Chinese_APT_Group_BRONZE_SILHOUETTE_Targeting_US_Government_and_Defense_Organizations
MEDIUM
+
—
—
- Intel Source:
- NSA / Secureworks
- Intel Name:
- Chinese_APT_Group_BRONZE_SILHOUETTE_Targeting_US_Government_and_Defense_Organizations
- Date of Scan:
- 2023-05-30
- Impact:
- MEDIUM
- Summary:
- SecureWorks researchers have discovered a cluster of activity of interest associated with a People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon. Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide.
Obsidian_ORB_Ransomware_Demanding_Payment_With_Gift_Cards
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Obsidian_ORB_Ransomware_Demanding_Payment_With_Gift_Cards
- Date of Scan:
- 2023-05-30
- Impact:
- LOW
- Summary:
- Cyble researchers have come across a new and unique ransomware strain named Obsidian ORB. Extensive analysis has revealed compelling evidence that suggests a significant correlation between Obsidian ORB Ransomware and the underlying source code of the notorious Chaos ransomware.
Source:
https://blog.cyble.com/2023/05/25/obsidian-orb-ransomware-demands-gift-cards-as-payment/
Ducktail_Malware_targets_a_high_profile_accounts
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Ducktail_Malware_targets_a_high_profile_accounts
- Date of Scan:
- 2023-05-30
- Impact:
- LOW
- Summary:
- Recently Cyble researchers recently discovered Ducktail malware that targets specifically Marketing and HR professionals. The malware is designed to extract browser cookies and take advantage of social media sessions to steal sensitive information from the victim’s Social Media account. The malware operation purpose is to gain control of Social Media Business accounts with adequate access privileges. TAs then use their acquired access to conduct advertisements for their financial gain.
The_Invicta_Stealer_Spreading
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- The_Invicta_Stealer_Spreading
- Date of Scan:
- 2023-05-30
- Impact:
- LOW
- Summary:
- Cyble researcher Lab team discovered a new stealer called Invicta Stealer. The developer who is in charge of this malware is heavy involved on social media platforms, utilizing them to promote their information stealer and its lethal capabilities.
Source:
https://blog.cyble.com/2023/05/25/invicta-stealer-spreading-through-phony-godaddy-refund-invoices/
Legion_Malware_Targeting_SSH_Servers_and_AWS_Credentials
LOW
+
—
—
- Intel Source:
- CADO Security
- Intel Name:
- Legion_Malware_Targeting_SSH_Servers_and_AWS_Credentials
- Date of Scan:
- 2023-05-29
- Impact:
- LOW
- Summary:
- CADO security researchers have identified an updated version of the commodity malware called Legion comes with expanded features to compromise SSH servers and Amazon Web Services (AWS) credentials associated with DynamoDB and CloudWatch.
Source:
https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/
Hackers_Targeting_Users_of_Portuguese_Financial_Institutions
MEDIUM
+
—
—
- Intel Source:
- Sentinelone
- Intel Name:
- Hackers_Targeting_Users_of_Portuguese_Financial_Institutions
- Date of Scan:
- 2023-05-29
- Impact:
- MEDIUM
- Summary:
- SentinelOne researchers have observed a campaign targeting users of Portuguese financial institutions conducted by a Brazilian threat group. The attackers can steal credentials and exfiltrate users’ data and personal information, which can be leveraged for malicious activities beyond financial gain.
Phishing_Delivering_via_Encrypted_Messages
MEDIUM
+
—
—
- Intel Source:
- Trustwave
- Intel Name:
- Phishing_Delivering_via_Encrypted_Messages
- Date of Scan:
- 2023-05-28
- Impact:
- MEDIUM
- Summary:
- Trustwave researchers have observed phishing attacks that use a combination of compromised Microsoft 365 accounts and .rpmsg encrypted emails to deliver the phishing message.
The_Technical_Examination_of_Pikabot
LOW
+
—
—
- Intel Source:
- Zscaler
- Intel Name:
- The_Technical_Examination_of_Pikabot
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have identified a new malware trojan named Pikabot which emerged in early 2023 that consists of two components a loader and a core module.
Source:
https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot
Over_200_Corporate_Victims_Hit_by_New_Ransomware_Wave
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Over_200_Corporate_Victims_Hit_by_New_Ransomware_Wave
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs (CRIL) discovered the increasing adoption of double extortion by ransomware groups is an alarming trend. We are witnessing a surge in ransomware attacks that not only encrypt valuable corporate data but also involve the threat of public exposure unless the attackers’ demands are fulfilled.
Source:
https://blog.cyble.com/2023/05/23/new-ransomware-wave-engulfs-over-200-corporate-victims/
Ongoing_Kimsuky_Campaign_Utilizing_Custom_Reconnaissance_Toolkit
MEDIUM
+
—
—
- Intel Source:
- Sentilone
- Intel Name:
- Ongoing_Kimsuky_Campaign_Utilizing_Custom_Reconnaissance_Toolkit
- Date of Scan:
- 2023-05-27
- Impact:
- MEDIUM
- Summary:
- SentinelLabs have tracking a targeted campaign against information services, as well as organizations supporting human rights activists and defectors in relation to North Korea. The campaign focuses on file reconnaissance, and exfiltrating system and hardware information, laying the groundwork for subsequent precision attacks.
Source:
https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/
COSMICENERGY_new_OT_Malware_related_to_Russia
MEDIUM
+
—
—
- Intel Source:
- Mandiant
- Intel Name:
- COSMICENERGY_new_OT_Malware_related_to_Russia
- Date of Scan:
- 2023-05-27
- Impact:
- MEDIUM
- Summary:
- Mandiant discovered a new operational technology (OT) / industrial control system (ICS) malware, which was recognized as COSMICENERGY, uploaded by threat actor in Russia. The malware is capable of to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia.
Source:
https://www.mandiant.com/resources/blog/cosmicenergy-ot-malware-russian-response
Israeli_Logistics_Industry_targeted_by_hackers
LOW
+
—
—
- Intel Source:
- ClearSky
- Intel Name:
- Israeli_Logistics_Industry_targeted_by_hackers
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- ClearSky Cyber Security reserachers has discovered a watering hole attack on at least eight Israeli websites. The attack most likely was orchestrated by a nation-state actor from Iran, with some attribution to Tortoiseshell (also called TA456 or Imperial Kitten). The Infected sites collect preliminary user information through a script.
Volt_Typhoon_stealthy_activity
HIGH
+
—
—
- Intel Source:
- Microsoft, CISA
- Intel Name:
- Volt_Typhoon_stealthy_activity
- Date of Scan:
- 2023-05-27
- Impact:
- HIGH
- Summary:
- Microsoft has discovered sneaky and malicious activity that targets on credential access and network system discovery attacking critical infrastructure organizations in the United States. The attack is carried out by Volt Typhoon, a state-sponsored actor based in China that focuses on espionage and information stealing. Microsoft is sure that this Volt Typhoon campaign is targeting development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.
Return_of_BlackByte_Ransomware_with_New_Technology_Version
LOW
+
—
—
- Intel Source:
- Cluster25
- Intel Name:
- Return_of_BlackByte_Ransomware_with_New_Technology_Version
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- Cluster25 Threat Intel Team have identified that BlackByte is a Ransomware-as-a-Service group that is known for the use of the homonymous malware that is constantly updated and spread in different variants. The team used the above function in a IDAPython script that allowed to retrieve all invocations to the functions responsible for the dynamic loading of the APIs in order to continue with the static analysis of the malware.
Source:
https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt
Israeli_Logistics_Industry_attacked_by_hackers
LOW
+
—
—
- Intel Source:
- ClearSky
- Intel Name:
- Israeli_Logistics_Industry_attacked_by_hackers
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- ClearSky Cyber Security reserachers has discovered a watering hole attack on at least eight Israeli websites. The attack most likely was orchestrated by a nation-state actor from Iran, with some attribution to Tortoiseshell (also called TA456 or Imperial Kitten). The Infected sites collect preliminary user information through a script. W
Resurgence_of_Vacation_Request_Phishing_Emails_in_Summer_Time_Scams
LOW
+
—
—
- Intel Source:
- Cofense
- Intel Name:
- Resurgence_of_Vacation_Request_Phishing_Emails_in_Summer_Time_Scams
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- Cofense researchers have observed a phishing campaign where the threat actor sent an email to a user that claimed to be from the HR Department’ and provided the user with a link to submit their annual leave requests.
Source:
https://cofense.com/blog/summer-time-scams-the-return-of-vacation-request-phishing-emails/
Cyber_Crime_Forum_Offers_DDoS_As_A_Service_by_Russian_Hacktivists
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Cyber_Crime_Forum_Offers_DDoS_As_A_Service_by_Russian_Hacktivists
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs (CRIL) has made a significant discovery on a cybercrime forum – a newly identified malware strain called “MDBotnet.” Our analysis suggests that this malware is believed to originate from a Threat Actor (TA) linked to Russia.
