#ParsedReport
28-04-2022
Peeking into PrivateLoader
https://www.zscaler.com/blogs/security-research/peeking-privateloader
Threats:
Privateloader (tags: ransomware, stealer, malware, rat)
Vidar_stealer
Redline_stealer
Smokeloader_backdoor
Beacon
Industry:
Financial
IOCs:
Path: 1
Url: 4
IP: 2
File: 1
Hash: 2
Zscaler
Peeking into PrivateLoader | Zscaler
PrivateLoader's primary purpose is to download and execute additional malware for a pay-per-install (PPI) malware distribution service.
#ParsedReport
28-04-2022
Lazarus arsenal update: analysis of recent Andariel attack samples
https://mp-weixin-qq-com.translate.goog/s/QfbzuIKUPTXE4GdpBMsGbQ?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Actors/Campaigns:
Lazarus (tags: rat, malware, backdoor, proxy)
Industry:
Financial
Geo:
Korean, Asia
IOCs:
Hash: 13
IP: 2
Url: 4
File: 5
Domain: 1
WeChat Official Accounts Platform
Lazarus arsenal update: analysis of recent Andariel attack samples
Recently, during routine threat hunting, the RedDrip team of the QiAnXin Threat Intelligence Center captured a batch of attack samples linked to Andariel, a subgroup of the Lazarus APT group; all of them are PE executables. Judging by the times these samples were uploaded to VirusTotal, the related attack activity has been under way since at least February of this year.
#ParsedReport
28-04-2022
LAPSUS$: Recent techniques, tactics and procedures
https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures
Actors/Campaigns:
Lapsus (tags: ransomware, malware, vpn, dns)
Threats:
Rvtools_tool
Adexplorer_tool
Industry:
Financial
TTPs:
Tactics: 4
Technics: 15
IOCs:
Domain: 1
IP: 3
Url: 1
Links:
https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning
Nccgroup
Cyber Security Research
Cutting-edge cyber security research from NCC Group. Find public reports, technical advisories, analyses, & other novel insights from our global experts.
#ParsedReport
28-04-2022
eSentire Threat Intelligence Malware Analysis: SolarMarker
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-solarmarker
Threats:
Solarmarker (tags: rat, dns, backdoor, stealer, malware, phishing, vpn)
Fingerprintjs_tool
Velar
Arkei_stealer
Exodus (tags: stealer)
Grateful_pos (tags: stealer)
Geo:
Emea, Russian, America, Apac, Africa
IOCs:
File: 5
Path: 1
IP: 10
Hash: 14
YARA: Found
Links:
https://github.com/nicolauns/hunter-php-javascript-obfuscator
#ParsedReport
29-04-2022
Distribution of malicious word documents related to the North Korean 4.25 military parade
https://asec-ahnlab-com.translate.goog/ko/33878/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Actors/Campaigns:
Kimsuky (tags: malware)
Threats:
Nuclear (tags: malware)
Anchor (tags: malware)
Geo:
Korea
IOCs:
File: 5
Hash: 1
Url: 1
ASEC
Distribution of Malicious Word Documents Related to North Korea's April 25 Military Parade - ASEC
Distribution of Malicious Word Documents Related to North Korea's April 25 Military Parade ASEC
#ParsedReport
30-04-2022
SpiderLabs Blog. Stormous: The Pro-Russian, Clout Hungry Ransomware Gang Targets the US and Ukraine
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/stormous-the-pro-russian-clout-hungry-ransomware-gang-targets-the-us-and-ukraine
Actors/Campaigns:
Lapsus (tags: ransomware)
Threats:
Clout_hungry (tags: ddos, ransomware)
Industry:
Financial, Government, Healthcare
Geo:
Ukrainian, Saudi, India, Chinese, American, Ukraine, Russia, Arabia
Trustwave
Stormous: The Pro-Russian, Clout Hungry Ransomware Gang Targets the US and Ukraine | Trustwave
As part of our regular Dark Web and cybercriminal research, Trustwave SpiderLabs has uncovered and analyzed postings from a politically motivated, pro-Russian ransomware group named Stormous.
#ParsedReport
30-04-2022
THE LOTUS PANDA IS AWAKE, AGAIN. ANALYSIS OF ITS LAST STRIKE.
https://cluster25.io/2022/04/29/lotus-panda-awake-last-strike
Actors/Campaigns:
Naikon (tags: rat, malware, phishing)
Threats:
Beacon (tags: rat)
Viper_rat (tags: rat)
Cobalt_strike (tags: rat)
Arl_tool (tags: rat)
Meterpreter_tool
Powershell_shell_tool
Industry:
Government
Geo:
China, Malaysia, Asian, Philippines, Thailand, Singapore, Indonesia, Cambodia, Myanmar, Vietnam
TTPs:
Tactics: 4
Technics: 7
IOCs:
Path: 1
File: 3
Hash: 4
IP: 1
Links:
https://github.com/FunnyWolf/Viper
https://github.com/TophantTechnology/ARL
#ParsedReport
02-05-2022
Word Files Related to Diplomacy and National Defense Being Distributed
https://asec.ahnlab.com/en/33894
Actors/Campaigns:
Kimsuky
Threats:
Nuclear
Cobra
Geo:
Korea, Chinas
IOCs:
File: 4
Path: 2
Hash: 3
Url: 2
ASEC
Word Files Related to Diplomacy and National Defense Being Distributed - ASEC
Word Files Related to Diplomacy and National Defense Being Distributed ASEC
#ParsedReport
02-05-2022
Analysis on recent wiper attacks: examples and how wiper malware works
https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works
Actors/Campaigns:
Sandworm
Threats:
Whisperkill (tags: malware)
Hermeticwiper (tags: malware)
Isaacwiper (tags: malware)
Killdisk (tags: malware)
Doublezero (tags: malware)
Acidrain (tags: malware)
Log4shell_vuln
Whispergate
Hermeticwizard
Vpnfilter
Crashoverride
Industry:
Energy, Financial, Ics, Government
Geo:
Ukraine
TTPs:
IOCs:
Path: 1
Hash: 11
LevelBlue
Analysis on recent wiper attacks: examples and how wiper…
Executive summary 2022 has experienced an increase in the number of wiper variants targeting Ukrainian entities. This blog post looks to explain how wipers work, what makes them so effective and provides a short overview of the most recent samples that appeared…
#ParsedReport
02-05-2022
UNC3524: Eye Spy on Your Email
https://www.mandiant.com/resources/unc3524-eye-spy-email
Actors/Campaigns:
Unc3524 (tags: proxy, dns, botnet, backdoor, malware, rat)
Unc3452
Darkhalo
Duke
Fancy_bear
Threats:
Magnitude
Quietexit
Dropbear_tool
Regeorg
Dcsync_technique
Industry:
Financial, Iot
TTPs:
Tactics: 9
Technics: 25
IOCs:
IP: 1
File: 1
Hash: 1
YARA: Found
Links:
https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py
Google Cloud Blog
UNC3524: Eye Spy on Your Email | Mandiant | Google Cloud Blog
#ParsedReport
02-05-2022
AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell
https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
Threats:
Avoslocker (tags: malware, rat, rootkit, scan, ransomware)
Log4shell_vuln (tags: malware, rat, rootkit, scan, ransomware)
Nmap_tool (tags: scan, ransomware)
Anydesk_tool (tags: scan, ransomware)
Netscan_tool (tags: scan, ransomware)
Mimikatz (tags: scan, ransomware)
Xenarmor_tool (tags: scan, ransomware)
Mespinoza (tags: scan, ransomware)
Backdoor.win32.cve202144228.yacah (tags: scan, ransomware)
CVEs:
CVE-2021-40539 [Vulners]
Vulners: Score: 7.5, CVSS: 6.4
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- zohocorp manageengine adselfservice plus (4.5, 5.0, 5.0.6, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 6.0, 6.1)
CVE-2021-44228 [Vulners]
Vulners: Score: 9.3, CVSS: 4.0
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- apache log4j (2.0, <2.3.1, <2.12.2, <2.15.0)
- siemens sppa-t3000 ses3000 firmware (*)
- siemens capital (<2019.1, 2019.1)
- siemens comos (*)
- siemens desigo cc advanced reports (4.0, 4.1, 4.2, 5.0, 5.1)
have more...
IOCs:
File: 16
Url: 1
Path: 3
Hash: 6
Trend Micro
AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell
We found an AvosLocker ransomware variant using a legitimate antivirus component to disable detection and blocking solutions.
#ParsedReport
02-05-2022
Moshen Dragon's Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad
https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad
Actors/Campaigns:
Moshendragon
Nomadpanda
Redfoxtrot
Emissary_panda
Threats:
Plugx_rat (tags: proxy, backdoor, rat, malware)
Shadowpad (tags: proxy, backdoor, rat, malware)
Gunters (tags: backdoor, malware)
Talisman
Industry:
Telco
Geo:
Asia, Chinese
IOCs:
Path: 7
File: 2
Registry: 1
Hash: 13
Domain: 7
Links:
https://github.com/SecureAuthCorp/impacket
https://github.com/GoSecure/DLLPasswordFilterImplant
SentinelOne
Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad
Chinese-aligned APT group Moshen Dragon caught sideloading malware through multiple AV products to infect telecoms sector.
#ParsedReport
03-05-2022
Distribution of Malicious Word File Related to North Korea's April 25th Military Parade
https://asec.ahnlab.com/en/33936
Threats:
Nuclear (tags: malware)
Anchor (tags: malware)
Geo:
Koreas, Korean
IOCs:
File: 5
Hash: 1
Url: 1
ASEC
Distribution of Malicious Word File Related to North Korea’s April 25th Military Parade - ASEC
Distribution of Malicious Word File Related to North Korea’s April 25th Military Parade ASEC
#ParsedReport
03-05-2022
Attackers Target Packages in Multiple Programming Languages in Recent Software Supply Chain Attacks
https://checkmarx.com/blog/attackers-target-packages-in-multiple-programming-languages-in-recent-software-supply-chain-attacks
IOCs:
Domain: 2
Url: 3
File: 2
#ParsedReport
03-05-2022
Update on cyber activity in Eastern Europe
https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe
Actors/Campaigns:
Fancy_bear
Cold_river
Ghostwriter
Curious_gorge
Comment_crew
Threats:
Turla
Industry:
Petroleum, Government, Ngo, Telco, Logistic, Financial
Geo:
Belarusian, Russia, Iran, Korea, Ukraine, Lithuania, Russian, China, Asia
IOCs:
File: 1
Hash: 2
Domain: 14
Email: 1
Google
Update on cyber activity in Eastern Europe
An update on cyber activity in eastern Europe.
#ParsedReport
03-05-2022
Analysis of BlackByte Ransomware's Go-Based Variants
https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants
Threats:
Blackbyte (tags: ransomware, malware, rat)
Revil
Lockbit
Industry:
Ics, Financial
Geo:
Russia, Russian, Ukrainian, Belarusian
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 9
Url: 4
Path: 20
File: 36
Registry: 7
IP: 1
Links:
https://github.com/golang/go/blob/master/src/crypto/des/cipher.go
https://github.com/SpiderLabs/BlackByteDecryptor/blob/main/BlackByteDecryptor/Decryptor.cs
https://github.com/andrivet/ADVobfuscator
https://gist.github.com/api0cradle/d4aaef39db0d845627d819b2b6b30512
Zscaler
Analyzing BlackByte Ransomware's Go-Based Variants | Zscaler
In this post, Zscaler ThreatLabz analyzes two variants of the Go-based implementation of BlackByte ransomware. Read more.
#ParsedReport
04-05-2022
Compromised Docker Honeypots Used for Pro-Ukrainian DoS Attack
https://www.crowdstrike.com/blog/compromised-docker-honeypots-used-for-pro-ukrainian-dos-attack
Threats:
Lemonduck
Industry:
Government, Retail, Financial, Energy, Chemical
Geo:
Belarusian, Russian, Ukraine
IOCs:
Hash: 5
CrowdStrike.com
Compromised Docker Honeypots Used for Pro-Ukrainian DoS Attack
In February 2022, Docker Engine honeypots were compromised to execute different Docker images targeting Russian and Belarusian websites in a DoS attack.
#ParsedReport
04-05-2022
Tips for Automating IOC Extraction from GootLoader, a Changing JavaScript Malware
https://threatresearch.ext.hp.com/tips-for-automating-ioc-extraction-from-gootloader-a-changing-javascript-malware
Threats:
Gootloader (tags: malware)
IOCs:
Hash: 2
Url: 6
Links:
https://github.com/hpthreatresearch/tools/blob/main/gootloader/decode.py
HP Wolf Security
Tips for Automating IOC Extraction from GootLoader, a Changing JavaScript Malware | HP Wolf Security
Don’t let cyber threats get the best of you. Read our post, Tips for Automating IOC Extraction from GootLoader, a Changing JavaScript Malware, to learn more about cyber threats and cyber security.
#ParsedReport
04-05-2022
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse
https://www.recordedfuture.com/solardeflection-c2-infrastructure-used-by-nobelium-in-company-brand-misuse
Actors/Campaigns:
Solardeflection (tags: phishing)
Darkhalo (tags: phishing)
Duke
Lunarreflection
Threats:
Cobalt_strike
Industry:
Government, Ngo
Geo:
Russian, Ukraine
IOCs:
Domain: 60
Hash: 11
Recordedfuture
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse
This report profiles the unique infrastructure used by Russian state-sponsored threat activity group NOBELIUM. The activity was identified through a combination of large-scale automated network traffic analytics and analysis derived from open source reporting.…
#ParsedReport
04-05-2022
AsyncRAT Activity
https://www.esentire.com/blog/asyncrat-activity
Threats:
Asyncrat_rat
More_eggs
Html_smuggling_technique
Geo:
America, Apac, Emea, Africa
IOCs:
File: 8
Path: 2
eSentire
AsyncRAT Activity
AsyncRAT is an open-source remote access trojan with varying capabilities including remote access, file exfiltration, and keylogging.
#ParsedReport
04-05-2022
A new secret stash for fileless malware
https://securelist.com/a-new-secret-stash-for-fileless-malware/106393
Threats:
Cobalt_strike (tags: malware)
Netspi (tags: malware, trojan)
Blackbone (tags: malware, trojan)
Slingshot
Beacon
Mimikatz
IOCs:
File: 17
Path: 11
Domain: 7
Url: 1
IP: 2
Hash: 29
Links:
https://github.com/silentbreaksec/Throwback
Securelist
A new secret stash for “fileless” malware
We observed the technique of putting the shellcode into Windows event logs for the first time “in the wild” during the malicious campaign.
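The technique the Securelist summary names, shellcode stored as chunks inside Windows event log records, can be hunted for by regrouping records per event source, joining their data in record order, and testing whether the joined blob looks like a binary payload rather than log text. The script below is an added example written for this page; it is not code from Kaspersky, the report, or the linked Throwback repository. It runs on constructed records instead of a live event log, and the event source name, event ID, chunk size and detection thresholds are assumptions chosen for illustration, not indicators taken from the report.

```python
import hashlib
import math
from collections import defaultdict

# The record layout used here (source, event_id, record_id, data) is our own
# simplification of a Windows event log entry; real input would come from an
# EVTX file or Get-WinEvent. All names and numbers below are illustrative.
ASSUMED_SOURCE = "ExampleSvc"   # hypothetical event source, not a report IOC
ASSUMED_EVENT_ID = 4242         # hypothetical event ID, not a report IOC
ASSUMED_CHUNK = 2048            # hypothetical per-record chunk size


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or packed payloads sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def binary_ratio(data: bytes) -> float:
    """Fraction of bytes outside printable ASCII plus tab, CR and LF."""
    if not data:
        return 0.0
    text = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
    return sum(1 for b in data if b not in text) / len(data)


def reassemble(records):
    """Join the data of every record sharing (source, event_id), in record_id
    order: the same reconstruction a loader would do to recover a chunked payload.
    Returns {(source, event_id): (joined_bytes, record_count)}."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["source"], r["event_id"])].append(r)
    joined = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["record_id"])
        joined[key] = (b"".join(r["data"] for r in recs), len(recs))
    return joined


def find_suspicious_blobs(records, min_len=1024, min_entropy=6.5, min_binary=0.3):
    """Flag groups whose joined data is large and looks binary (high entropy or a
    large share of non-text bytes). Thresholds are tuning knobs, not magic values."""
    findings = []
    for (source, event_id), (blob, chunks) in reassemble(records).items():
        if len(blob) < min_len:
            continue
        ent = shannon_entropy(blob)
        ratio = binary_ratio(blob)
        if ent >= min_entropy or ratio >= min_binary:
            findings.append({
                "source": source, "event_id": event_id, "chunks": chunks,
                "length": len(blob), "entropy": round(ent, 2),
                "binary_ratio": round(ratio, 2),
            })
    return findings


def sample_payload() -> bytes:
    """Deterministic 8 KiB stand-in for an encrypted payload (hash chain, not shellcode)."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))


def make_sample_records():
    """Constructed sample log: the payload split into chunks under one source,
    interleaved with ordinary service-state messages from another source."""
    payload = sample_payload()
    records, rid = [], 1000
    for off in range(0, len(payload), ASSUMED_CHUNK):
        records.append({"source": ASSUMED_SOURCE, "event_id": ASSUMED_EVENT_ID,
                        "record_id": rid, "data": payload[off:off + ASSUMED_CHUNK]})
        rid += 1
        for _ in range(15):  # constructed benign noise between chunks
            records.append({"source": "Service Control Manager", "event_id": 7036,
                            "record_id": rid,
                            "data": b"The Example service entered the running state.\r\n"})
            rid += 1
    return records


if __name__ == "__main__":
    for hit in find_suspicious_blobs(make_sample_records()):
        print(hit)
```

The benign group is larger than the payload in total bytes but is never flagged, because repeated ASCII text has low entropy and no non-text bytes; the chunked payload is flagged even though each individual record is small, which is why grouping before measuring matters. Against a real log, plain (unencrypted) shellcode may score lower on entropy than this sample, so the binary-ratio test is kept as a second, independent signal.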