#ParsedReport
29-04-2022
Distribution of malicious word documents related to the North Korean 4.25 military parade
https://asec-ahnlab-com.translate.goog/ko/33878/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Actors/Campaigns:
Kimsuky (tags: malware)
Threats:
Nuclear (tags: malware)
Anchor (tags: malware)
Geo:
Korea
IOCs:
File: 5
Hash: 1
Url: 1
29-04-2022
Distribution of malicious word documents related to the North Korean 4.25 military parade
https://asec-ahnlab-com.translate.goog/ko/33878/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Actors/Campaigns:
Kimsuky (tags: malware)
Threats:
Nuclear (tags: malware)
Anchor (tags: malware)
Geo:
Korea
IOCs:
File: 5
Hash: 1
Url: 1
ASEC
북한 4.25 열병식 관련 내용의 악성 워드 문서 유포 - ASEC
북한 4.25 열병식 관련 내용의 악성 워드 문서 유포 ASEC
#ParsedReport
30-04-2022
SpiderLabs Blog. Stormous: The Pro-Russian, Clout Hungry Ransomware Gang Targets the US and Ukraine
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/stormous-the-pro-russian-clout-hungry-ransomware-gang-targets-the-us-and-ukraine
Actors/Campaigns:
Lapsus (tags: ransomware)
Threats:
Clout_hungry (tags: ddos, ransomware)
Industry:
Financial, Government, Healthcare
Geo:
Ukrainian, Saudi, India, Chinese, American, Ukraine, Russia, Arabia
30-04-2022
SpiderLabs Blog. Stormous: The Pro-Russian, Clout Hungry Ransomware Gang Targets the US and Ukraine
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/stormous-the-pro-russian-clout-hungry-ransomware-gang-targets-the-us-and-ukraine
Actors/Campaigns:
Lapsus (tags: ransomware)
Threats:
Clout_hungry (tags: ddos, ransomware)
Industry:
Financial, Government, Healthcare
Geo:
Ukrainian, Saudi, India, Chinese, American, Ukraine, Russia, Arabia
Trustwave
Stormous: The Pro-Russian, Clout Hungry Ransomware Gang Targets the US and Ukraine | Trustwave
As part of our regular Dark Web and cybercriminal research, Trustwave SpiderLabs has uncovered and analyzed postings from a politically motivated, pro-Russian ransomware group named Stormous.
#ParsedReport
30-04-2022
THE LOTUS PANDA IS AWAKE, AGAIN. ANALYSIS OF ITS LAST STRIKE.
https://cluster25.io/2022/04/29/lotus-panda-awake-last-strike
Actors/Campaigns:
Naikon (tags: rat, malware, phishing)
Threats:
Beacon (tags: rat)
Viper_rat (tags: rat)
Cobalt_strike (tags: rat)
Arl_tool (tags: rat)
Meterpreter_tool
Powershell_shell_tool
Industry:
Government
Geo:
China, Malaysia, Asian, Philippines, Thailand, Singapore, Indonesia, Cambodia, Myanmar, Vietnam
TTPs:
Tactics: 4
Technics: 7
IOCs:
Path: 1
File: 3
Hash: 4
IP: 1
Links:
30-04-2022
THE LOTUS PANDA IS AWAKE, AGAIN. ANALYSIS OF ITS LAST STRIKE.
