#ParsedReport
20-05-2022
XLL malware distributed through mail
https://asec-ahnlab-com.translate.goog/ko/34497/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Threats:
Lokibot_stealer (tags: malware)
Trojan/win.agent.c5025449 (tags: malware)
Ransomware/win.carlos.c5025252 (tags: malware)
Geo:
Korea
IOCs:
File: 4
Url: 3
Hash: 5
20-05-2022
XLL malware distributed through mail
https://asec-ahnlab-com.translate.goog/ko/34497/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Threats:
Lokibot_stealer (tags: malware)
Trojan/win.agent.c5025449 (tags: malware)
Ransomware/win.carlos.c5025252 (tags: malware)
Geo:
Korea
IOCs:
File: 4
Url: 3
Hash: 5
ASEC BLOG
메일을 통해 유포되는 XLL 악성코드 - ASEC BLOG
그동안 악성코드는 다양한 형태와 방식으로 변화하며 제작되고 유포되고 있다. 그러한 변화들을 안랩 분석팀에서는 적극적으로 모니터링하며 분석하고 제품에 진단 반영되도록 하고있다. 이번에는 작년부터 유포정황이 확인된 XLL형식의 악성코드에 대해 소개하고자 한다. .xll 확장자로 동작 가능한 XLL 파일은 Microsoft Excel(엑셀)의 추가 기능 파일로 해당 MS Excel을 통해 파일을 실행 할 수 있다. 특이한 점은 실행은 MS Excel로 되어…
#ParsedReport
20-05-2022
Weaponization of Excel Add-Ins Part 2: Dridex Infection Chain Case Studies
https://unit42.paloaltonetworks.com/excel-add-ins-dridex-infection-chain
Threats:
Dridex (tags: malware, rat, dropper)
Agent_tesla
Atomic_bombing_technique
Geo:
Japan, Apac, Emea, America
IOCs:
File: 2
Hash: 6338
Url: 1496
IP: 4
Links:
20-05-2022
Weaponization of Excel Add-Ins Part 2: Dridex Infection Chain Case Studies
https://unit42.paloaltonetworks.com/excel-add-ins-dridex-infection-chain
Threats:
Dridex (tags: malware, rat, dropper)
Agent_tesla
Atomic_bombing_technique
Geo:
Japan, Apac, Emea, America
IOCs:
File: 2
Hash: 6338
Url: 1496
IP: 4
Links:
https://github.com/pan-unit42/iocs/blob/master/Dridex%20Infection%20Chain%20Case%20StudiesUnit 42
Weaponization of Excel Add-Ins Part 2: Dridex Infection Chain Case Studies
We discuss XLL and XLM droppers that deliver Dridex samples. We cover examples of the Dridex infection chain.
#ParsedReport
20-05-2022
SpiderLabs Blog. Interactive Phishing: Using Chatbot-like Web Applications to Harvest Information
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/interactive-phishing-using-chatbot-like-web-applications-to-harvest-information
Actors/Campaigns:
Harvester (tags: phishing)
IOCs:
Url: 16
20-05-2022
SpiderLabs Blog. Interactive Phishing: Using Chatbot-like Web Applications to Harvest Information
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/interactive-phishing-using-chatbot-like-web-applications-to-harvest-information
Actors/Campaigns:
Harvester (tags: phishing)
IOCs:
Url: 16
Trustwave
Interactive Phishing: Using Chatbot-like Web Applications to Harvest Information | Trustwave
The Trustwave SpiderLabs Email Security team identified a phishing campaign pretending to be a missed package from DHL. What’s interesting about this campaign is that clicking on the link leads to a chatbot that discusses the missed package, provides pictures…
#ParsedReport
20-05-2022
PDF Malware Is Not Yet Dead
https://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead
Threats:
Snake_keylogger
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 8.3,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
IOCs:
File: 3
Hash: 6
Url: 3
Domain: 1
Links:
20-05-2022
PDF Malware Is Not Yet Dead
https://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead
Threats:
Snake_keylogger
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 8.3,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
IOCs:
File: 3
Hash: 6
Url: 3
Domain: 1
Links:
https://github.com/decalage2/oletools/wiki/oleidhttps://github.com/decalage2/oletools/wiki/rtfobjHP Wolf Security
PDF Malware Is Not Yet Dead | HP Wolf Security
Don’t let cyber threats get the best of you. Read our post, PDF Malware Is Not Yet Dead, to learn more about cyber threats and cyber security.
