#ParsedReport
02-05-2022
Analysis on recent wiper attacks: examples and how wiper malware works
https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works
Actors/Campaigns:
Sandworm
Threats:
Whisperkill (tags: malware)
Hermeticwiper (tags: malware)
Isaacwiper (tags: malware)
Killdisk (tags: malware)
Doublezero (tags: malware)
Acidrain (tags: malware)
Log4shell_vuln
Whispergate
Hermeticwizard
Vpnfilter
Crashoverride
Industry:
Energy, Financial, Ics, Government
Geo:
Ukraine
TTPs:
IOCs:
Path: 1
Hash: 11
02-05-2022
Analysis on recent wiper attacks: examples and how wiper malware works
https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works
Actors/Campaigns:
Sandworm
Threats:
Whisperkill (tags: malware)
Hermeticwiper (tags: malware)
Isaacwiper (tags: malware)
Killdisk (tags: malware)
Doublezero (tags: malware)
Acidrain (tags: malware)
Log4shell_vuln
Whispergate
Hermeticwizard
Vpnfilter
Crashoverride
Industry:
Energy, Financial, Ics, Government
Geo:
Ukraine
TTPs:
IOCs:
Path: 1
Hash: 11
LevelBlue
Analysis on recent wiper attacks: examples and how wiper…
Executive summary 2022 has experienced an increase in the number of wiper variants targeting Ukrainian entities. This blog post looks to explain how wipers work, what makes them so effective and provides a short overview of the most recent samples that appeared…
#ParsedReport
02-05-2022
UNC3524: Eye Spy on Your Email
https://www.mandiant.com/resources/unc3524-eye-spy-email
Actors/Campaigns:
Unc3524 (tags: proxy, dns, botnet, backdoor, malware, rat)
Unc3452
Darkhalo
Duke
Fancy_bear
Threats:
Magnitude
Quietexit
Dropbear_tool
Regeorg
Dcsync_technique
Industry:
Financial, Iot
TTPs:
Tactics: 9
Technics: 25
IOCs:
IP: 1
File: 1
Hash: 1
YARA: Found
Links:
02-05-2022
UNC3524: Eye Spy on Your Email
https://www.mandiant.com/resources/unc3524-eye-spy-email
Actors/Campaigns:
Unc3524 (tags: proxy, dns, botnet, backdoor, malware, rat)
Unc3452
Darkhalo
Duke
Fancy_bear
Threats:
Magnitude
Quietexit
Dropbear_tool
Regeorg
Dcsync_technique
Industry:
Financial, Iot
TTPs:
Tactics: 9
Technics: 25
IOCs:
IP: 1
File: 1
Hash: 1
YARA: Found
Links:
https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.pyGoogle Cloud Blog
UNC3524: Eye Spy on Your Email | Mandiant | Google Cloud Blog
#ParsedReport
02-05-2022
AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell
https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
Threats:
Avoslocker (tags: malware, rat, rootkit, scan, ransomware)
Log4shell_vuln (tags: malware, rat, rootkit, scan, ransomware)
Nmap_tool (tags: scan, ransomware)
Anydesk_tool (tags: scan, ransomware)
Netscan_tool (tags: scan, ransomware)
Mimikatz (tags: scan, ransomware)
Xenarmor_tool (tags: scan, ransomware)
Mespinoza (tags: scan, ransomware)
Backdoor.win32.cve202144228.yacah (tags: scan, ransomware)
CVEs:
CVE-2021-40539 [Vulners]
Vulners: Score: 7.5, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- zohocorp manageengine adselfservice plus (4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0.6, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.2, 5.2, 5.2, 5.2, 5.2, 5.2, 5.2, 5.2, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.4, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.6, 5.6, 5.6, 5.6, 5.6, 5.6, 5.6, 5.6, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.1, 6.1, 6.1, 6.1, 6.1, 6.1, 6.1, 6.1, 6.1)
CVE-2021-44228 [Vulners]
Vulners: Score: 9.3, CVSS: 4.0,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- apache log4j (2.0, 2.0, 2.0, 2.0, <2.3.1, <2.12.2, <2.15.0)
- siemens sppa-t3000 ses3000 firmware (*)
- siemens captial (<2019.1, 2019.1, 2019.1)
- siemens comos (*)
- siemens desigo cc advanced reports (4.0, 4.1, 4.2, 5.0, 5.1)
have more...
