#ParsedReport
01-06-2022
Minerva Labs Blog
https://blog.minerva-labs.com/new-microsoft-office-follina-zero-day-already-shared-on-ransomware-forums
Threats:
Follina_vuln
Conti (tags: ransomware)
Blackcat (tags: ransomware)
Geo:
Russian
CVEs:
CVE-2022-30190 [Vulners]
01-06-2022
Minerva Labs Blog
https://blog.minerva-labs.com/new-microsoft-office-follina-zero-day-already-shared-on-ransomware-forums
Threats:
Follina_vuln
Conti (tags: ransomware)
Blackcat (tags: ransomware)
Geo:
Russian
CVEs:
CVE-2022-30190 [Vulners]
Minerva-Labs
New Microsoft Office “Follina” zero-day Already Shared on Ransomware Forums
A new zero-day discovered by Nao_Sec on May 27, 2022, titled 'Follina' (CVE-2022-30190) targeting Microsoft Office is being actively utilised by ransomware groups.
#ParsedReport
01-06-2022
Hazard Token Grabber. Upgraded version of Stealer Targeting Discord Users
https://blog.cyble.com/2022/06/01/hazard-token-grabber
Threats:
HazardToken_Grabber
Beacon
TTPs:
Tactics: 8
Technics: 15
IOCs:
Registry: 2
File: 6
Url: 1
Hash: 3
01-06-2022
Hazard Token Grabber. Upgraded version of Stealer Targeting Discord Users
https://blog.cyble.com/2022/06/01/hazard-token-grabber
Threats:
HazardToken_Grabber
Beacon
TTPs:
Tactics: 8
Technics: 15
IOCs:
Registry: 2
File: 6
Url: 1
Hash: 3
Cyble
Hazard Token Grabber
Cyble analyzes Hazard Token Grabber, an upgraded info stealer primarily targeting Discord users.
#ParsedReport
01-06-2022
Threat Brief: CVE-2022-30190 MSDT Code Execution Vulnerability
https://unit42.paloaltonetworks.com/cve-2022-30190-msdt-code-execution-vulnerability
Threats:
Follina_vuln
Geo:
Japanese, Apac, America, Japan, Emea, Belarus, Tokyo
CVEs:
CVE-2022-30190 [Vulners]
IOCs:
Url: 1
File: 4
01-06-2022
Threat Brief: CVE-2022-30190 MSDT Code Execution Vulnerability
https://unit42.paloaltonetworks.com/cve-2022-30190-msdt-code-execution-vulnerability
Threats:
Follina_vuln
Geo:
Japanese, Apac, America, Japan, Emea, Belarus, Tokyo
CVEs:
CVE-2022-30190 [Vulners]
IOCs:
Url: 1
File: 4
Unit 42
Threat Brief: CVE-2022-30190 – MSDT Code Execution Vulnerability
CVE-2022-30190 enables remote code execution, and there are proof-of-concept examples of zero-click variants. We recommend mitigations.
#ParsedReport
01-06-2022
SideWinder.AntiBot.Script
https://blog.group-ib.com/sidewinder-antibot
Actors/Campaigns:
Sidewinder
Blackmatter
Industry:
Education, Financial, Ngo, Government
Geo:
Bhutan, Indian, India, Asia, Pakistan, Afghanistan, Myanmar, Philippines, China, Pakistani, Singapore, Nepal, Bangladesh
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 6
Hash: 5
Url: 464
IP: 89
Domain: 10
01-06-2022
SideWinder.AntiBot.Script
https://blog.group-ib.com/sidewinder-antibot
Actors/Campaigns:
Sidewinder
Blackmatter
Industry:
Education, Financial, Ngo, Government
Geo:
Bhutan, Indian, India, Asia, Pakistan, Afghanistan, Myanmar, Philippines, China, Pakistani, Singapore, Nepal, Bangladesh
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 6
Hash: 5
Url: 464
IP: 89
Domain: 10
Group-IB
SideWinder.AntiBot.Script
Group-IB Threat Intelligence researchers have discovered a new malicious infrastructure and a custom tool of the APT group SideWinder. Check!