https://cluster25.io/2022/04/29/lotus-panda-awake-last-strike
Actors/Campaigns:
Naikon (tags: rat, malware, phishing)
Threats:
Beacon (tags: rat)
Viper_rat (tags: rat)
Cobalt_strike (tags: rat)
Arl_tool (tags: rat)
Meterpreter_tool
Powershell_shell_tool
Industry:
Government
Geo:
China, Malaysia, Asian, Philippines, Thailand, Singapore, Indonesia, Cambodia, Myanmar, Vietnam
TTPs:
Tactics: 4
Technics: 7
IOCs:
Path: 1
File: 3
Hash: 4
IP: 1
Links:
https://github.com/FunnyWolf/Viper
https://github.com/TophantTechnology/ARL#ParsedReport
02-05-2022
Word Files Related to Diplomacy and National Defense Being Distributed
https://asec.ahnlab.com/en/33894
Actors/Campaigns:
Kimsuky
Threats:
Nuclear
Cobra
Geo:
Korea, Chinas
IOCs:
File: 4
Path: 2
Hash: 3
Url: 2
02-05-2022
Word Files Related to Diplomacy and National Defense Being Distributed
https://asec.ahnlab.com/en/33894
Actors/Campaigns:
Kimsuky
Threats:
Nuclear
Cobra
Geo:
Korea, Chinas
IOCs:
File: 4
Path: 2
Hash: 3
Url: 2
ASEC
Word Files Related to Diplomacy and National Defense Being Distributed - ASEC
Word Files Related to Diplomacy and National Defense Being Distributed ASEC
#ParsedReport
02-05-2022
Analysis on recent wiper attacks: examples and how wiper malware works
https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works
Actors/Campaigns:
Sandworm
Threats:
Whisperkill (tags: malware)
Hermeticwiper (tags: malware)
Isaacwiper (tags: malware)
Killdisk (tags: malware)
Doublezero (tags: malware)
Acidrain (tags: malware)
Log4shell_vuln
Whispergate
Hermeticwizard
Vpnfilter
Crashoverride
Industry:
Energy, Financial, Ics, Government
Geo:
Ukraine
TTPs:
IOCs:
Path: 1
Hash: 11
02-05-2022
Analysis on recent wiper attacks: examples and how wiper malware works
https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works
Actors/Campaigns:
Sandworm
Threats:
Whisperkill (tags: malware)
Hermeticwiper (tags: malware)
Isaacwiper (tags: malware)
Killdisk (tags: malware)
Doublezero (tags: malware)
Acidrain (tags: malware)
Log4shell_vuln
Whispergate
Hermeticwizard
Vpnfilter
Crashoverride
Industry:
Energy, Financial, Ics, Government
Geo:
Ukraine
TTPs:
IOCs:
Path: 1
Hash: 11
LevelBlue
Analysis on recent wiper attacks: examples and how wiper…
Executive summary 2022 has experienced an increase in the number of wiper variants targeting Ukrainian entities. This blog post looks to explain how wipers work, what makes them so effective and provides a short overview of the most recent samples that appeared…
#ParsedReport
02-05-2022
UNC3524: Eye Spy on Your Email
https://www.mandiant.com/resources/unc3524-eye-spy-email
Actors/Campaigns:
Unc3524 (tags: proxy, dns, botnet, backdoor, malware, rat)
Unc3452
Darkhalo
Duke
Fancy_bear
Threats:
Magnitude
Quietexit
Dropbear_tool
Regeorg
Dcsync_technique
Industry:
Financial, Iot
TTPs:
Tactics: 9
Technics: 25
IOCs:
IP: 1
File: 1
Hash: 1
YARA: Found
Links:
02-05-2022
UNC3524: Eye Spy on Your Email
https://www.mandiant.com/resources/unc3524-eye-spy-email
Actors/Campaigns:
Unc3524 (tags: proxy, dns, botnet, backdoor, malware, rat)
Unc3452
Darkhalo
Duke
Fancy_bear
Threats:
Magnitude
Quietexit
Dropbear_tool
Regeorg
Dcsync_technique
Industry:
Financial, Iot
TTPs:
Tactics: 9
Technics: 25
IOCs:
IP: 1
File: 1
Hash: 1
YARA: Found
Links:
https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.pyGoogle Cloud Blog
UNC3524: Eye Spy on Your Email | Mandiant | Google Cloud Blog
#ParsedReport
02-05-2022
AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell
https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
Threats:
Avoslocker (tags: malware, rat, rootkit, scan, ransomware)
Log4shell_vuln (tags: malware, rat, rootkit, scan, ransomware)
Nmap_tool (tags: scan, ransomware)
Anydesk_tool (tags: scan, ransomware)
Netscan_tool (tags: scan, ransomware)
Mimikatz (tags: scan, ransomware)
Xenarmor_tool (tags: scan, ransomware)
Mespinoza (tags: scan, ransomware)
Backdoor.win32.cve202144228.yacah (tags: scan, ransomware)
CVEs:
CVE-2021-40539 [Vulners]
Vulners: Score: 7.5, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- zohocorp manageengine adselfservice plus (4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0.6, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.2, 5.2, 5.2, 5.2, 5.2, 5.2, 5.2, 5.2, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.4, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.6, 5.6, 5.6, 5.6, 5.6, 5.6, 5.6, 5.6, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.1, 6.1, 6.1, 6.1, 6.1, 6.1, 6.1, 6.1, 6.1)
CVE-2021-44228 [Vulners]
Vulners: Score: 9.3, CVSS: 4.0,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- apache log4j (2.0, 2.0, 2.0, 2.0, <2.3.1, <2.12.2, <2.15.0)
- siemens sppa-t3000 ses3000 firmware (*)
- siemens captial (<2019.1, 2019.1, 2019.1)
- siemens comos (*)
- siemens desigo cc advanced reports (4.0, 4.1, 4.2, 5.0, 5.1)
have more...
IOCs:
File: 16
Url: 1
Path: 3
Hash: 6
02-05-2022
AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell
https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
Threats:
Avoslocker (tags: malware, rat, rootkit, scan, ransomware)
Log4shell_vuln (tags: malware, rat, rootkit, scan, ransomware)
Nmap_tool (tags: scan, ransomware)
Anydesk_tool (tags: scan, ransomware)
Netscan_tool (tags: scan, ransomware)
Mimikatz (tags: scan, ransomware)
Xenarmor_tool (tags: scan, ransomware)
Mespinoza (tags: scan, ransomware)
Backdoor.win32.cve202144228.yacah (tags: scan, ransomware)
CVEs:
CVE-2021-40539 [Vulners]
Vulners: Score: 7.5, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- zohocorp manageengine adselfservice plus (4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0.6, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.2, 5.2, 5.2, 5.2, 5.2, 5.2, 5.2, 5.2, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.4, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.6, 5.6, 5.6, 5.6, 5.6, 5.6, 5.6, 5.6, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.1, 6.1, 6.1, 6.1, 6.1, 6.1, 6.1, 6.1, 6.1)
CVE-2021-44228 [Vulners]
Vulners: Score: 9.3, CVSS: 4.0,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- apache log4j (2.0, 2.0, 2.0, 2.0, <2.3.1, <2.12.2, <2.15.0)
- siemens sppa-t3000 ses3000 firmware (*)
- siemens captial (<2019.1, 2019.1, 2019.1)
- siemens comos (*)
- siemens desigo cc advanced reports (4.0, 4.1, 4.2, 5.0, 5.1)
have more...
IOCs:
File: 16
Url: 1
Path: 3
Hash: 6
Trend Micro
AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell
We found an AvosLocker ransomware variant using a legitimate antivirus component to disable detection and blocking solutions.
