#ParsedReport
25-05-2022
REvil Resurgence? Or a Copycat?
https://www.akamai.com/blog/security/revil-resurgence-or-copycat
Actors/Campaigns:
Lazarus
Threats:
Revil (tags: botnet, proxy, ransomware, ddos)
Meris_botnet (tags: botnet, proxy, malware, ddos)
Conti
Industry:
Financial, Government
Geo:
Russian
25-05-2022
REvil Resurgence? Or a Copycat?
https://www.akamai.com/blog/security/revil-resurgence-or-copycat
Actors/Campaigns:
Lazarus
Threats:
Revil (tags: botnet, proxy, ransomware, ddos)
Meris_botnet (tags: botnet, proxy, malware, ddos)
Conti
Industry:
Financial, Government
Geo:
Russian
Akamai
REvil Resurgence? Or a Copycat?
Has REvil returned? In this new post by Akamai's SIRT, see a DDoS incident by a threat actor claiming to be REvil.
#ParsedReport
25-05-2022
ASEC Weekly Malware Statistics ( 20220516 \~ 20220522 )
https://asec.ahnlab.com/ko/34734
Threats:
Agent_tesla (tags: malware, stealer)
Azorult
Formbook (tags: scan, stealer)
Lokibot_stealer
Avemaria_rat (tags: malware)
Redline_stealer
Beamwinhttp_loader
Industry:
Financial, Transport
Geo:
Korea
IOCs:
Domain: 4
IP: 23
Email: 5
File: 30
Url: 25
25-05-2022
ASEC Weekly Malware Statistics ( 20220516 \~ 20220522 )
https://asec.ahnlab.com/ko/34734
Threats:
Agent_tesla (tags: malware, stealer)
Azorult
Formbook (tags: scan, stealer)
Lokibot_stealer
Avemaria_rat (tags: malware)
Redline_stealer
Beamwinhttp_loader
Industry:
Financial, Transport
Geo:
Korea
IOCs:
Domain: 4
IP: 23
Email: 5
File: 30
Url: 25
ASEC BLOG
ASEC 주간 악성코드 통계 ( 20220516 ~ 20220522 ) - ASEC BLOG
ASEC 분석팀에서는 ASEC 자동 분석 시스템 RAPIT 을 활용하여 알려진 악성코드들에 대한 분류 및 대응을 진행하고 있다. 본 포스팅에서는 2022년 5월 16일 월요일부터 5월 22일 일요일까지 한 주간 수집된 악성코드의 통계를 정리한다. 대분류 상으로는 인포스틸러가 71.8%로 1위를 차지하였으며, 그 다음으로는 RAT (Remote Administration Tool) 악성코드가 19.1%, 다운로더 3.7%, 랜섬웨어 3.3%, 뱅킹 1.7%…
#ParsedReport
25-05-2022
Use of Obfuscated Beacons in pymafka Supply Chain Attack Signals a New Trend in macOS Attack TTPs
https://www.sentinelone.com/labs/use-of-obfuscated-beacons-in-pymafka-supply-chain-attack-signals-a-new-trend-in-macos-attack-ttps
Threats:
Beacon (tags: rat, malware, ransomware)
Dazzlespy
Cobalt_strike
Zuru
Poseidon_mythic
Findpos
IOCs:
File: 1
Hash: 5
IP: 2
25-05-2022
Use of Obfuscated Beacons in pymafka Supply Chain Attack Signals a New Trend in macOS Attack TTPs
https://www.sentinelone.com/labs/use-of-obfuscated-beacons-in-pymafka-supply-chain-attack-signals-a-new-trend-in-macos-attack-ttps
Threats:
Beacon (tags: rat, malware, ransomware)
Dazzlespy
Cobalt_strike
Zuru
Poseidon_mythic
Findpos
IOCs:
File: 1
Hash: 5
IP: 2
SentinelOne
Use of Obfuscated Beacons in ‘pymafka’ Supply Chain Attack Signals a New Trend in macOS Attack TTPs
A new typosquatting attack against the PyPI repository targets enterprise Macs with a distinctive obfuscation method.
