#ParsedReport
24-05-2022
AgentTesla being distributed through Windows help files (*.chm)
https://asec-ahnlab-com.translate.goog/ko/34653/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Threats:
Agent_tesla (tags: malware, phishing, trojan)
Industry:
Transport
IOCs:
Url: 3
File: 1
Hash: 4
24-05-2022
AgentTesla being distributed through Windows help files (*.chm)
https://asec-ahnlab-com.translate.goog/ko/34653/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Threats:
Agent_tesla (tags: malware, phishing, trojan)
Industry:
Transport
IOCs:
Url: 3
File: 1
Hash: 4
ASEC BLOG
윈도우 도움말 파일(*.chm)을 통해 유포 중인 AgentTesla - ASEC BLOG
ASEC 분석팀은 최근 AgentTesla 악성코드가 새로운 방식으로 유포 중인 정황을 포착하였다. ASEC 블로그에도 여러 번 소개해왔던 AgentTesla 의 기존 유포 방식은 파워포인트(*.ppt) 문서 내 악성 VBA 매크로를 이용하였다면, 새로운 유포 방식은 윈도우 도움말 파일(*.chm) 을 이용하여 powershell 명령어를 실행하는 것으로 확인하였다. 악성 CHM 파일은 운송 회사인 DHL 을 사칭한 피싱 메일에 첨부되어 압축 파일 형태로…
#ParsedReport
23-05-2022
Sandworm uses a new version of ArguePatch to attack targets in Ukraine
https://www.welivesecurity.com/2022/05/20/sandworm-ukraine-new-version-arguepatch-malware-loader
Actors/Campaigns:
Sandworm (tags: ransomware, malware)
Threats:
Arguepatch_loader (tags: ransomware, malware)
Crashoverride
Killdisk
Hermeticwiper
Hermeticwizard
Partyticket
Isaacwiper
Industry:
Energy
Geo:
Ukraine
IOCs:
File: 1
Hash: 1
23-05-2022
Sandworm uses a new version of ArguePatch to attack targets in Ukraine
https://www.welivesecurity.com/2022/05/20/sandworm-ukraine-new-version-arguepatch-malware-loader
Actors/Campaigns:
Sandworm (tags: ransomware, malware)
Threats:
Arguepatch_loader (tags: ransomware, malware)
Crashoverride
Killdisk
Hermeticwiper
Hermeticwizard
Partyticket
Isaacwiper
Industry:
Energy
Geo:
Ukraine
IOCs:
File: 1
Hash: 1
WeLiveSecurity
Sandworm uses a new version of ArguePatch to attack targets in Ukraine
ESET researchers spot a new version of the ArguePatch malware loader that was previously used in the Industroyer2 and CaddyWiper attacks.
#ParsedReport
23-05-2022
The Evil Twin attack
https://www.telsy.com/the-evil-twin-attack
Threats:
Comrade_circle
Wifipineapple_tool
Industry:
Financial
23-05-2022
The Evil Twin attack
https://www.telsy.com/the-evil-twin-attack
Threats:
Comrade_circle
Wifipineapple_tool
Industry:
Financial
Telsy
The Evil Twin attack - Telsy
Evil Twin is a spoofing attack that works by tricking users into connecting to a fake Wi-Fi access point that mimics a legitimate network.
