#ParsedReport
21-04-2022
Analyzing Attempts to Exploit the Spring4Shell Vulnerability CVE-2022-22965 to Deploy Cryptocurrency Miners. A high number of exploitation attempts
https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html
Threats:
Spring4shell (tags: cryptomining, malware, botnet, rat)
Mirai (tags: cryptomining)
Malxmr_miner
CVEs:
CVE-2022-22965 [Vulners]
Vulners: Score: 7.5, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- vmware spring framework (<5.2.20, <5.3.18)
- cisco cx cloud agent (<2.1.0)
- oracle communications cloud native core automated test suite (1.9.0, 22.1.0)
- oracle communications cloud native core console (1.9.0, 22.1.0)
- oracle communications cloud native core network exposure function (22.1.0)
have more...
IOCs:
File: 2
Path: 1
IP: 1
Hash: 4
Trend Micro
Spring4Shell Vulnerability CVE-2022-22965 Exploited to Deploy Cryptocurrency Miners
Recently, we observed the Spring4Shell vulnerability — a remote code execution bug, assigned as CVE-2022-22965 — being actively exploited by malicious actors to deploy cryptocurrency miners.
#ParsedReport
21-04-2022
Threat Assessment: BlackByte Ransomware
https://unit42.paloaltonetworks.com/blackbyte-ransomware
Threats:
Blackbyte (tags: proxy, spyware, rat, malware, ransomware, dns)
Proxyshell_vuln (tags: ransomware)
Lockbit
Cobalt_strike (tags: ransomware)
Industry:
Energy, E-commerce, Financial, Ics
Geo:
America, Asia, Africa, Australia, Canada, Russian, Apac, Japan, Emea
CVEs:
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
TTPs:
Tactics: 10
Technics: 17
IOCs:
IP: 7
Domain: 1
File: 9
Registry: 1
Coin: 1
Links:
https://github.com/SpiderLabs/BlackByteDecryptor
Unit 42
Threat Assessment: BlackByte Ransomware
BlackByte is ransomware as a service that emerged in July 2021. Read our overview and recommended courses of action for mitigation.
#ParsedReport
22-04-2022
Blackbyte Ransomware. Threat Description
https://blogs.juniper.net/en-us/threat-labs-knowledge-base/blackbyte-ransomware
Threats:
Blackbyte (tags: ransomware, malware)
Conti
Ryuk
Industry:
Government, Financial
IOCs:
Hash: 41
Path: 7
File: 3
Url: 1
IP: 1
Juniper Networks
Threat Description
Threat Description Sha256: 1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad Blackbyte has been known to be a Ransomware-as-a-Service (RaaS) since July 2021. It was reported that it was used in infecting organizations in at least three
#ParsedReport
22-04-2022
TeamTNT targeting AWS, Alibaba
http://blog.talosintelligence.com/2022/04/teamtnt-targeting-aws-alibaba.html
Actors/Campaigns:
Teamtnt (tags: malware, scan, stealer, dns, cryptomining, rat, rootkit)
Chimaera
Threats:
Xmrig_miner
Tsunami_botnet
Hildegard
Pnscan_tool
Masscan_tool
Zgrab_scanner_tool
Industry:
Financial
Geo:
German
TTPs:
Tactics: 1
Technics: 7
IOCs:
Domain: 2
IP: 10
Url: 12
File: 8
Coin: 5
Email: 1
Hash: 50
Links:
https://github.com/weaveworks/scope/
https://github.com/tmate-io/tmate/releases/download/2.4.0/tmate-2.4.0-static-linux-amd64.tar.xz
https://github.com/rainbowminer/RainbowMiner
https://github.com/Lolliedieb/lolMiner-releases/releases/download/1.31/lolMiner_v1.31_Lin64.tar.gz
https://github.com/PowerShell/PowerShell/releases/download/v7.1.3/powershell_7.1.3-1.ubuntu.18.04_amd64.
#ParsedReport
22-04-2022
Threat Source newsletter (April 21, 2022) Sideloading apps is as safe as you make it
http://blog.talosintelligence.com/2022/04/threat-source-newsletter-april-21-2022.html
Actors/Campaigns:
Gamaredon
Teamtnt
Threats:
Zingo_stealer
Redline_stealer
Xmrig_miner
Industry:
Energy
Geo:
Russian
IOCs:
Hash: 10
File: 5
Cisco Talos Blog
Threat Source newsletter (April 21, 2022) — Sideloading apps is as safe as you make it
Welcome to this week’s edition of the Threat Source newsletter.