#ParsedReport
02-05-2022
Moshen Dragons Triad-and-Error Approach \| Abusing Security Software to Sideload PlugX and ShadowPad
https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad
Actors/Campaigns:
Moshendragon
Nomadpanda
Redfoxtrot
Emissary_panda
Threats:
Plugx_rat (tags: proxy, backdoor, rat, malware)
Shadowpad (tags: proxy, backdoor, rat, malware)
Gunters (tags: backdoor, malware)
Talisman
Industry:
Telco
Geo:
Asia, Chinese
IOCs:
Path: 7
File: 2
Registry: 1
Hash: 13
Domain: 7
Links:
02-05-2022
Moshen Dragons Triad-and-Error Approach \| Abusing Security Software to Sideload PlugX and ShadowPad
https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad
Actors/Campaigns:
Moshendragon
Nomadpanda
Redfoxtrot
Emissary_panda
Threats:
Plugx_rat (tags: proxy, backdoor, rat, malware)
Shadowpad (tags: proxy, backdoor, rat, malware)
Gunters (tags: backdoor, malware)
Talisman
Industry:
Telco
Geo:
Asia, Chinese
IOCs:
Path: 7
File: 2
Registry: 1
Hash: 13
Domain: 7
Links:
https://github.com/SecureAuthCorp/impackethttps://github.com/GoSecure/DLLPasswordFilterImplantSentinelOne
Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad
Chinese-aligned APT group Moshen Dragon caught sideloading malware through multiple AV products to infect telecoms sector.
#ParsedReport
03-05-2022
Distribution of Malicious Word File Related to North Koreas April 25th Military Parade
https://asec.ahnlab.com/en/33936
Threats:
Nuclear (tags: malware)
Anchor (tags: malware)
Geo:
Koreas, Korean
IOCs:
File: 5
Hash: 1
Url: 1
03-05-2022
Distribution of Malicious Word File Related to North Koreas April 25th Military Parade
https://asec.ahnlab.com/en/33936
Threats:
Nuclear (tags: malware)
Anchor (tags: malware)
Geo:
Koreas, Korean
IOCs:
File: 5
Hash: 1
Url: 1
ASEC
Distribution of Malicious Word File Related to North Korea’s April 25th Military Parade - ASEC
Distribution of Malicious Word File Related to North Korea’s April 25th Military Parade ASEC
#ParsedReport
03-05-2022
Attackers Target Packages in Multiple Programming Languages in Recent Software Supply Chain Attacks. Intro
https://checkmarx.com/blog/attackers-target-packages-in-multiple-programming-languages-in-recent-software-supply-chain-attacks
IOCs:
Domain: 2
Url: 3
File: 2
03-05-2022
Attackers Target Packages in Multiple Programming Languages in Recent Software Supply Chain Attacks. Intro
https://checkmarx.com/blog/attackers-target-packages-in-multiple-programming-languages-in-recent-software-supply-chain-attacks
IOCs:
Domain: 2
Url: 3
File: 2
#ParsedReport
03-05-2022
Update on cyber activity in Eastern Europe
https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe
Actors/Campaigns:
Fancy_bear
Cold_river
Ghostwriter
Curious_gorge
Comment_crew
Threats:
Turla
Industry:
Petroleum, Government, Ngo, Telco, Logistic, Financial
Geo:
Belarusian, Russia, Iran, Korea, Ukraine, Lithuania, Russian, China, Asia
IOCs:
File: 1
Hash: 2
Domain: 14
Email: 1
03-05-2022
Update on cyber activity in Eastern Europe
https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe
Actors/Campaigns:
Fancy_bear
Cold_river
Ghostwriter
Curious_gorge
Comment_crew
Threats:
Turla
Industry:
Petroleum, Government, Ngo, Telco, Logistic, Financial
Geo:
Belarusian, Russia, Iran, Korea, Ukraine, Lithuania, Russian, China, Asia
IOCs:
File: 1
Hash: 2
Domain: 14
Email: 1
Google
Update on cyber activity in Eastern Europe
An update on cyber activity in eastern Europe.