#ParsedReport
23-05-2022
Spoofed Saudi Purchase Order Drops GuLoader: Part 1
https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader
Threats:
Cloudeye (tags: spam, ransomware, rat, phishing, malware)
Chaos
Agent_tesla
Formbook
Lokibot_stealer
Industry:
Energy, Petroleum
Geo:
Russia, Arabia, Saudi, Ukraine
IOCs:
Email: 1
Domain: 1
File: 1
Hash: 3
Links:
23-05-2022
Spoofed Saudi Purchase Order Drops GuLoader: Part 1
https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader
Threats:
Cloudeye (tags: spam, ransomware, rat, phishing, malware)
Chaos
Agent_tesla
Formbook
Lokibot_stealer
Industry:
Energy, Petroleum
Geo:
Russia, Arabia, Saudi, Ukraine
IOCs:
Email: 1
Domain: 1
File: 1
Hash: 3
Links:
https://github.com/myfreeer/7z-build-nsisFortinet Blog
Spoofed Saudi Purchase Order Drops GuLoader: Part 1
FortiGuard Labs recently discovered a social engineering email lure with a message delivered to a company in Ukraine. In part I of our blog, we will analyze the phishing email and provide an analys…
#ParsedReport
24-05-2022
TURLAs new phishing-based reconnaissancecampaignin Eastern Europe. TURLAs new phishing-based reconnaissance campaign in Eastern Europe
https://blog.sekoia.io/turla-new-phishing-campaign-eastern-europe
Actors/Campaigns:
Curious_gorge
Fancy_bear
Coldriver
Ghostwriter
Turla
Molerats
Threats:
Turla (tags: phishing, malware)
Uroburos
Maze
Industry:
Government, Petroleum, Education
Geo:
Russia, Latvia, Usa, Chinese, Austria, Lithuania, Russian, Ukraine, Chinas, Estonia
TTPs:
IOCs:
Domain: 3
File: 4
IP: 3
Url: 1
Hash: 2
YARA: Found
24-05-2022
TURLAs new phishing-based reconnaissancecampaignin Eastern Europe. TURLAs new phishing-based reconnaissance campaign in Eastern Europe
https://blog.sekoia.io/turla-new-phishing-campaign-eastern-europe
Actors/Campaigns:
Curious_gorge
Fancy_bear
Coldriver
Ghostwriter
Turla
Molerats
Threats:
Turla (tags: phishing, malware)
Uroburos
Maze
Industry:
Government, Petroleum, Education
Geo:
Russia, Latvia, Usa, Chinese, Austria, Lithuania, Russian, Ukraine, Chinas, Estonia
TTPs:
IOCs:
Domain: 3
File: 4
IP: 3
Url: 1
Hash: 2
YARA: Found
Sekoia.io Blog
TURLA’s new phishing-based reconnaissance campaign in Eastern Europe
SEKOIA.IO's Threat & Detection Researchers expose a reconnaissance and espionage campaign from TURLA against eastern-EU institutions
#ParsedReport
23-05-2022
Metastealer filling the Racoon void. tl;dr
https://research.nccgroup.com/2022/05/20/metastealer-filling-the-racoon-void
Threats:
Meta_stealer (tags: stealer, keylogger, spam, malware)
Raccoon_stealer (tags: stealer, keylogger, spam, malware)
Hiddenvnc_tool
Industry:
E-commerce
Geo:
Israeli
TTPs:
Tactics: 2
Technics: 0
IOCs:
IP: 1
File: 5
Path: 3
YARA: Found
Links:
23-05-2022
Metastealer filling the Racoon void. tl;dr
https://research.nccgroup.com/2022/05/20/metastealer-filling-the-racoon-void
Threats:
Meta_stealer (tags: stealer, keylogger, spam, malware)
Raccoon_stealer (tags: stealer, keylogger, spam, malware)
Hiddenvnc_tool
Industry:
E-commerce
Geo:
Israeli
TTPs:
Tactics: 2
Technics: 0
IOCs:
IP: 1
File: 5
Path: 3
YARA: Found
Links:
https://github.com/yhirose/cpp-httplibhttps://github.com/Ybalrid/kissnethttps://github.com/nlohmann/jsonNccgroup
Cyber Security Research
Cutting-edge cyber security research from NCC Group. Find public reports, technical advisories, analyses, & other novel insights from our global experts.
#ParsedReport
23-05-2022
Malware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof of Concept to Deliver Cobalt-Strike Beacon
https://blog.cyble.com/2022/05/20/malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon
Threats:
Cobalt_strike (tags: phishing, malware, rat)
Beacon (tags: phishing, rat, malware)
Confuserex_tool
CVEs:
CVE-2022-1388 [Vulners]
Vulners: Score: 7.5, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- f5 big-ip access policy manager (le11.6.5, le12.1.6, <16.1.2.2, <15.1.5.1, <14.1.4.6, <13.1.5)
- f5 big-ip advanced firewall manager (le11.6.5, le12.1.6, <15.1.5.1, <14.1.4.6, <13.1.5, <16.1.2.2)
- f5 big-ip analytics (le11.6.5, le12.1.6, <16.1.2.2, <15.1.5.1, <14.1.4.6, <13.1.5)
- f5 big-ip application acceleration manager (le11.6.5, le12.1.6, <16.1.2.2, <15.1.5.1, <14.1.4.6, <13.1.5)
- f5 big-ip application security manager (le11.6.5, le12.1.6, <16.1.2.2, <15.1.5.1, <14.1.4.6, <13.1.5)
have more...