IOCs:
File: 16
Url: 1
Path: 3
Hash: 6
02-05-2022
AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell
https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
Threats:
Avoslocker (tags: malware, rat, rootkit, scan, ransomware)
Log4shell_vuln (tags: malware, rat, rootkit, scan, ransomware)
Nmap_tool (tags: scan, ransomware)
Anydesk_tool (tags: scan, ransomware)
Netscan_tool (tags: scan, ransomware)
Mimikatz (tags: scan, ransomware)
Xenarmor_tool (tags: scan, ransomware)
Mespinoza (tags: scan, ransomware)
Backdoor.win32.cve202144228.yacah (tags: scan, ransomware)
CVEs:
CVE-2021-40539 [Vulners]
Vulners: Score: 7.5, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- zohocorp manageengine adselfservice plus (4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 4.5, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0.6, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.1, 5.2, 5.2, 5.2, 5.2, 5.2, 5.2, 5.2, 5.2, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.3, 5.4, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.5, 5.6, 5.6, 5.6, 5.6, 5.6, 5.6, 5.6, 5.6, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.7, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 5.8, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.1, 6.1, 6.1, 6.1, 6.1, 6.1, 6.1, 6.1, 6.1)
CVE-2021-44228 [Vulners]
Vulners: Score: 9.3, CVSS: 4.0,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- apache log4j (2.0, 2.0, 2.0, 2.0, <2.3.1, <2.12.2, <2.15.0)
- siemens sppa-t3000 ses3000 firmware (*)
- siemens captial (<2019.1, 2019.1, 2019.1)
- siemens comos (*)
- siemens desigo cc advanced reports (4.0, 4.1, 4.2, 5.0, 5.1)
have more...
IOCs:
File: 16
Url: 1
Path: 3
Hash: 6
Trend Micro
AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell
We found an AvosLocker ransomware variant using a legitimate antivirus component to disable detection and blocking solutions.
#ParsedReport
02-05-2022
Moshen Dragons Triad-and-Error Approach \| Abusing Security Software to Sideload PlugX and ShadowPad
https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad
Actors/Campaigns:
Moshendragon
Nomadpanda
Redfoxtrot
Emissary_panda
Threats:
Plugx_rat (tags: proxy, backdoor, rat, malware)
Shadowpad (tags: proxy, backdoor, rat, malware)
Gunters (tags: backdoor, malware)
Talisman
Industry:
Telco
Geo:
Asia, Chinese
IOCs:
Path: 7
File: 2
Registry: 1
Hash: 13
Domain: 7
Links:
02-05-2022
Moshen Dragons Triad-and-Error Approach \| Abusing Security Software to Sideload PlugX and ShadowPad
https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad
Actors/Campaigns:
Moshendragon
Nomadpanda
Redfoxtrot
Emissary_panda
Threats:
Plugx_rat (tags: proxy, backdoor, rat, malware)
Shadowpad (tags: proxy, backdoor, rat, malware)
Gunters (tags: backdoor, malware)
Talisman
Industry:
Telco
Geo:
Asia, Chinese
IOCs:
Path: 7
File: 2
Registry: 1
Hash: 13
Domain: 7
Links:
https://github.com/SecureAuthCorp/impackethttps://github.com/GoSecure/DLLPasswordFilterImplantSentinelOne
Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad
Chinese-aligned APT group Moshen Dragon caught sideloading malware through multiple AV products to infect telecoms sector.