Source:
https://blog.cyble.com/2023/05/23/new-mdbotnet-unleashes-ddos-attacks/
Link_Found_Between_Korean_VPN_Installations_and_MeshAgent_Infections
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Link_Found_Between_Korean_VPN_Installations_and_MeshAgent_Infections
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- AhnLab Security Emergency response Center (ASEC) has previously covered the case where SparkRAT was distributed contained within a Korean VPN’s installer in the post, “SparkRAT Being Distributed Within a Korean VPN Installer”[1]. This VPN was commonly installed by Chinese users who required better access to the Internet, and the problem was addressed after the blog post was uploaded.
Agrius_threat_actor_attacks_against_Israel
MEDIUM
+
—
—
- Intel Source:
- Checkpoint
- Intel Name:
- Agrius_threat_actor_attacks_against_Israel
- Date of Scan:
- 2023-05-27
- Impact:
- MEDIUM
- Summary:
- A threat actor Agrius who is believed Iranian keep trying to attack against Israeli targets, hiding destructive impact of ransomware attacks.Recently the group deployed Moneybird, a new ransomware written in C++. Despite calling themselves as a new group name– Moneybird, this is yet another Agrius alias.
Diving_Deep_into_GoldenJackal_APT_Group
LOW
+
—
—
- Intel Source:
- Securelist
- Intel Name:
- Diving_Deep_into_GoldenJackal_APT_Group
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- Securelist researchers have monitored the GoldenJackal APT Group since mid-2020 and have observed a constant level of activity that indicates a capable and stealthy actor. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo, and JackalScreenWatcher.
Source:
https://securelist.com/goldenjackal-apt-group/109677/
Lazarus_Group_Targeting_Windows_IIS_Web_Servers
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Lazarus_Group_Targeting_Windows_IIS_Web_Servers
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that the Lazarus group is known to receive support on a national scale, carrying out attacks against Windows IIS web servers.
StrelaStealer_Malware_Targeting_Spanish_Users
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- StrelaStealer_Malware_Targeting_Spanish_Users
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- ASEC researchers have observed that the StrelaStealer Infostealer is distributed to Spanish users. It was initially discovered around November 2022 and distributed as an attachment to spam emails.
Espionage_Activity_UAC_0063
LOW
+
—
—
- Intel Source:
- CERT-UA
- Intel Name:
- Espionage_Activity_UAC_0063
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- CERT-UA researchers have observed that on 04/18/2023 and 04/20/2023, e-mails were sent to the department’s e-mail address from the official mailbox of the Embassy of Tajikistan in Ukraine (probably as a result of the latter being compromised), the first of which contained an attachment in the form of a document with a macro, and the second – reference to the same document.
Raccoon_and_Vidar_Stealers_Spreading_Fake_Cracked_Software
MEDIUM
+
—
—
- Intel Source:
- Sekoia
- Intel Name:
- Raccoon_and_Vidar_Stealers_Spreading_Fake_Cracked_Software
- Date of Scan:
- 2023-05-26
- Impact:
- MEDIUM
- Summary:
- Sekoia researchers have identified the infection chain that is using about a hundred fake cracked software catalog websites that redirect to several links before downloading the payload hosted on file share platforms, such as GitHub.
Distribution_of_DarkCloud_Infostealer_Through_Spam_Emails_Detected
LOW
+
—
—
- Intel Source:
- Checkpoint
- Intel Name:
- Distribution_of_DarkCloud_Infostealer_Through_Spam_Emails_Detected
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- Checkpoint researchers have identified that malware developers strive to create new threats that can bypass the defenses of antivirus products. “Packing” and “crypting” services are specifically designed to resist analysis. GuLoader is one of the most prominent services cybercriminals use to evade antivirus detection.
Source:
https://research.checkpoint.com/2023/cloud-based-malware-delivery-the-evolution-of-guloader/
Distribution_of_DarkCloud_Infostealer_Through_Spam_Emails
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Distribution_of_DarkCloud_Infostealer_Through_Spam_Emails
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the DarkCloud malware is distributed via spam email. It is an Infostealer that steals account credentials saved on infected systems, and the threat actor installed ClipBanker alongside DarkCloud.
Middle_East_Targeted_by_New_Kernel_Driver_Exploit
LOW
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- Middle_East_Targeted_by_New_Kernel_Driver_Exploit
- Date of Scan:
- 2023-05-24
- Impact:
- LOW
- Summary:
- Fortinet researchers have discovered suspicious executables that make use of open-source tools and frameworks. One of the things that we keep an eye out for is tools that use the Donut project. Donut is a position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters.
Source:
https://www.fortinet.com/blog/threat-research/wintapix-kernal-driver-middle-east-countries
New_Signed_Kernel_Driver_Deployed_BlackCat_Ransomware
MEDIUM
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- New_Signed_Kernel_Driver_Deployed_BlackCat_Ransomware
- Date of Scan:
- 2023-05-22
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have analyzed the BlackCat ransomware incident that occurred in February 2023, where they observed a new capability, mainly used for the defense evasion phase, that overlaps with the earlier malicious drivers disclosed by the three vendors.
Hackers_Targeting_Vulnerable_WordPress_Elementor_plugin_Versions
LOW
+
—
—
- Intel Source:
- Wordfence
- Intel Name:
- Hackers_Targeting_Vulnerable_WordPress_Elementor_plugin_Versions
- Date of Scan:
- 2023-05-22
- Impact:
- LOW
- Summary:
- Wordfence researchers have identified Several versions of the WordPress plugin Essential Addons for Elementor impacted by the now-addressed critical CVE-2023-32243 vulnerability are being actively scanned and targeted by threat actors following the release of proof-of-concept exploit.
BatLoader_Campaign_Impersonates_ChatGPT_and_Midjourney_to_Deliver_Redline_Stealer
LOW
+
—
—
- Intel Source:
- Esentire
- Intel Name:
- BatLoader_Campaign_Impersonates_ChatGPT_and_Midjourney_to_Deliver_Redline_Stealer
- Date of Scan:
- 2023-05-22
- Impact:
- LOW
- Summary:
- Esentire researchers have observed threat actors are using BatLoader in the form of MSIX Windows App Installer files to deliver the Redline Stealer.
Source:
https://www.esentire.com/blog/batloader-impersonates-midjourney-chatgpt-in-drive-by-cyberattacks
IcedID_Macro_Ends_in_Nokoyawa_Ransomware
LOW
+
—
—
- Intel Source:
- DFIR Report
- Intel Name:
- IcedID_Macro_Ends_in_Nokoyawa_Ransomware
- Date of Scan:
- 2023-05-22
- Impact:
- LOW
- Summary:
- Researchers from DFIR Report have identified an incident taking place during Q4 of 2022 consisting of threat actors targeting Italian organizations with Excel maldocs that deploy IcedID. The threat actors deploying such a campaign may hope to target organizations who have not updated their Microsoft Office deployments after the newly released patches to block macros on documents downloaded from the internet.
Source:
https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
AndoryuBot_s_DDOS_wild_behavior
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- AndoryuBot_s_DDOS_wild_behavior
- Date of Scan:
- 2023-05-19
- Impact:
- LOW
- Summary:
- The Cyble group observed active exploitation of CVE-2023-25717 and deployment of AndoryuBot. This incident indicates that Threat Actors are actively looking for vulnerable Ruckus assets for exploitation purposes. AndoryuBot is a new Botnet malware sold on Telegram on a subscription basis. The deployment of such malware by TAs allows them to orchestrate large-scale DDoS attacks, which can overwhelm targeted servers and infrastructure by flooding them with a massive volume of traffic.
Source:
https://blog.cyble.com/2023/05/17/andoryubots-ddos-rampage/
Brute_Ratel_remains_rare_and_targeted
LOW
+
—
—
- Intel Source:
- Sophos
- Intel Name:
- Brute_Ratel_remains_rare_and_targeted
- Date of Scan:
- 2023-05-19
- Impact:
- LOW
- Summary:
- The commercial attack tool’s use by threat actors has faded after an initial flurry, while Cobalt Strike remains the go-to post-exploitation tool for many.
Source:
https://news.sophos.com/en-us/2023/05/18/the-phantom-menace-brute-ratel-remains-rare-and-targeted/
Distributing_DarkCrystal_RAT_by_fake_Desktop_Authenticator_App
LOW
+
—
—
- Intel Source:
- Bushidotoken
- Intel Name:
- Distributing_DarkCrystal_RAT_by_fake_Desktop_Authenticator_App
- Date of Scan:
- 2023-05-19
- Impact:
- LOW
- Summary:
- The Bushitoken reseracher recently discovered an threat actor campaign that is using fake websites to distribute malware. It seems like this TTP to be on the rise. A suspected Russia-based threat actor tried to duplicate the website of a legitimate open-source desktop app called Steam Desktop Authenticator which is simply a convenient desktop version of the mobile authenticator app.