#ParsedReport
20-05-2022
Mirai Malware Variants for Linux Double Down on Stronger Chips in Q1 2022
https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips
Threats:
Mirai (tags: rat, malware, proxy, botnet, ddos)
Log4shell_vuln
Satori
Mozi
Bashlite
Xorddos
Industry:
Iot
IOCs:
Hash: 10
20-05-2022
Mirai Malware Variants for Linux Double Down on Stronger Chips in Q1 2022
https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips
Threats:
Mirai (tags: rat, malware, proxy, botnet, ddos)
Log4shell_vuln
Satori
Mozi
Bashlite
Xorddos
Industry:
Iot
IOCs:
Hash: 10
crowdstrike.com
Mirai Malware for Linux Double Down on Stronger Chips | CrowdStrike
Mirai malware variants that target Linux devices have doubled on stronger Intel-powered chips in Q1 2022.
#ParsedReport
23-05-2022
A peek behind the BPFDoor
https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article
Threats:
Bpfdoor (tags: rat, malware, vpn, scan, backdoor)
Bvp47
Industry:
Logistic, Iot, Telco, Ics, Government, Education
Geo:
Myanmar, India, Korea, Turkey, Taiwan, Asia, Vietnam, China
TTPs:
Tactics: 3
Technics: 0
IOCs:
Hash: 15
YARA: Found
Links:
23-05-2022
A peek behind the BPFDoor
https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article
Threats:
Bpfdoor (tags: rat, malware, vpn, scan, backdoor)
Bvp47
Industry:
Logistic, Iot, Telco, Ics, Government, Education
Geo:
Myanmar, India, Korea, Turkey, Taiwan, Asia, Vietnam, China
TTPs:
Tactics: 3
Technics: 0
IOCs:
Hash: 15
YARA: Found
Links:
https://github.com/elastic/detection-rules/blob/main/rules/linux/execution\_process\_started\_in\_shared\_memory\_directory.tomlhttps://github.com/rhysrehttps://github.com/elastic/detection-rules/blob/main/rules/linux/execution\_abnormal\_process\_id\_file\_created.tomlhttps://github.com/DefSecSentinelhttps://github.com/jtnkhttps://github.com/tabell#ParsedReport
23-05-2022
ASEC Weekly Malware Statistics (May 9th, 2022 May 15th, 2022)
https://asec.ahnlab.com/en/34624
Threats:
Agent_tesla (tags: malware)
Formbook (tags: malware)
Lokibot_stealer (tags: malware)
Avemaria_rat (tags: malware)
Redline_stealer (tags: malware)
Beamwinhttp_loader (tags: malware)
Industry:
Financial, Transport
Geo:
Korea
IOCs:
Domain: 4
IP: 8
Email: 6
File: 27
Url: 18
23-05-2022
ASEC Weekly Malware Statistics (May 9th, 2022 May 15th, 2022)
https://asec.ahnlab.com/en/34624
Threats:
Agent_tesla (tags: malware)
Formbook (tags: malware)
Lokibot_stealer (tags: malware)
Avemaria_rat (tags: malware)
Redline_stealer (tags: malware)
Beamwinhttp_loader (tags: malware)
Industry:
Financial, Transport
Geo:
Korea
IOCs:
Domain: 4
IP: 8
Email: 6
File: 27
Url: 18
ASEC BLOG
ASEC Weekly Malware Statistics (May 9th, 2022 – May 15th, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from May 9th, 2022 (Monday) to May 15th, 2022 (Sunday). For the main category, info-stealer…
#ParsedReport
23-05-2022
Beneath the surface: Uncovering the shift in web skimming
https://www.microsoft.com/security/blog/2022/05/23/beneath-the-surface-uncovering-the-shift-in-web-skimming
Actors/Campaigns:
Magecart
Threats:
Magento_skimmer
Industry:
Aerospace, Financial, E-commerce
IOCs:
File: 1