#ParsedReport
01-06-2022
Follina: Zero-Day Vulnerability found in MS-MSDT
https://www.netskope.com/blog/follina-zero-day-vulnerability-found-in-ms-msdt
Threats:
Follina_vuln (tags: malware, stealer)
Log4shell_vuln
Emotet
Redline_stealer
Geo:
Italy, Belarus
CVEs:
CVE-2021-40444 [Vulners]
Vulners: Score: 6.8, CVSS: 2.1,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (-, 20h2, 21h1, 1607, 1809, 1909, 2004)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
- microsoft windows server 2008 (-, r2)
have more...
CVE-2022-30190 [Vulners]
IOCs:
File: 5
Path: 1
Registry: 2
Hash: 6
Url: 2
01-06-2022
Follina: Zero-Day Vulnerability found in MS-MSDT
https://www.netskope.com/blog/follina-zero-day-vulnerability-found-in-ms-msdt
Threats:
Follina_vuln (tags: malware, stealer)
Log4shell_vuln
Emotet
Redline_stealer
Geo:
Italy, Belarus
CVEs:
CVE-2021-40444 [Vulners]
Vulners: Score: 6.8, CVSS: 2.1,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (-, 20h2, 21h1, 1607, 1809, 1909, 2004)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
- microsoft windows server 2008 (-, r2)
have more...
CVE-2022-30190 [Vulners]
IOCs:
File: 5
Path: 1
Registry: 2
Hash: 6
Url: 2
Netskope
CVE-2022-30190: New Zero-Day Vulnerability (Follina) in Microsoft Support Diagnostic Tool
Gustavo Palazolo and Ghanashyam Satpathy Summary On May 27, 2022, a Microsoft Office document was submitted from Belarus to VirusTotal, using a novel
#ParsedReport
01-06-2022
CVE-2022-30190: New Zero-Day Vulnerability (Follina) in Microsoft Support Diagnostic Tool
https://www.netskope.com/blog/cve-2022-30190-new-zero-day-vulnerability-follina-in-microsoft-support-diagnostic-tool
Threats:
Follina_vuln (tags: malware, stealer, fraud)
Log4shell_vuln
Emotet
Redline_stealer
Geo:
Belarus, Italy
CVEs:
CVE-2022-30190 [Vulners]
CVE-2021-40444 [Vulners]
Vulners: Score: 6.8, CVSS: 2.1,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (-, 20h2, 21h1, 1607, 1809, 1909, 2004)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
- microsoft windows server 2008 (-, r2)
have more...
IOCs:
File: 5
Path: 1
Registry: 2
Hash: 6
Url: 2
01-06-2022
CVE-2022-30190: New Zero-Day Vulnerability (Follina) in Microsoft Support Diagnostic Tool
https://www.netskope.com/blog/cve-2022-30190-new-zero-day-vulnerability-follina-in-microsoft-support-diagnostic-tool
Threats:
Follina_vuln (tags: malware, stealer, fraud)
Log4shell_vuln
Emotet
Redline_stealer
Geo:
Belarus, Italy
CVEs:
CVE-2022-30190 [Vulners]
CVE-2021-40444 [Vulners]
Vulners: Score: 6.8, CVSS: 2.1,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (-, 20h2, 21h1, 1607, 1809, 1909, 2004)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
- microsoft windows server 2008 (-, r2)
have more...