#ParsedReport
25-05-2022
The New RansomHouse on The Block
https://cyberint.com/blog/research/ransomhouse
Actors/Campaigns:
Ransomhouse (tags: ransomware)
Lapsus
Industry:
Financial
25-05-2022
The New RansomHouse on The Block
https://cyberint.com/blog/research/ransomhouse
Actors/Campaigns:
Ransomhouse (tags: ransomware)
Lapsus
Industry:
Financial
Cyberint
The New RansomHouse on The Block
RansomHouse, a new group skips the encryption phase, requests payment for stolen data. Once paid, report the victim on their security gaps.
#ParsedReport
26-05-2022
SpiderLabs Blog. Grandoreiro Banking Malware Resurfaces for Tax Season
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/grandoreiro-banking-malware-resurfaces-for-tax-season
Threats:
Grandoreiro (tags: dns, backdoor, malware, phishing, spam, rat, trojan)
Javali (tags: trojan)
Fake-trusteer (tags: trojan)
Industry:
Financial
Geo:
Mexico, Spain, Brazil, America, American
IOCs:
Url: 4
Path: 1
Registry: 1
Hash: 6
File: 3
Domain: 1
IP: 1
Links:
26-05-2022
SpiderLabs Blog. Grandoreiro Banking Malware Resurfaces for Tax Season
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/grandoreiro-banking-malware-resurfaces-for-tax-season
Threats:
Grandoreiro (tags: dns, backdoor, malware, phishing, spam, rat, trojan)
Javali (tags: trojan)
Fake-trusteer (tags: trojan)
Industry:
Financial
Geo:
Mexico, Spain, Brazil, America, American
IOCs:
Url: 4
Path: 1
Registry: 1
Hash: 6
File: 3
Domain: 1
IP: 1
Links:
https://github.com/SpiderLabs/Grandoreiro-decryptor/blob/main/grandoreiro\_string\_decryptor.pyhttps://github.com/SpiderLabs/Grandoreiro-decryptor/blob/main/grandoreiro\_dga\_gen.pyTrustwave
Grandoreiro Banking Malware Resurfaces for Tax Season
Trustwave SpiderLabs in early April observed a Grandoreiro malware campaign targeting bank users from Brazil, Spain, and Mexico. The campaign exploits the tax season in target countries by sending out tax-themed phishing emails.
#ParsedReport
26-05-2022
Country Extortion: Ransomware expands business to include the government sector
https://blog.checkpoint.com/2022/05/26/country-extortion-ransomware-expands-business-to-the-governmental-sector
Threats:
Conti (tags: ransomware)
Smokeloader_backdoor (tags: ransomware)
Industry:
Government, Education, Financial
Geo:
Ukraine, America, Russia, Russian, Peru, Americans
IOCs:
File: 7
26-05-2022
Country Extortion: Ransomware expands business to include the government sector
https://blog.checkpoint.com/2022/05/26/country-extortion-ransomware-expands-business-to-the-governmental-sector
Threats:
Conti (tags: ransomware)
Smokeloader_backdoor (tags: ransomware)
Industry:
Government, Education, Financial
Geo:
Ukraine, America, Russia, Russian, Peru, Americans
IOCs:
File: 7
Check Point Software
Country Extortion: Ransomware expands business to include the government sector - Check Point Software
Currently Conti is conducting a wide extortion operation against two governments in Latin America – Costa Rica and Peru It is unprecedented for a country
#ParsedReport
26-05-2022
Tandem Espionage
https://inquest.net/blog/2022/05/25/tandem-espionage
Threats:
Arkei_stealer
Eternity_stealer
IOCs:
Hash: 9
File: 1
Url: 26
Domain: 12
Links:
26-05-2022
Tandem Espionage
https://inquest.net/blog/2022/05/25/tandem-espionage
Threats:
Arkei_stealer
Eternity_stealer
IOCs:
Hash: 9
File: 1
Url: 26
Domain: 12
Links:
https://github.com/inquest/python-inquestlabsinquest.net
Tandem Espionage
Some time ago, we discovered an interesting campaign distributing malicious documents. Which used the download chain as well as legitimate payload hosting services. In this report, we will show the technical side of this campaign and provide additional indicators.
