#ParsedReport
25-05-2022
Dragon News Blog. Bablosoft; Lowering the Barrier of Entry for Malicious Actors
https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors
Actors/Campaigns:
Grim_spider
Threats:
Bumblebee (tags: malware)
Blackguard_stealer (tags: malware)
Redline_stealer (tags: malware)
Industry:
E-commerce
Geo:
Ukraine, Russia
IOCs:
Domain: 3
IP: 4
Team Cymru
Bablosoft; Lowering the Barrier of Entry for Malicious Actors
Free-to-use browser automation framework creates thriving criminal community
Summary: Evidence suggests an increasing number of threat actor groups are making use of a free-to-use browser automation framework. The framework contains numerous features which…
#ParsedReport
25-05-2022
How the Saitama backdoor uses DNS tunnelling
https://blog.malwarebytes.com/threat-intelligence/2022/05/how-the-saitama-backdoor-uses-dns-tunnelling
Actors/Campaigns:
Oilrig (tags: backdoor)
Threats:
Dnstunnelling_technique (tags: malware, backdoor, dns)
Saitama (tags: malware, backdoor, dns)
Industry:
Government
Geo:
Jordan, Iranian
IOCs:
IP: 1
File: 1
Hash: 2
#ParsedReport
25-05-2022
Attacker Caught Hijacking Packages Using Multiple Techniques to Steal AWS Credentials. What Happened?
https://checkmarx.com/blog/attacker-caught-hijacking-packages-using-multiple-techniques-to-steal-aws-credentials
IOCs:
Domain: 1
Links:
https://github.com/optimistdigital
https://github.com/checkmarx/chainjacking
https://github.com/hautelook/phpass
https://github.com/optimistdigital/nova-tailwind
https://github.com/bordoni/phpass
https://github.com/hautelook
https://github.com/outl1ne/nova-tailwind
https://github.com/hautelook/phpass/commit/3119474dbd111f4f489e34cc72a9f95fc991858a
Checkmarx.com
Attacker Caught Hijacking Packages Using Multiple Techniques to Steal AWS Credentials
This recent incident is part of a growing trend of attacks in open source packages. These attackers aren’t limited to one language, showing the need for a central repository, as we said in our previous blog post.
#ParsedReport
25-05-2022
New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices
https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
Threats:
Cheerscrypt (tags: malware, ransomware)
Lockbit (tags: ransomware)
Ransomexx (tags: ransomware)
IOCs:
File: 2
Trend Micro
New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices
New findings showed that Cheerscrypt, a new Linux-based ransomware variant that compromises ESXi servers, was derived from the leaked Babuk source code. We discuss our analysis in this report.
#ParsedReport
25-05-2022
ChromeLoader: a pushy malvertiser
https://redcanary.com/blog/chromeloader
Threats:
Gootloader
Kerberoasting_technique
Raspberry_robin
Chromeloader
Industry:
Media
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 7
Path: 1
Red Canary
ChromeLoader: a pushy malvertiser
ChromeLoader might seem like a run-of-the-mill browser hijacker, but its peculiar use of PowerShell could spell deeper trouble.
#ParsedReport
25-05-2022
ERMAC Back In Action. Latest Version of Android Banking Trojan Targets over 400 Applications
https://blog.cyble.com/2022/05/25/ermac-back-in-action
Threats:
Ermac (tags: trojan, malware, botnet, phishing)
Cerberus
Industry:
Financial
Geo:
Polish, Poland
TTPs:
Tactics: 6
Technics: 2
IOCs:
File: 2
Url: 5
Hash: 2
Cyble
ERMAC Malware Back In Action: New Threats And Attack Methods
ERMAC malware is back with improved capabilities, targeting Android devices with enhanced threat techniques. Learn about its actions, impact, and how to defend against this evolving mobile malware.
#ParsedReport
25-05-2022
Unknown APT group has targeted Russia repeatedly since Ukraine invasion
https://blog.malwarebytes.com/malwarebytes-news/2022/05/unknown-apt-group-has-targeted-russia-repeatedly-since-ukraine-invasion
Actors/Campaigns:
Shell_crew
Pirate_panda
Lazarus
Threats:
Log4shell_vuln (tags: phishing, malware)
Sakula_rat
Trickbot
Bazarbackdoor
Industry:
Media, Telco, Government
Geo:
Saudi, Russian, Ukraine, Chinese, Russia
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 9
Path: 2
Domain: 4
IP: 5
Hash: 48
Links:
https://github.com/wolfSSL/wolfssl
https://github.com/wolfSSL/wolfssl/blob/c9ae021427fd21f1a91e4020bf50bb3573c15abe/src/x509.c#L4539
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/net/lib/http/http_parser.c
https://github.com/obfuscator-llvm/obfuscator
https://github.com/obfuscator-llvm/obfuscator/wiki/Bogus-Control-Flow
Malwarebytes
Unknown APT group has targeted Russia repeatedly since Ukraine invasion
An in-depth look at the attack chain used by an unknown APT group that has launched four campaigns against Russian targets since February.
