CTT Report Hub
Threat Intelligence Report Hub
https://cyberthreat.tech
ООО Технологии киберугроз (Cyber Threat Technologies LLC)
Contact: @nikolaiav
#ParsedReport
25-04-2022

New Core Impact Backdoor Delivered Via VMWare Vulnerability

https://blog.morphisec.com/vmware-identity-manager-attack-backdoor

Actors/Campaigns:
Cleaver (tags: backdoor)
Woolen_goldfish

Threats:
Cobalt_strike (tags: backdoor)
Metasploit_tool (tags: backdoor)
Powertrash_tool
Log4shell_vuln
Jssloader

Geo:
London, Iran

CVEs:
CVE-2022-22958 [Vulners]
Vulners: Score: 6.5, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- vmware cloud foundation (<5.0)
- vmware identity manager (3.3.3, 3.3.4, 3.3.5, 3.3.6)
- vmware vrealize automation (7.6, <9.0)
- vmware vrealize suite lifecycle manager (<9.0)
- vmware workspace one access (20.10.0.0, 20.10.0.1, 21.08.0.0, 21.08.0.1)
have more...
CVE-2022-22957 [Vulners]
Vulners: Score: 6.5, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- vmware cloud foundation (<5.0)
- vmware identity manager (3.3.3, 3.3.4, 3.3.5, 3.3.6)
- vmware vrealize automation (7.6, <9.0)
- vmware vrealize suite lifecycle manager (<9.0)
- vmware workspace one access (20.10.0.0, 20.10.0.1, 21.08.0.0, 21.08.0.1)
have more...
CVE-2022-22954 [Vulners]
Vulners: Score: 10.0, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- vmware identity manager (3.3.3, 3.3.4, 3.3.5, 3.3.6)
- vmware vrealize automation (7.6, <=8.6)
- vmware workspace one access (20.10.0.0, 20.10.0.1, 21.08.0.0, 21.08.0.1)
- vmware cloud foundation (<=4.3.1)
- vmware vrealize suite lifecycle manager (<=8.2)
have more...

TTPs:
Tactics: 1
Techniques: 0

IOCs:
File: 1
IP: 1
Domain: 2
Url: 1
Hash: 2
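Every entry in this channel follows the same machine-generated #ParsedReport layout: a date, a title, the source URL, then blank-line-separated sections (Actors/Campaigns, Threats, CVEs with Vulners and X-Force fields, IOC counts). The Python below is an added example, not the channel's or the CTT parser's own code. It splits an export into entries, pulls out actors, CVE scores and IOC counts, and flags CVEs for patch triage. The sample text is constructed for this example from an abbreviated copy of the entry above; the Cve and Report classes and the parse_feed and triage functions are this example's own names. One caveat the entry itself shows: the two severity sources disagree (Vulners 6.5 versus X-Force 9.1 for the same CVE, with CVSS still PENDING), so triage takes the higher of the two rather than trusting either source alone.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the channel's #ParsedReport layout, abbreviated from the
# VMware entry above; it is not the channel's own export.
SAMPLE_FEED = """\
#ParsedReport
25-04-2022

New Core Impact Backdoor Delivered Via VMWare Vulnerability

https://blog.morphisec.com/vmware-identity-manager-attack-backdoor

Actors/Campaigns:
Cleaver (tags: backdoor)
Woolen_goldfish

CVEs:
CVE-2022-22958 [Vulners]
Vulners: Score: 6.5, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.1
X-Force: Patch: Official fix
CVE-2022-22954 [Vulners]
Vulners: Score: 10.0, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8

IOCs:
File: 1
IP: 1
Hash: 2
"""

@dataclass
class Cve:
    cve_id: str
    vulners_score: float = None
    exploitation: str = None      # Vulners "Exploitation" field: True/Unknown
    xforce_risk: float = None

@dataclass
class Report:
    date: str
    title: str
    url: str
    actors: list = field(default_factory=list)
    cves: list = field(default_factory=list)
    ioc_counts: dict = field(default_factory=dict)

def _parse_cves(lines):
    cves, cur = [], None
    for ln in lines:
        m = re.match(r"(CVE-\d{4}-\d{4,})", ln)
        if m:
            cur = Cve(m.group(1))
            cves.append(cur)
        elif cur is None:
            continue
        elif ln.startswith("Vulners: Score:"):
            cur.vulners_score = float(re.search(r"Score:\s*([\d.]+)", ln).group(1))
        elif ln.startswith("Vulners: Exploitation:"):
            cur.exploitation = ln.split(":", 2)[2].strip()
        elif ln.startswith("X-Force: Risk:"):
            cur.xforce_risk = float(ln.split(":", 2)[2])
        # "Soft:", "- product (versions)", "X-Force: Patch:" and "have more..." are skipped
    return cves

def parse_feed(text):
    """Split on #ParsedReport markers; each entry is date, title, URL, then
    blank-line-separated 'Section:' blocks."""
    reports = []
    for chunk in re.split(r"^#ParsedReport[ \t]*$", text, flags=re.M):
        paras = [p.split("\n") for p in re.split(r"\n\s*\n", chunk.strip()) if p.strip()]
        if len(paras) < 3 or not re.fullmatch(r"\d{2}-\d{2}-\d{4}", paras[0][0].strip()):
            continue  # preamble or an untagged post
        rep = Report(paras[0][0].strip(), paras[1][0].strip(), paras[2][0].strip())
        for para in paras[3:]:
            head, body = para[0].strip(), [l.strip() for l in para[1:]]
            if head == "Actors/Campaigns:":  # "Name (tags: ...)" -> "Name"
                rep.actors = [re.sub(r"\s*\(tags:[^)]*\)$", "", l) for l in body]
            elif head == "CVEs:":
                rep.cves = _parse_cves(body)
            elif head == "IOCs:":  # only "Kind: N"; free-text posts may trail an entry
                pairs = (re.fullmatch(r"(\w+):\s*(\d+)", l) for l in body)
                rep.ioc_counts = {m[1]: int(m[2]) for m in pairs if m}
        reports.append(rep)
    return reports

def triage(report, threshold=9.0):
    """Flag CVEs with known exploitation or a score >= threshold from either
    source; the sources disagree (6.5 vs 9.1 above), so take the higher one."""
    flagged = []
    for c in report.cves:
        worst = max((s for s in (c.vulners_score, c.xforce_risk) if s is not None), default=0.0)
        exploited = (c.exploitation or "").lower() == "true"
        if exploited or worst >= threshold:
            flagged.append((c.cve_id, worst, exploited))
    return flagged
```

Untagged posts (such as the CERT-FR link further down the page) and free-text channel messages that trail an entry without a blank line are skipped rather than breaking the parse; calling triage(parse_feed(export)[0]) on the sample returns both VMware CVEs at the default threshold and only CVE-2022-22954 at 9.5.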
#ParsedReport
26-04-2022

New Malware of Lazarus Threat Actor Group Exploiting INITECH Process

https://asec.ahnlab.com/en/33801

Actors/Campaigns:
Lazarus (tags: malware)

Threats:
Lazarshell (tags: malware)
Infostealer/win.outlook (tags: malware)
Trojan/win.agent (tags: malware)
Akdoor (tags: malware)
Lazarbinder (tags: malware)
Lazardoor (tags: malware)
Lazarkeyloger (tags: malware)
Lazarloader (tags: malware)
Lazarportscan (tags: malware)
Zvrek (tags: malware)
Trojan/win32.agent (tags: malware)

Industry:
Chemical

Geo:
Korea

IOCs:
File: 8
Hash: 49
Url: 7
Path: 2
IP: 6
#ParsedReport
26-04-2022

ASEC Weekly Malware Statistics (April 18th, 2022 to April 24th, 2022)

https://asec.ahnlab.com/en/33798

Threats:
Agent_tesla (tags: malware)
Formbook (tags: malware)
Lokibot_stealer (tags: malware)
Beamwinhttp_loader (tags: malware)
Garbage_cleaner (tags: malware)
Snake_keylogger (tags: malware)

Industry:
Financial, Transport

Geo:
Korea

IOCs:
Domain: 5
IP: 5
Email: 10
File: 33
Url: 16
#ParsedReport
26-04-2022

A "Naver"-ending game of Lazarus APT

https://www.zscaler.com/blogs/security-research/naver-ending-game-lazarus-apt

Actors/Campaigns:
Lazarus (tags: malware, dropper, phishing, dns, ransomware)

Threats:
Aspacked

Industry:
Telco

Geo:
Korea

IOCs:
IP: 4
Hash: 49
Domain: 53
File: 14
Path: 2
Email: 2
CERT-FR THREATS AND INCIDENTS REPORT. The FIN7 cybercriminal group

https://www.cert.ssi.gouv.fr/cti/CERTFR-2022-CTI-003/
#ParsedReport
27-04-2022

Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage

Actors/Campaigns:
Lazarus
Dream_job

Threats:
Log4shell_vuln
Dtrack_rat
Mimikatz
Putty_tool

Industry:
Government, Financial, Aerospace, Energy

Geo:
Korea

CVEs:
CVE-2021-44228 [Vulners]
Vulners: Score: 9.3, CVSS: 4.0,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- apache log4j (2.0, <2.3.1, <2.12.2, <2.15.0)
- siemens sppa-t3000 ses3000 firmware (*)
- siemens capital (<2019.1, 2019.1)
- siemens comos (*)
- siemens desigo cc advanced reports (4.0, 4.1, 4.2, 5.0, 5.1)
have more...

IOCs:
File: 9
Hash: 28
Domain: 4
Url: 6

Links:
https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py
https://github.com/3proxy/3proxy
https://github.com/Kevin-Robertson/Invoke-TheHash
#ParsedReport
27-04-2022

Malware analysis report on SparrowDoor malware

https://www.ncsc.gov.uk/report/mar-sparrowdoor

Threats:
Sparrowdoor (tags: backdoor, malware)

IOCs:
File: 3
Domain: 1
Registry: 2
Hash: 2

YARA: Found
SIGMA: Found
#ParsedReport
27-04-2022

Hive0117 Continues Fileless Malware Delivery in Eastern Europe

https://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe

Actors/Campaigns:
Hive0117 (tags: keylogger, malware, trojan, phishing, rat, backdoor)

Threats:
Darkwatchman (tags: malware)

Industry:
Telco, Financial, Energy, Logistic, Government

Geo:
Germany, Ukraine, Lithuania, Estonia, Russia

IOCs:
Domain: 3
File: 4
IP: 2
Email: 1
Url: 1
Hash: 7
A little off-topic.
Now only a vice president can merge into the master branch.
An interesting story. After the deal for Musk to buy Twitter was finalised, the social network's management banned any changes to the platform's code (making a change now requires approval at vice-president level), fearing sabotage by employees who might not like the sale of the company or Musk himself, which could push them to slip something nasty into the code. Secure development management is becoming an ever more fashionable topic 😊
#ParsedReport
27-04-2022

Targeted attack on Thailand Pass customers delivers AsyncRAT

https://www.zscaler.com/blogs/security-research/targeted-attack-thailand-pass-customers-delivers-asyncrat

Threats:
Asyncrat_rat (tags: phishing, malware, ransomware, spam, trojan)

Industry:
Aerospace

Geo:
Thailand

IOCs:
Domain: 3
Url: 3
File: 23
IP: 1
Hash: 15
#ParsedReport
27-04-2022

Industroyer2: Nozomi Networks Labs Analyzes the IEC 104 Payload

https://www.nozominetworks.com/blog/industroyer2-nozomi-networks-labs-analyzes-the-iec-104-payload

Actors/Campaigns:
Sandworm

Threats:
Crashoverride (tags: rat, ransomware, scan, malware)
Botenago
Incontroller_tool
Log4shell_vuln

Industry:
Iot, Energy

Geo:
Ukraine

IOCs:
File: 6
Path: 1
Hash: 2

YARA: Found
#ParsedReport
27-04-2022

LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility

https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility

Threats:
Cobalt_strike (tags: malware, scan, ransomware, rat)
Lockbit (tags: malware, scan, ransomware, rat)
Reflectiveloader
Stealbit

IOCs:
File: 4
Path: 6
Url: 3
Hash: 6
IP: 2

YARA: Found
#ParsedReport
28-04-2022

New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware. Technical analysis

https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html

Actors/Campaigns:
Earth_berberoka (tags: rat, dropper, proxy, malware, backdoor)

Threats:
Gh0st_rat (tags: malware)
Plugx_rat (tags: malware)
Puppetloader (tags: malware)
Tigerplug
Basicloader
Quasar_rat
Asyncrat_rat

IOCs:
Hash: 1
File: 12
Path: 1

Links:
https://github.com/denji/golang-tls
https://github.com/lucas-clemente/quic-go
#ParsedReport
28-04-2022

BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX

https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx

Actors/Campaigns:
Red_delta (tags: malware, rat, dns)

Threats:
Plugx_rat (tags: rat, malware, dns)

Geo:
Poland, Belarus, Russia, Myanmar, Asia, Ukraine, Lithuania, Vietnam, China, Latvia

IOCs:
File: 1
Path: 1
IP: 3
Hash: 4
#ParsedReport
27-04-2022

Assembling the Russian Nesting Doll: UNC2452 Merged into APT29

https://www.mandiant.com/resources/unc2452-merged-into-apt29

Actors/Campaigns:
Darkhalo (tags: proxy, dns, backdoor, phishing, malware)
Duke (tags: proxy, dns, backdoor, phishing, malware)

Threats:
Cobalt_strike
Sunburst
Domain_fronting_technique
Raindrop_tool
Teardrop_tool
Mamadogs_tool
Crimsonbox_tool
Guardrails_tool
Dcsync_technique
Kerberoasting_technique

Industry:
Government, Telco, Education, Healthcare

Geo:
Asia, America, Russia

TTPs:
Tactics: 12
Techniques: 55
#ParsedReport
27-04-2022

A lookback under the TA410 umbrella: Its cyberespionage TTPs and activity

https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity

Actors/Campaigns:
Ta410 (tags: rat, malware, backdoor, dropper, rootkit, proxy, phishing, keylogger)
Stone_panda
A41apt
Equation

Threats:
Flowcloud_rat (tags: rootkit, backdoor)
Plugx_rat (tags: rat, backdoor)
Quasar_rat (tags: backdoor)
Proxylogon_exploit
Proxyshell_vuln
Lolbin
Htran
Earthworm_tool
Farfli
Gh0st_rat
Guardrails_tool
Metasploit_tool
Dnguard_tool
Rozena
Meterpreter_tool
Eternalblue_vuln

Industry:
Government, Education

Geo:
China, Africa, Israel, Ukraine, France, Japan, India, Asia

CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 8.3,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)

CVE-2019-0604 [Vulners]
Vulners: Score: 7.5, CVSS: 4.1,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- microsoft sharepoint foundation (2013)
- microsoft sharepoint server (2019, 2010)
- microsoft sharepoint enterprise server (2016)


TTPs:
Tactics: 10
Techniques: 53

IOCs:
File: 25
Domain: 6
Hash: 43
Path: 7
Url: 7
Registry: 6
IP: 14

YARA: Found

Links:
https://github.com/LOLBAS-Project/LOLBAS#user-content-the-history-of-the-lolbin
https://github.com/eset/malware-ioc
https://github.com/sin5678/gh0st
https://github.com/UndefinedIdentifier/LCX
https://github.com/quasar/Quasar
https://github.com/protocolbuffers/protobuf
https://github.com/a0rtega/pafish
https://github.com/rootkiter/EarthWorm