#ParsedReport
27-04-2022
Assembling the Russian Nesting Doll: UNC2452 Merged into APT29
https://www.mandiant.com/resources/unc2452-merged-into-apt29
Actors/Campaigns:
Darkhalo (tags: proxy, dns, backdoor, phishing, malware)
Duke (tags: proxy, dns, backdoor, phishing, malware)
Threats:
Cobalt_strike
Sunburst
Domain_fronting_technique
Raindrop_tool
Teardrop_tool
Mamadogs_tool
Crimsonbox_tool
Guardrails_tool
Dcsync_technique
Kerberoasting_technique
Industry:
Government, Telco, Education, Healthcare
Geo:
Asia, America, Russia
TTPs:
Tactics: 12
Technics: 55
27-04-2022
Assembling the Russian Nesting Doll: UNC2452 Merged into APT29
https://www.mandiant.com/resources/unc2452-merged-into-apt29
Actors/Campaigns:
Darkhalo (tags: proxy, dns, backdoor, phishing, malware)
Duke (tags: proxy, dns, backdoor, phishing, malware)
Threats:
Cobalt_strike
Sunburst
Domain_fronting_technique
Raindrop_tool
Teardrop_tool
Mamadogs_tool
Crimsonbox_tool
Guardrails_tool
Dcsync_technique
Kerberoasting_technique
Industry:
Government, Telco, Education, Healthcare
Geo:
Asia, America, Russia
TTPs:
Tactics: 12
Technics: 55
Google Cloud Blog
UNC2452 Merged into APT29 | Russia-Based Espionage Group | Google Cloud Blog
UNC2452 Merged into APT29. Mandiant has gathered sufficient evidence to assess that the activity tracked as UNC2452 is attributable to APT29.
#ParsedReport
27-04-2022
A lookback under the TA410 umbrella: Its cyberespionage TTPs and activity
https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity
Actors/Campaigns:
Ta410 (tags: rat, malware, backdoor, dropper, rootkit, proxy, phishing, keylogger)
Stone_panda
A41apt
Equation
Threats:
Flowcloud_rat (tags: rootkit, backdoor)
Plugx_rat (tags: rat, backdoor)
Quasar_rat (tags: backdoor)
Proxylogon_exploit
Proxyshell_vuln
Lolbin
Htran
Earthworm_tool
Farfli
Gh0st_rat
Guardrails_tool
Metasploit_tool
Dnguard_tool
Rozena
Meterpreter_tool
Eternalblue_vuln
Industry:
Government, Education
Geo:
China, Africa, Israel, Ukraine, French, Japan, India, Asia
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 8.3,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
CVE-2019-0604 [Vulners]
Vulners: Score: 7.5, CVSS: 4.1,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- microsoft sharepoint foundation (2013)
- microsoft sharepoint server (2019, 2010)
- microsoft sharepoint enterprise server (2016)
TTPs:
Tactics: 10
Technics: 53
IOCs:
File: 25
Domain: 6
Hash: 43
Path: 7
Url: 7
Registry: 6
IP: 14
YARA: Found
Links:
27-04-2022
A lookback under the TA410 umbrella: Its cyberespionage TTPs and activity
https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity
Actors/Campaigns:
Ta410 (tags: rat, malware, backdoor, dropper, rootkit, proxy, phishing, keylogger)
Stone_panda
A41apt
Equation
Threats:
Flowcloud_rat (tags: rootkit, backdoor)
Plugx_rat (tags: rat, backdoor)
Quasar_rat (tags: backdoor)
Proxylogon_exploit
Proxyshell_vuln
Lolbin
Htran
Earthworm_tool
Farfli
Gh0st_rat
Guardrails_tool
Metasploit_tool
Dnguard_tool
Rozena
Meterpreter_tool
Eternalblue_vuln
Industry:
Government, Education
Geo:
China, Africa, Israel, Ukraine, French, Japan, India, Asia
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 8.3,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
CVE-2019-0604 [Vulners]
Vulners: Score: 7.5, CVSS: 4.1,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- microsoft sharepoint foundation (2013)
- microsoft sharepoint server (2019, 2010)
- microsoft sharepoint enterprise server (2016)
TTPs:
Tactics: 10
Technics: 53
IOCs:
File: 25
Domain: 6
Hash: 43
Path: 7
Url: 7
Registry: 6
IP: 14
YARA: Found
Links:
https://github.com/LOLBAS-Project/LOLBAS#user-content-the-history-of-the-lolbin
https://github.com/eset/malware-ioc
https://github.com/sin5678/gh0st
https://github.com/UndefinedIdentifier/LCX
https://github.com/quasar/Quasar
https://github.com/protocolbuffers/protobuf
https://github.com/a0rtega/pafish
https://github.com/rootkiter/EarthWormWeLiveSecurity
A lookback under the TA410 umbrella: Its cyberespionage TTPs and activity
ESET research reveals a detailed profile of TA410, a cyberespionage umbrella group that we believe consists of three different teams using different toolsets.