IOCs:
File: 5
Path: 1
Registry: 2
Hash: 6
Url: 2
Netskope
CVE-2022-30190: New Zero-Day Vulnerability (Follina) in Microsoft Support Diagnostic Tool
Gustavo Palazolo and Ghanashyam Satpathy Summary On May 27, 2022, a Microsoft Office document was submitted from Belarus to VirusTotal, using a novel
👍1
#ParsedReport
01-06-2022
Browser-in-the Browser sextortion scam makes victims pay by imitating Indian Gov
https://www.zscaler.com/blogs/security-research/browser-browser-sextortion-scam-makes-victims-pay-imitating-indian-gov
Industry:
Financial, Government
Geo:
India
IOCs:
Url: 2
Domain: 56
IP: 2
01-06-2022
Browser-in-the Browser sextortion scam makes victims pay by imitating Indian Gov
https://www.zscaler.com/blogs/security-research/browser-browser-sextortion-scam-makes-victims-pay-imitating-indian-gov
Industry:
Financial, Government
Geo:
India
IOCs:
Url: 2
Domain: 56
IP: 2
Zscaler
Browser-in-the Browser sextortion scam | Zscaler Blog
Browser-in-the Browser sextortion scam makes victims pay by imitating Indian Gov. Read for more details.
#ParsedReport
01-06-2022
The Popular Malware Downloader, GootLoader, Expands its Payloads Yet Again, Infecting a Law Firm with IcedID. Appendix
https://www.esentire.com/blog/gootloader-initial-access-as-a-service-malware-expands-its-payloads-yet-again-infecting-law-firm-with-icedid
Threats:
Gootloader (tags: ransomware, malware, rat, trojan)
Icedid (tags: ransomware, malware, trojan, rat)
Cobalt_strike (tags: ransomware, malware)
Beacon (tags: malware)
Conti (tags: malware)
Revil (tags: malware)
Fivehands (tags: malware)
Blackcat (tags: malware)
Gootkit
Industry:
Financial, Aerospace
IOCs:
Hash: 1
IP: 1
Domain: 1
File: 1
Links:
01-06-2022
The Popular Malware Downloader, GootLoader, Expands its Payloads Yet Again, Infecting a Law Firm with IcedID. Appendix
https://www.esentire.com/blog/gootloader-initial-access-as-a-service-malware-expands-its-payloads-yet-again-infecting-law-firm-with-icedid
Threats:
Gootloader (tags: ransomware, malware, rat, trojan)
Icedid (tags: ransomware, malware, trojan, rat)
Cobalt_strike (tags: ransomware, malware)
Beacon (tags: malware)
Conti (tags: malware)
Revil (tags: malware)
Fivehands (tags: malware)
Blackcat (tags: malware)
Gootkit
Industry:
Financial, Aerospace
IOCs:
Hash: 1
IP: 1
Domain: 1
File: 1
Links:
https://github.com/pan-unit42/tweets/blob/master/2022-01-27-IOCs-for-Contact-Forms-IcedID-with-Cobalt-Strike.txteSentire
GootLoader Expands its Payloads Infecting a Law Firm with IcedID
Read this security bulletin to learn about the most recent GootLoader attacks and find out how to protect your business from this cyber threat.
#ParsedReport
02-06-2022
Iranian Threat Actor Continues to Develop Mass Exploitation Tools
https://www.deepinstinct.com/blog/iranian-threat-actor-continues-to-develop-mass-exploitation-tools
Actors/Campaigns:
Cleaver
Cobalt_mirage
Threats:
Blister_loader
Log4shell_vuln (tags: malware)
Mirage
Plink
Proxyshell_vuln
Geo:
Iranian, Iran
CVEs:
CVE-2018-13379 [Vulners]
Vulners: Score: 5.0, CVSS: 4.0,
Vulners: Exploitation: True
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- fortinet fortios (le6.0.4, le5.6.7)
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 1
Path: 2
Hash: 34
IP: 7
Domain: 12
Links:
02-06-2022
Iranian Threat Actor Continues to Develop Mass Exploitation Tools
https://www.deepinstinct.com/blog/iranian-threat-actor-continues-to-develop-mass-exploitation-tools
Actors/Campaigns:
Cleaver
Cobalt_mirage
Threats:
Blister_loader
Log4shell_vuln (tags: malware)
Mirage
Plink
Proxyshell_vuln
Geo:
Iranian, Iran
CVEs:
CVE-2018-13379 [Vulners]
Vulners: Score: 5.0, CVSS: 4.0,
Vulners: Exploitation: True
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- fortinet fortios (le6.0.4, le5.6.7)
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 1
Path: 2
Hash: 34
IP: 7
Domain: 12
Links:
https://github.com/fatedier/frpDeep Instinct
Iranian Threat Actor & Mass Exploitation Tools | Deep Instinct
Deep Instinct researchers found an Iranian APT was attempting to compromise an Exchange server. Learn more about how we found additional new malware variants & related TTPs.
