#ParsedReport
28-04-2022
BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX
https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx
Actors/Campaigns:
Red_delta (tags: malware, rat, dns)
Threats:
Plugx_rat (tags: rat, malware, dns)
Geo:
Poland, Belarus, Russian, Myanmar, Asia, Ukraine, Chinas, Lithuania, Vietnam, China, Latvia
IOCs:
File: 1
Path: 1
IP: 3
Hash: 4
Secureworks
BRONZE PRESIDENT targets Russian speakers with updated PlugX - Blog
The threat group’s targeting shift could reflect a change in China’s intelligence collection requirements due to the war in Ukraine.
#ParsedReport
27-04-2022
Assembling the Russian Nesting Doll: UNC2452 Merged into APT29
https://www.mandiant.com/resources/unc2452-merged-into-apt29
Actors/Campaigns:
Darkhalo (tags: proxy, dns, backdoor, phishing, malware)
Duke (tags: proxy, dns, backdoor, phishing, malware)
Threats:
Cobalt_strike
Sunburst
Domain_fronting_technique
Raindrop_tool
Teardrop_tool
Mamadogs_tool
Crimsonbox_tool
Guardrails_tool
Dcsync_technique
Kerberoasting_technique
Industry:
Government, Telco, Education, Healthcare
Geo:
Asia, America, Russia
TTPs:
Tactics: 12
Techniques: 55
Google Cloud Blog
UNC2452 Merged into APT29 | Russia-Based Espionage Group | Google Cloud Blog
UNC2452 Merged into APT29. Mandiant has gathered sufficient evidence to assess that the activity tracked as UNC2452 is attributable to APT29.
#ParsedReport
27-04-2022
A lookback under the TA410 umbrella: Its cyberespionage TTPs and activity
https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity
Actors/Campaigns:
Ta410 (tags: rat, malware, backdoor, dropper, rootkit, proxy, phishing, keylogger)
Stone_panda
A41apt
Equation
Threats:
Flowcloud_rat (tags: rootkit, backdoor)
Plugx_rat (tags: rat, backdoor)
Quasar_rat (tags: backdoor)
Proxylogon_exploit
Proxyshell_vuln
Lolbin
Htran
Earthworm_tool
Farfli
Gh0st_rat
Guardrails_tool
Metasploit_tool
Dnguard_tool
Rozena
Meterpreter_tool
Eternalblue_vuln
Industry:
Government, Education
Geo:
China, Africa, Israel, Ukraine, French, Japan, India, Asia
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 8.3,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
CVE-2019-0604 [Vulners]
Vulners: Score: 7.5, CVSS: 4.1,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- microsoft sharepoint foundation (2013)
- microsoft sharepoint server (2019, 2010)
- microsoft sharepoint enterprise server (2016)
TTPs:
Tactics: 10
Techniques: 53
IOCs:
File: 25
Domain: 6
Hash: 43
Path: 7
Url: 7
Registry: 6
IP: 14
YARA: Found
Links:
https://github.com/LOLBAS-Project/LOLBAS#user-content-the-history-of-the-lolbin
https://github.com/eset/malware-ioc
https://github.com/sin5678/gh0st
https://github.com/UndefinedIdentifier/LCX
https://github.com/quasar/Quasar
https://github.com/protocolbuffers/protobuf
https://github.com/a0rtega/pafish
https://github.com/rootkiter/EarthWorm
WeLiveSecurity
A lookback under the TA410 umbrella: Its cyberespionage TTPs and activity
ESET research reveals a detailed profile of TA410, a cyberespionage umbrella group that we believe consists of three different teams using different toolsets.