CVE-2022-26809 [Vulners]
Vulners: Score: 10.0, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (-, 20h2, 21h1, 21h2, 1607, 1809, 1909)
- microsoft windows 11 (-, -)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
have more...
CVE-2022-24500 [Vulners]
Vulners: Score: 6.8, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (-, 20h2, 21h1, 21h2, 1607, 1809, 1909)
- microsoft windows 11 (-, -)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
have more...
TTPs:
Tactics: 3
Technics: 3
IOCs:
File: 1
IP: 2
Hash: 2
23-05-2022
Malware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof of Concept to Deliver Cobalt-Strike Beacon
https://blog.cyble.com/2022/05/20/malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon
Threats:
Cobalt_strike (tags: phishing, malware, rat)
Beacon (tags: phishing, rat, malware)
Confuserex_tool
CVEs:
CVE-2022-1388 [Vulners]
Vulners: Score: 7.5, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- f5 big-ip access policy manager (le11.6.5, le12.1.6, <16.1.2.2, <15.1.5.1, <14.1.4.6, <13.1.5)
- f5 big-ip advanced firewall manager (le11.6.5, le12.1.6, <15.1.5.1, <14.1.4.6, <13.1.5, <16.1.2.2)
- f5 big-ip analytics (le11.6.5, le12.1.6, <16.1.2.2, <15.1.5.1, <14.1.4.6, <13.1.5)
- f5 big-ip application acceleration manager (le11.6.5, le12.1.6, <16.1.2.2, <15.1.5.1, <14.1.4.6, <13.1.5)
- f5 big-ip application security manager (le11.6.5, le12.1.6, <16.1.2.2, <15.1.5.1, <14.1.4.6, <13.1.5)
have more...
CVE-2022-26809 [Vulners]
Vulners: Score: 10.0, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (-, 20h2, 21h1, 21h2, 1607, 1809, 1909)
- microsoft windows 11 (-, -)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
have more...
CVE-2022-24500 [Vulners]
Vulners: Score: 6.8, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (-, 20h2, 21h1, 21h2, 1607, 1809, 1909)
- microsoft windows 11 (-, -)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
have more...
TTPs:
Tactics: 3
Technics: 3
IOCs:
File: 1
IP: 2
Hash: 2
Cyble
Malware Targets InfoSec: Fake PoC Delivers Cobalt Strike
It becomes essential for the Infosec Community members to check the credibility of sources before downloading any proof of concept.