#ParsedReport
03-05-2022
Analysis of BlackByte Ransomware's Go-Based Variants. Key Points
https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants
Threats:
Blackbyte (tags: ransomware, malware, rat)
Revil
Lockbit
Industry:
Ics, Financial
Geo:
Russia, Russian, Ukrainian, Belarusian
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 9
Url: 4
Path: 20
File: 36
Registry: 7
IP: 1
Links:
03-05-2022
Analysis of BlackByte Ransomware's Go-Based Variants. Key Points
https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants
Threats:
Blackbyte (tags: ransomware, malware, rat)
Revil
Lockbit
Industry:
Ics, Financial
Geo:
Russia, Russian, Ukrainian, Belarusian
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 9
Url: 4
Path: 20
File: 36
Registry: 7
IP: 1
Links:
https://github.com/golang/go/blob/master/src/crypto/des/cipher.gohttps://github.com/SpiderLabs/BlackByteDecryptor/blob/main/BlackByteDecryptor/Decryptor.cshttps://github.com/andrivet/ADVobfuscatorhttps://gist.github.com/api0cradle/d4aaef39db0d845627d819b2b6b30512Zscaler
Analyzing BlackByte Ransomware's Go-Based Variants | Zscaler
In this post, Zscaler ThreatLabz analyzes two variants of the Go-based implementation of BlackByte ransomware. Read more.
#ParsedReport
04-05-2022
Compromised Docker Honeypots Used for Pro-Ukrainian DoS Attack
https://www.crowdstrike.com/blog/compromised-docker-honeypots-used-for-pro-ukrainian-dos-attack
Threats:
Lemonduck
Industry:
Government, Retail, Financial, Energy, Chemical
Geo:
Belarusian, Russian, Ukraine
IOCs:
Hash: 5
04-05-2022
Compromised Docker Honeypots Used for Pro-Ukrainian DoS Attack
https://www.crowdstrike.com/blog/compromised-docker-honeypots-used-for-pro-ukrainian-dos-attack
Threats:
Lemonduck
Industry:
Government, Retail, Financial, Energy, Chemical
Geo:
Belarusian, Russian, Ukraine
IOCs:
Hash: 5
CrowdStrike.com
Compromised Docker Honeypots Used for Pro-Ukrainian DoS Attack
In February 2022, Docker Engine honeypots were compromised to execute different Docker images targeting Russian and Belarusian websites in a DoS attack.
#ParsedReport
04-05-2022
Tips for Automating IOC Extraction from GootLoader, a Changing JavaScript Malware
https://threatresearch.ext.hp.com/tips-for-automating-ioc-extraction-from-gootloader-a-changing-javascript-malware
Threats:
Gootloader (tags: malware)
IOCs:
Hash: 2
Url: 6
Links:
04-05-2022
Tips for Automating IOC Extraction from GootLoader, a Changing JavaScript Malware
https://threatresearch.ext.hp.com/tips-for-automating-ioc-extraction-from-gootloader-a-changing-javascript-malware
Threats:
Gootloader (tags: malware)
IOCs:
Hash: 2
Url: 6
Links:
https://github.com/hpthreatresearch/tools/blob/main/gootloader/decode.pyHP Wolf Security
Tips for Automating IOC Extraction from GootLoader, a Changing JavaScript Malware | HP Wolf Security
Don’t let cyber threats get the best of you. Read our post, Tips for Automating IOC Extraction from GootLoader, a Changing JavaScript Malware, to learn more about cyber threats and cyber security.
#ParsedReport
04-05-2022
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse
https://www.recordedfuture.com/solardeflection-c2-infrastructure-used-by-nobelium-in-company-brand-misuse
Actors/Campaigns:
Solardeflection (tags: phishing,)
Darkhalo (tags: phishing)
Duke
Lunarreflection
Threats:
Cobalt_strike
Industry:
Government, Ngo
Geo:
Russian, Ukraine
IOCs:
Domain: 60
Hash: 11
04-05-2022
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse
https://www.recordedfuture.com/solardeflection-c2-infrastructure-used-by-nobelium-in-company-brand-misuse
Actors/Campaigns:
Solardeflection (tags: phishing,)
Darkhalo (tags: phishing)
Duke
Lunarreflection
Threats:
Cobalt_strike
Industry:
Government, Ngo
Geo:
Russian, Ukraine
IOCs:
Domain: 60
Hash: 11
Recordedfuture
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse
This report profiles the unique infrastructure used by Russian state-sponsored threat activity group NOBELIUM. The activity was identified through a combination of large-scale automated network traffic analytics and analysis derived from open source reporting.…
#ParsedReport
04-05-2022
AsyncRAT Activity
https://www.esentire.com/blog/asyncrat-activity
Threats:
Asyncrat_rat
More_eggs
Html_smuggling_technique
Geo:
America, Apac, Emea, Africa
IOCs:
File: 8
Path: 2
04-05-2022
AsyncRAT Activity
https://www.esentire.com/blog/asyncrat-activity
Threats:
Asyncrat_rat
More_eggs
Html_smuggling_technique
Geo:
America, Apac, Emea, Africa
IOCs:
File: 8
Path: 2
eSentire
AsyncRAT Activity
AsyncRAT is an open-source remote access trojan with varying capabilities including remote access, file exfiltration, and keylogging.