Source:
https://blog.bushidotoken.net/2023/05/fake-steam-desktop-authenticator-app.html
TurkoRat_found_hiding_in_the_npm_package
LOW
+
—
—
- Intel Source:
- Reversing Labs
- Intel Name:
- TurkoRat_found_hiding_in_the_npm_package
- Date of Scan:
- 2023-05-19
- Impact:
- LOW
- Summary:
- ReversingLabs researchers found two malicious packages that contained TurkoRat, an open source infostealer that lurked on npm for two months before being detected.
Source:
https://www.reversinglabs.com/blog/rats-found-hiding-in-the-npm-attic
CapCut_s_Video_to_Deliver_Multiple_Stealers
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- CapCut_s_Video_to_Deliver_Multiple_Stealers
- Date of Scan:
- 2023-05-19
- Impact:
- LOW
- Summary:
- Cyble Researchers recently discovered a couple of phishing websites disguised as video editing software. These ffake sites lure users into downloading and executing various types of malware families such as stealers, RAT, etc. In these campaigns, Threat Actors targeted the CapCut video editing tool, a product of ByteDance, the same parent company that owns TikTok.
Source:
https://blog.cyble.com/2023/05/19/capcut-users-under-fire/
The_exploitation_of_critical_vulnerability_CVE_2023_32243
HIGH
+
—
—
- Intel Source:
- Wordfence
- Intel Name:
- The_exploitation_of_critical_vulnerability_CVE_2023_32243
- Date of Scan:
- 2023-05-18
- Impact:
- HIGH
- Summary:
- Recently, Essential Addons for Elementor, a WordPress plugin had a released a patch for a critical vulnerability which is capable for any unauthenticated user to reset arbitrary user passwords, including user accounts with administrative-level access. This vulnerability was discovered and responsibly disclosed by security researcher Rafie Muhammed.
The_analysis_of_QakBot_Infrastructure
MEDIUM
+
—
—
- Intel Source:
- Team Cymru
- Intel Name:
- The_analysis_of_QakBot_Infrastructure
- Date of Scan:
- 2023-05-18
- Impact:
- MEDIUM
- Summary:
- Team Cymru shared their research about their analysis of QakBot is full of various hypotheses being identified and tested. Their key findings are QakBot C2 servers are not separated by affiliate ID, QakBot C2 servers from older configurations continue to communicate with upstream C2 servers months after being used in campaigns and Identification of three upstream C2 servers located in Russia, two of which behave similarly based on network telemetry patterns and the geolocations of the bot C2s communicating with them.
Source:
https://www.team-cymru.com/post/visualizing-qakbot-infrastructure
BlackSuit_Ransomware_ragets_VMware_ESXi_servers
HIGH
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- BlackSuit_Ransomware_ragets_VMware_ESXi_servers
- Date of Scan:
- 2023-05-18
- Impact:
- HIGH
- Summary:
- Cyble researchers from Labs observed an increase in the number of ransomware groups such as Cylance and Royal ransomware. The widespread use of Linux makes it an appealing target for ransomware groups, as a single attack can potentially compromise numerous systems.
Source:
https://blog.cyble.com/2023/05/12/blacksuit-ransomware-strikes-windows-and-linux-users/
Joint_Cybersecurity_Advisory_on_BianLian_Ransomware_Group
MEDIUM
+
—
—
- Intel Source:
- CISA
- Intel Name:
- Joint_Cybersecurity_Advisory_on_BianLian_Ransomware_Group
- Date of Scan:
- 2023-05-18
- Impact:
- MEDIUM
- Summary:
- The FBI, CISA and Australian Cyber Security Centre (ACSC) released the joint Cybersecurity Advisory to disseminate known BianLian ransomware and data extortion group IOCs and TTPs identified through FBI and ACSC investigations back in March 2023. BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development.
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a
The_Korean_VPN_installer_is_being_used_to_distribute_SparkRAT
MEDIUM
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- The_Korean_VPN_installer_is_being_used_to_distribute_SparkRAT
- Date of Scan:
- 2023-05-18
- Impact:
- MEDIUM
- Summary:
- AhnLab Security Emergency response Center (ASEC) has recently discovered SparkRAT being distributed within the installer of a certain VPN program. SparkRAT is a Remote Administration Tool (RAT) developed with GoLang. When installed on a user’s system, it can perform a variety of malicious behaviors, such as executing commands remotely, controlling files and processes, downloading additional payloads, and collecting information from the infected system like by taking screenshots.
The_attackers_used_email_security_providers_for_spreading_phishing_attacks
LOW
+
—
—
- Intel Source:
- Cofense
- Intel Name:
- The_attackers_used_email_security_providers_for_spreading_phishing_attacks
- Date of Scan:
- 2023-05-18
- Impact:
- LOW
- Summary:
- Threat actors more often send malicious URLs within HTML attachments, which makes it more challenging for Secure Email gateways (SEGs) to block them. The Phishing Defence Centre did their analyses on a phishing campaign impersonating email security provider to trap recipients into providing their user credentials via malicious HTML attachment.
Malicious_Python_Packages_via_Supply_Chain_Attacks
MEDIUM
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- Malicious_Python_Packages_via_Supply_Chain_Attacks
- Date of Scan:
- 2023-05-17
- Impact:
- MEDIUM
- Summary:
- The FortiGuard Labs team discovered over 30 new zero-day attacks in PyPI packages (Python Package Index). These were found between late March and late April by monitoring an open-source ecosystem.
New_8220_Gang_Strategies
MEDIUM
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- New_8220_Gang_Strategies
- Date of Scan:
- 2023-05-17
- Impact:
- MEDIUM
- Summary:
- Reserachers documentedon the gang’s recent activities of 8220 Gang who has been active in recent months. Researchers shared in their article aboutk observed attack exploiting the Oracle WebLogic vulnerability CVE-2017-3506 captured by one of our honeypots. This vulnerability, with a CVSS score of 7.4, impacts the WLS Security Component of Oracle WebLogic, and when exploited can enable attackers to execute arbitrary commands through an HTTP request remotely with a specifically crafted XML document.
Source:
https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html
The_Water_Orthrus_s_New_Campaigns
MEDIUM
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_Water_Orthrus_s_New_Campaigns
- Date of Scan:
- 2023-05-17
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have been monitoring the activities of a threat actor named Water Orthrus, which spreaded CopperStealer malware via pay-per-install (PPI) networks. In March 2023, we observed two campaigns delivering new malware that we named CopperStealth and CopperPhish. Both malware have characteristics that are close to those of CopperStealer and are likely developed by the same author, leading the researchers believe that these campaigns are likely Water Orthrus’ new activities.
Uncovering_RedStinger_new
MEDIUM
+
—
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Uncovering_RedStinger_new
- Date of Scan:
- 2023-05-17
- Impact:
- MEDIUM
- Summary:
- During the conflict between Russia and Ukraine began last year, there is a not only political conflict, there is no surprise that the cybersecurity landscape between these two countries has also been tense. The former reseracher from Malwarebytes Threat Intelligence Team discovered a new interesting bait that targeted the Eastern Ukraine region and reported that finding to the public and tracked this actor as Red Stinger. These findings remained private for a while, but Kaspersky recently shared information about the same actor (who it called Bad Magic).
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger
The_Lancefly_APT_group_using_Merdoor_backdoor
MEDIUM
+
—
—
- Intel Source:
- Symantec
- Intel Name:
- The_Lancefly_APT_group_using_Merdoor_backdoor
- Date of Scan:
- 2023-05-17
- Impact:
- MEDIUM
- Summary:
- The Lancefly (APT) group is attacking and target organizations in South and Southeast Asiausing with a custom-written backdoor. Lancefly’s custom malware is named Merdoor, is a powerful backdoor that existed since 2018. The recent targets lately are based in South and Southeast Asia, attacking areas including government, aviation, education, and telecoms. Symantec researchers observed that activity also appeared to be highly targeted, with only a small number of machines infected.
Maori_Ransomware
MEDIUM
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- Maori_Ransomware
- Date of Scan:
- 2023-05-16
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs recently came across a new ransomware variant called Maori. Like other ransomware variants, it encrypts files on victims’ machines to extort money. Interestingly, this variant is designed to run on Linux architecture and is coded in Go, which is somewhat rare and increases the analysis difficulty
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-maori?&web_view=true
Ongoing_Phishing_Campaign_uses_Meme_Filled_Code_to_Drop_XWorm_Payloads
MEDIUM
+
—
—
- Intel Source:
- Securonix
- Intel Name:
- Ongoing_Phishing_Campaign_uses_Meme_Filled_Code_to_Drop_XWorm_Payloads
- Date of Scan:
- 2023-05-16
- Impact:
- MEDIUM
- Summary:
- Last couple months was observed an interesting and ongoing attack campaign which was identified and tracked by the Securonix Threat Research team. The attack campaign (tracked by Securonix as MEME#4CHAN) was leveraging rather unusual meme-filled PowerShell code, followed by a heavily obfuscated XWorm payload to infect its victims. Securonix dived into this campaign by taking an in-depth technical analysis.
