PhD2022_IoCs_Scoring_v2.pdf
Today at PhDays I talked about how indicator scoring works at RST Cloud.
Here is the deck, by the way :)
#ParsedReport
19-05-2022
Space Pirates: Explore the tools and connections of a new hacker group
https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/space-pirates-tools-and-connections
Actors/Campaigns:
Spacepirates (tags: dropper, malware, dns, backdoor, rat, phishing, proxy)
Axiom
Emissary_panda
Ta428
Red_delta
Redfoxtrot
Stealthytrident
Nightscout
Threats:
Zupdax (tags: rat)
Former_first_rat
Climax_loader
Rtlshare
Plugx_rat (tags: backdoor, dropper)
9002 (tags: rat)
Deed_rat (tags: dns, rat)
Pcshare
Poison_ivy
Shadowpad
Revbshell
Tmanger
Albaniiutas_rat
Bluetraveller_rat
Hyperbro
Smokeloader_backdoor
Reactorbot
Gh0st_rat
Chromepass_tool
Industry:
Aerospace, Financial, Government, Energy
Geo:
Asian, Chinese, Russia, Mongolia, Georgia, Japanese
CVEs:
CVE-2017-0213 [Vulners]
Vulners: Score: 1.9, CVSS: 6.4,
Vulners: Exploitation: True
X-Force: Risk: 7
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (1607, -, 1511, 1703)
- microsoft windows rt 8.1 (*)
- microsoft windows server 2012 (-, r2)
- microsoft windows server 2008 (r2, *)
- microsoft windows 8.1 (*)
have more...
TTPs:
Tactics: 10
Technics: 54
IOCs:
File: 51
Path: 20
Email: 1
IP: 23
Hash: 156
Registry: 8
Links:
https://translate.google.com/website?sl=auto&tl=en&hl=ru&client=webapp&u=https://github.com/obfuscator-llvm/obfuscator/wiki/Control-Flow-Flattening
https://translate.google.com/website?sl=auto&tl=en&hl=ru&client=webapp&u=https://github.com/bitsadmin/ReVBShell
https://translate.google.com/website?sl=auto&tl=en&hl=ru&client=webapp&u=https://github.com/vzex/dog-tunnel
https://translate.google.com/website?sl=auto&tl=en&hl=ru&client=webapp&u=https://github.com/LiveMirror/pcshare
ptsecurity.com
PT ESC Threat Intelligence Blog
In this blog you can find information about current attacks by hacker groups around the world, analysis of their tools, information about incidents, the groups' TTPs, indicators of compromise, and the names of the detections in our products
#ParsedReport
19-05-2022
Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC Part I
https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware
Actors/Campaigns:
Keksec (tags: malware, phishing)
Threats:
Avemaria_rat (tags: ransomware, spam, malware, phishing, rat, ddos, proxy, botnet)
Sbit_rat (tags: ransomware, spam, malware, phishing, rat, ddos, proxy, botnet)
Pandorahvnc (tags: spam, botnet, malware, phishing, rat, ddos, proxy, ransomware)
Emotet (tags: malware, phishing)
Enemybot (tags: malware, phishing)
Vba/agent.ddon!tr (tags: malware)
Industry:
Financial
IOCs:
File: 17
Url: 5
Path: 2
Hash: 3
Fortinet Blog
Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC – Part I
FortiGuard Labs discovered a phishing campaign delivering fileless malware to steal sensitive information from a victim’s device. Read our analysis to find out more about how the campaign executes …
#ParsedReport
19-05-2022
The BlackByte ransomware group is striking users all over the globe
http://blog.talosintelligence.com/2022/05/the-blackbyte-ransomware-group-is.html
Threats:
Blackbyte (tags: vpn, phishing, malware, ransomware)
Lolbin
Anydesk_tool
Proxyshell_vuln
Psexec_tool
Industry:
Financial
Geo:
Mexico, Netherlands, America, China, Colombia, Vietnam
IOCs:
File: 5
Path: 1
Links:
https://github.com/Neo23x0/Raccine
Cisco Talos Blog
The BlackByte ransomware group is striking users all over the globe
News summary
* Cisco Talos has been monitoring the BlackByte Ransomware Group for several months, infecting victims all over the world, from North America to Colombia, Netherlands, China, Mexico and Vietnam.