#ParsedReport
03-05-2022
Distribution of Malicious Word File Related to North Koreas April 25th Military Parade
https://asec.ahnlab.com/en/33936
Threats:
Nuclear (tags: malware)
Anchor (tags: malware)
Geo:
Koreas, Korean
IOCs:
File: 5
Hash: 1
Url: 1
03-05-2022
Distribution of Malicious Word File Related to North Koreas April 25th Military Parade
https://asec.ahnlab.com/en/33936
Threats:
Nuclear (tags: malware)
Anchor (tags: malware)
Geo:
Koreas, Korean
IOCs:
File: 5
Hash: 1
Url: 1
ASEC
Distribution of Malicious Word File Related to North Korea’s April 25th Military Parade - ASEC
Distribution of Malicious Word File Related to North Korea’s April 25th Military Parade ASEC
#ParsedReport
03-05-2022
Attackers Target Packages in Multiple Programming Languages in Recent Software Supply Chain Attacks. Intro
https://checkmarx.com/blog/attackers-target-packages-in-multiple-programming-languages-in-recent-software-supply-chain-attacks
IOCs:
Domain: 2
Url: 3
File: 2
03-05-2022
Attackers Target Packages in Multiple Programming Languages in Recent Software Supply Chain Attacks. Intro
https://checkmarx.com/blog/attackers-target-packages-in-multiple-programming-languages-in-recent-software-supply-chain-attacks
IOCs:
Domain: 2
Url: 3
File: 2
#ParsedReport
03-05-2022
Update on cyber activity in Eastern Europe
https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe
Actors/Campaigns:
Fancy_bear
Cold_river
Ghostwriter
Curious_gorge
Comment_crew
Threats:
Turla
Industry:
Petroleum, Government, Ngo, Telco, Logistic, Financial
Geo:
Belarusian, Russia, Iran, Korea, Ukraine, Lithuania, Russian, China, Asia
IOCs:
File: 1
Hash: 2
Domain: 14
Email: 1
03-05-2022
Update on cyber activity in Eastern Europe
https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe
Actors/Campaigns:
Fancy_bear
Cold_river
Ghostwriter
Curious_gorge
Comment_crew
Threats:
Turla
Industry:
Petroleum, Government, Ngo, Telco, Logistic, Financial
Geo:
Belarusian, Russia, Iran, Korea, Ukraine, Lithuania, Russian, China, Asia
IOCs:
File: 1
Hash: 2
Domain: 14
Email: 1
Google
Update on cyber activity in Eastern Europe
An update on cyber activity in eastern Europe.
#ParsedReport
03-05-2022
Analysis of BlackByte Ransomware's Go-Based Variants. Key Points
https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants
Threats:
Blackbyte (tags: ransomware, malware, rat)
Revil
Lockbit
Industry:
Ics, Financial
Geo:
Russia, Russian, Ukrainian, Belarusian
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 9
Url: 4
Path: 20
File: 36
Registry: 7
IP: 1
Links:
03-05-2022
Analysis of BlackByte Ransomware's Go-Based Variants. Key Points
https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants
Threats:
Blackbyte (tags: ransomware, malware, rat)
Revil
Lockbit
Industry:
Ics, Financial
Geo:
Russia, Russian, Ukrainian, Belarusian
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 9
Url: 4
Path: 20
File: 36
Registry: 7
IP: 1
Links:
https://github.com/golang/go/blob/master/src/crypto/des/cipher.gohttps://github.com/SpiderLabs/BlackByteDecryptor/blob/main/BlackByteDecryptor/Decryptor.cshttps://github.com/andrivet/ADVobfuscatorhttps://gist.github.com/api0cradle/d4aaef39db0d845627d819b2b6b30512Zscaler
Analyzing BlackByte Ransomware's Go-Based Variants | Zscaler
In this post, Zscaler ThreatLabz analyzes two variants of the Go-based implementation of BlackByte ransomware. Read more.
