#ParsedReport
30-05-2022
APT-C-53 (Gamaredon) New Round DDoS Attack Mission Analysis
https://mp-weixin-qq-com.translate.goog/s/gJFSlpIlbaI11lcClNN_Xw?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Actors/Campaigns:
Gamaredon (tags: ddos, phishing, trojan, malware)
Industry:
Government
IOCs:
Hash: 19
WeChat Official Accounts Platform
APT-C-53 (Gamaredon) New Round of DDoS Attack Mission Analysis
360 Security Brain has observed increasingly frequent cyberattack activity linked to the APT-C-53 (Gamaredon) group and found that the group has begun distributing the open-source DDoS trojan "LOIC" to carry out DDoS attacks
#ParsedReport
30-05-2022
ASEC Weekly Malware Statistics (20220523 ~ 20220529)
https://asec-ahnlab-com.translate.goog/ko/34862/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Threats:
Agent_tesla (tags: scan, malware, stealer)
Azorult
Formbook (tags: stealer)
Lokibot_stealer
Avemaria_rat
Beamwinhttp_loader
Garbage_cleaner
Cryptbot_stealer
Remcos_rat (tags: spam, malware, rat)
Nanocore_rat
Industry:
Transport
Geo:
Pacific, Korea
IOCs:
Domain: 4
IP: 3
Email: 5
File: 28
Url: 11
ASEC BLOG
ASEC Weekly Malware Statistics (20220523 ~ 20220529) - ASEC BLOG
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to classify and respond to known malware. This post summarizes the statistics for malware collected over one week, from Monday, May 23, 2022 to Sunday, May 29, 2022. By major category, infostealers ranked first at 76.9%, followed by RAT (Remote Administration Tool) malware at 16.6%, downloaders at 5.2%, and ransomware at 1.3%.…
#ParsedReport
30-05-2022
GoodWill ransomware forces victims to donate to the poor and provides financial assistance to patients in need
https://cloudsek.com/threatintelligence/goodwill-ransomware-forces-victims-to-donate-to-the-poor-and-provides-financial-assistance-to-patients-in-need
Threats:
Goodwill (tags: malware, ransomware, rat)
Gozi (tags: ransomware)
Hiddentear
Industry:
Financial, Healthcare
Geo:
India, Turkish, Indian
TTPs:
Tactics: 1
Technics: 0
IOCs:
IP: 2
Hash: 4
Functions Names: 1
Cloudsek
GoodWill ransomware forces victims to donate to the poor and provides financial assistance to patients in need | Threat Intelligence…
Goodwill ransomware group propagates very unusual demands in exchange for the decryption key. The Robin Hood-like group is forcing its Victims to donate to the poor and provides financial assistance to the patients in need.
#ParsedReport
30-05-2022
Research Report: Analysis of Active Kthmimu Mining Trojans
https://www-antiy-cn.translate.goog/research/notice&report/research_report/20220527.html?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Threats:
Kthmimu
Log4shell_vuln
Xmrig_miner
Ymacco
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 2
Url: 7
IP: 4
Coin: 1
Hash: 8
www-antiy-cn.translate.goog
Analysis of the Active Kthmimu Mining Trojan
Antiy is the national cybersecurity team leading the development of threat detection and defense capabilities, building a security foundation for customers across endpoint protection, traffic monitoring, perimeter defense, traffic diversion and capture, in-depth analysis, and emergency response
#ParsedReport
31-05-2022
Patch Your WSO2: CVE-2022-29464 Exploited to Install Linux-Compatible Cobalt Strike Beacons, Other Malware
https://www.trendmicro.com/en_us/research/22/e/patch-your-wso2-cve-2022-29464-exploited-to-install-linux-compatible-cobalt-strike-beacons-other-malware.html
Threats:
Cobalt_strike (tags: rat, botnet, cryptomining, malware, trojan, scan, backdoor)
Beacon (tags: rat, botnet, cryptomining, malware, trojan, scan, backdoor)
Metasploit_tool (tags: malware)
Mirai (tags: malware)
Spring4shell (tags: malware)
Malxmr_miner (tags: malware)
Industry:
Energy, Education, Financial, Healthcare, Government
CVEs:
CVE-2022-22965 [Vulners]
Vulners: Score: 7.5, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- vmware spring framework (<5.3.18, <5.2.20)
- cisco cx cloud agent (<2.1.0)
- oracle sd-wan edge (9.0, 9.1)
- oracle retail xstore point of service (20.0.1, 21.0.0)
- oracle communications cloud native core security edge protection proxy (1.7.0, 22.1.0)
have more...