#ParsedReport
24-05-2022
Malware Analysis: Trickbot
https://thehackernews.com/2022/05/malware-analysis-trickbot.html
Actors/Campaigns:
Wizard_spider
Shathak
Threats:
Trickbot (tags: phishing, scan, ransomware, trojan, malware)
Cobalt_strike (tags: malware)
Ryuk (tags: malware)
Conti (tags: malware)
Comrade_circle
Bazarbackdoor
Industry:
Financial
TTPs:
Tactics: 3
Technics: 0
IOCs:
File: 5
Hash: 1
IP: 2
24-05-2022
Malware Analysis: Trickbot
https://thehackernews.com/2022/05/malware-analysis-trickbot.html
Actors/Campaigns:
Wizard_spider
Shathak
Threats:
Trickbot (tags: phishing, scan, ransomware, trojan, malware)
Cobalt_strike (tags: malware)
Ryuk (tags: malware)
Conti (tags: malware)
Comrade_circle
Bazarbackdoor
Industry:
Financial
TTPs:
Tactics: 3
Technics: 0
IOCs:
File: 5
Hash: 1
IP: 2
#ParsedReport
24-05-2022
Yashma Ransomware, Tracing the Chaos Family Tree
https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree
Actors/Campaigns:
Wizard_spider
Threats:
Yashma (tags: malware, ransomware, rat)
Chaos (tags: malware, ransomware, rat)
Onyx (tags: malware, ransomware)
Ryuk (tags: ransomware)
Industry:
Healthcare, Financial
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 3
Path: 1
Hash: 14
YARA: Found
24-05-2022
Yashma Ransomware, Tracing the Chaos Family Tree
https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree
Actors/Campaigns:
Wizard_spider
Threats:
Yashma (tags: malware, ransomware, rat)
Chaos (tags: malware, ransomware, rat)
Onyx (tags: malware, ransomware)
Ryuk (tags: ransomware)
Industry:
Healthcare, Financial
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 3
Path: 1
Hash: 14
YARA: Found
BlackBerry
Yashma Ransomware, Tracing the Chaos Family Tree
It’s not often that we get to observe the 'behind-the-scenes' drama that can accompany the creation of new malware. One such glimpse gave us new insights into the origins of Chaos malware, revealing a twisted family tree that links it to both Onyx and Yashma…
#ParsedReport
24-05-2022
New Nokoyawa Variant Catching Up to Peers with Blatant Code Reuse
https://www.fortinet.com/blog/threat-research/nokoyawa-variant-catching-up
Actors/Campaigns:
Keksec
Threats:
Nokoyawa (tags: cryptomining, malware, botnet, phishing, ddos, ransomware)
Chaos
Pandora
Enemybot
Karma (tags: ransomware)
Nemty
Babuk (tags: ransomware)
Filecoder
Industry:
Financial
Geo:
Russia
IOCs:
File: 33
Hash: 2
24-05-2022
New Nokoyawa Variant Catching Up to Peers with Blatant Code Reuse
https://www.fortinet.com/blog/threat-research/nokoyawa-variant-catching-up
Actors/Campaigns:
Keksec
Threats:
Nokoyawa (tags: cryptomining, malware, botnet, phishing, ddos, ransomware)
Chaos
Pandora
Enemybot
Karma (tags: ransomware)
Nemty
Babuk (tags: ransomware)
Filecoder
Industry:
Financial
Geo:
Russia
IOCs:
File: 33
Hash: 2
Fortinet Blog
New Nokoyawa Variant Catching Up to Peers with Blatant Code Reuse
FortiGuard Labs discovered a new variant of the Nokoyawa ransomware and observed that it has been evolving by reusing code from publicly available sources. Read our blog to learn more about the beh…
#ParsedReport
25-05-2022
Method that Tricks Users to Perceive Attachment of PDF File as Safe File
https://asec.ahnlab.com/en/34707
Threats:
Formbook
Lokibot_stealer
Trojan/win.nsisinject.r491618
Trojan/win.nsisinject.r487995
Trojan/win.generic.r481309
Geo:
Korean
CVEs:
CVE-2018-0798 [Vulners]
Vulners: Score: 9.3, CVSS: 9.3,
Vulners: Exploitation: Unknown
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft office (2010, 2016, 2016, 2007, 2013)
- microsoft word (2013, 2016, 2007, 2010, 2013)
- microsoft office compatibility pack (-)
CVE-2017-0199 [Vulners]
Vulners: Score: 9.3, CVSS: 9.6,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2, *)
- microsoft windows server 2012 (-)
- microsoft windows vista (*)
- microsoft office (2010, 2013, 2016, 2007)
- microsoft windows 7 (*)
have more...
IOCs:
File: 7
Url: 6
Hash: 9
25-05-2022
Method that Tricks Users to Perceive Attachment of PDF File as Safe File
https://asec.ahnlab.com/en/34707
Threats:
Formbook
Lokibot_stealer
Trojan/win.nsisinject.r491618
Trojan/win.nsisinject.r487995
Trojan/win.generic.r481309
Geo:
Korean
CVEs:
CVE-2018-0798 [Vulners]
Vulners: Score: 9.3, CVSS: 9.3,
Vulners: Exploitation: Unknown
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft office (2010, 2016, 2016, 2007, 2013)
- microsoft word (2013, 2016, 2007, 2010, 2013)
- microsoft office compatibility pack (-)
CVE-2017-0199 [Vulners]
Vulners: Score: 9.3, CVSS: 9.6,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2, *)
- microsoft windows server 2012 (-)
- microsoft windows vista (*)
- microsoft office (2010, 2013, 2016, 2007)
- microsoft windows 7 (*)
have more...