* The FBI released a joint cybersecurity advisory…
#ParsedReport
19-05-2022
Chaos Ransomware Variant Sides with Russia
https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia
Threats:
Chaos (tags: phishing, ransomware, malware)
Conti (tags: ransomware)
Lockbit (tags: ransomware)
Filecoder
Industry:
Financial
Geo:
Russia, Japanese, Ukraine
TTPs:
Tactics: 5
Technics: 6
IOCs:
File: 1
Hash: 1
Fortinet Blog
Chaos Ransomware Variant Sides with Russia
FortiGuard Labs recently came across a variant of Chaos ransomware that appears to side with Russia. Read to find out more about the destructive outcome the variant brings to a compromised machine.…
#ParsedReport
19-05-2022
New SYK Crypter Distributed Via Discord
https://blog.morphisec.com/syk-crypter-discord
Threats:
Babadeda (tags: ransomware)
Dnetloader (tags: rat, ransomware, malware, stealer)
Asyncrat_rat (tags: ransomware)
Njrat_rat (tags: ransomware)
Quasar_rat (tags: ransomware)
Avemaria_rat (tags: ransomware)
Nanocore_rat (tags: ransomware)
Redline_stealer (tags: ransomware)
Agent_tesla
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 6
Url: 26
Domain: 17
IP: 2
Path: 5
Hash: 47
Morphisec
SYK Crypter Distributing Malware Families Via Discord
As Discord’s popularity surges, a new SYK crypter is being used to deliver malware families via the community chat platform.
#ParsedReport
20-05-2022
Why Remediation Alone Is Not Enough When Infected by Malware
https://asec.ahnlab.com/en/34549
Actors/Campaigns:
Darkside (tags: malware)
Threats:
Cobalt_strike (tags: malware)
Runminer
Reverserdp_technique
Dropper/win.agent
Dropper/win32.agent
Nbtscan_tool
Malware/win64.generic
Win_loader
Geo:
Korean
CVEs:
CVE-2017-10271 [Vulners]
Vulners: Score: 5.0, CVSS: 4.9,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- oracle weblogic server (10.3.6.0.0, 12.2.1.1.0, 12.1.3.0.0, 12.2.1.2.0)
IOCs:
IP: 6
File: 4
Hash: 21
ASEC
Why Remediation Alone Is Not Enough When Infected by Malware - ASEC
In January 2022, a prominent Korean company in the manufacturing industry had many of its internal systems infected by the Darkside ransomware. As the ransomware was found to be distributed using the AD group policy, AhnLab attempted to conduct a DC server…
#ParsedReport
20-05-2022
Emotet Being Distributed Using Various Files
https://asec.ahnlab.com/en/34556
Threats:
Emotet (tags: rat, trojan, malware)
Findpos
Trojan/win.agent.r488899
Industry:
Financial
Geo:
Korea
IOCs:
Url: 18
File: 24
Path: 1
Hash: 4
ASEC BLOG
Emotet Being Distributed Using Various Files - ASEC BLOG
The ASEC analysis team has recently discovered the distribution of Emotet through link files (.lnk). The malware has been steadily distributed in the past, but starting from April, it was found that the Emotet downloader uses Excel files as well as link files…
#ParsedReport
20-05-2022
XLL malware distributed through mail
https://asec-ahnlab-com.translate.goog/ko/34497/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Threats:
Lokibot_stealer (tags: malware)
Trojan/win.agent.c5025449 (tags: malware)
Ransomware/win.carlos.c5025252 (tags: malware)
Geo:
Korea
IOCs:
File: 4
Url: 3
Hash: 5
ASEC BLOG
XLL malware distributed through mail - ASEC BLOG
Malware continues to be created and distributed in ever-changing forms and methods. The AhnLab analysis team actively monitors and analyzes these changes and ensures they are reflected in product detection. This time we introduce XLL-format malware, whose distribution has been observed since last year. An XLL file, which runs with the .xll extension, is a Microsoft Excel add-in file and can be executed through MS Excel. What is unusual is that execution is handled by MS Excel…
#ParsedReport
20-05-2022
Weaponization of Excel Add-Ins Part 2: Dridex Infection Chain Case Studies
https://unit42.paloaltonetworks.com/excel-add-ins-dridex-infection-chain
Threats:
Dridex (tags: malware, rat, dropper)
Agent_tesla
Atomic_bombing_technique
Geo:
Japan, Apac, Emea, America
IOCs:
File: 2
Hash: 6338
Url: 1496
IP: 4
Links:
https://github.com/pan-unit42/iocs/blob/master/Dridex%20Infection%20Chain%20Case%20Studies
Unit 42
Weaponization of Excel Add-Ins Part 2: Dridex Infection Chain Case Studies
We discuss XLL and XLM droppers that deliver Dridex samples. We cover examples of the Dridex infection chain.