CVE-2022-29464 [Vulners]
Vulners: Score: 10.0, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- wso2 api manager (le4.0.0)
- wso2 enterprise integrator (le6.6.0)
- wso2 identity server (le5.11.0)
- wso2 identity server analytics (5.4.0, 5.4.1, 5.5.0, 5.6.0)
- wso2 identity server as key manager (le5.10.0)
have more...
CVE-2012-4681 [Vulners]
Vulners: Score: 10.0, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- sun jdk (1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0.200, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0.210, 1.6.0, 1.4.2_13, 1.4.2_30, 1.4.2_12, 1.4.2_31, 1.4.2_3, 1.4.2_8, 1.4.2_16, 1.4.2_23, 1.4.2_32, 1.4.2_18, 1.4.2_19, 1.4.2_29, 1.4.2_6, 1.4.2_26, 1.4.2, 1.4.2_7, 1.4.2_27, 1.4.2_28, 1.4.2_35, 1.4.2_36, 1.4.2_4, 1.4.2_11, 1.4.2_22, 1.4.2_1, 1.4.2_2, 1.4.2_9, 1.4.2_10, 1.4.2_17, 1.4.2_37, 1.4.2_5, 1.4.2_14, 1.4.2_25, 1.4.2_33, 1.4.2_34, 1.4.2_15, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0)
- sun jre (1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.4.2_26, 1.4.2_7, 1.4.2_27, 1.4.2_16, 1.4.2_24, 1.4.2_4, 1.4.2_13, 1.4.2_29, 1.4.2_1, 1.4.2_8, 1.4.2_25, 1.4.2_15, 1.4.2_31, 1.4.2_2, 1.4.2_19, 1.4.2_14, 1.4.2_21, 1.4.2_22, 1.4.2_30, 1.4.2_37, 1.4.2_9, 1.4.2_17, 1.4.2_18, 1.4.2_33, 1.4.2_35, 1.4.2_23, 1.4.2_32, 1.4.2_3, 1.4.2_10, 1.4.2_11, 1.4.2_12, 1.4.2_20, 1.4.2_28, 1.4.2_36, 1.4.2_5, 1.4.2_34, 1.4.2_6, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0, 1.5.0)
- oracle jre (1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, le1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.7.0, le1.7.0, 1.7.0, 1.7.0, 1.7.0, 1.7.0, 1.7.0, le1.4.2_38, le1.5.0)
- oracle jdk (1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, le1.6.0, 1.6.0, 1.6.0, 1.6.0, 1.6.0, le1.7.0, 1.7.0, 1.7.0, 1.7.0, 1.7.0, 1.7.0, 1.7.0, le1.4.2_38, le1.5.0)
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 2
IP: 1
Hash: 13
Path: 1
Url: 1
Links:
https://github.com/wso2/product-apim/issues?q=is%3Aopen+is%3Aissue
https://github.com/hakivvi
https://github.com/shadow1ng/fscan
https://github.com/hakivvi/CVE-2022-29464/blob/main/exploit.py
https://github.com/wso2/product-apim
Trend Micro
Patch Your WSO2: CVE-2022-29464 Exploited to Install Linux-Compatible Cobalt Strike Beacons, Other Malware
Users of WSO2 products are advised to update their respective products and platforms or to apply the temporary mitigation steps immediately.
#ParsedReport
31-05-2022
New Black Basta Ransomware Group
https://cyberint.com/blog/research/blackbasta
Threats:
Blackbasta (tags: ransomware, malware)
Conti (tags: ransomware)
Avoslocker
Industry:
Financial, Retail
Geo:
Germany, Peru
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 3
Functions Names: 1
Cyberint
New Black Basta Ransomware Group
A new ransomware group, Black Basta, has emerged in the past month and has already claimed 29 victims. Learn more in our research report.