#ParsedReport
02-06-2022
AgentTesla Being Distributed Through Windows Help File (*.chm)
https://asec.ahnlab.com/en/34793
Threats:
Agent_tesla (tags: malware, phishing, trojan)
IOCs:
Url: 3
File: 1
Hash: 4
Functions Names: 1
02-06-2022
AgentTesla Being Distributed Through Windows Help File (*.chm)
https://asec.ahnlab.com/en/34793
Threats:
Agent_tesla (tags: malware, phishing, trojan)
IOCs:
Url: 3
File: 1
Hash: 4
Functions Names: 1
ASEC BLOG
AgentTesla Being Distributed Through Windows Help File (*.chm) - ASEC BLOG
The ASEC analysis team recently discovered AgentTesla being distributed with a new method. Previously, AgentTesla discussed in multiple ASEC blog posts was distributed by the malicious VBA macro inside PowerPoint files (*.ppt). However, the new method uses…
#ParsedReport
02-06-2022
ASEC Weekly Malware Statistics (May 23rd, 2022 May 29th, 2022)
https://asec.ahnlab.com/en/34876
Threats:
Agent_tesla (tags: malware, scan, dropper, spam, stealer, rat)
Formbook
Lokibot_stealer
Beamwinhttp_loader
Garbage_cleaner
Remcos_rat
Nanocore_rat
Industry:
Transport
Geo:
Pacific
IOCs:
Domain: 4
IP: 3
Email: 5
File: 28
Url: 11
02-06-2022
ASEC Weekly Malware Statistics (May 23rd, 2022 May 29th, 2022)
https://asec.ahnlab.com/en/34876
Threats:
Agent_tesla (tags: malware, scan, dropper, spam, stealer, rat)
Formbook
Lokibot_stealer
Beamwinhttp_loader
Garbage_cleaner
Remcos_rat
Nanocore_rat
Industry:
Transport
Geo:
Pacific
IOCs:
Domain: 4
IP: 3
Email: 5
File: 28
Url: 11
ASEC BLOG
ASEC Weekly Malware Statistics (May 23rd, 2022 - May 29th, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from May 23rd, 2022 (Monday) to May 29th, 2022 (Sunday). For the main category, info-stealer…
#ParsedReport
02-06-2022
NSIS Installer Malware Included with Various Malicious Files
https://asec.ahnlab.com/en/34955
Threats:
Agent_tesla (tags: malware)
Redline_stealer (tags: malware)
Smokeloader_backdoor (tags: malware)
Beamwinhttp_loader (tags: malware)
Cold_stealer (tags: malware)
Ransomware/win.stop.r484442 (tags: malware)
IOCs:
File: 2
Hash: 5
02-06-2022
NSIS Installer Malware Included with Various Malicious Files
https://asec.ahnlab.com/en/34955
Threats:
Agent_tesla (tags: malware)
Redline_stealer (tags: malware)
Smokeloader_backdoor (tags: malware)
Beamwinhttp_loader (tags: malware)
Cold_stealer (tags: malware)
Ransomware/win.stop.r484442 (tags: malware)
IOCs:
File: 2
Hash: 5
ASEC BLOG
NSIS Installer Malware Included with Various Malicious Files - ASEC BLOG
The ASEC analysis team recently discovered attackers distributing multiple malicious files with NSIS installers. NSIS (Nullsoft Scriptable Install System) is normally used to create installers for certain programs. It can be also used for creating malware…
#ParsedReport
02-06-2022
WinDealer dealing on the side
https://securelist.com/windealer-dealing-on-the-side/105946
Actors/Campaigns:
Luoyu
Threats:
Windealer
Spydealer
Demsty
Watering_hole_technique
Industry:
Telco, Logistic
Geo:
Russia, Austria, Asia, India, China, Germany, Czech, Japan
IOCs:
File: 2
Hash: 38
Url: 3
02-06-2022
WinDealer dealing on the side
https://securelist.com/windealer-dealing-on-the-side/105946
Actors/Campaigns:
Luoyu
Threats:
Windealer
Spydealer
Demsty
Watering_hole_technique
Industry:
Telco, Logistic
Geo:
Russia, Austria, Asia, India, China, Germany, Czech, Japan
IOCs:
File: 2
Hash: 38
Url: 3
Securelist
WinDealer dealing on the side
We have discovered that malware dubbed WinDealer, spread by Chinese-speaking APT actor LuoYu, has an ability to perform intrusions through a man-on-the-side attack.