IOCs:
File: 7
Url: 6
Hash: 9
ASEC BLOG
Method that Tricks Users to Perceive Attachment of PDF File as Safe File - ASEC BLOG
The ASEC analysis team has discovered the distribution of info-stealer malware using Attachment feature of PDF files. This attack method was discovered previously, but as the malware of this type has resurfaced and is being actively distributed, the team…
#ParsedReport
25-05-2022
Kimsukys Attack Attempts Disguised as Press Releases of Various Topics
https://asec.ahnlab.com/en/34694
Actors/Campaigns:
Kimsuky (tags: malware)
Threats:
Trojan/win.msilkrypt.r492841
Industry:
Education
Geo:
Korea, North-korea
IOCs:
File: 3
Url: 11
Path: 1
Hash: 6
25-05-2022
Kimsukys Attack Attempts Disguised as Press Releases of Various Topics
https://asec.ahnlab.com/en/34694
Actors/Campaigns:
Kimsuky (tags: malware)
Threats:
Trojan/win.msilkrypt.r492841
Industry:
Education
Geo:
Korea, North-korea
IOCs:
File: 3
Url: 11
Path: 1
Hash: 6
ASEC BLOG
Kimsuky's Attack Attempts Disguised as Press Releases of Various Topics - ASEC BLOG
The ASEC analysis team has discovered that a malware strain disguised as press releases is being distributed. When this malware is run, it loads a normal document file and attempts to access malicious URLs. If the access is successful, the script existing…
#ParsedReport
25-05-2022
Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun
https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant
Actors/Campaigns:
Lightbasin
Threats:
Red_menshen (tags: malware, rat)
Bpfdoor (tags: malware, rat)
Sysvinit_tool
Mimikatz
Psexec_tool
Industry:
Logistic, Telco
CVEs:
CVE-2019-3010 [Vulners]
Vulners: Score: 4.6, CVSS: 5.2,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- oracle solaris (11)
TTPs:
Tactics: 1
Technics: 0
IOCs:
Url: 1
Path: 1
25-05-2022
Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun
https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant
Actors/Campaigns:
Lightbasin
Threats:
Red_menshen (tags: malware, rat)
Bpfdoor (tags: malware, rat)
Sysvinit_tool
Mimikatz
Psexec_tool
Industry:
Logistic, Telco
CVEs:
CVE-2019-3010 [Vulners]
Vulners: Score: 4.6, CVSS: 5.2,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- oracle solaris (11)
TTPs:
Tactics: 1
Technics: 0
IOCs:
Url: 1
Path: 1
CrowdStrike.com
How to Hunt for DecisiveArchitect and Its JustForFun Implant | CrowdStrike
CrowdStrike outlines the best methods to hunt for the JustForFun implant used by DecisiveArchitect to target global telecommunications companies.
#ParsedReport
25-05-2022
Blame the Messenger: 3 Types of Dropper Malware in Microsoft Office & How to Detect Them
https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office
Actors/Campaigns:
Aggaa (tags: malware)
Threats:
Emotet (tags: malware, dropper)
Revenge_rat (tags: malware)
Dridex (tags: dropper)
IOCs:
Url: 1
Path: 1
File: 2
Hash: 7
Links:
25-05-2022
Blame the Messenger: 3 Types of Dropper Malware in Microsoft Office & How to Detect Them
https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office
Actors/Campaigns:
Aggaa (tags: malware)
Threats:
Emotet (tags: malware, dropper)
Revenge_rat (tags: malware)
Dridex (tags: dropper)
IOCs:
Url: 1
Path: 1
File: 2
Hash: 7
Links:
https://github.com/deepinstinct/Excellerhttps://github.com/DidierStevens/DidierStevensSuite/blob/master/oledump.pyDeep Instinct
4 Types of Dropper Malware in Microsoft Office & How to Detect Them | Deep Instinct
Read up on the newest types of dropper malware affecting Microsoft Office. Deep Instinct’s experts have put together a guide for detecting & preventing these malicious threats.