If you pay attention to the video game community as much as I do, you’ve been closely following the ongoing legal battle between Apple and Epic over the sale of “Fortnite” on the Apple App Store.…
#ParsedReport
22-04-2022
Nokoyawa Ransomware \| New Karma/Nemty Variant Wears Thin Disguise
https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise
Threats:
Nokoyawa (tags: malware, ransomware)
Karma (tags: malware, ransomware)
Nemty (tags: malware, ransomware)
Hive
Industry:
Financial
IOCs:
File: 1
Hash: 4
YARA: Found
SentinelOne
Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise
Nemty developers have created a new, flawed update to the Karma ransomware variant in a bid to avoid detection and mislead attribution.
#ParsedReport
22-04-2022
Hive Ransomware Analysis
https://www.varonis.com/blog/hive-ransomware-analysis
Threats:
Hive (tags: backdoor, ransomware, scan, phishing, malware, vpn)
Proxyshell_vuln (tags: backdoor, malware)
Cobalt_strike (tags: malware)
Mimikatz
Log4shell_vuln
Emotet
Icedid
Qakbot
Conti
Industry:
Energy, Healthcare, Retail
Geo:
Netherlands, Usa
CVEs:
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
TTPs:
Tactics: 10
Technics: 19
IOCs:
File: 7
IP: 4
Registry: 1
Hash: 7
Links:
https://github.com/ThePacketBender/webshells
Varonis
Hive Ransomware Analysis
Learn how Hive ransomware exploits public servers, spreads through your network, encrypts sensitive files, and exports victims for cryptocurrency.
#ParsedReport
22-04-2022
Threat Thursday: BlackGuard Infostealer Rises from Russian Underground Markets
https://blogs.blackberry.com/en/2022/04/threat-thursday-blackguard-infostealer
Threats:
Blackguard_stealer (tags: stealer, malware, ransomware, vpn)
Arkei_stealer (tags: stealer)
Bhunt_stealer (tags: stealer)
Exodus
Industry:
Financial
Geo:
Tajikistan, Belarus, Ireland, Ukraine, Azerbaijan, Russia, Kyrgyzstan, Uzbekistan
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 11
Path: 5
Coin: 1
Hash: 5
Url: 4
YARA: Found
BlackBerry
Threat Thursday: BlackGuard Infostealer Rises from Russian Underground Markets
BlackGuard is one of the latest .NET-based information-stealers to rise to prominence in the Russian underground markets. Its focus is on web-browsers, cryptocurrency services, and cold-wallets. The malware will additionally target VPN clients, instant messaging…
#ParsedReport
23-04-2022
ASEC Weekly Malware Statistics ( 20220411 \~ 20220417 )
https://asec-ahnlab-com.translate.goog/ko/33741/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Threats:
Agent_tesla (tags: stealer, malware)
Azorult
Formbook (tags: stealer)
Lokibot_stealer
Avemaria_rat
Redline_stealer
Beamwinhttp_loader
Snake_keylogger (tags: malware)
Industry:
Financial
Geo:
Korea
IOCs:
Domain: 5
IP: 6
Email: 7
File: 18
Url: 15
ASEC BLOG
ASEC Weekly Malware Statistics ( 20220411 ~ 20220417 ) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post summarizes the statistics of malware collected during the week from Monday, April 11, 2022 to Sunday, April 17, 2022. By major category, info-stealers took first place at 77.4%, followed by RAT (Remote Administration Tool) malware at 15.9%, downloaders at 5.4%, banking malware at 0.8%, and ransomware…
#ParsedReport
24-04-2022
Industroyer2 in Perspective. Background
https://pylos.co/2022/04/23/industroyer2-in-perspective
Actors/Campaigns:
Sandworm
Threats:
Crashoverride
Triton
Industry:
Energy, Government, Ics
Geo:
Ukraine, Russia
IOCs:
File: 1
Hash: 4
Stranded on Pylos
Industroyer2 in Perspective
Background On 12 April 2022, the Ukrainian CERT and ESET disclosed the existence of Industroyer2, a successor to the malware targeting Ukrainian electric distribution and transmission operations in…
#ParsedReport
24-04-2022
Criminals provide Ginzo stealer for free, now it is gaining traction
https://www.gdatasoftware.com/blog/2022/03/ginzo-free-malware
Threats:
Ginzo_stealer (tags: malware, stealer, cryptomining)
Confuserex_tool
Exodus
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 10
Url: 10
Hash: 3
Path: 25
Gdatasoftware
Free malware - what gives?