#ParsedReport
04-05-2022
A new secret stash for fileless malware
https://securelist.com/a-new-secret-stash-for-fileless-malware/106393
Threats:
Cobalt_strike (tags: malware)
Netspi (tags: malware, trojan)
Blackbone (tags: malware, trojan)
Slingshot
Beacon
Mimikatz
IOCs:
File: 17
Path: 11
Domain: 7
Url: 1
IP: 2
Hash: 29
Links:
04-05-2022
A new secret stash for fileless malware
https://securelist.com/a-new-secret-stash-for-fileless-malware/106393
Threats:
Cobalt_strike (tags: malware)
Netspi (tags: malware, trojan)
Blackbone (tags: malware, trojan)
Slingshot
Beacon
Mimikatz
IOCs:
File: 17
Path: 11
Domain: 7
Url: 1
IP: 2
Hash: 29
Links:
https://github.com/silentbreaksec/ThrowbackSecurelist
A new secret stash for “fileless” malware
We observed the technique of putting the shellcode into Windows event logs for the first time “in the wild” during the malicious campaign.
#ParsedReport
04-05-2022
Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive
https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive
Actors/Campaigns:
Axiom (tags: rootkit, rat, backdoor, proxy, malware)
Threats:
Deploylog (tags: rootkit, rat, malware)
Spyder (tags: malware)
Privatelog (tags: rootkit)
Winnkit (tags: rootkit, rat, malware)
Stashlog (tags: malware)
Sparklog
Lolbin
Cryptopp_tool
Industry:
Government
Geo:
Chinese
TTPs:
Tactics: 4
Technics: 0
IOCs:
File: 18
Path: 32
Registry: 1
Hash: 14
Links:
04-05-2022
Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive
https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive
Actors/Campaigns:
Axiom (tags: rootkit, rat, backdoor, proxy, malware)
Threats:
Deploylog (tags: rootkit, rat, malware)
Spyder (tags: malware)
Privatelog (tags: rootkit)
Winnkit (tags: rootkit, rat, malware)
Stashlog (tags: malware)
Sparklog
Lolbin
Cryptopp_tool
Industry:
Government
Geo:
Chinese
TTPs:
Tactics: 4
Technics: 0
IOCs:
File: 18
Path: 32
Registry: 1
Hash: 14
Links:
https://github.com/securycore/Ikeext-PrivescCybereason
Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive
This research zeroes in on the Winnti malware arsenal and includes analysis of the observed malware and the complex Winnti infection chain, including evasive maneuvers and stealth techniques that are baked-in to the malware code...
#ParsedReport
04-05-2022
Minerva Labs Blog
https://blog.minerva-labs.com/new-black-basta-ransomware-hijacks-windows-fax-service
Threats:
Blackbasta (tags: ransomware, cryptomining)
Geo:
American, Deutsche
IOCs:
Path: 1
File: 3
Registry: 2
Hash: 3
04-05-2022
Minerva Labs Blog
https://blog.minerva-labs.com/new-black-basta-ransomware-hijacks-windows-fax-service
Threats:
Blackbasta (tags: ransomware, cryptomining)
Geo:
American, Deutsche
IOCs:
Path: 1
File: 3
Registry: 2
Hash: 3
Minerva-Labs
New Black Basta Ransomware Hijacks Windows Fax Service
We take a deep dive into how the Black Basta ransomware works, from infection to decryption.