#ParsedReport
26-05-2022
Detecting and preventing privilege escalation attacks leveraging Kerberos relaying (KrbRelayUp)
https://www.microsoft.com/security/blog/2022/05/25/detecting-and-preventing-privilege-escalation-attacks-leveraging-kerberos-relaying-krbrelayup
Threats:
Krbrelayup_tool (tags: malware)
Rubeus_tool
Krbrelay_tool
Scmuacbypass_tool
Whisker_tool
Adcspwn_tool
Links:
26-05-2022
Detecting and preventing privilege escalation attacks leveraging Kerberos relaying (KrbRelayUp)
https://www.microsoft.com/security/blog/2022/05/25/detecting-and-preventing-privilege-escalation-attacks-leveraging-kerberos-relaying-krbrelayup
Threats:
Krbrelayup_tool (tags: malware)
Rubeus_tool
Krbrelay_tool
Scmuacbypass_tool
Whisker_tool
Adcspwn_tool
Links:
https://github.com/Dec0ne/KrbRelayUpMicrosoft News
Detecting and preventing privilege escalation attacks leveraging Kerberos relaying (KrbRelayUp)
The privilege escalation hacking tool KrbRelayUp is a wrapper that can streamline the use of some features in Rubeus, KrbRelay, SCMUACBypass, PowerMad/ SharpMad, Whisker, and ADCSPwn tools in attacks. Although this attack won’t function for Azure Active Directory…
#ParsedReport
26-05-2022
Blame the Messenger: 4 Types of Dropper Malware in Microsoft Office & How to Detect Them
https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office
Actors/Campaigns:
Aggaa (tags: malware)
Threats:
Emotet (tags: dropper, malware)
Revenge_rat (tags: malware)
Dridex (tags: dropper)
IOCs:
Url: 1
Path: 1
File: 2
Hash: 7
Links:
26-05-2022
Blame the Messenger: 4 Types of Dropper Malware in Microsoft Office & How to Detect Them
https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office
Actors/Campaigns:
Aggaa (tags: malware)
Threats:
Emotet (tags: dropper, malware)
Revenge_rat (tags: malware)
Dridex (tags: dropper)
IOCs:
Url: 1
Path: 1
File: 2
Hash: 7
Links:
https://github.com/deepinstinct/Excellerhttps://github.com/DidierStevens/DidierStevensSuite/blob/master/oledump.pyDeep Instinct
4 Types of Dropper Malware in Microsoft Office & How to Detect Them | Deep Instinct
Read up on the newest types of dropper malware affecting Microsoft Office. Deep Instinct’s experts have put together a guide for detecting & preventing these malicious threats.
#ParsedReport
26-05-2022
New malware Campaign delivers Android RAT. Sophisticated RAT spying on Mobile Devices
https://blog.cyble.com/2022/05/26/new-malware-campaign-delivers-android-rat
Industry:
Financial
TTPs:
Tactics: 4
Technics: 0
IOCs:
File: 5
Domain: 1
Hash: 5
26-05-2022
New malware Campaign delivers Android RAT. Sophisticated RAT spying on Mobile Devices
https://blog.cyble.com/2022/05/26/new-malware-campaign-delivers-android-rat
Industry:
Financial
TTPs:
Tactics: 4
Technics: 0
IOCs:
File: 5
Domain: 1
Hash: 5
#ParsedReport
26-05-2022
Black Basta Besting Your Network?
https://securityintelligence.com/posts/black-basta-ransomware-group-besting-network
Threats:
Blackbasta (tags: malware, ransomware)
Conti
Industry:
Financial
IOCs:
Coin: 1
Hash: 7
File: 2
26-05-2022
Black Basta Besting Your Network?
https://securityintelligence.com/posts/black-basta-ransomware-group-besting-network
Threats:
Blackbasta (tags: malware, ransomware)
Conti
Industry:
Financial
IOCs:
Coin: 1
Hash: 7
File: 2
Security Intelligence
Black Basta besting your network?
Explore in-depth insights behind the Black Basta ransomware group. IBM Security X-Force shares the analysis.