Source:
https://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/
A_new_ransomware_variant_Rancoz
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- A_new_ransomware_variant_Rancoz
- Date of Scan:
- 2023-05-16
- Impact:
- LOW
- Summary:
- This month Cyble researchers onserved a ransomware variant called Rancoz, that was identified by a researcher @siri_urz. During the investigation, it has been observed that this ransomware is similar and overlaps with the Vice Society ransomware.
Source:
https://blog.cyble.com/2023/05/11/dissecting-rancoz-ransomware/
LokiLocker_Ransomware_Distributed_in_Korea
MEDIUM
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- LokiLocker_Ransomware_Distributed_in_Korea
- Date of Scan:
- 2023-05-16
- Impact:
- MEDIUM
- Summary:
- AhnLab Security Emergency response Center(ASEC) has confirmed the distribution of the LokiLocker ransomware in Korea. This ransomware is almost identical to the BlackBit ransomware and their common traits
Eastern_European_APT_Cyber_Operations_Undetected_Since_2020
LOW
+
—
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Eastern_European_APT_Cyber_Operations_Undetected_Since_2020
- Date of Scan:
- 2023-05-16
- Impact:
- LOW
- Summary:
- Malwarebytes researchers have discovered a new interesting lure that targeted the Eastern Ukraine region and reported that finding to the public. Moreover, we started tracking the actor behind it, which we internally codenamed Red Stinger.
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger
An_In_Depth_Look_at_Akira_Ransomware
MEDIUM
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- An_In_Depth_Look_at_Akira_Ransomware
- Date of Scan:
- 2023-05-16
- Impact:
- MEDIUM
- Summary:
- Cyble researchers have come across a Reddit post about a new ransomware variant named “Akira”, actively targeting numerous organizations and exposing their sensitive data. To increase the chances of payment from victims, Akira ransomware exfiltrates and encrypts their data using a double-extortion technique. The attackers then threaten to sell or leak the stolen data on the dark web if the ransom is not paid for decrypting the data.
Source:
https://blog.cyble.com/2023/05/10/unraveling-akira-ransomware/
The_Aurora_stealer_via_Invalid_Printer_loader
LOW
+
—
—
- Intel Source:
- Malware Bytes
- Intel Name:
- The_Aurora_stealer_via_Invalid_Printer_loader
- Date of Scan:
- 2023-05-16
- Impact:
- LOW
- Summary:
- Malware Bytes Lab shared their discovery about this malicious campaing and its connections to other attacks. They discovered that a threat actor was using malicious ads to redirect users to what looks like a Windows security update. The scheme looked very legit ans very much resembled what you’d expect from Microsoft. That fake security update was using a newly identified loader that at the time of the campaign was oblivious to malware sandboxes and bypassed practically all antivirus engines. Malware Bytes Lab tool patched that loader and identified its actual payload as Aurora stealer.
A_new_undetected_variant_of_Linux_Backdoor_BPFDoor
MEDIUM
+
—
—
- Intel Source:
- Deep Instinct Blog
- Intel Name:
- A_new_undetected_variant_of_Linux_Backdoor_BPFDoor
- Date of Scan:
- 2023-05-15
- Impact:
- MEDIUM
- Summary:
- BPFdoor is a Linux-specific, low-profile, passive backdoor intended to maintain a persistent, long-term foothold in already-breached networks and environments and functions primarily to ensure an attacker can re-enter an infected system over an extended period of time, post-compromise.
Source:
https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
Exploitation_of_CVE_2023_27350
LOW
+
—
—
- Intel Source:
- CISA
- Intel Name:
- Exploitation_of_CVE_2023_27350
- Date of Scan:
- 2023-05-14
- Impact:
- LOW
- Summary:
- The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-27350. This vulnerability occurs in certain versions of PaperCut NG and PaperCut MF and enables an unauthenticated actor to execute malicious code remotely without credentials.
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a
Analysis_of_a_evasive_Shellcode
LOW
+
—
—
- Intel Source:
- Mcafee
- Intel Name:
- Analysis_of_a_evasive_Shellcode
- Date of Scan:
- 2023-05-14
- Impact:
- LOW
- Summary:
- McAfee researchers have observed a NSIS-based installers delivered via E-mail as malspam that use plugin libraries to execute the GU shellcode on the victim system
Threat_Actors_Build_ESXi_Lockers_Using_Leaked_Babuk_Code
MEDIUM
+
—
—
- Intel Source:
- Sentinelone
- Intel Name:
- Threat_Actors_Build_ESXi_Lockers_Using_Leaked_Babuk_Code
- Date of Scan:
- 2023-05-13
- Impact:
- MEDIUM
- Summary:
- SentinelLabs researchers have identified unexpected connections between ESXi ransomware families, exposing likely relationships between Babuk and more illustrious operations like Conti and REvil.
A_cybercriminal_group_attempted_an_extortion_scheme_against_Dragos
LOW
+
—
—
- Intel Source:
- Dragos
- Intel Name:
- A_cybercriminal_group_attempted_an_extortion_scheme_against_Dragos
- Date of Scan:
- 2023-05-13
- Impact:
- LOW
- Summary:
- Last week, an known hacker group tried and didn’t have a success at an extortion scheme against Dragos. Nothing was breached at Dragos systems, including anything related to the Dragos Platform. Dragos has shared what happened during a recent incident of failed extortion scheme against them – Dragos. The cybercriminal group attempted to compromise Drago’s information resources. The criminal group got access by compromising the personal email address of a new sales employee prior to their start date, and subsequently used their personal information to impersonate the Dragos employee and accomplish initial steps in the employee onboarding process.
Source:
https://www.dragos.com/blog/deconstructing-a-cybersecurity-event/
ASEC_Weekly_Statistics_May_1_7th_2023
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Statistics_May_1_7th_2023
- Date of Scan:
- 2023-05-13
- Impact:
- LOW
- Summary:
- ASEC lab researchers continiusly monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. Their post shares the cases of distribution of phishing emails during the week from April 9th, 2023 to April 15st, 2023 and provide statistical information on each type.
CLR_SqlShell_malware_Attack_MS_SQL_Servers
MEDIUM
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- CLR_SqlShell_malware_Attack_MS_SQL_Servers
- Date of Scan:
- 2023-05-12
- Impact:
- MEDIUM
- Summary:
- ASEC analyzed the CLR SqlShell malware that is being used to target MS-SQL servers. Similar to WebShell, which can be installed on web servers, SqlShell is a malware strain that supports various features after being installed on an MS-SQL server, such as executing commands from threat actors and carrying out all sorts of malicious behavior.
The_Examination_of_Highly_Evasive_Shellcode_Based_Loader
LOW
+
—
—
- Intel Source:
- Mcafee
- Intel Name:
- The_Examination_of_Highly_Evasive_Shellcode_Based_Loader
- Date of Scan:
- 2023-05-12
- Impact:
- LOW
- Summary:
- McAfee researchers have deeply analyzed the GULoader campaigns and found, a rise in NSIS-based installers delivered via E-mail as malspam that use plugin libraries to execute the GU shellcode on the victim system.
DownEx_Espionage_activity_in_Central_Asia
MEDIUM
+
—
—
- Intel Source:
- Bitdefender
- Intel Name:
- DownEx_Espionage_activity_in_Central_Asia
- Date of Scan:
- 2023-05-12
- Impact:
- MEDIUM
- Summary:
- Last year Bitdefender Labs reserchers observed an attack on foreign government institutions in Kazakhstan. During the analyses, it was disovered that this was a highly targeted attack to get an access to exfiltrate data. Bitdefender Labs reserchers did moitored for awhile it and the region for other similar attacks. Recently they detected another attack in Afghanistan and collected additional samples and observations.
An_Expansion_of_RapperBot_DDoS_Botnet_into_Cryptojacking
LOW
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- An_Expansion_of_RapperBot_DDoS_Botnet_into_Cryptojacking
- Date of Scan:
- 2023-05-12
- Impact:
- LOW
- Summary:
- FortiGate researchers have analyzed new samples of the RapperBot campaign active since January 2023. The threat actors have started venturing into cryptojacking, specifically for Intel x64 machines. Initially, they deployed and executed a separate Monero cryptominer alongside the usual RapperBot binary. But in late January 2023, they combined both functionalities into a single bot.
Source:
https://www.fortinet.com/blog/threat-research/rapperbot-ddos-botnet-expands-into-cryptojacking
Malspam_Campaign_Delivering_PowerDash
LOW
+
—
—
- Intel Source:
- Cert-PL
- Intel Name:
- Malspam_Campaign_Delivering_PowerDash
- Date of Scan:
- 2023-05-12
- Impact:
- LOW
- Summary:
- CERT-PL researchers have observed a malspam campaign delivering previously unseen PowerShell malware. They also dubbed this malware family as “PowerDash” because of the “/dash” path on C2 server, used as a gateway for bots.