Domain: 3
Hash: 3
Url: 8
23-05-2022
Beneath the surface: Uncovering the shift in web skimming
https://www.microsoft.com/security/blog/2022/05/23/beneath-the-surface-uncovering-the-shift-in-web-skimming
Actors/Campaigns:
Magecart
Threats:
Magento_skimmer
Industry:
Aerospace, Financial, E-commerce
IOCs:
File: 1
Domain: 3
Hash: 3
Url: 8
Microsoft Security Blog
Beneath the surface: Uncovering the shift in web skimming | Microsoft Security Blog
Web skimming campaigns now employ various obfuscation techniques to deliver and hide the skimming scripts. It’s a shift from earlier tactics where attackers conspicuously injected the malicious scripts into e-commerce platforms and content management systems…
#ParsedReport
24-05-2022
AgentTesla being distributed through Windows help files (*.chm)
https://asec-ahnlab-com.translate.goog/ko/34653/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Threats:
Agent_tesla (tags: malware, phishing, trojan)
Industry:
Transport
IOCs:
Url: 3
File: 1
Hash: 4
24-05-2022
AgentTesla being distributed through Windows help files (*.chm)
https://asec-ahnlab-com.translate.goog/ko/34653/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Threats:
Agent_tesla (tags: malware, phishing, trojan)
Industry:
Transport
IOCs:
Url: 3
File: 1
Hash: 4
ASEC BLOG
윈도우 도움말 파일(*.chm)을 통해 유포 중인 AgentTesla - ASEC BLOG
ASEC 분석팀은 최근 AgentTesla 악성코드가 새로운 방식으로 유포 중인 정황을 포착하였다. ASEC 블로그에도 여러 번 소개해왔던 AgentTesla 의 기존 유포 방식은 파워포인트(*.ppt) 문서 내 악성 VBA 매크로를 이용하였다면, 새로운 유포 방식은 윈도우 도움말 파일(*.chm) 을 이용하여 powershell 명령어를 실행하는 것으로 확인하였다. 악성 CHM 파일은 운송 회사인 DHL 을 사칭한 피싱 메일에 첨부되어 압축 파일 형태로…
#ParsedReport
23-05-2022
Sandworm uses a new version of ArguePatch to attack targets in Ukraine
https://www.welivesecurity.com/2022/05/20/sandworm-ukraine-new-version-arguepatch-malware-loader
Actors/Campaigns:
Sandworm (tags: ransomware, malware)
Threats:
Arguepatch_loader (tags: ransomware, malware)
Crashoverride
Killdisk
Hermeticwiper
Hermeticwizard
Partyticket
Isaacwiper
Industry:
Energy
Geo:
Ukraine
IOCs:
File: 1
Hash: 1
23-05-2022
Sandworm uses a new version of ArguePatch to attack targets in Ukraine
https://www.welivesecurity.com/2022/05/20/sandworm-ukraine-new-version-arguepatch-malware-loader
Actors/Campaigns:
Sandworm (tags: ransomware, malware)
Threats:
Arguepatch_loader (tags: ransomware, malware)
Crashoverride
Killdisk
Hermeticwiper
Hermeticwizard
Partyticket
Isaacwiper
Industry:
Energy
Geo:
Ukraine
IOCs:
File: 1
Hash: 1
WeLiveSecurity
Sandworm uses a new version of ArguePatch to attack targets in Ukraine
ESET researchers spot a new version of the ArguePatch malware loader that was previously used in the Industroyer2 and CaddyWiper attacks.
#ParsedReport
23-05-2022
The Evil Twin attack
https://www.telsy.com/the-evil-twin-attack
Threats:
Comrade_circle
Wifipineapple_tool
Industry:
Financial
23-05-2022
The Evil Twin attack
https://www.telsy.com/the-evil-twin-attack
Threats:
Comrade_circle
Wifipineapple_tool
Industry:
Financial
Telsy
The Evil Twin attack - Telsy
Evil Twin is a spoofing attack that works by tricking users into connecting to a fake Wi-Fi access point that mimics a legitimate network.