#ParsedReport
27-05-2022
XLL Malware Distributed Through Email
https://asec.ahnlab.com/en/34756
Threats:
Lokibot_stealer (tags: malware)
Trojan/win.agent.c5025449 (tags: malware)
Ransomware/win.carlos.c5025252 (tags: malware)
IOCs:
File: 5
Url: 3
Hash: 5
27-05-2022
XLL Malware Distributed Through Email
https://asec.ahnlab.com/en/34756
Threats:
Lokibot_stealer (tags: malware)
Trojan/win.agent.c5025449 (tags: malware)
Ransomware/win.carlos.c5025252 (tags: malware)
IOCs:
File: 5
Url: 3
Hash: 5
ASEC
XLL Malware Distributed Through Email - ASEC
Malware strains have been created and distributed in various forms and types. As such, the ASEC analysis team is actively monitoring and analyzing such changes to allow AhnLab products to detect them. This post will introduce XLL malware that was discovered…
#ParsedReport
27-05-2022
The Four Horsemen of Software Supply Chain Attacks
https://www.esentire.com/blog/the-four-horsemen-of-software-supply-chain-attacks
Threats:
Log4shell_vuln
Revil (tags: ransomware)
Industry:
Financial
Geo:
Apac, America, Africa, Emea
IOCs:
File: 6
27-05-2022
The Four Horsemen of Software Supply Chain Attacks
https://www.esentire.com/blog/the-four-horsemen-of-software-supply-chain-attacks
Threats:
Log4shell_vuln
Revil (tags: ransomware)
Industry:
Financial
Geo:
Apac, America, Africa, Emea
IOCs:
File: 6
eSentire
The Four Horsemen of software supply chain attacks.
Although security leaders can expect business disruption and reputational damage to occur by default, the consequences of supply chain attacks are dire. Read this blog to learn about the four…
#ParsedReport
27-05-2022
ASEC Weekly Malware Statistics (May 16th, 2022 May 22nd, 2022)
https://asec.ahnlab.com/en/34785
Threats:
Agent_tesla (tags: malware)
Formbook (tags: malware)
Lokibot_stealer (tags: malware)
Redline_stealer (tags: malware)
Beamwinhttp_loader (tags: malware)
Avemaria_rat (tags: malware)
Industry:
Financial, Transport
IOCs:
Domain: 4
IP: 23
Email: 5
File: 30
Url: 25
27-05-2022
ASEC Weekly Malware Statistics (May 16th, 2022 May 22nd, 2022)
https://asec.ahnlab.com/en/34785
Threats:
Agent_tesla (tags: malware)
Formbook (tags: malware)
Lokibot_stealer (tags: malware)
Redline_stealer (tags: malware)
Beamwinhttp_loader (tags: malware)
Avemaria_rat (tags: malware)
Industry:
Financial, Transport
IOCs:
Domain: 4
IP: 23
Email: 5
File: 30
Url: 25
ASEC BLOG
ASEC Weekly Malware Statistics (May 16th, 2022 - May 22nd, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from May 16th, 2022 (Monday) to May 22nd, 2022 (Sunday). For the main category, info-stealer…
#ParsedReport
27-05-2022
BAZARLOADER: Analysing The Main Loader. Step 1: Checking System Languages
https://www.0ffset.net/reverse-engineering/analysing-the-main-bazarloader/?utm_source=rss&utm_medium=rss&utm_campaign=analysing-the-main-bazarloader
Threats:
Bazarbackdoor (tags: malware, dns)
Cobalt_strike
Conti
Geo:
Russia
IOCs:
File: 1
Functions Names: 37
Links:
27-05-2022
BAZARLOADER: Analysing The Main Loader. Step 1: Checking System Languages
https://www.0ffset.net/reverse-engineering/analysing-the-main-bazarloader/?utm_source=rss&utm_medium=rss&utm_campaign=analysing-the-main-bazarloader
Threats:
Bazarbackdoor (tags: malware, dns)
Cobalt_strike
Conti
Geo:
Russia
IOCs:
File: 1
Functions Names: 37
Links:
https://github.com/m0n0ph1/Process-Hollowing0ffset Training Solutions | Practical and Affordable Cyber Security Training
BAZARLOADER: Analysing The Main Loader | 0ffset Training Solutions
This post is a follow up on the last one on BAZARLOADER. If you’re interested in how to unpack the initial stages of this malware, you can check it out here. In this post, we’ll cover the final stage of this loader, which has the capability to download and…
#ParsedReport
27-05-2022
APT-C-53 (Gamaredon) New Round DDoS Attack Mission Analysis
https://mp-weixin-qq-com.translate.goog/s/gJFSlpIlbaI11lcClNN_Xw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en
Actors/Campaigns:
Gamaredon (tags: malware, phishing, ddos, trojan)
Industry:
Government
IOCs:
Hash: 19