#ParsedReport
04-05-2022
Compromised Docker Honeypots Used for Pro-Ukrainian DoS Attack
https://www.crowdstrike.com/blog/compromised-docker-honeypots-used-for-pro-ukrainian-dos-attack
Threats:
Lemonduck
Industry:
Government, Retail, Financial, Energy, Chemical
Geo:
Belarusian, Russian, Ukraine
IOCs:
Hash: 5
04-05-2022
Compromised Docker Honeypots Used for Pro-Ukrainian DoS Attack
https://www.crowdstrike.com/blog/compromised-docker-honeypots-used-for-pro-ukrainian-dos-attack
Threats:
Lemonduck
Industry:
Government, Retail, Financial, Energy, Chemical
Geo:
Belarusian, Russian, Ukraine
IOCs:
Hash: 5
CrowdStrike.com
Compromised Docker Honeypots Used for Pro-Ukrainian DoS Attack
In February 2022, Docker Engine honeypots were compromised to execute different Docker images targeting Russian and Belarusian websites in a DoS attack.
#ParsedReport
04-05-2022
Tips for Automating IOC Extraction from GootLoader, a Changing JavaScript Malware
https://threatresearch.ext.hp.com/tips-for-automating-ioc-extraction-from-gootloader-a-changing-javascript-malware
Threats:
Gootloader (tags: malware)
IOCs:
Hash: 2
Url: 6
Links:
04-05-2022
Tips for Automating IOC Extraction from GootLoader, a Changing JavaScript Malware
https://threatresearch.ext.hp.com/tips-for-automating-ioc-extraction-from-gootloader-a-changing-javascript-malware
Threats:
Gootloader (tags: malware)
IOCs:
Hash: 2
Url: 6
Links:
https://github.com/hpthreatresearch/tools/blob/main/gootloader/decode.pyHP Wolf Security
Tips for Automating IOC Extraction from GootLoader, a Changing JavaScript Malware | HP Wolf Security
Don’t let cyber threats get the best of you. Read our post, Tips for Automating IOC Extraction from GootLoader, a Changing JavaScript Malware, to learn more about cyber threats and cyber security.
#ParsedReport
04-05-2022
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse
https://www.recordedfuture.com/solardeflection-c2-infrastructure-used-by-nobelium-in-company-brand-misuse
Actors/Campaigns:
Solardeflection (tags: phishing,)
Darkhalo (tags: phishing)
Duke
Lunarreflection
Threats:
Cobalt_strike
Industry:
Government, Ngo
Geo:
Russian, Ukraine
IOCs:
Domain: 60
Hash: 11
04-05-2022
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse
https://www.recordedfuture.com/solardeflection-c2-infrastructure-used-by-nobelium-in-company-brand-misuse
Actors/Campaigns:
Solardeflection (tags: phishing,)
Darkhalo (tags: phishing)
Duke
Lunarreflection
Threats:
Cobalt_strike
Industry:
Government, Ngo
Geo:
Russian, Ukraine
IOCs:
Domain: 60
Hash: 11
Recordedfuture
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse
This report profiles the unique infrastructure used by Russian state-sponsored threat activity group NOBELIUM. The activity was identified through a combination of large-scale automated network traffic analytics and analysis derived from open source reporting.…
#ParsedReport
04-05-2022
AsyncRAT Activity
https://www.esentire.com/blog/asyncrat-activity
Threats:
Asyncrat_rat
More_eggs
Html_smuggling_technique
Geo:
America, Apac, Emea, Africa
IOCs:
File: 8
Path: 2
04-05-2022
AsyncRAT Activity
https://www.esentire.com/blog/asyncrat-activity
Threats:
Asyncrat_rat
More_eggs
Html_smuggling_technique
Geo:
America, Apac, Emea, Africa
IOCs:
File: 8
Path: 2
eSentire
AsyncRAT Activity
AsyncRAT is an open-source remote access trojan with varying capabilities including remote access, file exfiltration, and keylogging.