#ParsedReport
20-05-2022
SpiderLabs Blog. Interactive Phishing: Using Chatbot-like Web Applications to Harvest Information
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/interactive-phishing-using-chatbot-like-web-applications-to-harvest-information
Actors/Campaigns:
Harvester (tags: phishing)
IOCs:
Url: 16
Trustwave
Interactive Phishing: Using Chatbot-like Web Applications to Harvest Information | Trustwave
The Trustwave SpiderLabs Email Security team identified a phishing campaign pretending to be a missed package from DHL. What’s interesting about this campaign is that clicking on the link leads to a chatbot that discusses the missed package, provides pictures…
#ParsedReport
20-05-2022
PDF Malware Is Not Yet Dead
https://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead
Threats:
Snake_keylogger
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 8.3,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
IOCs:
File: 3
Hash: 6
Url: 3
Domain: 1
Links:
https://github.com/decalage2/oletools/wiki/oleid
https://github.com/decalage2/oletools/wiki/rtfobj
HP Wolf Security
PDF Malware Is Not Yet Dead | HP Wolf Security
Don’t let cyber threats get the best of you. Read our post, PDF Malware Is Not Yet Dead, to learn more about cyber threats and cyber security.
#ParsedReport
20-05-2022
Mirai Malware Variants for Linux Double Down on Stronger Chips in Q1 2022
https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips
Threats:
Mirai (tags: rat, malware, proxy, botnet, ddos)
Log4shell_vuln
Satori
Mozi
Bashlite
Xorddos
Industry:
Iot
IOCs:
Hash: 10
crowdstrike.com
Mirai Malware for Linux Double Down on Stronger Chips | CrowdStrike
Mirai malware variants that target Linux devices have doubled on stronger Intel-powered chips in Q1 2022.
#ParsedReport
23-05-2022
A peek behind the BPFDoor
https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article
Threats:
Bpfdoor (tags: rat, malware, vpn, scan, backdoor)
Bvp47
Industry:
Logistic, Iot, Telco, Ics, Government, Education
Geo:
Myanmar, India, Korea, Turkey, Taiwan, Asia, Vietnam, China
TTPs:
Tactics: 3
Technics: 0
IOCs:
Hash: 15
YARA: Found
Links:
https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_process_started_in_shared_memory_directory.toml
https://github.com/rhysre
https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_abnormal_process_id_file_created.toml
https://github.com/DefSecSentinel
https://github.com/jtnk
https://github.com/tabell
#ParsedReport
23-05-2022
ASEC Weekly Malware Statistics (May 9th, 2022 – May 15th, 2022)
https://asec.ahnlab.com/en/34624
Threats:
Agent_tesla (tags: malware)
Formbook (tags: malware)
Lokibot_stealer (tags: malware)
Avemaria_rat (tags: malware)
Redline_stealer (tags: malware)
Beamwinhttp_loader (tags: malware)
Industry:
Financial, Transport
Geo:
Korea
IOCs:
Domain: 4
IP: 8
Email: 6
File: 27
Url: 18
ASEC BLOG
ASEC Weekly Malware Statistics (May 9th, 2022 – May 15th, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from May 9th, 2022 (Monday) to May 15th, 2022 (Sunday). For the main category, info-stealer…
#ParsedReport
23-05-2022
Beneath the surface: Uncovering the shift in web skimming
https://www.microsoft.com/security/blog/2022/05/23/beneath-the-surface-uncovering-the-shift-in-web-skimming
Actors/Campaigns:
Magecart
Threats:
Magento_skimmer
Industry:
Aerospace, Financial, E-commerce
IOCs:
File: 1
Domain: 3
Hash: 3
Url: 8
Microsoft Security Blog
Beneath the surface: Uncovering the shift in web skimming | Microsoft Security Blog