#ParsedReport
25-05-2022
Dragon News Blog. Bablosoft; Lowering the Barrier of Entry for Malicious Actors
https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors
Actors/Campaigns:
Grim_spider
Threats:
Bumblebee (tags: malware)
Blackguard_stealer (tags: malware)
Redline_stealer (tags: malware)
Industry:
E-commerce
Geo:
Ukraine, Russia
IOCs:
Domain: 3
IP: 4
25-05-2022
Dragon News Blog. Bablosoft; Lowering the Barrier of Entry for Malicious Actors
https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors
Actors/Campaigns:
Grim_spider
Threats:
Bumblebee (tags: malware)
Blackguard_stealer (tags: malware)
Redline_stealer (tags: malware)
Industry:
E-commerce
Geo:
Ukraine, Russia
IOCs:
Domain: 3
IP: 4
Team Cymru
Bablosoft; Lowering the Barrier of Entry for Malicious Actors
Free-to-use browser automation framework creates thriving criminal community
SummaryEvidence suggests an increasing number of threat actor groups are making use of a free-to-use browser automation framework. The framework contains numerous features which…
SummaryEvidence suggests an increasing number of threat actor groups are making use of a free-to-use browser automation framework. The framework contains numerous features which…
#ParsedReport
25-05-2022
How the Saitama backdoor uses DNS tunnelling
https://blog.malwarebytes.com/threat-intelligence/2022/05/how-the-saitama-backdoor-uses-dns-tunnelling
Actors/Campaigns:
Oilrig (tags: backdoor)
Threats:
Dnstunnelling_technique (tags: malware, backdoor, dns)
Saitama (tags: malware, backdoor, dns)
Industry:
Government
Geo:
Jordan, Iranian
IOCs:
IP: 1
File: 1
Hash: 2
25-05-2022
How the Saitama backdoor uses DNS tunnelling
https://blog.malwarebytes.com/threat-intelligence/2022/05/how-the-saitama-backdoor-uses-dns-tunnelling
Actors/Campaigns:
Oilrig (tags: backdoor)
Threats:
Dnstunnelling_technique (tags: malware, backdoor, dns)
Saitama (tags: malware, backdoor, dns)
Industry:
Government
Geo:
Jordan, Iranian
IOCs:
IP: 1
File: 1
Hash: 2
#ParsedReport
25-05-2022
Attacker Caught Hijacking Packages Using Multiple Techniques to Steal AWS Credentials. What Happened?
https://checkmarx.com/blog/attacker-caught-hijacking-packages-using-multiple-techniques-to-steal-aws-credentials
IOCs:
Domain: 1
Links:
25-05-2022
Attacker Caught Hijacking Packages Using Multiple Techniques to Steal AWS Credentials. What Happened?
https://checkmarx.com/blog/attacker-caught-hijacking-packages-using-multiple-techniques-to-steal-aws-credentials
IOCs:
Domain: 1
Links:
https://github.com/optimistdigitalhttps://github.com/checkmarx/chainjackinghttps://github.com/hautelook/phpasshttps://github.com/optimistdigital/nova-tailwindhttps://github.com/bordoni/phpasshttps://github.com/hautelookhttps://github.com/outl1ne/nova-tailwindhttps://github.com/hautelook/phpass/commit/3119474dbd111f4f489e34cc72a9f95fc991858aCheckmarx.com
Attacker Caught Hijacking Packages Using Multiple Techniques to Steal AWS Credentials
This recent incident is part of a growing trend of attacks in open source packages. These attackers aren’t limited to one language, showing the need for a central repository, as we said in our previous blog post.