#ParsedReport
23-05-2022
Spoofed Saudi Purchase Order Drops GuLoader: Part 1
https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader
Threats:
Cloudeye (tags: spam, ransomware, rat, phishing, malware)
Chaos
Agent_tesla
Formbook
Lokibot_stealer
Industry:
Energy, Petroleum
Geo:
Russia, Arabia, Saudi, Ukraine
IOCs:
Email: 1
Domain: 1
File: 1
Hash: 3
Links:
23-05-2022
Spoofed Saudi Purchase Order Drops GuLoader: Part 1
https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader
Threats:
Cloudeye (tags: spam, ransomware, rat, phishing, malware)
Chaos
Agent_tesla
Formbook
Lokibot_stealer
Industry:
Energy, Petroleum
Geo:
Russia, Arabia, Saudi, Ukraine
IOCs:
Email: 1
Domain: 1
File: 1
Hash: 3
Links:
https://github.com/myfreeer/7z-build-nsisFortinet Blog
Spoofed Saudi Purchase Order Drops GuLoader: Part 1
FortiGuard Labs recently discovered a social engineering email lure with a message delivered to a company in Ukraine. In part I of our blog, we will analyze the phishing email and provide an analys…
#ParsedReport
24-05-2022
TURLAs new phishing-based reconnaissancecampaignin Eastern Europe. TURLAs new phishing-based reconnaissance campaign in Eastern Europe
https://blog.sekoia.io/turla-new-phishing-campaign-eastern-europe
Actors/Campaigns:
Curious_gorge
Fancy_bear
Coldriver
Ghostwriter
Turla
Molerats
Threats:
Turla (tags: phishing, malware)
Uroburos
Maze
Industry:
Government, Petroleum, Education
Geo:
Russia, Latvia, Usa, Chinese, Austria, Lithuania, Russian, Ukraine, Chinas, Estonia
TTPs:
IOCs:
Domain: 3
File: 4
IP: 3
Url: 1
Hash: 2
YARA: Found
24-05-2022
TURLAs new phishing-based reconnaissancecampaignin Eastern Europe. TURLAs new phishing-based reconnaissance campaign in Eastern Europe
https://blog.sekoia.io/turla-new-phishing-campaign-eastern-europe
Actors/Campaigns:
Curious_gorge
Fancy_bear
Coldriver
Ghostwriter
Turla
Molerats
Threats:
Turla (tags: phishing, malware)
Uroburos
Maze
Industry:
Government, Petroleum, Education
Geo:
Russia, Latvia, Usa, Chinese, Austria, Lithuania, Russian, Ukraine, Chinas, Estonia
TTPs:
IOCs:
Domain: 3
File: 4
IP: 3
Url: 1
Hash: 2
YARA: Found
Sekoia.io Blog
TURLA’s new phishing-based reconnaissance campaign in Eastern Europe
SEKOIA.IO's Threat & Detection Researchers expose a reconnaissance and espionage campaign from TURLA against eastern-EU institutions
#ParsedReport
23-05-2022
Metastealer filling the Racoon void. tl;dr
https://research.nccgroup.com/2022/05/20/metastealer-filling-the-racoon-void
Threats:
Meta_stealer (tags: stealer, keylogger, spam, malware)
Raccoon_stealer (tags: stealer, keylogger, spam, malware)
Hiddenvnc_tool
Industry:
E-commerce
Geo:
Israeli
TTPs:
Tactics: 2
Technics: 0
IOCs:
IP: 1
File: 5
Path: 3
YARA: Found
Links:
23-05-2022
Metastealer filling the Racoon void. tl;dr
https://research.nccgroup.com/2022/05/20/metastealer-filling-the-racoon-void
Threats:
Meta_stealer (tags: stealer, keylogger, spam, malware)
Raccoon_stealer (tags: stealer, keylogger, spam, malware)
Hiddenvnc_tool
Industry:
E-commerce
Geo:
Israeli
TTPs:
Tactics: 2
Technics: 0
IOCs:
IP: 1
File: 5
Path: 3
YARA: Found
Links:
https://github.com/yhirose/cpp-httplibhttps://github.com/Ybalrid/kissnethttps://github.com/nlohmann/jsonNccgroup
Cyber Security Research
Cutting-edge cyber security research from NCC Group. Find public reports, technical advisories, analyses, & other novel insights from our global experts.