27-05-2022
APT-C-53 (Gamaredon) New Round DDoS Attack Mission Analysis
https://mp-weixin-qq-com.translate.goog/s/gJFSlpIlbaI11lcClNN_Xw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en
Actors/Campaigns:
Gamaredon (tags: malware, phishing, ddos, trojan)
Industry:
Government
IOCs:
Hash: 19
微信公众平台
APT-C-53(Gamaredon)新一轮DDoS攻击任务分析
360安全大脑监测到APT-C-53(Gamaredon)组织相关的网络攻击活动愈加频繁,发现该组织开始下发开源DDoS木马程序“LOIC”进行DDoS攻击活动
#ParsedReport
27-05-2022
Blog. Win11 users beware! Magniber ransomware has been upgraded again, aiming at win11
https://blog.360totalsecurity.com/en/win11-users-beware-magniber-ransomware-has-been-upgraded-again-aiming-at-win11
Threats:
Magniber (tags: ransomware)
Industry:
Financial
Geo:
Ukraines
IOCs:
File: 2
Url: 4
Hash: 5
27-05-2022
Blog. Win11 users beware! Magniber ransomware has been upgraded again, aiming at win11
https://blog.360totalsecurity.com/en/win11-users-beware-magniber-ransomware-has-been-upgraded-again-aiming-at-win11
Threats:
Magniber (tags: ransomware)
Industry:
Financial
Geo:
Ukraines
IOCs:
File: 2
Url: 4
Hash: 5
360 Total Security Blog
Win11 users beware! Magniber ransomware has been upgraded again, aiming at win11 | 360 Total Security Blog
At the end of April this year, the Magniber ransomware disguised as a Windows 10 upgrade patch package and spread widely, and 360 Security Center...
#ParsedReport
27-05-2022
Threat Source newsletter (May 26, 2022) BlackByte adds itself to the grocery list of big game hunters
http://blog.talosintelligence.com/2022/05/threat-source-newsletter-may-26-2022.html
Actors/Campaigns:
Red_delta
Threats:
Blackbyte (tags: spyware, trojan, cryptomining, ransomware, malware)
Conti
Predator
Cytrox
Industry:
Government
Geo:
Netherlands, Mexico, Indonesia, Greece, Colombia, Armenia, America, Madagascar, Spain, Egypt, Vietnam, China, Ukraine, Serbia
IOCs:
Hash: 10
File: 4
27-05-2022
Threat Source newsletter (May 26, 2022) BlackByte adds itself to the grocery list of big game hunters
http://blog.talosintelligence.com/2022/05/threat-source-newsletter-may-26-2022.html
Actors/Campaigns:
Red_delta
Threats:
Blackbyte (tags: spyware, trojan, cryptomining, ransomware, malware)
Conti
Predator
Cytrox
Industry:
Government
Geo:
Netherlands, Mexico, Indonesia, Greece, Colombia, Armenia, America, Madagascar, Spain, Egypt, Vietnam, China, Ukraine, Serbia
IOCs:
Hash: 10
File: 4
Talosintelligence
Threat Source newsletter (May 26, 2022) — BlackByte adds itself to the grocery list of big game hunters
A blog from the world class Intelligence Group, Talos, Cisco's Intelligence Group
Докручиваю автоматический парсер отчетов.
Научил его вытаскивать:
- Windows KB
- Расширения файлов (указанные по тексту, без самого имени файла)
- Имена функций (пока что только Camel-case. Но теперь можно запоминать какая малварь какие ф-ции дергает, если это, конечно, указано в отчете).
Научил его вытаскивать:
- Windows KB
- Расширения файлов (указанные по тексту, без самого имени файла)
- Имена функций (пока что только Camel-case. Но теперь можно запоминать какая малварь какие ф-ции дергает, если это, конечно, указано в отчете).
#ParsedReport
30-05-2022
Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC Part II
https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware-part-two
Threats:
Avemaria_rat
Sbit_rat
Pandorahvnc_rat
Vba/agent.ddon!tr (tags: malware)
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 3
Path: 1
Domain: 5
Coin: 1
Functions Names: 1
30-05-2022
Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC Part II
https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware-part-two
Threats:
Avemaria_rat
Sbit_rat
Pandorahvnc_rat
Vba/agent.ddon!tr (tags: malware)
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 3
Path: 1
Domain: 5
Coin: 1
Functions Names: 1
Fortinet Blog
Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC – Part II
FortiGuard Labs discovered a phishing campaign delivering fileless malware AveMariaRAT, BitRAT, and PandoraHVNC to steal sensitive information from a victim’s device. Read part II of our analysis t…