We identified more than 400 samples for Ginzo stealer within 10 days since 20th March and the numbers are rising. What is behind the free stealer?
#ParsedReport
25-04-2022
Quantum Ransomware
https://thedfirreport.com/2022/04/25/quantum-ransomware
Actors/Campaigns:
Xinglocker (tags: ransomware)
Threats:
Quantum_locker
Icedid
Conti (tags: ransomware)
Revil (tags: ransomware)
Cobalt_strike
Psexec_tool
TTPs:
Tactics: 10
Technics: 18
IOCs:
File: 15
Path: 7
Domain: 3
IP: 5
Coin: 1
Hash: 9
YARA: Found
SIGMA: Found
Links:
https://gist.github.com/0xtornado/69d12572520122cb9bddc2d6793d97ab
The DFIR Report
Quantum Ransomware
In one of the fastest ransomware cases we have observed, in under four hours the threat actors went from initial access, to domain wide ransomware. The initial access vector for this case was an Ic…
#ParsedReport
25-04-2022
ASEC Weekly Malware Statistics (April 11th, 2022 - April 17th, 2022)
https://asec.ahnlab.com/en/33763
Threats:
Agent_tesla (tags: malware)
Formbook (tags: malware)
Lokibot_stealer (tags: malware)
Redline_stealer (tags: malware)
Beamwinhttp_loader (tags: malware)
Snake_keylogger (tags: malware)
Industry:
Financial
IOCs:
Domain: 5
IP: 6
Email: 7
File: 18
Url: 15
ASEC BLOG
ASEC Weekly Malware Statistics (April 11th, 2022 - April 17th, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from April 11th, 2022 (Monday) to April 17th, 2022 (Sunday). For the main category, info-stealer…
#ParsedReport
25-04-2022
INDUSTROYER.V2: Old Malware Learns New Tricks
https://www.mandiant.com/resources/industroyer-v2-old-malware-new-tricks
Threats:
Crashoverride (tags: malware)
Incontroller_tool (tags: malware)
Industry:
Ics
Geo:
Ukraine
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 1
File: 1
YARA: Found
Mandiant
INDUSTROYER.V2: Old Malware Learns New Tricks | Mandiant
#ParsedReport
25-04-2022
Defeating BazarLoader Anti-Analysis Techniques
https://unit42.paloaltonetworks.com/bazarloader-anti-analysis-techniques
Threats:
Bazarbackdoor (tags: malware, ransomware, backdoor)
IOCs:
Hash: 1
Links:
https://github.com/pan-unit42/iocs/blob/master/DeObfuscate_Opaque
https://github.com/pan-unit42/iocs/blob/master/Appcall_rename_api
https://github.com/idapython
Unit 42
Defeating BazarLoader Anti-Analysis Techniques
Anti-analysis techniques make it harder for malware analysts to do their work. We cover BazarLoader anti-analysis techniques and how to defeat them.
#ParsedReport
25-04-2022
THREAT ANALYSIS REPORT: SocGholish and Zloader From Fake Updates and Installers to Owning Your Systems. MITRE ATT&CK Techniques
https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems
Threats:
Socgholish_loader (tags: backdoor, rat, ransomware, malware, scan, phishing, proxy)
Z_loader (tags: backdoor, rat, ransomware, malware, scan, phishing, proxy)
Cobalt_strike
Egregor
Ryuk
Atera_tool
Nsudo_tool
Industry:
Government
Geo:
Russia
CVEs:
CVE-2013-3900 [Vulners]
Vulners: Score: 7.6, CVSS: 7.3,
Vulners: Exploitation: True
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, r2, -)
- microsoft windows 7 (-)
- microsoft windows rt (-)
- microsoft windows 8.1 (-)
- microsoft windows server 2003 (-)
have more...
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 20
IP: 6
Domain: 10
Path: 27
Hash: 8
Links:
https://github.com/M2Team/NSudo
Cybereason
THREAT ANALYSIS REPORT: SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems
This report provides unique insight into SocGholish and Zloader attacks and provides an overview of the common tactics and techniques in SocGholish infections...