#ParsedReport
25-05-2022
REvil Resurgence? Or a Copycat?
https://www.akamai.com/blog/security/revil-resurgence-or-copycat
Actors/Campaigns:
Lazarus
Threats:
Revil (tags: botnet, proxy, ransomware, ddos)
Meris_botnet (tags: botnet, proxy, malware, ddos)
Conti
Industry:
Financial, Government
Geo:
Russian
Akamai
REvil Resurgence? Or a Copycat?
Has REvil returned? In this new post by Akamai's SIRT, see a DDoS incident by a threat actor claiming to be REvil.
#ParsedReport
25-05-2022
ASEC Weekly Malware Statistics (20220516 ~ 20220522)
https://asec.ahnlab.com/ko/34734
Threats:
Agent_tesla (tags: malware, stealer)
Azorult
Formbook (tags: scan, stealer)
Lokibot_stealer
Avemaria_rat (tags: malware)
Redline_stealer
Beamwinhttp_loader
Industry:
Financial, Transport
Geo:
Korea
IOCs:
Domain: 4
IP: 23
Email: 5
File: 30
Url: 25
ASEC BLOG
ASEC Weekly Malware Statistics (20220516 ~ 20220522) - ASEC BLOG
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post summarizes the statistics of malware collected over one week, from Monday, May 16, 2022 to Sunday, May 22, 2022. By major category, info-stealers ranked first at 71.8%, followed by RAT (Remote Administration Tool) malware at 19.1%, downloaders at 3.7%, ransomware at 3.3%, banking at 1.7%…
#ParsedReport
25-05-2022
Use of Obfuscated Beacons in pymafka Supply Chain Attack Signals a New Trend in macOS Attack TTPs
https://www.sentinelone.com/labs/use-of-obfuscated-beacons-in-pymafka-supply-chain-attack-signals-a-new-trend-in-macos-attack-ttps
Threats:
Beacon (tags: rat, malware, ransomware)
Dazzlespy
Cobalt_strike
Zuru
Poseidon_mythic
Findpos
IOCs:
File: 1
Hash: 5
IP: 2
SentinelOne
Use of Obfuscated Beacons in ‘pymafka’ Supply Chain Attack Signals a New Trend in macOS Attack TTPs
A new typosquatting attack against the PyPI repository targets enterprise Macs with a distinctive obfuscation method.
#ParsedReport
25-05-2022
The New RansomHouse on The Block
https://cyberint.com/blog/research/ransomhouse
Actors/Campaigns:
Ransomhouse (tags: ransomware)
Lapsus
Industry:
Financial
Cyberint
The New RansomHouse on The Block
RansomHouse, a new group, skips the encryption phase and requests payment for stolen data. Once paid, it reports to the victim on their security gaps.
#ParsedReport
26-05-2022
SpiderLabs Blog. Grandoreiro Banking Malware Resurfaces for Tax Season
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/grandoreiro-banking-malware-resurfaces-for-tax-season
Threats:
Grandoreiro (tags: dns, backdoor, malware, phishing, spam, rat, trojan)
Javali (tags: trojan)
Fake-trusteer (tags: trojan)
Industry:
Financial
Geo:
Mexico, Spain, Brazil, America, American
IOCs:
Url: 4
Path: 1
Registry: 1
Hash: 6
File: 3
Domain: 1
IP: 1
Links:
https://github.com/SpiderLabs/Grandoreiro-decryptor/blob/main/grandoreiro_string_decryptor.py
https://github.com/SpiderLabs/Grandoreiro-decryptor/blob/main/grandoreiro_dga_gen.py
Trustwave
Grandoreiro Banking Malware Resurfaces for Tax Season
Trustwave SpiderLabs in early April observed a Grandoreiro malware campaign targeting bank users from Brazil, Spain, and Mexico. The campaign exploits the tax season in target countries by sending out tax-themed phishing emails.
#ParsedReport
26-05-2022
Country Extortion: Ransomware expands business to include the government sector
https://blog.checkpoint.com/2022/05/26/country-extortion-ransomware-expands-business-to-the-governmental-sector
Threats:
Conti (tags: ransomware)
Smokeloader_backdoor (tags: ransomware)
Industry:
Government, Education, Financial
Geo:
Ukraine, America, Russia, Russian, Peru, Americans
IOCs:
File: 7
Check Point Software
Country Extortion: Ransomware expands business to include the government sector - Check Point Software
Currently Conti is conducting a wide extortion operation against two governments in Latin America – Costa Rica and Peru. It is unprecedented for a country
#ParsedReport
26-05-2022
Tandem Espionage
https://inquest.net/blog/2022/05/25/tandem-espionage
Threats:
Arkei_stealer
Eternity_stealer
IOCs:
Hash: 9
File: 1
Url: 26
Domain: 12
Links:
https://github.com/inquest/python-inquestlabs
inquest.net
Tandem Espionage
Some time ago, we discovered an interesting campaign distributing malicious documents, which used a download chain as well as legitimate payload hosting services. In this report, we will show the technical side of this campaign and provide additional indicators.