Taking_a_Closer_Look_at_Israel_Based_BEC_Attacks
HIGH
+
—
—
- Intel Source:
- Abnormal
- Intel Name:
- Taking_a_Closer_Look_at_Israel_Based_BEC_Attacks
- Date of Scan:
- 2023-05-10
- Impact:
- HIGH
- Summary:
- Researchers from Abnormal Security have discovered that an Israel-based threat group has conducted 350 BEC campaigns since February 2021, with email attacks targeting employees from 61 countries across six continents.
MitM_Phishing_Growing_and_Using_Real_Login_Process_to_Steal_Credentials
LOW
+
—
—
- Intel Source:
- Cofense
- Intel Name:
- MitM_Phishing_Growing_and_Using_Real_Login_Process_to_Steal_Credentials
- Date of Scan:
- 2023-05-10
- Impact:
- LOW
- Summary:
- Cofense researchers have observed Man-in-the-middle attacks are increasing rapidly and identified a 35% increase in volume reaching inboxes between Q1 2022 and Q1 2023, 94% of MitM credential phishing attacks reaching inboxes targeted O365 authentication, and 89% of campaigns used at least one URL redirect, and 55% used two or more.
Source:
https://cofense.com/blog/cofense-intelligence-strategic-analysis-2/
Royal_Ransomware_Expands_to_Target_Linux_and_VMware_ESXi
MEDIUM
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- Royal_Ransomware_Expands_to_Target_Linux_and_VMware_ESXi
- Date of Scan:
- 2023-05-10
- Impact:
- MEDIUM
- Summary:
- PaloAlto researchers have observed that the Royal ransomware group has recently launched a variant of its encryptor malware built in the form of executable and linkable format (ELF) binary. Also, they started using the BatLoader dropper and SEO poisoning for initial access.
Source:
https://unit42.paloaltonetworks.com/royal-ransomware/
SideWinder_Using_Server_Based_Polymorphism_Technique
LOW
+
—
—
- Intel Source:
- Blackberry
- Intel Name:
- SideWinder_Using_Server_Based_Polymorphism_Technique
- Date of Scan:
- 2023-05-09
- Impact:
- LOW
- Summary:
- BlackBerry researchers have observed that APT Group SideWinder is accused of deploying a backdoor in attacks directed against Pakistan government organizations as part of a campaign that commenced in late November 2022.
Source:
https://blogs.blackberry.com/en/2023/05/sidewinder-uses-server-side-polymorphism-to-target-pakistan
AndoryuBot_Targeting_Ruckus_Wireless_Admin_Remote_Code_Execution_Vulnerability
LOW
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- AndoryuBot_Targeting_Ruckus_Wireless_Admin_Remote_Code_Execution_Vulnerability
- Date of Scan:
- 2023-05-09
- Impact:
- LOW
- Summary:
- FortiGate researchers have observed a unique botnet based on the SOCKS protocol distributed through the Ruckus vulnerability (CVE-2023-25717). It contains DDoS attack modules for different protocols and communicates with its command-and-control server using SOCKS5 proxies.
IRCTC_fake_apps
LOW
+
—
—
- Intel Source:
- Quickheal
- Intel Name:
- IRCTC_fake_apps
- Date of Scan:
- 2023-05-09
- Impact:
- LOW
- Summary:
- Quickheal analysts went through the recent advisory published by the Indian Railway Catering and Tourism Corporation (IRCTC), about the IRCTC fakeapps. The Fake IRCTC app pretends like it is real IRCTC app but is in reality a full-fledged spyware that spies on victims with ease.
Source:
https://blogs.quickheal.com/beware-fake-applications-are-disguised-as-legitimate-ones/
Microsoft_Phish_Redirects_Victims_to_Catering_Voice_Recording
LOW
+
—
—
- Intel Source:
- Cofense
- Intel Name:
- Microsoft_Phish_Redirects_Victims_to_Catering_Voice_Recording
- Date of Scan:
- 2023-05-09
- Impact:
- LOW
- Summary:
- Cofense researchers have observed credential phishing campaigns that use a novel deception technique, luring unsuspecting users into a false sense of security after they’ve given away their Microsoft login information.
New_Web_Injection_Toolkit_DrIBAN_Targeting_Italian_Corporate_Banking_Clients
MEDIUM
+
—
—
- Intel Source:
- Cleafy
- Intel Name:
- New_Web_Injection_Toolkit_DrIBAN_Targeting_Italian_Corporate_Banking_Clients
- Date of Scan:
- 2023-05-08
- Impact:
- MEDIUM
- Summary:
- Researchers from Cleafy have observed that Italian corporate banking clients are the target of an ongoing financial fraud campaign that has been leveraging a new web-inject toolkit called drIBAN since at least 2019.
Source:
https://www.cleafy.com/cleafy-labs/uncovering-driban-fraud-operations-chapter1
SmokeLoader_and_RoarBAT_Malware_Attacks_Against_Ukraine
MEDIUM
+
—
—
- Intel Source:
- CERT-UA
- Intel Name:
- SmokeLoader_and_RoarBAT_Malware_Attacks_Against_Ukraine
- Date of Scan:
- 2023-05-08
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have identified an ongoing phishing campaign with invoice-themed lures being used to distribute the SmokeLoader malware in the form of a polyglot file.
New_MultiStage_Attack_and_Malware_Distribution_of_Amadey
LOW
+
—
—
- Intel Source:
- Mcafee
- Intel Name:
- New_MultiStage_Attack_and_Malware_Distribution_of_Amadey
- Date of Scan:
- 2023-05-08
- Impact:
- LOW
- Summary:
- McAfee Labs researchers have identified an increase in Wextract.exe samples, that drop a malware payload at multiple stages.
RecordBreaker_Stealer_Distributed_by_YouTube_Accounts
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- RecordBreaker_Stealer_Distributed_by_YouTube_Accounts
- Date of Scan:
- 2023-05-08
- Impact:
- LOW
- Summary:
- ASEC analyzed and confirmed the distribution of RecordBreaker through a YouTube account and possibly hacked recently. RecordBreaker is a new Infostealer version of Raccoon Stealer. It tries to pretend itself as a software installer and similar to CryptBot, RedLine, and Vidar. AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of RecordBreaker through a YouTube account that is assumed to have been recently hacked.
An_Increase_in_SHTML_Phishing_Attacks
MEDIUM
+
—
—
- Intel Source:
- Mcafee
- Intel Name:
- An_Increase_in_SHTML_Phishing_Attacks
- Date of Scan:
- 2023-05-08
- Impact:
- MEDIUM
- Summary:
- McAfee researchers have observed a new wave of phishing attacks. In this wave, the attacker has been abusing server-parsed HTML (SHTML) files. The SHTML files are commonly associated with web servers redirecting users to malicious, credential-stealing websites or displaying phishing forms locally within the browser to harvest user-sensitive information.
Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shtml-phishing-attack-with-blurred-image/
SideCopy_Group_Delivering_Malware_via_Phishing_Emails
LOW
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- SideCopy_Group_Delivering_Malware_via_Phishing_Emails
- Date of Scan:
- 2023-05-08
- Impact:
- LOW
- Summary:
- FortiGate researchers have identified one file that referenced an Indian state military research organization and an in-development nuclear missile. The file is meant to deploy malware with characteristics matching the APT group SideCopy with activities dating back to at least 2019, this group has aligned its targeting with the goals and objectives of the Pakistani government.
Source:
https://www.fortinet.com/blog/threat-research/clean-rooms-nuclear-missiles-and-sidecopy
US_Job_Services_Leaks_Customer_Data
LOW
+
—
—
- Intel Source:
- KrebsonSecurity
- Intel Name:
- US_Job_Services_Leaks_Customer_Data
- Date of Scan:
- 2023-05-08
- Impact:
- LOW
- Summary:
- Researchers from KrebsonSecurity have identified a huge tranche of full credit card records exposed online, and that at first glance the domain names involved appeared to be affiliated with the United States Postal Service.
Phishing_Sites_Spreading_RAT_Called_DarkWatchMan
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Phishing_Sites_Spreading_RAT_Called_DarkWatchMan
- Date of Scan:
- 2023-05-08
- Impact:
- LOW
- Summary:
- Cyble researchers have identified a phishing website that imitated a renowned Russian website, CryptoPro CSP. TAs is using this website to distribute DarkWatchman malware.
Source:
https://blog.cyble.com/2023/05/05/sophisticated-darkwatchman-rat-spreads-through-phishing-sites/
Multiple_Malware_Targeting_Business_Users
LOW
+
—
—
- Intel Source:
- Meta
- Intel Name:
- Multiple_Malware_Targeting_Business_Users
- Date of Scan:
- 2023-05-07
- Impact:
- LOW
- Summary:
- Researchers from Meta have analyzed the persistent malware campaigns targeting businesses across the internet, including threat indicators to help raise the industry’s collective defenses across the internet.