#ParsedReport
04-05-2022
A new secret stash for fileless malware
https://securelist.com/a-new-secret-stash-for-fileless-malware/106393
Threats:
Cobalt_strike (tags: malware)
Netspi (tags: malware, trojan)
Blackbone (tags: malware, trojan)
Slingshot
Beacon
Mimikatz
IOCs:
File: 17
Path: 11
Domain: 7
Url: 1
IP: 2
Hash: 29
Links:
04-05-2022
A new secret stash for fileless malware
https://securelist.com/a-new-secret-stash-for-fileless-malware/106393
Threats:
Cobalt_strike (tags: malware)
Netspi (tags: malware, trojan)
Blackbone (tags: malware, trojan)
Slingshot
Beacon
Mimikatz
IOCs:
File: 17
Path: 11
Domain: 7
Url: 1
IP: 2
Hash: 29
Links:
https://github.com/silentbreaksec/ThrowbackSecurelist
A new secret stash for “fileless” malware
We observed the technique of putting the shellcode into Windows event logs for the first time “in the wild” during the malicious campaign.
#ParsedReport
04-05-2022
Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive
https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive
Actors/Campaigns:
Axiom (tags: rootkit, rat, backdoor, proxy, malware)
Threats:
Deploylog (tags: rootkit, rat, malware)
Spyder (tags: malware)
Privatelog (tags: rootkit)
Winnkit (tags: rootkit, rat, malware)
Stashlog (tags: malware)
Sparklog
Lolbin
Cryptopp_tool
Industry:
Government
Geo:
Chinese
TTPs:
Tactics: 4
Technics: 0
IOCs:
File: 18
Path: 32
Registry: 1
Hash: 14
Links:
04-05-2022
Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive
https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive
Actors/Campaigns:
Axiom (tags: rootkit, rat, backdoor, proxy, malware)
Threats:
Deploylog (tags: rootkit, rat, malware)
Spyder (tags: malware)
Privatelog (tags: rootkit)
Winnkit (tags: rootkit, rat, malware)
Stashlog (tags: malware)
Sparklog
Lolbin
Cryptopp_tool
Industry:
Government
Geo:
Chinese
TTPs:
Tactics: 4
Technics: 0
IOCs:
File: 18
Path: 32
Registry: 1
Hash: 14
Links:
https://github.com/securycore/Ikeext-PrivescCybereason
Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive
This research zeroes in on the Winnti malware arsenal and includes analysis of the observed malware and the complex Winnti infection chain, including evasive maneuvers and stealth techniques that are baked-in to the malware code...
#ParsedReport
04-05-2022
Minerva Labs Blog
https://blog.minerva-labs.com/new-black-basta-ransomware-hijacks-windows-fax-service
Threats:
Blackbasta (tags: ransomware, cryptomining)
Geo:
American, Deutsche
IOCs:
Path: 1
File: 3
Registry: 2
Hash: 3
04-05-2022
Minerva Labs Blog
https://blog.minerva-labs.com/new-black-basta-ransomware-hijacks-windows-fax-service
Threats:
Blackbasta (tags: ransomware, cryptomining)
Geo:
American, Deutsche
IOCs:
Path: 1
File: 3
Registry: 2
Hash: 3
Minerva-Labs
New Black Basta Ransomware Hijacks Windows Fax Service
We take a deep dive into how the Black Basta ransomware works, from infection to decryption.