#ParsedReport
23-05-2022
Malware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof of Concept to Deliver Cobalt-Strike Beacon
https://blog.cyble.com/2022/05/20/malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon
Threats:
Cobalt_strike (tags: phishing, malware, rat)
Beacon (tags: phishing, rat, malware)
Confuserex_tool
CVEs:
CVE-2022-1388 [Vulners]
Vulners: Score: 7.5, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- f5 big-ip access policy manager (le11.6.5, le12.1.6, <16.1.2.2, <15.1.5.1, <14.1.4.6, <13.1.5)
- f5 big-ip advanced firewall manager (le11.6.5, le12.1.6, <15.1.5.1, <14.1.4.6, <13.1.5, <16.1.2.2)
- f5 big-ip analytics (le11.6.5, le12.1.6, <16.1.2.2, <15.1.5.1, <14.1.4.6, <13.1.5)
- f5 big-ip application acceleration manager (le11.6.5, le12.1.6, <16.1.2.2, <15.1.5.1, <14.1.4.6, <13.1.5)
- f5 big-ip application security manager (le11.6.5, le12.1.6, <16.1.2.2, <15.1.5.1, <14.1.4.6, <13.1.5)
have more...
CVE-2022-26809 [Vulners]
Vulners: Score: 10.0, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (-, 20h2, 21h1, 21h2, 1607, 1809, 1909)
- microsoft windows 11 (-, -)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
have more...
CVE-2022-24500 [Vulners]
Vulners: Score: 6.8, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (-, 20h2, 21h1, 21h2, 1607, 1809, 1909)
- microsoft windows 11 (-, -)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
have more...
TTPs:
Tactics: 3
Technics: 3
IOCs:
File: 1
IP: 2
Hash: 2
23-05-2022
Malware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof of Concept to Deliver Cobalt-Strike Beacon
https://blog.cyble.com/2022/05/20/malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon
Threats:
Cobalt_strike (tags: phishing, malware, rat)
Beacon (tags: phishing, rat, malware)
Confuserex_tool
CVEs:
CVE-2022-1388 [Vulners]
Vulners: Score: 7.5, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- f5 big-ip access policy manager (le11.6.5, le12.1.6, <16.1.2.2, <15.1.5.1, <14.1.4.6, <13.1.5)
- f5 big-ip advanced firewall manager (le11.6.5, le12.1.6, <15.1.5.1, <14.1.4.6, <13.1.5, <16.1.2.2)
- f5 big-ip analytics (le11.6.5, le12.1.6, <16.1.2.2, <15.1.5.1, <14.1.4.6, <13.1.5)
- f5 big-ip application acceleration manager (le11.6.5, le12.1.6, <16.1.2.2, <15.1.5.1, <14.1.4.6, <13.1.5)
- f5 big-ip application security manager (le11.6.5, le12.1.6, <16.1.2.2, <15.1.5.1, <14.1.4.6, <13.1.5)
have more...
CVE-2022-26809 [Vulners]
Vulners: Score: 10.0, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (-, 20h2, 21h1, 21h2, 1607, 1809, 1909)
- microsoft windows 11 (-, -)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
have more...
CVE-2022-24500 [Vulners]
Vulners: Score: 6.8, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (-, 20h2, 21h1, 21h2, 1607, 1809, 1909)
- microsoft windows 11 (-, -)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
have more...
TTPs:
Tactics: 3
Technics: 3
IOCs:
File: 1
IP: 2
Hash: 2
Cyble
Malware Targets InfoSec: Fake PoC Delivers Cobalt Strike
It becomes essential for the Infosec Community members to check the credibility of sources before downloading any proof of concept.