#ParsedReport
28-04-2022
This isn't Optimus Prime's Bumblebee but it's Still Transforming
https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming
Threats:
Bumblebee (tags: botnet, malware, ransomware, trojan, rat)
Bazarbackdoor (tags: malware)
Icedid
Cobalt_strike
Sliver_tool
Meterpreter_tool
Conti (tags: malware)
Diavol
Prometheus
Kpot_stealer
Buer_loader
Gozi
Industry:
Financial
Geo:
Ukrainian
IOCs:
File: 13
Hash: 5
Links:
28-04-2022
This isn't Optimus Prime's Bumblebee but it's Still Transforming
https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming
Threats:
Bumblebee (tags: botnet, malware, ransomware, trojan, rat)
Bazarbackdoor (tags: malware)
Icedid
Cobalt_strike
Sliver_tool
Meterpreter_tool
Conti (tags: malware)
Diavol
Prometheus
Kpot_stealer
Buer_loader
Gozi
Industry:
Financial
Geo:
Ukrainian
IOCs:
File: 13
Hash: 5
Links:
https://github.com/LordNoteworthy/al-khaser/blob/06d4a89e9ecc3e49e4d2df67fe0b2d6faf04166e/al-khaser/Shared/Utils.cpp#L950Proofpoint
This isn't Optimus Prime's Bumblebee but it's Still Transforming | Proofpoint US
Key Findings Proofpoint has tracked a new malware loader called Bumblebee used by multiple crimeware threat actors previously observed delivering BazaLoader and IcedID. Several threat
#ParsedReport
28-04-2022
Diving into the Emotet Maldoc Boutade
https://labs.k7computing.com/index.php/diving-into-the-emotet-maldoc-boutade
Threats:
Emotet (tags: malware, spam, rat, trojan)
Vajraspy
IOCs:
File: 9
Path: 1
Url: 26
Hash: 5
28-04-2022
Diving into the Emotet Maldoc Boutade
https://labs.k7computing.com/index.php/diving-into-the-emotet-maldoc-boutade
Threats:
Emotet (tags: malware, spam, rat, trojan)
Vajraspy
IOCs:
File: 9
Path: 1
Url: 26
Hash: 5
K7 Labs
Diving into the Emotet Maldoc Boutade - K7 Labs
Emotet is a malware that is spread mainly via e-mail spam campaigns. A typical spam email contains an infected/weaponized document. […]
#technique
Defence Evasion Technique: Timestomping Detection – NTFS Forensics
https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
Defence Evasion Technique: Timestomping Detection – NTFS Forensics
https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
Inversecos
Defence Evasion Technique: Timestomping Detection – NTFS Forensics
#ParsedReport
28-04-2022
Trello From the Other Side: Tracking APT29 Phishing Campaigns
https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns
Actors/Campaigns:
Duke (tags: dropper, malware, phishing, rat, proxy, backdoor, dns)
Darkhalo (tags: phishing)
Unc2542 (tags: phishing)
Threats:
Beatdrop_loader (tags: phishing, malware)
Boommic_loader (tags: phishing, malware)
Envyscout (tags: malware)
Beacon (tags: malware)
Html_smuggling_technique
Cobalt_strike (tags: malware)
Bart
Timestomp_tool
Kerberoasting_technique
Industry:
Government
Geo:
Asia, Ukraine, Russia
TTPs:
Tactics: 13
Technics: 88
IOCs:
File: 10
Path: 3
Hash: 15
Registry: 1
Url: 1
28-04-2022
Trello From the Other Side: Tracking APT29 Phishing Campaigns
https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns
Actors/Campaigns:
Duke (tags: dropper, malware, phishing, rat, proxy, backdoor, dns)