#ParsedReport
04-05-2022
Attacking Emotets Control Flow Flattening
https://news.sophos.com/en-us/2022/05/04/attacking-emotets-control-flow-flattening
Actors/Campaigns:
Stone_panda
Threats:
Emotet (tags: spam, botnet, malware)
Stantinko
IOCs:
Hash: 2
Links:
04-05-2022
Attacking Emotets Control Flow Flattening
https://news.sophos.com/en-us/2022/05/04/attacking-emotets-control-flow-flattening
Actors/Campaigns:
Stone_panda
Threats:
Emotet (tags: spam, botnet, malware)
Stantinko
IOCs:
Hash: 2
Links:
https://github.com/obfuscator-llvm/obfuscator/wikihttps://github.com/eset/stadeohttps://github.com/sophoslabs/emotet\_unflatten\_pocSophos News
Attacking Emotet’s Control Flow Flattening
Sweeping aside one obfuscation technique in a notorious strain of malware
#ParsedReport
04-05-2022
Old Services, New Tricks: Cloud Metadata Abuse by UNC2903
https://www.mandiant.com/resources/cloud-metadata-abuse-unc2903
Actors/Campaigns:
Unc2903 (tags: scan, rat, malware, proxy, vpn)
Industry:
Financial
CVEs:
CVE-2021-21311 [Vulners]
Vulners: Score: 6.4, CVSS: 4.5,
Vulners: Exploitation: Unknown
X-Force: Risk: 5.3
X-Force: Patch: Official fix
Soft:
- adminer (<4.7.9)
- debian debian linux (9.0)
CVE-2019-0211 [Vulners]
Vulners: Score: 7.2, CVSS: 3.9,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.2
X-Force: Patch: Official fix
Soft:
- apache http server (le2.4.38)
- fedoraproject fedora (29, 30)
- canonical ubuntu linux (16.04, 18.04, 18.10, 14.04)
- debian debian linux (9.0)
- opensuse leap (42.3, 15.0)
have more...
TTPs:
Tactics: 5
Technics: 6
IOCs:
IP: 5
Url: 3
File: 3
Coin: 3
Hash: 1
Links:
04-05-2022
Old Services, New Tricks: Cloud Metadata Abuse by UNC2903
https://www.mandiant.com/resources/cloud-metadata-abuse-unc2903
Actors/Campaigns:
Unc2903 (tags: scan, rat, malware, proxy, vpn)
Industry:
Financial
CVEs:
CVE-2021-21311 [Vulners]
Vulners: Score: 6.4, CVSS: 4.5,
Vulners: Exploitation: Unknown
X-Force: Risk: 5.3
X-Force: Patch: Official fix
Soft:
- adminer (<4.7.9)
- debian debian linux (9.0)
CVE-2019-0211 [Vulners]
Vulners: Score: 7.2, CVSS: 3.9,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.2
X-Force: Patch: Official fix
Soft:
- apache http server (le2.4.38)
- fedoraproject fedora (29, 30)
- canonical ubuntu linux (16.04, 18.04, 18.10, 14.04)
- debian debian linux (9.0)
- opensuse leap (42.3, 15.0)
have more...
TTPs:
Tactics: 5
Technics: 6
IOCs:
IP: 5
Url: 3
File: 3
Coin: 3
Hash: 1
Links:
https://github.com/duo-labs/cloudmapperhttps://github.com/latacora/remediate-AWS-IMDSv1https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6https://github.com/salesforce/metabadgerhttps://github.com/prowler-cloud/prowler/blob/master/checks/check\_extra786Google Cloud Blog
Old Services, New Tricks: Cloud Metadata Abuse by UNC2903 | Google Cloud Blog
#ParsedReport
04-05-2022
Minerva Labs Blog
https://blog.minerva-labs.com/a-new-blustealer-loader-uses-direct-syscalls-to-evade-edrs
Threats:
Blu_stealer (tags: phishing, stealer, malware, cryptomining, ransomware)
Spyex
Hallowing_technique
Exodus
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 4
Path: 4
Registry: 2
Hash: 4
04-05-2022
Minerva Labs Blog
https://blog.minerva-labs.com/a-new-blustealer-loader-uses-direct-syscalls-to-evade-edrs
Threats:
Blu_stealer (tags: phishing, stealer, malware, cryptomining, ransomware)
Spyex
Hallowing_technique
Exodus
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 4
Path: 4
Registry: 2
Hash: 4
Rapid7
Rapid7 Cybersecurity - Command Your Attack Surface
Level up SecOps with the only endpoint to cloud, unified cybersecurity platform. Confidently act to prevent breaches with a leading MDR partner. Request demo!