#ParsedReport
04-05-2022
Attacking Emotets Control Flow Flattening
https://news.sophos.com/en-us/2022/05/04/attacking-emotets-control-flow-flattening
Actors/Campaigns:
Stone_panda
Threats:
Emotet (tags: spam, botnet, malware)
Stantinko
IOCs:
Hash: 2
Links:
04-05-2022
Attacking Emotets Control Flow Flattening
https://news.sophos.com/en-us/2022/05/04/attacking-emotets-control-flow-flattening
Actors/Campaigns:
Stone_panda
Threats:
Emotet (tags: spam, botnet, malware)
Stantinko
IOCs:
Hash: 2
Links:
https://github.com/obfuscator-llvm/obfuscator/wikihttps://github.com/eset/stadeohttps://github.com/sophoslabs/emotet\_unflatten\_pocSophos News
Attacking Emotet’s Control Flow Flattening
Sweeping aside one obfuscation technique in a notorious strain of malware
#ParsedReport
04-05-2022
Old Services, New Tricks: Cloud Metadata Abuse by UNC2903
https://www.mandiant.com/resources/cloud-metadata-abuse-unc2903
Actors/Campaigns:
Unc2903 (tags: scan, rat, malware, proxy, vpn)
Industry:
Financial
CVEs:
CVE-2021-21311 [Vulners]
Vulners: Score: 6.4, CVSS: 4.5,
Vulners: Exploitation: Unknown
X-Force: Risk: 5.3
X-Force: Patch: Official fix
Soft:
- adminer (<4.7.9)
- debian debian linux (9.0)
CVE-2019-0211 [Vulners]
Vulners: Score: 7.2, CVSS: 3.9,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.2
X-Force: Patch: Official fix
Soft:
- apache http server (le2.4.38)
- fedoraproject fedora (29, 30)
- canonical ubuntu linux (16.04, 18.04, 18.10, 14.04)
- debian debian linux (9.0)
- opensuse leap (42.3, 15.0)
have more...
TTPs:
Tactics: 5
Technics: 6
IOCs:
IP: 5
Url: 3
File: 3
Coin: 3
Hash: 1
Links:
04-05-2022
Old Services, New Tricks: Cloud Metadata Abuse by UNC2903
https://www.mandiant.com/resources/cloud-metadata-abuse-unc2903
Actors/Campaigns:
Unc2903 (tags: scan, rat, malware, proxy, vpn)
Industry:
Financial
CVEs:
CVE-2021-21311 [Vulners]
Vulners: Score: 6.4, CVSS: 4.5,
Vulners: Exploitation: Unknown
X-Force: Risk: 5.3
X-Force: Patch: Official fix
Soft:
- adminer (<4.7.9)
- debian debian linux (9.0)
CVE-2019-0211 [Vulners]
Vulners: Score: 7.2, CVSS: 3.9,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.2
X-Force: Patch: Official fix
Soft:
- apache http server (le2.4.38)
- fedoraproject fedora (29, 30)
- canonical ubuntu linux (16.04, 18.04, 18.10, 14.04)
- debian debian linux (9.0)
- opensuse leap (42.3, 15.0)
have more...
TTPs:
Tactics: 5
Technics: 6
IOCs:
IP: 5
Url: 3
File: 3
Coin: 3
Hash: 1
Links:
https://github.com/duo-labs/cloudmapperhttps://github.com/latacora/remediate-AWS-IMDSv1https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6https://github.com/salesforce/metabadgerhttps://github.com/prowler-cloud/prowler/blob/master/checks/check\_extra786Google Cloud Blog
Old Services, New Tricks: Cloud Metadata Abuse by UNC2903 | Google Cloud Blog