#ParsedReport
02-06-2022
Tales From the Honeypot: WatchDog Evolves With a New Multi-Stage Cryptojacking Attack
https://www.cadosecurity.com/tales-from-the-honeypot-watchdog-evolves-with-a-new-multi-stage-cryptojacking-attack
Actors/Campaigns:
Teamtnt
Threats:
Zgrab_scanner_tool
Masscan_tool
Xmrig_miner
Pnscan_tool
Log4shell_vuln
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 2
File: 2
IP: 2
Hash: 6
Url: 10
Coin: 1
Links:
02-06-2022
Tales From the Honeypot: WatchDog Evolves With a New Multi-Stage Cryptojacking Attack
https://www.cadosecurity.com/tales-from-the-honeypot-watchdog-evolves-with-a-new-multi-stage-cryptojacking-attack
Actors/Campaigns:
Teamtnt
Threats:
Zgrab_scanner_tool
Masscan_tool
Xmrig_miner
Pnscan_tool
Log4shell_vuln
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 2
File: 2
IP: 2
Hash: 6
Url: 10
Coin: 1
Links:
https://github.com/zmap/zgrab2https://github.com/robertdavidgraham/masscanhttps://github.com/ptrrkssn/pnscanCado Security | Cloud Forensics & Incident Response
Tales From the Honeypot: WatchDog Evolves With a New Multi-Stage Cryptojacking Attack - Cado Security | Cloud Forensics & Incident…
One recent attack caught our eye as it involved a complex, multi-stage lifecycle, with several payloads leveraged at our honeypot machine
#ParsedReport
02-06-2022
YourCyanide: A CMD-based Ransomware With Multiple Layers of Obfuscation. YourCyanide technical analysis
https://www.trendmicro.com/en_us/research/22/f/yourcyanide-a-cmd-based-ransomware.html
Threats:
Passview_tool
Ransom.win32.gonnacope.yxcew
Trojan.vbs.gonnacope.a
Trojan.win64.kekpop.yxcet
Trojan.win64.kekpop.yxcest
Trojan.win64.kekpop.yxcert
Industry:
Financial
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 27
Url: 2
Registry: 2
Hash: 56
Functions Names: 1
02-06-2022
YourCyanide: A CMD-based Ransomware With Multiple Layers of Obfuscation. YourCyanide technical analysis
https://www.trendmicro.com/en_us/research/22/f/yourcyanide-a-cmd-based-ransomware.html
Threats:
Passview_tool
Ransom.win32.gonnacope.yxcew
Trojan.vbs.gonnacope.a
Trojan.win64.kekpop.yxcet
Trojan.win64.kekpop.yxcest
Trojan.win64.kekpop.yxcert
Industry:
Financial
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 27
Url: 2
Registry: 2
Hash: 56
Functions Names: 1
Trend Micro
YourCyanide: A CMD-Based Ransomware With Multiple Layers of Obfuscation
The Trend Micro Threat Hunting team recently analyzed a series of CMD-based ransomware variants with a number capabilities such as stealing user information, bypassing remote desktop connections, and propagating through email and physical drives.