Source:
https://engineering.fb.com/2023/05/03/security/malware-nodestealer-ducktail/
New_KEKW_Malware_Variant_Detected_in_PyPI_Packages
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- New_KEKW_Malware_Variant_Detected_in_PyPI_Packages
- Date of Scan:
- 2023-05-07
- Impact:
- LOW
- Summary:
- Cyble researchers have uncovered multiple malicious Python .whl (Wheel) files that are found to be distributing a new malware named ‘KEKW’. KEKW malware can steal sensitive information from infected systems, as well as perform clipper activities which can lead to the hijacking of cryptocurrency transactions.
Source:
https://blog.cyble.com/2023/05/03/new-kekw-malware-variant-identified-in-pypi-package-distribution/
Mustang_Panda_New_Campaign_Against_Australia
LOW
+
—
—
- Intel Source:
- Lab52
- Intel Name:
- Mustang_Panda_New_Campaign_Against_Australia
- Date of Scan:
- 2023-05-07
- Impact:
- LOW
- Summary:
- Lab52 researchers have found a zip file named Biography of Senator the Hon Don Farrell.zip. Hon Don Farrell is the current Australian Secretary of State for Trade and Tourism, indicating a targeted campaign against Australia.
Source:
https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
The_Analysis_of_CrossLock_Ransomware
LOW
+
—
—
- Intel Source:
- Netscope
- Intel Name:
- The_Analysis_of_CrossLock_Ransomware
- Date of Scan:
- 2023-05-07
- Impact:
- LOW
- Summary:
- Netskope researchers have identified a new ransomware named CrossLock. It emerged in April 2023, targeting a large digital certifier company in Brazil. This ransomware was written in Go, which has also been adopted by other ransomware groups, including Hive, due to the cross-platform capabilities offered by the language.
Source:
https://www.netskope.com/blog/netskope-threat-coverage-crosslock-ransomware
DLL_sideloading_Attacks_Gain_New_Air_With_a_Doubled_Dragon_Breath
LOW
+
—
—
- Intel Source:
- Sophos
- Intel Name:
- DLL_sideloading_Attacks_Gain_New_Air_With_a_Doubled_Dragon_Breath
- Date of Scan:
- 2023-05-07
- Impact:
- LOW
- Summary:
- Sophos researchers have spotted malicious DLL sideloading activity that builds on the classic sideloading scenario but adds complexity and layers to its execution.
Source:
https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/
The_Second_Variant_of_Atomic_Stealer_macOS_Malware
LOW
+
—
—
- Intel Source:
- Sentilone
- Intel Name:
- The_Second_Variant_of_Atomic_Stealer_macOS_Malware
- Date of Scan:
- 2023-05-06
- Impact:
- LOW
- Summary:
- The threat actor, however, has been busy looking for other ways to target macOS users with a different version of Atomic Stealer. In this post, we take a closer look at how Atomic Stealer works and describe a previously unreported second variant. We also provide a comprehensive list of indicators to aid threat hunters and security teams defending macOS endpoints.
BlackBit_Ransomware
MEDIUM
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- BlackBit_Ransomware
- Date of Scan:
- 2023-05-06
- Impact:
- MEDIUM
- Summary:
- AhnLab shared their analyses about BlackBit ransomware is being distributed in Korea. BlackBit Ransomware is a LokiLocker ransomware variant that based on the RaaS model. The source code of the BlackBit shows the ransomware is a copy of the LokiLocker with some new changes such as icons, name, color scheme. BlackBit ransomware is a sophisticated one with multipleseveral capabilities to establish persistence, defense evasion, and impair recovery.
Source:
https://blog.cyble.com/2023/05/03/blackbit-ransomware-a-threat-from-the-shadows-of-lokilocker/
Raspberry_Robin_USB_malware_campaign
LOW
+
—
—
- Intel Source:
- Bushidotoken
- Intel Name:
- Raspberry_Robin_USB_malware_campaign
- Date of Scan:
- 2023-05-06
- Impact:
- LOW
- Summary:
- Bushidotoken blog shares the technical details about this malware and analyses how it runs, works, the commands it runs, the processes it uses, and in this case how C2 communications look like.
Source:
https://blog.bushidotoken.net/2023/05/raspberry-robin-global-usb-malware.html
Infostealer_Embedded_in_a_Word_Document
LOW
+
—
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Infostealer_Embedded_in_a_Word_Document
- Date of Scan:
- 2023-05-06
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed a malicious document which is an embedded object.
Source:
https://isc.sans.edu/diary/Infostealer+Embedded+in+a+Word+Document/29810/
Kimsuky_New_Global_Campaign
MEDIUM
+
—
—
- Intel Source:
- Sentilone
- Intel Name:
- Kimsuky_New_Global_Campaign
- Date of Scan:
- 2023-05-06
- Impact:
- MEDIUM
- Summary:
- SentinelLabs has observed ongoing attacks from Kimsuky, a North Korean state-sponsored APT that has a long history of targeting organizations across Asia, North America, and Europe. Ongoing campaigns use a new malware component called ReconShark, which is actively delivered to specifically attacked individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros. ReconShark operates as a reconnaissance tool with unique execution instructions and server communication methods. Recent activity has been linked to a broader set of skills are attributed to North Korea.
Source:
https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/
Malware_IcedID_information_stealer_configuration_analyses
LOW
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- Malware_IcedID_information_stealer_configuration_analyses
- Date of Scan:
- 2023-05-05
- Impact:
- LOW
- Summary:
- Palo Alto researchers shared an example of an IcedID malware (information stealer) configuration, how it was obfuscated and how they extracted it. It was one IcedID binary and how its configurations are encrypted.
Source:
https://unit42.paloaltonetworks.com/teasing-secrets-malware-configuration-parsing/
Destructive_cyberattack_UAC_0165_on_the_public_sector_of_Ukraine_using_RoarBat
MEDIUM
+
—
—
- Intel Source:
- CERT-UA
- Intel Name:
- Destructive_cyberattack_UAC_0165_on_the_public_sector_of_Ukraine_using_RoarBat
- Date of Scan:
- 2023-05-05
- Impact:
- MEDIUM
- Summary:
- Upon receiving information about interference in the information and communication system (ICS) of one of the state organizations of Ukraine, measures to investigate a cyber attack were initiated. It was found that the performance of electronic computing machines (server equipment, automated user workstations, data storage systems) was impaired as a result of the destructive influence carried out using the appropriate software.
Vidar_Infostealer_targeted_a_Polish_Healthcare_Industry
LOW
+
—
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Vidar_Infostealer_targeted_a_Polish_Healthcare_Industry
- Date of Scan:
- 2023-05-05
- Impact:
- LOW
- Summary:
- EclecticIQ researchers has observed a spearphishing email targeting the healthcare industry in Poland. The spoofed email looked like as real sent from a Polish government entity and contained a infectips Microsoft Excel XLL attachment that can download and execute Vidar Infostealer malware.
North_Korean_Group_ScarCruft_Deploying_RokRAT_Malware
LOW
+
—
—
- Intel Source:
- Checkpoint
- Intel Name:
- North_Korean_Group_ScarCruft_Deploying_RokRAT_Malware
- Date of Scan:
- 2023-05-04
- Impact:
- LOW
- Summary:
- Checkpoint researchers have identified that the North Korean threat actor known as ScarCruft started experimenting with oversized LNK files as a delivery route for RokRAT malware as early as July 2022, the same month Microsoft began blocking macros across Office documents by default.
Source:
https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/
The_Investigation_of_BRAINSTORM_and_RILIDE
LOW
+
—
—
- Intel Source:
- Mandiant
- Intel Name:
- The_Investigation_of_BRAINSTORM_and_RILIDE
- Date of Scan:
- 2023-05-04
- Impact:
- LOW
- Summary:
- Mandiant researchers have identified BRAINSTORM, a rust-based dropper, which ultimately led to RILIDE, a chromium-based extension first publicly reported by SpiderLabs. After careful investigation identified that the email and cryptocurrency theft ecosystem of RILIDE is larger than reported.
Source:
https://www.mandiant.com/resources/blog/lnk-between-browsers
Earth_Longzhi_is_Back_With_New_Technique
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- Earth_Longzhi_is_Back_With_New_Technique
- Date of Scan:
- 2023-05-04
- Impact:
- LOW
- Summary:
- TrendMicro researchers have discovered a new campaign by Earth Longzhi that is targeting organizations based in Taiwan, Thailand, the Philippines, and Fiji. The recent campaign follows months of dormancy, abuses a Windows Defender executable to perform DLL sideloading while also exploiting a vulnerable driver, zamguard64.sys, to disable security products installed on the hosts via a bring-your-own-vulnerable-driver (BYOVD) attack.