Darkhalo (tags: phishing)
Unc2542 (tags: phishing)
Threats:
Beatdrop_loader (tags: phishing, malware)
Boommic_loader (tags: phishing, malware)
Envyscout (tags: malware)
Beacon (tags: malware)
Html_smuggling_technique
Cobalt_strike (tags: malware)
Bart
Timestomp_tool
Kerberoasting_technique
Industry:
Government
Geo:
Asia, Ukraine, Russia
TTPs:
Tactics: 13
Technics: 88
IOCs:
File: 10
Path: 3
Hash: 15
Registry: 1
Url: 1
Google Cloud Blog
Tracking APT29 Phishing Campaigns | Atlassian Trello | Google Cloud Blog
Mandiant has been tracking extensive APT29 phishing campaigns targeting diplomatic organizations in Europe
#ParsedReport
28-04-2022
Malware Analysis Report (AR22-115B)
https://us-cert.cisa.gov/ncas/analysis-reports/ar22-115b
Threats:
Isaacwiper (tags: malware)
Hermeticwizard (tags: malware)
Hermeticwiper (tags: malware)
Trojan/win32.agent (tags: malware)
Trojan.win32.trjgen.jngwij (tags: malware)
Alureon (tags: malware)
IOCs:
Path: 1
Hash: 43
File: 2
28-04-2022
Malware Analysis Report (AR22-115B)
https://us-cert.cisa.gov/ncas/analysis-reports/ar22-115b
Threats:
Isaacwiper (tags: malware)
Hermeticwizard (tags: malware)
Hermeticwiper (tags: malware)
Trojan/win32.agent (tags: malware)
Trojan.win32.trjgen.jngwij (tags: malware)
Alureon (tags: malware)
IOCs:
Path: 1
Hash: 43
File: 2
#ParsedReport
28-04-2022
Malware Analysis Report (AR22-115A)
https://us-cert.cisa.gov/ncas/analysis-reports/ar22-115a
Threats:
Hermeticwiper (tags: malware)
Killdisk (tags: malware)
Trojan.win32.malware (tags: malware)
IOCs:
Path: 3
Coin: 3
Hash: 57
Registry: 2
28-04-2022
Malware Analysis Report (AR22-115A)
https://us-cert.cisa.gov/ncas/analysis-reports/ar22-115a
Threats:
Hermeticwiper (tags: malware)
Killdisk (tags: malware)
Trojan.win32.malware (tags: malware)
IOCs:
Path: 3
Coin: 3
Hash: 57
Registry: 2
#ParsedReport
28-04-2022
Malware Analysis Report (AR22-115C)
https://us-cert.cisa.gov/ncas/analysis-reports/ar22-115c
Threats:
Killdisk (tags: malware)
Alureon (tags: malware)
Trojan/win.agent (tags: malware)
Trojan/w32.agent.9216 (tags: malware)
IOCs:
Hash: 6
28-04-2022
Malware Analysis Report (AR22-115C)
https://us-cert.cisa.gov/ncas/analysis-reports/ar22-115c
Threats:
Killdisk (tags: malware)
Alureon (tags: malware)
Trojan/win.agent (tags: malware)
Trojan/w32.agent.9216 (tags: malware)
IOCs:
Hash: 6
#ParsedReport
28-04-2022
Peeking into PrivateLoader
https://www.zscaler.com/blogs/security-research/peeking-privateloader
Threats:
Privateloader (tags: ransomware, stealer, malware, rat)
Vidar_stealer
Redline_stealer
Smokeloader_backdoor
Beacon
Industry:
Financial
IOCs:
Path: 1
Url: 4
IP: 2
File: 1
Hash: 2
28-04-2022
Peeking into PrivateLoader
https://www.zscaler.com/blogs/security-research/peeking-privateloader
Threats:
Privateloader (tags: ransomware, stealer, malware, rat)
Vidar_stealer
Redline_stealer
Smokeloader_backdoor
Beacon
Industry:
Financial
IOCs:
Path: 1
Url: 4
IP: 2
File: 1
Hash: 2
Zscaler
Peeking into PrivateLoader | Zscaler
PrivateLoader's primary purpose is to download and execute additional malware for a pay-per-install (PPI) malware distribution service.