#ParsedReport
31-05-2022
XLoader Botnet: Find Me If You Can. Introduction
https://research.checkpoint.com/2022/xloader-botnet-find-me-if-you-can
Threats:
Formbook (tags: stealer, rat, malware, botnet, trojan)
IOCs:
Hash: 11
Check Point Research
XLoader Botnet: Find Me If You Can - Check Point Research
Research by: Alexey Bukhteyev & Raman Ladutska Introduction In July 2021, CPR released a series of three publications covering different aspects of how the Formbook and XLoader malware families function. We described how XLoader emerged in the Darknet community…
#ParsedReport
31-05-2022
Sneaky SiMay
https://labs.k7computing.com/index.php/sneaky-simay
Threats:
Simay_rat (tags: malware, stealer, rat, trojan)
Krbanker
Geo:
Korea, Chinese
TTPs:
Tactics: 1
Technics: 0
IOCs:
IP: 2
Hash: 3
Domain: 1
File: 9
Path: 7
K7 Labs
Sneaky SiMay
Hackers have been abusing cloud services to host their malicious payloads and then use a downloader/loader to deploy them in […]
#ParsedReport
31-05-2022
Caution! Microsoft Office Zero-Day Vulnerability Follina (CVE-2022-30190)
https://asec-ahnlab-com.translate.goog/ko/34919/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Threats:
Follina_vuln (tags: malware)
CVEs:
CVE-2022-30190 [Vulners]
IOCs:
File: 3
Registry: 1
Url: 1
Hash: 2
Functions Names: 1
ASEC BLOG
Caution! MS Office Zero-Day Vulnerability Follina (CVE-2022-30190) - ASEC BLOG
A new vulnerability, CVE-2022-30190, referred to as Follina, has been disclosed. According to Microsoft, it is a remote code execution vulnerability that occurs when MSDT is invoked via the URL protocol from a calling application such as Word. When exploited, arbitrary code can be executed with the privileges of the calling application, allowing additional programs to be installed and data to be viewed, changed, or deleted. 1. Example of malware exploiting the vulnerability In the Word documents in which this vulnerability was identified, previously…
#ParsedReport
31-05-2022
Distributing AppleSeed disguised as Internet router installation file
https://asec-ahnlab-com.translate.goog/ko/34883/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Actors/Campaigns:
Kimsuky
Threats:
Appleseed (tags: rat, malware, dropper)
Filecoder
Tightvnc_tool
IOCs:
File: 5
Path: 4
Hash: 5
Url: 3
Functions Names: 1
ASEC BLOG
AppleSeed Distributed Disguised as an Internet Router Installation File - ASEC BLOG
On May 26, the ASEC analysis team identified AppleSeed malware being distributed disguised as a router firmware installer. Until now, known AppleSeed samples have mostly been distributed disguised as legitimate document or image files. The dropper malware that creates AppleSeed used script formats such as JS (JavaScript) and VBS (Visual Basic Script), or, in executable form, carried a pif extension disguised as a document file; in this case, however,…
#ParsedReport
31-05-2022
Malicious Word doc taps previously unknown Microsoft Office vulnerability
https://news.sophos.com/en-us/2022/05/30/malicious-word-doc-taps-previously-unknown-microsoft-office-vulnerability
IOCs:
File: 3
Domain: 1
Sophos News
Malicious Word doc taps previously unknown Microsoft Office vulnerability
MSDT.exe misuse in May makes for Memorial Day Monday mayhem
I've long wondered whether the wave function from quantum mechanics could be carried over to information security to estimate the probability of a system transitioning from its current state to the state "Hacked"...
Still haven't gotten around to working through the equations ((((
#technique
Arbitrary File Upload Tricks In Java
https://pyn3rd.github.io/2022/05/07/Arbitrary-File-Upload-Tricks-In-Java/
Pyn3Rd
Arbitrary File Upload Tricks In Java
0x01 Forewords. Recently I have seen some discussions about arbitrary file upload in Java environments on the Internet. The main talking points are how to bypass file name detection when uploading an arbitrary file.