#ParsedReport
24-05-2022
Malware Analysis: Trickbot
https://thehackernews.com/2022/05/malware-analysis-trickbot.html
Actors/Campaigns:
Wizard_spider
Shathak
Threats:
Trickbot (tags: phishing, scan, ransomware, trojan, malware)
Cobalt_strike (tags: malware)
Ryuk (tags: malware)
Conti (tags: malware)
Comrade_circle
Bazarbackdoor
Industry:
Financial
TTPs:
Tactics: 3
Technics: 0
IOCs:
File: 5
Hash: 1
IP: 2
24-05-2022
Malware Analysis: Trickbot
https://thehackernews.com/2022/05/malware-analysis-trickbot.html
Actors/Campaigns:
Wizard_spider
Shathak
Threats:
Trickbot (tags: phishing, scan, ransomware, trojan, malware)
Cobalt_strike (tags: malware)
Ryuk (tags: malware)
Conti (tags: malware)
Comrade_circle
Bazarbackdoor
Industry:
Financial
TTPs:
Tactics: 3
Technics: 0
IOCs:
File: 5
Hash: 1
IP: 2
#ParsedReport
24-05-2022
Yashma Ransomware, Tracing the Chaos Family Tree
https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree
Actors/Campaigns:
Wizard_spider
Threats:
Yashma (tags: malware, ransomware, rat)
Chaos (tags: malware, ransomware, rat)
Onyx (tags: malware, ransomware)
Ryuk (tags: ransomware)
Industry:
Healthcare, Financial
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 3
Path: 1
Hash: 14
YARA: Found
24-05-2022
Yashma Ransomware, Tracing the Chaos Family Tree
https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree
Actors/Campaigns:
Wizard_spider
Threats:
Yashma (tags: malware, ransomware, rat)
Chaos (tags: malware, ransomware, rat)
Onyx (tags: malware, ransomware)
Ryuk (tags: ransomware)
Industry:
Healthcare, Financial
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 3
Path: 1
Hash: 14
YARA: Found
BlackBerry
Yashma Ransomware, Tracing the Chaos Family Tree
It’s not often that we get to observe the 'behind-the-scenes' drama that can accompany the creation of new malware. One such glimpse gave us new insights into the origins of Chaos malware, revealing a twisted family tree that links it to both Onyx and Yashma…
#ParsedReport
24-05-2022
New Nokoyawa Variant Catching Up to Peers with Blatant Code Reuse
https://www.fortinet.com/blog/threat-research/nokoyawa-variant-catching-up
Actors/Campaigns:
Keksec
Threats:
Nokoyawa (tags: cryptomining, malware, botnet, phishing, ddos, ransomware)
Chaos
Pandora
Enemybot
Karma (tags: ransomware)
Nemty
Babuk (tags: ransomware)
Filecoder
Industry:
Financial
Geo:
Russia
IOCs:
File: 33
Hash: 2
24-05-2022
New Nokoyawa Variant Catching Up to Peers with Blatant Code Reuse
https://www.fortinet.com/blog/threat-research/nokoyawa-variant-catching-up
Actors/Campaigns:
Keksec
Threats:
Nokoyawa (tags: cryptomining, malware, botnet, phishing, ddos, ransomware)
Chaos
Pandora
Enemybot
Karma (tags: ransomware)
Nemty
Babuk (tags: ransomware)
Filecoder
Industry:
Financial
Geo:
Russia
IOCs:
File: 33
Hash: 2
Fortinet Blog
New Nokoyawa Variant Catching Up to Peers with Blatant Code Reuse
FortiGuard Labs discovered a new variant of the Nokoyawa ransomware and observed that it has been evolving by reusing code from publicly available sources. Read our blog to learn more about the beh…
#ParsedReport
25-05-2022
Method that Tricks Users to Perceive Attachment of PDF File as Safe File
https://asec.ahnlab.com/en/34707
Threats:
Formbook
Lokibot_stealer
Trojan/win.nsisinject.r491618
Trojan/win.nsisinject.r487995
Trojan/win.generic.r481309
Geo:
Korean
CVEs:
CVE-2018-0798 [Vulners]
Vulners: Score: 9.3, CVSS: 9.3,
Vulners: Exploitation: Unknown
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft office (2010, 2016, 2016, 2007, 2013)
- microsoft word (2013, 2016, 2007, 2010, 2013)
- microsoft office compatibility pack (-)
CVE-2017-0199 [Vulners]
Vulners: Score: 9.3, CVSS: 9.6,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2, *)
- microsoft windows server 2012 (-)
- microsoft windows vista (*)
- microsoft office (2010, 2013, 2016, 2007)
- microsoft windows 7 (*)
have more...