#ParsedReport
28-04-2022
Lazarus arsenal update: analysis of recent Andariel attack samples
https://mp-weixin-qq-com.translate.goog/s/QfbzuIKUPTXE4GdpBMsGbQ?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Actors/Campaigns:
Lazarus (tags: rat, malware, backdoor, proxy)
Industry:
Financial
Geo:
Korean, Asia
IOCs:
Hash: 13
IP: 2
Url: 4
File: 5
Domain: 1
28-04-2022
Lazarus arsenal update: analysis of recent Andariel attack samples
https://mp-weixin-qq-com.translate.goog/s/QfbzuIKUPTXE4GdpBMsGbQ?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Actors/Campaigns:
Lazarus (tags: rat, malware, backdoor, proxy)
Industry:
Financial
Geo:
Korean, Asia
IOCs:
Hash: 13
IP: 2
Url: 4
File: 5
Domain: 1
微信公众平台
Lazarus武器库更新:Andariel近期攻击样本分析
近日,奇安信威胁情报中心红雨滴团队在日常的威胁狩猎中捕获到一批与Lazarus APT组织的下属团体Andariel相关的攻击样本,均为PE可执行文件。根据这批样本上传VT的时间可知相关攻击活动至少从今年2月份开始发起。
#ParsedReport
28-04-2022
LAPSUS$: Recent techniques, tactics and procedures
https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures
Actors/Campaigns:
Lapsus (tags: ransomware, malware, vpn, dns)
Threats:
Rvtools_tool
Adexplorer_tool
Industry:
Financial
TTPs:
Tactics: 4
Technics: 15
IOCs:
Domain: 1
IP: 3
Url: 1
Links:
28-04-2022
LAPSUS$: Recent techniques, tactics and procedures
https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures
Actors/Campaigns:
Lapsus (tags: ransomware, malware, vpn, dns)
Threats:
Rvtools_tool
Adexplorer_tool
Industry:
Financial
TTPs:
Tactics: 4
Technics: 15
IOCs:
Domain: 1
IP: 3
Url: 1
Links:
https://docs.github.com/en/code-security/secret-scanning/about-secret-scanningNccgroup
Cyber Security Research
Cutting-edge cyber security research from NCC Group. Find public reports, technical advisories, analyses, & other novel insights from our global experts.
#ParsedReport
28-04-2022
eSentire Threat Intelligence Malware Analysis: SolarMarker
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-solarmarker
Threats:
Solarmarker (tags: rat, dns, backdoor, stealer, malware, phishing, vpn)
Fingerprintjs_tool
Velar
Arkei_stealer
Exodus (tags: stealer)
Grateful_pos (tags: stealer)
Geo:
Emea, Russian, America, Apac, Africa
IOCs:
File: 5
Path: 1
IP: 10
Hash: 14
YARA: Found
Links:
28-04-2022
eSentire Threat Intelligence Malware Analysis: SolarMarker
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-solarmarker
Threats:
Solarmarker (tags: rat, dns, backdoor, stealer, malware, phishing, vpn)
Fingerprintjs_tool
Velar
Arkei_stealer
Exodus (tags: stealer)
Grateful_pos (tags: stealer)
Geo:
Emea, Russian, America, Apac, Africa
IOCs:
File: 5
Path: 1
IP: 10
Hash: 14
YARA: Found
Links:
https://github.com/nicolauns/hunter-php-javascript-obfuscator#ParsedReport