Web skimming campaigns now employ various obfuscation techniques to deliver and hide the skimming scripts. It’s a shift from earlier tactics where attackers conspicuously injected the malicious scripts into e-commerce platforms and content management systems…
#ParsedReport
24-05-2022
AgentTesla being distributed through Windows help files (*.chm)
https://asec-ahnlab-com.translate.goog/ko/34653/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Threats:
Agent_tesla (tags: malware, phishing, trojan)
Industry:
Transport
IOCs:
Url: 3
File: 1
Hash: 4
ASEC BLOG
AgentTesla being distributed through Windows help files (*.chm) - ASEC BLOG
The ASEC analysis team recently observed AgentTesla malware being distributed in a new way. Whereas the previous AgentTesla distribution method, introduced several times on the ASEC blog, used malicious VBA macros inside PowerPoint (*.ppt) documents, the new method was confirmed to run PowerShell commands through Windows help files (*.chm). The malicious CHM file is attached as a compressed archive to a phishing email impersonating the shipping company DHL…
#ParsedReport
23-05-2022
Sandworm uses a new version of ArguePatch to attack targets in Ukraine
https://www.welivesecurity.com/2022/05/20/sandworm-ukraine-new-version-arguepatch-malware-loader
Actors/Campaigns:
Sandworm (tags: ransomware, malware)
Threats:
Arguepatch_loader (tags: ransomware, malware)
Crashoverride
Killdisk
Hermeticwiper
Hermeticwizard
Partyticket
Isaacwiper
Industry:
Energy
Geo:
Ukraine
IOCs:
File: 1
Hash: 1
WeLiveSecurity
Sandworm uses a new version of ArguePatch to attack targets in Ukraine
ESET researchers spot a new version of the ArguePatch malware loader that was previously used in the Industroyer2 and CaddyWiper attacks.
#ParsedReport
23-05-2022
The Evil Twin attack
https://www.telsy.com/the-evil-twin-attack
Threats:
Comrade_circle
Wifipineapple_tool
Industry:
Financial
Telsy
The Evil Twin attack - Telsy
Evil Twin is a spoofing attack that works by tricking users into connecting to a fake Wi-Fi access point that mimics a legitimate network.
#ParsedReport
23-05-2022
Spoofed Saudi Purchase Order Drops GuLoader: Part 1
https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader
Threats:
Cloudeye (tags: spam, ransomware, rat, phishing, malware)
Chaos
Agent_tesla
Formbook
Lokibot_stealer
Industry:
Energy, Petroleum
Geo:
Russia, Arabia, Saudi, Ukraine
IOCs:
Email: 1
Domain: 1
File: 1
Hash: 3
Links:
https://github.com/myfreeer/7z-build-nsis
Fortinet Blog
Spoofed Saudi Purchase Order Drops GuLoader: Part 1
FortiGuard Labs recently discovered a social engineering email lure with a message delivered to a company in Ukraine. In part I of our blog, we will analyze the phishing email and provide an analys…
#ParsedReport
24-05-2022
TURLA's new phishing-based reconnaissance campaign in Eastern Europe
https://blog.sekoia.io/turla-new-phishing-campaign-eastern-europe
Actors/Campaigns:
Curious_gorge
Fancy_bear
Coldriver
Ghostwriter
Turla
Molerats
Threats:
Turla (tags: phishing, malware)
Uroburos
Maze
Industry:
Government, Petroleum, Education
Geo:
Russia, Latvia, Usa, Chinese, Austria, Lithuania, Russian, Ukraine, Chinas, Estonia
TTPs:
IOCs:
Domain: 3
File: 4
IP: 3
Url: 1
Hash: 2
YARA: Found
Sekoia.io Blog
TURLA’s new phishing-based reconnaissance campaign in Eastern Europe
SEKOIA.IO's Threat & Detection Researchers expose a reconnaissance and espionage campaign from TURLA against eastern-EU institutions