Internet_Threats_Are_Impersonating_Common_Industries_via_Phishing_Attacks_Web_Skimmer_Analysis_and_Many_More
LOW
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- Internet_Threats_Are_Impersonating_Common_Industries_via_Phishing_Attacks_Web_Skimmer_Analysis_and_Many_More
- Date of Scan:
- 2023-05-03
- Impact:
- LOW
- Summary:
- PaloAlto researchers have observed the internet threat landscape and analyzed malicious URL distribution, geolocation, category analysis, and statistics describing attempted malware attacks. Also, this includes industry sectors being targeted for spoofing in phishing pages, as well as downloaded malware statistics, injected JavaScript malware analysis, and malicious DNS analysis.
Source:
https://unit42.paloaltonetworks.com/internet-threats-late-2022/
CoinMiner_Distributing_to_Linux_SSH_Servers
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- CoinMiner_Distributing_to_Linux_SSH_Servers
- Date of Scan:
- 2023-05-03
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered XMRig CoinMiner being installed on poorly managed Linux SSH servers. The attacks have been happening with a distinct pattern since 2022, they involve the usage of malware developed with Shell Script Compiler when installing the XMRig, as well as the creation of a backdoor SSH account.
Diving_Deep_into_BlackByte_Ransomware
LOW
+
—
—
- Intel Source:
- SocRadar
- Intel Name:
- Diving_Deep_into_BlackByte_Ransomware
- Date of Scan:
- 2023-05-03
- Impact:
- LOW
- Summary:
- Researchers from SOCRadar have analyzed the BlackByte ransomware. It is a Ransomware operation that began targeting corporate victims worldwide in July 2021. The first findings regarding the group emerged after victims sought help decrypting their files.
Source:
https://socradar.io/dark-web-profile-blackbyte-ransomware/
Russian_APT_Hacked_Tajikistani_Carrier_to_Spy_on_Government_and_Public_Services
MEDIUM
+
—
—
- Intel Source:
- Prodaft
- Intel Name:
- Russian_APT_Hacked_Tajikistani_Carrier_to_Spy_on_Government_and_Public_Services
- Date of Scan:
- 2023-05-03
- Impact:
- MEDIUM
- Summary:
- Researchers from Prodaft have observed a Russian espionage group tracked as Nomadic Octopus spying on Tajikistan’s high-ranking government officials, public service infrastructures, and telecoms services, likely by infiltrating a mobile phone carrier.
Source:
https://www.prodaft.com/m/reports/PAPERBUG_TLPWHITE-1.pdf
Malware_Families_Leveraging_AresLoader_for_Distribution
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Malware_Families_Leveraging_AresLoader_for_Distribution
- Date of Scan:
- 2023-05-03
- Impact:
- LOW
- Summary:
- Cyble researchers have observed a new loader called AresLoader that is used to spread several types of malware families. It is a loader malware written in the C programming language that first emerged in cybercrime forums and Telegram channels in 2022.
The_Overview_of_UNIZA_Ransomware
LOW
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Overview_of_UNIZA_Ransomware
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- Fortinet researchers have discovered a new ransomware variant called UNIZA. Like other ransomware variants. It uses the Command Prompt (cmd.exe) window to display its ransom message, and interestingly, it does not append the filename of the files it encrypts, making it more difficult to determine which files have been impacted.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-uniza-coverage
The_Unstoppable_Malverposting_Continues
LOW
+
—
—
- Intel Source:
- Guardio
- Intel Name:
- The_Unstoppable_Malverposting_Continues
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- In this post Gardio vresearchers shared the huge numbers of IOC detections of Malverposting, and also very detailed analyses of this one campaign using adult-rated click bates delivering sophisticated malware — making it even harder for detection, and too easy to mass propagate.
Ransomware_Family_Rapture_is_Similar_to_Paradise
MEDIUM
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- Ransomware_Family_Rapture_is_Similar_to_Paradise
- Date of Scan:
- 2023-05-01
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have observed a type of ransomware targeting its victims via a minimalistic approach with tools that leave only a minimal footprint behind. The findings revealed many of the preparations made by the perpetrators and how quickly they managed to carry out the ransomware attack.
Threat_Actors_Leveraging_SEO_Poisoning
LOW
+
—
—
- Intel Source:
- Trellix
- Intel Name:
- Threat_Actors_Leveraging_SEO_Poisoning
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- Trellix researchers have identified that hackers continue to innovate their techniques to infect victims, with SEO poisoning being one of the recent trends.
A_malicious_Mitiga_document
LOW
+
—
—
- Intel Source:
- Mitiga
- Intel Name:
- A_malicious_Mitiga_document
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- Last January, an attacker uploaded a malicious .docx file to Virus Total. He used several of Mitiga’s publicly available branding elements which included logo, fonts and colors, to lend credibility to the document.
Source:
https://www.mitiga.io/blog/mitiga-advisory-virus-total
ASEC_Weekly_Phishing_Email_analyses_April_9_15th_2023
LOW
+
—
—
- Intel Name:
- ASEC_Weekly_Phishing_Email_analyses_April_9_15th_2023
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- ASEC lab researchers continiusly monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. Their post shares the cases of distribution of phishing emails during the week from April 9th, 2023 to April 15st, 2023 and provide statistical information on each type.
New_LOBSHOT_Malware_Deploying_Via_Google_Ads
LOW
+
—
—
- Intel Source:
- Elastic
- Intel Name:
- New_LOBSHOT_Malware_Deploying_Via_Google_Ads
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- Researchers from Elastic Security Labs have observed one malware family called LOBSHOT. It continues to collect victims while remaining undetected. Also, the infrastructure belongs to TA505, the well-known cybercriminal group associated with Dridex, Locky, and Necurs campaigns.
Source:
https://www.elastic.co/security-labs/elastic-security-labs-discovers-lobshot-malware
ASEC_Weekly_Malware_Statistics
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_Statistics
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 21st, 2022 (Monday) to November 27th (Sunday).
An_Ongoing_Magecart_Campaign
LOW
+
—
—
- Intel Source:
- Malwarebytes
- Intel Name:
- An_Ongoing_Magecart_Campaign
- Date of Scan:
- 2023-04-30
- Impact:
- LOW
- Summary:
- Malwarebytes researchers have identified an ongoing Magecart campaign that is leveraging realistic-looking fake payment screens to capture sensitive data entered by unsuspecting users.
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/04/kritec-art
Hackers_From_APT28_Group_Distributing_Emails_With_Instructions_on_Updating_OS
MEDIUM
+
—
—
- Intel Source:
- CERT-UA
- Intel Name:
- Hackers_From_APT28_Group_Distributing_Emails_With_Instructions_on_Updating_OS
- Date of Scan:
- 2023-04-30
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have observed the distribution of emails with subject “Windows Update”, allegedly sent on behalf of system administrators of departments. At the same time, senders’ email addresses created on the @outlook.com public service can be formed using the real name and initials of the employee.
RTM_Locker_Ransomware_as_a_Service_Now_Suits_Linux_Architecture
LOW
+
—
—
- Intel Source:
- Uptycs
- Intel Name:
- RTM_Locker_Ransomware_as_a_Service_Now_Suits_Linux_Architecture
- Date of Scan:
- 2023-04-27
- Impact:
- LOW
- Summary:
- Uptycs researchers have discovered a new ransomware binary attributed to the RTM group, a known ransomware-as-a-service (RaaS) provider. This is the first time the group has created a Linux binary. Its locker ransomware infects Linux, NAS, and ESXi hosts and appears to be inspired by Babuk ransomware’s leaked source code.
Source:
https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux
PingPull_Malware_is_Updated_by_Chinese_Alloy_Taurus
LOW
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- PingPull_Malware_is_Updated_by_Chinese_Alloy_Taurus
- Date of Scan:
- 2023-04-27
- Impact:
- LOW
- Summary:
- Unit 42 researchers have identified a new variant of PingPull malware used by Alloy Taurus actors designed to target Linux systems. While following the infrastructure leveraged by the actor for this PingPull variant, we also identified their use of another backdoor we track as Sword2033.
TrafficStealer_Abusing_Open_Container_APIs
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- TrafficStealer_Abusing_Open_Container_APIs
- Date of Scan:
- 2023-04-27
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have discovered a different type of attack, a piece of software that leverages Docker containers to generate money through monetized traffic. Although the piece of software itself appears to be legitimate, it likely has compromised components that result in monitoring as a potentially unwanted application.
The_BellaCiao_Malware_of_Iran
MEDIUM
+
—
—
- Intel Source:
- Bitdefender
- Intel Name:
- The_BellaCiao_Malware_of_Iran
- Date of Scan:
- 2023-04-27
- Impact:
- MEDIUM
- Summary:
- BitDefender researchers have observed the modernization of Charming Kitten’s tactics, techniques, and procedures, including a new, previously unseen malware. This malware is tailored to suit individual targets and exhibits a higher level of complexity, evidenced by a unique communication approach with its command-and-control (C2) infrastructure.
Source:
https://businessinsights.bitdefender.com/unpacking-bellaciao-a-closer-look-at-irans-latest-malware
Hackers_Selling_New_Atomic_macOS_Stealer_on_Telegram
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Hackers_Selling_New_Atomic_macOS_Stealer_on_Telegram
- Date of Scan:
- 2023-04-27
- Impact:
- LOW
- Summary:
- Cyble Researchers have discovered a Telegram channel advertising a new information-stealing malware called Atomic macOS Stealer (AMOS). The malware is specifically designed to target macOS and can steal sensitive information from the victim’s machine.