29-04-2022
Distribution of malicious word documents related to the North Korean 4.25 military parade
https://asec-ahnlab-com.translate.goog/ko/33878/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Actors/Campaigns:
Kimsuky (tags: malware)
Threats:
Nuclear (tags: malware)
Anchor (tags: malware)
Geo:
Korea
IOCs:
File: 5
Hash: 1
Url: 1
29-04-2022
Distribution of malicious word documents related to the North Korean 4.25 military parade
https://asec-ahnlab-com.translate.goog/ko/33878/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Actors/Campaigns:
Kimsuky (tags: malware)
Threats:
Nuclear (tags: malware)
Anchor (tags: malware)
Geo:
Korea
IOCs:
File: 5
Hash: 1
Url: 1
ASEC
북한 4.25 열병식 관련 내용의 악성 워드 문서 유포 - ASEC
북한 4.25 열병식 관련 내용의 악성 워드 문서 유포 ASEC
#ParsedReport
30-04-2022
SpiderLabs Blog. Stormous: The Pro-Russian, Clout Hungry Ransomware Gang Targets the US and Ukraine
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/stormous-the-pro-russian-clout-hungry-ransomware-gang-targets-the-us-and-ukraine
Actors/Campaigns:
Lapsus (tags: ransomware)
Threats:
Clout_hungry (tags: ddos, ransomware)
Industry:
Financial, Government, Healthcare
Geo:
Ukrainian, Saudi, India, Chinese, American, Ukraine, Russia, Arabia
30-04-2022
SpiderLabs Blog. Stormous: The Pro-Russian, Clout Hungry Ransomware Gang Targets the US and Ukraine
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/stormous-the-pro-russian-clout-hungry-ransomware-gang-targets-the-us-and-ukraine
Actors/Campaigns:
Lapsus (tags: ransomware)
Threats:
Clout_hungry (tags: ddos, ransomware)
Industry:
Financial, Government, Healthcare
Geo:
Ukrainian, Saudi, India, Chinese, American, Ukraine, Russia, Arabia
Trustwave
Stormous: The Pro-Russian, Clout Hungry Ransomware Gang Targets the US and Ukraine | Trustwave
As part of our regular Dark Web and cybercriminal research, Trustwave SpiderLabs has uncovered and analyzed postings from a politically motivated, pro-Russian ransomware group named Stormous.
#ParsedReport
30-04-2022
THE LOTUS PANDA IS AWAKE, AGAIN. ANALYSIS OF ITS LAST STRIKE.
https://cluster25.io/2022/04/29/lotus-panda-awake-last-strike
Actors/Campaigns:
Naikon (tags: rat, malware, phishing)
Threats:
Beacon (tags: rat)
Viper_rat (tags: rat)
Cobalt_strike (tags: rat)
Arl_tool (tags: rat)
Meterpreter_tool
Powershell_shell_tool
Industry:
Government
Geo:
China, Malaysia, Asian, Philippines, Thailand, Singapore, Indonesia, Cambodia, Myanmar, Vietnam
TTPs:
Tactics: 4
Technics: 7
IOCs:
Path: 1
File: 3
Hash: 4
IP: 1
Links:
30-04-2022
THE LOTUS PANDA IS AWAKE, AGAIN. ANALYSIS OF ITS LAST STRIKE.
