2024-03-21
Numerous_Chinese_State_Sponsored_Groups_Are_Associated_With_Private_Contractor
LOW

Intel Source:
Recorded Future
Intel Name:
Numerous_Chinese_State_Sponsored_Groups_Are_Associated_With_Private_Contractor
Date of Scan:
2024-03-21
Impact:
LOW
Summary:
A fresh perspective on the latest i-SOON leak is provided by new Insikt Group research. China’s state-sponsored cyber espionage operations were made public on February 18, 2024, through an anonymous document leak from Anxun Information Technology Co., Ltd. (i-SOON), a cybersecurity and IT company in China. The breach is noteworthy because it exposes the links between i-SOON and a number of state-sponsored cyber groups in China, including RedAlpha, RedHotel, and POISON CARP. These connections point to a complex web of espionage activities, including the theft of communications records in order to track down specific individuals.


Source:
https://go.recordedfuture.com/hubfs/reports/cta-2024-0320.pdf

2024-03-21
New_Sysrv_botnet_variant_spreads_XMRig_Miner
MEDIUM

Intel Source:
Imperva
Intel Name:
New_Sysrv_botnet_variant_spreads_XMRig_Miner
Date of Scan:
2024-03-21
Impact:
MEDIUM
Summary:
A new variant of the Sysrv botnet was observed exploiting vulnerabilities in Apache Struts and Atlassian Confluence to spread an XMRig cryptominer payload. The malware made use of a compromised Malaysian academic website and Google subdomain to distribute malicious files. Enhancements include obfuscation and architecture preparation functions. The malware connects to MoneroOcean mining pool endpoints and mines to a specific wallet. Defenders should block suspicious outbound connections and inspect seemingly legitimate sites for malicious files.


Source:
https://www.imperva.com/blog/new-sysrv-botnet-variant-makes-use-of-google-subdomain-to-spread-xmrig-miner/

2024-03-21
Caution_Regarding_Infostealer_Posing_as_Installer
LOW

Intel Source:
ASEC
Intel Name:
Caution_Regarding_Infostealer_Posing_as_Installer
Date of Scan:
2024-03-21
Impact:
LOW
Summary:
Researchers from ASEC have observed widespread distribution of the StealC malware disguised as an installer. It was found to be downloaded through Dropbox, GitHub, Discord, and other services. Given earlier incidents that used similar distribution pathways, victims are likely redirected several times from a malicious webpage masquerading as the download page for a specific program before reaching the actual download URL.


Source:
https://asec.ahnlab.com/en/63308/

2024-03-21
AceCryptor_Malware_Increased_Throughout_Europe
LOW

Intel Source:
Welivesecurity
Intel Name:
AceCryptor_Malware_Increased_Throughout_Europe
Date of Scan:
2024-03-21
Impact:
LOW
Summary:
ESET researchers have been studying AceCryptor for years, and on Wednesday they said that the latest campaign differed from earlier versions due to the attackers’ increased arsenal of harmful code. Typically, AceCryptor is used in conjunction with malware called Remcos or Rescoms, a potent remote surveillance tool that researchers have frequently observed being utilized against Ukrainian businesses.


Source:
https://www.welivesecurity.com/en/eset-research/rescoms-rides-waves-acecryptor-spam/

2024-03-21
Sign1_malware_analysis
LOW

Intel Source:
Sucuri
Intel Name:
Sign1_malware_analysis
Date of Scan:
2024-03-21
Impact:
LOW
Summary:
The article titled “Sign1 Malware: Analysis, Campaign History & Indicators of Compromise” delves into the details of a recent malware campaign known as Sign1. The campaign has affected over 39,000 websites in the past 6 months and is typically injected through custom HTML widgets. The malware redirects users to malicious sites, often related to the VexTrio scam. The article provides a comprehensive analysis of the campaign, including its evolution since it was first noticed in 2023. The attackers have changed their obfuscation methods and use a timestamp trick in their URLs. The article also lists the various domains used by the attackers and their registration dates, as well as the number of infected sites associated with each domain. The author recommends securing the admin panel and using website monitoring tools to protect against this type of malware. The article also includes a case study of a client who experienced the Sign1 malware and how it was traced back to the campaign. It discusses the various indicators of compromise for this malware, including its campaign history and obfuscation techniques, and how to detect and mitigate it. The author provides a breakdown of the JavaScript code used in the malware and how it dynamically generates URLs to redirect visitors to scam sites. The article concludes with a list of conditions that must be met for the malware to execute, including a specific cookie and a correct referrer. Overall, the article provides a detailed overview of the Sign1 malware campaign and offers valuable insights for website owners to protect against it.


Source:
https://blog.sucuri.net/2024/03/sign1-malware-analysis-campaign-history-indicators-of-compromise.html

2024-03-21
The_Kimsuky_threat_actor_group_activity
MEDIUM

Intel Source:
Rapid7
Intel Name:
The_Kimsuky_threat_actor_group_activity
Date of Scan:
2024-03-21
Impact:
MEDIUM
Summary:
The article discusses the latest tactics and techniques used by the Kimsuky threat actor group, also known as Black Banshee or Thallium. The group, originating from North Korea, primarily focuses on intelligence gathering and has targeted South Korean government entities, individuals involved in the Korean peninsula’s unification process, and global experts in fields relevant to the regime’s interests. The article highlights the group’s evolving methods, such as using weaponized Office documents, ISO files, and shortcut files (LNK files) to bypass modern security measures. The latest findings reveal that the group is now using CHM files (compiled HTML help files) to distribute malware and gain access to their targets. The article provides a detailed analysis of a CHM file used by the group, including its file structure, language, and code snippets. It also explains how the group uses HTML and ActiveX to execute arbitrary commands on a victim’s machine and create persistence. The article also includes a visualization of the attack flow and a list of detections that Rapid7 customers can use to protect against this campaign. Overall, the article sheds light on the Kimsuky threat actor group’s tactics and provides valuable insights for organizations to protect themselves against this campaign.


Source:
https://www.rapid7.com/blog/post/2024/03/20/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/

2024-03-21
Investigations_into_CVE_2024_21762_Vulnerability_and_Fortinet_FortiOS
LOW

Intel Source:
ISC.SANS
Intel Name:
Investigations_into_CVE_2024_21762_Vulnerability_and_Fortinet_FortiOS
Date of Scan:
2024-03-21
Impact:
LOW
Summary:
ISC.SANS researchers have noticed that an exploit for CVE-2024-21762 has been leaked on GitHub. The vulnerability affects Fortinet’s FortiOS operating system. A patch was released on February 8th, so device owners had more than a month to apply the fix. A few days before the exploit was released on GitHub, it was made available on the Chinese QQ messaging network.


Source:
https://isc.sans.edu/diary/Scans+for+Fortinet+FortiOS+and+the+CVE202421762+vulnerability/30762/

2024-03-20
New_AcidPour_Data_Wiper_Targeting_Linux_x86_Network_Devices
LOW

Intel Source:
SentinelLabs
Intel Name:
New_AcidPour_Data_Wiper_Targeting_Linux_x86_Network_Devices
Date of Scan:
2024-03-20
Impact:
LOW
Summary:
Researchers at SentinelLabs have discovered AcidPour, a new malware with data-wiper functionality that targets Linux x86 networking and Internet of Things devices. AcidPour and AcidRain target comparable directories and device paths found in embedded Linux distributions, and there is an estimated 30% overlap in their codebases.


Source:
https://www.bleepingcomputer.com/news/security/new-acidpour-data-wiper-targets-linux-x86-network-devices/

2024-03-20
Exploits_For_TeamCity_Vulnerabilities_Lead_to_Jasmin_Ransomware
LOW

Intel Source:
Trend Micro
Intel Name:
Exploits_For_TeamCity_Vulnerabilities_Lead_to_Jasmin_Ransomware
Date of Scan:
2024-03-20
Impact:
LOW
Summary:
The active exploitation of vulnerabilities in TeamCity On-Premises poses a serious risk to enterprises using the platform for their CI/CD processes. According to Trend Micro telemetry, threat actors are using these vulnerabilities to infect compromised TeamCity servers with ransomware, coinminers, and backdoor payloads.


Source:
https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html

2024-03-20
Androshield_malware_targets_networks
MEDIUM

Intel Source:
Juniper
Intel Name:
Androshield_malware_targets_networks
Date of Scan:
2024-03-20
Impact:
MEDIUM
Summary:
The article discusses the importance of patch management and network security measures in protecting networks from cyber threats. It specifically focuses on the Androxgh0st malware, which targets Laravel applications and exploits vulnerabilities such as CVE-2017-9841 and CVE-2018-15133. The article provides a technical analysis of the malware and its methods of exploitation, as well as ways to protect against it, such as encrypting sensitive information and using multi-factor authentication. It also highlights the use of Juniper IDS and ATP Cloud as a proactive defense against Androxgh0st and other cyber attacks. The article also discusses potential network disruptions caused by abuse of SMTP, AWS, SendGrid, and Twilio credentials, and the risk of data breaches through the exposure of .env files. It concludes by emphasizing the importance of regularly updating and patching systems, as well as implementing strong security measures to prevent unauthorized access and mitigate risks.


Source:
https://blogs.juniper.net/en-us/security/shielding-networks-against-androxgh0st

2024-03-19
Persistent_Cyber_Threats_Targeting_Korean_Corporations
LOW

Intel Source:
ASEC
Intel Name:
Persistent_Cyber_Threats_Targeting_Korean_Corporations
Date of Scan:
2024-03-19
Impact:
LOW
Summary:
AhnLab Security Intelligence Center (ASEC) has uncovered a series of ongoing attacks by the Andariel group targeting Korean companies. Notably, the group leverages installations of MeshAgent alongside other remote management tools to facilitate diverse remote control capabilities. Exploiting Korean asset management solutions, the group installs malware such as AndarLoader and ModeLoader during lateral movement phases. AndarLoader, a downloader, retrieves executable data like .NET assemblies from C&C servers. MeshAgent, a remote management tool, enables screen control and was used for the first time by the Andariel group. ModeLoader, a JavaScript malware, is externally downloaded via Mshta for execution.


Source:
https://asec.ahnlab.com/en/63192/

2024-03-19
The_GlorySprout_stealer_and_others
LOW

Intel Source:
Russian Panda
Intel Name:
The_GlorySprout_stealer_and_others
Date of Scan:
2024-03-19
Impact:
LOW
Summary:
A new information stealer named GlorySprout surfaced in cybercrime forums in March 2024. Technical analysis shows it is likely a clone of the older Taurus stealer, sharing code similarities but lacking some features like Anti-VM. GlorySprout is unlikely to gain popularity compared to other stealers.


Source:
https://russianpanda.com/2024/03/16/The-GlorySprout-Stealer-or-a-Failed-Clone-of-Taurus-Stealer/

2024-03-19
A_new_ransomware_gang_called_Donex
LOW

Intel Source:
Shadowstackre
Intel Name:
A_new_ransomware_gang_called_Donex
Date of Scan:
2024-03-19
Impact:
LOW
Summary:
The article discusses the operations of a new ransomware gang called Donex, specifically their ransomware variant known as ShadowStackRE. The article, titled “Donex a new ransomware gang – ShadowStackRE”, provides a thorough analysis of the pre-encryption setup, file and directory discovery, and encryption process used by this ransomware. The setup process involves creating a mutex, disabling file system redirection, and obtaining a cryptographic context. File and directory discovery is carried out across multiple threads and targets specific processes for shutdown. The encryption process uses the Windows Restart Manager API and employs Salsa20/ChaCha20 to encrypt data. The article also mentions the use of a blacklist, whitelist, and extension list in the encryptor’s configuration. It concludes with a description of the cleanup process, which involves clearing event logs and restarting the system.


Source:
https://www.shadowstackre.com/analysis/donex

2024-03-19
Analysis_of_AutoIt_Malware
LOW

Intel Source:
Docguard
Intel Name:
Analysis_of_AutoIt_Malware
Date of Scan:
2024-03-19
Impact:
LOW
Summary:
This article provides a comprehensive analysis of an LNK-based malware, including the process of static analysis and AutoIt deobfuscation. It examines the important fields of the LNK file and identifies a malicious command that downloads and executes an HTA file from a remote server. The HTA file is manually downloaded and analyzed, revealing the use of forfiles.exe and PowerShell. The analysis also uncovers an embedded zip file, which is extracted and examined. A script is used to parse variables and remove unnecessary ones, and a list of IOCs is provided for this specific malware.


Source:
https://www.docguard.io/analysis-of-lnk-based-obfuscated-autoit-malware/

2024-03-19
A_New_Phishing_Attack_That_Deploys_NetSupport_RAT
LOW

Intel Source:
Perception Point
Intel Name:
A_New_Phishing_Attack_That_Deploys_NetSupport_RAT
Date of Scan:
2024-03-19
Impact:
LOW
Summary:
Israeli researchers at Perception Point have discovered a new spearphishing campaign, known as Operation PhantomBlu, aimed at American companies with the goal of installing the NetSupport RAT remote access trojan. By using OLE (Object Linking and Embedding) template manipulation to run malicious code while avoiding detection, the PhantomBlu operation presents a sophisticated exploitation technique that departs from the standard NetSupport RAT distribution methodology.


Source:
https://perception-point.io/blog/operation-phantomblu-new-and-evasive-method-delivers-netsupport-rat/

2024-03-19
The_Revival_of_a_Notorious_Ransomware_Threat
MEDIUM

Intel Source:
ASEC
Intel Name:
The_Revival_of_a_Notorious_Ransomware_Threat
Date of Scan:
2024-03-19
Impact:
MEDIUM
Summary:
AhnLab Security Intelligence Center (ASEC) has uncovered the resurgence of CryptoWire, a ransomware strain that wreaked havoc back in 2018. Utilizing AutoIt scripting and distributed primarily through phishing emails, CryptoWire exhibits sophisticated features including self-replication, network exploration for file encryption, and data deletion measures to thwart recovery efforts. Unlike many ransomware variants, CryptoWire exposes its decryption keys, either embedded within the malware or transmitted to the threat actor’s server. Given its file encryption tactics and ransom demand, users are urged to exercise caution, employ anti-malware solutions, and maintain up-to-date system security to thwart potential infections and safeguard against data loss.


Source:
https://asec.ahnlab.com/en/63200/

2024-03-19
RA_World_Ransomware_continued_activity
MEDIUM

Intel Source:
Fortinet
Intel Name:
RA_World_Ransomware_continued_activity
Date of Scan:
2024-03-19
Impact:
MEDIUM
Summary:
The blog provides an overview of the RA World ransomware, which encrypts files and steals data before demanding ransom for decryption and not leaking stolen files. The ransomware disables backups and deletes shadow copies to prevent recovery. It encrypts files and adds the .RAWLD extension, and drops a ransom note with contact info. The group operates TOR and non-TOR sites to publish stolen data. The blog covers infection vectors, victims, attack methods, protections, and mitigations.


Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-ra-world

2024-03-18
Open_Directory_Exposes_Phishing_Campaign_Targeting_Google_And_Naver_Credentials
MEDIUM

Intel Source:
Hunt.IO
Intel Name:
Open_Directory_Exposes_Phishing_Campaign_Targeting_Google_And_Naver_Credentials
Date of Scan:
2024-03-18
Impact:
MEDIUM
Summary:
Hunt.IO researchers have observed an ongoing phishing campaign by a possible North Korean threat actor that aims to steal login credentials for Google and Naver. Apart from the numerous fake Google and Naver pages, the open directory that led the researchers to the finding also contains an instance of the open-source malware Xeno-RAT, as well as KakaoTalk conversation transcripts between unidentified people discussing cryptocurrency trading.


Source:
https://hunt.io/blog/open-directory-exposes-phishing-campaign-targeting-google-and-naver-credentials?utm_source=substack&utm_medium=email

2024-03-18
Hackers_From_APT28_Targeting_Europe_America_Asia_in_Widespread_Phishing_Scheme
MEDIUM

Intel Source:
IBM X-Force
Intel Name:
Hackers_From_APT28_Targeting_Europe_America_Asia_in_Widespread_Phishing_Scheme
Date of Scan:
2024-03-18
Impact:
MEDIUM
Summary:
IBM X-Force researchers have discovered that the Russia-associated threat actor APT28 is involved in several active phishing campaigns. These campaigns use lure documents that mimic government and non-governmental organizations (NGOs) throughout North and South America, Europe, the South Caucasus, Central Asia, and Asia. The unearthed lures comprise a combination of internal and publicly available documents, in addition to potentially actor-generated documents pertaining to finance, key infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production.


Source:
https://securityintelligence.com/x-force/itg05-leverages-malware-arsenal/

2024-03-18
ScamClub_Malicious_VAST_Attack
LOW

Intel Source:
Geoedge
Intel Name:
ScamClub_Malicious_VAST_Attack
Date of Scan:
2024-03-18
Impact:
LOW
Summary:
A recent report details how a threat actor known as ScamClub has shifted to using video malvertising and VAST ads to distribute financial scams. The report analyzes ScamClub’s tactics, which involve exploiting the VAST protocol to embed malicious code in video ads that fingerprint users and redirect them to scam pages. The report highlights how ScamClub has infiltrated numerous ad platforms to reach a broad audience, with a focus on mobile users. It outlines the technical details of the attack flow, from crafting the malicious script to employing obfuscation techniques and evading detection. The report underscores the need for constant scanning of video assets to safeguard inventory and protect audiences.


Source:
https://www.geoedge.com/decoding-scamclubs-malicious-vast-attack

2024-03-18
Malicious_Attacks_on_Global_Government_Institutions
MEDIUM

Intel Source:
Trend Micro
Intel Name:
Malicious_Attacks_on_Global_Government_Institutions
Date of Scan:
2024-03-18
Impact:
MEDIUM
Summary:
Trend Micro researchers have found a malicious actor targeting global government institutions. Exploiting compromised government infrastructure, the group employs two distinct malware families known from Earth Krahang’s attacks. Their analysis also highlights the broad range of the group’s targets and malicious activities, gleaned from telemetry data and exposed server files.


Source:
https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html

2024-03-18
Examining_Latest_DEEP_GOSU_Attack_Campaign
MEDIUM

Intel Source:
Securonix Threat Labs
Intel Name:
Examining_Latest_DEEP_GOSU_Attack_Campaign
Date of Scan:
2024-03-18
Impact:
MEDIUM
Summary:
Securonix researchers have been monitoring a new campaign, identified as DEEP#GOSU, that appears to be connected to the Kimsuky group. It includes both recycled and newly created code and stagers. Although the Kimsuky group has previously targeted South Korean victims, it is clear from the observed tradecraft that the group has switched to a new script-based attack chain that makes use of numerous PowerShell and VBScript stagers in order to covertly infect systems. Through scripts deployed later in the chain, the attackers can monitor keystrokes, the clipboard, and other session activity.


Source:
https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-deepgosu-attack-campaign/

2024-03-18
Hackers_Find_Vulnerable_Networks_by_Using_the_Aiohttp_Bug
LOW

Intel Source:
Cyble
Intel Name:
Hackers_Find_Vulnerable_Networks_by_Using_the_Aiohttp_Bug
Date of Scan:
2024-03-18
Impact:
LOW
Summary:
Researchers at Cyble have discovered that the ransomware actor “ShadowSyndicate” has been seen scanning for servers that could be affected by CVE-2024-23334, a directory traversal vulnerability in the aiohttp Python module. aiohttp is an open-source toolkit designed to handle massively concurrent HTTP requests without the need for conventional thread-based networking. It is built on top of Python’s asyncio asynchronous I/O framework.


Source:
https://cyble.com/blog/cgsi-probes-shadowsyndicate-groups-possible-exploitation-of-aiohttp-vulnerability-cve-2024-23334/

2024-03-18
An_Intimidating_Azorult_Campaign_Operated_Via_Google_Sites
LOW

Intel Source:
Netskope
Intel Name:
An_Intimidating_Azorult_Campaign_Operated_Via_Google_Sites
Date of Scan:
2024-03-18
Impact:
LOW
Summary:
Researchers at Netskope have observed an evasive Azorult campaign that uses a variety of defense evasion techniques, from delivery to execution, in order to steal confidential information without drawing the attention of defenders. This infostealer was initially identified in 2016 and is capable of stealing private data such as browser history, crypto wallet data, and user credentials.


Source:
https://www.netskope.com/blog/from-delivery-to-execution-an-evasive-azorult-campaign-smuggled-through-google-sites

2024-03-18
ObserverStealer_Story_Continues_with_AsukaStealer
LOW

Intel Source:
Any.Run
Intel Name:
ObserverStealer_Story_Continues_with_AsukaStealer
Date of Scan:
2024-03-18
Impact:
LOW
Summary:
AsukaStealer and ObserverStealer are fundamentally similar in that they both use XOR encryption and C2 communication. AsukaStealer distinguishes itself, however, by forgoing external DLL dependencies for data parsing and decryption in favor of server-side processing, which increases stealth and reduces its digital footprint. The malware developers’ intention to improve the stealer based on prior criticism and unfavorable user comments is thought to be the driving force behind the rebranding of ObserverStealer under a different moniker.


Source:
https://any.run/cybersecurity-blog/asukastealer-malware-analysis/#appendix-1-iocs-7288

2024-03-18
Mac_malware_analysis_using_osquery
LOW

Intel Source:
Uptycs
Intel Name:
Mac_malware_analysis_using_osquery
Date of Scan:
2024-03-18
Impact:
LOW
Summary:
This article discusses the use of osquery, an operating system instrumentation framework, for analyzing malware on macOS systems. It describes how malware can use commands like chown and chmod to gain control and persistence on a system. The article also provides a detailed overview of using osquery for malware analysis, including a comparison with sandboxing solutions and a step-by-step guide for analyzing a specific malware, OSX/Dummy. It concludes by highlighting the benefits of using osquery for dynamic malware analysis on macOS and Linux systems.


Source:
https://www.uptycs.com/blog/malware-analysis-using-osquery

2024-03-18
CryptoWire_ransomware_distribution
MEDIUM

Intel Source:
ASEC
Intel Name:
CryptoWire_ransomware_distribution
Date of Scan:
2024-03-18
Impact:
MEDIUM
Summary:
This report provides an analysis of the CryptoWire ransomware, an open-source malware initially spread in 2018 via phishing emails. The malware is written in AutoIt and contains the decryption keys within its code, allowing files to be decrypted without payment. It encrypts files and leaves a ransom note demanding payment, but payment is unnecessary because of the embedded keys.


Source:
https://asec.ahnlab.com/ko/62868/

2024-03-15
Roblox_Users_Targeted_with_Tweaks_Malware
LOW

Intel Source:
Zscaler
Intel Name:
Roblox_Users_Targeted_with_Tweaks_Malware
Date of Scan:
2024-03-15
Impact:
LOW
Summary:
Zscaler’s threat researchers observed a new attack campaign spreading an infostealer called Tweaks that targets Roblox users. Attackers are exploiting platforms like YouTube and Discord to distribute Tweaks to Roblox users, which evades web filter block lists that typically block known malicious servers. Attackers share malicious files disguised as Frames Per Second (FPS) optimization packages with users, who in turn infect their own systems with the Tweaks malware.


Source:
https://www.zscaler.com/blogs/security-research/tweaks-stealer-targets-roblox-users-through-youtube-and-discord

2024-03-15
The_ActiveMQ_Vulnerability_Is_Being_Exploited_by_Messengers
LOW

Intel Source:
Cybereason
Intel Name:
The_ActiveMQ_Vulnerability_Is_Being_Exploited_by_Messengers
Date of Scan:
2024-03-15
Impact:
LOW
Summary:
Researchers from Cybereason have investigated an incident on a Linux server where malicious shell (bash) executions occurred via a Java process running Apache ActiveMQ. ActiveMQ is an open-source message broker used to facilitate communication across disparate servers that may run different operating systems or be written in different languages.


Source:
https://www.cybereason.com/blog/beware-of-the-messengers-exploiting-activemq-vulnerability

2024-03-15
An_increase_in_tax_themed_phishing_emails
LOW

Intel Source:
Esentire
Intel Name:
An_increase_in_tax_themed_phishing_emails
Date of Scan:
2024-03-15
Impact:
LOW
Summary:
This month, eSentire has seen a spike in malware delivered through tax-themed phishing emails. Threat actors are exploiting tax-related lures to trick individuals into opening malicious email links, leading to malware infections. The observed phishing campaigns use tax-themed lures including tax documents, tax returns, and IRS letters. These emails often appear to be sent from legitimate tax authorities or financial institutions and include malicious links leading to malware payloads hosted on attacker-controlled infrastructure.


Source:
https://www.esentire.com/security-advisories/increase-in-tax-themed-email-lure

2024-03-15
The_Chinese_users_targeted_by_infected_text_editors
LOW

Intel Source:
Securelist
Intel Name:
The_Chinese_users_targeted_by_infected_text_editors
Date of Scan:
2024-03-15
Impact:
LOW
Summary:
Securelist analysts discovered two related cases in which modified versions of popular text editors were distributed through a search engine: in the first case, the malicious resource appeared in the advertisement section; in the second, at the top of the search results.


Source:
https://securelist.com/trojanized-text-editor-apps/112167/

2024-03-15
Online_Scam_campaign
LOW

Intel Source:
F1tym1
Intel Name:
Online_Scam_campaign
Date of Scan:
2024-03-15
Impact:
LOW
Summary:
Scammers target mobile phones because they are the most widespread and most heavily used devices. They use subterfuge and scams to steal money, information, and permissions.


Source:
https://f1tym1.com/2024/03/14/online-scam-scams-encountered-on-my-phone/

2024-03-15
DocLink_Defender_prevention_technology
LOW

Intel Source:
Checkpoint
Intel Name:
DocLink_Defender_prevention_technology
Date of Scan:
2024-03-15
Impact:
LOW
Summary:
DocLink Defender leverages the latest in analytical technology to intercept and neutralize malicious documents instantly.


Source:
https://blog.checkpoint.com/security/shield-your-documents-introducing-doclink-defender-for-real-time-malware-blockade/

2024-03-15
A_Fake_Forum_Post_Contamining_GootLoader_Infection
LOW

Intel Source:
PaloAlto
Intel Name:
A_Fake_Forum_Post_Contamining_GootLoader_Infection
Date of Scan:
2024-03-15
Impact:
LOW
Summary:
Researchers at Palo Alto have discovered that another fake forum post links to the GootLoader malware. Since at least 2021, this distribution strategy has shown remarkable consistency.


Source:
https://www.linkedin.com/posts/unit42_gootloader-timelythreatintel-unit42threatintel-ugcPost-7174049165306527746-aeLl?utm_source=share&utm_medium=member_ios

2024-03-15
DarkGate_Operators_Exploit_Microsoft_Windows_SmartScreen_Bypass
MEDIUM

Intel Source:
Trendmicro
Intel Name:
DarkGate_Operators_Exploit_Microsoft_Windows_SmartScreen_Bypass
Date of Scan:
2024-03-15
Impact:
MEDIUM
Summary:
The Zero Day Initiative tracked a DarkGate campaign observed in January 2024 in which DarkGate operators exploited CVE-2024-21412, a campaign it linked to its Water Hydra APT zero-day analysis.


Source:
https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412–darkgate-operators-exploit-microsoft-windows-sma.html

2024-03-15
GhostSec_profile
LOW

Intel Source:
SOCRadar
Intel Name:
GhostSec_profile
Date of Scan:
2024-03-15
Impact:
LOW
Summary:
GhostSec’s primary target is online terrorism and violent extremism, and the group quickly gained recognition for its approach to confronting extremist groups online. The group even alleges that some of its members were employed by government agencies following an alleged meeting with the US government in those years. GhostSec’s initial goal revolved around the somewhat vague aim of disrupting the online presence and communication of terrorist organizations like ISIS (Islamic State of Iraq and Syria) and Al-Qaeda. However, while the group initially appeared neutral in the Israel-Hamas conflict, it later declared its support for Palestine against what it perceived as Israel’s war crimes.


Source:
https://socradar.io/dark-web-profile-ghostsec/

2024-03-15
Exdefacer_Turns_Seller_of_Discord_Stealer_aka_Nikki_Stealer
LOW

Intel Source:
CYFIRMA Research
Intel Name:
Exdefacer_Turns_Seller_of_Discord_Stealer_aka_Nikki_Stealer
Date of Scan:
2024-03-15
Impact:
LOW
Summary:
Researchers from CYFIRMA have discovered that a person formerly well-known for defacing websites has switched to selling a Discord stealer built on the Electron framework, named Nikki Stealer. The latest developments in Nikki Stealer v9 demonstrate how quickly this tool is evolving. Analysis of the Nikki Stealer Discord server’s conversation logs reveals that users are complaining about the tool’s poor detection-evasion rate. Additionally, the stealer’s developer can be seen talking candidly about drug use in the conversation. Remarkable parallels have been noted between Fewer and Nikki Stealer.


Source:
https://media.licdn.com/dms/document/media/D561FAQEHMA1974p3pA/feedshare-document-pdf-analyzed/0/1710500504964?e=1711584000&v=beta&t=eC173BZYgGbUF25DLnBY-AgSTtSwfsTbN2aFuO9xOgE

2024-03-15
A_new_stealer_name_Xehook
MEDIUM

Intel Source:
Cyble
Intel Name:
A_new_stealer_name_Xehook
Date of Scan:
2024-03-15
Impact:
MEDIUM
Summary:
Cyble analysts discovered a new stealer named Xehook in January 2024. Xehook Stealer targets the Windows operating system and is written in .NET. The threat actor claims that this stealer offers dynamic data collection from all Chromium- and Gecko-based browsers, supporting over 110 cryptocurrencies and 2FA extensions.


Source:
https://cyble.com/blog/xehook-stealer-evolution-of-cinoshis-project-targeting-over-100-cryptocurrencies-and-2fa-extensions/

2024-03-15
BunnyLoader_3_analysis
MEDIUM

Intel Source:
Palo Alto
Intel Name:
BunnyLoader_3_analysis
Date of Scan:
2024-03-15
Impact:
MEDIUM
Summary:
Palo Alto Unit 42 shared their analysis of the newly released BunnyLoader 3.0, its infrastructure, and an overview of its capabilities. BunnyLoader is a constantly developing malware with the capability to steal information, credentials, and cryptocurrency, as well as deliver additional malware to its victims. The threat actor behind this malware is known as “Player” or “Player_Bunny.” The buyer determines what malware BunnyLoader delivers. The author of this malware prohibits its use against Russian systems.


Source:
https://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/

2024-03-15
Threat_actors_leverage_document_for_credential_and_session_token_theft
LOW
+

Intel Source:
Cisco Talos
Intel Name:
Threat_actors_leverage_document_for_credential_and_session_token_theft
Date of Scan:
2024-03-15
Impact:
LOW
Summary:
Cisco Talos Incident Response (Talos IR) has observed the ongoing use of legitimate digital document publishing (DDP) sites for phishing, credential theft, and session token theft during recent incident response and threat intelligence engagements.


Source:
https://blog.talosintelligence.com/threat-actors-leveraging-document-publishing-sites/

2024-03-13
Malicious_Advertising_Using_Search_Engines
LOW
+

Intel Source:
Securelist
Intel Name:
Malicious_Advertising_Using_Search_Engines
Date of Scan:
2024-03-13
Impact:
LOW
Summary:
Securelist researchers have observed a rise in malicious campaigns that distribute malware through Google Ads. Two distinct stealers, Rhadamanthys and RedLine, abused the search-engine promotion scheme to infect victims' machines with malicious payloads. Both employ the same method: imitating the websites of popular programs such as Blender 3D and Notepad++.


Source:
https://securelist.com/malvertising-through-search-engines/108996/

2024-03-13
RisePro_Stealer_Is_Aiming_at_Github_Users
MEDIUM
+

Intel Source:
G DATA
Intel Name:
RisePro_Stealer_Is_Aiming_at_Github_Users
Date of Scan:
2024-03-13
Impact:
MEDIUM
Summary:
Researchers at G DATA have found at least 13 GitHub repositories belonging to a RisePro stealer campaign that the threat actors dubbed "gitgub". The repositories look alike and advertise free cracked software in a README.md file. On GitHub, green and red circles are commonly used to indicate the status of automated builds; the gitgub actors inserted four green Unicode circles alongside the current date into their README.md to give an impression of validity and recency.


Source:
https://www.gdatasoftware.com/blog/2024/03/37885-risepro-stealer-campaign-github
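The README pattern in the entry above lends itself to a simple repository triage check. The script below is an added example, not G DATA's tooling or anything from the gitgub campaign: it scores a README on three signals (a run of coloured Unicode circles, a date within the last few days, cracked-software wording) and only flags when all three coincide. The circle set, keyword list, ISO date format and thresholds are assumptions, and both sample READMEs are constructed.

```python
"""Heuristic check for README.md files dressed up as active, passing projects.

Added example, not G DATA's tooling. The circle set, the lure keywords, the
date format and the thresholds are assumptions; tune them to your own data.
"""
import re
from datetime import date

# Coloured Unicode circles used as fake "build status" indicators (assumed set).
CIRCLE_RE = re.compile("[\U0001F7E2\U0001F534\U0001F7E1\U0001F7E0]")
# ISO dates such as 2024-03-13 (assumed format).
ISO_DATE_RE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")
# Wording typical of cracked-software lures (assumed list).
LURE_RE = re.compile(r"\b(crack(?:ed)?|keygen|activator|pre-?activated|free download)\b", re.I)


def score_readme(text: str, today: date, max_age_days: int = 3) -> dict:
    """Return the individual signals plus an overall verdict for one README."""
    circles = len(CIRCLE_RE.findall(text))
    recent_dates = []
    for y, m, d in ISO_DATE_RE.findall(text):
        try:
            stamp = date(int(y), int(m), int(d))
        except ValueError:          # e.g. 2024-13-45 is not a date
            continue
        if 0 <= (today - stamp).days <= max_age_days:
            recent_dates.append(stamp.isoformat())
    lure = bool(LURE_RE.search(text))
    # All three together mimic the gitgub pattern: fake status + "fresh" date + crack lure.
    suspicious = circles >= 3 and bool(recent_dates) and lure
    return {"circles": circles, "recent_dates": recent_dates, "lure": lure, "suspicious": suspicious}


# Constructed sample READMEs (not real repository content).
LURE_README = (
    "# Adobe Photoshop 2024 (cracked, pre-activated)\n"
    "\U0001F7E2 \U0001F7E2 \U0001F7E2 \U0001F7E2 Status: passing 2024-03-13\n"
    "Free download: https://example.invalid/setup.zip (password in archive)\n"
)
BENIGN_README = (
    "# libfoo\n"
    "![build](https://ci.example.invalid/badge.svg)\n"
    "Release 1.4.2 published 2024-03-13, see CHANGELOG.md.\n"
)

if __name__ == "__main__":
    for name, body in (("lure", LURE_README), ("benign", BENIGN_README)):
        print(name, score_readme(body, date(2024, 3, 13)))
```

Run it over the README.md of every repository returned by a code search for a product name plus "crack"; a legitimate project with a real CI badge scores zero circles and is never flagged, while the date check keeps old abandoned lures out of the result set.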

2024-03-13
Multiple_Ongoing_Malvertising_Activities_Used_to_Distribute_FakeBat
LOW
+

Intel Source:
Malwarebytes
Intel Name:
Multiple_Ongoing_Malvertising_Activities_Used_to_Distribute_FakeBat
Date of Scan:
2024-03-13
Impact:
LOW
Summary:
FakeBat malvertising campaigns use two kinds of ad URLs. As in past malvertising efforts, they abuse URL/analytics shorteners, which are well suited to cloaking: the threat actor can select a "good" or "bad" destination URL according to predetermined criteria such as the visitor's IP address, user agent and time of day.


Source:
https://www.malwarebytes.com/blog/threat-intelligence/2024/03/fakebat-delivered-via-several-active-malvertising-campaigns

2024-03-13
Attackers_Using_GitHub_and_AWS_to_Spread_RATs_Through_Phishing_Campaigns
LOW
+

Intel Source:
Fortinet
Intel Name:
Attackers_Using_GitHub_and_AWS_to_Spread_RATs_Through_Phishing_Campaigns
Date of Scan:
2024-03-13
Impact:
LOW
Summary:
FortiGuard Labs discovered a phishing campaign in which attackers use publicly accessible platforms such as GitHub and Amazon Web Services to host malware, which is then delivered by email to start the attack chain and take over compromised systems. The email tricks recipients into opening a high-severity Java downloader that attempts to deploy the well-known STRRAT RAT and a new remote access trojan, VCURMS. Any platform with Java installed is susceptible, and any kind of business can be affected.


Source:
https://www.fortinet.com/blog/threat-research/vcurms-a-simple-and-functional-weapon

2024-03-13
Decoding_Malicious_Scripts_Using_ChatGPT
LOW
+

Intel Source:
ISC.SANS
Intel Name:
Decoding_Malicious_Scripts_Using_ChatGPT
Date of Scan:
2024-03-13
Impact:
LOW
Summary:
Researchers from ISC SANS analyzed a malicious Python script with a low VirusTotal score of 2/61. The script was obfuscated: all of the interesting strings were compressed, Base64-encoded and then hex-encoded.


Source:
https://isc.sans.edu/diary/rss/30740
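The layering described above (compress, then Base64, then hex) can be undone statically. The script below is an added example, not the ISC diary's code: it builds a constructed look-alike script with a harmless stand-in payload, pulls long encoded literals out of it and peels zlib, hex and Base64 layers in whatever order they occur, without ever calling exec. The 64-character literal threshold and the stand-in payload are assumptions.

```python
"""Peel the compression/encoding layers off a string literal without executing it.

Added example, not the diary's code. The obfuscated script below is constructed
here to mirror the described layering (zlib -> Base64 -> hex); the real sample
is not reproduced.
"""
from __future__ import annotations
import base64
import binascii
import re
import zlib

HEX_DIGITS = b"0123456789abcdefABCDEF"
# Long quoted literals made only of Base64/hex characters (assumed threshold of 64 chars).
LITERAL_RE = re.compile(r"[\"']([A-Za-z0-9+/=]{64,})[\"']")


def peel(blob: bytes, max_layers: int = 10) -> tuple[bytes, list[str]]:
    """Strip zlib, hex and Base64 layers in whatever order they occur. Purely static."""
    data = blob
    layers: list[str] = []
    for _ in range(max_layers):
        try:                                    # zlib stream (RFC 1950 header)?
            data = zlib.decompress(data)
            layers.append("zlib")
            continue
        except zlib.error:
            pass
        stripped = data.strip()
        if stripped and len(stripped) % 2 == 0 and all(c in HEX_DIGITS for c in stripped):
            data = binascii.unhexlify(stripped)
            layers.append("hex")
            continue
        try:                                    # strict Base64: non-alphabet bytes raise
            decoded = base64.b64decode(stripped, validate=True)
        except (binascii.Error, ValueError):
            break
        if not decoded:
            break
        data = decoded
        layers.append("base64")
    return data, layers


def deobfuscate_script(source: str) -> list[tuple[bytes, list[str]]]:
    """Find long encoded literals in a script and peel each one."""
    return [peel(lit.encode()) for lit in LITERAL_RE.findall(source)]


# --- constructed sample -------------------------------------------------------
PAYLOAD = b"import os\nos.system('id')  # constructed stand-in for the real next stage\n"


def obfuscate(payload: bytes) -> str:
    """Apply the three layers in the order the diary describes."""
    return binascii.hexlify(base64.b64encode(zlib.compress(payload))).decode()


OBFUSCATED_SCRIPT = (
    "import base64, zlib\n"
    f'exec(zlib.decompress(base64.b64decode(bytes.fromhex("{obfuscate(PAYLOAD)}"))))\n'
)

if __name__ == "__main__":
    for plaintext, layers in deobfuscate_script(OBFUSCATED_SCRIPT):
        print("layers:", " -> ".join(layers))
        print(plaintext.decode(errors="replace"))
```

The order of the three checks matters: a zlib stream is tried first because its header is unambiguous, the hex test runs before Base64 because every hex string is also valid Base64, and the loop stops as soon as a layer fails to decode, so the recovered bytes are always the innermost stage and can be fed back in if the next stage is itself obfuscated.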

2024-03-12
A_Dark_Web_Profile_of_Meow_Ransomware
LOW
+

Intel Source:
SOC Radar
Intel Name:
A_Dark_Web_Profile_of_Meow_Ransomware
Date of Scan:
2024-03-12
Impact:
LOW
Summary:
Four ransomware strains descended from the leaked Conti source code were identified in late 2022; Meow ransomware was one of them. This crypto-ransomware was observed operating from late August and early September 2022 until February 2023, and it ceased in March 2023 after a free decryptor for Meow was released. A separate group calling itself Meow remains active: it started 2024 quickly and has already claimed nine victims, three of them in March 2024 alone. The group appears to use the RaaS model, and the institutions it targets are not insignificant ones.


Source:
https://socradar.io/dark-web-profile-meow-ransomware/

2024-03-12
Operators_Adapt_to_Disruption_as_Ransomware_Attacks_Rise
LOW
+

Intel Source:
Symantec
Intel Name:
Operators_Adapt_to_Disruption_as_Ransomware_Attacks_Rise
Date of Scan:
2024-03-12
Impact:
LOW
Summary:
Although the number of attacks claimed by ransomware operators dropped by just over 20% in the fourth quarter of 2023, ransomware activity is still on the rise. Attackers have continuously refined their tactics, shown that they can react quickly to disruptions and found new ways of infecting victims.


Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-attacks-exploits

2024-03-12
Attacks_on_Crypto_Wallet_Recovery_Passwords_by_Malicious_PyPI_Packages
LOW
+

Intel Source:
Reversing Labs
Intel Name:
Attacks_on_Crypto_Wallet_Recovery_Passwords_by_Malicious_PyPI_Packages
Date of Scan:
2024-03-12
Impact:
LOW
Summary:
Researchers at ReversingLabs discovered a new malicious campaign consisting of seven open-source packages on the Python Package Index (PyPI), with 19 versions in total, the oldest released in December 2022. The campaign aims to steal the mnemonic phrases used to recover lost or destroyed crypto wallets.


Source:
https://www.reversinglabs.com/blog/bipclip-malicious-pypi-packages-target-crypto-wallet-recovery-passwords

2024-03-12
Infostealer_Posing_as_Installer_For_Adobe_Reader
LOW
+

Intel Source:
ASEC
Intel Name:
Infostealer_Posing_as_Installer_For_Adobe_Reader
Date of Scan:
2024-03-12
Impact:
LOW
Summary:
ASEC researchers found an infostealer being distributed while posing as an Adobe Reader installer. The threat actor distributes a PDF file that prompts the recipient to download and execute the fake installer.


Source:
https://asec.ahnlab.com/en/62853/

2024-03-12
SnakeKeylogger_loader_technics_and_tactics
MEDIUM
+

Intel Source:
Splunk
Intel Name:
SnakeKeylogger_loader_technics_and_tactics
Date of Scan:
2024-03-12
Impact:
MEDIUM
Summary:
The Splunk Threat Research Team published a deep dive into the SnakeKeylogger loader and its tactics, techniques and procedures to help security analysts and blue teams recognize and defend against this activity.


Source:
https://www.splunk.com/en_us/blog/security/under-the-hood-of-snakekeylogger-analyzing-its-loader-and-its-tactics-techniques-and-procedures.html

2024-03-11
Malicious_Campagin_Exploiting_Stored_XSS_in_Popup_Builder
LOW
+

Intel Source:
Sucuri
Intel Name:
Malicious_Campagin_Exploiting_Stored_XSS_in_Popup_Builder
Date of Scan:
2024-03-11
Impact:
LOW
Summary:
Attackers are using a known vulnerability in the Popup Builder WordPress plugin to inject malicious code into the Custom JS or CSS section of the WordPress admin interface, which is stored internally in the wp_postmeta database table.


Source:
https://blog.sucuri.net/2024/03/new-malware-campaign-found-exploiting-stored-xss-in-popup-builder-4-2-3.html?web_view=true

2024-03-11
Spread_of_Malware_MSIX_Pretended_to_Be_Notion_Installer
LOW
+

Intel Source:
ASEC
Intel Name:
Spread_of_Malware_MSIX_Pretended_to_Be_Notion_Installer
Date of Scan:
2024-03-11
Impact:
LOW
Summary:
A fake Notion installer is being used to deliver MSIX malware. The distribution website resembles the official Notion homepage. When the user clicks the download button, a file named "Notion-x86.msix" is downloaded; this Windows app installer is signed with a valid certificate. Running the file shows the installer pop-up, and clicking the Install button installs the malware on the system.


Source:
https://asec.ahnlab.com/en/62815/

2024-03-11
The_TeamCity_Exploit_Leads_BianLian_to_Embrace_PowerShell
MEDIUM
+

Intel Source:
GuidePoint Security
Intel Name:
The_TeamCity_Exploit_Leads_BianLian_to_Embrace_PowerShell
Date of Scan:
2024-03-11
Impact:
MEDIUM
Summary:
GuidePoint researchers investigated malicious activity on a client's network. The threat actor gained initial access by exploiting a vulnerable TeamCity server (CVE-2024-27198 / CVE-2023-42793). Within TeamCity, the actor created users and executed malicious commands under the service account associated with the TeamCity product.


Source:
https://www.guidepointsecurity.com/blog/bianlian-gos-for-powershell-after-teamcity-exploitation/

2024-03-11
A_New_Phishing_Attack_Targeting_Dropbox
LOW
+

Intel Source:
Darktrace
Intel Name:
A_New_Phishing_Attack_Targeting_Dropbox
Date of Scan:
2024-03-11
Impact:
LOW
Summary:
Darktrace researchers have alerted users to a new phishing and malspam campaign that uses Dropbox emails to target users of well-known Software-as-a-Service (SaaS) platforms. According to the research, a recent phishing attempt abusing Dropbox succeeded in bypassing multi-factor authentication (MFA) safeguards. The attack seeks to expose login credentials by tricking users into downloading malware.


Source:
https://darktrace.com/blog/legitimate-services-malicious-intentions-getting-the-drop-on-phishing-attacks-abusing-dropbox

2024-03-08
Magnet_Goblin_Uses_1_Day_Vulnerabilities_to_Target_Publicly_Facing_Servers
MEDIUM
+

Intel Source:
Checkpoint
Intel Name:
Magnet_Goblin_Uses_1_Day_Vulnerabilities_to_Target_Publicly_Facing_Servers
Date of Scan:
2024-03-08
Impact:
MEDIUM
Summary:
Magnet Goblin, a financially motivated threat actor, rapidly adopts and exploits one-day vulnerabilities in publicly accessible services as its infection vector. In one instance involving Ivanti Connect Secure VPN (CVE-2024-21887), the exploit was added to the group's toolkit less than a day after a proof of concept was published.


Source:
https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/

2024-03-08
Compromised_Supply_Chain_and_Sophisticated_Toolkit_Exposed
LOW
+

Intel Source:
ESET
Intel Name:
Compromised_Supply_Chain_and_Sophisticated_Toolkit_Exposed
Date of Scan:
2024-03-08
Impact:
LOW
Summary:
ESET researchers identified a cyberespionage campaign directed at Tibetans across various regions. The threat actors deployed downloaders, droppers, and backdoors, such as the exclusive MgBot and the recently added Nightdoor, targeting networks in East Asia. Additionally, the attackers compromised the supply chain of a Tibetan language translation app developer.


Source:
https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/

2024-03-08
An_emerging_information_stealing_Project_trojan
LOW
+

Intel Source:
Inquest
Intel Name:
An_emerging_information_stealing_Project_trojan
Date of Scan:
2024-03-08
Impact:
LOW
Summary:
The article discusses the emergence of a new trojan called Planet Stealer, which is designed to steal sensitive information from victim hosts. It is written in Go and is being sold in underground forums. This type of information-stealing malware is in high demand among financially motivated criminals, indicating a thriving market for such tools.


Source:
https://inquest.net/blog/around-we-go-planet-stealer-emerges/

2024-03-08
Navigating_the_tax_season_global_surge
MEDIUM
+

Intel Source:
Cisco Talos
Intel Name:
Navigating_the_tax_season_global_surge
Date of Scan:
2024-03-08
Impact:
MEDIUM
Summary:
As tax deadlines approach globally, individuals and businesses must be vigilant against an increase in tax-related scams and ransomware attacks. Scammers exploit this period to launch sophisticated phishing campaigns, aiming to steal personal information, financial data, or directly extract money through deceit. Notably, the collaboration between ransomware groups GhostSec and Stormous has marked a significant rise in ransomware threats, including the deployment of the STMX_GhostLocker ransomware-as-a-service.


Source:
https://blog.talosintelligence.com/threat-source-newsletter-march-7-2024/

2024-03-08
New_Fakext_Malware_Targeting_Latin_American_Banks
LOW
+

Intel Source:
Security Intelligence
Intel Name:
New_Fakext_Malware_Targeting_Latin_American_Banks
Date of Scan:
2024-03-08
Impact:
LOW
Summary:
IBM security researchers have discovered a new, widely distributed malware called Fakext which leverages a malicious Edge plugin to launch web-injection and man-in-the-browser attacks. Over 35,000 infected sessions have been seen by researchers since November 2023; the majority of these sessions originate from Latin America (LATAM), with a lesser proportion from North America and Europe.


Source:
https://securityintelligence.com/posts/fakext-targeting-latin-american-banks/

2024-03-07
Beware_of_Malware_Delivering_Spoofing_Websites
LOW
+

Intel Source:
Zscaler
Intel Name:
Beware_of_Malware_Delivering_Spoofing_Websites
Date of Scan:
2024-03-07
Impact:
LOW
Summary:
Researchers at Zscaler have identified a threat actor that creates fake websites for Zoom, Google Meet and Skype in order to distribute malware. The threat actor infects Windows users with NjRAT and DCRat and distributes SpyNote RAT to Android users. By using shared web hosting, the attacker hosted all of these fake online meeting sites under a single IP address. The fake websites were all in Russian, and the attackers used URLs that closely resembled those of the real sites.


Source:
https://www.zscaler.com/blogs/security-research/android-and-windows-rats-distributed-online-meeting-lures

2024-03-06
A_Thorough_Examination_of_I_SOONs_Commercial_Offering
LOW
+

Intel Source:
Harfanglab
Intel Name:
A_Thorough_Examination_of_I_SOONs_Commercial_Offering
Date of Scan:
2024-03-06
Impact:
LOW
Summary:
I-Soon's business proposals indicate that its main challenge is processing the data it gathers, not gaining initial access to targets. Its products use deep learning to classify and sort stolen documents. The company appears to have difficulty developing malware and mostly relies on rudimentary techniques such as phishing, yet over the past ten years it has compromised numerous strategic targets around the world.


Source:
https://harfanglab.io/en/insidethelab/isoon-leak-analysis/

2024-03-06
The_DDoSia_Project_of_NoName057_16
LOW
+

Intel Source:
Sekoia
Intel Name:
The_DDoSia_Project_of_NoName057_16
Date of Scan:
2024-03-06
Impact:
LOW
Summary:
Since the start of the conflict in Ukraine, a number of organizations dubbed “nationalist hacktivists” have surfaced, mostly on the Russian side, to fuel hostilities between Moscow and Kyiv. Of these organizations, the pro-Russian group NoName057(16) has gained notoriety for starting Project DDoSia, a group effort to launch massive distributed denial-of-service (DDoS) attacks against organizations (private companies, government agencies, and state institutions) that are part of nations that back Ukraine, primarily NATO members.


Source:
https://blog.sekoia.io/noname05716-ddosia-project-2024-updates-and-behavioural-shifts

2024-03-06
The_fake_video_connected_to_Russian_cyberscam_network
MEDIUM
+

Intel Source:
Qurium
Intel Name:
The_fake_video_connected_to_Russian_cyberscam_network
Date of Scan:
2024-03-06
Impact:
MEDIUM
Summary:
A deep fake video of Maria Ressa promoting a crypto-currency scam was released in early February 2024. The video was hosted on a domain that contained links to a Russian cyberscam network. Metadata analysis revealed Russian influence behind the creation of the deep fake and fake news articles designed to discredit Ressa.


Source:
https://www.qurium.org/alerts/philippines/deep-fake-video-of-maria-ressa-connected-to-cyberscam-network-in-russia/

2024-03-06
Distributed_WordPress_Brute_Force_Attack
MEDIUM
+

Intel Source:
Sucuri
Intel Name:
Distributed_WordPress_Brute_Force_Attack
Date of Scan:
2024-03-06
Impact:
MEDIUM
Summary:
The article discusses a recent attack on WordPress websites in which infected sites are used to launch a distributed brute-force attack that guesses passwords for third-party sites; valid credentials are uploaded in encrypted form for the attackers to retrieve later. The article provides statistics and mitigation tips, describes the different stages of the attack, and notes a related development in website hacks involving Web3 crypto wallet drainers. It concludes by offering assistance to those who believe their website may be infected.


Source:
https://blog.sucuri.net/2024/03/from-web3-drainer-to-distributed-wordpress-brute-force-attack.html
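A distributed brute force of this shape looks different in access logs from a single-source one: many client IPs, a handful of login POSTs each, all inside a short window. The script below is an added example, not Sucuri's code: it parses combined-format access log lines, buckets login POSTs into fixed windows and flags both shapes. The log lines are constructed, and the endpoints (/wp-login.php, /xmlrpc.php), window size and thresholds are assumptions.

```python
"""Spot a distributed WordPress login brute force in web server access logs.

Added example, not Sucuri's tooling. The log lines are constructed; the
endpoints (/wp-login.php, /xmlrpc.php), window size and thresholds are assumptions.
"""
from __future__ import annotations
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}   # assumed WordPress login endpoints


def parse_line(line: str) -> dict | None:
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
        "ua": m["ua"],
    }


def detect_login_storms(lines, window=timedelta(minutes=5), min_ips=10, max_per_ip=3, single_ip_limit=20):
    """Group login POSTs into fixed time windows and flag two shapes of brute force:
    many IPs with few attempts each (distributed, as in the entry above) and one IP hammering."""
    buckets: dict[tuple[str, int], Counter] = defaultdict(Counter)
    win = int(window.total_seconds())
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"] in LOGIN_PATHS:
            slot = int(ev["ts"].timestamp()) // win
            buckets[(ev["path"], slot)][ev["ip"]] += 1
    alerts = []
    for (path, slot), per_ip in sorted(buckets.items()):
        start = datetime.fromtimestamp(slot * win, tz=timezone.utc).isoformat()
        if len(per_ip) >= min_ips and max(per_ip.values()) <= max_per_ip:
            alerts.append({"kind": "distributed", "path": path, "window_start": start,
                           "distinct_ips": len(per_ip), "requests": sum(per_ip.values())})
        elif max(per_ip.values()) >= single_ip_limit:
            ip, n = per_ip.most_common(1)[0]
            alerts.append({"kind": "single-source", "path": path, "window_start": start,
                           "ip": ip, "requests": n})
    return alerts


def constructed_log() -> list[str]:
    """Twelve 'visitor' IPs (TEST-NET-3), two XML-RPC POSTs each within three minutes, plus normal traffic."""
    t0 = datetime(2024, 3, 6, 10, 0, 0, tzinfo=timezone.utc)

    def fmt(t: datetime) -> str:
        return t.strftime("%d/%b/%Y:%H:%M:%S %z")

    ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/123.0"
    lines, k = [], 0
    for i in range(1, 13):
        for _ in range(2):
            lines.append(f'203.0.113.{i} - - [{fmt(t0 + timedelta(seconds=7 * k))}] '
                         f'"POST /xmlrpc.php HTTP/1.1" 200 403 "-" "{ua}"')
            k += 1
    lines.append(f'198.51.100.7 - - [{fmt(t0 + timedelta(seconds=70))}] '
                 f'"POST /wp-login.php HTTP/1.1" 302 0 "https://blog.example.invalid/wp-login.php" "{ua}"')
    lines.append(f'198.51.100.8 - - [{fmt(t0 + timedelta(seconds=95))}] '
                 f'"GET /?p=42 HTTP/1.1" 200 5120 "-" "{ua}"')
    return lines


if __name__ == "__main__":
    for alert in detect_login_storms(constructed_log()):
        print(alert)
```

Per-IP rate limiting on its own does not catch this pattern, which is why the distributed branch keys on the number of distinct sources per window rather than on any single source's volume; the single admin login from a second address is left alone.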

2024-03-06
Attackers_still_abusing_Terminator_tool_and_variants
MEDIUM
+

Intel Source:
Sophos, GitHub
Intel Name:
Attackers_still_abusing_Terminator_tool_and_variants
Date of Scan:
2024-03-06
Impact:
MEDIUM
Summary:
A threat intelligence report describes how threat actors continue to abuse vulnerable drivers such as Zemana Anti-Logger and Zemana Anti-Malware to disable security products in Bring Your Own Vulnerable Driver (BYOVD) attacks. Variants of the Terminator tool, which exploits these drivers, are still observed in the wild. The actors use the drivers for lateral movement and privilege escalation as part of ransomware campaigns targeting healthcare and other industries.


Source:
https://news.sophos.com/en-us/2024/03/04/itll-be-back-attackers-still-abusing-terminator-tool-and-variants/
https://github.com/sophoslabs/IoCs/blob/master/Zemana-driver-IoCs.csv

2024-03-06
TA4903_Using_Phishing_Attack_on_US_Government_and_Small_Businesses
MEDIUM
+

Intel Source:
Proofpoint
Intel Name:
TA4903_Using_Phishing_Attack_on_US_Government_and_Small_Businesses
Date of Scan:
2024-03-06
Impact:
MEDIUM
Summary:
Proofpoint researchers observed a rise in credential phishing and fraud campaigns from TA4903 in mid-2023 and early 2024 that use themes other than US government spoofing. The actor began spoofing small and medium-sized businesses (SMBs) across a range of sectors, including manufacturing, energy, finance, food and beverage, and construction. Proofpoint also notes an increase in BEC themes, such as "cyberattack" lures used to entice victims into divulging banking and payment information.


Source:
https://www.proofpoint.com/us/blog/threat-insight/ta4903-actor-spoofs-us-government-small-businesses-phishing-bec-bids

2024-03-06
WebLogic_Server_Exploited_by_z0Miner
LOW
+

Intel Source:
ASEC
Intel Name:
WebLogic_Server_Exploited_by_z0Miner
Date of Scan:
2024-03-06
Impact:
LOW
Summary:
ASEC researchers have observed multiple cases of threat actors targeting vulnerable Korean servers. The report describes a recent attack on Korean WebLogic servers by the threat actor "z0Miner".


Source:
https://asec.ahnlab.com/en/62564/

2024-03-06
New_Lighter_Ransomware_Targeting_Individuals_in_UK_and_US
MEDIUM
+

Intel Source:
Cyfirma Research
Intel Name:
New_Lighter_Ransomware_Targeting_Individuals_in_UK_and_US
Date of Scan:
2024-03-06
Impact:
MEDIUM
Summary:
Cyfirma researchers identified a new malware developed by the Lighter Extortion group, which they named Lighter. It is an uncommon case of triple extortion: in addition to encrypting and exfiltrating data, the threat actors threaten the victim if the ransom is not paid. Based on the ransom note, the actors are likely to target individuals in the US and the UK.


Source:
https://www.linkedin.com/posts/cyfirma-research-6a8073245_our-researcher-kaush%C3%ADk-pa%C5%82-discovered-a-new-activity-7171078602367594496-4w2G?utm_source=li_share&utm_content=feedcontent&utm_medium=g_dt_web&utm_campaign=copy

2024-03-06
The_Spinning_Yarn_Linux_Malware_Campaign_Targeting_Misconfigured_Servers
MEDIUM
+

Intel Source:
Cado Security
Intel Name:
The_Spinning_Yarn_Linux_Malware_Campaign_Targeting_Misconfigured_Servers
Date of Scan:
2024-03-06
Impact:
MEDIUM
Summary:
Researchers at Cado Security Labs discovered a new malware campaign targeting misconfigured servers hosting web-facing services, including Redis, Docker, Apache Hadoop YARN and Confluence. The campaign uses several unique, previously unreported payloads, including four Golang binaries that automate the discovery and infection of hosts running these services. Exploiting common misconfigurations and an n-day vulnerability, the attackers use these tools to achieve Remote Code Execution (RCE) and infect new hosts.


Source:
https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/

2024-03-06
Diving_Deep_into_Earth_Kapre_Group
LOW
+

Intel Source:
Trend Micro
Intel Name:
Diving_Deep_into_Earth_Kapre_Group
Date of Scan:
2024-03-06
Impact:
LOW
Summary:
Trend Micro researchers investigated Earth Kapre, also known as RedCurl and Red Wolf. The investigation uncovered the intrusion set Earth Kapre used in a recent incident and shows how the team used threat intelligence to link the extracted evidence to this cyberespionage group.


Source:
https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html

2024-03-06
Examining_Infrastructure_That_8Base_Using_in_Relation_to_Phobos_Ransomware
MEDIUM
+

Intel Source:
Intel-Ops
Intel Name:
Examining_Infrastructure_That_8Base_Using_in_Relation_to_Phobos_Ransomware
Date of Scan:
2024-03-06
Impact:
MEDIUM
Summary:
Intel-Ops is actively monitoring infrastructure attributed to the 8Base ransomware group, which operates the Phobos ransomware. Phobos is believed to run as a Ransomware-as-a-Service (RaaS), with a dispersed set of affiliates sharing very similar TTPs and several variants (Eking, Eight, Elbie, Devos and Faust).


Source:
https://medium.com/@Intel_Ops/phobos-ransomware-analysing-associated-infrastructure-used-by-8base-646560302a8d

2024-03-05
A_surge_of_new_GhostLocker_2_ransomware_by_GhostSec_threat_group
MEDIUM
+

Intel Source:
Cisco Talos
Intel Name:
A_surge_of_new_GhostLocker_2_ransomware_by_GhostSec_threat_group
Date of Scan:
2024-03-05
Impact:
MEDIUM
Summary:
The article discusses the evolution and joint operation of GhostSec and Stormous, two hacking groups that have collaborated to conduct double extortion attacks using the GhostLocker and StormousX ransomware programs. It provides details on the various versions of GhostLocker, its C2 panels, and the features provided to affiliates. The article also mentions two new tools in GhostSec’s arsenal, the GhostSec Deep Scan toolset and GhostPresser, which are used for scanning and attacking legitimate websites. It discusses the groups’ focus on raising funds for hacktivists and threat actors and their new ransomware-as-a-service program. The article also provides information on the capabilities of GhostPresser, a tool used to target WordPress websites, and how Cisco Secure Endpoint and other Cisco products can prevent the execution of this malware. It also includes a list of indicators associated with this threat.


Source:
https://blog.talosintelligence.com/ghostsec-ghostlocker2-ransomware/

2024-03-05
An_Extremely_Harmful_Malware_WinDestroyer
LOW
+

Intel Source:
Cyfirma Research
Intel Name:
An_Extremely_Harmful_Malware_WinDestroyer
Date of Scan:
2024-03-05
Impact:
LOW
Summary:
Researchers from CYFIRMA have discovered WinDestroyer, a highly destructive malware. It does not demand a ransom, indicating that it is not financially motivated. This advanced threat uses sophisticated tactics to render systems unusable, including lateral movement capabilities, API hammering and DLL reload attacks.


Source:
https://www.linkedin.com/posts/cyfirma-research-6a8073245_windestroyer-and-its-origin-activity-7170733140540346368-Rmvc?utm_source=li_share&utm_content=feedcontent&utm_medium=g_dt_web&utm_campaign=copy

2024-03-05
Remcos_RAT_and_Agent_Tesla_Deployed_by_Stego_Campaign
LOW
+

Intel Source:
Cyfirma
Intel Name:
Remcos_RAT_and_Agent_Tesla_Deployed_by_Stego_Campaign
Date of Scan:
2024-03-05
Impact:
LOW
Summary:
Cyfirma researchers have discovered a campaign that uses template injection in a Microsoft Office document to bypass standard email security safeguards. Opening the document triggers a multi-stage attack that downloads and executes scripts and ultimately deploys Agent Tesla and the Remcos Remote Access Trojan (RAT).


Source:
https://www.cyfirma.com/outofband/exploiting-document-templates-stego-campaign-deploying-remcos-rat-and-agent-tesla/

2024-03-05
New_variant_of_SupermanMiner_mining_malware
LOW
+

Intel Source:
Cert.360
Intel Name:
New_variant_of_SupermanMiner_mining_malware
Date of Scan:
2024-03-05
Impact:
LOW
Summary:
A new variant of the SupermanMiner cryptocurrency mining malware has been active for over 2 years, using techniques like vulnerability exploitation, SSH brute force, web shell injection and others to infect systems. It has evolved into multiple new branches, with heavy obfuscation and complex persistence mechanisms, posing a serious threat. Users should apply security patches, use strong passwords, and limit external access to prevent infection.


Source:
https://cert.360.cn/warning/detail?id=65deee7fc09f255b91b17e0f

2024-03-05
CHAVECLOAKS_Targeting_Brazilians_via_Malicious_PDFs
MEDIUM
+

Intel Source:
Fortinet
Intel Name:
CHAVECLOAKS_Targeting_Brazilians_via_Malicious_PDFs
Date of Scan:
2024-03-05
Impact:
MEDIUM
Summary:
Fortinet researchers have found CHAVECLOAK, a high-severity banking trojan that targets Brazilian bank customers. The malware targets Windows devices and gains access to online banking services, stealing financial data and banking credentials.


Source:
https://www.fortinet.com/blog/threat-research/banking-trojan-chavecloak-targets-brazil

2024-03-05
The_security_threats_from_malicious_machine_learning_models
LOW
+

Intel Source:
NS Focus Global
Intel Name:
The_security_threats_from_malicious_machine_learning_models
Date of Scan:
2024-03-05
Impact:
LOW
Summary:
The article discusses the potential security threats posed by malicious machine learning (ML) models on the Hugging Face platform. It provides background information on a recent report that found some ML models on Hugging Face may be used to attack the user environment, leading to code execution and providing attackers with full control of the infected machine. The affected models, specifically the baller423/goober2 model, are discussed in detail, along with a technical analysis of how they work and how they can be loaded and executed. The article also highlights the potential risks associated with PyTorch and Tensorflow models. It concludes with mitigation methods, such as using Hugging Face’s new format Safetensors and implementing security measures like malware and Pickle scanning. The article emphasizes the importance of thorough scrutiny and safety measures when dealing with ML models from untrusted sources and the urgency of AI model security.


Source:
https://nsfocusglobal.com/ai-supply-chain-security-hugging-face-malicious-ml-models/
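Pickle scanning of the kind mentioned above can be done statically by walking the opcode stream rather than unpickling. The script below is an added example, not Hugging Face's scanner or NSFocus's code: it lists every module/attribute a pickle would import, flags a small assumed set of dangerous ones, and unwraps the zip layout of a PyTorch checkpoint to reach the pickle inside. The malicious sample is constructed by pickling a class whose __reduce__ points at os.system and is never loaded; the dangerous-import list, the checkpoint layout and the memo tracking are simplifications.

```python
"""Static scan of pickle-based model files for dangerous imports, without loading them.

Added example, not Hugging Face's scanner or NSFocus's code. The malicious pickle is
constructed here by pickling a class whose __reduce__ points at os.system; it is never
unpickled. The dangerous-import list and the memo tracking are simplifications.
"""
from __future__ import annotations
import io
import os
import pickle
import pickletools
import zipfile

# (module, name) pairs that have no business in a weights file (assumed list, extend as needed).
DANGEROUS = {
    ("os", "system"), ("posix", "system"), ("nt", "system"),
    ("subprocess", "Popen"), ("subprocess", "run"), ("subprocess", "check_output"),
    ("builtins", "exec"), ("builtins", "eval"), ("builtins", "__import__"),
    ("__builtin__", "exec"), ("__builtin__", "eval"),
    ("runpy", "run_path"), ("socket", "socket"), ("webbrowser", "open"),
}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "BINUNICODE8", "SHORT_BINUNICODE"}


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Collect every (module, name) the pickle would import: GLOBAL (protocol <= 3) and
    STACK_GLOBAL (protocol 4+). Strings and memo slots are tracked just enough to resolve
    STACK_GLOBAL operands; non-string values are not modelled (simplification)."""
    refs: list[tuple[str, str]] = []
    strings: list[str] = []          # string constants in push order
    memo: dict[int, str] = {}
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name == "GLOBAL":
            module, attr = arg.split(" ", 1)
            refs.append((module, attr))
        elif name in STRING_OPS:
            strings.append(arg)
        elif name == "MEMOIZE":      # memo[len(memo)] = top of stack
            memo[len(memo)] = strings[-1] if strings else ""
        elif name in ("BINPUT", "LONG_BINPUT", "PUT"):
            if strings:
                memo[int(arg)] = strings[-1]
        elif name in ("BINGET", "LONG_BINGET", "GET"):
            if int(arg) in memo:
                strings.append(memo[int(arg)])
        elif name == "STACK_GLOBAL":  # pops name, then module
            if len(strings) >= 2:
                refs.append((strings[-2], strings[-1]))
    return refs


def scan_pickle(data: bytes) -> dict:
    try:
        refs = referenced_globals(data)
    except Exception as exc:         # truncated, or not a pickle at all
        return {"globals": [], "dangerous": [], "verdict": "unparseable", "error": str(exc)}
    bad = [r for r in refs if r in DANGEROUS]
    return {"globals": refs, "dangerous": bad, "verdict": "malicious" if bad else "clean"}


def scan_model_file(data: bytes) -> dict:
    """PyTorch .pt/.pth checkpoints are zip archives whose data.pkl is a pickle (assumed layout)."""
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = {n: scan_pickle(zf.read(n)) for n in zf.namelist() if n.endswith(".pkl")}
        verdict = "malicious" if any(m["verdict"] == "malicious" for m in members.values()) else "clean"
        return {"container": "zip", "members": members, "verdict": verdict}
    return {"container": "pickle", **scan_pickle(data)}


# --- constructed samples (never unpickled) -----------------------------------
class Exploit:
    """Reduce hook that would make unpickling call os.system; used only to produce bytes."""
    def __reduce__(self):
        return (os.system, ("echo pwned",))


MALICIOUS_PICKLE = pickle.dumps(Exploit(), protocol=4)   # STACK_GLOBAL form
MALICIOUS_LEGACY = pickle.dumps(Exploit(), protocol=2)   # GLOBAL form
BENIGN_PICKLE = pickle.dumps({"layer1.weight": [0.1, -0.2, 0.3], "epoch": 7}, protocol=4)


def fake_checkpoint(payload: bytes) -> bytes:
    """Wrap a pickle in a zip the way a PyTorch checkpoint is laid out (assumed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("model/data.pkl", payload)
        zf.writestr("model/version", "3\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PICKLE), ("malicious", MALICIOUS_PICKLE),
                        ("checkpoint", fake_checkpoint(MALICIOUS_LEGACY))):
        print(label, scan_model_file(blob)["verdict"])
```

The scan never executes the pickle, so it is safe to run on untrusted downloads; a deny-list like this catches the common os/subprocess/builtins tricks but not every callable, which is why the summary's other mitigation, preferring Safetensors (a format with no code-execution path) over pickle for distribution, is the stronger control.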

2024-03-05
A_novel_backdoor_GTPDOOR
LOW
+

Intel Source:
Double Agent
Intel Name:
A_novel_backdoor_GTPDOOR
Date of Scan:
2024-03-05
Impact:
LOW
Summary:
GTPDOOR is Linux malware that communicates C2 traffic over GTP-C signaling messages, blending in with normal telco traffic. It can execute commands sent in GTP echo requests and probe hosts covertly via TCP packets. Versions target x86 and i386 architectures.


Source:
https://doubleagent.net/telecommunications/backdoor/gtp/2024/02/27/GTPDOOR-COVERT-TELCO-BACKDOOR
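Because a legitimate GTPv1-C Echo Request carries no information elements other than an optional Private Extension, a backdoor that tunnels commands in Echo Requests stands out structurally even though the traffic blends in at the port and message-type level. The script below is an added example, not the Double Agent analysis or GTPDOOR code: it parses GTPv1-C headers and IEs and flags Echo Requests whose body is anything else. All packets are constructed; the TV length table is a small subset of TS 29.060, and treating any non-standard Echo Request body as suspicious is a detection assumption rather than a description of GTPDOOR's exact wire format.

```python
"""Parse GTPv1-C headers and flag Echo Requests that carry an unexpected payload.

Added example, not the original analysis or GTPDOOR code. Packets below are constructed;
the parser covers GTPv1-C only (3GPP TS 29.060 header layout), the TV-type length table
is a small subset, and flagging any non-standard Echo Request body is a detection assumption.
"""
from __future__ import annotations
import struct

GTPC_PORT = 2123                      # UDP port for GTP-C signalling
ECHO_REQUEST, ECHO_RESPONSE = 1, 2
TV_LENGTHS = {1: 1, 2: 8, 14: 1, 16: 4, 17: 4}   # fixed-length IE types < 128 (subset)
PRIVATE_EXTENSION = 255               # the only IE an Echo Request may legitimately carry


def build_gtpv1c(msg_type: int, body: bytes = b"", seq: int | None = None, teid: int = 0) -> bytes:
    """Assemble a GTPv1-C PDU (used here only to construct samples)."""
    flags, opt = 0x30, b""            # version=1, PT=1 (GTP, not GTP')
    if seq is not None:
        flags |= 0x02                 # S flag: seq(2) npdu(1) next-ext(1) follow the header
        opt = struct.pack("!HBB", seq, 0, 0)
    return struct.pack("!BBHI", flags, msg_type, len(opt) + len(body), teid) + opt + body


def parse_gtpv1c(pkt: bytes) -> dict:
    if len(pkt) < 8:
        raise ValueError("short packet")
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1:
        raise ValueError(f"GTP version {flags >> 5}, not v1")
    if not flags & 0x10:
        raise ValueError("PT=0: GTP' (charging), not GTP-C")
    offset, seq = 8, None
    if flags & 0x07:                  # any of E/S/PN set -> 4 optional header bytes
        if len(pkt) < 12:
            raise ValueError("truncated optional header")
        seq, offset = struct.unpack("!H", pkt[8:10])[0], 12
    if 8 + length > len(pkt):
        raise ValueError("length field exceeds packet")
    return {"msg_type": msg_type, "teid": teid, "seq": seq, "body": pkt[offset:8 + length]}


def parse_ies(body: bytes) -> list[tuple[int, bytes]] | None:
    """Split a body into (type, value) IEs; None if it is not a well-formed IE sequence."""
    ies, i = [], 0
    while i < len(body):
        t = body[i]
        if t < 128:                   # TV format: fixed length from the table
            n = TV_LENGTHS.get(t)
            if n is None or i + 1 + n > len(body):
                return None
            ies.append((t, body[i + 1:i + 1 + n]))
            i += 1 + n
        else:                         # TLV format: type(1) length(2) value
            if i + 3 > len(body):
                return None
            n = struct.unpack("!H", body[i + 1:i + 3])[0]
            if i + 3 + n > len(body):
                return None
            ies.append((t, body[i + 3:i + 3 + n]))
            i += 3 + n
    return ies


def classify(pkt: bytes) -> dict:
    """Verdict for one GTP-C datagram: 'ok', 'suspicious' (with reason) or 'unparsed'."""
    try:
        hdr = parse_gtpv1c(pkt)
    except ValueError as exc:
        return {"verdict": "unparsed", "reason": str(exc)}
    if hdr["msg_type"] != ECHO_REQUEST or not hdr["body"]:
        return {"verdict": "ok", "msg_type": hdr["msg_type"]}
    ies = parse_ies(hdr["body"])
    if ies is None:
        return {"verdict": "suspicious", "reason": f"echo request with {len(hdr['body'])} opaque payload bytes"}
    extra = [t for t, _ in ies if t != PRIVATE_EXTENSION]
    if extra:
        return {"verdict": "suspicious", "reason": f"echo request carrying IE types {extra}"}
    return {"verdict": "ok", "msg_type": ECHO_REQUEST, "private_extension": True}


def sweep(datagrams: list[tuple[str, int, bytes]]) -> list[dict]:
    """Run classify() over (src_ip, dst_port, payload) tuples seen on the signalling network."""
    alerts = []
    for src, dport, payload in datagrams:
        if dport == GTPC_PORT:
            verdict = classify(payload)
            if verdict["verdict"] == "suspicious":
                alerts.append({"src": src, **verdict})
    return alerts


# --- constructed samples ------------------------------------------------------
BENIGN_ECHO_REQ = build_gtpv1c(ECHO_REQUEST, seq=0x0001)
BENIGN_ECHO_RESP = build_gtpv1c(ECHO_RESPONSE, body=bytes([14, 0x05]), seq=0x0001)   # Recovery IE
SUSPICIOUS_ECHO_REQ = build_gtpv1c(ECHO_REQUEST, body=b"constructed-magic:cmd=id\x00", seq=0x0002)
NOT_V1 = bytes([0x40, 1, 0, 4, 0, 0, 1, 0])   # GTPv2 Echo Request header (version bits = 2)

if __name__ == "__main__":
    for a in sweep([("10.0.0.5", GTPC_PORT, BENIGN_ECHO_REQ), ("10.0.0.5", GTPC_PORT, BENIGN_ECHO_RESP),
                    ("198.51.100.9", GTPC_PORT, SUSPICIOUS_ECHO_REQ)]):
        print(a["src"], a["reason"])
```

On a GRX/IPX-facing capture this check is cheap enough to run on every UDP/2123 datagram; the Recovery-IE echo response is deliberately left alone because that is what peers normally exchange, while an Echo Request carrying Recovery or any opaque bytes is exactly the structural anomaly a command channel hidden in keepalives would produce.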

2024-03-05
WogRAT_Malware_Exploiting_aNotepad
LOW
+

Intel Source:
ASEC
Intel Name:
WogRAT_Malware_Exploiting_aNotepad
Date of Scan:
2024-03-05
Impact:
LOW
Summary:
Researchers from ASEC have found that backdoor malware is distributed using the free online notepad tool aNotepad. Both the PE format, which targets Windows systems, and the ELF format, which targets Linux systems, are supported by said malware. The malware is categorized as WogRAT since the threat actor uses the string “WingOfGod” when creating it.


Source:
https://asec.ahnlab.com/en/62446/

2024-03-04
New_Wave_of_SocGholish_Infections
LOW
+

Intel Source:
Sucuri
Intel Name:
New_Wave_of_SocGholish_Infections
Date of Scan:
2024-03-04
Impact:
LOW
Summary:
The article discusses a new wave of SocGholish malware infections targeting WordPress websites. Malicious plugins uploaded to compromised sites contain code that injects SocGholish payloads into the site; the article gives examples of different plugins modified to carry this code and explains how it executes. It also names the TDS domains hosting the SocGholish scripts and their recent registration dates, notes the similarities between the criminal organizations behind such attacks and ordinary IT companies, and describes the techniques used by the attackers, such as "domain shadowing" and gaining access through compromised credentials. It urges website owners to keep their sites secure, offers tips for preventing the distribution of malware, warns visitors against clicking suspicious links or downloading software updates from unofficial sources, and offers assistance to those who may have fallen victim.


Source:
https://blog.sucuri.net/2024/03/new-wave-of-socgholish-infections-impersonates-wordpress-plugins.html

2024-03-04
A_Multistage_Ransomware_Attack_Using_RA_World
MEDIUM
+

Intel Source:
Trend Micro
Intel Name:
A_Multistage_Ransomware_Attack_Using_RA_World
Date of Scan:
2024-03-04
Impact:
MEDIUM
Summary:
Researchers at Trend Micro have discovered a multi-stage attack known as RA World, which is aimed against multiple healthcare organizations in the Latin American region. The attack’s goal is to maximize the group’s operational impact and success.


Source:
https://www.trendmicro.com/en_us/research/24/c/multistage-ra-world-ransomware.html

2024-03-04
A_recent_Copybara_fraud_campaign
LOW

Intel Source:
Cleafy
Intel Name:
A_recent_Copybara_fraud_campaign
Date of Scan:
2024-03-04
Impact:
LOW
Summary:
The article discusses the rising threat of On-Device Fraud (ODF) in the banking sector, which involves fraudulent activities initiated directly on the victim’s device. It focuses on a recent Copybara fraud campaign and explains the use of remote control capabilities by malware to execute ODF scenarios. The article also provides an overview of phishing panels and the Copybara botnet’s associated C2 web panel. It describes the functionalities of the panel, including the ability to remotely control infected devices, steal credentials, and send fake push notifications. The article concludes by emphasizing the need for collaboration and innovation in combating ODF and other forms of banking fraud.


Source:
https://www.cleafy.com/cleafy-labs/on-device-fraud-on-the-rise-exposing-a-recent-copybara-fraud-campaign

2024-03-04
The_use_of_spyware_Predator_poses_significant_risks
LOW

Intel Source:
Recorded Future
Intel Name:
The_use_of_spyware_Predator_poses_significant_risks
Date of Scan:
2024-03-04
Impact:
LOW
Summary:
Recorded Future’s Insikt Group has observed new activity related to the operators of Predator, a mercenary mobile spyware. Spyware like Predator poses significant privacy, legality, and physical safety risks, especially when used outside serious crime and counterterrorism contexts. Insikt Group’s research identified a new multi-tiered Predator delivery infrastructure, with evidence from domain analysis and network intelligence data.


Source:
https://www.recordedfuture.com/predator-spyware-operators-rebuild-multi-tier-infrastructure-target-mobile-devices

2024-03-04
TA577_Cyber_Threat_Unmasked
LOW

Intel Source:
Proofpoint
Intel Name:
TA577_Cyber_Threat_Unmasked
Date of Scan:
2024-03-04
Impact:
LOW
Summary:
Proofpoint researchers have uncovered a new attack chain by cyber threat actor TA577, focused on the uncommon theft of NT LAN Manager (NTLM) authentication information. Two campaigns were detected on 26 and 27 February 2024, targeting hundreds of global organizations through thread hijacking with zipped HTML attachments.


Source:
https://www.proofpoint.com/us/blog/threat-insight/ta577s-unusual-attack-chain-leads-ntlm-data-theft

2024-03-04
Advanced_Phishing_Kit_Targeting_Cryptocurrency_Platforms_and_FCC
LOW

Intel Source:
Lookout
Intel Name:
Advanced_Phishing_Kit_Targeting_Cryptocurrency_Platforms_and_FCC
Date of Scan:
2024-03-04
Impact:
LOW
Summary:
Lookout researchers have identified an innovative phishing kit employing unique strategies to target both cryptocurrency platforms and the Federal Communications Commission (FCC) through mobile devices. Modeled after the techniques used by groups like Scattered Spider, this kit allows attackers to replicate single sign-on (SSO) pages. Subsequently, they employ a blend of email, SMS, and voice phishing to deceive targets into divulging usernames, passwords, password reset URLs, and even photo IDs from numerous victims, predominantly in the United States.


Source:
https://www.lookout.com/threat-intelligence/article/cryptochameleon-fcc-phishing-kit

2024-03-01
Bifrost_New_Tactics_of_Domain_Deception
MEDIUM

Intel Source:
Palo Alto
Intel Name:
Bifrost_New_Tactics_of_Domain_Deception
Date of Scan:
2024-03-01
Impact:
MEDIUM
Summary:
Researchers from Palo Alto have discovered a novel Linux version of Bifrost, also known as Bifrose, which demonstrates a creative way to avoid discovery. It makes use of a phony domain that imitates the official VMware domain. The goal of the most recent version of Bifrost is to sneak past security safeguards and infiltrate specific systems.


Source:
https://unit42.paloaltonetworks.com/new-linux-variant-bifrost-malware/

2024-03-01
Active_Exploitation_of_Ivanti_Gateway_Vulnerabilities
MEDIUM

Intel Source:
CISA
Intel Name:
Active_Exploitation_of_Ivanti_Gateway_Vulnerabilities
Date of Scan:
2024-03-01
Impact:
MEDIUM
Summary:
A new cybersecurity advisory from the Five Eyes intelligence alliance warns that the Ivanti Integrity Checker Tool (ICT) can be tricked into giving a false sense of security. Cyber threat actors are exploiting known vulnerabilities in the Ivanti Connect Secure and Ivanti Policy Secure gateways. A threat actor may be able to retain root-level persistence even after factory resets, and the ICT is insufficient to detect compromise. Since January 10, 2024, Ivanti has disclosed five security flaws affecting these products; four of them are now being actively exploited by various threat actors to deploy malware.


Source:
https://www.cisa.gov/sites/default/files/2024-02/AA24-060B-Threat-Actors-Exploit-Multiple-Vulnerabilities-in-Ivanti-Connect-Secure-and-Policy-Secure-Gateways_0.pdf

2024-03-01
Exploring_Confluence_CVE_2022_26134
LOW

Intel Source:
ISC.SANS
Intel Name:
Exploring_Confluence_CVE_2022_26134
Date of Scan:
2024-03-01
Impact:
LOW
Summary:
Researchers from ISC SANS added daemonlogger to capture packets and Arkime to view the packets captured by their DShield sensor. They noticed that, up until now, this activity had only targeted TCP/8090, with requests that are base64 encoded and contain URLs. On February 12, 2024, the DShield sensor began recording this behavior coming in from different IPs in different locations.


Source:
https://isc.sans.edu/diary/Scanning+for+Confluence+CVE202226134/30704/

2024-03-01
Airbnb_scam
LOW

Intel Source:
Malwarebytes
Intel Name:
Airbnb_scam
Date of Scan:
2024-03-01
Impact:
LOW
Summary:
The scammers send people emails that claim to be from Tripadvisor and contain links, but more alarm bells were triggered when the sender address showed up as [email protected] — not exactly the email address you’d expect from Tripadvisor itself. The scammer hoped people would click on the booking button on the fake Tripadvisor site. If they had, they would have seen a prompt to register with ‘Tripadvisor’.


Source:
https://www.malwarebytes.com/blog/news/2024/02/airbnb-scam-sends-you-to-a-fake-tripadvisor-site-takes-your-money

2024-03-01
North_Korean_threat_actors_attacking_developers_with_suspicious_npm_packages
LOW

Intel Source:
The Hacker News, Phylum
Intel Name:
North_Korean_threat_actors_attacking_developers_with_suspicious_npm_packages
Date of Scan:
2024-03-01
Impact:
LOW
Summary:
Phylum in their blog explained in depth an npm package posing as a code profiler that installs several malicious scripts, including a cryptocurrency and credential stealer. The attacker tried to hide the malicious code in a test file.


Source:
https://thehackernews.com/2024/02/north-korean-hackers-targeting.html
https://blog.phylum.io/smuggling-malware-in-test-code/

2024-03-01
The_DarkGate_Model_For_Malware_Delivery_and_Persistence
LOW

Intel Source:
ISC.SANS
Intel Name:
The_DarkGate_Model_For_Malware_Delivery_and_Persistence
Date of Scan:
2024-03-01
Impact:
LOW
Summary:
ISC.SANS researchers have examined a typical phishing PDF, which resulted in the delivery of a far more dubious MSI signed with a legitimate code signing certificate and having an unexpectedly low signature-based detection rate on VirusTotal because of the utilization of multiple layered stages.


Source:
https://isc.sans.edu/diary/rss/30700

2024-03-01
The_spread_of_Bladeroid_crypto_stealer_thru_npm_packages
LOW

Intel Source:
Sonatype
Intel Name:
The_spread_of_Bladeroid_crypto_stealer_thru_npm_packages
Date of Scan:
2024-03-01
Impact:
LOW
Summary:
Sonatype has identified multiple open source packages, named sniperv1 and sniperv2 among others, that infect npm developers with a Windows info-stealer and crypto-stealer called ‘Bladeroid.’ The info-stealer can be seen peeking into a user’s browser cookies and local storage data and attempting to steal saved (auto-fill) form data.


Source:
https://blog.sonatype.com/npm-packages-caught-spreading-bladeroid-info-stealer

2024-02-29
Malvertising_Continues_to_Drop_Rhadamanthys
LOW

Intel Source:
Malwarebytes
Intel Name:
Malvertising_Continues_to_Drop_Rhadamanthys
Date of Scan:
2024-02-29
Impact:
LOW
Summary:
The first time the Rhadamanthys stealer was spotted in public, it was transmitted through malicious advertisements just over a year ago. Malwarebytes researchers have seen a persistence of software download-related malvertising chains in 2023.


Source:
https://www.malwarebytes.com/blog/threat-intelligence/2024/02/one-year-later-rhadamanthys-is-still-dropped-via-malvertising

2024-02-29
SPIKEDWINE_With_WINELOADER_Targets_European_Diplomats
MEDIUM

Intel Source:
Zscaler
Intel Name:
SPIKEDWINE_With_WINELOADER_Targets_European_Diplomats
Date of Scan:
2024-02-29
Impact:
MEDIUM
Summary:
Researchers at Zscaler have found a suspicious PDF file that was posted to VirusTotal on January 30, 2024, from Latvia. Disguised as a letter from the Indian ambassador, this PDF file invites ambassadors to a wine tasting in February 2024. Additionally, the PDF contained a link to a fictitious questionnaire that starts the infection chain by sending users to a malicious ZIP archive housed on a compromised website. They found another similar PDF file uploaded to VirusTotal from Latvia in July 2023 after conducting additional threat research.


Source:
https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader

2024-02-29
Affiliate_TTPs_For_BlackCat_Ransomware
HIGH

Intel Source:
Huntress
Intel Name:
Affiliate_TTPs_For_BlackCat_Ransomware
Date of Scan:
2024-02-29
Impact:
HIGH
Summary:
In less than three minutes, the threat actor was able to download a copy of the ransomware executable to the endpoint through the second identified ScreenConnect instance. In response to the file being quarantined, the threat actor temporarily disabled Windows Defender before downloading the executable file once more and successfully launching it.


Source:
https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps

2024-02-29
Savvy_Seahorse_tricks_victims_to_fake_investment_platforms
LOW

Intel Source:
Infoblox
Intel Name:
Savvy_Seahorse_tricks_victims_to_fake_investment_platforms
Date of Scan:
2024-02-29
Impact:
LOW
Summary:
Savvy Seahorse is a DNS threat actor who convinces victims to create accounts on fake investment platforms and make deposits to a personal account, then transfers those deposits to a bank in Russia. This actor uses Facebook ads to lure users to their websites and ultimately enroll in fake investment platforms. The campaign themes often involve spoofing well-known companies like Tesla, Facebook/Meta, and Imperial Oil, among others.


Source:
https://blogs.infoblox.com/cyber-threat-intelligence/beware-the-shallow-waters-savvy-seahorse-lures-victims-to-fake-investment-platforms-through-facebook-ads/

2024-02-29
The_Phobos_ransomware_variants
MEDIUM

Intel Source:
CISA
Intel Name:
The_Phobos_ransomware_variants
Date of Scan:
2024-02-29
Impact:
MEDIUM
Summary:
The FBI, CISA, and MS-ISAC are releasing this joint CSA to disseminate known TTPs and IOCs associated with the Phobos ransomware variants observed as recently as February 2024, according to open source reporting. Phobos is structured as a ransomware-as-a-service (RaaS) model. Since May 2019, Phobos ransomware incidents impacting state, local, tribal, and territorial (SLTT) governments have been regularly reported to the MS-ISAC. These incidents targeted municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities to successfully ransom several million U.S. dollars.


Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a

2024-02-29
The_Lazarus_group_targets_blockchain_community
MEDIUM

Intel Source:
Hunt
Intel Name:
The_Lazarus_group_targets_blockchain_community
Date of Scan:
2024-02-29
Impact:
MEDIUM
Summary:
Hunt is tracking an ongoing sophisticated phishing campaign targeting individuals in Telegram groups focused on the blockchain and angel investing communities, specifically entrepreneurs. The tactics described in the report are strikingly similar to those previously attributed to the Lazarus Group, a North Korean state-sponsored threat actor.


Source:
https://hunt.io/blog/suspected-north-korean-hackers-target-blockchain-community-via-telegram

2024-02-29
The_Escalation_of_Web_API_Cyber_Attacks_this_year
LOW

Intel Source:
Check Point
Intel Name:
The_Escalation_of_Web_API_Cyber_Attacks_this_year
Date of Scan:
2024-02-29
Impact:
LOW
Summary:
The landscape of cyber security is continuously evolving, with Web Application Programming Interfaces (APIs) becoming a focal point for cyber attackers. APIs, which facilitate communication between different software applications, present a broader attack surface than traditional web applications. This exposure is due to the inherent vulnerabilities within Web APIs that can lead to authentication bypasses, unauthorized data access, and a range of malicious activities.


Source:
https://blog.checkpoint.com/research/a-shadowed-menace-the-escalation-of-web-api-cyber-attacks-in-2024/

2024-02-29
Spread_Mac_Malware_thru_Calendar_Meeting_Links
LOW

Intel Source:
Krebsonsecurity
Intel Name:
Spread_Mac_Malware_thru_Calendar_Meeting_Links
Date of Scan:
2024-02-29
Impact:
LOW
Summary:
Malicious hackers are targeting people in the cryptocurrency industry in attacks that start with a link added to the target’s calendar at Calendly, an application for scheduling appointments and meetings. The attackers impersonated established cryptocurrency investors and asked to schedule a video conference call. But clicking the meeting link provided by the scammers prompts the user to run a script that quietly installs malware on macOS systems.


Source:
https://krebsonsecurity.com/2024/02/calendar-meeting-links-used-to-spread-mac-malware/

2024-02-29
GUloader_Encryption_Strategies_Unmasked
LOW

Intel Source:
McAfee Labs
Intel Name:
GUloader_Encryption_Strategies_Unmasked
Date of Scan:
2024-02-29
Impact:
LOW
Summary:
McAfee researchers have unmasked GUloader, decrypting the threat posed by malicious SVG files. GUloader utilizes dynamic structural changes, employing polymorphic code and encryption to effectively hide from antivirus software and intrusion detection systems.


Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/guloader-unmasked-decrypting-the-threat-of-malicious-svg-files/

2024-02-28
Possible_Imposter_Ransomware_Impersonating_LOCKBIT_4
HIGH

Intel Source:
Palo Alto
Intel Name:
Possible_Imposter_Ransomware_Impersonating_LOCKBIT_4
Date of Scan:
2024-02-28
Impact:
HIGH
Summary:
There is a lot of interest in LockBit 4.0 now that it is back online following its disruption in February 2024. Like others, Palo Alto researchers have discovered potential imposters using the LockBit 4.0 identity on VirusTotal.


Source:
https://twitter.com/Unit42_Intel/status/1762570867291070880

2024-02-28
New_Variant_of_Atomic_Stealer_in_the_wild
MEDIUM

Intel Source:
Bitdefender
Intel Name:
New_Variant_of_Atomic_Stealer_in_the_wild
Date of Scan:
2024-02-28
Impact:
MEDIUM
Summary:
During some investigations, the Bitdefender team was able to isolate multiple suspicious and undetected macOS disk image files that were surprisingly small for files of this kind (1.3 MB per file). The new variant drops and uses a Python script to stay covert. The malware also shares a similar code with the RustDoor backdoor.


Source:
https://www.bitdefender.com/blog/labs/when-stealers-converge-new-variant-of-atomic-stealer-in-the-wild/

2024-02-28
Ivanti_Connect_Secure_VPN_Vulnerabilities_Exploited_by_China_Linked_Threat_Actors
LOW

Intel Source:
Mandiant
Intel Name:
Ivanti_Connect_Secure_VPN_Vulnerabilities_Exploited_by_China_Linked_Threat_Actors
Date of Scan:
2024-02-28
Impact:
LOW
Summary:
This article explores the investigation into the exploitation and persistence attempts of Ivanti Connect Secure VPN vulnerabilities in a series called “Cutting Edge, Part 3.” Additionally, Mandiant has identified UNC5325 employing living-off-the-land techniques and deploying new malware like LITTLELAMB to enhance evasion of detection.


Source:
https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence

2024-02-28
Cactus_ransomware_attack_on_corporate_networks
MEDIUM

Intel Source:
Bitdefender
Intel Name:
Cactus_ransomware_attack_on_corporate_networks
Date of Scan:
2024-02-28
Impact:
MEDIUM
Summary:
Bitdefender Labs recently conducted an investigation that bears out predictions of the growing risk of ransomware attacks. The attack was orchestrated by the threat actor CACTUS, who began by exploiting a software vulnerability less than 24 hours after its initial disclosure. Bitdefender notes that a commonly known Remote Code Execution (RCE) proof-of-concept (POC) remained unaddressed for over 24 hours, and suspects that the systems were compromised with a web shell.


Source:
https://www.bitdefender.com/blog/businessinsights/cactus-analyzing-a-coordinated-ransomware-attack-on-corporate-networks/

2024-02-28
MooBot_Threat_Detected_on_Ubiquiti_EdgeRouters
MEDIUM

Intel Source:
IC3
Intel Name:
MooBot_Threat_Detected_on_Ubiquiti_EdgeRouters
Date of Scan:
2024-02-28
Impact:
MEDIUM
Summary:
In a new joint advisory, cybersecurity and intelligence agencies from the U.S. and other countries are urging users of Ubiquiti EdgeRouter to take protective measures, weeks after a botnet comprising infected routers was felled by law enforcement as part of an operation codenamed Dying Ember. The MooBot botnet is being utilized by APT28, a threat actor associated with Russia, to enable clandestine cyber operations and disseminate personalized malware for subsequent exploitation. Connected to the Russian Federation’s Main Directorate of the General Staff (GRU), APT28 has been operational since at least 2007.


Source:
https://www.ic3.gov/Media/News/2024/240227.pdf

2024-02-28
The_ALPHV_Blackcat_ransomware_updates
HIGH

Intel Source:
CISA
Intel Name:
The_ALPHV_Blackcat_ransomware_updates
Date of Scan:
2024-02-28
Impact:
HIGH
Summary:
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) are releasing this joint CSA to disseminate known IOCs and TTPs associated with the ALPHV Blackcat ransomware as a service (RaaS) identified through FBI investigations as recently as February 2024.


Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a

2024-02-28
Exploring_DLL_Hijacking
MEDIUM

Intel Source:
Palo Alto
Intel Name:
Exploring_DLL_Hijacking
Date of Scan:
2024-02-28
Impact:
MEDIUM
Summary:
Palo Alto Unit 42 explained in their article how threat actors use DLL hijacking in malware attacks. It also shares ideas for how to better detect DLL hijacking and best practices for reducing the risk of attack. Dynamic-link library (DLL) hijacking is one of the oldest techniques that both threat actors and offensive security professionals continue to use today.


Source:
https://unit42.paloaltonetworks.com/dll-hijacking-techniques/#post-132679-_ydqdbjg0dngh

2024-02-28
Iranian_Threat_Actor_UNC1549_Targets_Israeli_and_Middle_East_Aerospace_and_Defense_Sectors
MEDIUM

Intel Source:
Mandiant
Intel Name:
Iranian_Threat_Actor_UNC1549_Targets_Israeli_and_Middle_East_Aerospace_and_Defense_Sectors
Date of Scan:
2024-02-28
Impact:
MEDIUM
Summary:
Mandiant shared their blog post about suspected Iran espionage activity attacking the aerospace, aviation, and defense industries in Middle Eastern countries, including Israel and the United Arab Emirates (UAE) and possibly Turkey, India, and Albania. Mandiant links this activity with some confidence to the Iranian actor UNC1549, which overlaps with Tortoiseshell—a threat actor that has been publicly linked to Iran’s Islamic Revolutionary Guard Corps (IRGC).


Source:
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east

2024-02-28
Lazarus_new_malicious_PyPI_packages
MEDIUM

Intel Source:
JPCert
Intel Name:
Lazarus_new_malicious_PyPI_packages
Date of Scan:
2024-02-28
Impact:
MEDIUM
Summary:
JPCERT/CC has confirmed that Lazarus has released malicious Python packages to PyPI, the official Python package repository.


Source:
https://blogs.jpcert.or.jp/en/2024/02/lazarus_pypi.html

2024-02-27
The_Abyss_Locker_ransomware_roundup_report
MEDIUM

Intel Source:
Fortinet
Intel Name:
The_Abyss_Locker_ransomware_roundup_report
Date of Scan:
2024-02-27
Impact:
MEDIUM
Summary:
FortiGuard Labs monitors and collects data on ransomware variants of interest that have been gaining traction within their datasets and the OSINT community. This time they reported that the ransomware roundup covers the Abyss Locker (AbyssLocker) ransomware.


Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-abyss-locker

2024-02-27
InstallsKey_PPI_Service_Malware
LOW

Intel Source:
Bitsight
Intel Name:
InstallsKey_PPI_Service_Malware
Date of Scan:
2024-02-27
Impact:
LOW
Summary:
A new string encryption method and an alternate communication protocol have been added to PrivateLoader, a popular malware downloader. In addition, it is now downloading a duplicate of itself in addition to its other payloads. The commercial packer VMProtect is used to pack recent samples, which makes them more difficult to decipher and reverse engineer.


Source:
https://www.bitsight.com/blog/hunting-privateloader-malware-behind-installskey-ppi-service

2024-02-27
The_observed_new_PIKABOT_campaigns
LOW

Intel Source:
Elastic
Intel Name:
The_observed_new_PIKABOT_campaigns
Date of Scan:
2024-02-27
Impact:
LOW
Summary:
Elastic Security Labs discovered new PIKABOT campaigns, including an updated version of the malware. PIKABOT is a widely deployed loader that malicious actors use to distribute additional payloads.


Source:
https://www.elastic.co/security-labs/pikabot-i-choose-you

2024-02-27
Examining_DCRat_in_Depth
LOW

Intel Source:
Any.Run
Intel Name:
Examining_DCRat_in_Depth
Date of Scan:
2024-02-27
Impact:
LOW
Summary:
Initially released in 2018, DCrat, also referred to as Dark Crystal RAT, is a remote access trojan (RAT). This malware is modular, meaning it may be altered to carry out various functions. For example, it can take over Steam and Telegram accounts, steal passwords, and get information from cryptocurrency wallets. DCrat can be distributed by attackers in a number of ways, although phishing email operations are the most popular.


Source:
https://any.run/malware-trends/dcrat

2024-02-27
The_Dark_Web_Profile_of_Patchwork_APT
LOW

Intel Source:
SOC Radar
Intel Name:
The_Dark_Web_Profile_of_Patchwork_APT
Date of Scan:
2024-02-27
Impact:
LOW
Summary:
The Patchwork APT group is an Indian cyber espionage group that was discovered in December 2015, although it has likely been operating since 2009. Targeting high-profile organizations in South and Southeast Asia, but increasingly expanding to other regions, it primarily targets defense, diplomatic, and government agencies. Patchwork is a prominent threat in the cyber threat landscape because it uses a variety of specialized tools and techniques for espionage, including spear phishing and watering hole attacks.


Source:
https://socradar.io/dark-web-profile-patchwork-apt/

2024-02-27
Phishing_Scripts_Exploit_Telegram_for_User_Information_Theft
MEDIUM

Intel Source:
ASEC
Intel Name:
Phishing_Scripts_Exploit_Telegram_for_User_Information_Theft
Date of Scan:
2024-02-27
Impact:
MEDIUM
Summary:
AhnLab Security Intelligence Center (ASEC) has identified a surge in phishing scripts utilizing Telegram for the indiscriminate distribution of malicious content, often themed around remittances and receipts. These sophisticated scripts, unlike their predecessors, employ obfuscation techniques to evade detection. Upon interaction, users are prompted to enter a password, enabling threat actors to steal sensitive information, including email addresses and passwords. The stolen data is then transmitted to the attackers via the Telegram API. This method of leveraging Telegram for information theft is becoming increasingly prevalent, emphasizing the importance of vigilance against suspicious files and websites.


Source:
https://asec.ahnlab.com/en/62177/

2024-02-27
The_Gootloader_Tale_Goes_On
LOW

Intel Source:
The DFIR Report
Intel Name:
The_Gootloader_Tale_Goes_On
Date of Scan:
2024-02-27
Impact:
LOW
Summary:
Researchers from The DFIR Report have documented an intrusion from February 2023. The intrusion began with a user downloading and running a file from an SEO-poisoned search result, which resulted in a Gootloader infection. By using SystemBC to tunnel RDP access into the network, the threat actor was able to compromise backup servers, domain controllers, and other important systems.


Source:
https://thedfirreport.com/2024/02/26/seo-poisoning-to-domain-control-the-gootloader-saga-continues/

2024-02-27
Adversaries_Exploiting_ScreenConnect_Vulnerability_SlashAndGrab
LOW

Intel Source:
Huntress
Intel Name:
Adversaries_Exploiting_ScreenConnect_Vulnerability_SlashAndGrab
Date of Scan:
2024-02-27
Impact:
LOW
Summary:
Huntress has observed a surge in threat actor activity exploiting the ScreenConnect vulnerability dubbed “SlashAndGrab.” This article details various post-exploitation tradecraft employed by adversaries, including deploying ransomware (e.g., LockBit), running cryptocurrency miners, installing additional remote access tools (e.g., Simple Help, SSH, Google Chrome Remote Desktop), dropping Cobalt Strike beacons, and establishing persistence through user creation and reverse shell techniques. The article emphasizes the need for continued vigilance and highlights the importance of a proactive and experienced security approach to thwart adversaries.


Source:
https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708

2024-02-27
New_Version_of_IDAT_Loader_Pushes_Remcos_RAT_with_Steganography
LOW

Intel Source:
Morphisec
Intel Name:
New_Version_of_IDAT_Loader_Pushes_Remcos_RAT_with_Steganography
Date of Scan:
2024-02-27
Impact:
LOW
Summary:
Researchers at Morphisec Threat Labs have found several indicators of attacks attributed to the threat actor UAC-0184. This finding sheds light on the infamous IDAT loader that delivered the Remcos Remote Access Trojan (RAT) to a Ukrainian organization headquartered in Finland.


Source:
https://blog.morphisec.com/unveiling-uac-0184-the-remcos-rat-steganography-saga

2024-02-27
Black_Basta_Exploiting_ScreenConnect_Vulnerabilities
HIGH

Intel Source:
Trend Micro
Intel Name:
Black_Basta_Exploiting_ScreenConnect_Vulnerabilities
Date of Scan:
2024-02-27
Impact:
HIGH
Summary:
Researchers from Trend Micro have thoroughly examined the most recent ScreenConnect vulnerabilities. They also discuss how the data led them to identify threat actor groups that are actively exploiting CVE-2024-1708 and CVE-2024-1709, such as the Black Basta and Bl00dy ransomware gangs.


Source:
https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html

2024-02-27
TimbreStealer_campaign_targets_Mexican_users
LOW

Intel Source:
Cisco Talos
Intel Name:
TimbreStealer_campaign_targets_Mexican_users
Date of Scan:
2024-02-27
Impact:
LOW
Summary:
Cisco Talos has discovered a new campaign operated by a threat actor distributing a previously unknown malware they are calling “TimbreStealer.” This threat actor was observed distributing TimbreStealer via a spam campaign using Mexican tax-related themes starting in at least November 2023. The threat actor has previously used similar tactics, techniques, and procedures (TTPs) to distribute a banking trojan known as “Mispadu.”


Source:
https://blog.talosintelligence.com/timbrestealer-campaign-targets-mexican-users/

2024-02-27
Agent_Tesla_malware_targets_travel_industry
LOW

Intel Source:
Forcepoint
Intel Name:
Agent_Tesla_malware_targets_travel_industry
Date of Scan:
2024-02-27
Impact:
LOW
Summary:
Forcepoint analysts analyzed an Agent Tesla campaign that is delivered via email as a PDF attachment and ends up downloading a RAT, leaving the system infected. The email was an example of scamming and brand impersonation, where the sender is seeking a refund for a reservation made at Booking.com and asking the recipient to check the attached PDF for the card statement.


Source:
https://www.forcepoint.com/blog/x-labs/agent-tesla-malware-attacks-travel-industry

2024-02-26
Targeted_Cyber_Attack_Against_Ukrainian_Defense_Forces_Thwarted
LOW

Intel Source:
CERT-UA
Intel Name:
Targeted_Cyber_Attack_Against_Ukrainian_Defense_Forces_Thwarted
Date of Scan:
2024-02-26
Impact:
LOW
Summary:
Ukrainian cybersecurity teams thwarted a targeted cyber attack against the Ukrainian Defense Forces, delivered via a malicious Excel document spread through Signal messenger. The attack involved a complex chain of actions including the execution of a malicious PowerShell script, COOKBOX, designed to compromise and control affected systems. The attack, part of ongoing efforts since autumn 2023, exploited systems lacking basic security measures. The response highlighted the critical role of advanced security technologies like EDR in preventing such breaches and underscored the necessity for immediate implementation of comprehensive security policies to protect against sophisticated cyber threats.


Source:
https://cert.gov.ua/article/6277849

2024-02-26
TikTok_Misinformation_Combat
LOW

Intel Source:
Talos
Intel Name:
TikTok_Misinformation_Combat
Date of Scan:
2024-02-26
Impact:
LOW
Summary:
The article discusses TikTok’s efforts to address misinformation and disinformation on their platform, emphasizing that this is a global issue. It also mentions the use of Google Cloud Run for distributing malware and provides updates on cybersecurity news and events.


Source:
https://blog.talosintelligence.com/threat-source-newsletter-feb-22-2024/

2024-02-26
Analysis_of_the_PyRation_family_malware
LOW

Intel Source:
Stratosphereips Blog
Intel Name:
Analysis_of_the_PyRation_family_malware
Date of Scan:
2024-02-26
Impact:
LOW
Summary:
Stratosphereips researchers wrote a blog post with a technical analysis of malware they link to a variant of the “PyRation” family. This malware is a Python executable packaged as a Windows PE file, meaning it works only on Windows.


Source:
https://www.stratosphereips.org/blog/2024/2/23/analysis-and-understanding-of-malware-of-the-pyration-family

2024-02-26
Dissecting_Earth_Luscas_Espionage_Campaign_Leveraging_Geopolitical_Lures
LOW

Intel Source:
Trend Micro
Intel Name:
Dissecting_Earth_Luscas_Espionage_Campaign_Leveraging_Geopolitical_Lures
Date of Scan:
2024-02-26
Impact:
LOW
Summary:
Trend Micro’s investigation has uncovered a cyber espionage campaign by Earth Lusca, a China-linked threat actor, exploiting Chinese-Taiwanese tensions. Active around the Taiwanese national elections in late 2023 to early 2024, the campaign used spear-phishing with geopolitical lures to deliver a complex, multi-stage infection process, ultimately deploying Cobalt Strike payloads. Further analysis suggests a link between Earth Lusca and the Chinese company I-Soon, indicating a broader network of cyber espionage tied to Chinese interests. This campaign highlights the ongoing risks of state-linked cyber operations targeting politically sensitive entities.


Source:
https://www.trendmicro.com/en_us/research/24/b/earth-lusca-uses-geopolitical-lure-to-target-taiwan.html

2024-02-26
Uncovering_Nood_RAT_Persistent_Linux_Threat
MEDIUM

Intel Source:
ASEC
Intel Name:
Uncovering_Nood_RAT_Persistent_Linux_Threat
Date of Scan:
2024-02-26
Impact:
MEDIUM
Summary:
The AhnLab Security Intelligence Center (ASEC) has reported the discovery and ongoing analysis of Nood RAT, a Linux-targeting malware variant of the widely known Gh0st RAT. Originating from a lineage of malware with open-source roots primarily utilized by Chinese-speaking threat actors, Nood RAT has been actively used in cyber attacks since 2018, exploiting vulnerabilities across various systems. This malware exhibits sophisticated capabilities, including masquerading as legitimate processes, encrypted communication with command and control (C&C) servers, and executing malicious activities such as file manipulation and proxy usage. Despite its simplicity, Nood RAT’s evasion techniques and the breadth of its deployment highlight the critical need for up-to-date system security and vigilant monitoring to combat such threats.


Source:
https://asec.ahnlab.com/en/62144/

2024-02-26
A_new_remote_access_trojan_Xeno_RAT
LOW

Intel Source:
Cyfirma
Intel Name:
A_new_remote_access_trojan_Xeno_RAT
Date of Scan:
2024-02-26
Impact:
LOW
Summary:
Cyfirma provided an in-depth analysis of the proliferation of Xeno RAT, a malware with advanced functionality that is freely available on GitHub. Xeno RAT has the sophisticated capabilities characteristic of advanced malware. A threat actor customized its settings and distributed it via the Discord CDN.


Source:
https://www.cyfirma.com/outofband/xeno-rat-a-new-remote-access-trojan-with-advance-capabilities/

2024-02-26
Unmasking_Lorenz_Ransomware
MEDIUM

Intel Source:
NCC Group
Intel Name:
Unmasking_Lorenz_Ransomware
Date of Scan:
2024-02-26
Impact:
MEDIUM
Summary:
The article discusses the evolving tactics of the ransomware group Lorenz, which has been targeting small to medium businesses globally. The group has recently adopted double-extortion tactics and made changes to their encryption methods and file names. They also use scheduled tasks and local admin accounts for persistence. The article provides indicators of compromise and stresses the need for continuous monitoring to stay protected against ransomware threats.


Source:
https://research.nccgroup.com/2024/02/22/unmasking-lorenz-ransomware-a-dive-into-recent-tactics-techniques-and-procedures/

2024-02-26
Critical_ConnectWise_ScreenConnect_Authentication_Bypass
HIGH

Intel Source:
Bitdefender
Intel Name:
Critical_ConnectWise_ScreenConnect_Authentication_Bypass
Date of Scan:
2024-02-26
Impact:
HIGH
Summary:
On February 19, 2024, ConnectWise released a security patch addressing two vulnerabilities in the ScreenConnect software, potentially leading to Remote Code Execution (RCE). These vulnerabilities, identified as CVE-2024-1709 and CVE-2024-1708, allow attackers to bypass authentication and perform path traversal, respectively, enabling unauthorized access and administrative privilege escalation.


Source:
https://www.bitdefender.com/blog/businessinsights/technical-advisory-critical-connectwise-screenconnect-authentication-bypass/

2024-02-26
Blind_Eagle_Targets_Manufacturing_with_Advanced_Crypters_and_Payloads
LOW

Intel Source:
Esentire
Intel Name:
Blind_Eagle_Targets_Manufacturing_with_Advanced_Crypters_and_Payloads
Date of Scan:
2024-02-26
Impact:
LOW
Summary:
Blind Eagle threat actors have been observed targeting the manufacturing sector, distributing malicious VBS files through phishing emails containing links to RAR and BZ2 archives. eSentire observed the Blind Eagle threat actor(s) targeting Spanish-speaking users in the manufacturing industry based in North America.


Source:
https://www.esentire.com/blog/blind-eagles-north-american-journey

2024-02-26
NovaStealer_Deployer
LOW

Intel Source:
Phylum
Intel Name:
NovaStealer_Deployer
Date of Scan:
2024-02-26
Impact:
LOW
Summary:
The article discusses a recent discovery by the Phylum Research Team of a dormant PyPI package, django-log-tracker, that was updated to deploy the NovaSentinel stealer. The update introduced malicious code, indicating either a deliberate strategy by an attacker or a compromise of the PyPI account. The malware is a steal-everything-you-can-find style stealer designed to harvest sensitive information. The article also highlights the risks of supply-chain attacks through compromised PyPI accounts and urges developers to be cautious when using open-source software.


Source:
https://blog.phylum.io/dormant-pypi-package-updated-to-deploy-novasentinel-stealer/

2024-02-23
New_MaaS_InfoStealer_Malware_Campaign
LOW

Intel Source:
Cofense
Intel Name:
New_MaaS_InfoStealer_Malware_Campaign
Date of Scan:
2024-02-23
Impact:
LOW
Summary:
Cofense researchers discussed in their post a new phishing campaign targeting the oil and gas industry, which uses a recently updated Malware-as-a-Service called Rhadamanthys Stealer. The campaign starts with a phishing email and leads to a clickable PDF file that downloads the malware. The Rhadamanthys Stealer is written in C++ and has various features to steal information. The article also mentions that the malware recently received a major update, making it more customizable for threat actors. A table of indicators of compromise is provided, and the article concludes by stating that more details will be provided in the future.


Source:
https://cofense.com/blog/new-maas-infostealer-malware-campaign-targeting-oil-gas-sector/

2024-02-23
Anti_Sandbox_Techniques
LOW

Intel Source:
ISC.SANS
Intel Name:
Anti_Sandbox_Techniques
Date of Scan:
2024-02-23
Impact:
LOW
Summary:
ISC.SANS researchers examined a malware sample and found that several of its anti-sandbox methods rely on simple checks that can be performed from a basic Windows batch (.bat) script. They also came across an intriguing one that downloads the next payload only after a simple check succeeds.


Source:
https://isc.sans.edu/diary/Simple+AntiSandbox+Technique+Wheres+The+Mouse/30684/

2024-02-23
Angel_Crypto_Drainer
LOW

Intel Source:
Sucuri
Intel Name:
Angel_Crypto_Drainer
Date of Scan:
2024-02-23
Impact:
LOW
Summary:
The article discusses the growing threat of Web3 crypto malware, specifically the Angel Drainer, which targets individuals interested in cryptocurrencies and NFTs. The authors provide an overview of the current list of top level domains maintained by IANA and mention a placeholder domain used by the malware. They also discuss the use of the “Ipsum” domain in phishing sites and the high number of scans recorded by URLScan.io. The article provides statistics on the number of unique domain names and titles associated with the malware, as well as the top three second level domains used. It also discusses the steps website owners can take to protect their sites from these types of attacks. The authors then delve into the specifics of the Angel Drainer malware, including its use of crypto drainers to steal and redistribute assets from compromised wallets. They also mention the surge in malicious activity linked to recent security breaches and the use of phishing tactics to trick users into giving up their cryptocurrency assets. The article also discusses the benefits of using a web application firewall and offers services to remove malware infections and secure websites. The authors provide an analysis of the threat of malicious injections in the Web3 ecosystem and describe a specific malware injection targeting WordPress sites. They also discuss the various waves of attacks carried out by the Angel Drainer malware and provide information on the top 50 most common titles for phishing pages used by the drainer. The article also mentions the use of an ACCESS_KEY by the drainer and its connection to the Rilide Stealer. It also provides information on phishing subdomains on the website Vercel.app and the number of phishing web.app subdomains found in relation to Firebase Hosting. The authors also discuss a new type of malware that targets Web3 crypto users and provide details on the different versions of the malware. They also mention the investigation into a malware that impersonates the BillionAir Web3 gambling platform and provide information on suspicious requests made by the drainer. The article concludes by mentioning the 530 phishing pages found on subdomains of the website pages.dev, which is hosted on Cloudflare Pages.


Source:
https://blog.sucuri.net/2024/02/web3-crypto-malware-angel-drainer.html

2024-02-23
The_DarkVNC_Technical_Analysis
LOW

Intel Source:
Esentire
Intel Name:
The_DarkVNC_Technical_Analysis
Date of Scan:
2024-02-23
Impact:
LOW
Summary:
DarkVNC is a hidden utility based on VNC technology, used for stealthy remote access. It was advertised in 2016 and received updates until 2017. DarkVNC has been used by threat actors associated with IcedID and SolarMarker campaigns. This analysis focuses on a DarkVNC sample that uses ‘vncdll64.dll’ for exporting functions. It generates a unique ID to send to the C2 server along with system info. DarkVNC can search for and manipulate windows related to the desktop environment. It can also control the state of devices like keyboard and mouse, and block user input. The malware gathers details on the Chrome browser install and runs cmd prompts. Detection and prevention controls like EDR solutions and training programs are recommended.


Source:
https://www.esentire.com/blog/technical-analysis-of-darkvnc

2024-02-23
The_Pikabot_rising_threat
MEDIUM

Intel Source:
Esentire
Intel Name:
The_Pikabot_rising_threat
Date of Scan:
2024-02-23
Impact:
MEDIUM
Summary:
The article “The Rising Threat of Pikabot” by eSentire discusses the increasing danger of the Pikabot malware and the capabilities of eSentire’s 24/7 Security Operations Centers (SOCs) in responding to threats. The article also highlights the TRU team’s discovery of other dangerous threats, such as the Kaseya MSP breach and the more_eggs malware. The article provides a detailed analysis of the Pikabot malware, including its initial infection through a phishing email and its use of obfuscation techniques. It also explains how Pikabot is injected into the SearchProtocolHost.exe process and its functionality to gather host information and check for specific language settings. The article also discusses additional insights, such as unsuccessful infection attempts and recommendations from the TRU team for the prevention and detection of Pikabot.


Source:
https://www.esentire.com/blog/the-rising-threat-of-pikabot

2024-02-23
LATAM_Malware_Variants
LOW

Intel Source:
Crowdstrike
Intel Name:
LATAM_Malware_Variants
Date of Scan:
2024-02-23
Impact:
LOW
Summary:
The article provides an overview of updates and changes made to various malware families targeting users in Latin America (LATAM) in 2023. These include Mispadu, Kiron, Caiman, Culebra, Salve, and Astaroth, which primarily target users in Brazil, Spain, Italy, and Australia. The updates include the use of CAPTCHAs, new components in the infection chain, and new obfuscation methods. The article also discusses the potential overlap between Mispadu and Astaroth, as well as a new threat called Doit. It then delves into the technical details of these malware variants, including encryption and decryption methods, deployment chains, and C2 protocols. The article also provides recommendations to avoid or detect eCrime commodity malware infections and lists indicators of compromise. It concludes by discussing a new Brazilian-based adversary, SAMBA SPIDER, and providing details on specific malware families and their tactics, techniques, and procedures. The article also includes a case study of updates made to the Caiman downloader in September 2023.


Source:
https://www.crowdstrike.com/blog/latin-america-malware-update/

2024-02-23
Kimsuky_abuses_a_valid_certificate_to_distribute_TrollAgent
MEDIUM

Intel Source:
ASEC
Intel Name:
Kimsuky_abuses_a_valid_certificate_to_distribute_TrollAgent
Date of Scan:
2024-02-23
Impact:
MEDIUM
Summary:
A malicious TrollAgent malware was found to be downloaded when attempting to install security software from a South Korean construction association website. The malware can steal information and receive commands from attackers. Users should keep antivirus software updated to prevent infection.


Source:
https://asec.ahnlab.com/ko/61666/

2024-02-23
8220_Group_Gang_Launches_Cryptomining_Campaign
LOW

Intel Source:
Uptycs
Intel Name:
8220_Group_Gang_Launches_Cryptomining_Campaign
Date of Scan:
2024-02-23
Impact:
LOW
Summary:
Uptycs researchers have discovered a new cryptomining campaign conducted by the 8220 Group, targeting both Linux and Windows systems. This recent campaign stands out due to the use of Windows PowerShell for fileless execution, resulting in the deployment of a cryptominer. What distinguishes this campaign is its adoption of unique techniques, such as DLL sideloading, User Account Control (UAC) bypass, and modifications to AMSIscanBuffer and ETWEventWrite. These tactics represent a novel approach, highlighting the group’s innovative methods to enhance stealth and evasion, setting it apart from previous incidents. Notably, the Linux campaign showed no significant alterations in its tactics.


Source:
https://www.uptycs.com/blog/8220-gang-cryptomining-cloud-based-infrastructure-cyber-threat

2024-02-23
Russian_Aligned_Influence_Operation_Affecting_German_Audiences
LOW

Intel Source:
Sentinel Labs
Intel Name:
Russian_Aligned_Influence_Operation_Affecting_German_Audiences
Date of Scan:
2024-02-23
Impact:
LOW
Summary:
Researchers at SentinelLabs have closely monitored the activities of an alleged Russia-aligned influence operation network named Doppelgänger. Their observations reveal that Doppelgänger has been specifically targeting German audiences, a trend aligned with recent reports from the German Ministry of Foreign Affairs and Der Spiegel.


Source:
https://www.sentinelone.com/labs/doppelganger-russia-aligned-influence-operation-targets-germany/

2024-02-22
Malware_Compromises_Personal_Data_Through_Vibrator_Infection
LOW

Intel Source:
Malwarebytes
Intel Name:
Malware_Compromises_Personal_Data_Through_Vibrator_Infection
Date of Scan:
2024-02-22
Impact:
LOW
Summary:
The article explores an incident involving the infection of a vibrator, specifically the Spencer’s Sexology Pussy Power 8-Function Rechargeable Bullet Vibrator, with an information stealer named Lumma. Lumma operates on a Malware-as-a-Service (MaaS) model, where cybercriminals acquire access to malicious software and its infrastructure by paying other cybercriminals. Lumma’s primary function is to steal information from cryptocurrency wallets, browser extensions, and two-factor authentication details. While Lumma is commonly distributed through email campaigns, this case highlights its potential spread through infected USB drives as well.


Source:
https://www.malwarebytes.com/blog/news/2024/02/vibrator-virus-steals-your-personal-information

2024-02-22
DDoS_Botnet_Lucifer_Targeting_Apache_Big_Data_Stack
MEDIUM

Intel Source:
Aqua Sec
Intel Name:
DDoS_Botnet_Lucifer_Targeting_Apache_Big_Data_Stack
Date of Scan:
2024-02-22
Impact:
MEDIUM
Summary:
Researchers from AquaSec have revealed a new campaign targeting the Apache Hadoop and Apache Druid big-data stacks. Further investigation found that the attacker exploits known vulnerabilities and misconfigurations in these Apache services, as observed on AquaSec’s cloud honeypots, to carry out the attacks.


Source:
https://www.aquasec.com/blog/lucifer-ddos-botnet-malware-is-targeting-apache-big-data-stack/

2024-02-22
Konni_RAT_Malware_Backdoored_into_Russian_Government_Software
LOW

Intel Source:
Medium
Intel Name:
Konni_RAT_Malware_Backdoored_into_Russian_Government_Software
Date of Scan:
2024-02-22
Impact:
LOW
Summary:
An installer for a utility probably used by the Consular Department of the Russian Ministry of Foreign Affairs (MID) was backdoored to distribute the remote access trojan Konni RAT (also known as UpDog). According to DCSO experts, placing Konni RAT in software installers is a tactic the group used back in October 2023, when the trojan was found being distributed through a backdoored Russian tax filing application called Spravki BK. The backdoored installer appears to be for a utility named ‘Statistika KZU’ (Cтатистика ОЗY).


Source:
https://medium.com/@DCSO_CyTec/to-russia-with-love-assessing-a-konni-backdoored-suspected-russian-consular-software-installer-ce618ea4b8f3

2024-02-22
A_discovery_of_the_phishing_as_a_service_Tycoon_Group
LOW

Intel Source:
Trustwave
Intel Name:
A_discovery_of_the_phishing_as_a_service_Tycoon_Group
Date of Scan:
2024-02-22
Impact:
LOW
Summary:
A phishing-as-a-service called Tycoon Group was discovered recently. It uses sophisticated techniques like WebSocket for data exfiltration and Cloudflare for evading detection. Available since August 2023, it enables easy deployment of phishing pages mimicking Microsoft and Google login. It provides an admin panel to manage campaigns and view stolen credentials.


Source:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/breakdown-of-tycoon-phishing-as-a-service-system/

2024-02-21
Information_Campaign_Regarding_War_That_Targets_Speakers_of_Ukrainian
LOW

Intel Source:
Welivesecurity
Intel Name:
Information_Campaign_Regarding_War_That_Targets_Speakers_of_Ukrainian
Date of Scan:
2024-02-21
Impact:
LOW
Summary:
Operation Texonto is a disinformation/PSYOP campaign that distributes its message primarily via spam emails. Remarkably, the operators do not appear to have spread their messages through popular platforms such as Telegram or through fake websites. ESET identified two distinct waves, one in November 2023 and one at the end of December 2023. The emails’ topics, which are common in Russian propaganda, included food shortages, medicine shortages, and heating outages.


Source:
https://www.welivesecurity.com/en/eset-research/operation-texonto-information-operation-targeting-ukrainian-speakers-context-war/

2024-02-21
The_deployment_of_the_Kazuar_malware
LOW

Intel Source:
Lab52 blog
Intel Name:
The_deployment_of_the_Kazuar_malware
Date of Scan:
2024-02-21
Impact:
LOW
Summary:
This article focuses on a new sample used by the Turla APT group in its attacks, which uses a wrapper called Pelmeni to deploy the Kazuar malware. The article compares this sample with a previous one and confirms the use of a substitution algorithm similar to Kazuar’s. It also discusses the use of a new protocol for exfiltration and a different log folder. The article provides indicators of compromise and hashes for the samples analyzed. The section titled “Pelmeni Wrapper” provides a detailed analysis of the wrapper, its structure, and its functions. The article also discusses the Turla group’s history and its use of the DLL sideloading technique. The following section analyzes the .NET binary extracted from the wrapper.


Source:
https://lab52.io/blog/pelmeni-wrapper-new-wrapper-of-kazuar-turla-backdoor/

2024-02-21
Decrypted_HomuWitch_Ransomware
LOW

Intel Source:
Huntress
Intel Name:
Decrypted_HomuWitch_Ransomware
Date of Scan:
2024-02-21
Impact:
LOW
Summary:
During their investigation of the threat, Huntress analysts discovered a vulnerability that allowed them to create a free decryption tool for all HomuWitch victims. HomuWitch is a ransomware strain that first emerged in July 2023. Its encryption process contains a flaw that allows victims to recover all their files without paying the ransom.


Source:
https://malware.news/t/decrypted-homuwitch-ransomware/78949

2024-02-21
Malicious_Actors_Exploiting_Open_Source_Code_in_Software_Supply_Chains
LOW

Intel Source:
Reversing Labs
Intel Name:
Malicious_Actors_Exploiting_Open_Source_Code_in_Software_Supply_Chains
Date of Scan:
2024-02-21
Impact:
LOW
Summary:
The article explores the growing trend of cybercriminals utilizing open-source code and package managers for malicious activities. Instead of relying on traditional methods like spearphishing, attackers are now planting malware in open-source repositories. The emergence of DLL sideloading attacks, typically associated with compromised environments, is now evident in open-source incidents. The identification of malicious PyPI packages underscores a broader pattern of cyber threats leveraging DLL sideloading to compromise software supply chains. This highlights the importance of increased security monitoring and integrity checks for both software producers and organizations.


Source:
https://www.reversinglabs.com/blog/attackers-leverage-pypi-to-sideload-malicious-dlls

2024-02-21
Malicious_Campaigns_Exploiting_Google_Cloud_Run_in_LATAM
MEDIUM

Intel Source:
Cisco Talos
Intel Name:
Malicious_Campaigns_Exploiting_Google_Cloud_Run_in_LATAM
Date of Scan:
2024-02-21
Impact:
MEDIUM
Summary:
Researchers from Cisco Talos have observed that several banking trojans, including Astaroth (also known as Guildma), Mekotio, and Ousaban, are currently being distributed to targets across Europe and Latin America through the abuse of Google Cloud Run in high-volume malware distribution campaigns. Since September 2023, the volume of emails related to these campaigns has grown dramatically, and Talos continues to monitor for new email distribution campaigns. The infection chains linked to the various malware families use malicious Microsoft Installers (MSIs) that serve as droppers or downloaders for the final malware payloads.


Source:
https://blog.talosintelligence.com/google-cloud-run-abuse/

2024-02-21
Migo_Malware_Targeting_Redis_for_Cryptocurrency_Mining
LOW

Intel Source:
Cado Security Labs
Intel Name:
Migo_Malware_Targeting_Redis_for_Cryptocurrency_Mining
Date of Scan:
2024-02-21
Impact:
LOW
Summary:
Researchers from Cado Security Labs have encountered a new malware campaign that focuses on exploiting Redis for initial access. Although Redis has been a common target for Linux and cloud-centric attackers, this specific campaign employs unique system weakening techniques against the data store. The malware, known as Migo, is designed by its developers to compromise Redis servers with the goal of cryptocurrency mining on the underlying Linux host.


Source:
https://www.cadosecurity.com/migo-a-redis-miner-with-novel-system-weakening-techniques/

2024-02-20
The_technical_analysis_of_the_Backmydata_ransomware
LOW

Intel Source:
CyberGeeks
Intel Name:
The_technical_analysis_of_the_Backmydata_ransomware
Date of Scan:
2024-02-20
Impact:
LOW
Summary:
The article provides a technical analysis of the BackMyData ransomware, which was used to attack hospitals in Romania. The Abstract section gives an overview of the ransomware’s actions, including encryption of files using AES256 and dropping ransom notes. The Technical Analysis section delves into the ransomware’s code and methods, such as disabling the firewall and deleting Volume Shadow Copies. It also explains how the ransomware establishes persistence and encrypts files with specific extensions. The article also provides indicators of compromise and references for further information on the ransomware.


Source:
https://cybergeeks.tech/a-technical-analysis-of-the-backmydata-ransomware-used-to-attack-hospitals-in-romania/

2024-02-20
RemoteRATRemoval_types_and_mitigation
LOW

Intel Source:
Sucuri
Intel Name:
RemoteRATRemoval_types_and_mitigation
Date of Scan:
2024-02-20
Impact:
LOW
Summary:
The article titled “Remote Access Trojan (RAT): Types, Mitigation & Removal” provides a comprehensive overview of RATs, a type of malware that allows attackers to gain remote access and control over infected systems. The article discusses the various types of RATs, their infiltration techniques, command-and-control communication, and stealth mechanisms. It also highlights the dangers of RAT attacks, including data theft, botnets, and ransomware deployment. The article emphasizes the importance of website security in preventing the spread of RATs and provides tips for removing RATs and protecting against them. It also discusses the role of RATs in website security and provides examples of how websites can spread RAT infections. The article concludes by recommending website security best practices and the use of a web application firewall to protect against RATs.


Source:
https://blog.sucuri.net/2024/02/remote-access-trojan-rat-types-mitigation-removal.html

2024-02-20
Hackers_from_North_Korea_Linked_to_Defense_Sector_Supply_Chain_Attack
MEDIUM

Intel Source:
BfV & NIS
Intel Name:
Hackers_from_North_Korea_Linked_to_Defense_Sector_Supply_Chain_Attack
Date of Scan:
2024-02-20
Impact:
MEDIUM
Summary:
Both the National Intelligence Service (NIS) of South Korea and the Federal Intelligence Agency (BfV) of Germany have issued an advisory regarding an ongoing cyber-espionage campaign conducted on behalf of the North Korean government that targets the global defense sector. The attacks are intended to steal information on cutting-edge military technology and to help North Korea modernize its conventional weapons and develop new military capabilities.


Source:
https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2

2024-02-20
Dynamic_Sandbox_Detection_in_Python_InfoStealer
LOW

Intel Source:
ISC.SANS
Intel Name:
Dynamic_Sandbox_Detection_in_Python_InfoStealer
Date of Scan:
2024-02-20
Impact:
LOW
Summary:
Python-based infostealers are not new, and they commonly incorporate several sandbox detection methods to evade execution (and likely detection) under automated analysis. Researchers from ISC.SANS discovered one last week that takes a similar but distinct approach. Typically, such scripts include a hard-coded list of “bad stuff” to look for, such as usernames, processes, MAC addresses, etc.


Source:
https://isc.sans.edu/diary/Python+InfoStealer+With+Dynamic+Sandbox+Detection/30668/

2024-02-20
Iranian_and_Hezbollah_Hackers_Attack_to_Influence_Israel_Hamas_Narrative
MEDIUM

Intel Source:
Google Blog
Intel Name:
Iranian_and_Hezbollah_Hackers_Attack_to_Influence_Israel_Hamas_Narrative
Date of Scan:
2024-02-20
Impact:
MEDIUM
Summary:
Cybercriminals supported by Hezbollah and Iran orchestrated cyberattacks with the intention of eroding public support for the Israel-Hamas conflict following October 2023. This includes devastating attacks on important Israeli institutions, hack-and-leak schemes aimed at American and Israeli organizations, phishing campaigns intended to obtain intelligence, and disinformation tactics to sway public opinion against Israel. In the six months preceding the attacks on October 7, Iran was responsible for almost eighty percent of all government-sponsored phishing attempts directed towards Israel.


Source:
https://blog.google/technology/safety-security/tool-of-first-resort-israel-hamas-war-in-cyber/

2024-02-20
Earth_Preta_Campaign_Targets_Asian_Countries_with_DOPLUGS
MEDIUM

Intel Source:
Trendmicro
Intel Name:
Earth_Preta_Campaign_Targets_Asian_Countries_with_DOPLUGS
Date of Scan:
2024-02-20
Impact:
MEDIUM
Summary:
Researchers from Trend Micro have noted that a customized PlugX variant differs from the standard PlugX malware: it is used only to download the standard PlugX and does not contain a complete backdoor command module. Because of its distinct features, they named this modified PlugX DOPLUGS. Investigating further, they found that DOPLUGS uses the KillSomeOne module.


Source:
https://www.trendmicro.com/en_us/research/24/b/earth-preta-campaign-targets-asia-doplugs.html

2024-02-20
Advanced_version_of_ObserverStealer_AsukaStealer_malware
MEDIUM

Intel Source:
Cyble
Intel Name:
Advanced_version_of_ObserverStealer_AsukaStealer_malware
Date of Scan:
2024-02-20
Impact:
MEDIUM
Summary:
The article discusses a new type of information-stealing malware called AsukaStealer, which is being offered as a service on Russian cybercrime forums. It is a revamped version of the ObserverStealer and uses tactics, techniques, and procedures (TTPs) identified by the MITRE ATT&CK framework, including credential access, discovery, and collection, as well as remote system discovery and data collection. The article also provides a list of indicators of compromise (IoCs) associated with AsukaStealer, such as IP addresses and file hashes.


Source:
https://cyble.com/blog/asukastealer-a-revamped-version-of-the-observerstealer-advertised-as-malware-as-a-service/

2024-02-20
Hackers_Exploit_Critical_RCE_Flaw_In_Bricks_Builder_Theme
LOW

Intel Source:
bleepingcomputer
Intel Name:
Hackers_Exploit_Critical_RCE_Flaw_In_Bricks_Builder_Theme
Date of Scan:
2024-02-20
Impact:
LOW
Summary:
The article highlights the active exploitation of a significant vulnerability in the widely used Bricks Builder theme for WordPress, which has approximately 25,000 installations. The flaw permits RCE and the execution of attacker-supplied PHP code. The issue stems from an eval call within the ‘prepare_query_vars_from_settings’ function, which gives unauthorized users an avenue to exploit it. The Patchstack platform promptly reported the vulnerability to the Bricks team, resulting in the release of a fix in version 1.9.6.1 on February 13. Despite the absence of evidence of exploitation at the time, users are strongly advised to upgrade.


Source:
https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-rce-flaw-in-bricks-wordpress-site-builder/#google_vignette

2024-02-19
TAG_70_Hackers_Targeting_European_Government_and_Military_Mail_Servers
LOW

Intel Source:
Recorded Future
Intel Name:
TAG_70_Hackers_Targeting_European_Government_and_Military_Mail_Servers
Date of Scan:
2024-02-19
Impact:
LOW
Summary:
Recorded Future researchers have spotted TAG-70 using cross-site scripting (XSS) vulnerabilities against European Roundcube webmail servers, specifically targeting organizations associated with national infrastructure, the military, and government. Activity reported by other security vendors under the names Winter Vivern, TA473, and UAC-0114 overlaps with TAG-70. The group has been active since at least December 2020 and mainly targets governments in Europe and Central Asia. It probably runs cyber-espionage operations to further the objectives of Belarus and Russia.


Source:
https://go.recordedfuture.com/hubfs/reports/cta-2024-0217.pdf

2024-02-19
Cybercriminals_Using_RustDoor_and_GateDoor_as_Fake_Software
LOW

Intel Source:
S2W Blog
Intel Name:
Cybercriminals_Using_RustDoor_and_GateDoor_as_Fake_Software
Date of Scan:
2024-02-19
Impact:
LOW
Summary:
The Rust-based macOS malware known as RustDoor was identified and actively monitored by S2W’s threat intelligence center in December 2023. After additional investigation they discovered a Windows version of RustDoor and, since it was written in Golang rather than Rust, named it GateDoor. It has been verified that both RustDoor and GateDoor are distributed disguised as regular software updates or programs.


Source:
https://medium.com/s2wblog/rustdoor-and-gatedoor-a-new-pair-of-weapons-disguised-as-legitimate-software-by-suspected-34c94e558b40

2024-02-19
An_Analysis_of_BackMyData_Ransomware_That_Attacked_Romanian_Hospitals
LOW

Intel Source:
CyberMasterV
Intel Name:
An_Analysis_of_BackMyData_Ransomware_That_Attacked_Romanian_Hospitals
Date of Scan:
2024-02-19
Impact:
LOW
Summary:
Researchers report that a ransomware attack that began on February 11 forced 100 hospitals in Romania to shut down their computer systems. The BackMyData ransomware, which was responsible for the attack, is a member of the Phobos family. The malware embeds an AES key used to decrypt its configuration, which includes information on whitelisted files, directories, and extensions, as well as a public RSA key used to encrypt the AES keys that in turn encrypt the data.


Source:
https://cybergeeks.tech/a-technical-analysis-of-the-backmydata-ransomware-used-to-attack-hospitals-in-romania/

2024-02-19
Deep_Dive_into_MrAgent_and_Ransomware_Negotiations
MEDIUM

Intel Source:
Trellix
Intel Name:
Deep_Dive_into_MrAgent_and_Ransomware_Negotiations
Date of Scan:
2024-02-19
Impact:
MEDIUM
Summary:
Trellix profiles a Ransomware-as-a-Service group known for its MrAgent tool, which automates ransomware deployment. Highlighting the group’s focus on double extortion schemes, the analysis covers its targeting strategy, negotiation tactics with victims, and the technical workings of MrAgent. It also examines the financial trail of ransom payments, offering insights into the group’s operational and financial tactics.


Source:
https://www.trellix.com/blogs/research/ransomhouse-am-see/

2024-02-19
Attackers_Using_Mirai_Botnet_on_Open_Internet
LOW

Intel Source:
ISC.SANS
Intel Name:
Attackers_Using_Mirai_Botnet_on_Open_Internet
Date of Scan:
2024-02-19
Impact:
LOW
Summary:
ISC.SANS researchers have examined how attackers are using the Mirai botnet malware to target openly accessible Internet of Things devices and exploit their known vulnerabilities.


Source:
https://isc.sans.edu/diary/MiraiMirai+On+The+Wall+Guest+Diary/30658

2024-02-16
Unauthorized_access_to_two_publicly_facing_Confluence_servers
MEDIUM

Intel Source:
Rapid7
Intel Name:
Unauthorized_access_to_two_publicly_facing_Confluence_servers
Date of Scan:
2024-02-16
Impact:
MEDIUM
Summary:
Rapid7 Incident Response investigated an incident involving unauthorized access to two publicly-facing Confluence servers that were the source of multiple malware executions. Rapid7 identified evidence of exploitation for CVE-2023-22527 within available Confluence logs. During the investigation, Rapid7 identified cryptomining software and a Sliver Command and Control (C2) payload on in-scope servers.


Source:
https://www.rapid7.com/blog/post/2024/02/15/rce-to-sliver-ir-tales-from-the-field/

2024-02-16
The_spread_of_utility_scam_campaign_thru_online_ads
LOW

Intel Source:
Malwarebytes
Intel Name:
The_spread_of_utility_scam_campaign_thru_online_ads
Date of Scan:
2024-02-16
Impact:
LOW
Summary:
The Malwarebytes blog explains how this scam works: criminals impersonate the victim’s utility company so they can threaten them and extort as much money as possible. It also describes how analysts observed and collected many of the fraudulent utility-scam ads and fake sites.


Source:
https://www.malwarebytes.com/blog/threat-intelligence/2024/02/massive-utility-scam-campaign-spreads-via-online-ads

2024-02-16
A_Novel_AWS_SNS_based_Smishing_Attack_Tool
LOW

Intel Source:
SentinelLabs
Intel Name:
A_Novel_AWS_SNS_based_Smishing_Attack_Tool
Date of Scan:
2024-02-16
Impact:
LOW
Summary:
SentinelLabs discovered SNS Sender, a pioneering tool exploiting AWS’s Simple Notification Service (SNS) for smishing (SMS phishing) campaigns. Authored by ARDUINO_DAS, a figure already known in the phishing scene, this tool signifies a shift in how threat actors leverage cloud services for malicious activities. SNS Sender uniquely uses AWS SNS for bulk SMS spamming to distribute phishing links, often under the guise of USPS notifications about missed package deliveries.


Source:
https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/

2024-02-16
Agniane_information_stealer_malware
LOW

Intel Source:
Cisco Talos
Intel Name:
Agniane_information_stealer_malware
Date of Scan:
2024-02-16
Impact:
LOW
Summary:
The Agniane Stealer is an information-stealing malware that targets the cryptocurrency wallets of its victims. A recent campaign of these attacks was observed, and Cisco Talos analysts identified and documented a previously unrecognized network URL pattern. They also uncovered more information on the malware’s file collection methods and the details of its command and control (C2) protocol.


Source:
https://blogs.cisco.com/security/agniane-stealer-information-stealer-targeting-cryptocurrency-users

2024-02-16
TA544_Exploiting_Danabot_Malware_Again
LOW

Intel Source:
CERT-AGID
Intel Name:
TA544_Exploiting_Danabot_Malware_Again
Date of Scan:
2024-02-16
Impact:
LOW
Summary:
Three months have passed since the last wave in November 2023, and there is still a significant effort targeting Italian users that uses the “Revenue Agency” concept to disseminate malware. This new threat seeks to install the Danabot malware on victims’ devices in order to obtain unauthorized access to sensitive data. It has been identified as the work of the criminal group TA544, which is skilled in targeted attacks using spear phishing and social engineering and is notorious for spreading the Gozi Ursnif malware.


Source:
https://cert-agid.gov.it/news/il-gruppo-ta544-cambia-ancora-strategia-sfruttando-lutilizzo-del-malware-danabot/

2024-02-16
Comparative_Analysis_of_Alpha_and_NetWalker_Ransomware_Versions
LOW

Intel Source:
Symantec
Intel Name:
Comparative_Analysis_of_Alpha_and_NetWalker_Ransomware_Versions
Date of Scan:
2024-02-16
Impact:
LOW
Summary:
Analyzing Alpha reveals that it is a lot like the previous version of the NetWalker ransomware. The payload is delivered by a similar PowerShell-based loader in both threats. Furthermore, there is a substantial amount of code overlap between the payloads for Alpha and NetWalker.


Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/alpha-netwalker-ransomware

2024-02-15
Data_Leakage_via_Finger
LOW

Intel Source:
Huntress
Intel Name:
Data_Leakage_via_Finger
Date of Scan:
2024-02-15
Impact:
LOW
Summary:
Researchers at Huntress revisited an earlier Windows Defender detection, which they refer to as a “Managed Antivirus” (MAV) alert, involving a finger.exe command line that sent a series of digits to the IP address linked to the November activity.


Source:
https://www.huntress.com/blog/threat-intel-accelerates-detection-and-response

2024-02-15
Advanced_Cybercriminals_rapidly_diversify_cyberattack_channels
MEDIUM

Intel Source:
Eclecticiq
Intel Name:
Advanced_Cybercriminals_rapidly_diversify_cyberattack_channels
Date of Scan:
2024-02-15
Impact:
MEDIUM
Summary:
EclecticIQ analysts looked at recent Ivanti vulnerabilities and the infrastructure tied to the earliest reporting of the related activity. They described new, previously unreported infrastructure that may be linked to similar exploitation attempts.


Source:
https://blog.eclecticiq.com/advanced-cybercriminals-rapidly-diversify-cyberattack-channels-following-public-vulnerability-disclosure

2024-02-15
TinyTurla_Next_Generation
LOW

Intel Source:
Cisco Talos
Intel Name:
TinyTurla_Next_Generation
Date of Scan:
2024-02-15
Impact:
LOW
Summary:
Cisco Talos has observed a new backdoor operated by the Turla APT group, a Russian cyber espionage threat group. This new backdoor, called “TinyTurla-NG” (TTNG), is similar to another Turla backdoor, TinyTurla, in coding style and functionality implementation.


Source:
https://blog.talosintelligence.com/tinyturla-next-generation/

2024-02-15
New_Tax_Fraud_Scheme
LOW

Intel Source:
Zerofox
Intel Name:
New_Tax_Fraud_Scheme
Date of Scan:
2024-02-15
Impact:
LOW
Summary:
This month the Russian threat actor “Journalist” shared, on the Russian-speaking community “Coockie Pro,” a method of leveraging the legitimate gocardless[.]com service to discover corporate employee identification numbers (EINs) in order to perform tax fraud schemes against U.S. citizens.


Source:
https://www.zerofox.com/blog/flash-report-new-tax-fraud-scheme-leveraging-employee-identification-numbers/

2024-02-15
TicTacToe_Dropper_Analysis
MEDIUM

Intel Source:
Fortinet
Intel Name:
TicTacToe_Dropper_Analysis
Date of Scan:
2024-02-15
Impact:
MEDIUM
Summary:
While analyzing new malware samples collected from several victims, the FortiGuard researchers identified a grouping of malware droppers used to deliver various final-stage payloads throughout 2023.


Source:
https://www.fortinet.com/blog/threat-research/tictactoe-dropper

2024-02-15
Kryptina_RaaS
LOW

Intel Source:
SentinelOne
Intel Name:
Kryptina_RaaS
Date of Scan:
2024-02-15
Impact:
LOW
Summary:
SentinelOne analysts detailed in their blog the development, technical details, and implications of Kryptina RaaS and its move into open-source crimeware.


Source:
https://www.sentinelone.com/blog/kryptina-raas-from-underground-commodity-to-open-source-threat/

2024-02-14
Emergence_of_Novel_SocGholish_Infection_Chain
LOW

Intel Source:
ReliaQuest
Intel Name:
Emergence_of_Novel_SocGholish_Infection_Chain
Date of Scan:
2024-02-14
Impact:
LOW
Summary:
Researchers from ReliaQuest have found suspicious JavaScript files in client environments, such as “update.js,” a file name frequently used by malware that poses as an update, such as SocGholish. Upon examining the first-stage payload’s execution, they discovered a novel characteristic of this malware: the introduction of Python for persistence.


Source:
https://www.reliaquest.com/blog/new-python-socgholish-infection-chain/

2024-02-14
Malware_development_competition
LOW

Intel Source:
Cyfirma
Intel Name:
Malware_development_competition
Date of Scan:
2024-02-14
Impact:
LOW
Summary:
The CYFIRMA research team has observed a sharp rise in malware being distributed free of charge on a Russian hacking forum. The forum administrators had announced a malware development competition on 1 November 2023.


Source:
https://www.cyfirma.com/outofband/malware-development-competition-fuels-creation-of-20-malware/

2024-02-14
Malware_spread_via_YouTube_Videos
LOW

Intel Source:
Cyfirma
Intel Name:
Malware_spread_via_YouTube_Videos
Date of Scan:
2024-02-14
Impact:
LOW
Summary:
Cybereason has observed threat actors exploiting older YouTube accounts to host links to malware (including infostealers such as Redline and Raccoon Stealer and other commodity malware such as SmokeLoader) that masquerades as cracked versions of popular paid software.


Source:
https://www.cyfirma.com/outofband/malware-development-competition-fuels-creation-of-20-malware/

2024-02-14
Phishing_Attacks_Using_Remote_Monitoring_and_Management_Software
LOW

Intel Source:
Malwarebytes
Intel Name:
Phishing_Attacks_Using_Remote_Monitoring_and_Management_Software
Date of Scan:
2024-02-14
Impact:
LOW
Summary:
Researchers at Malwarebytes have investigated a specific phishing scheme using the AnyDesk remote software to target business users. IT administrators may streamline activities and ensure network integrity remotely with the use of popular products like AnyDesk, Atera, and Splashtop, which are examples of remote monitoring and management (RMM) software. Cybercriminals, however, have noticed these same tools and are using them to breach corporate networks and steal confidential information.


Source:
https://www.malwarebytes.com/blog/news/2024/02/remote-monitoring-management-software-used-in-phishing-attacks

2024-02-14
CharmingCypress_malware_family
LOW

Intel Source:
Volexity
Intel Name:
CharmingCypress_malware_family
Date of Scan:
2024-02-14
Impact:
LOW
Summary:
Volexity’s post shares its observations of CharmingCypress malware family activity from 2023 to early 2024, including details on the techniques the threat actor has used to distribute the malware.


Source:
https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/

2024-02-14
Water_Hydra_Exploits_Zero_Day_Vulnerabilities
LOW

Intel Source:
Trend Micro
Intel Name:
Water_Hydra_Exploits_Zero_Day_Vulnerabilities
Date of Scan:
2024-02-14
Impact:
LOW
Summary:
In its attacks aimed at financial market traders, the APT organization Water Hydra has been taking advantage of the Microsoft Defender SmartScreen vulnerability (CVE-2024-21412). The Trend Micro Zero Day Initiative found and made public this vulnerability, which Microsoft has now fixed.


Source:
https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html

2024-02-14
A_new_sophisticated_GoBased_JKwerlo_ransomware_variant
LOW

Intel Source:
Cyble
Intel Name:
A_new_sophisticated_GoBased_JKwerlo_ransomware_variant
Date of Scan:
2024-02-14
Impact:
LOW
Summary:
Cyble researchers analyzed a new, sophisticated Go-based JKwerlo ransomware variant that targeted French- and Spanish-speaking users.


Source:
https://cyble.com/blog/new-go-based-jkwerlo-ransomware-poses-a-risk-to-french-and-spanish-users/

2024-02-13
MSSQL_Server_Compromise_and_Ransomware_Threat
MEDIUM

Intel Source:
Huntress
Intel Name:
MSSQL_Server_Compromise_and_Ransomware_Threat
Date of Scan:
2024-02-13
Impact:
MEDIUM
Summary:
Huntress researchers have unveiled sophisticated tactics used by attackers targeting MSSQL servers, including the use of the bulk copy command for file extraction and the deployment of scripts for unauthorized account creation and remote access tool installation.


Source:
https://www.huntress.com/blog/attacking-mssql-servers

2024-02-13
RAT_Distribution_Leveraging_Legitimate_Tools_for_Stealth
MEDIUM

Intel Source:
ASEC
Intel Name:
RAT_Distribution_Leveraging_Legitimate_Tools_for_Stealth
Date of Scan:
2024-02-13
Impact:
MEDIUM
Summary:
ASEC researchers have uncovered a complex cyberattack scheme employing legitimate software tools alongside malicious files to distribute Revenge RAT malware stealthily. Attackers cleverly execute a malicious setup.exe file under the guise of running legitimate tools such as smtp-validator and Email To Sms, making detection by users challenging. The malware establishes persistence by hiding its components and manipulating Windows registry for autorun, further downloading additional payloads from a C2 server disguised as a benign blog. This multi-stage attack involves evasion techniques, such as using the CMSTP method for bypassing antivirus detection and employing fileless execution of Revenge RAT, to perform various malicious activities including data theft.


Source:
https://asec.ahnlab.com/en/61584/

2024-02-13
Bumblebee_is_Back
LOW

Intel Source:
Proofpoint
Intel Name:
Bumblebee_is_Back
Date of Scan:
2024-02-13
Impact:
LOW
Summary:
On February 8, 2024, Proofpoint researchers discovered that the Bumblebee malware had reappeared in the cybercriminal threat landscape following a four-month hiatus. Cybercriminal threat actors employ the sophisticated downloader known as Bumblebee, which was a preferred payload from its initial release in March 2022 until October 2023, when it vanished.


Source:
https://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-black

2024-02-13
Glupteba_botnet_using_undocumented_UEFI_Bootkit_to_Avoid_Detection
LOW

Intel Source:
Palo Alto
Intel Name:
Glupteba_botnet_using_undocumented_UEFI_Bootkit_to_Avoid_Detection
Date of Scan:
2024-02-13
Impact:
LOW
Summary:
The Glupteba botnet has been found to use previously unreported Unified Extensible Firmware Interface (UEFI) bootkit functionality, which gives the malware an extra degree of stealth and sophistication. By interfering with and controlling the operating system boot process, this bootkit allows Glupteba to conceal itself and establish covert persistence that can be very challenging to find and eliminate.


Source:
https://unit42.paloaltonetworks.com/glupteba-malware-uefi-bootkit/#post-132484-_ydqdbjg0dngh

2024-02-13
Cyberattack_Targeting_Executives_Using_Microsoft_Azure
MEDIUM

Intel Source:
Proofpoint
Intel Name:
Cyberattack_Targeting_Executives_Using_Microsoft_Azure
Date of Scan:
2024-02-13
Impact:
MEDIUM
Summary:
Proofpoint researchers have identified an active cloud account takeover campaign targeting Microsoft Azure environments. The attack, combining credential phishing and cloud account takeover tactics, has impacted various organizations globally. Threat actors utilize individualized phishing lures within shared documents, directing users to malicious webpages. Diverse roles, including senior executives, are targeted, with a specific Linux user-agent identified. Post-compromise activities involve MFA manipulation, data exfiltration, internal and external phishing, financial fraud attempts, and mailbox rule creation. The attackers’ operational infrastructure includes proxies, data hosting services, and hijacked domains, posing challenges for defenders. While no specific attribution is provided, Russian and Nigerian attackers are noted as potential actors. The Proofpoint team recommends enhanced security measures, including user training, multi-factor authentication, and continuous monitoring.


Source:
https://www.proofpoint.com/us/blog/cloud-security/community-alert-ongoing-malicious-campaign-impacting-azure-cloud-environments

2024-02-13
The_Mirai_Bot_Exploits_Bytevalue_Router_Vulnerability
LOW

Intel Source:
ISC.SANS
Intel Name:
The_Mirai_Bot_Exploits_Bytevalue_Router_Vulnerability
Date of Scan:
2024-02-13
Impact:
LOW
Summary:
Researchers at ISC.SANS have examined a URL that surfaced in their “First Seen” list. At first, the sensors picked up requests for “goform/webRead/open” alone. URLs containing “goform” are usually associated with the RealTek SDK, which routers built around RealTek SoCs (Systems on a Chip) typically use to implement their web-based management features. The RealTek SDK has historically had many vulnerabilities. Currently, the honeypots track more than 900 distinct URLs containing “/goform/”.


Source:
https://isc.sans.edu/diary/Exploit+against+Unnamed+Bytevalue+router+vulnerability+included+in+Mirai+Bot/30642/

2024-02-13
Attackers_Exploiting_Ivanti_SSRF_Flow_to_Deploy_DSLog_Backdoor
MEDIUM

Intel Source:
Orange Cyberdefense
Intel Name:
Attackers_Exploiting_Ivanti_SSRF_Flow_to_Deploy_DSLog_Backdoor
Date of Scan:
2024-02-13
Impact:
MEDIUM
Summary:
Attackers are exploiting a server-side request forgery (SSRF) flaw in the Ivanti Connect Secure, Policy Secure, and ZTA gateways to install the new DSLog backdoor on vulnerable devices. The vulnerability affects the SAML component of those products on Ivanti gateways running versions 9.x and 22.x, and it allows attackers to bypass authentication and access restricted resources.


Source:
https://www.orangecyberdefense.com/fileadmin/general/pdf/Ivanti_Connect_Secure_-_Journey_to_the_core_of_the_DSLog_backdoor.pdf

2024-02-13
In_depth_examination_of_Akira_ransomware
LOW

Intel Source:
HHS GOV
Intel Name:
In_depth_examination_of_Akira_ransomware
Date of Scan:
2024-02-13
Impact:
LOW
Summary:
In its brief existence, the Akira ransomware group has proven to be a formidable and proficient adversary of the American healthcare industry. Akira reuses many shared elements in its operations and targeting. The group functions as ransomware-as-a-service (RaaS), meaning it concentrates on ransomware operations while collaborating with other cybercriminals to launch targeted attacks and split the extorted money.


Source:
https://www.hhs.gov/sites/default/files/akira-randsomware-analyst-note-feb2024.pdf

2024-02-13
PikaBot_Appears_Again_with_Simplified_Code_and_Clever_Strategies
LOW

Intel Source:
Zscaler
Intel Name:
PikaBot_Appears_Again_with_Simplified_Code_and_Clever_Strategies
Date of Scan:
2024-02-13
Impact:
LOW
Summary:
Zscaler researchers have discovered that the threat actors responsible for the PikaBot malware have undergone a “devolution” in which they made notable modifications to the malware. The developers removed sophisticated obfuscation techniques and altered the network communications, which reduced the complexity of the code even though it appears to be in a new development and testing cycle.


Source:
https://www.zscaler.com/blogs/security-research/d-evolution-pikabot

2024-02-13
Warzone_RAT_Cybercriminals_caught
LOW

Intel Source:
Malwarebytes
Intel Name:
Warzone_RAT_Cybercriminals_caught
Date of Scan:
2024-02-13
Impact:
LOW
Summary:
The article highlights an international operation that acquired domains involved in the sale of information-stealing malware. Federal authorities in Boston took control of www.warzone.ws and three associated domains, which were selling the sophisticated Warzone RAT malware. This Remote Access Trojan (RAT) allowed cybercriminals to access victims’ file systems, capture screenshots, record keystrokes, steal usernames and passwords, and even monitor victims through their web cameras, all without their awareness or consent.


Source:
https://www.malwarebytes.com/blog/news/2024/02/warzone-rat-infrastructure-seized

2024-02-12
Cyber_spies_Sticky_Werewolf_activity_in_Belarus
LOW

Intel Source:
Habr
Intel Name:
Cyber_spies_Sticky_Werewolf_activity_in_Belarus
Date of Scan:
2024-02-12
Impact:
LOW
Summary:
The cyber-espionage APT group Sticky Werewolf probably attempted to attack Belarusian companies by distributing the Ozone RAT remote access Trojan under the guise of the computer cleaning and optimization software CCleaner.


Source:
https://habr.com/ru/companies/f_a_c_c_t/news/792672/

2024-02-12
A_new_Ivanti_critical_Remote_Code_Execution_vulnerability_in_FortiOS
HIGH

Intel Source:
SOCRadar
Intel Name:
A_new_Ivanti_critical_Remote_Code_Execution_vulnerability_in_FortiOS
Date of Scan:
2024-02-12
Impact:
HIGH
Summary:
Fortinet has revealed a new critical Remote Code Execution vulnerability in FortiOS SSL VPN, cautioning that it may be exploited in ongoing attacks. The post also covers the latest Ivanti flaw, which was possibly exploited (CVE-2024-21762, CVE-2023-40547, CVE-2024-22024).


Source:
https://socradar.io/rces-in-fortios-ssl-vpn-shim-latest-ivanti-flaw-possibly-exploited-cve-2024-21762-cve-2023-40547-cve-2024-22024/

2024-02-12
LuaJIT_based_modular_backdoor_LuaDream_activity_by_Sandman_APT
LOW

Intel Source:
SOCRadar
Intel Name:
LuaJIT_based_modular_backdoor_LuaDream_activity_by_Sandman_APT
Date of Scan:
2024-02-12
Impact:
LOW
Summary:
SOCRadar writes, drawing on research provided by SentinelOne and QGroup, that the Sandman APT group uses highly sophisticated and stealthy attack methods, with a particular focus on a new modular backdoor known as LuaDream, which is built on the LuaJIT platform. LuaDream is designed to minimize detection risk and shows a continuous development approach.


Source:
https://socradar.io/dark-web-profile-sandman-apt/

2024-02-12
A_malicious_PowerShell_payload_Rabby_Wallet
LOW

Intel Source:
ISC.SANS
Intel Name:
A_malicious_PowerShell_payload_Rabby_Wallet
Date of Scan:
2024-02-12
Impact:
LOW
Summary:
ISC.SANS researcher Xavier Mertens reported that one of his YARA rules triggered on a new sample called “Rabby-Wallet.msix”, which has a VirusTotal score of 8/58. His analysis shows that the file implements the same technique to execute a malicious PowerShell payload.


Source:
https://isc.sans.edu/diary/rss/30636

2024-02-12
Examination_of_new_ShadowPad_infrastructure_new_threat_actor
LOW

Intel Source:
Hunt.io
Intel Name:
Examination_of_new_ShadowPad_infrastructure_new_threat_actor
Date of Scan:
2024-02-12
Impact:
LOW
Summary:
This post examines ShadowPad infrastructure linked to a yet-to-be-identified threat actor. What sets this activity apart is a slight change in the HTTP response headers and the use of a certificate attempting to spoof the American technology company Dell. Within this group of IPs there are additional subsets of activity using different port configurations and some interesting domains, discussed later in the article.


Source:
https://hunt.io/blog/tracking-shadowpad-infrastructure-via-non-standard-certificates

2024-02-12
Increased_delivery_of_the_DarkGate_loader
LOW

Intel Source:
Eclecticiq
Intel Name:
Increased_delivery_of_the_DarkGate_loader
Date of Scan:
2024-02-12
Impact:
LOW
Summary:
EclecticIQ analysts observed increased delivery of the DarkGate loader following the takedown of the Qakbot infrastructure last year. EclecticIQ analysts assess that financially motivated threat actors, including groups such as TA577 and Ducktail, along with Ransomware-as-a-Service (RaaS) organizations such as BianLian and Black Basta, are the primary users of DarkGate. These threat actors target financial institutions in Europe and the USA, focusing mainly on double extortion tactics.


Source:
https://blog.eclecticiq.com/darkgate-opening-gates-for-financially-motivated-threat-actors

2024-02-09
The_injection_of_RemcosRAT_into_the_winhlp32_exe_file_process
MEDIUM

Intel Source:
Esentire
Intel Name:
The_injection_of_RemcosRAT_into_the_winhlp32_exe_file_process
Date of Scan:
2024-02-09
Impact:
MEDIUM
Summary:
The article discusses a recent threat investigation conducted by eSentire’s Threat Response Unit (TRU). The investigation involved a suspicious ZIP archive containing an AnyDesk executable and a VBS file, delivered via a Discord CDN link. Further investigation revealed that the VBS file executed another VBS file hosted on paste[.]ee, which contained the DcRat malware. The DcRat malware had encrypted configuration and supported dynamic loading and execution of plugins. The final payload retrieved via the plugin was a VBS file containing the RemcosRAT malware and dynwrapx.dll. The RemcosRAT malware was injected into the winhlp32.exe process and allowed for remote control of the infected machine. The TRU team isolated the system and provided recommendations for protection against similar threats, such as user training and using Next-Gen AV or Endpoint Detection and Response tools. The section also includes indicators of compromise and references for further information.


Source:
https://www.esentire.com/blog/from-onlydcratfans-to-remcosrat

2024-02-09
SolarMarker_infections
LOW

Intel Source:
Esentire
Intel Name:
SolarMarker_infections
Date of Scan:
2024-02-09
Impact:
LOW
Summary:
The article discusses the increasing prevalence of SolarMarker infections and the evolving tactics of the threat actor behind it. The eSentire Threat Response Unit (TRU) has been tracking SolarMarker since 2021 and has observed a significant increase in infections since November 2023. The threat actor has been using Inno Setup and PS2EXE tools to generate payloads, with recent payloads being modified using string replacements. The article also includes details on the PowerShell script used by SolarMarker, the loading of second-stage payloads, and the addition of junk instructions and byte arrays to evade detection. The TRU team recommends implementing controls such as Endpoint Detection and Response (EDR) solutions and security awareness training to protect against SolarMarker. The article also provides indicators of compromise and decrypted payloads for reference.


Source:
https://www.esentire.com/blog/the-oncoming-wave-of-solarmarker

2024-02-09
New_Zardoor_backdoor_used_in_the_cyber_espionage_operation
LOW

Intel Source:
Cisco Talos
Intel Name:
New_Zardoor_backdoor_used_in_the_cyber_espionage_operation
Date of Scan:
2024-02-09
Impact:
LOW
Summary:
The article discusses a new cyber espionage campaign, known as Zardoor, targeting an Islamic non-profit organization. The campaign uses a previously unreported malware family and advanced techniques to maintain access to the victim’s network without detection. The article provides details on the execution flow of the Zardoor backdoor and how the threat actor maintains persistence using a dropper and malicious DLL files. It also describes the use of reverse proxy tools to bypass network security measures and provides information on how to detect and block this threat. The article concludes with a list of MITRE ATT&CK techniques used by the threat actor and a list of IOCs for further investigation.


Source:
https://blog.talosintelligence.com/new-zardoor-backdoor/

2024-02-09
Attacks_on_Critical_Infrastructure_Exploiting_FortiOS_Vulnerabilities
LOW

Intel Source:
Fortinet
Intel Name:
Attacks_on_Critical_Infrastructure_Exploiting_FortiOS_Vulnerabilities
Date of Scan:
2024-02-09
Impact:
LOW
Summary:
Researchers from Fortinet alerted companies on Wednesday that APTs associated with China and other nations have been exploiting two known FortiOS vulnerabilities to enable attacks against critical infrastructure and other sectors.


Source:
https://www.fortinet.com/blog/psirt-blogs/importance-of-patching-an-analysis-of-the-exploitation-of-n-day-vulnerabilities

2024-02-09
A_New_Rust_Written_MacOS_Backdoor_Ties_to_Windows_Ransomware
LOW

Intel Source:
Bitdefender
Intel Name:
A_New_Rust_Written_MacOS_Backdoor_Ties_to_Windows_Ransomware
Date of Scan:
2024-02-09
Impact:
LOW
Summary:
Researchers at Bitdefender have uncovered a brand-new backdoor that targets macOS users. This previously undocumented malware family is written in Rust and has a number of interesting properties. All detected files are distributed directly as FAT binaries containing Mach-O files for both x86_64 Intel and ARM architectures, and the backdoor appears to pose as a Visual Studio update.


Source:
https://www.bitdefender.com/blog/labs/new-macos-backdoor-written-in-rust-shows-possible-link-with-windows-ransomware-group/

2024-02-09
The_HijackLoader_Expands_Its_Evasion_Techniques
LOW

Intel Source:
Crowdstrike
Intel Name:
The_HijackLoader_Expands_Its_Evasion_Techniques
Date of Scan:
2024-02-09
Impact:
LOW
Summary:
Researchers at CrowdStrike have discovered that, as more threat actors use the loader malware known as HijackLoader to deliver additional payloads and tooling, the threat actors behind it have developed new defense evasion techniques.


Source:
https://www.crowdstrike.com/blog/hijackloader-expands-techniques/

2024-02-09
The_malicious_use_of_maldocs
LOW

Intel Source:
Checkpoint
Intel Name:
The_malicious_use_of_maldocs
Date of Scan:
2024-02-09
Impact:
LOW
Summary:
The article discusses the use of maldocs, or malicious documents, in spreading malware. It introduces the concept of maldocs and provides examples of different types of malware. The article also focuses on old and well-known CVEs used in Microsoft Word and Excel, and their continued threat to the cyber community. It discusses the techniques used by maldoc operators to evade detection and the challenges faced by researchers in analyzing them. The article concludes by emphasizing the need for different methods to deal with maldocs and providing resources for further reading.


Source:
https://research.checkpoint.com/2024/maldocs-of-word-and-excel-vigor-of-the-ages/

2024-02-09
Exploitation_of_Confluence_Server_Vulnerability_CVE_2023_22527
LOW

Intel Source:
ArcticWolf
Intel Name:
Exploitation_of_Confluence_Server_Vulnerability_CVE_2023_22527
Date of Scan:
2024-02-09
Impact:
LOW
Summary:
Researchers from Arctic Wolf have seen evidence of the C3RB3R ransomware and a number of other malicious payloads being deployed after exploitation of the CVE-2023-22527 vulnerability. CVE-2023-22527 is being used by a number of threat actors to deliver remote access trojans and cryptocurrency miners.


Source:
https://arcticwolf.com/resources/blog-uk/exploitation-of-confluence-server-vulnerability-cve-2023-22527-leading-to-c3rb3r-ransomware/

2024-02-08
A_Malicious_Python_Scripts_Targeting_Windows_Users
LOW

Intel Source:
ISC.SANS
Intel Name:
A_Malicious_Python_Scripts_Targeting_Windows_Users
Date of Scan:
2024-02-08
Impact:
LOW
Summary:
Researchers at ISC.SANS have identified a threat where malicious Python scripts are employed by threat actors to target Windows users, incorporating a keylogger. The recorded keystrokes are transmitted to a basic TCP connection established with the command and control server (C2), lacking any form of encryption, essentially sending raw keycodes.


Source:
https://isc.sans.edu/diary/rss/30632

2024-02-08
The_PAPERWALL_malicious_campaign
LOW

Intel Source:
Citizenlab
Intel Name:
The_PAPERWALL_malicious_campaign
Date of Scan:
2024-02-08
Impact:
LOW
Summary:
The article discusses the PAPERWALL network, a large and fast-growing network of Chinese websites posing as local news outlets. It provides information on the number of websites targeting various countries and the high-confidence host IP addresses. The article also discusses the attribution of PAPERWALL to a Chinese PR firm and the evidence linking it to the websites. It also mentions the use of hypestat.com to measure website traffic and the negligible traffic for most PAPERWALL domains. The article highlights the network’s tactics, including the use of commercial press releases to disseminate pro-Beijing disinformation and ad hominem attacks. It also discusses the potential impact of these influence operations and the role of private firms in managing them. The article provides a breakdown of the types of content published on the PAPERWALL websites, including conspiracy theories, Chinese state media reposts, and scraping of local mainstream media. It also discusses the infrastructure and hosting of these websites, as well as the small number of content author names used. The article concludes by listing the confirmed domains and targeted countries, as well as acknowledging the research support and peer review from various individuals and organizations.


Source:
https://citizenlab.ca/2024/02/paperwall-chinese-websites-posing-as-local-news-outlets-with-pro-beijing-content/

2024-02-08
The_Raspberry_Robin_worm
LOW
+

Intel Source:
Checkpoint
Intel Name:
The_Raspberry_Robin_worm
Date of Scan:
2024-02-08
Impact:
LOW
Summary:
The article discusses the latest version of the malware Raspberry Robin and its evasion techniques, including NtTraceEvent hooking and new evasion tricks. It also explains the changes in the malware’s lateral movement logic and communication method. The article provides a comparison between the previous and current versions of the malware and describes its persistence method. It also discusses the ongoing threat of Raspberry Robin and how Check Point customers remain protected against it. The article includes a detailed analysis of the first stage of the malware and its use of APIs. It also provides a list of IOCs and onion domains associated with the malware.


Source:
https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/

2024-02-08
The_Golang_Stealer_Troll_and_GoBear_Backdoor
LOW
+

Intel Source:
S2W Blog
Intel Name:
The_Golang_Stealer_Troll_and_GoBear_Backdoor
Date of Scan:
2024-02-08
Impact:
LOW
Summary:
S2W threat researchers have discovered a new malware sample associated with the Kimsuky group, named Troll Stealer. It is distributed through a dropper disguised as SGA Solutions’ Trusted PKI installer. Troll Stealer is capable of stealing the GPKI folder on infected systems, indicating a potential focus on devices within administrative and public organizations in South Korea. Furthermore, the identification of additional malware signed with the same legitimate certificate raises the possibility of future distributions using that certificate.


Source:
https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2

2024-02-08
Avast_Q4_2023_Threat_Report
LOW
+

Intel Source:
Avast
Intel Name:
Avast_Q4_2023_Threat_Report
Date of Scan:
2024-02-08
Impact:
LOW
Summary:
The Avast Q4/2023 Threat Report provides a comprehensive overview of the cyber threat landscape in the fourth quarter of 2023. It covers both desktop and mobile threats, highlighting the significant increase in blocked attacks and the resurgence of Qakbot. The report also discusses the use of Google OAuth API for malicious activities and the rise of malicious coinmining. It also covers the evolving mobile threat landscape, including the resurgence of the Chameleon banker and the spread of SpyLoans on the PlayStore. The report concludes with predictions for 2024 and emphasizes Avast’s commitment to ensuring the safety of its users. The methodology used in the report is also explained, including the calculation of the “risk ratio” to measure the severity of specific threats. The report also discusses the prevalence and impact of RATs, rootkits, and web-based threats on mobile devices. It also covers the growing trend of mobile scams and the use of cell phones for online presence management. The report also highlights the dangers of adware and the need for dynamic and adaptive measures to counter it. It also discusses the prevalence of financial and dating scams, as well as the increase in fake online shops and phishing scams targeting post-holiday online shoppers. The report also mentions the use of standard tools and vulnerabilities by rootkits and APT groups, as well as Avast’s efforts to address scam push notifications. It also discusses the distribution of malicious mods for popular messaging apps and the risk ratio for mobile spyware. The report also provides insights into the prevalence and impact of bots and coinminers, with a focus on specific threats and countries. Overall, the report highlights the constantly evolving and sophisticated nature of cyber threats and the need for increased cybersecurity measures to protect against them.


Source:
https://decoded.avast.io/threatresearch/avast-q4-2023-threat-report/

2024-02-08
Abuse_of_Squirrel_Installation_by_Multi_Stage_Banking_Trojan
LOW
+

Intel Source:
Securelist
Intel Name:
Abuse_of_Squirrel_Installation_by_Multi_Stage_Banking_Trojan
Date of Scan:
2024-02-08
Impact:
LOW
Summary:
Securelist researchers have discovered a new malware that is targeting consumers of over 60 banking institutions, primarily in Brazil. Using a variety of cutting-edge technologies, it differs from well-known banking Trojan attacks.


Source:
https://securelist.com/coyote-multi-stage-banking-trojan/111846/

2024-02-08
BlueShell_Targeting_Linux_Systems_in_Korean_Attacks
LOW
+

Intel Source:
ASEC
Intel Name:
BlueShell_Targeting_Linux_Systems_in_Korean_Attacks
Date of Scan:
2024-02-08
Impact:
LOW
Summary:
ASEC researchers have identified ongoing attacks on Korean Linux systems, where the BlueShell backdoor malware, upon installation, grants the threat actor full control over the compromised system.


Source:
https://asec.ahnlab.com/en/61549/

2024-02-08
Its_Not_A_Comeback_of_KV_Botnet
LOW
+

Intel Source:
Lumen
Intel Name:
Its_Not_A_Comeback_of_KV_Botnet
Date of Scan:
2024-02-08
Impact:
LOW
Summary:
According to Black Lotus Labs, since users are unlikely to notice an impact or possess the required monitoring forensic tools to detect an infection, KV-botnet attackers will likely continue to use medium- to high-bandwidth devices as a springboard in the geographic areas of their targets. Additionally, the Federal Bureau of Investigation (FBI) carried out a court-authorized takedown of the KV-botnet in early December 2023, according to a press release from the Department of Justice (DOJ).


Source:
https://blog.lumen.com/kv-botnet-dont-call-it-a-comeback/?utm_source=rss&utm_medium=rss&utm_campaign=kv-botnet-dont-call-it-a-comeback

2024-02-08
The_analysis_of_a_new_Clipper_dubbed_XPhase
LOW
+

Intel Source:
Cyble
Intel Name:
The_analysis_of_a_new_Clipper_dubbed_XPhase
Date of Scan:
2024-02-08
Impact:
LOW
Summary:
The article discusses a new malware campaign, known as the “Doppelganger Dilemma,” which targets cryptocurrency users through deceptive websites and mimicking legitimate crypto applications. The campaign primarily targets Indian users but also has phishing sites tailored to Russian users. The malware, named “XPhase Clipper,” intercepts and modifies cryptocurrency wallet addresses copied by users. The campaign is linked to a previous phishing campaign and is believed to be carried out by the same threat actor. The article also highlights the use of a deceptive YouTube channel and provides technical analysis of the campaign. The abstract introduces the concept of adaptability and resourcefulness in sustaining cyber attacks, and the article concludes with recommendations for cybersecurity best practices and indicators of compromise for detecting the XPhase Clipper malware.


Source:
https://cyble.com/blog/doppelganger-dilemma-new-xphase-clippers-proliferation-via-deceptive-crypto-sites-and-cloned-youtube-videos/

2024-02-08
A_malvertising_campaign_on_Facebook_still_on
LOW
+

Intel Source:
Malwarebytes
Intel Name:
A_malvertising_campaign_on_Facebook_still_on
Date of Scan:
2024-02-08
Impact:
LOW
Summary:
The article discusses a Facebook scam that has been ongoing for almost a year and is now appearing in different languages. The scam involves fake posts about fatal accidents and prompts users to click on a link, leading to malicious websites. The scammers use different tactics to target users based on their location and device. Tips on how to protect oneself from falling victim to this scam are provided, such as checking for unknown apps and enabling two-factor authentication. Malwarebytes’ efforts to block these malicious websites are also mentioned, along with their Identity Theft Protection service as a way to safeguard personal information.


Source:
https://www.malwarebytes.com/blog/news/2024/02/facebook-fatal-accident-scam-still-rages-on

2024-02-07
The_compromise_of_the_IT_environments_of_multiple_critical_infrastructures_by_Volt_Typhoon
HIGH
+

Intel Source:
CISA
Intel Name:
The_compromise_of_the_IT_environments_of_multiple_critical_infrastructures_by_Volt_Typhoon
Date of Scan:
2024-02-07
Impact:
HIGH
Summary:
CISA, NSA, and FBI released a joint Cybersecurity Advisory about People’s Republic of China (PRC) state-sponsored cyber actors who are seeking to disrupt IT networks through cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States. It was based on observations from the U.S. authoring agencies’ incident response activities at critical infrastructure organizations compromised by the PRC state-sponsored cyber group known as Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus). The U.S. authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations, primarily in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors, in the continental and non-continental United States and its territories, including Guam.


Source:
https://www.cisa.gov/news-events/cybersecurity-advisories?f%5B0%5D=advisory_type%3A65&f%5B1%5D=advisory_type%3A93&f%5B2%5D=advisory_type%3A94
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
https://www.cisa.gov/news-events/analysis-reports/ar24-038a

2024-02-07
Jenkins_CVE_2024_23897_RCE
LOW
+

Intel Source:
Splunk
Intel Name:
Jenkins_CVE_2024_23897_RCE
Date of Scan:
2024-02-07
Impact:
LOW
Summary:
This article discusses the recent discovery of a critical security vulnerability in Jenkins servers, which are commonly used for continuous integration and deployment in software development. The vulnerability, known as CVE-2024-23897, allows attackers to read files from the server’s file system without authentication. The Splunk Threat Research Team has developed security analytics and hunting queries to help defenders protect against this exploit. The article provides an overview of the exploit and how it works, as well as a sample query for detecting it in Jenkins logs. It also discusses the use of a reverse proxy and logging Jenkins logs in Splunk for enhanced security. The author, Michael Haag, is also mentioned, along with references for further information.


Source:
https://www.splunk.com/en_us/blog/security/security-insights-jenkins-cve-2024-23897-rce.html

2024-02-07
The_Distribution_of_Zephyr_CoinMiner
LOW
+

Intel Source:
ASEC
Intel Name:
The_Distribution_of_Zephyr_CoinMiner
Date of Scan:
2024-02-07
Impact:
LOW
Summary:
The ASEC BLOG has discovered a CoinMiner targeting Zephyr cryptocurrency, distributed through a compressed file named “WINDOWS_PY_M3U_EXPLOIT_2024.7z.” The file creates scripts and executables, including an NSIS installer and two JavaScript files, executed via wscript.exe. The executable “x.exe” contains a compressed file and a legitimate “7za.exe” file, which, when decompressed with a specific password, creates two more AutoIt script files acting as a CoinMiner. Users are advised to be cautious when downloading files from unknown sources and to update their anti-malware solutions. The malware is detected by V3 and IOC information is provided for further investigation.


Source:
https://asec.ahnlab.com/en/61164/

2024-02-07
The_distribution_of_Qshing_Emails
LOW
+

Intel Source:
F1tym1
Intel Name:
The_distribution_of_Qshing_Emails
Date of Scan:
2024-02-07
Impact:
LOW
Summary:
The article discusses the distribution of Qshing emails, which are disguised as payslips and lead to malicious apps or phishing sites when a QR code is scanned. The sender email address is forged to appear legitimate, but the actual address can be seen in the email header. Scanning the QR code redirects users to a phishing site that prompts for personal information and can result in financial losses. The article provides IOC information and encourages users to subscribe to AhnLab’s threat intelligence platform for more information.


Source:
https://f1tym1.com/2024/02/02/distribution-of-qshing-emails-disguised-as-payslips/

2024-02-07
The_fake_version_of_WhatsApp_linked_to_a_spyware
LOW
+

Intel Source:
Vice
Intel Name:
The_fake_version_of_WhatsApp_linked_to_a_spyware
Date of Scan:
2024-02-07
Impact:
LOW
Summary:
Researchers have discovered a fake version of WhatsApp created by a spyware vendor, Cy4Gate, to gather information from iPhone users. The fake app was designed to trick users into installing a configuration file that could potentially collect data from their device. The company has a history of developing surveillance products and the fake WhatsApp page shared an encryption certificate with other domains associated with Cy4Gate. Although the company denied involvement, the researchers believe it is likely their product. The article also discusses Cy4Gate’s Epeius product, which is designed for targeted surveillance and data collection.


Source:
https://www.vice.com/en/article/akdqwa/a-spyware-vendor-seemingly-made-a-fake-whatsapp-to-hack-targets

2024-02-07
Lazarus_KandyKorn_malicious_DNS
LOW
+

Intel Source:
Infoblox
Intel Name:
Lazarus_KandyKorn_malicious_DNS
Date of Scan:
2024-02-07
Impact:
LOW
Summary:
The article discusses the importance of early detection of malicious domains in preventing cyber attacks. It introduces Infoblox’s DNS Early Detection Program, which uses proprietary techniques to identify potentially malicious domains and compares its analysis with data from public open source intelligence and commercial threat intelligence feeds. The program’s findings and role in identifying suspicious domains are highlighted, along with an analysis of a phishing campaign by CSIRT KNF. The methodology used in the analysis and the advantages of using Infoblox’s suspicious domain data are also discussed. The article is written by a senior product marketing manager at Infoblox with experience in cybersecurity.


Source:
https://blogs.infoblox.com/cyber-threat-intelligence/dns-for-early-detection-global-postal-services-phishing-campaign/

2024-02-07
Analysis_of_phishing_campaign_disguised_as_a_famous_Korean_portal_login_page
LOW
+

Intel Source:
ASEC
Intel Name:
Analysis_of_phishing_campaign_disguised_as_a_famous_Korean_portal_login_page
Date of Scan:
2024-02-07
Impact:
LOW
Summary:
The article discusses a recent phishing case where a fake login page was disguised as a popular Korean portal website. The threat actor collected login credentials and client information through the phishing page and used a legitimate plugin-type service to obtain more data. The article provides IOC information and advises caution when using login pages linked to emails from unknown sources.


Source:
https://asec.ahnlab.com/en/61130/

2024-02-07
A_Comprehensive_Analysis_of_Black_Hunt_Ransomware
LOW
+

Intel Source:
Rapid7
Intel Name:
A_Comprehensive_Analysis_of_Black_Hunt_Ransomware
Date of Scan:
2024-02-07
Impact:
LOW
Summary:
The article provides a comprehensive analysis of the Black Hunt ransomware, a new variant that was first reported in 2022. The article discusses the ransomware’s features and capabilities, including its ability to encrypt various file extensions and evade detection by checking for debugging and targeting specific countries. It also explores the ransomware’s code and functionality, including its encryption process, spreading mechanisms, and use of MITRE ATT&CK techniques. The article also provides an overview of the ransomware’s malicious activities, such as modifying the Windows registry, disabling security measures, and inhibiting system recovery. It concludes with a list of indicators of compromise and a technical analysis of the ransomware’s code.


Source:
https://www.rapid7.com/blog/post/2024/02/05/exploring-the-not-so-secret-code-of-blackhunt-ransomware-2/

2024-02-06
APAC_Job_Seekers_Data_Compromised_In_Massive_Breach
LOW
+

Intel Source:
GROUP-IB
Intel Name:
APAC_Job_Seekers_Data_Compromised_In_Massive_Breach
Date of Scan:
2024-02-06
Impact:
LOW
Summary:
GROUP-IB researchers have discovered that ResumeLooters successfully targeted a minimum of 65 websites in 2023, using straightforward techniques such as SQL injection and XSS. The threat actor sought to insert XSS scripts into all accessible forms, with the intention of executing them on administrators’ devices to acquire admin credentials.


Source:
https://www.group-ib.com/blog/resumelooters/

2024-02-06
The_Second_Round_of_Ivanti_Connect_Secure_VPN_ZeroDay_Exploitation
HIGH
+

Intel Source:
Cybereason
Intel Name:
The_Second_Round_of_Ivanti_Connect_Secure_VPN_ZeroDay_Exploitation
Date of Scan:
2024-02-06
Impact:
HIGH
Summary:
Researchers from Cybereason have investigated instances in which recently discovered zero-day vulnerabilities in Ivanti VPN appliances were exploited. These vulnerabilities were not patched at the time of disclosure. On January 10, 2024, Ivanti urged users to implement quick mitigations for two significant vulnerabilities impacting their Connect Secure and Policy Secure systems, identified as CVE-2023-46805 and CVE-2024-21887. A third party published a Proof of Concept (PoC) on January 16, 2024, which led to an increase in the scope of exploitation. In addition to the existing threat, Ivanti disclosed two additional vulnerabilities on January 31st: CVE-2024-21888, which is a privilege escalation flaw, and CVE-2024-21893, which is an SSRF web vulnerability. These vulnerabilities increase the need for action and heightened security awareness while the manufacturer continues to work on developing and delivering suitable mitigations.


Source:
https://www.cybereason.com/blog/threat-alert-ivanti-connect-secure-vpn-zero-day-exploitation

2024-02-06
C2_Hosting_Using_EtherHiding_by_SmartGaft
LOW
+

Intel Source:
QiAnXin X Laboratory
Intel Name:
C2_Hosting_Using_EtherHiding_by_SmartGaft
Date of Scan:
2024-02-06
Impact:
LOW
Summary:
Researchers from XLab have obtained Smargaft bot samples for two different versions of each of the three CPU architectures: ARM, MIPS, and X86/64. The ability of these versions to spread like worms is the main distinction between them. In general, Smargaft functions quite simply. It verifies the current user when it runs on a compromised device; if it’s root, it starts additional scanning and propagation tasks. After that, it manipulates the watchdog to stop the device from restarting and binds to a local port to guarantee that only one instance is running at a time. It then initiates five actions, including using smart contracts to obtain C2, launching DDoS attacks, and maintaining persistence on the device. Lastly, Smargaft cycles through these duties at predetermined intervals while operating in an endless loop.


Source:
https://blog.xlab.qianxin.com/smargaft_abusing_binance-smart-contracts_en/

2024-02-06
The_Public_Information_and_Spam_Email
LOW
+

Intel Source:
ISC.SANS
Intel Name:
The_Public_Information_and_Spam_Email
Date of Scan:
2024-02-06
Impact:
LOW
Summary:
Multiple organizations make their contact details available to the public so that people can ask for assistance when they need it. This could be a list of all staff members’ public contacts or just general information. It should go without saying that having any information that is accessible to the public will make these accounts more vulnerable to spam or phishing emails.


Source:
https://isc.sans.edu/diary/Public+Information+and+Email+Spam/30620

2024-02-06
Scaly_Wolf_Attacks_Russian_Business_With_White_Snake_Stealer
LOW
+

Intel Source:
BI.ZONE
Intel Name:
Scaly_Wolf_Attacks_Russian_Business_With_White_Snake_Stealer
Date of Scan:
2024-02-06
Impact:
LOW
Summary:
Researchers from BI.ZONE have connected the Scaly Wolf group to at least ten campaigns. Russian companies across a range of industries, including manufacturing and logistics, faced attacks. One of the group’s quirks is that they send phishing emails pretending to be from Russian government agencies in order to obtain initial access. Purported demands from Roskomnadzor, the Russian Federation’s Investigative Committee, and the Military Prosecutor’s Office of the Russian Federation are among the lures in the criminals’ phishing arsenal. Attackers occasionally disguise the emails as commercial offers.


Source:
https://bi.zone/expertise/blog/scaly-wolf-primenyaet-stiler-white-snake-protiv-rossiyskoy-promyshlennosti/

2024-02-06
New_Trojan_Tools_Used_by_APT_K_47_Group
LOW
+

Intel Source:
SeeBug
Intel Name:
New_Trojan_Tools_Used_by_APT_K_47_Group
Date of Scan:
2024-02-06
Impact:
LOW
Summary:
Researchers from SeeBug have discovered that the APT-K-47 group used an undisclosed Trojan tool. Following a successful intrusion, the tool downloads additional malicious payloads and ORPCBackdoor, traverses disk directories to steal target files, and then sends the data back to the command and control server (C2). Simultaneously, the group transmitted the password information back after stealing it from the target computer’s browser.


Source:
https://paper.seebug.org/3115/

2024-02-06
Alleged_Medibank_Hacker_Aleksandr_Ermakov
LOW
+

Intel Source:
Krebsonsecurity
Intel Name:
Alleged_Medibank_Hacker_Aleksandr_Ermakov
Date of Scan:
2024-02-06
Impact:
LOW
Summary:
The article discusses the recent financial sanctions imposed on Russian man Aleksandr Ermakov for his alleged involvement in the hacking of Australian health insurance company Medibank. Ermakov is believed to have worked with the ransomware group REvil and is accused of stealing and leaking sensitive data of 10 million customers. The article provides information on Ermakov’s aliases, his connection to REvil, and his involvement in other cybercrime activities. It also mentions his affiliation with a Russian technology firm and his connection to a cybercriminal known as “Rescator.” The article also discusses the potential impact of the sanctions on Ermakov’s life and the challenges he may face in Russia as a result.


Source:
https://krebsonsecurity.com/2024/01/who-is-alleged-medibank-hacker-aleksandr-ermakov/

2024-02-06
Kimsuky_APT_Evolving_Tactics_targeted_Cyber_Espionage_Campaign
LOW
+

Intel Source:
MP.WEIXIN.QQ
Intel Name:
Kimsuky_APT_Evolving_Tactics_targeted_Cyber_Espionage_Campaign
Date of Scan:
2024-02-06
Impact:
LOW
Summary:
Kimsuky APT, known for targeting South Korean military, expands cyber espionage to government entities. Recent tactics involve deceptive LNK files, with a focus on the financial sector. The group employs advanced techniques, including cloud services for communication, indicating an evolving threat landscape. Cybersecurity vigilance is crucial in countering Kimsuky’s sophisticated and fileless attacks.


Source:
https://mp.weixin.qq.com/s?__biz=Mzg2NjgzNjA5NQ%3D%3D&mid=2247522061&idx=1&sn=22e56ee213d9e5229371ad3e082ebfab

2024-02-06
Stately_Taurus_Cyber_Espionage_in_Myanmar
LOW
+

Intel Source:
CSIRT-CTI
Intel Name:
Stately_Taurus_Cyber_Espionage_in_Myanmar
Date of Scan:
2024-02-06
Impact:
LOW
Summary:
Between November 2023 and January 2024, cybersecurity teams uncovered a series of cyber attacks by Stately Taurus targeting Myanmar’s military entities. The campaigns involved sophisticated malware delivery through phishing, using tactics like DLL hijacking and Cobalt Strike beacons. These efforts aimed at espionage against the Myanmar military, leveraging political tensions as bait for their attacks. The operation’s complexity and targeted nature highlight the ongoing cyber threats from state-sponsored actors in the region.


Source:
https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/

2024-02-06
The_distribution_of_Python_Info_stealer
LOW
+

Intel Source:
Fortinet
Intel Name:
The_distribution_of_Python_Info_stealer
Date of Scan:
2024-02-06
Impact:
LOW
Summary:
In January 2024, FortiGuard Labs obtained an Excel document distributing an info-stealer related to a Vietnamese group first reported in August 2023. The attack uses simple downloaders to increase detection difficulty. The info-stealer collects browsers’ cookies and login data, compresses it, and sends it to the attacker’s Telegram bot.


Source:
https://www.fortinet.com/blog/threat-research/python-info-stealer-malicious-excel-document

2024-02-05
The_exploitation_of_compromised_routers_to_target_goverment_in_Europe_and_Caucasus
MEDIUM
+

Intel Source:
Harfanglab
Intel Name:
The_exploitation_of_compromised_routers_to_target_goverment_in_Europe_and_Caucasus
Date of Scan:
2024-02-05
Impact:
MEDIUM
Summary:
A look back at a malicious espionage campaign that targeted government organisations in Ukraine and Poland in the early 20th Century and may have been carried out by a threat actor known as APT28. HarfangLab identified additional malicious files and infrastructure which they believe with high confidence are part of the same campaign. The campaign targeted government organisations in Ukraine and Poland at least (and possibly in Azerbaijan as well), started on 2023-12-13 at the latest, and abused legitimate Ubiquiti network devices as infrastructure. HarfangLab could not reliably link the described campaign with APT28 in particular.


Source:
https://harfanglab.io/en/insidethelab/compromised-routers-infrastructure-target-europe-caucasus/

2024-02-05
A_malware_campaign_infecting_cracked_macOS_apps
LOW
+

Intel Source:
SentinelOne
Intel Name:
A_malware_campaign_infecting_cracked_macOS_apps
Date of Scan:
2024-02-05
Impact:
LOW
Summary:
Researchers discovered a malware campaign infecting cracked macOS apps from torrent sites to install a backdoor for further malware delivery. The malware disables security settings and then uses Python scripts to achieve persistence and retrieve additional payloads.


Source:
https://www.sentinelone.com/blog/backdoor-activator-malware-running-rife-through-torrents-of-macos-apps/

2024-02-05
Examining_the_Newest_Stealer_Variant_of_Mispadu
LOW
+

Intel Source:
PaloAlto
Intel Name:
Examining_the_Newest_Stealer_Variant_of_Mispadu
Date of Scan:
2024-02-05
Impact:
LOW
Summary:
Researchers from Unit 42 have recently found activities linked to the covert infostealer known as Mispadu Stealer, which was first identified in 2019. In this instance, while searching for attempts to exploit the CVE-2023-36025 vulnerability, they came upon a family of infostealer malware that targets particular regions and URLs frequently associated with Mexican nationals.


Source:
https://unit42.paloaltonetworks.com/mispadu-infostealer-variant/

2024-02-05
Examining_New_Malware_Operation_Aimed_Against_Docker
LOW
+

Intel Source:
Cado Security
Intel Name:
Examining_New_Malware_Operation_Aimed_Against_Docker
Date of Scan:
2024-02-05
Impact:
LOW
Summary:
Researchers at Cado have discovered the Commando Cat malware campaign, which targets Docker API endpoints exposed to the public. Since the start of 2024, there have been two campaigns that have targeted Docker. The first was the malicious deployment of the 9hits traffic exchange application, the results of which were reported just a few weeks ago.


Source:
https://www.cadosecurity.com/the-nine-lives-of-commando-cat-analysing-a-novel-malware-campaign-targeting-docker/

2024-02-05
Diving_Deep_into_Pony_Malware
LOW
+

Intel Source:
RexorVc0
Intel Name:
Diving_Deep_into_Pony_Malware
Date of Scan:
2024-02-05
Impact:
LOW
Summary:
Pony, also called Fareit or Siplog, is a malware that is classified as a loader and stealer but may also be used as a botnet. It has been around for over a decade and is still in use. This notorious malware is still available for purchase, is still receiving upgrades, and has been used to launch other malware during attacks on victim infrastructures in addition to stealing confidential data.


Source:
https://rexorvc0.com/2024/02/04/Pony_Fareit/

2024-02-05
FritzFrog_Botnet_Currently_Using_Log4Shell_Bug
MEDIUM
+

Intel Source:
Akamai
Intel Name:
FritzFrog_Botnet_Currently_Using_Log4Shell_Bug
Date of Scan:
2024-02-05
Impact:
MEDIUM
Summary:
Akamai researchers have provided an explanation for the change in the FritzFrog botnet, which has been in existence since 2020. Typically, the botnet leverages brute-force attacks to breach SSH, a network connection protocol, in order to access servers and launch cryptominers. However, more recent versions now scan many system files on infected computers to identify targets that are very likely to be weak points for this attack.


Source:
https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell

2024-02-05
CrackedCantil_malware
LOW
+

Intel Source:
Any.Run
Intel Name:
CrackedCantil_malware
Date of Scan:
2024-02-05
Impact:
LOW
Summary:
AnyRun researchers dive into a recent case of something they call a “malware symphony.” It’s a way to describe how different types of malware can work together, sort of like instruments in an orchestra.


Source:
https://any.run/cybersecurity-blog/crackedcantil-breakdown/

2024-02-02
New_SUBTLE_PAWS_PowerShell_Backdoor_Drops_on_Ukraine
MEDIUM
+

Intel Source:
Securonix
Intel Name:
New_SUBTLE_PAWS_PowerShell_Backdoor_Drops_on_Ukraine
Date of Scan:
2024-02-02
Impact:
MEDIUM
Summary:
Securonix researchers have identified an ongoing campaign (tracked as STEADY#URSA) that is likely tied to Shuckworm and targets military personnel in Ukraine. Compressed files, probably delivered via phishing emails, are used to transmit the harmful payload. The study found that military jargon and references to Ukrainian cities were present in a large number of the samples. Given that the attack includes multiple TTPs that are only utilized by the group and have been mentioned in previous campaigns against the Ukrainian military, it is most likely connected to Shuckworm.


Source:
https://www.securonix.com/blog/security-advisory-steadyursa-attack-campaign-targets-ukraine-military/

2024-02-02
An_Incident_Occurred_During_Thanksgiving_2023
LOW
+

Intel Source:
Cloudflare
Intel Name:
An_Incident_Occurred_During_Thanksgiving_2023
Date of Scan:
2024-02-02
Impact:
LOW
Summary:
On November 23, 2023, Thanksgiving Day, Cloudflare discovered a threat actor on its self-hosted Atlassian server. Its security team shut down the threat actor’s access right away, launched an investigation, and on Sunday, November 26, invited CrowdStrike’s Forensic team to conduct their own independent investigation.


Source:
https://blog.cloudflare.com/thanksgiving-2023-security-incident

2024-02-02
Hackers_Establishing_Backdoor_Accounts_on_Linux
LOW
+

Intel Source:
ASEC
Intel Name:
Hackers_Establishing_Backdoor_Accounts_on_Linux
Date of Scan:
2024-02-02
Impact:
LOW
Summary:
Attack campaigns that involve installing a backdoor account on unmanaged Linux SSH servers have been identified for a long time. Threat actors will have the option to either sell the credentials they have gathered from the compromised systems on the dark web or utilize the extra backdoor accounts to later install malware strains like ransomware, CoinMiners, and DDoS bots on the compromised system.


Source:
https://asec.ahnlab.com/en/61185/

2024-02-01
A_new_variant_of_VileRAT_malware
LOW
+

Intel Source:
Stairwell
Intel Name:
A_new_variant_of_VileRAT_malware
Date of Scan:
2024-02-01
Impact:
LOW
Summary:
Last month, Stairwell’s research team observed a new variant of VileRAT that has been circulating since August 2023. Prompted by public reports and filename detections, the analysis showed that this variant is being distributed through fake software piracy sites in order to infect systems broadly.


Source:
https://stairwell.com/resources/technical-analysis-the-silent-torrent-of-vilerat/

2024-02-01
A_recent_Nitrogen_malware_campaign
LOW
+

Intel Source:
Malwarebytes
Intel Name:
A_recent_Nitrogen_malware_campaign
Date of Scan:
2024-02-01
Impact:
LOW
Summary:
Malwarebytes in their blog analyzed a recent Nitrogen campaign and how the initial payload is being served to victims. The threat actors prefer to host their payloads on compromised WordPress sites, many of which are already hacked with malicious PHP shell scripts.


Source:
https://www.malwarebytes.com/blog/threat-intelligence/2024/01/nitrogen-shelling-malware-from-hacked-sites

2024-02-01
KRUSTYLOADER_RUST_malware_analysis
LOW
+

Intel Source:
Synacktiv
Intel Name:
KRUSTYLOADER_RUST_malware_analysis
Date of Scan:
2024-02-01
Impact:
LOW
Summary:
On 18 January, Volexity published new evidence of compromised Ivanti Connect Secure instances, including hashes of Rust payloads downloaded onto the compromised instances. Synacktiv shared in their article a malware analysis of these previously unidentified Rust payloads, which they labeled KrustyLoader.


Source:
https://www.synacktiv.com/publications/krustyloader-rust-malware-linked-to-ivanti-connectsecure-compromises

2024-02-01
A_novel_cryptojacking_campaign_Commando_Cat
LOW
+

Intel Source:
Cado Security
Intel Name:
A_novel_cryptojacking_campaign_Commando_Cat
Date of Scan:
2024-02-01
Impact:
LOW
Summary:
Cado researchers have recently observed a new malware campaign, called “Commando Cat”, which targets exposed Docker API endpoints. This is the second campaign targeting Docker since the start of 2024, the first being the malicious deployment of the 9hits traffic exchange application.


Source:
https://www.cadosecurity.com/the-nine-lives-of-commando-cat-analysing-a-novel-malware-campaign-targeting-docker/

2024-02-01
Over_2000_PCs_in_Ukraine_Impacted_by_DIRTYMOE
MEDIUM
+

Intel Source:
CERT-UA
Intel Name:
Over_2000_PCs_in_Ukraine_Impacted_by_DIRTYMOE
Date of Scan:
2024-02-01
Impact:
MEDIUM
Summary:
DIRTYMOE has been known for over five years as a modular malware that provides tools for remote computer access; it is primarily (though not only) employed for mining and DDoS attacks. Initial compromise typically occurs through widely used software bundled with an MSI installer. A rootkit installed with the backdoor hinders the removal of its components from the file system and registry when the system is in normal mode.


Source:
https://cert.gov.ua/article/6277422

2024-02-01
A_large_scale_campaign_called_ApateWeb
LOW
+

Intel Source:
Palo Alto
Intel Name:
A_large_scale_campaign_called_ApateWeb
Date of Scan:
2024-02-01
Impact:
LOW
Summary:
Unit 42 researchers discovered a large-scale campaign they call ApateWeb that uses a network of over 130,000 domains to deliver scareware, potentially unwanted programs (PUPs), and other scam pages. Among these PUPs, they identified several adware programs, including a rogue browser and various browser extensions.


Source:
https://unit42.paloaltonetworks.com/apateweb-scareware-pup-delivery-campaign/

2024-01-31
The_Russian_Opposition_Faces_New_Campaign
LOW
+

Intel Source:
Cluster25
Intel Name:
The_Russian_Opposition_Faces_New_Campaign
Date of Scan:
2024-01-31
Impact:
LOW
Summary:
Researchers from Cluster25 have discovered a recently launched campaign that is probably connected to a Russian APT group. The spear-phishing emails used in this effort targeted organizations that supported Russian dissident movements and were publicly critical of the Russian government, both inside and outside the country.


Source:
https://blog.cluster25.duskrise.com/2024/01/30/russian-apt-opposition

2024-01-31
The_Hidden_Depths_of_USB_Malware
LOW
+

Intel Source:
Mandiant
Intel Name:
The_Hidden_Depths_of_USB_Malware
Date of Scan:
2024-01-31
Impact:
LOW
Summary:
Mandiant researchers have discovered a distinct evolution in the TTPs from the campaign’s early stages, commencing with the use of the explorer.ps1 payload featuring a custom decoding scheme. This progressed to the adoption of asymmetric encryption, accompanied by the incorporation of device tracking capabilities.


Source:
https://www.mandiant.com/resources/blog/unc4990-evolution-usb-malware

2024-01-31
China_linked_hackers_target_Myanmar_s_top_ministries
MEDIUM
+

Intel Source:
CSIRT-CTI
Intel Name:
China_linked_hackers_target_Myanmar_s_top_ministries
Date of Scan:
2024-01-31
Impact:
MEDIUM
Summary:
Mustang Panda, the China-based threat actor, has targeted Myanmar’s Ministry of Defence and Ministry of Foreign Affairs as part of twin campaigns designed to deploy backdoors and remote access trojans.


Source:
https://csirt-cti.net/2024/01/23/stately-taurus-targets-myanmar/

2024-01-31
An_Attack_Using_Stealth_And_Brute_Force
LOW
+

Intel Source:
TrendMicro
Intel Name:
An_Attack_Using_Stealth_And_Brute_Force
Date of Scan:
2024-01-31
Impact:
LOW
Summary:
TrendMicro researchers have found that Pawn Storm remains unwavering in its pursuit to breach the networks and email accounts of high-profile targets worldwide. The group initially employed brute-force attacks from dedicated servers and later integrated more anonymization layers like commercial VPN services and Tor.


Source:
https://www.trendmicro.com/en_us/research/24/a/pawn-storm-uses-brute-force-and-stealth.html

2024-01-31
The_Grandoreiro_banking_trojan_operation
LOW
+

Intel Source:
Welivesecurity
Intel Name:
The_Grandoreiro_banking_trojan_operation
Date of Scan:
2024-01-31
Impact:
LOW
Summary:
ESET has provided technical analysis, statistical information, and known command and control (C&C) server domain names and IP addresses. Due to a design flaw in Grandoreiro’s network protocol, ESET researchers were also able to get a glimpse into the victimology.


Source:
https://www.welivesecurity.com/en/eset-research/eset-takes-part-global-operation-disrupt-grandoreiro-banking-trojan/

2024-01-31
The_Return_of_TA576
LOW
+

Intel Source:
Proofpoint
Intel Name:
The_Return_of_TA576
Date of Scan:
2024-01-31
Impact:
LOW
Summary:
Researchers at Proofpoint have discovered the reappearance of TA576, a cybercriminal threat actor that targets accounting and finance companies in particular with tax-themed lures. This actor mostly targets North American organizations with low-volume email campaigns and is only active during the first few months of the year, during tax season in the United States. In every campaign, the actor tries to distribute remote access trojans (RATs) and replies to emails asking for help with tax preparation.


Source:
https://www.proofpoint.com/us/blog/threat-insight/security-brief-tis-season-tax-hax

2024-01-30
Albabat_Ransomware_roundup
MEDIUM
+

Intel Source:
Fortinet
Intel Name:
Albabat_Ransomware_roundup
Date of Scan:
2024-01-30
Impact:
MEDIUM
Summary:
FortiGuard Labs analysts researched a ransomware variant that caught their attention, called Albabat. Albabat, also known as White Bat, is a financially motivated ransomware variant written in Rust that finds and encrypts files important to the user and demands a ransom to release them. It first appeared in November 2023. The affected platform is Microsoft Windows and the impacted parties are Microsoft Windows users.


Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-albabat

2024-01-30
MSIX_installers_deliver_malware_payloads
LOW
+

Intel Source:
Red Canary
Intel Name:
MSIX_installers_deliver_malware_payloads
Date of Scan:
2024-01-30
Impact:
LOW
Summary:
Starting in July 2023, Red Canary began investigating a series of attacks by adversaries leveraging MSIX files to deliver malware. The adversaries in each intrusion appeared to be using malicious advertising or SEO poisoning to draw in victims, who believed that they were downloading legitimate software such as Grammarly, Microsoft Teams, Notion, and Zoom.


Source:
https://redcanary.com/blog/msix-installers/

2024-01-30
Examining_DarkGate_Loader_in_Depth
LOW
+

Intel Source:
Cybereason
Intel Name:
Examining_DarkGate_Loader_in_Depth
Date of Scan:
2024-01-30
Impact:
LOW
Summary:
Researchers at Cybereason have looked at incidents involving the modular loader known as DarkGate Loader, which is delivered via phishing emails and is responsible for delivering post-exploitation payloads. Threat actors use the DarkGate Loader AutoIt script to deliver an encrypted payload, which the script decrypts and injects into various processes. Ultimately, DarkGate Loader leads to the use of post-exploitation tools such as Meterpreter and Cobalt Strike.


Source:
https://www.cybereason.com/hubfs/dam/collateral/reports/darkgate-threat-alert.pdf

2024-01-30
Attacker_of_Trigona_Ransomware_Using_Mimic_Ransomware
LOW
+

Intel Source:
ASEC
Intel Name:
Attacker_of_Trigona_Ransomware_Using_Mimic_Ransomware
Date of Scan:
2024-01-30
Impact:
LOW
Summary:
ASEC researchers discovered a new way that the threat actor behind the Trigona ransomware is installing Mimic ransomware. Similar to previous instances, the newly discovered attack focuses on MS-SQL servers and is noteworthy for exploiting the MS-SQL servers’ Bulk Copy Program (BCP) feature to install malware.


Source:
https://asec.ahnlab.com/en/61000/

2024-01-30
Microsoft_Teams_Delivers_DarkGate_Malware
MEDIUM
+

Intel Source:
AT&T and PaloAlto
Intel Name:
Microsoft_Teams_Delivers_DarkGate_Malware
Date of Scan:
2024-01-30
Impact:
MEDIUM
Summary:
Although the majority of end users are probably aware of the risks associated with traditional phishing attacks, such as those that arrive by email or other media, many are probably not aware that Microsoft Teams chats could also be a source of phishing attacks. While most Teams activity takes place within an organization, Microsoft by default permits users to add people from outside the organization to their Teams chats. This feature has, somewhat unsurprisingly, given bad actors a new way to take advantage of unsuspecting or inexperienced users.


Source:
https://cybersecurity.att.com/blogs/security-essentials/darkgate-malware-delivered-via-microsoft-teams-detection-and-response https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-12-IOCs-for-DarkGate-from-Teams-chat.txt

2024-01-30
A_Deep_Dive_into_Alpha_Ransomware
LOW
+

Intel Source:
Netenrich
Intel Name:
A_Deep_Dive_into_Alpha_Ransomware
Date of Scan:
2024-01-30
Impact:
LOW
Summary:
Netenrich researchers provided updates on Alpha ransomware, a completely different group than ALPHV ransomware, which has recently emerged with the launch of its Dedicated/Data Leak Site on the dark web and an initial listing of six victims’ data.


Source:
https://netenrich.com/blog/alpha-ransomware-a-deep-dive-into-its-operations

2024-01-30
The_malicious_URL_file_uses
LOW
+

Intel Source:
Inquest
Intel Name:
The_malicious_URL_file_uses
Date of Scan:
2024-01-30
Impact:
LOW
Summary:
Inquest shared their details about the exploration of URL files, and their resurgence in the threat space as various vulnerabilities and exposures have led to adversaries finding utility in this simple file type.


Source:
https://inquest.net/blog/shortcut-to-malice-url-files/

2024-01-30
Zloader_Returned_With_New_Iteration
LOW
+

Intel Source:
Zscaler
Intel Name:
Zloader_Returned_With_New_Iteration
Date of Scan:
2024-01-30
Impact:
LOW
Summary:
Zscaler researchers have discovered that Zloader has come back with an updated version, signaling a potential increase in ransomware attacks. The latest iteration of Zloader includes significant enhancements to its loader module, incorporating RSA encryption, an improved Domain Generation Algorithm (DGA), and advanced obfuscation techniques. Additionally, the malware now employs more junk code, API import hashing, and string encryption, making it more resilient against malware analysis.


Source:
https://www.zscaler.com/blogs/security-research/zloader-no-longer-silent-night

2024-01-29
An_Additional_Phobos_Ransomware_Variant_Initiates_an_Attack
LOW
+

Intel Source:
Fortinet
Intel Name:
An_Additional_Phobos_Ransomware_Variant_Initiates_an_Attack
Date of Scan:
2024-01-29
Impact:
LOW
Summary:
Researchers from FortiGuard Labs have discovered an Office document that includes a VBA script meant to spread the FAUST ransomware, a variant of Phobos. The attackers used the Gitea service to store many Base64-encoded files, each containing a malicious binary. These files launch a file encryption attack once they are loaded into a system’s memory.


Source:
https://www.fortinet.com/blog/threat-research/phobos-ransomware-variant-launches-attack-faust

2024-01-29
Persistent_Cyber_Threats_Targeting_Mexican_Entities
LOW
+

Intel Source:
Blackberry
Intel Name:
Persistent_Cyber_Threats_Targeting_Mexican_Entities
Date of Scan:
2024-01-29
Impact:
LOW
Summary:
The BlackBerry Threat Research and Intelligence team has found that cyber attackers are consistently targeting Mexican organizations for financial gain. They abuse legitimate Mexican government resources as lures, such as the IDSE software update document and the IMSS payment system SIPARE.


Source:
https://blogs.blackberry.com/en/2024/01/mexican-banks-and-cryptocurrency-platforms-targeted-with-allakore-rat

2024-01-29
Russian_APT_Operation_Star_Blizzard
MEDIUM
+

Intel Source:
SOC Radar
Intel Name:
Russian_APT_Operation_Star_Blizzard
Date of Scan:
2024-01-29
Impact:
MEDIUM
Summary:
Star Blizzard operates in the ever-evolving cyber threat arena with measured precision. Its spear-phishing campaigns are meticulously planned and executed. This elusive group, with a level of tradecraft akin to that of seasoned professionals, methodically selects specific individuals and groups as its intended targets.


Source:
https://socradar.io/russian-apt-operation-star-blizzard/

2024-01-29
Attackers_Exploiting_Publicly_Exposed_RDP_Host
MEDIUM
+

Intel Source:
The DFIR Report
Intel Name:
Attackers_Exploiting_Publicly_Exposed_RDP_Host
Date of Scan:
2024-01-29
Impact:
MEDIUM
Summary:
Researchers at The DFIR Report observed threat actors in late December 2022 taking advantage of a publicly accessible Remote Desktop Protocol server, which resulted in the exfiltration of data and the deployment of the Trigona ransomware. The threat actors spread ransomware throughout the network on Christmas Eve, just three hours after they first gained access.


Source:
https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/

2024-01-29
A_Batch_File_Holding_Several_Payloads
LOW
+

Intel Source:
ISC.SANS
Intel Name:
A_Batch_File_Holding_Several_Payloads
Date of Scan:
2024-01-29
Impact:
LOW
Summary:
Although most people consider Windows batch files (.bat) to be extremely basic, they can actually be fairly complex or contain intriguing encoded payloads. Researchers discovered one that was being run by a PowerShell process and contained several encoded payloads. The trick lies in how comments are added to these kinds of files: “REM” is the default (or most popular) keyword for this.


Source:
https://isc.sans.edu/diary/rss/30592

2024-01-26
An_ongoing_phishing_campaign_spreads_with_an_Atomic_Stealer_version
MEDIUM
+

Intel Source:
Cyble
Intel Name:
An_ongoing_phishing_campaign_spreads_with_an_Atomic_Stealer_version
Date of Scan:
2024-01-26
Impact:
MEDIUM
Summary:
Cyble researchers discovered a new version of AMOS Stealer distributed through websites posing as legitimate Mac applications, including Parallels Desktop, CleanMyMac, Arc Browser, and Pixelmator. Earlier this year, the AMOS stealer was circulating via Google Ads, which served as its main distribution method.


Source:
https://cyble.com/blog/uncovering-atomic-stealer-amos-strikes-and-the-rise-of-dead-cookies-restoration/

2024-01-25
The_BianLian_ransomware_group
MEDIUM
+

Intel Source:
Palo Alto
Intel Name:
The_BianLian_ransomware_group
Date of Scan:
2024-01-25
Impact:
MEDIUM
Summary:
The article discusses the detection and prevention of the BianLian encryptor and backdoor by Cortex XDR, as well as the use of SmartScore and protections offered by Palo Alto Networks. It also provides a list of IP addresses associated with the BianLian ransomware gang and additional resources for further information. The article also explores a potential connection between the BianLian and Makop ransomware groups and provides a technical analysis of the attack lifecycle of the BianLian group. It includes screenshots of alerts and prevention measures taken by Cortex XDR. The article also lists various codes and IP addresses related to the threat assessment of the malware.


Source:
https://unit42.paloaltonetworks.com/bianlian-ransomware-group-threat-assessment/

2024-01-25
New_China_Aligned_APT_Group_Called_Blackwood_Using_NSPX30_implants
MEDIUM
+

Intel Source:
Welivesecurity
Intel Name:
New_China_Aligned_APT_Group_Called_Blackwood_Using_NSPX30_implants
Date of Scan:
2024-01-25
Impact:
MEDIUM
Summary:
Researchers from ESET have presented a study of an attack carried out by Blackwood, a previously unidentified threat actor that they believe has been active since at least 2018. Blackwood is associated with China. Using adversary-in-the-middle (AitM) attacks, the attackers distribute a sophisticated implant they have named NSPX30. They do this by hijacking update requests made by legitimate software.


Source:
https://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005/

2024-01-25
Malware_Drops_From_Fake_NPM_Package
LOW
+

Intel Source:
Sonatype
Intel Name:
Malware_Drops_From_Fake_NPM_Package
Date of Scan:
2024-01-25
Impact:
LOW
Summary:
Researchers from Sonatype have discovered two npm packages, distube-config and discordyt, that mimic open source products such as Discord modules in an effort to infect Windows users with a Trojan.


Source:
https://blog.sonatype.com/fake-distube-config-npm-package-drops-windows-info-stealing-malware

2024-01-25
Mimicking_CherryTree_to_Deploy_PrawEsc_Exploits
LOW
+

Intel Source:
Arcticwolf
Intel Name:
Mimicking_CherryTree_to_Deploy_PrawEsc_Exploits
Date of Scan:
2024-01-25
Impact:
LOW
Summary:
According to Arctic Wolf researchers, the loader poses as the authentic CherryTree note-taking program through its name and symbol, tricking potential victims into installing it. They have found evidence of this new attack tool in two recent incidents.


Source:
https://arcticwolf.com/resources/blog/cherryloader-a-new-go-based-loader-discovered-in-recent-intrusions/

2024-01-25
Cactus_Ransomware_continued_activity
LOW
+

Intel Source:
Shadowstackre
Intel Name:
Cactus_Ransomware_continued_activity
Date of Scan:
2024-01-25
Impact:
LOW
Summary:
On January 20th, the Cactus ransomware group again targeted a large number of victims across different industries. The attacks were revealed by the publication of the victims’ data on the group’s leak site. The ransomware group constantly puts pressure on victims by revealing personal information about employees of the victim organization; this has included driver’s licenses, passports, pictures, and other personal identification.


Source:
https://www.shadowstackre.com/analysis/cactus

2024-01-25
The_Evolution_of_LODEINFO_Fileless_Malware
LOW
+

Intel Source:
ITOCHU Cyber & Intelligence Inc.
Intel Name:
The_Evolution_of_LODEINFO_Fileless_Malware
Date of Scan:
2024-01-25
Impact:
LOW
Summary:
ITOCHU Cyber & Intelligence Inc. researchers have discovered an updated variant of the LODEINFO backdoor, which is disseminated through spear-phishing attacks. Both new features and modifications to the anti-analysis (analysis avoidance) strategies have been added to the malware.


Source:
https://blog-en.itochuci.co.jp/entry/2024/01/24/134100

2024-01-25
An_Italian_Adaptive_Phishing_Campaign_called_MY_SLICE
LOW
+

Intel Source:
Security Affairs
Intel Name:
An_Italian_Adaptive_Phishing_Campaign_called_MY_SLICE
Date of Scan:
2024-01-25
Impact:
LOW
Summary:
A highly targeted phishing campaign last year targeted email account holders at Italian organizations under the alias “My slice,” a name taken from a variable in the landing page’s JavaScript code.


Source:
https://securityaffairs.com/157914/cyber-crime/my-slice-aitalian-adaptive-phishing-campaign.html

2024-01-24
Kasseika_Ransomware_Exploiting_LNK_Vulnerabilities
MEDIUM
+

Intel Source:
ASEC
Intel Name:
Kasseika_Ransomware_Exploiting_LNK_Vulnerabilities
Date of Scan:
2024-01-24
Impact:
MEDIUM
Summary:
AhnLab Security Intelligence Center exposes a stealthy attack leveraging a malicious Word document disguised as a .lnk shortcut file. The attack, featuring the notorious AsyncRAT (VenomRAT), uses PowerShell commands and external URLs to download and execute payloads. The malware disguises itself as a Korean company’s certificate, making detection challenging.


Source:
https://asec.ahnlab.com/en/60805/

2024-01-24
Parrot_TDS_malware_campaign
MEDIUM
+

Intel Source:
Palo Alto
Intel Name:
Parrot_TDS_malware_campaign
Date of Scan:
2024-01-24
Impact:
MEDIUM
Summary:
The article provides an overview of the Parrot TDS malware campaign, which has been active for over four years and continues to evolve with new techniques and obfuscations. The campaign targets victims globally and uses automatic tools to exploit known vulnerabilities, with the majority of compromised servers using WordPress, Joomla, or other content management systems. The article includes a list of codes and identifiers related to the campaign, as well as examples of the landing and payload scripts used. It also discusses the protections and mitigations offered by Palo Alto Networks and provides indicators of compromise for detecting and defending against malware.


Source:
https://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/

2024-01-24
Massive_Criminal_Affiliate_Program_by_Vextrio
LOW
+

Intel Source:
Infoblox
Intel Name:
Massive_Criminal_Affiliate_Program_by_Vextrio
Date of Scan:
2024-01-24
Impact:
LOW
Summary:
Researchers from Infoblox expose a complex web of affiliations within the cybercrime ecosystem, focusing on prominent actors like VexTrio, ClearFake, and SocGholish. Collaboratively researched with security expert Randy McEoin, the study reveals these entities’ involvement in malicious activities, particularly in operating traffic distribution systems (TDS). VexTrio, a major player, is identified as the most pervasive threat in customer networks, acting as a traffic broker for over 60 affiliates. The research sheds light on their unique TDS model, attack chains involving multiple actors, and their exploitation of referral programs. The findings emphasize the critical role of TDS enterprises in the vast cybercrime economy and advocate for increased industry collaboration to counter these threats effectively.


Source:
https://blogs.infoblox.com/cyber-threat-intelligence/cybercrime-central-vextrio-operates-massive-criminal-affiliate-program/

2024-01-23
MetaStealer_Malware_Targeting_US_Asylum_Seekers
LOW
+

Intel Source:
Cyble
Intel Name:
MetaStealer_Malware_Targeting_US_Asylum_Seekers
Date of Scan:
2024-01-23
Impact:
LOW
Summary:
Researchers at Cyble have discovered a ZIP archive that is downloaded from a URL and is likely shared via spam emails. Inside the ZIP package is a shortcut LNK file disguised as a PDF document. When the shortcut file is executed, a VPN application launches and uses DLL sideloading to load a hidden malicious DLL. Both the DLL and the VPN program are hidden within the ZIP file.


Source:
https://cyble.com/blog/threat-actors-target-us-asylum-seekers-with-metastealer-malware/

2024-01-23
Attackers_Using_GitHub_to_Store_Stolen_Data
LOW
+

Intel Source:
Reversing Labs
Intel Name:
Attackers_Using_GitHub_to_Store_Stolen_Data
Date of Scan:
2024-01-23
Impact:
LOW
Summary:
Two malicious packages on the npm open source package manager have been found by ReversingLabs researchers. These packages use GitHub to store stolen Base64-encrypted SSH keys taken from the developer workstations that installed them.


Source:
https://www.reversinglabs.com/blog/gitgot-cybercriminals-using-github-to-store-stolen-data

2024-01-23
Update_on_Atlassian_Exploit_Activity_of_critical_vulnerabilty_CVE_2023_22527
HIGH
+

Intel Source:
Project Discovery, ISC.SANS, Picus Security
Intel Name:
Update_on_Atlassian_Exploit_Activity_of_critical_vulnerabilty_CVE_2023_22527
Date of Scan:
2024-01-23
Impact:
HIGH
Summary:
Exploit activity against Atlassian Confluence servers has exploded over the last couple of days. The combination of a simple-to-exploit vulnerability and a large set of high-value targets makes this an ideal vulnerability for many attackers. On January 16, 2024, Atlassian disclosed a remote code execution vulnerability affecting Confluence Data Center and Confluence Server. CVE-2023-22527 is an OGNL injection vulnerability with a CVSS score of 10. This critical vulnerability poses a significant risk to organizations.


Source:
https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/
https://isc.sans.edu/diary/Scans%20Exploit%20Attempts%20for%20Atlassian%20Confluence%20RCE%20Vulnerability%20CVE-2023-22527/30576
https://isc.sans.edu/diary/0
https://www.picussecurity.com/resource/blog/cve-2023-22527-another-ognl-injection-leads-to-rce-in-atlassian-confluence

2024-01-23
Hackers_Targeting_Cybersecurity_Professionals
MEDIUM
+

Intel Source:
Sentinelone
Intel Name:
Hackers_Targeting_Cybersecurity_Professionals
Date of Scan:
2024-01-23
Impact:
MEDIUM
Summary:
Researchers at SentinelLabs have observed a campaign by ScarCruft, a suspected North Korea-based APT group, that targets prominent figures with knowledge of North Korean affairs as well as media outlets. ScarCruft is experimenting with new infection chains; one such trial used a technical threat research paper as a lure, presumably aimed at consumers of threat intelligence such as cybersecurity professionals.


Source:
https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/

2024-01-23
PyPI_Packages_That_Steal_Information
LOW
+

Intel Source:
Fortinet
Intel Name:
PyPI_Packages_That_Steal_Information
Date of Scan:
2024-01-23
Impact:
LOW
Summary:
Researchers from FortiGuard Labs have discovered a PyPI malware author (known only by the ID “WS”) who quietly uploads malicious packages to PyPI. According to their current estimates, there could be more than 2000 “WS” victims from the listed packages alone.


Source:
https://www.fortinet.com/blog/threat-research/info-stealing-packages-hidden-in-pypi

2024-01-23
New_Legitimate_Program_Unveiled_In_DLL_Side_Loading_Attack
LOW
+

Intel Source:
ASEC
Intel Name:
New_Legitimate_Program_Unveiled_In_DLL_Side_Loading_Attack
Date of Scan:
2024-01-23
Impact:
LOW
Summary:
AhnLab Security Intelligence Center (ASEC) reveals the Lazarus Group’s latest cyber threat tactic involving a new legitimate program, “wmiapsrv.exe,” discovered on January 12, 2024. This program, utilized in DLL side-loading attacks (T1574.002), loads modified malicious DLLs, such as “wbemcomn.dll” and “netutils.dll,” serving as backdoors. The verification routine in wbemcomn.dll involves unique system information, making this an Advanced Persistent Threat (APT) attack aimed at specific systems.


Source:
https://asec.ahnlab.com/en/60792/

2024-01-23
Ransomware_Kasseika_Using_BYOVD_Attacks
LOW
+

Intel Source:
TrendMicro
Intel Name:
Ransomware_Kasseika_Using_BYOVD_Attacks
Date of Scan:
2024-01-23
Impact:
LOW
Summary:
TrendMicro researchers have examined the Kasseika ransomware and the indications they discovered imply that the perpetrators had obtained the source code of the infamous BlackMatter ransomware.


Source:
https://www.trendmicro.com/en_us/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html

2024-01-22
Backdoor_in_macOS_Steals_Cryptowallets
LOW
+

Intel Source:
Securelist
Intel Name:
Backdoor_in_macOS_Steals_Cryptowallets
Date of Scan:
2024-01-22
Impact:
LOW
Summary:
Researchers at Securelist have discovered a previously unidentified type of macOS malware distributed through cracked software. The threat turned out to be far more serious than the unauthorized installation of a proxy server.


Source:
https://securelist.com/new-macos-backdoor-crypto-stealer/111778/

2024-01-22
Cryptomine_Exploit_Connect
MEDIUM
+

Intel Source:
Greynoise
Intel Name:
Cryptomine_Exploit_Connect
Date of Scan:
2024-01-22
Impact:
MEDIUM
Summary:
The article discusses a recent exploitation of Ivanti Connect Secure, a remote access product, to install cryptominers on affected systems. It details the files, file paths, and IP addresses involved in the exploit and recommends that organizations block the listed IPs. It also provides the decoded URL and shell script used in the attack, along with advice for detecting and preventing similar attacks. The author describes discovering the exploit and walks through the script, which checks for sudo privileges and creates a system service for the miner, and includes the miner’s configuration file and information on the pool it connects to.


Source:
https://www.greynoise.io/blog/ivanti-connect-secure-exploited-to-install-cryptominers

2024-01-22
SmokeLoader_Distribution_Aims_at_Ukrainian_Government_and_Businesses
MEDIUM
+

Intel Source:
ASEC
Intel Name:
SmokeLoader_Distribution_Aims_at_Ukrainian_Government_and_Businesses
Date of Scan:
2024-01-22
Impact:
MEDIUM
Summary:
Researchers from ASEC have found that the Ukrainian government and businesses are being hit by numerous SmokeLoader malware infections. Attacks on Ukraine appear to have grown in frequency recently. The Ukrainian Department of Justice, government agencies, insurance providers, healthcare providers, construction businesses, and manufacturing companies are among the targets confirmed thus far.


Source:
https://asec.ahnlab.com/en/60703/

2024-01-22
Using_Discord_Bot_for_advanced_info_stealer
LOW
+

Intel Source:
Trellix
Intel Name:
Using_Discord_Bot_for_advanced_info_stealer
Date of Scan:
2024-01-22
Impact:
LOW
Summary:
The article discusses a Java-based malware that is being spread through cracked software zip files. The malware uses a Discord bot channel as an EventListener to steal sensitive information from the victim’s system. The delivery mechanism and threat analysis of the malware are discussed, along with its capabilities of stealing various data from browsers and applications. The article also includes indicators of compromise and recommendations for protection against such threats.


Source:
https://www.trellix.com/about/newsroom/stories/research/java-based-sophisticated-stealer-using-discord-bot-as-eventlistener/

2024-01-22
Kuiper_Ransomware_s_advanced_capabilities
LOW
+

Intel Source:
Trellix
Intel Name:
Kuiper_Ransomware_s_advanced_capabilities
Date of Scan:
2024-01-22
Impact:
LOW
Summary:
Trellix researchers analyzed the threat actor’s sales post for Kuiper ransomware, its Windows, Linux, and macOS binaries, and the differences between versions. The version comparison is part of the technical analysis, and the analyzed files, their hashes, and detection information are listed at the end of the blog.


Source:
https://www.trellix.com/about/newsroom/stories/research/the-evolution-of-the-kuiper-ransomware/

2024-01-22
Attack_With_UAC_0050_Using_RemoteUtilities
LOW
+

Intel Source:
CERT-UA
Intel Name:
Attack_With_UAC_0050_Using_RemoteUtilities
Date of Scan:
2024-01-22
Impact:
LOW
Summary:
Researchers from CERT-UA have uncovered a mass distribution of emails purporting to come from the State Emergency Service of Ukraine and the State Special Communications Service. The emails, ostensibly about “evacuations” and “virus removal,” contained links to Bitbucket or a RAR archive.


Source:
https://cert.gov.ua/article/6277285

2024-01-22
The_Trust_in_Digitally_Signed_Certificates_Is_Not_Always_Secure
MEDIUM
+

Intel Source:
Stairwell
Intel Name:
The_Trust_in_Digitally_Signed_Certificates_Is_Not_Always_Secure
Date of Scan:
2024-01-22
Impact:
MEDIUM
Summary:
According to Stairwell threat researchers, “Hainan YouHu Technology Co. Ltd.” submitted the LaiXi file to Microsoft for signing. LaiXi is marketed as an application for social media content marketing and bulk administration of mobile devices, and can be downloaded for Windows and Android from dl.cnhack[.]com. The malicious sample examined came from a LaiXi_setup.exe file.


Source:
https://stairwell.com/resources/signed-sealed-but-not-always-secure-rethinking-trust-in-digitally-signed-certificates/

2024-01-22
Using_9Hits_Maliciously_on_Susceptible_Docker_Hosts
LOW
+

Intel Source:
Cado Security
Intel Name:
Using_9Hits_Maliciously_on_Susceptible_Docker_Hosts
Date of Scan:
2024-01-22
Impact:
LOW
Summary:
Researchers at Cado Security have observed a new campaign that targets exposed Docker services. The campaign deploys two containers on the vulnerable instance: one running the 9hits viewer application and one running a standard XMRig miner. This is the first reported instance of malware using the 9hits application as a payload.


Source:
https://www.cadosecurity.com/containerised-clicks-malicious-use-of-9hits-on-vulnerable-docker-hosts/

2024-01-22
Update_to_the_Chaes_malware
LOW
+

Intel Source:
Morphisec
Intel Name:
Update_to_the_Chaes_malware
Date of Scan:
2024-01-22
Impact:
LOW
Summary:
Morphisec Threat Labs has provided an analysis of Chae$ 4.1, an update to the Chaes Infostealer malware.


Source:
https://www.morphisec.com/hubfs/Chae$_Chronicles_Chaes4.1.pdf
https://blog.morphisec.com/chaes-chronicles

2024-01-20
A_malicious_Python_package_analysis
LOW
+

Intel Source:
Checkmarx
Intel Name:
A_malicious_Python_package_analysis
Date of Scan:
2024-01-20
Impact:
LOW
Summary:
Checkmarx researchers performed a deep analysis of a malicious Python package. Threat actors continue to target the open-source software ecosystem, not only because it represents one of the largest attack surfaces, but because it often escapes the vigilant eyes of organizations.


Source:
https://checkmarx.com/blog/when-the-hunter-becomes-the-hunted/

2024-01-20
A_malicious_Python_script_attacks_macOS_apps
LOW
+

Intel Source:
ISC.SANS
Intel Name:
A_malicious_Python_script_attacks_macOS_apps
Date of Scan:
2024-01-20
Impact:
LOW
Summary:
Xavier Mertens, an ISC SANS researcher, found a malicious Python script targeting cryptocurrency wallet applications on macOS. It searches the system for two applications, Exodus3 and Bitcoin Core.


Source:
https://isc.sans.edu/diary/rss/30572

2024-01-20
New_malware_embedded_in_pirated_macOS_applications
LOW
+

Intel Source:
Jamf
Intel Name:
New_malware_embedded_in_pirated_macOS_applications
Date of Scan:
2024-01-20
Impact:
LOW
Summary:
Jamf Threat Labs researchers recently analyzed malware they observed in pirated macOS applications. The apps resemble those used by the ZuRu malware: they download and execute multiple payloads in the background to compromise the machine.


Source:
https://www.jamf.com/blog/jtl-malware-pirated-applications/

2024-01-19
Stealthy_Godzilla_Webshell_Exploits_ActiveMQ_Vulnerability
MEDIUM
+

Intel Source:
Trustwave
Intel Name:
Stealthy_Godzilla_Webshell_Exploits_ActiveMQ_Vulnerability
Date of Scan:
2024-01-19
Impact:
MEDIUM
Summary:
Researchers at Trustwave have seen an increase in attacks that exploit vulnerabilities in Apache ActiveMQ hosts. In some cases, the compromised hosts serve malicious JavaServer Pages (JSP) web shells. The web shells evade security and signature-based scanners by being hidden inside an unrecognized binary format; notably, ActiveMQ’s JSP engine still compiles and runs the web shell even though the file’s format is unknown.


Source:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/apache-activemq-vulnerability-leads-to-stealthy-godzilla-webshell/
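
Added example (editor’s code, not from the Trustwave post): the web shell described above survives inside an unrecognized binary container because a JSP engine treats any bytes outside `<% ... %>` as template text and compiles the scriptlets regardless. A hunt therefore has to look for JSP markers in every file under the webapp tree, not just `*.jsp`. The scanner below does that and also reports whether the bytes before the first marker look like binary padding. The sample blobs and paths are constructed, and the list of class-loading API tokens is an assumed heuristic for Godzilla-style loaders rather than a signature from the post.

```python
"""Hunt for JSP code hidden inside non-JSP files in a webapp tree.

Added example (editor's code, not from the Trustwave post). The web shell
described there is JSP embedded in an unrecognised binary container; the
JSP engine still compiles it because bytes outside <% ... %> are just
template text. So this scanner looks for JSP markers in every file,
whatever its extension or leading bytes. Sample blobs and paths are
constructed; the API token list is an assumed heuristic.
"""
import os

JSP_MARKERS = (b"<%@", b"<%=", b"<%!", b"<%", b"<jsp:")
# Java APIs a class-loading web shell such as Godzilla relies on (assumed heuristic).
LOADER_TOKENS = (b"defineClass", b"ClassLoader", b"javax.crypto", b"getParameter", b"Runtime")

# Constructed: 68 non-text bytes, then a Godzilla-like class-loader stub.
BLOB_HIDDEN = bytes(range(0x80, 0xC0)) + b"\x00\x01\x02\x03" + (
    b'<%@ page import="java.util.*,javax.crypto.*" %>'
    b'<%! class U extends ClassLoader { U(ClassLoader c){super(c);} '
    b'Class g(byte[] b){return super.defineClass(b,0,b.length);} } %>'
    b'<% String p=request.getParameter("pass"); %>'
)
# Constructed: an ordinary JSP page.
BLOB_LEGIT = b'<%@ page contentType="text/html" %>\n<html><%= "hi" %></html>\n'


def looks_binary(prefix):
    """True if the bytes before the first JSP marker are not plain text."""
    if not prefix:
        return False
    text = sum(1 for b in prefix if 32 <= b < 127 or b in b"\r\n\t")
    return text / len(prefix) < 0.7


def scan_bytes(data, name="<memory>"):
    """Return a finding dict if JSP code is hiding in the file, else None."""
    offsets = [data.find(m) for m in JSP_MARKERS if m in data]
    if not offsets:
        return None
    first = min(offsets)
    reasons = []
    if not name.lower().endswith((".jsp", ".jspx")):
        reasons.append("JSP code in a non-JSP file")
    if looks_binary(data[:first]):
        reasons.append(f"{first} non-text bytes before the JSP code")
    if not reasons:
        return None  # ordinary JSP source; leave that to code review
    apis = [t.decode() for t in LOADER_TOKENS if t in data]
    return {"file": name, "offset": first, "reasons": reasons, "apis": apis}


def scan_tree(root):
    """Yield findings for every file under root (e.g. ActiveMQ's webapps/)."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            hit = scan_bytes(data, path)
            if hit:
                yield hit


if __name__ == "__main__":
    print(scan_bytes(BLOB_HIDDEN, "webapps/admin/images/logo.gif"))
    print(scan_bytes(BLOB_LEGIT, "webapps/admin/index.jsp"))
```

Run `scan_tree()` against the broker’s webapps and work directories; a hit whose reasons include binary padding in front of the scriptlet is the pattern the post describes, and the reported APIs tell you at a glance whether the page loads classes or runs commands.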

2024-01-19
A_new_stealer_named_Atlantida
LOW
+

Intel Source:
Rapid7
Intel Name:
A_new_stealer_named_Atlantida
Date of Scan:
2024-01-19
Impact:
LOW
Summary:
This month, Rapid7 observed a new stealer called Atlantida. Victims are lured into downloading a malicious file from a compromised website, and the infection chain uses techniques such as reflective loading and injection before the stealer itself is loaded. Atlantida has a wide range of capabilities: stealing login data from software such as Telegram and Steam, data from several offline cryptocurrency wallets, browser-stored data, and data from cryptocurrency wallet browser extensions. It also captures the victim’s screen and collects hardware information.


Source:
https://www.rapid7.com/blog/post/2024/01/17/whispers-of-atlantida-safeguarding-your-digital-treasure/

2024-01-19
The_use_of_TeamViewer_by_ransomware_deployment
LOW
+

Intel Source:
Huntress
Intel Name:
The_use_of_TeamViewer_by_ransomware_deployment
Date of Scan:
2024-01-19
Impact:
LOW
Summary:
Huntress security analysts recently warned their customers about two unrelated endpoints with low-impact ransomware activity. Investigation of each endpoint showed that initial access was achieved via TeamViewer.


Source:
https://www.huntress.com/blog/ransomware-deployment-attempts-via-teamviewer

2024-01-19
A_Russian_Threat_Group_Using_Malware_to_Target_Western_Officials
MEDIUM
+

Intel Source:
Google Blog
Intel Name:
A_Russian_Threat_Group_Using_Malware_to_Target_Western_Officials
Date of Scan:
2024-01-19
Impact:
MEDIUM
Summary:
Researchers from Google’s Threat Analysis Group (TAG) have examined a number of persistent threats, including COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto), a Russian threat group that specializes in credential phishing against prominent figures in NGOs, former military and intelligence officers, and NATO governments.


Source:
https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/

2024-01-19
New_Observations_of_Ivanti_Connect_Secure_VPN_Exploitation
MEDIUM
+

Intel Source:
Volexity, CISA
Intel Name:
New_Observations_of_Ivanti_Connect_Secure_VPN_Exploitation
Date of Scan:
2024-01-19
Impact:
MEDIUM
Summary:
Volexity shared details of new scanning and exploitation by threat actors using still non-public exploits to compromise devices. Volexity observed an increase in attacks from various threat actors against Ivanti Connect Secure VPN appliances beginning on January 16, 2024. Scanning for the GIFTEDVISITOR webshell led to the initial discovery of over 1,700 compromised Ivanti Connect Secure VPN devices, and UTA0178 was found to have modified the appliance’s built-in Integrity Checker Tool. CISA also issued an Emergency Directive on the Ivanti vulnerabilities.


Source:
https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/
https://www.cisa.gov/news-events/alerts/2024/01/19/cisa-issues-emergency-directive-ivanti-vulnerabilities

2024-01-19
AnyDesk_Installed_With_OScompatible_Package_by_Npm_Trojan
LOW
+

Intel Source:
Phylum
Intel Name:
AnyDesk_Installed_With_OScompatible_Package_by_Npm_Trojan
Date of Scan:
2024-01-19
Impact:
LOW
Summary:
A sophisticated remote access trojan was found being installed on infected Windows computers by a malicious package posted to the npm registry. The package, named “oscompatible,” was published on January 9, 2024 and was downloaded 380 times before being removed.


Source:
https://blog.phylum.io/npm-package-found-delivering-sophisticated-rat/

2024-01-19
An_analysis_of_the_DarkGate_AutoIt_Loader
LOW
+

Intel Source:
Splunk
Intel Name:
An_analysis_of_the_DarkGate_AutoIt_Loader
Date of Scan:
2024-01-19
Impact:
LOW
Summary:
The Splunk Threat researchers provided a deep analysis of DarkGate malware and its use of AutoIt in their blog.


Source:
https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html

2024-01-18
AI_generated_videos_attacked_Romania
LOW
+

Intel Source:
CyberGeeks
Intel Name:
AI_generated_videos_attacked_Romania
Date of Scan:
2024-01-18
Impact:
LOW
Summary:
CyberGeeks researchers continue to see AI-generated videos used as a threat across industries, and recently observed a YouTube ad presenting a “unique” opportunity to invest in stocks. The attackers used a legitimate podcast that had been modified with AI. The researchers concluded that the account promoting the unlisted video was compromised.


Source:
https://cybergeeks.tech/attackers-target-romania-using-ai-generated-videos/

2024-01-18
Hackers_Install_Mimo_CryptoMiner_And_Mimus_Ransomware
LOW
+

Intel Source:
ASEC
Intel Name:
Hackers_Install_Mimo_CryptoMiner_And_Mimus_Ransomware
Date of Scan:
2024-01-18
Impact:
LOW
Summary:
ASEC researchers have recently documented instances where the CoinMiner threat actor known as Mimo installed malware by exploiting various vulnerabilities. Mimo, also known as Hezb, was first discovered in March 2022, when it installed CoinMiners via Log4Shell exploitation.


Source:
https://asec.ahnlab.com/en/60440/

2024-01-18
A_new_variant_of_the_Mirai_malware_known_as_Rimasuta
MEDIUM
+

Intel Source:
Qianxin
Intel Name:
A_new_variant_of_the_Mirai_malware_known_as_Rimasuta
Date of Scan:
2024-01-18
Impact:
MEDIUM
Summary:
A new variant of the Mirai malware known as Rimasuta has resurfaced in samples captured by 360netlab in Japan, with a significant change to its encryption algorithm (it now uses ChaCha20).


Source:
https://blog.xlab.qianxin.com/rimasuta-new-variant-switches-to-chacha20-encryption-en/

2024-01-18
Info_Stealing_Malware_Potentially_Targeting_Indian_Air_Force
HIGH
+

Intel Source:
Cyble
Intel Name:
Info_Stealing_Malware_Potentially_Targeting_Indian_Air_Force
Date of Scan:
2024-01-18
Impact:
HIGH
Summary:
Researchers at Cyble have discovered a new espionage campaign that may be using a Go-based infostealer, which exfiltrates data via Slack, to steal information from the Indian Air Force. The unknown threat actor lured victims with phishing emails containing a link to a malicious .zip file purporting to provide information on Su-30 fighter jets, which India authorized purchasing last year as part of its defense modernization initiatives.


Source:
https://cyble.com/blog/cyber-espionage-attack-on-the-indian-air-force-go-based-infostealer-exploits-slack-for-data-theft/

2024-01-18
The_delivery_of_WorkersDevBackdoor
LOW
+

Intel Source:
eSentire
Intel Name:
The_delivery_of_WorkersDevBackdoor
Date of Scan:
2024-01-18
Impact:
LOW
Summary:
In November 2023, eSentire’s Threat Response Unit (TRU) detected WorkersDevBackdoor malware impacting a customer in business services industry. This malware spreads through malicious online ads, tricking users into downloading it by mimicking legitimate software. Once installed, it secretly collects sensitive information and provides backdoor access to the infected system.


Source:
https://www.esentire.com/blog/workersdevbackdoor-delivered-via-malvertising

2024-01-18
Spread_of_LockBit_Ransomware_Using_Word_Documents
MEDIUM
+

Intel Source:
ASEC
Intel Name:
Spread_of_LockBit_Ransomware_Using_Word_Documents
Date of Scan:
2024-01-18
Impact:
MEDIUM
Summary:
Researchers from ASEC have discovered that, starting last month, Word files are being used to spread LockBit ransomware. The malicious Word files masquerade as resumes, a lure LockBit has typically used. In 2022, LockBit was already observed spreading through external URLs embedded in Word documents.


Source:
https://asec.ahnlab.com/en/60633/

2024-01-18
A_Massive_Email_Campaign_Brings_TA866_Back
MEDIUM
+

Intel Source:
Proofpoint
Intel Name:
A_Massive_Email_Campaign_Brings_TA866_Back
Date of Scan:
2024-01-18
Impact:
MEDIUM
Summary:
Researchers at Proofpoint report that, after a nine-month hiatus, TA866 has reappeared in email campaign data. On January 11, 2024, Proofpoint blocked a large campaign of several thousand emails targeting North America. The invoice-themed emails carried PDF attachments with names like “Document_[10 digits].pdf” and subject lines such as “Project achievements.” The PDFs contained OneDrive URLs that, when clicked, started a chain of steps ending in the payload: a custom variant of WasabiSeed and Screenshotter.


Source:
https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta866-returns-large-email-campaign

2024-01-18
A_Detailed_Analysis_of_Aquabot
LOW
+

Intel Source:
Antiy
Intel Name:
A_Detailed_Analysis_of_Aquabot
Date of Scan:
2024-01-18
Impact:
LOW
Summary:
Researchers from Antiy CERT have discovered a new Mirai variant that targets a range of architectures, including x86, ARM, and MIPS. After infecting targets with weak passwords, it waits for commands to launch DDoS attacks. They named it Aquabot because the botnet’s file names are derived from “Aqua*”.


Source:
https://www.antiy.cn/research/notice&report/research_report/Aquabot.html

2024-01-18
High_Profile_Individuals_Targeted_by_Mint_Sandstorm_Campaign
MEDIUM
+

Intel Source:
Microsoft
Intel Name:
High_Profile_Individuals_Targeted_by_Mint_Sandstorm_Campaign
Date of Scan:
2024-01-18
Impact:
MEDIUM
Summary:
Microsoft researchers have been tracking a specific subset of Mint Sandstorm (PHOSPHORUS) since November 2023. This subset has been observed to target prominent persons who focus on Middle Eastern politics at universities and research institutions in Belgium, France, Gaza, Israel, the United Kingdom, and the United States. During this campaign, Mint Sandstorm attempted to trick targets into downloading infected files by using custom phishing lures. Microsoft discovered novel post-intrusion techniques in a few instances, including the introduction of a brand-new, specially designed backdoor known as MediaPl.


Source:
https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/

2024-01-18
An_Overview_of_VBS_Script_Driven_Campaigns
LOW
+

Intel Source:
McAfee
Intel Name:
An_Overview_of_VBS_Script_Driven_Campaigns
Date of Scan:
2024-01-18
Impact:
LOW
Summary:
Researchers at McAfee have observed a sophisticated campaign that uses obfuscated Visual Basic Script (VBS). It started as a campaign distributing AgentTesla and has developed into a multifaceted threat that uses VBS scripts as a flexible delivery system. The infection chain begins with an email-delivered VBS file, proceeds through PowerShell stages, and uses BitsTransfer to retrieve a second PowerShell script.


Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/from-email-to-rat-deciphering-a-vbs-script-driven-campaign/

2024-01-18
The_compromise_of_Cisco_devices_by_Volt_Typhoon
MEDIUM
+

Intel Source:
Security Score Card
Intel Name:
The_compromise_of_Cisco_devices_by_Volt_Typhoon
Date of Scan:
2024-01-18
Impact:
MEDIUM
Summary:
The Chinese state-sponsored group Volt Typhoon continues to actively compromise Cisco devices possibly affected by vulnerabilities publicly disclosed in 2019. Approximately 30% of the Cisco RV320/325 devices observed by SecurityScorecard over a 37-day period may have been compromised by Volt Typhoon. The RV320/325 vulnerability was publicly disclosed in January 2019; the devices are end-of-life, so Cisco has not released and will not release software updates to address it.


Source:
https://resources.securityscorecard.com/research/volt-typhoon

2024-01-17
Atomic_Stealer_First_MacOS_Threat_Unveiled
MEDIUM
+

Intel Source:
Russian Panda
Intel Name:
Atomic_Stealer_First_MacOS_Threat_Unveiled
Date of Scan:
2024-01-17
Impact:
MEDIUM
Summary:
Discovered in March 2023, Atomic Stealer (AMOS) is described as the first macOS-targeting stealer, sold with a panel for $3,000 per month. It offers keychain extraction, password retrieval, and browser data theft, and recently evolved to add encrypted strings and anti-VM checks. The threat minimizes its traces on infected devices, making it a formidable challenge.


Source:
https://russianpanda.com/2024/01/15/Atomic-Stealer-AMOS/

2024-01-17
Analysis_of_Keyholes
LOW
+

Intel Source:
Walmart Global Tech Blog
Intel Name:
Analysis_of_Keyholes
Date of Scan:
2024-01-17
Impact:
LOW
Summary:
Keyhole is a multipurpose VNC/backconnect component heavily used by Anubis and IcedID. Although some of its features have been documented as standard VNC and HDESK capabilities, little technical information is available about several of the other features it currently has.


Source:
https://medium.com/walmartglobaltech/keyhole-analysis-60302922aa03

2024-01-17
The_rise_of_infostealers_targeting_macOS
MEDIUM
+

Intel Source:
SentinelOne
Intel Name:
The_rise_of_infostealers_targeting_macOS
Date of Scan:
2024-01-17
Impact:
MEDIUM
Summary:
In this post, SentinelOne shares details on three active macOS infostealers (KeySteal, Atomic, and CherryPie) that are currently evading many static signature detection engines.


Source:
https://www.sentinelone.com/blog/the-many-faces-of-undetected-macos-infostealers-keysteal-atomic-cherrypie-continue-to-adapt/

2024-01-17
Facebook_Scammers_Exploit_BBC_Branding_in_Morbid_Scheme
LOW
+

Intel Source:
Malwarebytes
Intel Name:
Facebook_Scammers_Exploit_BBC_Branding_in_Morbid_Scheme
Date of Scan:
2024-01-17
Impact:
LOW
Summary:
In a recent Facebook scam, cybercriminals use BBC branding to lure victims into a morbid scheme. Posts claim the tragic loss of someone and link to a fake BBC news item about a fatal road accident, tagging Facebook friends to trigger curiosity. Clicking the link redirects users through several steps, likely fingerprinting the visitor along the way. The scam uses URLs of the form “BBCNEWS-{6 characters}.OMH4.XYZ.” During testing, the redirection led to a known source of pop-ups, potentially unwanted programs, and fraudulent sites. The article offers tips for avoiding Facebook scams: scrutinize URLs, verify with friends outside the platform, be cautious of “free” offers, keep the browser updated, change login credentials, and use browser protection tools. Users are encouraged to report suspicious posts to protect themselves and others.


Source:
https://www.malwarebytes.com/blog/news/2024/01/ill-miss-him-so-much-facebook-scam-uses-bbc-branding-to-lure-victims

2024-01-17
Microsoft_as_the_top_number_impersonated_brand
LOW
+

Intel Source:
Check Point
Intel Name:
Microsoft_as_the_top_number_impersonated_brand
Date of Scan:
2024-01-17
Impact:
LOW
Summary:
In the last quarter of 2023, Microsoft held the top spot as the most impersonated brand, accounting for 33% of all brand phishing attempts, and the technology sector stood out as the most targeted industry overall, Check Point researchers said.


Source:
https://blog.checkpoint.com/research/microsoft-returns-to-the-top-spot-as-the-most-imitated-brand-in-phishing-attacks-for-q4-2023/

2024-01-17
The_New_Botnet_RDDoS
LOW
+

Intel Source:
NSFocus Global
Intel Name:
The_New_Botnet_RDDoS
Date of Scan:
2024-01-17
Impact:
LOW
Summary:
NSFOCUS’s Global Threat Hunting System detected the widespread distribution of an unknown ELF file, leading to the identification of a new botnet named RDDoS. The botnet is primarily designed for launching DDoS attacks but also has command execution capabilities, which makes it a formidable threat. Its favored attack method is ICMP flooding, and the United States, Brazil, and France are its primary targets. The analysis finds the botnet relatively uncomplicated, but its continuous updates and iterations make it an evolving threat. NSFOCUS calls for heightened attention to emerging botnet families like RDDoS and ongoing monitoring, and offers its Anti-DDoS solution as a countermeasure.


Source:
https://nsfocusglobal.com/nsfocus-reveals-new-botnet-family-rddos/

2024-01-16
Azorult_malware_back
LOW
+

Intel Source:
Cyble
Intel Name:
Azorult_malware_back
Date of Scan:
2024-01-16
Impact:
LOW
Summary:
Cyble researchers observed renewed activity from Azorult, an information-stealing malware first identified in 2016. It can collect diverse data, including browsing history, cookies, login credentials, and cryptocurrency details.


Source:
https://cyble.com/blog/sneaky-azorult-back-in-action-and-goes-undetected/

2024-01-16
Threat_actors_deployed_an_Androxgh0st_malware
HIGH
+

Intel Source:
CISA
Intel Name:
Threat_actors_deployed_an_Androxgh0st_malware
Date of Scan:
2024-01-16
Impact:
HIGH
Summary:
The FBI and CISA released a joint cybersecurity advisory on threat actors deploying Androxgh0st malware. Androxgh0st has been observed establishing a botnet for victim identification and exploitation in target networks.


Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a
https://www.cisa.gov/sites/default/files/2024-01/aa24-016a-known-indicators-of-compromise-associated-with-adroxgh0st-malware_0.pdf

2024-01-16
Phemedrone_Malware_Dropped_by_Windows_SmartScreen_Bug
LOW
+

Intel Source:
TrendMicro
Intel Name:
Phemedrone_Malware_Dropped_by_Windows_SmartScreen_Bug
Date of Scan:
2024-01-16
Impact:
LOW
Summary:
Trend Micro researchers discovered a campaign distributing Phemedrone Stealer that exploits a Microsoft Defender SmartScreen vulnerability (CVE-2023-36025) to bypass Windows security prompts when opening Internet Shortcut (.url) files. This open-source infostealer focuses on extracting data from web browsers, cryptocurrency wallets, and applications such as Discord, Steam, and Telegram; the gathered data is sent to the attackers for further malicious use or sale to other threat actors.


Source:
https://www.trendmicro.com/en_us/research/24/a/cve-2023-36025-exploited-for-defense-evasion-in-phemedrone-steal.html

2024-01-16
Detailed_Analysis_of_Pure_Malware_Family
LOW
+

Intel Source:
ANY.RUN
Intel Name:
Detailed_Analysis_of_Pure_Malware_Family
Date of Scan:
2024-01-16
Impact:
LOW
Summary:
Researchers from ANY.RUN examined PureCrypter, one of the more unusual crypters, and PureLogs, a multipurpose stealer. They discovered several intriguing samples while reviewing public submissions: unusual traffic that appeared to be related to encryption of executable files with short keys, together with high-entropy TCP connections, piqued their interest.


Source:
https://any.run/cybersecurity-blog/pure-malware-family-analysis/

2024-01-15
Remcos_RAT_Distributing_via_Webhards
LOW
+

Intel Source:
ASEC
Intel Name:
Remcos_RAT_Distributing_via_Webhards
Date of Scan:
2024-01-15
Impact:
LOW
Summary:
Researchers from ASEC have discovered that webhards are being used to spread Remcos RAT disguised as adult games. In Korea, webhards and torrents are popular delivery channels for malware.


Source:
https://asec.ahnlab.com/en/60270/

2024-01-15
A_Mallox_Ransomware_Victim
LOW
+

Intel Source:
TrueSec
Intel Name:
A_Mallox_Ransomware_Victim
Date of Scan:
2024-01-15
Impact:
LOW
Summary:
The Mallox threat actor has a history of gaining initial access by exploiting vulnerable MSSQL servers. In this case, the first signs of the actor were found during analysis of an exposed MSSQL server: several dropper PowerShell scripts, “alta.ps1” for example, were found in the AppData directory of the service account running the SQL service.


Source:
https://www.truesec.com/hub/blog/a-victim-of-mallox-ransomware-how-truesec-csirt-fought-back

2024-01-12
UAC_0050_Armed_RemcosRAT_QuasarRAT_RemoteUtilities
MEDIUM
+

Intel Source:
CERT-UA
Intel Name:
UAC_0050_Armed_RemcosRAT_QuasarRAT_RemoteUtilities
Date of Scan:
2024-01-12
Impact:
MEDIUM
Summary:
CERT-UA researchers have identified and analyzed numerous emails carrying a ZIP archive attachment of the same name. The archive contains a TXT file holding the password and a password-protected multi-volume RAR archive.


Source:
https://cert.gov.ua/article/6277063

2024-01-12
FIFA_World_cyber_threats
LOW
+

Intel Source:
Trend Micro
Intel Name:
FIFA_World_cyber_threats
Date of Scan:
2024-01-12
Impact:
LOW
Summary:
Trend Micro describes its role in protecting the 2022 FIFA World Cup from cyber threats. It collaborated with law enforcement, particularly INTERPOL, to monitor and report malicious websites and scams related to the event, and shared its global threat intelligence to prevent attacks and mitigate risks. The article covers the threats discovered, including fake ticketing systems, live-streaming sites, survey scams, and crypto scams.


Source:
https://www.trendmicro.com/en_us/research/24/a/trend-micro-defends-fifa-world-cup-from-cyber-threats.html

2024-01-12
Denmark_and_Ukraines_Energy_Sector_Attacks
MEDIUM
+

Intel Source:
Forescout
Intel Name:
Denmark_and_Ukraines_Energy_Sector_Attacks
Date of Scan:
2024-01-12
Impact:
MEDIUM
Summary:
Forescout researchers have analyzed two newly publicized attacks targeting the energy sectors in Denmark and Ukraine. So far, the attacks have been linked, if tenuously, to the Russian military threat actor Sandworm, one of the most well-known APT organizations operating at the moment.


Source:
https://www.forescout.com/resources/clearing-the-fog-of-war/

2024-01-12
A_New_Exploit_Module_From_DreamBus_Releases_Metabase_Mayhem
LOW
+

Intel Source:
Zscaler
Intel Name:
A_New_Exploit_Module_From_DreamBus_Releases_Metabase_Mayhem
Date of Scan:
2024-01-12
Impact:
LOW
Summary:
Researchers from Zscaler ThreatLabz have been tracking the Linux-based DreamBus malware family. Apart from minor bug fixes and slight adjustments to evade security software, little has changed over the last several years; however, in the past six months the threat actor behind DreamBus has released two new modules that exploit vulnerabilities in Metabase and Apache RocketMQ.


Source:
https://www.zscaler.com/blogs/security-research/dreambus-unleashes-metabase-mayhem-new-exploit-module

2024-01-12
An_Analysis_of_Phishing_Email
LOW
+

Intel Source:
ISC.SANS
Intel Name:
An_Analysis_of_Phishing_Email
Date of Scan:
2024-01-12
Impact:
LOW
Summary:
An ISC SANS diary discusses how obfuscation works in malicious scripts. The author found a VBScript posing as a PDF document; as usual, it arrived as a ZIP archive attached to a phishing email, with the filename “rfw_po_docs_order_sheet_01_10_202400000000_pdf.vbs.”


Source:
https://isc.sans.edu/diary/One+File+Two+Payloads/30558/

2024-01-12
WordPress_Sites_Are_Infected_by_Balada_Injector
LOW
+

Intel Source:
Sucuri
Intel Name:
WordPress_Sites_Are_Infected_by_Balada_Injector
Date of Scan:
2024-01-12
Impact:
LOW
Summary:
In a campaign that began in mid-December, a little over 6,700 WordPress websites that used a vulnerable version of the Popup Builder plugin were compromised by the Balada Injector malware.


Source:
https://blog.sucuri.net/2024/01/thousands-of-sites-with-popup-builder-compromised-by-balada-injector.html

2024-01-12
The_Medusa_ransomware_capabilities
LOW
+

Intel Source:
Palo Alto
Intel Name:
The_Medusa_ransomware_capabilities
Date of Scan:
2024-01-12
Impact:
LOW
Summary:
Unit 42 describes the Medusa ransomware and its capabilities, including the use of two drivers to target specific security products and a customized tool for remote deployment. It also notes the use of remote scripting and of Cyrillic text in scripts, possibly reflecting the authors’ preferred language. The article lists the commands the ransomware runs to stop various services before it encrypts files, and describes its use of string encryption and RSA to protect the ransomware’s key. It covers the escalation of Medusa activity and its shift toward extortion, a Medusa incident handled by the Unit 42 Incident Response team, the protections and mitigations available to Palo Alto Networks customers, and the group’s tools and techniques, including webshells and defense evasion.


Source:
https://unit42.paloaltonetworks.com/medusa-ransomware-escalation-new-leak-site/

2024-01-11
Mac_users_facing_a_New_Year_threat_with_the_Obfuscated_Atomic_Stealer
LOW
+

Intel Source:
Malwarebytes
Intel Name:
Mac_users_facing_a_New_Year_threat_with_the_Obfuscated_Atomic_Stealer
Date of Scan:
2024-01-11
Impact:
LOW
Summary:
Malwarebytes researchers discovered an upgraded version of the Atomic Stealer, actively targeting Mac users through malicious ads on Google Search. This insidious threat is specifically designed to harvest passwords and other sensitive files that are usually restricted in access.


Source:
https://www.malwarebytes.com/blog/threat-intelligence/2024/01/atomic-stealer-rings-in-the-new-year-with-updated-version

2024-01-11
Ivanti_Connect_Secure_VPN_Exploited
MEDIUM
+

Intel Source:
Volexity
Intel Name:
Ivanti_Connect_Secure_VPN_Exploited
Date of Scan:
2024-01-11
Impact:
MEDIUM
Summary:
Researchers from Volexity have discovered that two vulnerabilities in Ivanti Connect Secure VPN devices allowing unauthenticated remote code execution are now being exploited in the wild.


Source:
https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/

2024-01-11
FBot_Malware_Targeting_Cloud_and_Payment_Services
LOW
+

Intel Source:
SentinelOne
Intel Name:
FBot_Malware_Targeting_Cloud_and_Payment_Services
Date of Scan:
2024-01-11
Impact:
LOW
Summary:
Researchers at SentinelLabs have discovered FBot, a Python-based hacking tool distinct from previously documented cloud malware families, which targets cloud services, SaaS platforms, and web servers, including Office 365, AWS, PayPal, SendGrid, and Twilio.


Source:
https://www.sentinelone.com/labs/exploring-fbot-python-based-malware-targeting-cloud-and-payment-services/

2024-01-10
Pikabot_Malware_Thirstily_Involved_In_Spam_Campaigns
HIGH

Intel Source:
TrendMicro
Intel Name:
Pikabot_Malware_Thirstily_Involved_In_Spam_Campaigns
Date of Scan:
2024-01-10
Impact:
HIGH
Summary:
TrendMicro researchers report that Pikabot is actively involved in spam campaigns that result in ransomware attacks using Black Basta. Pikabot consists of a loader and a core module that allows illegal remote access and the execution of arbitrary commands over an established connection with its C&C server; the operators use these two components to target victims through phishing campaigns.


Source:
https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html

2024-01-10
Storm_1152_used_their_CAPTCHA_cracking_capabilities
LOW

Intel Source:
Garwarner
Intel Name:
Storm_1152_used_their_CAPTCHA_cracking_capabilities
Date of Scan:
2024-01-10
Impact:
LOW
Summary:
Microsoft’s Digital Crimes Unit (DCU) posted a deep analysis of how it disrupts cybercrime. In the post they discuss the case against the hacking group called Storm-1152. The DCU team believes that Storm-1152 used its CAPTCHA-cracking capabilities to help other criminals create Microsoft email accounts, such as Hotmail and Outlook accounts, at massive scale. 750 million email accounts were created for illicit purposes.


Source:
https://garwarner.blogspot.com/2023/12/vietnams-massive-captcha-crackers-vs.html

2024-01-10
New_Year_themed_spam_emails_campaign
LOW

Intel Source:
Cyble
Intel Name:
New_Year_themed_spam_emails_campaign
Date of Scan:
2024-01-10
Impact:
LOW
Summary:
Cyble researchers discovered a ZIP archive file that could potentially spread through New Year-themed spam emails. The ZIP attachment contains a shortcut file disguised as a PNG image.


Source:
https://cyble.com/blog/festive-facade-dissecting-multi-stage-malware-in-new-year-themed-lure/

2024-01-10
User_agent_web_resource_connection
LOW

Intel Source:
ISC.SANS
Intel Name:
User_agent_web_resource_connection
Date of Scan:
2024-01-10
Impact:
LOW
Summary:
Jesse La Grew, an ISC SANS researcher, explains in his diary post how devices regularly connect to a variety of web resources, and how the user agent is one method of identifying what is connecting to a given web resource.


Source:
https://isc.sans.edu/diary/rss/30536

2024-01-10
Hackers_Targeting_YouTube_Channels_to_Scatter_Lumma_Stealer
LOW

Intel Source:
Fortinet
Intel Name:
Hackers_Targeting_YouTube_Channels_to_Scatter_Lumma_Stealer
Date of Scan:
2024-01-10
Impact:
LOW
Summary:
Researchers at FortiGuard Labs have identified a threat group using YouTube channels to spread a Lumma Stealer variant. The actor targets sensitive information, including user credentials, system details, browser data, and browser extensions.


Source:
https://www.fortinet.com/blog/threat-research/lumma-variant-on-youtube

2024-01-10
Syrian_Hackers_Distributing_Stealthy_C_Sharp_Based_Silver_RAT
LOW

Intel Source:
Cyfirma
Intel Name:
Syrian_Hackers_Distributing_Stealthy_C_Sharp_Based_Silver_RAT
Date of Scan:
2024-01-10
Impact:
LOW
Summary:
Researchers at Cyfirma have shed light on how RAT development is changing and on the nefarious actions carried out by threat actors going by the handle “Anonymous Arabic.” The researchers looked at Silver RAT, which is built in C# and can discreetly launch browsers, hidden apps, keyloggers, and other malicious programs while evading antivirus software.


Source:
https://www.cyfirma.com/outofband/a-gamer-turned-malware-developer-diving-into-silverrat-and-its-syrian-roots/

2024-01-10
Ducktail_and_Peeling_PowerShell_Layers
LOW

Intel Source:
Esentire
Intel Name:
Ducktail_and_Peeling_PowerShell_Layers
Date of Scan:
2024-01-10
Impact:
LOW
Summary:
The eSentire Threat Response Unit discovered a failed attempt to infect a customer’s employee with Ducktail malware; the attempt was directed at a digital marketing employee of a business services company. The employee received a private message on LinkedIn from Ducktail distributors, along with an attachment that opened a ZIP archive.


Source:
https://www.esentire.com/blog/ducktail-and-peeling-the-layers-of-powershell

2024-01-10
A_Novel_Advanced_Malware_Attack_on_Microsoft_Office
MEDIUM

Intel Source:
ForcePoint
Intel Name:
A_Novel_Advanced_Malware_Attack_on_Microsoft_Office
Date of Scan:
2024-01-10
Impact:
MEDIUM
Summary:
Researchers from Forcepoint X-Labs have discovered a sophisticated Microsoft Office-based attack that targets well-known corporate executives just before a nation’s general elections.


Source:
https://www.forcepoint.com/blog/x-labs/advanced-malware-attack-using-microsoft-office

2024-01-10
A_new_attack_targeting_Apache_Hadoop_and_Flink_applications
LOW

Intel Source:
Aquasec
Intel Name:
A_new_attack_targeting_Apache_Hadoop_and_Flink_applications
Date of Scan:
2024-01-10
Impact:
LOW
Summary:
The article discusses a new cyber attack targeting Apache Hadoop and Flink applications, which was uncovered by researchers at Aqua Nautilus. The attack involves the use of packers and rootkits to conceal the malware, making it difficult for traditional security defenses to detect. The attack exploits a misconfiguration in the ResourceManager of Hadoop YARN, allowing unauthenticated users to create and run applications.


Source:
https://blog.aquasec.com/threat-alert-apache-applications-targeted-by-stealthy-attacker

2024-01-10
Turkish_Hackers_Target_MSSQL_servers_to_deliver_MIMIC_Ransomware
MEDIUM

Intel Source:
Securonix
Intel Name:
Turkish_Hackers_Target_MSSQL_servers_to_deliver_MIMIC_Ransomware
Date of Scan:
2024-01-10
Impact:
MEDIUM
Summary:
Financially motivated Turkish threat actors appear to be actively targeting MSSQL servers in an effort to deliver MIMIC ransomware payloads. The Securonix Threat Research team has been monitoring an ongoing threat campaign, RE#TURGENCE, which involves the targeting and exploitation of MSSQL database servers to gain initial access. The threat actors appear to be targeting organizations in the US, EU, and LATAM countries.


Source:
https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-returgence-attack-campaign-turkish-hackers-target-mssql-servers-to-deliver-domain-wide-mimic-ransomware/

2024-01-10
Protection_analysis_against_GuLoader_and_RedLine_Stealer_malware
LOW

Intel Source:
Palo Alto
Intel Name:
Protection_analysis_against_GuLoader_and_RedLine_Stealer_malware
Date of Scan:
2024-01-10
Impact:
LOW
Summary:
Unit 42 (Palo Alto Networks) describes selected configuration protection techniques employed by two malware families: GuLoader and RedLine Stealer.


Source:
https://unit42.paloaltonetworks.com/malware-configuration-extraction-techniques-guloader-redline-stealer/#post-131796-_v8176g40kstn

2024-01-10
Deep_analysis_of_a_mining_threat_spreaded_through_a_YouTube
LOW

Intel Source:
Cyfirma
Intel Name:
Deep_analysis_of_a_mining_threat_spreaded_through_a_YouTube
Date of Scan:
2024-01-10
Impact:
LOW
Summary:
This comprehensive analysis delves into the dissemination of cryptocurrency miners through a YouTube channel. Examining the tactics employed, the report reveals a concerning trend of malicious actors leveraging popular video-sharing platforms to distribute mining threats. The study explores the various evasion techniques employed by threat actors to avoid detection. Additionally, it sheds light on the processes for generating resilient malware payloads.


Source:
https://www.cyfirma.com/outofband/decoding-the-cryptocurrency-malware-landscape-a-comprehensive-analysis-of-a-mining-threat-disseminated-through-a-youtube-channel/

2024-01-08
Dutch_IT_And_Telecom_Firms_Targeted_by_Turkish_Sea_Turtles_Group
LOW

Intel Source:
Hunt & Hackett
Intel Name:
Dutch_IT_And_Telecom_Firms_Targeted_by_Turkish_Sea_Turtles_Group
Date of Scan:
2024-01-08
Impact:
LOW
Summary:
Researchers from the Dutch security firm Hunt & Hackett have detected the cyber espionage group Sea Turtle (also known as Teal Kurma, Marbled Dust, SILICON, and Cosmic Wolf) targeting Kurdish websites, media, ISPs, telcos, and IT service providers in the Netherlands.


Source:
https://www.huntandhackett.com/blog/turkish-espionage-campaigns

2024-01-08
New_North_Korean_macOS_Backdoor
LOW

Intel Source:
Greg Lesnewich
Intel Name:
New_North_Korean_macOS_Backdoor
Date of Scan:
2024-01-08
Impact:
LOW
Summary:
A new backdoor for Apple macOS named SpectralBlur has been found by cybersecurity experts. It overlaps with a family of malware that is known to be associated with North Korean threat actors.


Source:
https://g-les.github.io/yara/2024/01/03/100DaysofYARA_SpectralBlur.html

2024-01-08
Unusual_Prometei_Botnet_Behavior
LOW

Intel Source:
ISC.SANS
Intel Name:
Unusual_Prometei_Botnet_Behavior
Date of Scan:
2024-01-08
Impact:
LOW
Summary:
ISC.SANS researchers have discovered that following several attempts at logging in with different usernames and passwords, the actor utilizing the IP


Source:
https://isc.sans.edu/diary/Suspicious+Prometei+Botnet+Activity/30538/

2024-01-08
Attacks_on_Ukrainian_Servicemen_Targeting_Recruitment_to_3rd_OSHBr_And_IDF
MEDIUM

Intel Source:
CERT-UA
Intel Name:
Attacks_on_Ukrainian_Servicemen_Targeting_Recruitment_to_3rd_OSHBr_And_IDF
Date of Scan:
2024-01-08
Impact:
MEDIUM
Summary:
Experts from TrendMicro notified CERT-UA of the discovery of suspicious files, the majority of which had military themes. Based on the information obtained, CERT-UA investigated a number of cyberattacks targeting soldiers of the Armed Forces of Ukraine under the pretense of recruiting for the Israel Defense Forces (IDF) and the 3rd Separate Assault Brigade.


Source:
https://cert.gov.ua/article/6276988

2024-01-05
JinxLoader_Delivers_Next_Stage_Malware_Like_Formbook_and_XLoader
LOW

Intel Source:
Palo Alto
Intel Name:
JinxLoader_Delivers_Next_Stage_Malware_Like_Formbook_and_XLoader
Date of Scan:
2024-01-05
Impact:
LOW
Summary:
Researchers from Symantec and Palo Alto Networks alerted us to the existence of JinxLoader, a new Go-based malware loader that is being used to spread next-stage payloads like XLoader and Formbook. The malware was noticed in November 2023, and it has reportedly been promoted on the hacking community Hackforums since April 30, 2023. The researchers detected an attack that employed phishing emails purporting to be from the Abu Dhabi National Oil Company (ADNOC).


Source:
https://twitter.com/Unit42_Intel/status/1730237085246775562

2024-01-05
Attack_by_Iranian_APT_using_wipers_on_Albania
MEDIUM

Intel Source:
ClearSkySec
Intel Name:
Attack_by_Iranian_APT_using_wipers_on_Albania
Date of Scan:
2024-01-05
Impact:
MEDIUM
Summary:
The Iranian psychological operation group “Homeland Justice” once more claimed to be eliminating “terrorist supporters” in a video, shared in Albanian, that was uploaded to its Telegram channel on December 24, 2023. The group has been active since July 2022, concentrating on ransomware and destructive activities directed at Albania. The next day, on its official website and Telegram channel, the actor declared that the computer systems and webpages of a number of Albanian infrastructure and government agencies had been totally compromised and erased.


Source:
https://www.clearskysec.com/wp-content/uploads/2024/01/No-Justice-Wiper.pdf

2024-01-05
Decoys_Govno_DGAs_And_Obfuscation_in_AsyncRAT_Loaders
LOW

Intel Source:
AT&T
Intel Name:
Decoys_Govno_DGAs_And_Obfuscation_in_AsyncRAT_Loaders
Date of Scan:
2024-01-05
Impact:
LOW
Summary:
Researchers at AT&T Alien Labs have discovered a campaign to install AsyncRAT on victim PCs without their knowledge. This threat actor has been distributing the RAT via an initial JavaScript file embedded in a phishing page for at least 11 months. The threat actor remains persistent in its goals, having gone through more than 300 samples and more than 100 domains.


Source:
https://cybersecurity.att.com/blogs/labs-research/asyncrat-loader-obfuscation-dgas-decoys-and-govno

2024-01-04
UAC_0050_Targeting_Ukraine_With_Remcos_RAT_Pipe_Method
LOW

Intel Source:
Uptycs
Intel Name:
UAC_0050_Targeting_Ukraine_With_Remcos_RAT_Pipe_Method
Date of Scan:
2024-01-04
Impact:
LOW
Summary:
The UAC-0050 threat group, well-known for its history of unrelenting cyberattacks against targets in Ukraine, is back at it. However, this time, researchers at Uptycs have uncovered a sophisticated tactic that permits a more covert data transfer channel, successfully eluding antivirus and Endpoint Detection and Response (EDR) detection methods.


Source:
https://www.uptycs.com/blog/remcos-rat-uac-0500-pipe-method

2024-01-04
Cryptomining_PyPI_Packages_Targeting_Linux
LOW

Intel Source:
Fortinet
Intel Name:
Cryptomining_PyPI_Packages_Targeting_Linux
Date of Scan:
2024-01-04
Impact:
LOW
Summary:
Fortinet researchers have noted that three new malicious packages, each able to install a cryptocurrency miner on vulnerable Linux computers, have been found in the Python Package Index (PyPI) open-source repository.


Source:
https://www.fortinet.com/blog/threat-research/malicious-pypi-packages-deploy-coinminer-on-linux-devices

2024-01-03
The_implementation_of_Artificial_Intelligence_for_invoice_fraud
LOW

Intel Source:
Resecurity
Intel Name:
The_implementation_of_Artificial_Intelligence_for_invoice_fraud
Date of Scan:
2024-01-03
Impact:
LOW
Summary:
Resecurity discovered a threat actor group, “GXC Team”, which is known for crafting tools for online banking theft, e-commerce deception, and internet scams. This time the group introduced a new tool that incorporates Artificial Intelligence into the creation of fraudulent invoices used for wire fraud and Business E-Mail Compromise (BEC). According to an FBI IC3 report, successful business email compromise (BEC) scams (such as invoice fraud) resulted in an average loss of over $120,000 per incident, inflicting a staggering financial toll of more than $2.4 billion on organizations.


Source:
https://www.resecurity.com/blog/article/cybercriminals-implemented-artificial-intelligence-ai-for-invoice-fraud

2024-01-03
Analysis_of_the_Ransomware_Attack_On_Boeing
MEDIUM

Intel Source:
Antiy
Intel Name:
Analysis_of_the_Ransomware_Attack_On_Boeing
Date of Scan:
2024-01-03
Impact:
MEDIUM
Summary:
Antiy CERT reviewed recent major attack cases, selected the extortion attack on the Boeing Company that was linked to the LockBit group, and completed a full analysis. Antiy CERT has been monitoring ransomware attacks for a long time and has paid continued attention to attack organizations such as LockBit, building up a relatively systematic body of analysis. The analysis draws on intelligence data from the Antiy Cyber Ultrain platform and on the public information about this incident released by CISA and other agencies.


Source:
https://www.antiy.cn/research/notice&report/research_report/BoeingReport.html

2024-01-03
The_summarized_malware_families_roundups
MEDIUM

Intel Source:
Palo Alto
Intel Name:
The_summarized_malware_families_roundups
Date of Scan:
2024-01-03
Impact:
MEDIUM
Summary:
This article summarizes the malware families (and groups pushing malware) seen by Unit 42. This article reviews all our timely threat intelligence released from October through December 2023.


Source:
https://unit42.paloaltonetworks.com/unit42-threat-intelligence-roundup/

2024-01-03
Malicious_malspam_attachments
LOW

Intel Source:
ISC.SANS
Intel Name:
Malicious_malspam_attachments
Date of Scan:
2024-01-03
Impact:
LOW
Summary:
Jan Kopriva from ISC.SANS shared his observations from the last 12 months: 1152 potentially malicious attachments of different types were caught by his malspam trap. After he decompressed and/or unpacked all the images and archives, removed all duplicates, and eliminated all the non-malicious files, he was still left with 525 unique malicious samples – 285 of these were PE files with various extensions, and the rest were a wide assortment of scripts, Office files, PDFs, help files, shortcut links, etc.


Source:
https://isc.sans.edu/diary/rss/30524

2024-01-03
8base_Ransomware_Roundup
MEDIUM

Intel Source:
Fortinet
Intel Name:
8base_Ransomware_Roundup
Date of Scan:
2024-01-03
Impact:
MEDIUM
Summary:
The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. 8base is a financially motivated ransomware variant most likely based on the Phobos ransomware. Per Fortinet’s FortiRecon information, the 8base ransomware first appeared in May 2023.


Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-8base

2024-01-02
The_use_of_weaponized_LNK_files_to_exploit_vulnerabilities_in_Windows
MEDIUM

Intel Source:
Cyber Security news
Intel Name:
The_use_of_weaponized_LNK_files_to_exploit_vulnerabilities_in_Windows
Date of Scan:
2024-01-02
Impact:
MEDIUM
Summary:
Last month, cybersecurity researchers at ASEC identified that the Kimsuky group has been actively using the weaponized LNK file to deploy AppleSeed malware. Hackers use weaponized LNK files to exploit vulnerabilities in Windows operating systems. These files often contain malicious code that can be executed when the user clicks on the shortcut.


Source:
https://cybersecuritynews.com/kimsuky-appleseed-malware/

2024-01-02
Diving_Deep_into_Cactus_Ransomware
LOW

Intel Source:
SOC Radar
Intel Name:
Diving_Deep_into_Cactus_Ransomware
Date of Scan:
2024-01-02
Impact:
LOW
Summary:
Since its discovery in March 2023, the Cactus Ransomware Group has quickly expanded throughout the digital sphere, exploiting flaws in VPNs in particular to gain unauthorized access and establish a presence on compromised systems. The group has demonstrated a deep understanding of evasion strategies, using a dynamic approach to encryption and a variety of tools and procedures to ensure the efficient and discreet delivery of its malicious payload.


Source:
https://socradar.io/dark-web-profile-cactus-ransomware/

2024-01-02
New_Version_Of_Medusa_Stealer_Released
LOW

Intel Source:
Resecurity
Intel Name:
New_Version_Of_Medusa_Stealer_Released
Date of Scan:
2024-01-02
Impact:
LOW
Summary:
Resecurity researchers last week published details of the new Medusa Stealer malware. The release version of Meduza is 2.2, a significantly upgraded password stealer poised to wreak havoc on unsuspecting victims. Its new capabilities include support for more software clients (including browser-based cryptocurrency wallets), an upgraded credit card (CC) grabber, and additional advanced mechanisms for dumping password storage on various platforms to extract credentials and tokens.


Source:
https://www.resecurity.com/blog/article/new-version-of-medusa-stealer-released-in-dark-web

2023-12-29
Microsoft_Stops_MSIX_Protocol_Handler_Used_Maliciously
MEDIUM

Intel Source:
Microsoft
Intel Name:
Microsoft_Stops_MSIX_Protocol_Handler_Used_Maliciously
Date of Scan:
2023-12-29
Impact:
MEDIUM
Summary:
After several financially motivated threat groups used the MSIX ms-appinstaller protocol handler to infect Windows users with malware, Microsoft disabled it once more. In order to get around security measures that would normally shield Windows users from malware, such as the Defender SmartScreen anti-phishing and anti-malware component and built-in browser alerts warning users against downloading executable files, the attackers took advantage of the CVE-2021-43890 Windows AppX Installer spoofing vulnerability.


Source:
https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/

2023-12-28
New_Zero_Day_in_Barracuda_s_ESG_Appliances
LOW

Intel Source:
Barracuda
Intel Name:
New_Zero_Day_in_Barracuda_s_ESG_Appliances
Date of Scan:
2023-12-28
Impact:
LOW
Summary:
Barracuda posted that Chinese threat actors exploited a new zero-day in its Email Security Gateway (ESG) appliances to deploy backdoors on a “limited number” of devices. Tracked as CVE-2023-7102, the issue relates to arbitrary code execution within a third-party, open-source library named Spreadsheet::ParseExcel, which is used by the Amavis scanner within the gateway to screen Microsoft Excel email attachments for malware.


Source:
https://www.barracuda.com/company/legal/esg-vulnerability
https://thehackernews.com/2023/12/chinese-hackers-exploited-new-zero-day.html

2023-12-28
QBit_Stealer_s_source_code_malicious_feature
LOW

Intel Source:
Cyble
Intel Name:
QBit_Stealer_s_source_code_malicious_feature
Date of Scan:
2023-12-28
Impact:
LOW
Summary:
After analyzing qBit Stealer’s source code, the Cyble research team discovered a feature unlike that of other stealers: qBit selectively targets files with specific extensions. This characteristic implies its potential use as an exfiltration tool in ransomware operations.


Source:
https://cyble.com/blog/decoding-qbit-stealers-source-release-and-data-exfiltration-prowess/

2023-12-28
A_Domain_Controller_is_Threatened_Within_an_Hour_of_Attack
MEDIUM

Intel Source:
CERT UA
Intel Name:
A_Domain_Controller_is_Threatened_Within_an_Hour_of_Attack
Date of Scan:
2023-12-28
Impact:
MEDIUM
Summary:
Following an investigation by CERT-UA researchers into an incident, it was discovered that the malicious links take the victim to a webpage where, using JavaScript and features of the “search” application protocol (“ms-search”), a shortcut file is downloaded. When opened, the shortcut launches a PowerShell script designed to open a decoy document and to download, from a remote SMB resource, the Python interpreter together with a Client.py file identified as MASEPIE.


Source:
https://cert.gov.ua/article/6276894

2023-12-28
Trend_Analysis_of_Kimsuky_Group_Attacks
LOW

Intel Source:
ASEC
Intel Name:
Trend_Analysis_of_Kimsuky_Group_Attacks
Date of Scan:
2023-12-28
Impact:
LOW
Summary:
Spear phishing attacks are a regular tactic used by the Kimsuky threat group to target South Korean users. Typically, the organization sends out malicious files that appear to be document attachments for emails. Users may not be able to operate their machine when they launch these attachments.


Source:
https://asec.ahnlab.com/en/60054/

2023-12-28
A_Glimpse_into_DShield_Honeypot_Activity
LOW

Intel Source:
SANS
Intel Name:
A_Glimpse_into_DShield_Honeypot_Activity
Date of Scan:
2023-12-28
Impact:
LOW
Summary:
ISC.SANS researchers describe activity from Mirai, a disruptive malware strain that has caused havoc since its discovery. It takes advantage of security flaws in IoT devices and turns them into a “botnet,” or network of bots, that can be used to launch massive network attacks.


Source:
https://isc.sans.edu/diary/rss/30514

2023-12-27
Ande_Loader_and_SwaetRAT_analysis
LOW

Intel Source:
Esentire
Intel Name:
Ande_Loader_and_SwaetRAT_analysis
Date of Scan:
2023-12-27
Impact:
LOW
Summary:
This article analyzes the malicious payloads used by the PhantomControl threat actors. It explains the process of retrieving the base64-encoded data from the downloaded image, the parameters passed to the “VAI” method, and the core payload, SwaetRAT, which is written in .NET and has keylogging capabilities. It also explains the ID generation algorithm, the commands handled by the ReadPacket class, and the creation of persistence via startup folders and process hollowing techniques. Finally, it provides a Yara rule for SwaetRAT and recommendations for protection.


Source:
https://www.esentire.com/blog/phantomcontrol-returns-with-ande-loader-and-swaetrat

2023-12-27
Vulnerability_in_Barracuda_Email_Security_Gateway_Appliance
LOW

Intel Source:
Barracuda
Intel Name:
Vulnerability_in_Barracuda_Email_Security_Gateway_Appliance
Date of Scan:
2023-12-27
Impact:
LOW
Summary:
According to the findings of Barracuda experts’ ongoing investigation, a threat actor deployed a specially crafted Excel email attachment to target a certain number of ESG devices by exploiting an Arbitrary Code Execution (ACE) vulnerability within a third-party library, Spreadsheet::ParseExcel.


Source:
https://www.barracuda.com/company/legal/esg-vulnerability

2023-12-27
Advanced_Web_Injection_Campaignu_unraveling_the_Tactics_of_a_Sophisticated_Threat
MEDIUM

Intel Source:
Security Intelligence
Intel Name:
Advanced_Web_Injection_Campaignu_unraveling_the_Tactics_of_a_Sophisticated_Threat
Date of Scan:
2023-12-27
Impact:
MEDIUM
Summary:
In a recent analysis, IBM Security Trusteer has uncovered a sophisticated web injection campaign that utilizes JavaScript injections, impacting over 40 banks across North America, South America, Europe, and Japan. This malware, possibly linked to DanaBot, employs evasive techniques, including dynamic web injection, to compromise popular banking applications. The injected JavaScript targets specific pages within banks, aiming to intercept user credentials and potentially monetize banking information. The attackers purchased malicious domains in December 2022, initiating campaigns since early 2023. The web injection’s dynamic behavior, communication with a command and control server, and adaptability make it a significant threat to the security of financial institutions and their customers. Users are advised to remain vigilant, report suspicious activities, and follow best practices for security.


Source:
https://securityintelligence.com/posts/web-injections-back-on-rise-banks-affected-danabot-malware/

2023-12-27
Threat_Actor_UAC_0099_continues_to_target_Ukraine
LOW

Intel Source:
Deep Instinct
Intel Name:
Threat_Actor_UAC_0099_continues_to_target_Ukraine
Date of Scan:
2023-12-27
Impact:
LOW
Summary:
Threat actor ‘UAC-0099’ has been targeting Ukraine since mid-2022, using a fabricated court summons to bait targets, a RAR SFX with LNK infection vector, and an HTA infection vector. They have also exploited a WinRAR vulnerability, CVE-2023-38831. To reduce risk, monitoring and limiting PowerShell and scheduled tasks is recommended, as well as updating WinRAR. IOCs and a POC for CVE-2023-38831 can be found on GitHub.


Source:
https://www.deepinstinct.com/blog/threat-actor-uac-0099-continues-to-target-ukraine

2023-12-27
The_spike_of_phishing_attacks_with_Crypto_drainers
LOW

Intel Source:
Checkpoint
Intel Name:
The_spike_of_phishing_attacks_with_Crypto_drainers
Date of Scan:
2023-12-27
Impact:
LOW
Summary:
This article examines the threat of phishing attacks with crypto drainers, which involve malicious smart contracts and deceptive websites to deceive users into giving away their tokens. It explains the Angel Drainer technique, a phishing attack that uses permit functions to transfer tokens without the user’s knowledge. Tips are provided on how to safeguard against these attacks.


Source:
https://research.checkpoint.com/2023/the-rising-threat-of-phishing-attacks-with-crypto-drainers/

2023-12-27
PikaBot_Malware_Spreads_via_Malvertising_Campaign_Targeting_AnyDesk_Users
LOW

Intel Source:
thehackernews
Intel Name:
PikaBot_Malware_Spreads_via_Malvertising_Campaign_Targeting_AnyDesk_Users
Date of Scan:
2023-12-27
Impact:
LOW
Summary:
Security researchers have uncovered a malvertising campaign spreading the PikaBot malware, particularly targeting users searching for legitimate software like AnyDesk. PikaBot, previously distributed through malspam campaigns, serves as a loader and backdoor, allowing unauthorized remote access to compromised systems. In this campaign, threat actors, including the notorious TA577, leverage malicious Google ads for AnyDesk that redirect victims to a fake website hosting a malicious MSI installer on Dropbox. The malvertising tactic involves bypassing Google’s security checks with a tracking URL via a legitimate marketing platform. The attack is reminiscent of malvertising chains previously observed with other loader malware, indicating a potential trend in “malvertising-as-a-service.” This discovery follows a surge in malicious ads through Google searches for popular software, indicating a growing threat in browser-based attacks.


Source:
https://thehackernews.com/2023/12/new-malvertising-campaign-distributing.html

2023-12-26
A_Sophisticated_Phishing_Campaign_Targeting_Indian_Government_Personnel
LOW

Intel Source:
Seqrite
Intel Name:
A_Sophisticated_Phishing_Campaign_Targeting_Indian_Government_Personnel
Date of Scan:
2023-12-26
Impact:
LOW
Summary:
Operation RusticWeb is an advanced phishing campaign, active since October 2023, that specifically targets Indian government personnel, notably in the defense sector. The threat actors employ Rust-based payloads and encrypted PowerShell scripts for file system enumeration and exfiltration of confidential documents. Noteworthy tactics include the use of fake domains mimicking government entities, such as the Army Welfare Education Society (AWES) and the Department of Personnel & Training. The campaign, exhibiting similarities with known APT groups linked to Pakistan, reflects a shift towards newer programming languages like Rust.


Source:
https://www.seqrite.com/blog/operation-rusticweb-targets-indian-govt-from-rust-based-malware-to-web-service-exfiltration/

2023-12-26
Analysis_of_SSH_Scanner_Malware_Attacks_on_Linux_Servers
LOW

Intel Source:
ASEC
Intel Name:
Analysis_of_SSH_Scanner_Malware_Attacks_on_Linux_Servers
Date of Scan:
2023-12-26
Impact:
LOW
Summary:
AhnLab Security Emergency Response Center (ASEC) has conducted a detailed analysis of recent attack campaigns targeting poorly managed Linux SSH servers. In addition to commonly installed malware like DDoS bots and CoinMiners, threat actors are employing SSH scanner malware to extract valuable information, including IP addresses and SSH account credentials. This article outlines the attack flow, including the utilization of tools such as ShellBot, Tsunami, ChinaZ DDoS Bot, and XMRig CoinMiner.


Source:
https://asec.ahnlab.com/en/59972/

2023-12-26
MageCart_WordPress_Plugin_Injects_Malicious_stuff
LOW

Intel Source:
Sucuri
Intel Name:
MageCart_WordPress_Plugin_Injects_Malicious_stuff
Date of Scan:
2023-12-26
Impact:
LOW
Summary:
A new strain of MageCart malware has been identified, targeting WordPress/WooCommerce e-commerce websites. The malware injects itself into the mu-plugins directory, concealing its presence and making removal challenging. Operating under the guise of a fake WordPress Cache Addons plugin, the malware goes to great lengths to avoid detection and removal, even restricting the use of file manager plugins. Notably, it creates a hidden administrator user account, providing attackers sustained access. The malware’s primary goal is credit card skimming, injecting sophisticated JavaScript into the website’s checkout page.


Source:
https://blog.sucuri.net/2023/12/magecart-wordpress-plugin-injects-malicious-user-credit-card-skimmer.html

2023-12-26
A_Comprehensive_Analysis_of_Phishing_Infrastructure_and_Tactics
LOW

Intel Source:
Infoblox
Intel Name:
A_Comprehensive_Analysis_of_Phishing_Infrastructure_and_Tactics
Date of Scan:
2023-12-26
Impact:
LOW
Summary:
The United States Postal Service (USPS) has become a prime target for a surge in SMS phishing attacks, colloquially known as smishing, since July. Chinese threat actors dominate this trend, utilizing a dark market toolkit to facilitate attacks on various messaging platforms and carriers. The toolkit’s ease of use and affordability have contributed to a notable increase in USPS-themed phishing campaigns. While previous reports have focused on specific campaigns, actors, or the toolkit itself, this analysis delves into a comprehensive examination of over 7,000 USPS-related domains, revealing distinct techniques, tactics, and procedures (TTPs) observable in the Domain Name System (DNS).


Source:
https://blogs.infoblox.com/cyber-threat-intelligence/phishers-weather-the-storm-the-dns-landscape-of-us-postal-smishing-attacks/

2023-12-26
8220_Gang_Evolving_Tactics_Exploiting_Web_Servers
LOW
+

Intel Source:
Imperva
Intel Name:
8220_Gang_Evolving_Tactics_Exploiting_Web_Servers
Date of Scan:
2023-12-26
Impact:
LOW
Summary:
Imperva Threat Research uncovers new activity from the 8220 gang, a Chinese-origin threat group known for deploying cryptojacking malware on both Windows and Linux web servers. The blog details recent exploits, attack vectors, and indicators of compromise (IoCs), emphasizing the importance of patching and robust security measures for organizations. The group’s evolving tactics include exploiting vulnerabilities such as CVE-2021-44228, CVE-2017-3506, and CVE-2020-14883 to propagate malware, with Imperva providing mitigation through its Cloud WAF and on-prem WAF.


Source:
https://www.imperva.com/blog/imperva-detects-undocumented-8220-gang-activities/

2023-12-26
Bandook_malware_behavior
LOW
+

Intel Source:
Fortinet
Intel Name:
Bandook_malware_behavior
Date of Scan:
2023-12-26
Impact:
LOW
Summary:
FortiGuard Labs has discovered a new variant of the Bandook malware, a persistent remote access trojan (RAT) with origins dating back to 2007. This latest variant is distributed through a PDF file containing a shortened URL, leading to a password-protected .7z file. Upon extraction, the malware injects its payload into the msinfo32.exe process. The malware exhibits a refined injection process and establishes persistence through registry manipulation. The communication with its command and control (C2) server involves an array of commands, including file manipulation, information stealing, and control over the victim’s computer. FortiGuard Labs provides insights into the malware’s behavior and the added complexity in its latest variant, offering protections against the identified threats.


Source:
https://www.fortinet.com/blog/threat-research/bandook-persistent-threat-that-keeps-evolving

2023-12-24
Akira_ransomware_came_back
MEDIUM
+

Intel Source:
Sophos
Intel Name:
Akira_ransomware_came_back
Date of Scan:
2023-12-24
Impact:
MEDIUM
Summary:
Sophos observed several incidents involving Akira ransomware, which has had a significant impact across multiple regions and countries. According to the evidence, Akira has primarily targeted organizations in Europe, North America, and Australia, operating in the government, manufacturing, technology, education, consulting, pharmaceuticals, and telecommunication sectors.


Source:
https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/

2023-12-23
New_UAC_0050_attack_using_RemcosRAT
MEDIUM
+

Intel Source:
CERT-UA
Intel Name:
New_UAC_0050_attack_using_RemcosRAT
Date of Scan:
2023-12-23
Impact:
MEDIUM
Summary:
Recently, the CERT-UA has observed the mass distribution of e-mails with the subject “Debts under the Kyivstar contract” and an attachment in the form of the “Subscriber debt.zip” archive.


Source:
https://cert.gov.ua/article/6276824

2023-12-21
Some_malware_clusters_spreads_via_email_and_fake_browser_updates
LOW
+

Intel Source:
Proofpoint
Intel Name:
Some_malware_clusters_spreads_via_email_and_fake_browser_updates
Date of Scan:
2023-12-21
Impact:
LOW
Summary:
It was recently observed that the DarkGate remote access Trojan (RAT) was used by multiple cybercrime actors and spread via many methods, such as email, Microsoft Teams, Skype, malvertising, and fake updates. The researchers also provided details about the RogueRaticate and BattleRoyal fake update activity clusters.


Source:
https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates

2023-12-21
Web_injections_are_on_the_rise
LOW
+

Intel Source:
Security Intelligence
Intel Name:
Web_injections_are_on_the_rise
Date of Scan:
2023-12-21
Impact:
LOW
Summary:
Security Intelligence researchers conducted a deep analysis of the web injection used in the recent campaign, covering its evasive techniques, code flow, targets, and the methods employed to achieve them. Analysts found that in this new campaign, the threat actors’ intention with the web injection module is likely to compromise popular banking applications and, once the malware is installed, intercept users’ credentials in order to access them and likely monetize their banking information.


Source:
https://securityintelligence.com/posts/web-injections-back-on-rise-banks-affected-danabot-malware/

2023-12-21
The_Nim_based_Campaign_Using_Microsoft_Word_Docs
LOW
+

Intel Source:
Netskope
Intel Name:
The_Nim_based_Campaign_Using_Microsoft_Word_Docs
Date of Scan:
2023-12-21
Impact:
LOW
Summary:
Netskope analyzed a malicious backdoor written in Nim, a relatively new programming language. Their blog gives a detailed analysis of a recent targeted threat that uses a Word document as bait to deliver the Nim backdoor.


Source:
https://www.netskope.com/blog/a-look-at-the-nim-based-campaign-using-microsoft-word-docs-to-impersonate-the-nepali-government

2023-12-21
HR_Themed_Spam_Emails
LOW
+

Intel Source:
Trustwave
Intel Name:
HR_Themed_Spam_Emails
Date of Scan:
2023-12-21
Impact:
LOW
Summary:
Trustwave provided their details on some recent campaigns that use HR-related themes, along with their context and a run-through of their attack flow.


Source:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/surfing-the-tidal-waves-of-hr-themed-spam-emails/

2023-12-21
Operation_HamsaUpdate
HIGH
+

Intel Source:
Intezer
Intel Name:
Operation_HamsaUpdate
Date of Scan:
2023-12-21
Impact:
HIGH
Summary:
The Israel National Cyber Directorate issued a warning about a phishing campaign actively targeting Israeli customers of F5 network devices. They named it Operation HamsaUpdate. The campaign involves the deployment of a newly developed wiper malware that targets both Windows and Linux servers.


Source:
https://intezer.com/blog/research/stealth-wiper-israeli-infrastructure/

2023-12-20
Instagram_Phishing_attacks
LOW
+

Intel Source:
Trustwave
Intel Name:
Instagram_Phishing_attacks
Date of Scan:
2023-12-20
Impact:
LOW
Summary:
Trustwave researchers observed another campaign of Instagram “Copyright Infringement” phishing emails in their spam traps. In this new campaign, the threat actors additionally aim to obtain the victim’s Instagram backup codes. The campaign is an enhanced version of what was reported on the SpiderLabs blog under the title “Insta-Phish-A-Gram”.


Source:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/instagram-phishing-targets-backup-codes/

2023-12-20
Modus_operandi_UAC_0177_JokerDPR_attack
MEDIUM
+

Intel Source:
CERT-UA
Intel Name:
Modus_operandi_UAC_0177_JokerDPR_attack
Date of Scan:
2023-12-20
Impact:
MEDIUM
Summary:
The Ukrainian government’s CERT-UA investigated one of the incidents that had been publicized in a manipulative form on the JokerDPR Telegram channel. It found that one of the methods used by JokerDPR “followers”, and/or described in that channel, is phishing attacks aimed at gaining unauthorized access to accounts on the mail services Google, Ukr.Net, and Outlook, as well as on the cryptocurrency exchanges EXMO and Binance.


Source:
https://cert.gov.ua/article/6276799

2023-12-20
Agent_Tesla_delivery
LOW
+

Intel Source:
Zscaler
Intel Name:
Agent_Tesla_delivery
Date of Scan:
2023-12-20
Impact:
LOW
Summary:
Zscaler analyzed new tactics employed by threat actors to deploy Agent Tesla malware using CVE-2017-11882. Agent Tesla is an advanced keylogger with features such as clipboard logging, screen keylogging, screen capturing, and extraction of stored passwords from web browsers.


Source:
https://www.zscaler.com/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla

2023-12-20
Seedworm_Iranian_Hackers_Target_Telecoms
MEDIUM
+

Intel Source:
Symantec
Intel Name:
Seedworm_Iranian_Hackers_Target_Telecoms
Date of Scan:
2023-12-20
Impact:
MEDIUM
Summary:
The Iranian espionage group Seedworm (aka MuddyWater) attacked telecom companies in Egypt, Sudan, and Tanzania. The group has been active since 2017 and has attacked companies in many countries; it is believed to be part of Iran’s Ministry of Intelligence and Security. The threat actors used a variety of tools in this activity. Researchers on Symantec’s Threat Hunter Team, part of Broadcom, investigated the activity and found a MuddyC2Go PowerShell launcher. The attackers also used the SimpleHelp remote access tool and Venom Proxy, both previously associated with Seedworm activity, as well as a custom keylogging tool and other publicly available and living-off-the-land tools.


Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/iran-apt-seedworm-africa-telecoms

2023-12-20
Double_Extortion_Attack_Analysis
LOW
+

Intel Source:
ReliaQuest
Intel Name:
Double_Extortion_Attack_Analysis
Date of Scan:
2023-12-20
Impact:
LOW
Summary:
A couple of months ago, ReliaQuest detected unknown process executions inside a customer’s environment, originating from the Windows debug directory. Analysis showed that these executions were part of a more significant cyber-threat incident that resulted in double extortion: the encryption of customer data, followed by ransomware deployment and a threat to release the data publicly.


Source:
https://www.reliaquest.com/blog/double-extortion-attack-analysis/

2023-12-20
Malicious_JavaScript_samples_to_steal_sensitive_information
LOW
+

Intel Source:
PaloAlto
Intel Name:
Malicious_JavaScript_samples_to_steal_sensitive_information
Date of Scan:
2023-12-20
Impact:
LOW
Summary:
Unit 42 researchers have observed threat actors using malicious JavaScript samples to steal sensitive information by abusing popular survey sites, low-quality hosting, and web chat APIs. In some campaigns, attackers created chatbots that they registered to someone noteworthy such as an Australian footballer. Other malware campaigns had both web skimmers injected into compromised sites and traditional phishing sites.


Source:
https://unit42.paloaltonetworks.com/malicious-javascript-steals-sensitive-data/

2023-12-20
Two_novel_techniques_deployed_on_GitHub
MEDIUM
+

Intel Source:
Reversing Labs
Intel Name:
Two_novel_techniques_deployed_on_GitHub
Date of Scan:
2023-12-20
Impact:
MEDIUM
Summary:
ReversingLabs researchers have uncovered two novel techniques running on GitHub — one abusing GitHub Gists, another issuing commands through git commit messages.


Source:
https://www.reversinglabs.com/blog/malware-leveraging-public-infrastructure-like-github-on-the-rise

2023-12-20
JaskaGO_malware_attacks_on_macOS_and_Windows
MEDIUM
+

Intel Source:
AT&T
Intel Name:
JaskaGO_malware_attacks_on_macOS_and_Windows
Date of Scan:
2023-12-20
Impact:
MEDIUM
Summary:
AT&T Alien Labs has discovered a sophisticated malware stealer strain written in the Go programming language, posing a severe threat to both Windows and macOS operating systems.


Source:
https://cybersecurity.att.com/blogs/labs-research/behind-the-scenes-jaskagos-coordinated-strike-on-macos-and-windows

2023-12-19
Malware_Trends_Tracker
LOW
+

Intel Source:
Any.Run
Intel Name:
Malware_Trends_Tracker
Date of Scan:
2023-12-19
Impact:
LOW
Summary:
Every day, a large number of submissions are uploaded to the ANY.RUN sandbox, many of them with malicious verdicts. That is why Any.Run researchers created the Malware Trends Tracker. For each malware family they provide its history, recent samples, distribution methods, an execution video, the detection process, global, weekly, and monthly ranks, and IOCs: the latest IP addresses, hashes, domain names, and URLs.


Source:
https://any.run/cybersecurity-blog/malware-statistics-and-trends/

2023-12-19
The_Play_ransomware_group
MEDIUM
+

Intel Source:
CISA
Intel Name:
The_Play_ransomware_group
Date of Scan:
2023-12-19
Impact:
MEDIUM
Summary:
The FBI, CISA, and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) released a joint Cybersecurity Advisory (CSA), #StopRansomware: Play Ransomware, to disseminate Play ransomware group’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs). Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data, and have impacted a wide range of businesses and critical infrastructure organizations in North America, South America, Europe, and Australia.


Source:
https://www.cisa.gov/news-events/alerts/2023/12/18/fbi-cisa-and-asds-acsc-release-advisory-play-ransomware

2023-12-19
Anonymous_Sudan_expansion
LOW
+

Intel Source:
Cyberint
Intel Name:
Anonymous_Sudan_expansion
Date of Scan:
2023-12-19
Impact:
LOW
Summary:
In December 2023 Cyberint detected that Anonymous Sudan claimed responsibility for disrupting the Discord login page in collaboration with SKYNET and GodzillaBotnet. This action stands among a series of recent collaborative attacks the groups executed.


Source:
https://cyberint.com/blog/research/anonymous-sudan-an-analysis/

2023-12-19
Ongoing_Exploitation_of_Apache_ActiveMQ_Vulnerability
MEDIUM
+

Intel Source:
ASEC
Intel Name:
Ongoing_Exploitation_of_Apache_ActiveMQ_Vulnerability
Date of Scan:
2023-12-19
Impact:
MEDIUM
Summary:
A recent blog post by AhnLab Security Emergency Response Center (ASEC) reveals that threat actors continue to exploit the Apache ActiveMQ vulnerability (CVE-2023-46604). The vulnerability, allowing remote code execution in the messaging and integration pattern server, has been targeted by various threat actors for deploying Ladon, NetCat, AnyDesk, and z0Miner.


Source:
https://asec.ahnlab.com/en/59904/

2023-12-19
Cybercriminals_abuse_GitHub_tool_Predator
LOW
+

Intel Source:
Trellix
Intel Name:
Cybercriminals_abuse_GitHub_tool_Predator
Date of Scan:
2023-12-19
Impact:
LOW
Summary:
Trellix showed in their blog how cybercriminals have abused the GitHub tool Predator and how it has been used in multiple phishing campaigns with frequently changing URL patterns over a very short span. Predator, a tool designed to combat bots and web crawlers, can distinguish web requests originating from automated systems, bots, or web crawlers.


Source:
https://www.trellix.com/about/newsroom/stories/research/cybercrooks-leveraging-anti-automation-toolkit-for-phishing-campaigns/

2023-12-18
The_Sidewinder_group_cyber_intrusion_tactics
LOW
+

Intel Source:
Cyfirma
Intel Name:
The_Sidewinder_group_cyber_intrusion_tactics
Date of Scan:
2023-12-18
Impact:
LOW
Summary:
Cyfirma published a report describing a recent threat actor campaign built around a malicious Word document with an embedded macro, unraveling a sophisticated cyber threat orchestrated by the Sidewinder group, possibly targeting Nepalese government officials. The threat started with a likely spear-phishing email delivering the malicious Word document. Upon opening the downloaded document, the victim is manipulated into enabling macros, and the embedded macro then executes.


Source:
https://www.cyfirma.com/outofband/from-macro-to-payload-decrypting-the-sidewinder-cyber-intrusion-tactics/

2023-12-18
Kimsuky_threat_group_is_targeting_research_institutes_in_South_Korea
LOW
+

Intel Source:
Rewterz
Intel Name:
Kimsuky_threat_group_is_targeting_research_institutes_in_South_Korea
Date of Scan:
2023-12-18
Impact:
LOW
Summary:
The North Korean state-backed threat group known as Kimsuky is targeting research institutes in South Korea with spear-phishing to infect the target systems with backdoor trojans and ultimately execute commands for stealing sensitive data.


Source:
https://f1tym1.com/2023/12/18/rewterz-threat-alert-kimsuky-apt-uses-backdoor-attacks-on-south-korean-research-institutes-active-iocs/

2023-12-18
Unearthing_a_Scripted_Assault_on_RocketMQ
LOW
+

Intel Source:
SANS
Intel Name:
Unearthing_a_Scripted_Assault_on_RocketMQ
Date of Scan:
2023-12-18
Impact:
LOW
Summary:
Delving into the aftermath of the CVE-2023-33246 vulnerability in RocketMQ, this report spotlights a malicious Bash script discovered in the wild. Operating surreptitiously, the script dynamically creates an environment, installs dependencies, and leverages the masscan port scanner to identify vulnerable servers. Specifically targeting open ports associated with RocketMQ, the script then employs a Python counterpart for the actual exploitation.


Source:
https://isc.sans.edu/diary/rss/30492

2023-12-18
Early_Detection_of_Malicious_Stockpiled_Domains
LOW
+

Intel Source:
PaloAlto
Intel Name:
Early_Detection_of_Malicious_Stockpiled_Domains
Date of Scan:
2023-12-18
Impact:
LOW
Summary:
Palo Alto analysts described how the techniques used by cybercriminals have evolved into domain wars.


Source:
https://unit42.paloaltonetworks.com/detecting-malicious-stockpiled-domains/

2023-12-18
Unveiling_a_Year_of_Covert_Operations_Profiling_a_Stealthy_Threat_Actor
LOW
+

Intel Source:
Thedfirreport
Intel Name:
Unveiling_a_Year_of_Covert_Operations_Profiling_a_Stealthy_Threat_Actor
Date of Scan:
2023-12-18
Impact:
LOW
Summary:
This report provides a unique analysis by exploring data from the perspective of a threat actor’s exposed host. Discovered in an open directory, the amassed data spans over a year, unveiling a historical narrative of the threat actor’s operations. While primarily non-financially motivated, the actor strategically targeted an array of sectors, including government, defense contractors, finance, critical infrastructure, telecommunications, and escort services. Operating exclusively with open-source tools, the threat actor demonstrated a diverse skill set, employing active scanning, reconnaissance, and targeted exploits.


Source:
https://thedfirreport.com/2023/12/18/lets-opendir-some-presents-an-analysis-of-a-persistent-actors-activity/

2023-12-18
Pig_Butchering_Scams_Deep_Dive_into_Cryptocurrency_Confidence_Schemes
LOW
+

Intel Source:
Sophos
Intel Name:
Pig_Butchering_Scams_Deep_Dive_into_Cryptocurrency_Confidence_Schemes
Date of Scan:
2023-12-18
Impact:
LOW
Summary:
Cryptocurrency-based crime, particularly “pig butchering” scams, has evolved into sophisticated confidence schemes. Perpetrators use dating apps to establish relationships, leveraging generative AI to craft convincing messages. Investigating these scams reveals a complex web of interconnected domains and contract wallets, with scams evolving to avoid detection. The study unveils a multimillion-dollar network, emphasizing the need for public awareness and vigilance against the maturing tactics employed by organized crime rings in the cryptocurrency space.


Source:
https://news.sophos.com/en-us/2023/12/18/luring-with-love-defi-mining-scam-indepth/

2023-12-18
Xorbot_Botnet_Family
LOW
+

Intel Source:
Nsfocus
Intel Name:
Xorbot_Botnet_Family
Date of Scan:
2023-12-18
Impact:
LOW
Summary:
The NSFOCUS Global Threat system observed an ELF file that was spreading widely and generating a large amount of suspected encrypted outbound communication traffic, yet the detection engine did not flag it. Further in-depth analysis identified it as a novel, deeply hidden botnet family. Because the family uses multiple rounds of XOR operations in its encryption and decryption algorithms, NSFOCUS Research Labs named the Trojan xorbot.


Source:
https://nsfocusglobal.com/xorbot-a-stealthy-botnet-family-that-defies-detection/

2023-12-18
BATLOADER_2_X_Threat_of_Stealthy_Malware_Tactics
LOW
+

Intel Source:
Seqrite
Intel Name:
BATLOADER_2_X_Threat_of_Stealthy_Malware_Tactics
Date of Scan:
2023-12-18
Impact:
LOW
Summary:
Seqrite analysts analyzed an attack in which Batloader delivers the payload, which this time is a stealer. Batloader is not a new malware in the series; it is an emerging one.


Source:
https://www.seqrite.com/blog/decoding-batloader-2-x-unmasking-the-threat-of-stealthy-malware-tactics/

2023-12-15
The_Lazarus_Group_Releases_KandyKorn
MEDIUM
+

Intel Source:
Infoblox
Intel Name:
The_Lazarus_Group_Releases_KandyKorn
Date of Scan:
2023-12-15
Impact:
MEDIUM
Summary:
KandyKorn is a highly sophisticated and dangerously formidable remote access trojan (RAT). Lazarus Group’s use of the KandyKorn malware tool highlights the group’s continued build-out of sophisticated tools and the growing dangers of their cyberattacks. Infoblox shared in their blog that threat actors have refined their techniques, causing most of the potential damage before malicious domains are identified and shared through open-source intelligence (OSINT) and the majority of commercial threat intel feeds.


Source:
https://blogs.infoblox.com/cyber-threat-intelligence/dns-for-early-detection-lazarus-kandykorn/

2023-12-15
PikaBot_distributed_via_malicious_search_ads
LOW
+

Intel Source:
Malwarebytes
Intel Name:
PikaBot_distributed_via_malicious_search_ads
Date of Scan:
2023-12-15
Impact:
LOW
Summary:
Recently, researchers have noticed PikaBot, a new malware family that first showed up at the beginning of 2023, distributed via malvertising. PikaBot was previously only distributed via malspam campaigns similar to QakBot and emerged as one of the preferred payloads for a threat actor known as TA577.


Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/12/pikabot-distributed-via-malicious-ads

2023-12-15
Honeypot_Recon_for_MySQL_Malware_Infection
LOW
+

Intel Source:
Trustwave
Intel Name:
Honeypot_Recon_for_MySQL_Malware_Infection
Date of Scan:
2023-12-15
Impact:
LOW
Summary:
Trustwave took a closer look at infection mechanisms that have recently surfaced on MySQL servers, which leverage SQL commands to stealthily infiltrate, deploy, and activate malicious payloads, and at how they are constantly evolving, changing behavior, and adjusting infection techniques.


Source:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/

2023-12-15
The_BianLian_White_Rabbit_and_Mario_ransomware_gangs_collaboration
MEDIUM
+

Intel Source:
Resecurity
Intel Name:
The_BianLian_White_Rabbit_and_Mario_ransomware_gangs_collaboration
Date of Scan:
2023-12-15
Impact:
MEDIUM
Summary:
A ransomware attack on a financial services firm in the APAC region used tactics such as password spraying, BEC emails, and compromised third-party accounts. Evidence suggests the attack was conducted by a trinity of ransomware gangs, White Rabbit, Mario, and Ransomhouse, who threatened to report the victim to regulators if they failed to pay the ransom. The attack further highlights the vulnerability of VPNs to ransomware attackers.


Source:
https://www.resecurity.com/blog/article/Exposing-Cyber-Extortion-Trinity-BianLian-White-Rabbit-Mario-Ransomware-Gangs-Spotted-Joint-Campaign

2023-12-14
KV_Botnet_Investigation
LOW
+

Intel Source:
Lumen
Intel Name:
KV_Botnet_Investigation
Date of Scan:
2023-12-14
Impact:
LOW
Summary:
The Black Lotus Labs team at Lumen Technologies is tracking a small office/home office (SOHO) router botnet that forms a covert data transfer network for advanced threat actors. They called this KV-botnet. The campaign infects devices at the edge of networks, a segment that has emerged as a soft spot in the defensive array of many enterprises.


Source:
https://blog.lumen.com/routers-roasting-on-an-open-firewall-the-kv-botnet-investigation/

2023-12-14
GambleForce_campaign_carries_SQL_injection_attacks
LOW
+

Intel Source:
Group-IB
Intel Name:
GambleForce_campaign_carries_SQL_injection_attacks
Date of Scan:
2023-12-14
Impact:
LOW
Summary:
Group-IB’s Threat Intelligence team observed that since September 2023 the GambleForce threat actor has targeted more than 20 websites (government, gambling, retail, and travel) in Australia, China, Indonesia, the Philippines, India, South Korea, Thailand, and Brazil. After analyzing the toolset in more detail, the analysts concluded that the tools were most likely associated with a threat actor executing one of the oldest attack methods: SQL injection.


Source:
https://www.group-ib.com/blog/gambleforce-gang/

2023-12-14
OilRig_persistent_attacks
MEDIUM
+

Intel Source:
Welivesecurity
Intel Name:
OilRig_persistent_attacks
Date of Scan:
2023-12-14
Impact:
MEDIUM
Summary:
Researchers from Welivesecurity have analyzed a growing series of downloaders used by the OilRig cyber espionage group to maintain access to Israeli targets of special interest, in their blogpost published on 14 December 2023.


Source:
https://www.welivesecurity.com/en/eset-research/oilrig-persistent-attacks-cloud-service-powered-downloaders/

2023-12-14
Recent_Gaza_Cybergang_activities
MEDIUM
+

Intel Source:
Sentinelone
Intel Name:
Recent_Gaza_Cybergang_activities
Date of Scan:
2023-12-14
Impact:
MEDIUM
Summary:
SentinelLabs’ analysis reinforces the suspected ties between Gaza Cybergang and WIRTE, historically considered a distinct cluster with loose relations to the Gaza Cybergang.


Source:
https://www.sentinelone.com/labs/gaza-cybergang-unified-front-targeting-hamas-opposition/

2023-12-14
RHADAMANTHYS_V_0_5_0
LOW
+

Intel Source:
Checkpoint
Intel Name:
RHADAMANTHYS_V_0_5_0
Date of Scan:
2023-12-14
Impact:
LOW
Summary:
Check Point Research team provided in their analysis a detailed view of agent modules, presenting their capabilities and implementation, focusing on how the stealer components are loaded and how they work. Rhadamanthys is an information stealer with a diverse set of modules and an interesting multilayered design.


Source:
https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/

2023-12-14
NKAbuse_a_new_multiplatform_threat
LOW
+

Intel Source:
Securelist
Intel Name:
NKAbuse_a_new_multiplatform_threat
Date of Scan:
2023-12-14
Impact:
LOW
Summary:
Securelist discovered a new multiplatform threat, “NKAbuse”. The malware uses NKN technology for data exchange and backdoor capabilities. Their analysis suggests that the main target of NKAbuse is Linux desktops, but it can also infect MIPS and ARM systems and could pose a threat to IoT devices.


Source:
https://securelist.com/unveiling-nkabuse/111512/

2023-12-14
The_discovered_cluster_of_malicious_Python_projects
LOW
+

Intel Source:
Welivesecurity
Intel Name:
The_discovered_cluster_of_malicious_Python_projects
Date of Scan:
2023-12-14
Impact:
LOW
Summary:
ESET Research discovered 116 malicious packages in PyPI, the official repository of software for the Python programming language, uploaded in 53 projects. The malware delivers a backdoor capable of remote command execution, exfiltration, and taking screenshots. The backdoor component is implemented for both Windows, in Python, and Linux, in Go.


Source:
https://www.welivesecurity.com/en/eset-research/pernicious-potpourri-python-packages-pypi/

2023-12-13
Exploitation_of_JetBrains_TeamCity_CVE_Globally
MEDIUM
+

Intel Source:
CISA
Intel Name:
Exploitation_of_JetBrains_TeamCity_CVE_Globally
Date of Scan:
2023-12-13
Impact:
MEDIUM
Summary:
The FBI, U.S. CISA, U.S. NSA, the Polish Military Counterintelligence Service, CERT Polska (CERT.PL), and the UK’s NCSC concluded that Russian cyber actors APT29 (aka the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard) have been exploiting CVE-2023-42793 in JetBrains TeamCity software at large scale over the last couple of months, targeting servers hosting that software.


Source:
https://www.cisa.gov/sites/default/files/2023-12/aa23-347a-russian-foreign-intelligence-service-svr-exploiting-jetbrains-teamcity-cve-globally.pdf

2023-12-13
An_increase_of_malicious_ads_on_Google_searches_for_Zoom
LOW
+

Intel Source:
Malwarebytes
Intel Name:
An_increase_of_malicious_ads_on_Google_searches_for_Zoom
Date of Scan:
2023-12-13
Impact:
LOW
Summary:
This month, Malwarebytes researchers noticed a spike in malicious ads on Google searches for “Zoom”, the video conferencing software. Threat actors have been switching between different keywords for software downloads such as “Advanced IP Scanner” or “WinSCP”, normally geared toward IT administrators. The researchers shared details of two cases: first, a new loader called HiroshimaNukes that had not been mentioned publicly before, and second, a campaign dropping the FakeBat loader in which the threat actor tracked victims via a previously unseen panel called Hunting panel 1.40.


Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/12/malvertisers-zoom-in-on-cryptocurrencies-and-initial-access

2023-12-13
Kuiper_ransomware_analysis
LOW
+

Intel Source:
Stairwell
Intel Name:
Kuiper_ransomware_analysis
Date of Scan:
2023-12-13
Impact:
LOW
Summary:
At the beginning of this month, Stairwell researchers obtained a copy of a server suspected to be operated by the developers of the Kuiper ransomware. Their report provides an overview of the researchers’ findings and a technical analysis of the ransomware.


Source:
https://stairwell.com/resources/kuiper-ransomware-analysis-stairwells-technical-report/

2023-12-13
FakeSG_RAT_Campaign_Akira_Ransomware_and_AMOS_Stealer_Insights
MEDIUM
+

Intel Source:
Securelist
Intel Name:
FakeSG_RAT_Campaign_Akira_Ransomware_and_AMOS_Stealer_Insights
Date of Scan:
2023-12-13
Impact:
MEDIUM
Summary:
Explore the dynamic landscape of crimeware through a detailed examination of three distinct threats: the FakeSG campaign utilizing NetSupport RAT, the Akira ransomware affecting both Windows and Linux environments, and the AMOS stealer targeting macOS users. Delve into the FakeSG campaign’s deceptive browser update tactics, Akira’s sophisticated ransomware techniques resembling Conti, and the AMOS stealer’s evolution from Go to C language.


Source:
https://securelist.com/crimeware-report-fakesg-akira-amos/111483/

2023-12-13
Mallox_Resurrected
MEDIUM
+

Intel Source:
SentinelOne
Intel Name:
Mallox_Resurrected
Date of Scan:
2023-12-13
Impact:
MEDIUM
Summary:
SentinelOne analysts shared a summary and report of recent Mallox activity, explained the group’s initial access methods, and provided a high-level analysis of recent Mallox payloads. To this day, the group continues to steal and leak a steady stream of enterprise data.


Source:
https://www.sentinelone.com/blog/mallox-resurrected-ransomware-attacks-exploiting-ms-sql-continue-to-burden-enterprises/

2023-12-13
Unraveling_Cerber_Ransomware
MEDIUM
+

Intel Source:
Seqrite
Intel Name:
Unraveling_Cerber_Ransomware
Date of Scan:
2023-12-13
Impact:
MEDIUM
Summary:
This analysis delves into the intricacies of Cerber ransomware, a malicious software identified in 2016. Cerber employs advanced techniques, such as custom-packing its payload, using mutex validation to prevent reinfection, and configuring Windows firewall rules for evading security tools. The ransomware communicates through a specific protocol, employs RSA and RC4 algorithms for encryption, and employs a self-deletion mechanism post-infection. To safeguard against Cerber and similar threats, the analysis recommends precautionary measures, including regular data backups, software updates, strong password usage, and vigilant email practices.


Source:
https://www.seqrite.com/blog/cerber-ransomware-exposed-a-comprehensive-analysis-of-advanced-tactics-encryption-and-evasion/

2023-12-12
A_series_of_related_attacks_against_organizations_with_new_tool_set
MEDIUM
+

Intel Source:
PaloAlto
Intel Name:
A_series_of_related_attacks_against_organizations_with_new_tool_set
Date of Scan:
2023-12-12
Impact:
MEDIUM
Summary:
Unit 42 researchers observed a series of apparently related attacks against organizations in the Middle East, Africa and the U.S. Unit 42 is sharing these results with the purpose of helping organizations defend against the tools observed here.


Source:
https://unit42.paloaltonetworks.com/new-toolset-targets-middle-east-africa-usa/

2023-12-12
TA4557_Targets_Recruiters_Directly_via_Email
LOW
+

Intel Source:
Proofpoint
Intel Name:
TA4557_Targets_Recruiters_Directly_via_Email
Date of Scan:
2023-12-12
Impact:
LOW
Summary:
Recently, Proofpoint observed an attack from the TA4557 campaign which used both the new method, where the actor emails recruiters directly, and the older technique of applying to jobs posted on job boards to start the attack chain. Specifically, in the attack chain that uses the direct email technique, once the recipient responds to the initial email, the actor is observed responding with a URL linking to an actor-controlled website posing as a candidate’s resume.


Source:
https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta4557-targets-recruiters-directly-email?

2023-12-12
APT37_also_known_as_ScarCruft_or_Red_Eyes_activity
MEDIUM
+

Intel Source:
Rewterz
Intel Name:
APT37_also_known_as_ScarCruft_or_Red_Eyes_activity
Date of Scan:
2023-12-12
Impact:
MEDIUM
Summary:
APT37, aka ScarCruft or Red Eyes, is a state-sponsored cyber espionage group originating from North Korea. The group has been active for more than 10 years and has previously targeted victims in South Korea. This time it started attacks against entities in other countries, including Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and various parts of the Middle East. Threats APT37 has been associated with include Goldbackdoor and RokRAT.


Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-apt37-aka-scarcruft-or-redeyes-active-iocs-2/

2023-12-12
The_updated_GULOADER_analysis
LOW
+

Intel Source:
Elastic
Intel Name:
The_updated_GULOADER_analysis
Date of Scan:
2023-12-12
Impact:
LOW
Summary:
Elastic Security Labs researchers continue to monitor active threats like GULOADER, aka CloudEyE, a highly evasive shellcode downloader that has been very active for years while under constant development. One of the recent changes is the addition of exceptions to its Vectored Exception Handler (VEH) in a fresh campaign.


Source:
https://www.elastic.co/security-labs/getting-gooey-with-guloader-downloader

2023-12-12
The_delivery_of_the_ITG05_campaign_exclusive_Headlace_backdoor
MEDIUM
+

Intel Source:
X-Force
Intel Name:
The_delivery_of_the_ITG05_campaign_exclusive_Headlace_backdoor
Date of Scan:
2023-12-12
Impact:
MEDIUM
Summary:
X-Force observed a campaign by ITG05, likely a Russian state-sponsored group, using the ongoing Israel-Hamas war as a lure to deliver a custom backdoor called HeadLace. “This new campaign is against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance, and diplomatic centers,” security researchers Golo Mühr, Claire Zaboeva, and Joe Fasulo said.


Source:
https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/

2023-12-11
Malicious_Backdoor_Disguised_as_Data_Leak_Material_in_Targeted_Campaign
LOW
+

Intel Source:
ASEC
Intel Name:
Malicious_Backdoor_Disguised_as_Data_Leak_Material_in_Targeted_Campaign
Date of Scan:
2023-12-11
Impact:
LOW
Summary:
AhnLab Security Emergency Response Center (ASEC) has identified a targeted campaign distributing a malicious executable file disguised as personal data leak material. The malware functions as a backdoor, receiving obfuscated commands in XML format from threat actors. Although the final behavior could not be observed due to the closure of the command and control (C2) server, the malware creates obfuscated files, including legitimate doc files, to deceive users. The threat actor employs various scripts, such as Operator.jse and WindowsHotfixUpdate.ps1, creating a complex execution chain.


Source:
https://asec.ahnlab.com/en/59763/

2023-12-11
Sandman_APT
MEDIUM
+

Intel Source:
SentinelOne
Intel Name:
Sandman_APT
Date of Scan:
2023-12-11
Impact:
MEDIUM
Summary:
SentinelLabs, Microsoft, and PwC threat intelligence researchers shared a joint report on the Sandman APT cluster. They saw links between Sandman and a suspected China-based threat actor using the shared KEYPLUG backdoor – STORM-0866/Red Dev 40. Their report covered victimology overlaps, cohabitation, and shared C2 infrastructure control and management practices.


Source:
https://www.sentinelone.com/labs/sandman-apt-china-based-adversaries-embrace-lua/

2023-12-11
Unraveling_the_Complex_AsyncRAT_Infection_Chai
MEDIUM
+

Intel Source:
Trendmicro
Intel Name:
Unraveling_the_Complex_AsyncRAT_Infection_Chai
Date of Scan:
2023-12-11
Impact:
MEDIUM
Summary:
Trend Micro’s Managed XDR (MxDR) team has conducted an in-depth analysis of the AsyncRAT (Remote Access Tool) infection chain, revealing the tool’s sophisticated capabilities, including keylogging and remote desktop control. The blog post explores the misuse of the legitimate Microsoft process aspnet_compiler.exe by malicious actors, shedding light on evolving adversary tactics. The investigation details the entire timeline of events, from the initial download to the establishment of command-and-control connections. The analysis highlights AsyncRAT’s adaptability across diverse attack vectors, including phishing campaigns and ransomware infections.


Source:
https://www.trendmicro.com/en_us/research/23/l/analyzing-asyncrat-code-injection-into-aspnetcompiler-exe.html

2023-12-11
New_Editbot_Stealer_Spreads
LOW
+

Intel Source:
Cyble
Intel Name:
New_Editbot_Stealer_Spreads
Date of Scan:
2023-12-11
Impact:
LOW
Summary:
Cyble researchers observed a WinRAR archive file on VirusTotal with minimal detection. Their analysis indicated that it is part of a new campaign targeting social media users. The campaign involves a multi-stage attack, where each phase has a particular role, such as evading detection, downloading additional payloads, or gaining persistence on the victim’s system.


Source:
https://cyble.com/blog/new-editbot-stealer-spreads-via-social-media-messages/

2023-12-11
New_Linux_Remote_Access_Trojan
LOW
+

Intel Source:
Group-IB
Intel Name:
New_Linux_Remote_Access_Trojan
Date of Scan:
2023-12-11
Impact:
LOW
Summary:
The Group-IB Threat Intelligence unit shared their insights on the Linux Remote Access Trojan (RAT) Krasue. This RAT has been used against organizations in Thailand. Krasue poses a severe risk to critical systems and sensitive data, as it could grant attackers remote access to the targeted network. The malware also features rootkits embedded in the binary. Group-IB researchers confirmed that Krasue was used against telecommunications companies, although it has likely been leveraged in attacks against organizations in other verticals. The Group-IB team shared Krasue’s key characteristics, its functionalities, potential impact, and the measures organizations should take to defend against this evolving threat.


Source:
https://www.group-ib.com/blog/krasue-rat/

2023-12-11
Mustang_Panda_s_PlugX_new_variant_attacks
LOW
+

Intel Source:
Lab52
Intel Name:
Mustang_Panda_s_PlugX_new_variant_attacks
Date of Scan:
2023-12-11
Impact:
LOW
Summary:
The Lab52 team analyzed a campaign in which attackers deployed a new variant of the PlugX malware. The details and the various artifacts used showed many similarities with the SmugX campaign, attributed to the threat actors Red Delta and Mustang Panda, allegedly linked to the Chinese government. The analysts observed that these attacks are targeted against the Taiwanese government and diplomats.


Source:
https://lab52.io/blog/mustang-pandas-plugx-new-variant-targetting-taiwanese-government-and-diplomats/

2023-12-11
Operation_Blacksmith
MEDIUM
+

Intel Source:
Talos
Intel Name:
Operation_Blacksmith
Date of Scan:
2023-12-11
Impact:
MEDIUM
Summary:
This month Cisco Talos researchers discovered a new campaign, “Operation Blacksmith,” conducted by the Lazarus Group using three new DLang-based malware families, two of which are remote access trojans (RATs); one of them uses Telegram bots and channels as a medium for command and control (C2) communications. Researchers named the Telegram-based RAT “NineRAT” and the non-Telegram-based RAT “DLRAT,” and track the DLang-based downloader as “BottomLoader.”


Source:
https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/

2023-12-09
Malware_creation_by_Kimsuky_Group_using_AutoIt
MEDIUM
+

Intel Source:
ASEC
Intel Name:
Malware_creation_by_Kimsuky_Group_using_AutoIt
Date of Scan:
2023-12-09
Impact:
MEDIUM
Summary:
ASEC is constantly following the Kimsuky group’s attacks using LNK-type malware and studying their attack cases. After gaining initial access, the Kimsuky group installs remote control malware to control the infected system. Kimsuky’s malware also includes open-source or commercial malware such as XRat, HVNC, Amadey, and Metasploit Meterpreter. This time ASEC analyzed Amadey and RftRAT, which were recently found being distributed.


Source:
https://asec.ahnlab.com/en/59590/

2023-12-09
Fighting_Ursa_two_malicious_campaigns
MEDIUM
+

Intel Source:
PaloAlto
Intel Name:
Fighting_Ursa_two_malicious_campaigns
Date of Scan:
2023-12-09
Impact:
MEDIUM
Summary:
Unit 42 researchers have observed the group Fighting Ursa (APT28) exploiting the Microsoft Outlook vulnerability CVE-2023-23397, initially as a zero-day, over the past 20 months to target at least 30 organizations within 14 nations that are of likely strategic intelligence value to the Russian government and its military. The threat actor conducted at least two campaigns exploiting this vulnerability that have been made public.


Source:
https://unit42.paloaltonetworks.com/russian-apt-fighting-ursa-exploits-cve-2023-233397/

2023-12-09
MrAnon_Stealer_Spreads_via_Email
MEDIUM
+

Intel Source:
Fortinet
Intel Name:
MrAnon_Stealer_Spreads_via_Email
Date of Scan:
2023-12-09
Impact:
MEDIUM
Summary:
This month FortiGuard Labs discovered an email phishing campaign using misleading booking information to lure victims into clicking on a malicious PDF file. The malicious PDF downloads and runs a PowerShell script to deliver the MrAnon Stealer malware. This malware is a Python-based information stealer packed with cx-Freeze to evade detection. MrAnon Stealer steals its victims’ credentials, system information, browser sessions, and cryptocurrency extensions.


Source:
https://www.fortinet.com/blog/threat-research/mranon-stealer-spreads-via-email-with-fake-hotel-booking-pdf

2023-12-09
The_exploits_for_Citrix_Bleed_are_in_the_wild
HIGH
+

Intel Source:
Esentire
Intel Name:
The_exploits_for_Citrix_Bleed_are_in_the_wild
Date of Scan:
2023-12-09
Impact:
HIGH
Summary:
Two months ago, the eSentire team received alerts which, after investigation, were tied to a LockBit ransomware attack. The first indicators included Rclone activity and connections to the known malicious C2 domain megapackup[.]com. The eSentire Threat Response Unit continued investigating this malicious activity and concluded with confidence that the threat actor gained initial access via the Citrix Bleed vulnerability (CVE-2023-4966) affecting Citrix NetScaler ADC and NetScaler Gateway, which allows attackers to bypass authentication by retrieving session tokens. Exploits for Citrix Bleed are available in the wild, and the vulnerability is being actively discussed on Russian hacking forums.


Source:
https://www.esentire.com/blog/citrix-bleed-vulnerability-a-gateway-to-lockbit-ransomware

2023-12-09
DanaBot_trojan_deploying_IcedID
LOW
+

Intel Source:
Esentire
Intel Name:
DanaBot_trojan_deploying_IcedID
Date of Scan:
2023-12-09
Impact:
LOW
Summary:
Last month, eSentire Threat Response analysts again observed DanaBot, a banking Trojan known for stealing banking credentials and personal information and for its hVNC capability. This malware was being employed to deliver IcedID, another banking Trojan.


Source:
https://www.esentire.com/blog/danabots-latest-move-deploying-icedid

2023-12-09
The_evolution_of_the_ATMZOW_skimmer
LOW
+

Intel Source:
Sucuri
Intel Name:
The_evolution_of_the_ATMZOW_skimmer
Date of Scan:
2023-12-09
Impact:
LOW
Summary:
The Sucuri research team shared a deep look into recent Google Tag Manager containers used in e-commerce malware, examined some newer forms of obfuscation used in the malicious code, and tracked the evolution of the ATMZOW skimmer linked to widespread Magento website infections since 2015.


Source:
https://blog.sucuri.net/2023/12/40-new-domains-of-magecart-veteran-atmzow-found-in-google-tag-manager.html

2023-12-09
Exploitation_of_Qlik_Sense_servers
LOW
+

Intel Source:
Esentire
Intel Name:
Exploitation_of_Qlik_Sense_servers
Date of Scan:
2023-12-09
Impact:
LOW
Summary:
eSentire has seen multiple instances of threat actors exploiting vulnerabilities in Qlik Sense to gain initial access into victim organizations. Qlik Sense is a data analytics platform; there is a high probability that unpatched, internet-facing Qlik Sense servers will be targeted in the ongoing campaign.


Source:
https://www.esentire.com/security-advisories/qlik-sense-exploitation

2023-12-09
Israel_Hamas_vs_Ukraine_Russia_cyber_war
MEDIUM
+

Intel Source:
Cyberint
Intel Name:
Israel_Hamas_vs_Ukraine_Russia_cyber_war
Date of Scan:
2023-12-09
Impact:
MEDIUM
Summary:
The conflict between Israel and Hamas that began on the morning of October 7 has not only been fought on physical battlegrounds but has also drawn multiple threat actors into cyberspace, as has the Russian-Ukrainian conflict. Cyberint shared their deep analysis of the cases observed during these two different wars.


Source:
https://cyberint.com/blog/research/israel-hamas-vs-ukraine-russia-war/

2023-12-08
Merry_Phishmas_phishing_activities
LOW
+

Intel Source:
Domaintools
Intel Name:
Merry_Phishmas_phishing_activities
Date of Scan:
2023-12-08
Impact:
LOW
Summary:
During the holidays, DomainTools is warning the public to be extremely careful about the threat of USPS package redelivery phishing attacks. DomainTools is monitoring several USPS phishing campaigns, which include activity consistent with the known tactics, techniques, and procedures of the China-based “Chenlun” phishing actor and their affiliate groups.


Source:
https://www.domaintools.com/resources/blog/merry-phishmas-beware-us-postal-service-phishing-during-the-holidays/

2023-12-07
A_huge_spike_scale_phishing_campaign
LOW
+

Intel Source:
Patchstack
Intel Name:
A_huge_spike_scale_phishing_campaign
Date of Scan:
2023-12-07
Impact:
LOW
Summary:
The Patchstack team has been keeping an eye on a large-scale phishing campaign with several variants of phishing emails circulating that notify users about a new security vulnerability in their WordPress website, supposedly a “Remote Code Execution (RCE)” vulnerability “CVE-2023-45124”, and ask them to patch right away using a “Patch created by the WordPress Team”. The email is fake, and the plugin users are asked to download and install is malicious and can infect the website with a backdoor and a malicious administrator account.


Source:
https://patchstack.com/articles/fake-cve-phishing-campaign-tricks-wordpress-users-to-install-malware/

2023-12-07
Star_Blizzard_increases_sophistication_and_evasion_in_ongoing_attacks
HIGH
+

Intel Source:
CISA, Microsoft
Intel Name:
Star_Blizzard_increases_sophistication_and_evasion_in_ongoing_attacks
Date of Scan:
2023-12-07
Impact:
HIGH
Summary:
CISA, the UK NCSC, the Australian Signals Directorate’s Australian Cyber Security Centre, the Canadian Centre for Cyber Security, the New Zealand National Cyber Security Centre, and the U.S. NSA, FBI, and Cyber Command Cyber National Mission Force (CNMF) shared a security advisory titled “Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns”. This threat actor, previously known as SEABORGIUM and also tracked as Callisto Group/TA446/COLDRIVER/TAG-53/BlueCharlie, continues to use spear-phishing campaigns against targeted organizations and individuals in the UK and other geographical areas of interest for information-gathering activity.


Source:
https://www.cisa.gov/news-events/alerts/2023/12/07/cisa-and-international-partners-release-advisory-russia-based-threat-actor-group-star-blizzard
https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/

2023-12-07
Detailed_analysis_of_PlugX_Malware
LOW
+

Intel Source:
Splunk
Intel Name:
Detailed_analysis_of_PlugX_Malware
Date of Scan:
2023-12-07
Impact:
LOW
Summary:
The Splunk research team shared a deep analysis of a PlugX variant, covering its malicious payload, tactics, and impact, including PlugX .DAT payload extraction, PlugX .CFG decryption, a PlugX extractor tool, and PlugX analysis.


Source:
https://www.splunk.com/en_us/blog/security/unmasking-the-enigma-a-historical-dive-into-the-world-of-plugx-malware.html

2023-12-06
New_Trojan_BlueNoroff_loader_attacking_macOS_users
LOW
+

Intel Source:
Securelist
Intel Name:
New_Trojan_BlueNoroff_loader_attacking_macOS_users
Date of Scan:
2023-12-06
Impact:
LOW
Summary:
Securelist uncovered a new type of malicious loader that attacks macOS, suspected to belong to the BlueNoroff APT group and its known RustBucket campaign. The threat actor is known to attack financial organizations whose activity is related to cryptocurrency, as well as individuals who hold crypto assets or take an interest in the subject.


Source:
https://securelist.com/bluenoroff-new-macos-malware/111290/

2023-12-06
WSF_Script_Variant_of_AsyncRAT_Malware_Campaign
MEDIUM
+

Intel Source:
ASEC
Intel Name:
WSF_Script_Variant_of_AsyncRAT_Malware_Campaign
Date of Scan:
2023-12-06
Impact:
MEDIUM
Summary:
A recent analysis by the AhnLab Security Emergency Response Center (ASEC) reveals a shift in the distribution method of the AsyncRAT malware. Previously distributed through files with the .chm extension, the malware is now using WSF script format, found in compressed (.zip) files distributed via email URLs. The WSF script, when executed, triggers a sequence of events, downloading and running Visual Basic scripts that ultimately execute the AsyncRAT malware. The campaign employs fileless attack techniques, bypassing UAC and utilizing various scripts to maintain persistence, collect system information, and exfiltrate data.


Source:
https://asec.ahnlab.com/en/59573/

2023-12-06
Unidentified_Infostealer_Dec5
LOW
+

Intel Source:
Unit42
Intel Name:
Unidentified_Infostealer_Dec5
Date of Scan:
2023-12-06
Impact:
LOW
Summary:
Loader EXE leads to unidentified malware with C2 using encoded/encrypted TCP traffic on 91.92.120[.]119.


Source:
https://twitter.com/Unit42_Intel/status/1732411660013273387
https://www.linkedin.com/posts/unit42_malwaretraffic-timelythreatintel-unit42threatintel-activity-7138177279964151809–S66/

2023-12-06
New_macOS_Trojan_Proxy_piggybacking_on_cracked_software
LOW
+

Intel Source:
Securelist
Intel Name:
New_macOS_Trojan_Proxy_piggybacking_on_cracked_software
Date of Scan:
2023-12-06
Impact:
LOW
Summary:
Securelist researchers identified several cracked applications spread by illegal websites and loaded with a Trojan-Proxy. Attackers use this malware to make money by building a proxy server network or to perform illegal activities on behalf of the victim: launching attacks on websites, companies, and individuals, and buying guns, drugs, and other illicit goods.


Source:
https://securelist.com/trojan-proxy-for-macos/111325/

2023-12-05
WordPress_Phishing_Campaign_Targets_Users_with_Fake_Security_Patch_Plugin
LOW
+

Intel Source:
Wordfence
Intel Name:
WordPress_Phishing_Campaign_Targets_Users_with_Fake_Security_Patch_Plugin
Date of Scan:
2023-12-05
Impact:
LOW
Summary:
Wordfence Threat Intelligence Team has identified a phishing campaign targeting WordPress users, falsely warning of a non-existent Remote Code Execution vulnerability (CVE-2023-45124). The phishing email instructs users to download a fake “Patch” plugin, leading to a malicious backdoor. The plugin adds an administrator user (wpsecuritypatch) and communicates with a command and control domain. The separate backdoor provides multiple forms of access, enabling full control over the WordPress site and the server’s web user account.


Source:
https://www.wordfence.com/blog/2023/12/psa-fake-cve-2023-45124-phishing-scam-tricks-users-into-installing-backdoor-plugin/

2023-12-05
Lumma_Stealer_threat_in_the_expanding_infostealers_Ecosystem
MEDIUM
+

Intel Source:
Cyberint
Intel Name:
Lumma_Stealer_threat_in_the_expanding_infostealers_Ecosystem
Date of Scan:
2023-12-05
Impact:
MEDIUM
Summary:
Lumma Stealer, identified in August 2022, continues to evolve as a prominent InfoStealer. Orchestrated by threat actor “Shamel,” it targets crypto users, extracting sensitive data through various methods. Priced at $140-$160 per month on the dark web, Lumma Stealer poses a significant risk with potential financial losses, compromised security, and privacy breaches. Its impact extends to organizational reputational damage. Businesses are urged to stay vigilant and implement robust cybersecurity measures against this evolving threat.


Source:
https://cyberint.com/blog/research/the-lumma-stealer-infostealer-the-details/

2023-12-05
DanaBot_Stealer
MEDIUM
+

Intel Source:
Cyfirma
Intel Name:
DanaBot_Stealer
Date of Scan:
2023-12-05
Impact:
MEDIUM
Summary:
Cyfirma analysts provided a comprehensive analysis focused on the information stealer DanaBot, presenting a thorough examination of its functionality and capabilities. DanaBot is a stealthy and versatile malware that infiltrates computers to steal valuable information for monetization. Unlike ransomware that demands immediate payment, DanaBot operates discreetly, prioritizing long-term persistence and the theft of sensitive data.


Source:
https://www.cyfirma.com/outofband/danabot-stealer-a-multistage-maas-malware-re-emerges-with-reduced-detectability/

2023-12-05
DJvu_Variant_Xaro_Delivered_via_Freeware_Loader
LOW
+

Intel Source:
Cybereason
Intel Name:
DJvu_Variant_Xaro_Delivered_via_Freeware_Loader
Date of Scan:
2023-12-05
Impact:
LOW
Summary:
The Cybereason Security Services Team is investigating incidents involving a variant of the DJvu ransomware named “Xaro,” delivered through loaders masquerading as freeware. This attack aims at data exfiltration, information theft, and file encryption for ransom. Notable observations include the .xaro extension appended to affected files and a “shotgun” infection approach, deploying various malware strains alongside Xaro.


Source:
https://www.cybereason.com/blog/threat-alert-djvu-variant-delivered-by-loader-masquerading-as-freeware

2023-12-05
Vast_Parcel_Delivery_Phishing_Campaign
LOW
+

Intel Source:
Bolster
Intel Name:
Vast_Parcel_Delivery_Phishing_Campaign
Date of Scan:
2023-12-05
Impact:
LOW
Summary:
Bolster’s researchers have discovered a new scam tactic: a domain impersonating Walmart, precisely designed to mimic the appearance of the USPS.com website.


Source:
https://bolster.ai/blog/usps-phishing-campaign

2023-12-05
Exploit_of_PLCs_in_US_Water_and_Wastewater_Systems_Facilities
HIGH
+

Intel Source:
CISA
Intel Name:
Exploit_of_PLCs_in_US_Water_and_Wastewater_Systems_Facilities
Date of Scan:
2023-12-05
Impact:
HIGH
Summary:
The FBI, CISA, NSA, EPA, and the Israel National Cyber Directorate released a joint Security Advisory about continued malicious cyber activity against operational technology devices by Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated Advanced Persistent Threat cyber actors. The IRGC is an Iranian military organization that the United States designated as a foreign terrorist organization in 2019. IRGC-affiliated cyber actors using the persona “CyberAv3ngers” are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs).


Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a

2023-12-05
Return_of_the_Banking_Trojan_TrickMo
LOW
+

Intel Source:
Cyble
Intel Name:
Return_of_the_Banking_Trojan_TrickMo
Date of Scan:
2023-12-05
Impact:
LOW
Summary:
Cyble researchers discovered a new variant of the TrickMo banking trojan via VirusTotal Intelligence back in September 2023. Compared with the previous analysis, this variant of TrickMo demonstrated more advanced functionality, employing overlay injection techniques to extract credentials from targeted applications instead of relying on screen recording, as observed in the first iteration.


Source:
https://cyble.com/blog/trickmos-return-banking-trojan-resurgence-with-new-features/

2023-12-05
Global_credit_card_information_campaigns_targeting_users_in_different_services
LOW
+

Intel Source:
CuratedIntel
Intel Name:
Global_credit_card_information_campaigns_targeting_users_in_different_services
Date of Scan:
2023-12-05
Impact:
LOW
Summary:
Tas and Curated Intel researchers shared their discovery of a newly observed phishing method utilizing chat functionality in multiple web/mobile applications. This phishing campaign introduced a novel TTP of abusing the chat functionality of postal, reservation, and e-commerce services.


Source:
https://www.curatedintel.org/2023/12/curated-intel-threat-report-multi.html

2023-12-05
Exploitation_of_Adobe_ColdFusion_or_Initial_Access_to_Government_Servers
HIGH
+

Intel Source:
CISA
Intel Name:
Exploitation_of_Adobe_ColdFusion_or_Initial_Access_to_Government_Servers
Date of Scan:
2023-12-05
Impact:
HIGH
Summary:
CISA has released a Cybersecurity Advisory confirming the exploitation of CVE-2023-26360 by unknown threat actors at a Federal Civilian Executive Branch (FCEB) agency. This vulnerability is an improper access control issue impacting Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier). Exploitation of this CVE can result in arbitrary code execution.


Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a

2023-12-05
Ransomware_group_Trigona_operation
MEDIUM
+

Intel Source:
TrendMicro
Intel Name:
Ransomware_group_Trigona_operation
Date of Scan:
2023-12-05
Impact:
MEDIUM
Summary:
Trigona threat actors were observed leveraging the vulnerability CVE-2021-40539. Trigona also gains access through compromised accounts obtained from network access brokers. Based on a combination of Trend’s open-source intelligence (OSINT) research and investigation of the leak site, Trigona ransomware compromised 33 organizations within a short period in North America and Europe; enterprises in Asia-Pacific, Latin America, and the Caribbean were also compromised.


Source:
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-trigona

2023-12-05
Unveiling_Akira_Ransomware
MEDIUM
+

Intel Source:
Trellix
Intel Name:
Unveiling_Akira_Ransomware
Date of Scan:
2023-12-05
Impact:
MEDIUM
Summary:
Discovered in 2023, the Akira ransomware employs a double extortion scheme, targeting diverse sectors with victims primarily in the United States. Using various initial access methods, including multi-factor authentication exploitation and spear phishing, the ransomware exfiltrates data, encrypts files with ChaCha, and demands payment for decryption and data protection.


Source:
https://www.trellix.com/about/newsroom/stories/research/akira-ransomware/

2023-12-05
Compromise_of_SEO_Poisoning_and_Large_Payloads_by_GootLoader_threat
MEDIUM
+

Intel Source:
Cybereason
Intel Name:
Compromise_of_SEO_Poisoning_and_Large_Payloads_by_GootLoader_threat
Date of Scan:
2023-12-05
Impact:
MEDIUM
Summary:
The Cybereason IR team captured several attack scenarios that started from a GootLoader infection and ultimately deployed additional capabilities. The team observed large payloads (40MB and more) masquerading as legitimate JavaScript code to evade security mechanisms, fast-moving behavior, post-infection frameworks such as Cobalt Strike and SystemBC (the latter usually leveraged for data exfiltration), and SEO poisoning techniques used to spread the malware.


Source:
https://www.cybereason.com/blog/threat-alert-gootloader-seo-poisoning-and-large-payloads-leading-to-compromise

2023-12-05
Multi_Layered_Invoice_Campaign_Unveils_Stealthy_LUMMA_InfoStealer_Attack
MEDIUM
+

Intel Source:
Perception point
Intel Name:
Multi_Layered_Invoice_Campaign_Unveils_Stealthy_LUMMA_InfoStealer_Attack
Date of Scan:
2023-12-05
Impact:
MEDIUM
Summary:
Researchers at Perception Point recently uncovered a sophisticated malware attack leveraging a multi-layered fake invoice campaign. The threat actor, impersonating a financial services company, prompts users to click on a seemingly legitimate invoice link, creating an evasion tactic. The attacker exploits a breached website to redirect users, initiating the download of a JavaScript file containing the LUMMA InfoStealer malware. LUMMA, distributed through Malware-as-a-Service, executes complex processes from unusual locations, adding layers of obfuscation to the attack.


Source:
https://perception-point.io/blog/behind-the-attack-lumma-malware/

2023-12-05
Threat_Actors_Target_MSSQL_Servers
MEDIUM
+

Intel Source:
STR
Intel Name:
Threat_Actors_Target_MSSQL_Servers
Date of Scan:
2023-12-05
Impact:
MEDIUM
Summary:
In an interesting attack campaign tracked as DB#JAMMER, the Securonix Threat Research team has identified threat actors targeting exposed Microsoft SQL (MSSQL) services using brute force attacks. One of the things that makes DB#JAMMER stand out is how the attacker’s tooling infrastructure and payloads are used. The ransomware payload of choice appears to be a newer variant of Mimic ransomware called FreeWorld.


Source:
https://www.securonix.com/blog/securonix-threat-labs-security-advisory-threat-actors-target-mssql-servers-in-dbjammer-to-deliver-freeworld-ransomware/

2023-12-05
TA422_s_Dedicated_Exploitation
MEDIUM
+

Intel Source:
Proofpoint
Intel Name:
TA422_s_Dedicated_Exploitation
Date of Scan:
2023-12-05
Impact:
MEDIUM
Summary:
Since the middle of the year 2023, Proofpoint researchers have observed regular TA422 (APT28) phishing activity, where the threat actor leveraged patched vulnerabilities including CVE-2023-23397 to send, at times, high-volume campaigns to targets in Europe and North America. TA422 used the vulnerabilities as initial access against government, aerospace, education, finance, manufacturing, and technology sector targets likely to either disclose user credentials or initiate follow-on activity.


Source:
https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week

2023-12-05
P2PInfect
LOW
+

Intel Source:
CADO Security
Intel Name:
P2PInfect
Date of Scan:
2023-12-05
Impact:
LOW
Summary:
Cado analysts have been monitoring the development of a cross-platform botnet “P2Pinfect”. As the name suggests, the malware – written in Rust – acts as a botnet agent, connecting infected hosts in a peer-to-peer topology.


Source:
https://www.cadosecurity.com/p2pinfect-new-variant-targets-mips-devices/

2023-12-05
New_Cyber_Espionage_Threat_Targets_US_Aerospace_Industry
LOW
+

Intel Source:
Blackberry
Intel Name:
New_Cyber_Espionage_Threat_Targets_US_Aerospace_Industry
Date of Scan:
2023-12-05
Impact:
LOW
Summary:
BlackBerry’s Threat Research team has uncovered a sophisticated cyber-espionage campaign, naming the threat actor AeroBlade, targeting a U.S. aerospace organization. Initiated through spear-phishing, the attacker evolved their tactics from a testing phase in September 2022 to a more advanced stage in July 2023. The attacker’s goal, assessed with medium to high confidence, is commercial cyber espionage.


Source:
https://blogs.blackberry.com/en/2023/11/aeroblade-on-the-hunt-targeting-us-aerospace-industry

2023-12-04
BlueSky_Ransomware_Emerges
LOW
+

Intel Source:
thedfirreport
Intel Name:
BlueSky_Ransomware_Emerges
Date of Scan:
2023-12-04
Impact:
LOW
Summary:
In December, a notable intrusion occurred, targeting public-facing MSSQL servers, resulting in the deployment of BlueSky ransomware. This report unveils the threat actors’ techniques, starting with an MSSQL brute force attack on the “sa” account. Leveraging Cobalt Strike and Tor2Mine, the attackers executed post-exploitation activities. Within an hour, BlueSky ransomware spread network-wide. The report provides a comprehensive breakdown, including threat actor profiles, initial access details, execution events, persistence methods, privilege escalation tactics, and the impact of the ransomware.


Source:
https://thedfirreport.com/2023/12/04/sql-brute-force-leads-to-bluesky-ransomware/

2023-12-01
Cactus_Ransomware_Campaign_Exploiting_Vulnerabilities_in_Qlik_Sense
MEDIUM
+

Intel Source:
Arctic Wolf
Intel Name:
Cactus_Ransomware_Campaign_Exploiting_Vulnerabilities_in_Qlik_Sense
Date of Scan:
2023-12-01
Impact:
MEDIUM
Summary:
Researchers from Arctic Wolf Labs have observed a new Cactus ransomware campaign exploiting publicly exposed installations of Qlik Sense. This campaign marks the first documented instance, that they are aware of, where threat actors deploying Cactus ransomware have exploited vulnerabilities in Qlik Sense for initial access.


Source:
https://www.arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/

2023-12-01
Uncovering_the_new_Java_Based_SAW_RAT
LOW
+

Intel Source:
Cyble
Intel Name:
Uncovering_the_new_Java_Based_SAW_RAT
Date of Scan:
2023-12-01
Impact:
LOW
Summary:
This article provides an analysis of the Saw RAT, a Java-based RAT embedded in a ZIP archive file. It outlines the infiltration strategy, which involves a maliciously crafted ZIP archive containing a PDF icon shortcut, a JavaScript file, a deceptive PDF file, and a malicious JAR file. The malware establishes a connection with a C&C server and carries out various functions in response to commands. Recommendations for best practices to protect against such attacks are also provided.


Source:
https://cyble.com/blog/uncovering-the-new-java-based-saw-rats-infiltration-strategy-via-lnk-files/

2023-12-01
Fake_Virus_Alerts
LOW
+

Intel Source:
Malwarebytes
Intel Name:
Fake_Virus_Alerts
Date of Scan:
2023-12-01
Impact:
LOW
Summary:
ScamClub has been running a malvertising campaign since 2018, redirecting mobile users on high profile websites to a fake security alert connected to a malicious McAfee affiliate. The malicious JavaScripts were hosted on Google’s cloud but have since moved to Azure’s CDN. Malwarebytes for Android can protect users from this campaign. Indicators of compromise are provided.


Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/11/associated-press-espn-cbs-among-top-sites-serving-fake-virus-alerts

2023-12-01
Attacks_against_organizations_in_the_Middle_East_and_Africa
LOW
+

Intel Source:
PaloAlto
Intel Name:
Attacks_against_organizations_in_the_Middle_East_and_Africa
Date of Scan:
2023-12-01
Impact:
LOW
Summary:
Unit 42 researchers identified a tool set used by a threat actor against Middle East, Africa and the US, including Agent Racoon malware, Ntospy, and a customized version of Mimikatz. The tool set was used to exfiltrate confidential information, such as emails and Roaming Profiles, and was mapped to the MITRE ATT&CK matrix.


Source:
https://unit42.paloaltonetworks.com/new-toolset-targets-middle-east-africa-usa/

2023-12-01
Early_Detection_of_ROMCOM_malicious_DNS
LOW
+

Intel Source:
Infoblox
Intel Name:
Early_Detection_of_ROMCOM_malicious_DNS
Date of Scan:
2023-12-01
Impact:
LOW
Summary:
This article discusses the malicious domain ROMCOM and the threat actor group Void Rabisu, and how Infoblox’s DNS Early Detection Program identified multiple ROMCOM malicious domains as suspicious an average of 91.6 days before they were identified as malicious in OSINT. It also explains how ROMCOMLITE, a new variation of the malware, is being used to target organizations in Ukraine and various NATO countries, and how Infoblox’s suspicious domain data can help customers reduce risk and increase the return on investment for their threat intelligence program.


Source:
https://blogs.infoblox.com/cyber-threat-intelligence/dns-early-detection-romcom/

2023-12-01
South_Korea_and_Uzbekistan_are_Targeted_by_SugarGh0st_RAT
LOW
+

Intel Source:
Cisco Talos
Intel Name:
South_Korea_and_Uzbekistan_are_Targeted_by_SugarGh0st_RAT
Date of Scan:
2023-12-01
Impact:
LOW
Summary:
Cisco Talos researchers have identified a new RAT, “SugarGh0st,” in a malicious campaign. They assess with high confidence that the SugarGh0st RAT is a new customized variant of Gh0st RAT, an infamous trojan that’s been active for more than a decade, with customized commands to facilitate the remote administration tasks as directed by the C2. They observed two infection chains leveraging Windows Shortcut embedded with malicious JavaScript to deliver the components to drop and launch the SugarGh0st payload.


Source:
https://blog.talosintelligence.com/new-sugargh0st-rat/

2023-11-30
Malware_Distributing_Using_Sale_of_Personal_Information_as_Bait
LOW
+

Intel Source:
ASEC
Intel Name:
Malware_Distributing_Using_Sale_of_Personal_Information_as_Bait
Date of Scan:
2023-11-30
Impact:
LOW
Summary:
Researchers from ASEC have uncovered a case of malware distribution that uses the sale of personal data as a lure. This attack case relies on a social engineering technique.


Source:
https://asec.ahnlab.com/en/59379/

2023-11-30
South_Korean_Research_Institutes_Targeted_by_Kimsuky
LOW
+

Intel Source:
ASEC
Intel Name:
South_Korean_Research_Institutes_Targeted_by_Kimsuky
Date of Scan:
2023-11-30
Impact:
LOW
Summary:
ASEC researchers have discovered that the Kimsuky threat organization is sending malicious JSE files to South Korean research institutes under the appearance of an import declaration. In the end, the threat actor employs a backdoor to carry out commands and steal data.


Source:
https://asec.ahnlab.com/en/59387/

2023-11-30
Observed_the_use_of_Finger_a_client_server_application
LOW
+

Intel Source:
Huntress
Intel Name:
Observed_the_use_of_Finger_a_client_server_application
Date of Scan:
2023-11-30
Impact:
LOW
Summary:
Huntress analysts observed the use of Finger, a client-server application, to exfiltrate data from an endpoint. The threat actor created a webshell on an MSExchange server and used Finger to download a file and gain situational awareness. In September 2020, an advisory was published by security researcher John Page. MITRE ATT&CK mappings and a statistic from Huntress’ SMB Threat Report are also provided.


Source:
https://www.huntress.com/blog/cant-touch-this-data-exfiltration-via-finger

2023-11-30
The_release_of_new_malware_Nova_infostealer
LOW
+

Intel Source:
Cyfirma
Intel Name:
The_release_of_new_malware_Nova_infostealer
Date of Scan:
2023-11-30
Impact:
LOW
Summary:
MaaS operator Sordeal has developed the Nova infostealer, a sophisticated malware with alarming capabilities such as credential harvesting, Discord injection, and targeting crypto wallets. Organizations must enhance their threat detection and fortify defenses to mitigate the risks posed by Nova. Strategic, tactical, and management recommendations are provided to help protect against the malware.


Source:
https://www.cyfirma.com/outofband/emerging-maas-operator-sordeal-releases-nova-infostealer/

2023-11-29
The_delivery_of_the_Remcos_Trojan
LOW
+

Intel Source:
Weixin
Intel Name:
The_delivery_of_the_Remcos_Trojan
Date of Scan:
2023-11-29
Impact:
LOW
Summary:
The QiAnXin Threat Intelligence Center observed that Spyder has undergone at least two rounds of updates since July, and found that attackers used Spyder to implant the Remcos Trojan into the target host. The Spyder malware is associated with the Maharashtra organization, and its main function is to download and run executable files issued by the C2 server.


Source:
https://mp.weixin.qq.com/s?__biz=MzI2MDc2MDA4OA==&mid=2247508856&idx=1&sn=256ab2e8e63a406a37088f1b133eb6ff&chksm=ea66540fdd11dd1924c87240bbf3675e276a17a5980df63d8aace47c92cbe40ca5e197f7e183&scene=178&cur_album_id=1539799351089283075#rd

2023-11-29
Tracking_Vidar_malware_infrastructure
LOW
+

Intel Source:
Censys
Intel Name:
Tracking_Vidar_malware_infrastructure
Date of Scan:
2023-11-29
Impact:
LOW
Summary:
The security researcher shared his details about one of the more advanced stealers: Vidar. Vidar is a piece of malware originating from the Arkei Stealer but uses new methods to find and direct traffic to the attacker.


Source:
https://censys.com/tracking-vidar-infrastructure/

2023-11-29
GoTitan_Botnet_Exploiting_Apache_ActiveMQ_Vulnerability
LOW
+

Intel Source:
Fortinet
Intel Name:
GoTitan_Botnet_Exploiting_Apache_ActiveMQ_Vulnerability
Date of Scan:
2023-11-29
Impact:
LOW
Summary:
Threat actors are aggressively exploiting the recently disclosed severe security vulnerability affecting Apache ActiveMQ to spread a new Go-based botnet named GoTitan and a .NET application called PrCtrl Rat, which has the ability to remotely take over the compromised servers.


Source:
https://www.fortinet.com/blog/threat-research/gotitan-botnet-exploitation-on-apache-activemq

2023-11-29
MetaStealer_analysis
LOW
+

Intel Source:
Russian Panda
Intel Name:
MetaStealer_analysis
Date of Scan:
2023-11-29
Impact:
LOW
Summary:
Russian Panda researchers provided a technical analysis and overview of some of Red Stealer’s functionalities. It has many similarities with Redline Stealer.


Source:
https://russianpanda.com/2023/11/20/MetaStealer-Redline%27s-Doppelganger/

2023-11-29
Delivering_DJvu_Variant_while_Posing_as_Freeware_via_Loader
MEDIUM
+

Intel Source:
cybereason
Intel Name:
Delivering_DJvu_Variant_while_Posing_as_Freeware_via_Loader
Date of Scan:
2023-11-29
Impact:
MEDIUM
Summary:
Researchers from Cybereason have seen DJvu variants distributing through loaders that appear to be freeware. They present an overview of these dangers and offer doable suggestions for defending against them.


Source:
https://www.cybereason.com/hubfs/dam/collateral/reports/threat-alert-DJvu-variant.pdf

2023-11-28
Diving_Deep_into_RisePro_Malware
LOW
+

Intel Source:
Any.run
Intel Name:
Diving_Deep_into_RisePro_Malware
Date of Scan:
2023-11-28
Impact:
LOW
Summary:
AnyRun researchers have examined the RisePro malware. The information-stealing spyware was initially discovered by the cybersecurity companies Sekoia and Flashpoint. It is disseminated via fake crack websites run by the pay-per-install (PPI) malware distribution service PrivateLoader. Its goal is to steal cryptocurrency wallets, passwords, and credit card data from compromised machines.


Source:
https://any.run/cybersecurity-blog/risepro-malware-communication-analysis/

2023-11-28
AgentTesla_infection_with_FTP_data_exfil
LOW
+

Intel Source:
Malware Traffic Analysis
Intel Name:
AgentTesla_infection_with_FTP_data_exfil
Date of Scan:
2023-11-28
Impact:
LOW
Summary:
This article provides an overview of an AgentTesla infection with FTP data exfiltration that occurred on 2023-11-22. It includes associated files, malware/artifacts, email headers, and infection chain. Malware/artifacts include a RAR archive, VBS file, script, PNG image, DLL, reversed base64 text, and AgentTesla EXE. Infection traffic is also listed, including IP addresses and ports used.


Source:
https://www.malware-traffic-analysis.net/2023/11/22/index.html

2023-11-28
New_Persian_Remote_World_malicious_activity
LOW
+

Intel Source:
Cyble
Intel Name:
New_Persian_Remote_World_malicious_activity
Date of Scan:
2023-11-28
Impact:
LOW
Summary:
Cyble research center identified a website selling malicious tools, including RATs, loaders, and crypters, which can enable unauthorized control, identity theft, financial fraud, and system modifications. Recommendations to protect against these tools are provided, as well as MITRE ATT&CK® Techniques and Indicators of Compromise (IOCs).


Source:
https://cyble.com/blog/new-persian-remote-world-selling-a-suite-of-malicious-tools/

2023-11-28
Insight_into_groups_operating_Telekopye_bots
LOW
+

Intel Source:
Welivesecurity
Intel Name:
Insight_into_groups_operating_Telekopye_bots
Date of Scan:
2023-11-28
Impact:
LOW
Summary:
Welivesecurity published their article about Telekopye, a Telegram bot that helps cybercriminals scam people in online marketplaces. Telekopye can craft phishing websites, emails, SMS messages, and more.


Source:
https://www.welivesecurity.com/en/eset-research/telekopye-hunting-mammoths-using-telegram-bot/

2023-11-28
Actionable_day_in_a_Threat_Hunters_life_report
LOW
+

Intel Source:
Virustotal Blog
Intel Name:
Actionable_day_in_a_Threat_Hunters_life_report
Date of Scan:
2023-11-28
Impact:
LOW
Summary:
This article explains how to use VirusTotal Intelligence (VTI) to hunt and monitor malicious activity, using third-party intelligence reports. It provides examples of how to use VTI to search for samples with similar behaviors, and how to convert VTI queries into YARA rules for use in VirusTotal Livehunt.


Source:
https://blog.virustotal.com/2023/11/actionable-threat-intel-vi-day-in.html

2023-11-28
The_2_state_sponcored_North_Korean_campaigns_targeting_job_seekers
MEDIUM
+

Intel Source:
PaloAlto
Intel Name:
The_2_state_sponcored_North_Korean_campaigns_targeting_job_seekers
Date of Scan:
2023-11-28
Impact:
MEDIUM
Summary:
The team at Palo Alto Networks Unit 42 released research on North Korean activity leveraging remote work in two distinct campaigns they call Contagious Interview and Wagemole. Both campaigns have the goals of espionage and cryptocurrency theft.


Source:
https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/#post-131292-_6n6fflyzyu52

2023-11-27
Parallax_RAT_infection
LOW
+

Intel Source:
Esentire
Intel Name:
Parallax_RAT_infection
Date of Scan:
2023-11-27
Impact:
LOW
Summary:
Parallax RAT is a malware discovered by eSentire’s TRU. It is delivered to machines, has capabilities to evade detection, and can be used to compromise endpoints. Recommendations are provided to protect against it, as well as indicators of compromise.


Source:
https://www.esentire.com/blog/unveiling-parallax-rat-a-journey-from-infection-to-lateral-movement

2023-11-27
DPRK_Crypto_Theft
MEDIUM
+

Intel Source:
SentinelOne
Intel Name:
DPRK_Crypto_Theft
Date of Scan:
2023-11-27
Impact:
MEDIUM
Summary:
This article discusses two North Korean-aligned macOS campaigns in 2023: RustBucket and KandyKorn. RustBucket used a Swift-based application bundle and KandyKorn used a five-stage attack with social engineering via Discord. KandyKorn is distributed as Cross-Platform Bridges.zip and contains multiple benign Python scripts. SentinelOne Singularity detects and protects against all known components of KandyKorn and RustBucket malware.


Source:
https://www.sentinelone.com/blog/dprk-crypto-theft-macos-rustbucket-droppers-pivot-to-deliver-kandykorn-payloads/

2023-11-27
Phobos_Ransomware_Masquerading_As_VX_Underground
LOW
+

Intel Source:
Qualys
Intel Name:
Phobos_Ransomware_Masquerading_As_VX_Underground
Date of Scan:
2023-11-27
Impact:
LOW
Summary:
Phobos ransomware is a malicious software masquerading as VX-Underground, distributed via stolen RDP connections. It halts execution if Cyrillic alphabets are present, kills processes, deletes shadow copies, and encrypts files with a “.VXUG” extension. Qualys Threat Research is monitoring the attack and providing hunting queries for detection.


Source:
https://blog.qualys.com/vulnerabilities-threat-research/2023/11/23/unveiling-the-deceptive-dance-phobos-ransomware-masquerading-as-vx-underground

2023-11-27
Hackers_Utilize_Supply_Chain_Attacks_With_Zero_Day_Vulnerabilities
MEDIUM
+

Intel Source:
NIS
Intel Name:
Hackers_Utilize_Supply_Chain_Attacks_With_Zero_Day_Vulnerabilities
Date of Scan:
2023-11-27
Impact:
MEDIUM
Summary:
The National Intelligence Service (NIS) of Korea and the National Cyber Security Centre (NCSC) have issued a warning over the North Korean Lazarus hacker group’s use of a zero-day vulnerability in the MagicLine4NX software to perform supply-chain assaults against businesses.


Source:
https://www.documentcloud.org/documents/24174869-rok-uk-joint-cyber-security-advisoryeng

2023-11-27
Exploiting_an_Apache_ActiveMQ_Vulnerability_CVE_2023_46604
MEDIUM
+

Intel Source:
ASEC
Intel Name:
Exploiting_an_Apache_ActiveMQ_Vulnerability_CVE_2023_46604
Date of Scan:
2023-11-27
Impact:
MEDIUM
Summary:
The Andariel threat group has been targeting South Korean companies and institutions with spear phishing, watering hole, and supply chain attacks. Recently, they have been exploiting a Log4Shell vulnerability, targeting MS-SQL servers, and abusing legitimate software. AhnLab Security Emergency Response Center (ASEC) discovered the group exploiting a remote code execution vulnerability (CVE-2023-46604) in Apache ActiveMQ servers to install malware, including NukeSped, HelloKitty ransomware, Metasploit Meterpreter’s Stager, and CobaltStrike Beacon. The article provides hashes, C&C servers, and URLs associated with the malicious files.


Source:
https://asec.ahnlab.com/en/59318/

2023-11-24
Distributing_Atomic_Stealers_via_Fake_Browser_Updates
LOW
+

Intel Source:
Malwarebytes
Intel Name:
Distributing_Atomic_Stealers_via_Fake_Browser_Updates
Date of Scan:
2023-11-24
Impact:
LOW
Summary:
Researchers at Malwarebytes have discovered that AMOS is being distributed to Mac users through a fake browser update chain known as “ClearFake.” This might be the first time that one of the most popular social engineering campaigns, previously exclusive to Windows, has branched out into another operating system as well as another geolocation.


Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/11/atomic-stealer-distributed-to-mac-users-via-fake-browser-updates

2023-11-24
An_Overview_of_Volt_Typhoon
LOW
+

Intel Source:
SOC Radar
Intel Name:
An_Overview_of_Volt_Typhoon
Date of Scan:
2023-11-24
Impact:
LOW
Summary:
Volt Typhoon, also known as BRONZE SILHOUETTE, is an advanced, state-sponsored Advanced Persistent Threat (APT) organization that is mostly thought to have originated in China. Their online activities have been meticulously observed and recorded over the last few years by numerous cybersecurity companies, international intelligence agencies, and governmental organizations.


Source:
https://socradar.io/apt-profile-volt-typhoon/

2023-11-24
Missuse_of_MQTT_Messaging_Protocol_by_Stealthy_WailingCrab_Malware
LOW
+

Intel Source:
IBM Security Intelligence
Intel Name:
Missuse_of_MQTT_Messaging_Protocol_by_Stealthy_WailingCrab_Malware
Date of Scan:
2023-11-24
Impact:
LOW
Summary:
Researchers from IBM X-Force have been monitoring changes made to the WailingCrab malware family. They have focused on changes that affect the virus’s C2 communication techniques, which involve abusing the MQTT Internet-of-Things (IoT) messaging protocol.


Source:
https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/

2023-11-24
Konni_Campaign_Spreading_Through_a_Malicious_File
LOW
+

Intel Source:
Fortinet
Intel Name:
Konni_Campaign_Spreading_Through_a_Malicious_File
Date of Scan:
2023-11-24
Impact:
LOW
Summary:
The Russian-language Word document that has a malicious macro included in it is being used in the ongoing Konni campaign, according to FortiGuard Labs. Internal telemetry shows continued engagement on the campaign’s C2 server even though the document was created in September.


Source:
https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document

2023-11-24
Taking_Edge_Off_Systemjoker_in_Israel_Hamas_War_Spotlight
MEDIUM
+

Intel Source:
Checkpoint
Intel Name:
Taking_Edge_Off_Systemjoker_in_Israel_Hamas_War_Spotlight
Date of Scan:
2023-11-24
Impact:
MEDIUM
Summary:
Researchers at Check Point have traced the development of SysJoker, a previously unidentified multi-platform backdoor that was used by an APT with ties to Hamas to target Israel.


Source:
https://research.checkpoint.com/2023/israel-hamas-war-spotlight-shaking-the-rust-off-sysjoker/

2023-11-23
The_distribution_of_Atomic_Stealer_to_Mac_users
LOW
+

Intel Source:
Malware news
Intel Name:
The_distribution_of_Atomic_Stealer_to_Mac_users
Date of Scan:
2023-11-23
Impact:
LOW
Summary:
Atomic Stealer, aka AMOS, is a known stealer for macOS. Recently a new development was observed: AMOS is now being delivered to Mac users via a fake browser update chain tracked as ‘ClearFake’. It is the first time this major social engineering campaign, previously reserved for Windows, has been observed targeting macOS. The threat actors could widen their possibilities by stealing credentials and files of interest that can be monetized immediately or repurposed for additional attacks.


Source:
https://malware.news/t/atomic-stealer-distributed-to-mac-users-via-fake-browser-updates/75907

2023-11-23
Possible_Return_of_Genesis_Market_malicious_operations
LOW
+

Intel Source:
TrendMicro
Intel Name:
Possible_Return_of_Genesis_Market_malicious_operations
Date of Scan:
2023-11-23
Impact:
LOW
Summary:
The Trend Micro Managed XDR team observed malicious campaigns that were very similar to the ones used by Genesis Market. The threat actor used Node.js as a platform for the backdoor, Extended Validation (EV) Code Signing for defense evasion, and possibly Google Colab to host search engine-optimized download sites. The Trend Micro researchers provided in their blog a technical analysis of these attacks, including confirmation of, and speculation about, the other techniques used by the threat actor behind these activities.


Source:
https://www.trendmicro.com/en_us/research/23/k/attack-signals-possible-return-of-genesis-market.html

2023-11-23
Modified_CyberLink_Installer_Distributing_by_Diamond_Sleet
MEDIUM
+

Intel Source:
Microsoft
Intel Name:
Modified_CyberLink_Installer_Distributing_by_Diamond_Sleet
Date of Scan:
2023-11-23
Impact:
MEDIUM
Summary:
Microsoft researchers have discovered a supply chain attack, carried out by the North Korea-based threat actor Diamond Sleet (ZINC), using a malicious version of an application created by CyberLink Corp. The malicious file is a legitimate installer for a CyberLink application that has been altered to contain malicious code which downloads, decrypts, and loads a second-stage payload.


Source:
https://www.microsoft.com/en-us/security/blog/2023/11/22/diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer/

2023-11-23
Scattered_Spider_Attack_Analysis
LOW
+

Intel Source:
ReliaQuest
Intel Name:
Scattered_Spider_Attack_Analysis
Date of Scan:
2023-11-23
Impact:
LOW
Summary:
ReliaQuest recently observed an intrusion into a customer’s internal IT documentation, and a lateral move from the customer’s identity-as-a-service (IDaaS) provider to their on-premises assets within a matter of minutes. The attack was attributed to the highly capable “Scattered Spider” cybercrime group. Scattered Spider, an “ALPHV”/“BlackCat” ransomware affiliate, infiltrates cloud and on-premises environments via social engineering.


Source:
https://www.reliaquest.com/blog/scattered-spider-attack-analysis-account-compromise/

2023-11-23
Marai_Based_Botnet_Explores_Two_Zero_Days
LOW
+

Intel Source:
Akamai
Intel Name:
Marai_Based_Botnet_Explores_Two_Zero_Days
Date of Scan:
2023-11-23
Impact:
LOW
Summary:
Researchers from Akamai have uncovered a brand-new DDoS botnet, called InfectedSlurs, that targets routers and network video recorders (NVRs) by actively taking advantage of two zero-day vulnerabilities.


Source:
https://www.akamai.com/blog/security-research/new-rce-botnet-spreads-mirai-via-zero-days

2023-11-23
Malicious_Chrome_Extensions_Targeting_Brazil
LOW
+

Intel Source:
Trend Micro
Intel Name:
Malicious_Chrome_Extensions_Targeting_Brazil
Date of Scan:
2023-11-23
Impact:
LOW
Summary:
Researchers from Trend Micro have described the modular architecture of malicious Chrome extensions, which are made up of a number of highly obfuscated parts that use the Google Chrome API to monitor, intercept, and steal victim data.


Source:
https://www.trendmicro.com/en_us/research/23/k/parasitesnatcher-how-malicious-chrome-extensions-target-brazil-.html

2023-11-23
HrServ_web_shell_analysis
LOW
+

Intel Source:
Securelist
Intel Name:
HrServ_web_shell_analysis
Date of Scan:
2023-11-23
Impact:
LOW
Summary:
Securelist obtained a DLL file, identified as hrserv.dll, which turned out to be a previously unknown web shell exhibiting sophisticated features such as custom encoding methods for client communication and in-memory execution.


Source:
https://