#ParsedReport
04-05-2022
Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation
https://www.cybereason.com/blog/operation-cuckoobees-cybereason-uncovers-massive-chinese-intellectual-property-theft-operation
Actors/Campaigns:
Axiom (tags: malware)
Threats:
Deploylog
Spyder
Privatelog
Winnkit
Stashlog
Eternal_petya
Industry:
Government, E-commerce
Geo:
America, Asia, Chinese, China
04-05-2022
Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation
https://www.cybereason.com/blog/operation-cuckoobees-cybereason-uncovers-massive-chinese-intellectual-property-theft-operation
Actors/Campaigns:
Axiom (tags: malware)
Threats:
Deploylog
Spyder
Privatelog
Winnkit
Stashlog
Eternal_petya
Industry:
Government, E-commerce
Geo:
America, Asia, Chinese, China
Cybereason
Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation
Cybereason recently an attack assessed to be the work of Chinese APT Winnti that operated undetected, siphoning intellectual property and sensitive data - the two companion reports examine the tactics and techniques of the overall campaign as well as more…
#ParsedReport
05-05-2022
NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service. Attack overview
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Threats:
Netdooka (tags: botnet, backdoor, trojan, malware, dropper, rat, ddos)
Privateloader (tags: botnet, backdoor, trojan, malware, dropper, rat, ddos)
Smokeloader_backdoor (tags: malware)
Redline_stealer (tags: malware)
Anubis (tags: malware)
Viper_rat
Trojan.win32.stop.el
Trojan.win64.protdrive.a
Trojan.win32.vindor.a
IOCs:
File: 4
Path: 3
IP: 3
Hash: 38
Url: 5
Links:
05-05-2022
NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service. Attack overview
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Threats:
Netdooka (tags: botnet, backdoor, trojan, malware, dropper, rat, ddos)
Privateloader (tags: botnet, backdoor, trojan, malware, dropper, rat, ddos)
Smokeloader_backdoor (tags: malware)
Redline_stealer (tags: malware)
Anubis (tags: malware)
Viper_rat
Trojan.win32.stop.el
Trojan.win64.protdrive.a
Trojan.win32.vindor.a
IOCs:
File: 4
Path: 3
IP: 3
Hash: 38
Url: 5
Links:
https://github.com/microsoft/Windows-driver-samples/tree/master/general/obcallbackhttps://github.com/SweetIceLolly/Prevent\_File\_DeletionTrend Micro
NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service
This report focuses on the components and infection chain of the NetDooka framework. Its scope ranges from the release of the first payload up until the release of the final RAT that is protected by a kernel driver.
#ParsedReport
05-05-2022
Top Cyber Threats to the Telecom Industry
https://www.intezer.com/blog/incident-response/cyber-threats-telecom-industry
Actors/Campaigns:
Lightbasin
Lapsus
Evil_corp
Threats:
Macaw
Cobalt_strike
Beacon
Vermilion
Industry:
Telco, Iot, Aerospace, Media
Geo:
Russian, Iranian, Polish
05-05-2022
Top Cyber Threats to the Telecom Industry
https://www.intezer.com/blog/incident-response/cyber-threats-telecom-industry
Actors/Campaigns:
Lightbasin
Lapsus
Evil_corp
Threats:
Macaw
Cobalt_strike
Beacon
Vermilion
Industry:
Telco, Iot, Aerospace, Media
Geo:
Russian, Iranian, Polish
Intezer
Top Cyber Threats to the Telecom Industry
Learn about top threats to the telecom industry and how teams are using automation to keep up with alert triage, incident response, and threat hunting.