#ParsedReport
28-04-2022
This isn't Optimus Prime's Bumblebee but it's Still Transforming
https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming
Threats:
Bumblebee (tags: botnet, malware, ransomware, trojan, rat)
Bazarbackdoor (tags: malware)
Icedid
Cobalt_strike
Sliver_tool
Meterpreter_tool
Conti (tags: malware)
Diavol
Prometheus
Kpot_stealer
Buer_loader
Gozi
Industry:
Financial
Geo:
Ukrainian
IOCs:
File: 13
Hash: 5
Links:
https://github.com/LordNoteworthy/al-khaser/blob/06d4a89e9ecc3e49e4d2df67fe0b2d6faf04166e/al-khaser/Shared/Utils.cpp#L950
Proofpoint
This isn't Optimus Prime's Bumblebee but it's Still Transforming | Proofpoint US
Key Findings Proofpoint has tracked a new malware loader called Bumblebee used by multiple crimeware threat actors previously observed delivering BazaLoader and IcedID. Several threat
#ParsedReport
28-04-2022
Diving into the Emotet Maldoc Boutade
https://labs.k7computing.com/index.php/diving-into-the-emotet-maldoc-boutade
Threats:
Emotet (tags: malware, spam, rat, trojan)
Vajraspy
IOCs:
File: 9
Path: 1
Url: 26
Hash: 5
K7 Labs
Diving into the Emotet Maldoc Boutade - K7 Labs
Emotet is a malware that is spread mainly via e-mail spam campaigns. A typical spam email contains an infected/weaponized document. […]
#technique
Defence Evasion Technique: Timestomping Detection – NTFS Forensics
https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
Inversecos
Defence Evasion Technique: Timestomping Detection – NTFS Forensics
#ParsedReport
28-04-2022
Trello From the Other Side: Tracking APT29 Phishing Campaigns
https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns
Actors/Campaigns:
Duke (tags: dropper, malware, phishing, rat, proxy, backdoor, dns)
Darkhalo (tags: phishing)
Unc2542 (tags: phishing)
Threats:
Beatdrop_loader (tags: phishing, malware)
Boommic_loader (tags: phishing, malware)
Envyscout (tags: malware)
Beacon (tags: malware)
Html_smuggling_technique
Cobalt_strike (tags: malware)
Bart
Timestomp_tool
Kerberoasting_technique
Industry:
Government
Geo:
Asia, Ukraine, Russia
TTPs:
Tactics: 13
Techniques: 88
IOCs:
File: 10
Path: 3
Hash: 15
Registry: 1
Url: 1
Google Cloud Blog
Tracking APT29 Phishing Campaigns | Atlassian Trello | Google Cloud Blog
Mandiant has been tracking extensive APT29 phishing campaigns targeting diplomatic organizations in Europe
#ParsedReport
28-04-2022
Malware Analysis Report (AR22-115B)
https://us-cert.cisa.gov/ncas/analysis-reports/ar22-115b
Threats:
Isaacwiper (tags: malware)
Hermeticwizard (tags: malware)
Hermeticwiper (tags: malware)
Trojan/win32.agent (tags: malware)
Trojan.win32.trjgen.jngwij (tags: malware)
Alureon (tags: malware)
IOCs:
Path: 1
Hash: 43
File: 2
#ParsedReport
28-04-2022
Malware Analysis Report (AR22-115A)
https://us-cert.cisa.gov/ncas/analysis-reports/ar22-115a
Threats:
Hermeticwiper (tags: malware)
Killdisk (tags: malware)
Trojan.win32.malware (tags: malware)
IOCs:
Path: 3
Coin: 3
Hash: 57
Registry: 2
#ParsedReport
28-04-2022
Malware Analysis Report (AR22-115C)
https://us-cert.cisa.gov/ncas/analysis-reports/ar22-115c
Threats:
Killdisk (tags: malware)
Alureon (tags: malware)
Trojan/win.agent (tags: malware)
Trojan/w32.agent.9216 (tags: malware)
IOCs:
Hash: 6
#ParsedReport
28-04-2022
Peeking into PrivateLoader
https://www.zscaler.com/blogs/security-research/peeking-privateloader
Threats:
Privateloader (tags: ransomware, stealer, malware, rat)
Vidar_stealer
Redline_stealer
Smokeloader_backdoor
Beacon
Industry:
Financial
IOCs:
Path: 1
Url: 4
IP: 2
File: 1
Hash: 2
Zscaler
Peeking into PrivateLoader | Zscaler
PrivateLoader's primary purpose is to download and execute additional malware for a pay-per-install (PPI) malware distribution service.
