to classify and respond to known malware. This post summarizes the statistics of malware collected during the week from Monday, April 11, 2022 to Sunday, April 17, 2022. By major category, infostealers ranked first at 77.4%, followed by RAT (Remote Administration Tool) malware at 15.9%, downloaders at 5.4%, banking malware at 0.8%, ransomware…
#ParsedReport
24-04-2022
Industroyer2 in Perspective. Background
https://pylos.co/2022/04/23/industroyer2-in-perspective
Actors/Campaigns:
Sandworm
Threats:
Crashoverride
Triton
Industry:
Energy, Government, Ics
Geo:
Ukraine, Russia
IOCs:
File: 1
Hash: 4
Stranded on Pylos
Industroyer2 in Perspective
Background On 12 April 2022, the Ukrainian CERT and ESET disclosed the existence of Industroyer2, a successor to the malware targeting Ukrainian electric distribution and transmission operations in…