#ParsedReport
25-05-2022
New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices
https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
Threats:
Cheerscrypt (tags: malware, ransomware)
Lockbit (tags: ransomware)
Ransomexx (tags: ransomware)
IOCs:
File: 2
25-05-2022
New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices
https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
Threats:
Cheerscrypt (tags: malware, ransomware)
Lockbit (tags: ransomware)
Ransomexx (tags: ransomware)
IOCs:
File: 2
Trend Micro
New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices
New findings showed that Cheerscrypt, a new Linux-based ransomware variant that compromises ESXi servers, was derived from the leaked Babuk source code. We discuss our analysis in this report.
#ParsedReport
25-05-2022
ChromeLoader: a pushy malvertiser
https://redcanary.com/blog/chromeloader
Threats:
Gootloader
Kerberoasting_technique
Raspberry_robin
Chromeloader
Industry:
Media
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 7
Path: 1
25-05-2022
ChromeLoader: a pushy malvertiser
https://redcanary.com/blog/chromeloader
Threats:
Gootloader
Kerberoasting_technique
Raspberry_robin
Chromeloader
Industry:
Media
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 7
Path: 1
Red Canary
ChromeLoader: a pushy malvertiser
ChromeLoader might seem like a run-of-the-mill browser hijacker, but its peculiar use of PowerShell could spell deeper trouble.
#ParsedReport
25-05-2022
ERMAC Back In Action. Latest Version of Android Banking Trojan Targets over 400 Applications
https://blog.cyble.com/2022/05/25/ermac-back-in-action
Threats:
Ermac (tags: trojan, malware, botnet, phishing)
Cerberus
Industry:
Financial
Geo:
Polish, Poland
TTPs:
Tactics: 6
Technics: 2
IOCs:
File: 2
Url: 5
Hash: 2
25-05-2022
ERMAC Back In Action. Latest Version of Android Banking Trojan Targets over 400 Applications
https://blog.cyble.com/2022/05/25/ermac-back-in-action
Threats:
Ermac (tags: trojan, malware, botnet, phishing)
Cerberus
Industry:
Financial
Geo:
Polish, Poland
TTPs:
Tactics: 6
Technics: 2
IOCs:
File: 2
Url: 5
Hash: 2
Cyble
ERMAC Malware Back In Action: New Threats And Attack Methods
ERMAC malware is back with improved capabilities, targeting Android devices with enhanced threat techniques. Learn about its actions, impact, and how to defend against this evolving mobile malware
#ParsedReport
25-05-2022
Unknown APT group has targeted Russia repeatedly since Ukraine invasion
https://blog.malwarebytes.com/malwarebytes-news/2022/05/unknown-apt-group-has-targeted-russia-repeatedly-since-ukraine-invasion
Actors/Campaigns:
Shell_crew
Pirate_panda
Lazarus
Threats:
Log4shell_vuln (tags: phishing, malware)
Sakula_rat
Trickbot
Bazarbackdoor
Industry:
Media, Telco, Government
Geo:
Saudi, Russian, Ukraine, Chinese, Russia
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 9
Path: 2
Domain: 4
IP: 5
Hash: 48
Links:
25-05-2022
Unknown APT group has targeted Russia repeatedly since Ukraine invasion
https://blog.malwarebytes.com/malwarebytes-news/2022/05/unknown-apt-group-has-targeted-russia-repeatedly-since-ukraine-invasion
Actors/Campaigns:
Shell_crew
Pirate_panda
Lazarus
Threats:
Log4shell_vuln (tags: phishing, malware)
Sakula_rat
Trickbot
Bazarbackdoor
Industry:
Media, Telco, Government
Geo:
Saudi, Russian, Ukraine, Chinese, Russia
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 9
Path: 2
Domain: 4
IP: 5
Hash: 48
Links:
https://github.com/wolfSSL/wolfsslhttps://github.com/wolfSSL/wolfssl/blob/c9ae021427fd21f1a91e4020bf50bb3573c15abe/src/x509.c#L4539https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/net/lib/http/http\_parser.chttps://github.com/obfuscator-llvm/obfuscatorhttps://github.com/obfuscator-llvm/obfuscator/wiki/Bogus-Control-FlowMalwarebytes
Unknown APT group has targeted Russia repeatedly since Ukraine invasion
An in-depth look at the attack chain used by an unknown APT group that has launched four campaigns against Russian targets since February.