#ParsedReport
28-04-2022
Lazarus arsenal update: analysis of recent Andariel attack samples
https://mp-weixin-qq-com.translate.goog/s/QfbzuIKUPTXE4GdpBMsGbQ?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Actors/Campaigns:
Lazarus (tags: rat, malware, backdoor, proxy)
Industry:
Financial
Geo:
Korean, Asia
IOCs:
Hash: 13
IP: 2
Url: 4
File: 5
Domain: 1
WeChat Official Accounts Platform
Lazarus arsenal update: analysis of recent Andariel attack samples
Recently, the RedDrip team of the QiAnXin Threat Intelligence Center captured, during routine threat hunting, a batch of attack samples linked to Andariel, a subgroup of the Lazarus APT group; all of them are PE executable files. Judging by the times these samples were uploaded to VT, the related attack activity began no later than February of this year.
#ParsedReport
28-04-2022
LAPSUS$: Recent techniques, tactics and procedures
https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures
Actors/Campaigns:
Lapsus (tags: ransomware, malware, vpn, dns)
Threats:
Rvtools_tool
Adexplorer_tool
Industry:
Financial
TTPs:
Tactics: 4
Techniques: 15
IOCs:
Domain: 1
IP: 3
Url: 1
Links:
https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning
Nccgroup
Cyber Security Research
Cutting-edge cyber security research from NCC Group. Find public reports, technical advisories, analyses, & other novel insights from our global experts.
#ParsedReport
28-04-2022
eSentire Threat Intelligence Malware Analysis: SolarMarker
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-solarmarker
Threats:
Solarmarker (tags: rat, dns, backdoor, stealer, malware, phishing, vpn)
Fingerprintjs_tool
Velar
Arkei_stealer
Exodus (tags: stealer)
Grateful_pos (tags: stealer)
Geo:
Emea, Russian, America, Apac, Africa
IOCs:
File: 5
Path: 1
IP: 10
Hash: 14
YARA: Found
Links:
https://github.com/nicolauns/hunter-php-javascript-obfuscator
#ParsedReport
29-04-2022
Distribution of malicious word documents related to the North Korean 4.25 military parade
https://asec-ahnlab-com.translate.goog/ko/33878/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Actors/Campaigns:
Kimsuky (tags: malware)
Threats:
Nuclear (tags: malware)
Anchor (tags: malware)
Geo:
Korea
IOCs:
File: 5
Hash: 1
Url: 1
ASEC
Distribution of malicious Word documents related to the North Korean 4.25 military parade - ASEC
#ParsedReport
30-04-2022
SpiderLabs Blog. Stormous: The Pro-Russian, Clout Hungry Ransomware Gang Targets the US and Ukraine
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/stormous-the-pro-russian-clout-hungry-ransomware-gang-targets-the-us-and-ukraine
Actors/Campaigns:
Lapsus (tags: ransomware)
Threats:
Clout_hungry (tags: ddos, ransomware)
Industry:
Financial, Government, Healthcare
Geo:
Ukrainian, Saudi, India, Chinese, American, Ukraine, Russia, Arabia
Trustwave
Stormous: The Pro-Russian, Clout Hungry Ransomware Gang Targets the US and Ukraine | Trustwave
As part of our regular Dark Web and cybercriminal research, Trustwave SpiderLabs has uncovered and analyzed postings from a politically motivated, pro-Russian ransomware group named Stormous.