#ParsedReport
26-05-2022
Detecting and preventing privilege escalation attacks leveraging Kerberos relaying (KrbRelayUp)
https://www.microsoft.com/security/blog/2022/05/25/detecting-and-preventing-privilege-escalation-attacks-leveraging-kerberos-relaying-krbrelayup
Threats:
Krbrelayup_tool (tags: malware)
Rubeus_tool
Krbrelay_tool
Scmuacbypass_tool
Whisker_tool
Adcspwn_tool
Links:
https://github.com/Dec0ne/KrbRelayUp
Microsoft News
Detecting and preventing privilege escalation attacks leveraging Kerberos relaying (KrbRelayUp)
The privilege escalation hacking tool KrbRelayUp is a wrapper that can streamline the use of some features in Rubeus, KrbRelay, SCMUACBypass, PowerMad/ SharpMad, Whisker, and ADCSPwn tools in attacks. Although this attack won’t function for Azure Active Directory…
#ParsedReport
26-05-2022
Blame the Messenger: 4 Types of Dropper Malware in Microsoft Office & How to Detect Them
https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office
Actors/Campaigns:
Aggaa (tags: malware)
Threats:
Emotet (tags: dropper, malware)
Revenge_rat (tags: malware)
Dridex (tags: dropper)
IOCs:
Url: 1
Path: 1
File: 2
Hash: 7
Links:
https://github.com/deepinstinct/Exceller
https://github.com/DidierStevens/DidierStevensSuite/blob/master/oledump.py
Deep Instinct
4 Types of Dropper Malware in Microsoft Office & How to Detect Them | Deep Instinct
Read up on the newest types of dropper malware affecting Microsoft Office. Deep Instinct’s experts have put together a guide for detecting & preventing these malicious threats.
#ParsedReport
26-05-2022
New malware Campaign delivers Android RAT. Sophisticated RAT spying on Mobile Devices
https://blog.cyble.com/2022/05/26/new-malware-campaign-delivers-android-rat
Industry:
Financial
TTPs:
Tactics: 4
Technics: 0
IOCs:
File: 5
Domain: 1
Hash: 5
#ParsedReport
26-05-2022
Black Basta Besting Your Network?
https://securityintelligence.com/posts/black-basta-ransomware-group-besting-network
Threats:
Blackbasta (tags: malware, ransomware)
Conti
Industry:
Financial
IOCs:
Coin: 1
Hash: 7
File: 2
Security Intelligence
Black Basta besting your network?
Explore in-depth insights behind the Black Basta ransomware group. IBM Security X-Force shares the analysis.
#ParsedReport
27-05-2022
XLL Malware Distributed Through Email
https://asec.ahnlab.com/en/34756
Threats:
Lokibot_stealer (tags: malware)
Trojan/win.agent.c5025449 (tags: malware)
Ransomware/win.carlos.c5025252 (tags: malware)
IOCs:
File: 5
Url: 3
Hash: 5
ASEC
XLL Malware Distributed Through Email - ASEC
Malware strains have been created and distributed in various forms and types. As such, the ASEC analysis team is actively monitoring and analyzing such changes to allow AhnLab products to detect them. This post will introduce XLL malware that was discovered…
#ParsedReport
27-05-2022
The Four Horsemen of Software Supply Chain Attacks
https://www.esentire.com/blog/the-four-horsemen-of-software-supply-chain-attacks
Threats:
Log4shell_vuln
Revil (tags: ransomware)
Industry:
Financial
Geo:
Apac, America, Africa, Emea
IOCs:
File: 6
eSentire
The Four Horsemen of software supply chain attacks.
Although security leaders can expect business disruption and reputational damage to occur by default, the consequences of supply chain attacks are dire. Read this blog to learn about the four…
#ParsedReport
27-05-2022
ASEC Weekly Malware Statistics (May 16th, 2022 - May 22nd, 2022)
https://asec.ahnlab.com/en/34785
Threats:
Agent_tesla (tags: malware)
Formbook (tags: malware)
Lokibot_stealer (tags: malware)
Redline_stealer (tags: malware)
Beamwinhttp_loader (tags: malware)
Avemaria_rat (tags: malware)
Industry:
Financial, Transport
IOCs:
Domain: 4
IP: 23
Email: 5
File: 30
Url: 25
ASEC BLOG
ASEC Weekly Malware Statistics (May 16th, 2022 - May 22nd, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from May 16th, 2022 (Monday) to May 22nd, 2022 (Sunday). For the main category, info-stealer…