https://cluster25.io/2022/04/29/lotus-panda-awake-last-strike
Actors/Campaigns:
Naikon (tags: rat, malware, phishing)
Threats:
Beacon (tags: rat)
Viper_rat (tags: rat)
Cobalt_strike (tags: rat)
Arl_tool (tags: rat)
Meterpreter_tool
Powershell_shell_tool
Industry:
Government
Geo:
China, Malaysia, Asian, Philippines, Thailand, Singapore, Indonesia, Cambodia, Myanmar, Vietnam
TTPs:
Tactics: 4
Technics: 7
IOCs:
Path: 1
File: 3
Hash: 4
IP: 1
Links:
https://github.com/FunnyWolf/Viper
https://github.com/TophantTechnology/ARL#ParsedReport
02-05-2022
Word Files Related to Diplomacy and National Defense Being Distributed
https://asec.ahnlab.com/en/33894
Actors/Campaigns:
Kimsuky
Threats:
Nuclear
Cobra
Geo:
Korea, Chinas
IOCs:
File: 4
Path: 2
Hash: 3
Url: 2
02-05-2022
Word Files Related to Diplomacy and National Defense Being Distributed
https://asec.ahnlab.com/en/33894
Actors/Campaigns:
Kimsuky
Threats:
Nuclear
Cobra
Geo:
Korea, Chinas
IOCs:
File: 4
Path: 2
Hash: 3
Url: 2
ASEC
Word Files Related to Diplomacy and National Defense Being Distributed - ASEC
Word Files Related to Diplomacy and National Defense Being Distributed ASEC
#ParsedReport
02-05-2022
Analysis on recent wiper attacks: examples and how wiper malware works
https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works
Actors/Campaigns:
Sandworm
Threats:
Whisperkill (tags: malware)
Hermeticwiper (tags: malware)
Isaacwiper (tags: malware)
Killdisk (tags: malware)
Doublezero (tags: malware)
Acidrain (tags: malware)
Log4shell_vuln
Whispergate
Hermeticwizard
Vpnfilter
Crashoverride
Industry:
Energy, Financial, Ics, Government
Geo:
Ukraine
TTPs:
IOCs:
Path: 1
Hash: 11
02-05-2022
Analysis on recent wiper attacks: examples and how wiper malware works
https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works
Actors/Campaigns:
Sandworm
Threats:
Whisperkill (tags: malware)
Hermeticwiper (tags: malware)
Isaacwiper (tags: malware)
Killdisk (tags: malware)
Doublezero (tags: malware)
Acidrain (tags: malware)
Log4shell_vuln
Whispergate
Hermeticwizard
Vpnfilter
Crashoverride
Industry:
Energy, Financial, Ics, Government
Geo:
Ukraine
TTPs:
IOCs:
Path: 1
Hash: 11
LevelBlue
Analysis on recent wiper attacks: examples and how wiper…
Executive summary 2022 has experienced an increase in the number of wiper variants targeting Ukrainian entities. This blog post looks to explain how wipers work, what makes them so effective and provides a short overview of the most recent samples that appeared…
#ParsedReport
02-05-2022
UNC3524: Eye Spy on Your Email
https://www.mandiant.com/resources/unc3524-eye-spy-email
Actors/Campaigns:
Unc3524 (tags: proxy, dns, botnet, backdoor, malware, rat)
Unc3452
Darkhalo
Duke
Fancy_bear
Threats:
Magnitude
Quietexit
Dropbear_tool
Regeorg
Dcsync_technique
Industry:
Financial, Iot
TTPs:
Tactics: 9
Technics: 25
IOCs:
IP: 1
File: 1
Hash: 1
YARA: Found
Links:
02-05-2022
UNC3524: Eye Spy on Your Email
https://www.mandiant.com/resources/unc3524-eye-spy-email
Actors/Campaigns:
Unc3524 (tags: proxy, dns, botnet, backdoor, malware, rat)
Unc3452
Darkhalo
Duke
Fancy_bear
Threats:
Magnitude
Quietexit
Dropbear_tool
Regeorg
Dcsync_technique
Industry:
Financial, Iot
TTPs:
Tactics: 9
Technics: 25
IOCs:
IP: 1
File: 1
Hash: 1
YARA: Found
Links:
https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.pyGoogle Cloud Blog
UNC3524: Eye Spy on Your Email | Mandiant | Google Cloud Blog
#ParsedReport
02-05-2022
AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell
https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
Threats:
Avoslocker (tags: malware, rat, rootkit, scan, ransomware)
Log4shell_vuln (tags: malware, rat, rootkit, scan, ransomware)
Nmap_tool (tags: scan, ransomware)
Anydesk_tool (tags: scan, ransomware)
Netscan_tool (tags: scan, ransomware)
Mimikatz (tags: scan, ransomware)
Xenarmor_tool (tags: scan, ransomware)
Mespinoza (tags: scan, ransomware)
Backdoor.win32.cve202144228.yacah (tags: scan, ransomware)
CVEs:
CVE-2021-40539 [Vulners]
Vulners: Score: 7.5, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- zohocorp manageengine adselfservice plus (4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0.6, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.2, 5.2, 5.2, 5.2, 5.2, 5.2, 5.2, 5.2, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.4, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.6, 5.6, 5.6, 5.6, 5.6, 5.6, 5.6, 5.6, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.1, 6.1, 6.1, 6.1, 6.1, 6.1, 6.1, 6.1, 6.1)
CVE-2021-44228 [Vulners]
Vulners: Score: 9.3, CVSS: 4.0,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- apache log4j (2.0, 2.0, 2.0, 2.0, <2.3.1, <2.12.2, <2.15.0)
- siemens sppa-t3000 ses3000 firmware (*)
- siemens captial (<2019.1, 2019.1, 2019.1)
- siemens comos (*)
- siemens desigo cc advanced reports (4.0, 4.1, 4.2, 5.0, 5.1)
have more...