By the way, I touched on this topic in my talk at PhD
End of Life of an Indicator of Compromise (IOC)
https://www.dragos.com/blog/end-of-life-of-an-indicator-of-compromise-ioc/
#ParsedReport
31-05-2022
Staying Ahead of CVE-2022-30190 (Follina)
https://www.sentinelone.com/blog/staying-ahead-of-cve-2022-30190-follina
Threats:
Follina_vuln (tags: malware)
Log4shell_vuln
Beacon
Geo:
Chinese, Ukraine, Russian, Belarus
CVEs:
CVE-2022-30190 [Vulners]
IOCs:
Hash: 2
Domain: 2
IP: 1
Registry: 2
File: 5
Functions Names: 1
SentinelOne
CVE-2022-30190 (Follina): Detection and Mitigation
Learn how to detect and mitigate CVE-2022-30190 (Follina), a critical vulnerability. Discover effective strategies to protect your systems from exploitation.
#ParsedReport
01-06-2022
MSDT abused to achieve RCE on Microsoft Office
https://blog.sekoia.io/msdt-abused-to-achieve-rce-on-microsoft-office
Threats:
Follina_vuln
Cobalt_strike
Beacon
Plugx_rat
Lolbas_technique
Geo:
Chinese, Philippines, Russian, Nepal, Ukraine
CVEs:
CVE-2022-30190 [Vulners]
TTPs:
IOCs:
Hash: 9
File: 4
Domain: 6
Url: 5
IP: 3
YARA: Found
SIGMA: Found
Sekoia.io Blog
MSDT abused to achieve RCE on Microsoft Office
Discover through our article, how attackers hijack the Microsoft Support Diagnostic Tool to remotely execute arbitrary code under Windows
#ParsedReport
01-06-2022
Minerva Labs Blog
https://blog.minerva-labs.com/new-microsoft-office-follina-zero-day-already-shared-on-ransomware-forums
Threats:
Follina_vuln
Conti (tags: ransomware)
Blackcat (tags: ransomware)
Geo:
Russian
CVEs:
CVE-2022-30190 [Vulners]
Minerva-Labs
New Microsoft Office “Follina” zero-day Already Shared on Ransomware Forums
A new zero-day discovered by Nao_Sec on May 27, 2022, titled 'Follina' (CVE-2022-30190) targeting Microsoft Office is being actively utilised by ransomware groups.
#ParsedReport
01-06-2022
Hazard Token Grabber. Upgraded version of Stealer Targeting Discord Users
https://blog.cyble.com/2022/06/01/hazard-token-grabber
Threats:
HazardToken_Grabber
Beacon
TTPs:
Tactics: 8
Technics: 15
IOCs:
Registry: 2
File: 6
Url: 1
Hash: 3
Cyble
Hazard Token Grabber
Cyble analyzes Hazard Token Grabber, an upgraded info stealer primarily targeting Discord users.
#ParsedReport
01-06-2022
Threat Brief: CVE-2022-30190 MSDT Code Execution Vulnerability
https://unit42.paloaltonetworks.com/cve-2022-30190-msdt-code-execution-vulnerability
Threats:
Follina_vuln
Geo:
Japanese, Apac, America, Japan, Emea, Belarus, Tokyo
CVEs:
CVE-2022-30190 [Vulners]
IOCs:
Url: 1
File: 4
Unit 42
Threat Brief: CVE-2022-30190 – MSDT Code Execution Vulnerability
CVE-2022-30190 enables remote code execution, and there are proof-of-concept examples of zero-click variants. We recommend mitigations.
#ParsedReport
01-06-2022
SideWinder.AntiBot.Script
https://blog.group-ib.com/sidewinder-antibot
Actors/Campaigns:
Sidewinder
Blackmatter
Industry:
Education, Financial, Ngo, Government
Geo:
Bhutan, Indian, India, Asia, Pakistan, Afghanistan, Myanmar, Philippines, China, Pakistani, Singapore, Nepal, Bangladesh
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 6
Hash: 5
Url: 464
IP: 89
Domain: 10
Group-IB
SideWinder.AntiBot.Script
Group-IB Threat Intelligence researchers have discovered a new malicious infrastructure and a custom tool of the APT group SideWinder. Check!