IOCs:
File: 7
Url: 6
Hash: 9
25-05-2022
Method that Tricks Users to Perceive Attachment of PDF File as Safe File
https://asec.ahnlab.com/en/34707
Threats:
Formbook
Lokibot_stealer
Trojan/win.nsisinject.r491618
Trojan/win.nsisinject.r487995
Trojan/win.generic.r481309
Geo:
Korean
CVEs:
CVE-2018-0798 [Vulners]
Vulners: Score: 9.3, CVSS: 9.3,
Vulners: Exploitation: Unknown
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft office (2010, 2016, 2016, 2007, 2013)
- microsoft word (2013, 2016, 2007, 2010, 2013)
- microsoft office compatibility pack (-)
CVE-2017-0199 [Vulners]
Vulners: Score: 9.3, CVSS: 9.6,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2, *)
- microsoft windows server 2012 (-)
- microsoft windows vista (*)
- microsoft office (2010, 2013, 2016, 2007)
- microsoft windows 7 (*)
have more...
IOCs:
File: 7
Url: 6
Hash: 9
ASEC BLOG
Method that Tricks Users to Perceive Attachment of PDF File as Safe File - ASEC BLOG
The ASEC analysis team has discovered the distribution of info-stealer malware using Attachment feature of PDF files. This attack method was discovered previously, but as the malware of this type has resurfaced and is being actively distributed, the team…
#ParsedReport
25-05-2022
Kimsukys Attack Attempts Disguised as Press Releases of Various Topics
https://asec.ahnlab.com/en/34694
Actors/Campaigns:
Kimsuky (tags: malware)
Threats:
Trojan/win.msilkrypt.r492841
Industry:
Education
Geo:
Korea, North-korea
IOCs:
File: 3
Url: 11
Path: 1
Hash: 6
25-05-2022
Kimsukys Attack Attempts Disguised as Press Releases of Various Topics
https://asec.ahnlab.com/en/34694
Actors/Campaigns:
Kimsuky (tags: malware)
Threats:
Trojan/win.msilkrypt.r492841
Industry:
Education
Geo:
Korea, North-korea
IOCs:
File: 3
Url: 11
Path: 1
Hash: 6
ASEC BLOG
Kimsuky's Attack Attempts Disguised as Press Releases of Various Topics - ASEC BLOG
The ASEC analysis team has discovered that a malware strain disguised as press releases is being distributed. When this malware is run, it loads a normal document file and attempts to access malicious URLs. If the access is successful, the script existing…
#ParsedReport
25-05-2022
Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun
https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant
Actors/Campaigns:
Lightbasin
Threats:
Red_menshen (tags: malware, rat)
Bpfdoor (tags: malware, rat)
Sysvinit_tool
Mimikatz
Psexec_tool
Industry:
Logistic, Telco
CVEs:
CVE-2019-3010 [Vulners]
Vulners: Score: 4.6, CVSS: 5.2,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- oracle solaris (11)
TTPs:
Tactics: 1
Technics: 0
IOCs:
Url: 1
Path: 1
25-05-2022
Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun
https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant
Actors/Campaigns:
Lightbasin
Threats:
Red_menshen (tags: malware, rat)
Bpfdoor (tags: malware, rat)
Sysvinit_tool
Mimikatz
Psexec_tool
Industry:
Logistic, Telco
CVEs:
CVE-2019-3010 [Vulners]
Vulners: Score: 4.6, CVSS: 5.2,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- oracle solaris (11)
TTPs:
Tactics: 1
Technics: 0
IOCs:
Url: 1
Path: 1
CrowdStrike.com
How to Hunt for DecisiveArchitect and Its JustForFun Implant | CrowdStrike
CrowdStrike outlines the best methods to hunt for the JustForFun implant used by DecisiveArchitect to target global telecommunications companies.