#ParsedReport
30-04-2022
THE LOTUS PANDA IS AWAKE, AGAIN. ANALYSIS OF ITS LAST STRIKE.
https://cluster25.io/2022/04/29/lotus-panda-awake-last-strike
Actors/Campaigns:
Naikon (tags: rat, malware, phishing)
Threats:
Beacon (tags: rat)
Viper_rat (tags: rat)
Cobalt_strike (tags: rat)
Arl_tool (tags: rat)
Meterpreter_tool
Powershell_shell_tool
Industry:
Government
Geo:
China, Malaysia, Asian, Philippines, Thailand, Singapore, Indonesia, Cambodia, Myanmar, Vietnam
TTPs:
Tactics: 4
Techniques: 7
IOCs:
Path: 1
File: 3
Hash: 4
IP: 1
Links:
https://github.com/FunnyWolf/Viper
https://github.com/TophantTechnology/ARL
#ParsedReport
02-05-2022
Word Files Related to Diplomacy and National Defense Being Distributed
https://asec.ahnlab.com/en/33894
Actors/Campaigns:
Kimsuky
Threats:
Nuclear
Cobra
Geo:
Korea, Chinas
IOCs:
File: 4
Path: 2
Hash: 3
Url: 2
ASEC
Word Files Related to Diplomacy and National Defense Being Distributed - ASEC
#ParsedReport
02-05-2022
Analysis on recent wiper attacks: examples and how wiper malware works
https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works
Actors/Campaigns:
Sandworm
Threats:
Whisperkill (tags: malware)
Hermeticwiper (tags: malware)
Isaacwiper (tags: malware)
Killdisk (tags: malware)
Doublezero (tags: malware)
Acidrain (tags: malware)
Log4shell_vuln
Whispergate
Hermeticwizard
Vpnfilter
Crashoverride
Industry:
Energy, Financial, Ics, Government
Geo:
Ukraine
TTPs:
IOCs:
Path: 1
Hash: 11
LevelBlue
Analysis on recent wiper attacks: examples and how wiper…
Executive summary: 2022 has experienced an increase in the number of wiper variants targeting Ukrainian entities. This blog post looks to explain how wipers work, what makes them so effective and provides a short overview of the most recent samples that appeared…
#ParsedReport
02-05-2022
UNC3524: Eye Spy on Your Email
https://www.mandiant.com/resources/unc3524-eye-spy-email
Actors/Campaigns:
Unc3524 (tags: proxy, dns, botnet, backdoor, malware, rat)
Unc3452
Darkhalo
Duke
Fancy_bear
Threats:
Magnitude
Quietexit
Dropbear_tool
Regeorg
Dcsync_technique
Industry:
Financial, Iot
TTPs:
Tactics: 9
Techniques: 25
IOCs:
IP: 1
File: 1
Hash: 1
YARA: Found
Links:
https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py
Google Cloud Blog
UNC3524: Eye Spy on Your Email | Mandiant | Google Cloud Blog
#ParsedReport
02-05-2022
AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell
https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
Threats:
Avoslocker (tags: malware, rat, rootkit, scan, ransomware)
Log4shell_vuln (tags: malware, rat, rootkit, scan, ransomware)
Nmap_tool (tags: scan, ransomware)
Anydesk_tool (tags: scan, ransomware)
Netscan_tool (tags: scan, ransomware)
Mimikatz (tags: scan, ransomware)
Xenarmor_tool (tags: scan, ransomware)
Mespinoza (tags: scan, ransomware)
Backdoor.win32.cve202144228.yacah (tags: scan, ransomware)
CVEs:
CVE-2021-40539 [Vulners]
Vulners: Score: 7.5, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- zohocorp manageengine adselfservice plus (4.5, 5.0, 5.0.6, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 6.0, 6.1)
CVE-2021-44228 [Vulners]
Vulners: Score: 9.3, CVSS: 4.0,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- apache log4j (2.0, <2.3.1, <2.12.2, <2.15.0)
- siemens sppa-t3000 ses3000 firmware (*)
- siemens capital (<2019.1, 2019.1)
- siemens comos (*)
- siemens desigo cc advanced reports (4.0, 4.1, 4.2, 5.0, 5.1)
have more...
IOCs:
File: 16
Url: 1
Path: 3
Hash: 6
Trend Micro
AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell
We found an AvosLocker ransomware variant using a legitimate antivirus component to disable detection and blocking solutions.