#ParsedReport
25-04-2022
New Core Impact Backdoor Delivered Via VMWare Vulnerability
https://blog.morphisec.com/vmware-identity-manager-attack-backdoor
Actors/Campaigns:
Cleaver (tags: backdoor)
Woolen_goldfish
Threats:
Cobalt_strike (tags: backdoor)
Metasploit_tool (tags: backdoor)
Powertrash_tool
Log4shell_vuln
Jssloader
Geo:
London, Iran
CVEs:
CVE-2022-22958 [Vulners]
Vulners: Score: 6.5, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- vmware cloud foundation (<5.0)
- vmware identity manager (3.3.3, 3.3.4, 3.3.5, 3.3.6)
- vmware vrealize automation (7.6, <9.0)
- vmware vrealize suite lifecycle manager (<9.0)
- vmware workspace one access (20.10.0.0, 20.10.0.1, 21.08.0.0, 21.08.0.1)
have more...
CVE-2022-22957 [Vulners]
Vulners: Score: 6.5, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- vmware cloud foundation (<5.0)
- vmware identity manager (3.3.3, 3.3.4, 3.3.5, 3.3.6)
- vmware vrealize automation (7.6, <9.0)
- vmware vrealize suite lifecycle manager (<9.0)
- vmware workspace one access (20.10.0.0, 20.10.0.1, 21.08.0.0, 21.08.0.1)
have more...
CVE-2022-22954 [Vulners]
Vulners: Score: 10.0, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- vmware identity manager (3.3.3, 3.3.4, 3.3.5, 3.3.6)
- vmware vrealize automation (7.6, le8.6)
- vmware workspace one access (20.10.0.0, 20.10.0.1, 21.08.0.0, 21.08.0.1)
- vmware cloud foundation (le4.3.1)
- vmware vrealize suite lifecycle manager (le8.2)
have more...
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 1
IP: 1
Domain: 2
Url: 1
Hash: 2
Morphisec
VMWare Identity Manager Attack: New Backdoor Discovered
Morphisec Labs has discovered a new VMWare identity manager attack that delivers a sophisticated backdoor previously used by advanced cybercriminals.
#ParsedReport
26-04-2022
New Malware of Lazarus Threat Actor Group Exploiting INITECH Process
https://asec.ahnlab.com/en/33801
Actors/Campaigns:
Lazarus (tags: malware)
Threats:
Lazarshell (tags: malware)
Infostealer/win.outlook (tags: malware)
Trojan/win.agent (tags: malware)
Akdoor (tags: malware)
Lazarbinder (tags: malware)
Lazardoor (tags: malware)
Lazarkeyloger (tags: malware)
Lazarloader (tags: malware)
Lazarportscan (tags: malware)
Zvrek (tags: malware)
Trojan/win32.agent (tags: malware)
Industry:
Chemical
Geo:
Korean
IOCs:
File: 8
Hash: 49
Url: 7
Path: 2
IP: 6
ASEC
New Malware of Lazarus Threat Actor Group Exploiting INITECH Process - ASEC
The AhnLab ASEC analysis team has discovered that there are 47 companies and institutions—including defense companies—infected with the malware distributed by the Lazarus group in the first quarter of 2022. Considering the severity of the situation, the team…
#ParsedReport
26-04-2022
ASEC Weekly Malware Statistics (April 18th, 2022 - April 24th, 2022)
https://asec.ahnlab.com/en/33798
Threats:
Agent_tesla (tags: malware)
Formbook (tags: malware)
Lokibot_stealer (tags: malware)
Beamwinhttp_loader (tags: malware)
Garbage_cleaner (tags: malware)
Snake_keylogger (tags: malware)
Industry:
Financial, Transport
Geo:
Korea
IOCs:
Domain: 5
IP: 5
Email: 10
File: 33
Url: 16
ASEC BLOG
ASEC Weekly Malware Statistics (April 18th, 2022 – April 24th, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from April 18th, 2022 (Monday) to April 24th, 2022 (Sunday). For the main category, info-stealer…
#ParsedReport
26-04-2022
Emotet Tests New Delivery Techniques
https://www.proofpoint.com/us/blog/threat-insight/emotet-tests-new-delivery-techniques
Threats:
Emotet (tags: malware, botnet, trojan, spam)
IOCs:
File: 1
Url: 1
Hash: 3
Proofpoint
Emotet Malware Tests New Delivery Techniques | Proofpoint US
Low-volume Emotet malware activity has been detected by Proofpoint. Learn how this Emotet malware differs drastically from typical threat behaviors, and more.