#ParsedReport
02-06-2022
Exposing POLONIUM activity and infrastructure targeting Israeli organizations
https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations
Actors/Campaigns:
Polonium (tags: trojan, vpn, malware, backdoor)
Volatile_cedar
Muddywater
Siamesekitten
Copykittens
Threats:
Creepydrive
Creepysnail
Creepyring
Industry:
Financial, Government, Aerospace, Healthcare
Geo:
Iran, Israel
CVEs:
CVE-2018-13379 [Vulners]
Vulners: Score: 5.0, CVSS: 4.0,
Vulners: Exploitation: True
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- fortinet fortios (le6.0.4, le5.6.7)
IOCs:
File: 3
IP: 11
Links:
02-06-2022
Exposing POLONIUM activity and infrastructure targeting Israeli organizations
https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations
Actors/Campaigns:
Polonium (tags: trojan, vpn, malware, backdoor)
Volatile_cedar
Muddywater
Siamesekitten
Copykittens
Threats:
Creepydrive
Creepysnail
Creepyring
Industry:
Financial, Government, Aerospace, Healthcare
Geo:
Iran, Israel
CVEs:
CVE-2018-13379 [Vulners]
Vulners: Score: 5.0, CVSS: 4.0,
Vulners: Exploitation: True
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- fortinet fortios (le6.0.4, le5.6.7)
IOCs:
File: 3
IP: 11
Links:
https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/POLONIUMIPIoC.yaml
https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/CommonSecurityLog/RiskyCommandB64EncodedInUrl.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepyDriveURLs.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepyDriveRequestSequence.yaml
https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/CommonSecurityLog/B64IPInURL.yaml
https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/B64IPInURLFromMDE.yaml
https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/B64UserInWebURIFromMDE.yamlMicrosoft News
Exposing POLONIUM activity and infrastructure targeting Israeli organizations
Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM.
#ParsedReport
02-06-2022
Avoid Taking Shortcuts New Emotet Technique
https://cyberint.com/blog/research/avoid-taking-shortcuts-new-emotet-technique
Threats:
Emotet (tags: malware, rat, botnet, stealer, trojan)
Ryuk
Trickbot
Saintbot
Outsteel
Industry:
Financial
IOCs:
File: 1
Hash: 4
Url: 1
IP: 1
02-06-2022
Avoid Taking Shortcuts New Emotet Technique
https://cyberint.com/blog/research/avoid-taking-shortcuts-new-emotet-technique
Threats:
Emotet (tags: malware, rat, botnet, stealer, trojan)
Ryuk
Trickbot
Saintbot
Outsteel
Industry:
Financial
IOCs:
File: 1
Hash: 4
Url: 1
IP: 1
Cyberint
Avoid Taking Shortcuts - New Emotet Technique
Emotet, one of the first MaaS, an ever-evolving botnet and banking trojan, active since 2014, recently added new techniques to its arsenal.
#ParsedReport
02-06-2022
Hacker group "Ocean Lotus" combat weapon "Buni" latest exposure, targeting Linux platform
https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en
Actors/Campaigns:
Oceanlotus
Blacktech
Threats:
Doubleheaded_dragon
Wannacry
Industry:
Government, Iot, Transport, Financial, Energy, Healthcare
Geo:
China, Asia
TTPs:
Tactics: 1
Technics: 0
IOCs:
IP: 1
02-06-2022
Hacker group "Ocean Lotus" combat weapon "Buni" latest exposure, targeting Linux platform
https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en
Actors/Campaigns:
Oceanlotus
Blacktech
Threats:
Doubleheaded_dragon
Wannacry
Industry:
Government, Iot, Transport, Financial, Energy, Healthcare
Geo:
China, Asia
TTPs:
Tactics: 1
Technics: 0
IOCs:
IP: 1
微信公众平台
黑客组织“海莲花”作战武器“Buni”最新曝光,瞄准Linux平台
海莲花超强过杀软作战武器曝光,你中招了吗?