IOCs:
File: 16
Url: 1
Path: 3
Hash: 6
02-05-2022
AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell
https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
Threats:
Avoslocker (tags: malware, rat, rootkit, scan, ransomware)
Log4shell_vuln (tags: malware, rat, rootkit, scan, ransomware)
Nmap_tool (tags: scan, ransomware)
Anydesk_tool (tags: scan, ransomware)
Netscan_tool (tags: scan, ransomware)
Mimikatz (tags: scan, ransomware)
Xenarmor_tool (tags: scan, ransomware)
Mespinoza (tags: scan, ransomware)
Backdoor.win32.cve202144228.yacah (tags: scan, ransomware)
CVEs:
CVE-2021-40539 [Vulners]
Vulners: Score: 7.5, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- zohocorp manageengine adselfservice plus (4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0.6, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.2, 5.2, 5.2, 5.2, 5.2, 5.2, 5.2, 5.2, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.4, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.6, 5.6, 5.6, 5.6, 5.6, 5.6, 5.6, 5.6, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.1, 6.1, 6.1, 6.1, 6.1, 6.1, 6.1, 6.1, 6.1)
CVE-2021-44228 [Vulners]
Vulners: Score: 9.3, CVSS: 4.0,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- apache log4j (2.0, 2.0, 2.0, 2.0, <2.3.1, <2.12.2, <2.15.0)
- siemens sppa-t3000 ses3000 firmware (*)
- siemens captial (<2019.1, 2019.1, 2019.1)
- siemens comos (*)
- siemens desigo cc advanced reports (4.0, 4.1, 4.2, 5.0, 5.1)
have more...
IOCs:
File: 16
Url: 1
Path: 3
Hash: 6
Trend Micro
AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell
We found an AvosLocker ransomware variant using a legitimate antivirus component to disable detection and blocking solutions.
#ParsedReport
02-05-2022
Moshen Dragons Triad-and-Error Approach \| Abusing Security Software to Sideload PlugX and ShadowPad
https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad
Actors/Campaigns:
Moshendragon
Nomadpanda
Redfoxtrot
Emissary_panda
Threats:
Plugx_rat (tags: proxy, backdoor, rat, malware)
Shadowpad (tags: proxy, backdoor, rat, malware)
Gunters (tags: backdoor, malware)
Talisman
Industry:
Telco
Geo:
Asia, Chinese
IOCs:
Path: 7
File: 2
Registry: 1
Hash: 13
Domain: 7
Links:
02-05-2022
Moshen Dragons Triad-and-Error Approach \| Abusing Security Software to Sideload PlugX and ShadowPad
https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad
Actors/Campaigns:
Moshendragon
Nomadpanda
Redfoxtrot
Emissary_panda
Threats:
Plugx_rat (tags: proxy, backdoor, rat, malware)
Shadowpad (tags: proxy, backdoor, rat, malware)
Gunters (tags: backdoor, malware)
Talisman
Industry:
Telco
Geo:
Asia, Chinese
IOCs:
Path: 7
File: 2
Registry: 1
Hash: 13
Domain: 7
Links:
https://github.com/SecureAuthCorp/impackethttps://github.com/GoSecure/DLLPasswordFilterImplantSentinelOne
Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad
Chinese-aligned APT group Moshen Dragon caught sideloading malware through multiple AV products to infect telecoms sector.