#ParsedReport
02-06-2022
Alert (AA22-152A)
https://www.cisa.gov/uscert/ncas/alerts/aa22-152a
Actors/Campaigns:
Karakurt
Threats:
Log4shell_vuln
Cobalt_strike
Beacon
Mimikatz
Blister_loader
Industry:
Government, Healthcare, Financial
Geo:
America
CVEs:
CVE-2021-44228 [Vulners]
Vulners: Score: 9.3, CVSS: 4.0,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- apache log4j (2.0, 2.0, 2.0, 2.0, <2.15.0, <2.3.1, <2.12.2)
- siemens sppa-t3000 ses3000 firmware (*)
- siemens logo\! soft comfort (*)
- siemens spectrum power 4 (4.70, 4.70, <4.70, 4.70)
- siemens siveillance control pro (*)
have more...
TTPs:
Tactics: 4
Technics: 12
IOCs:
Url: 1
File: 6
Email: 9
Hash: 11
02-06-2022
Alert (AA22-152A)
https://www.cisa.gov/uscert/ncas/alerts/aa22-152a
Actors/Campaigns:
Karakurt
Threats:
Log4shell_vuln
Cobalt_strike
Beacon
Mimikatz
Blister_loader
Industry:
Government, Healthcare, Financial
Geo:
America
CVEs:
CVE-2021-44228 [Vulners]
Vulners: Score: 9.3, CVSS: 4.0,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- apache log4j (2.0, 2.0, 2.0, 2.0, <2.15.0, <2.3.1, <2.12.2)
- siemens sppa-t3000 ses3000 firmware (*)
- siemens logo\! soft comfort (*)
- siemens spectrum power 4 (4.70, 4.70, <4.70, 4.70)
- siemens siveillance control pro (*)
have more...
TTPs:
Tactics: 4
Technics: 12
IOCs:
Url: 1
File: 6
Email: 9
Hash: 11
#ParsedReport
02-06-2022
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
Actors/Campaigns:
Silverfish (tags: trojan, rat, dns, malware, ransomware, vpn, dropper)
Evil_corp (tags: trojan, rat, malware, ransomware, vpn)
Unc1543
Gold_winter
Unc2758
Threats:
Hades (tags: trojan, rat, dns, malware, ransomware, vpn, dropper)
Lockbit (tags: trojan, rat, dns, malware, ransomware, vpn, dropper)
Blister_loader
Dridex
Wastedlocker
Cridex
Friedex
Doppelpaymer
Beacon
Phoenix_locker
Macaw
Fakeudpate
Netsupportmanager_rat
Cobalt_strike
Donut
Mimikatz
Kerberoasting_technique
Keethief_tool
Secretserversecretstealer
Putty_tool
Megasync_tool
Psexec_tool
Timestomp_tool
Domain_fronting_technique
Industry:
Government, Financial
Geo:
Russia
TTPs:
Tactics: 13
Technics: 85
IOCs:
Domain: 17
File: 1
Path: 1
YARA: Found
Links:
02-06-2022
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
Actors/Campaigns:
Silverfish (tags: trojan, rat, dns, malware, ransomware, vpn, dropper)
Evil_corp (tags: trojan, rat, malware, ransomware, vpn)
Unc1543
Gold_winter
Unc2758
Threats:
Hades (tags: trojan, rat, dns, malware, ransomware, vpn, dropper)
Lockbit (tags: trojan, rat, dns, malware, ransomware, vpn, dropper)
Blister_loader
Dridex
Wastedlocker
Cridex
Friedex
Doppelpaymer
Beacon
Phoenix_locker
Macaw
Fakeudpate
Netsupportmanager_rat
Cobalt_strike
Donut
Mimikatz
Kerberoasting_technique
Keethief_tool
Secretserversecretstealer
Putty_tool
Megasync_tool
Psexec_tool
Timestomp_tool
Domain_fronting_technique
Industry:
Government, Financial
Geo:
Russia
TTPs:
Tactics: 13
Technics: 85
IOCs:
Domain: 17
File: 1
Path: 1
YARA: Found
Links:
https://github.com/TheWover/donutMandiant
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions | Mandiant