Source:
https://blog.cyble.com/2023/04/26/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/
The_Exploiting_of_Kubernetes_RBAC_by_attackers
LOW
+
—
—
- Intel Source:
- Aqua
- Intel Name:
- The_Exploiting_of_Kubernetes_RBAC_by_attackers
- Date of Scan:
- 2023-04-27
- Impact:
- LOW
- Summary:
- Aqua researchers have observed new evidence that attackers are exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) in the wild to create backdoors. The attackers also tried to lunch a DaemonSets to take control and seize resources of the K8s clusters they attack. Aqua analyses suspects that this campaign is actively targeting at least 60 clusters in the wild.
Source:
https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
APT_Group_Panda_Delivering_Malware_via_Software_Updates
HIGH
+
—
—
- Intel Source:
- Welivesecurity
- Intel Name:
- APT_Group_Panda_Delivering_Malware_via_Software_Updates
- Date of Scan:
- 2023-04-27
- Impact:
- HIGH
- Summary:
- ESET researchers discovered a new campaign by the APT group known as Evasive Panda targeting an international NGO in China with malware delivered through updates of popular Chinese software.
PaperCut_actively_exploited_in_the_Wild
MEDIUM
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- PaperCut_actively_exploited_in_the_Wild
- Date of Scan:
- 2023-04-27
- Impact:
- MEDIUM
- Summary:
- Earlier this month, PaperCut shared a Security alert stating, they have an evidence that unpatched servers are being exploited in the wild. Russian Hacker Suspected Exploiting the PaperCut Vulnerability. The advisories provided by vendors shared insights into the two CVEs – CVE-2023-27350 (Severity: Critical) & CVE-2023-27351(Severity: High). Cyble researchers shared their details for the same in their post.
Source:
https://blog.cyble.com/2023/04/25/print-management-software-papercut-actively-exploited-in-the-wild/
Raccoon_and_Vidar_Stealers_Spreading_Fake_Cracked_new
MEDIUM
+
—
—
- Intel Source:
- Sekoia
- Intel Name:
- Raccoon_and_Vidar_Stealers_Spreading_Fake_Cracked_new
- Date of Scan:
- 2023-04-27
- Impact:
- MEDIUM
- Summary:
- Sekoia researchers have identified the infection chain that is using about a hundred fake cracked software catalog websites that redirect to several links before downloading the payload hosted on file share platforms, such as GitHub.
Tonto_Team_Using_Anti_Malware_Related_Files_for_DLL_Side_Loading
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Tonto_Team_Using_Anti_Malware_Related_Files_for_DLL_Side_Loading
- Date of Scan:
- 2023-04-26
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified the Tonto Team threat group is targeting mainly Asian countries and has been distributing Bisonal malware
Phishing_Attack_Increasing_in_Singapore_for_Tax_Portal
LOW
+
—
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Phishing_Attack_Increasing_in_Singapore_for_Tax_Portal
- Date of Scan:
- 2023-04-26
- Impact:
- LOW
- Summary:
- Researchers from SANS have identified an IRAS phishing website that looks legitimate, this website asks users to input their Singapore Personal Access (Singpass) credentials to access government and private services (such as banking) in Singapore.
Source:
https://isc.sans.edu/diary/Strolling+through+Cyberspace+and+Hunting+for+Phishing+Sites/29780/
RokRAT_Malware_Distributing_Through_LNK_Files
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- RokRAT_Malware_Distributing_Through_LNK_Files
- Date of Scan:
- 2023-04-26
- Impact:
- LOW
- Summary:
- ASEC researchers have observed that the RedEyes threat group (also known as APT37, ScarCruft), which distributed CHM Malware Disguised as Security Email from a Korean Financial Company last month, has also recently distributed the RokRAT malware through LNK files.
Finding_Decoy_Dog_Toolkit_via_Anomalous_DNS_Traffic
LOW
+
—
—
- Intel Source:
- Infoblox
- Intel Name:
- Finding_Decoy_Dog_Toolkit_via_Anomalous_DNS_Traffic
- Date of Scan:
- 2023-04-26
- Impact:
- LOW
- Summary:
- Researchers from Infoblox have identified a new malware toolkit named Decoy Dog, that has been discovered that allows attackers to avoid standard detection techniques and target enterprises. It uses DNS query dribbling and strategic domain aging techniques to bypass security checks.
New_the_Mirai_botnet_exploit
MEDIUM
+
—
—
- Intel Source:
- Zero Day Initiative (ZDI)
- Intel Name:
- New_the_Mirai_botnet_exploit
- Date of Scan:
- 2023-04-26
- Impact:
- MEDIUM
- Summary:
- The Zero Day Initiative threat-hunting team discovered recently new exploit attempts in Eastern Europe showing that the Mirai botnet has updated its version to CVE-2023-1389, known as ZDI-CAN-19557/ZDI-23-451. This malicious activity in the TP-Link Archer AX21 Wi-Fi router was originally disclosed to ZDI during the Pwn2Own Toronto event, where it was used by Team Viettel in their LAN-side entry against the TP-Link device and by Qrious Security in their WAN-side entry.
New_Findings_of_Educated_Manticore
MEDIUM
+
—
—
- Intel Source:
- Checkpoint
- Intel Name:
- New_Findings_of_Educated_Manticore
- Date of Scan:
- 2023-04-25
- Impact:
- MEDIUM
- Summary:
- Researchers from Checkpoint have revealed new findings of an activity cluster closely related to Phosphorus. It presents a new and improved infection chain leading to the deployment of a new version of PowerLess. This implant is attributed to Phosphorus in the past, an Iran-affiliated threat group operating in the Middle East and North America.
The_Analysis_of_Tomiris_Group
LOW
+
—
—
- Intel Source:
- Securelist
- Intel Name:
- The_Analysis_of_Tomiris_Group
- Date of Scan:
- 2023-04-25
- Impact:
- LOW
- Summary:
- Securelist researchers have continued to track Tomiris as a separate threat actor over three new attack campaigns between 2021 and 2023 and it is targeting government and diplomatic entities in the CIS.
Source:
https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/
Repurposing_Package_Name_on_PyPI_to_Push_Malware
LOW
+
—
—
- Intel Source:
- ReversingLabs
- Intel Name:
- Repurposing_Package_Name_on_PyPI_to_Push_Malware
- Date of Scan:
- 2023-04-25
- Impact:
- LOW
- Summary:
- Researchers from Reversing Labs have observed that a malicious package on the Python Package Index (PyPI) named termcolour, a three-stage downloader published in multiple versions.
Source:
https://www.reversinglabs.com/blog/package-names-repurposed-to-push-malware-on-pypi
After_15_Years_release_Open_Source_Gh0st_RAT_still_Haunting_Inboxes
LOW
+
—
—
- Intel Source:
- Cofense
- Intel Name:
- After_15_Years_release_Open_Source_Gh0st_RAT_still_Haunting_Inboxes
- Date of Scan:
- 2023-04-25
- Impact:
- LOW
- Summary:
- Cofense Intelligence Unit discovered Gh0st RAT, old open-source RAT, that is targeting a healthcare organization. Gh0st RAT was created by a Chinese hacking group named C. The public release of Gh0st RAT source code made it easy for threat actors to manipulate victims. Their information-stealing capabilities: taking full control of the infected machine, recording keystrokes in real time with offline logging available, accessing live web cam feeds including microphone recording, downloading files remotely, remote shutdown and reboot, disabling user input
Source:
https://cofense.com/blog/open-source-gh0st-rat-still-haunting-inboxes-15-years-after-release/
New_OCX_HARVESTER_Attack_Campaign_Using_Modernized_More_Eggs_Suite
MEDIUM
+
—
—
- Intel Source:
- Securonix Threat Labs
- Intel Name:
- New_OCX_HARVESTER_Attack_Campaign_Using_Modernized_More_Eggs_Suite
- Date of Scan:
- 2023-04-24
- Impact:
- MEDIUM
- Summary:
- Securonix Threat Labs researchers have observed a new attack campaign tracked as OCX#HARVESTER. Some of the malicious payloads leveraged as part of the attack campaign observed appear to be related to the More_eggs malicious payloads reported earlier.
Zero_Day_Vulnerabilities_in_PaperCut_Print_Management_Software
LOW
+
—
—
- Intel Source:
- Huntress
- Intel Name:
- Zero_Day_Vulnerabilities_in_PaperCut_Print_Management_Software
- Date of Scan:
- 2023-04-24
- Impact:
- LOW
- Summary:
- Researchers from Huntress have tracked the exploitation of zero-day vulnerabilities against PaperCut MF/NG which allow for unauthenticated remote code execution due to an authentication bypass.
Source:
https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
ViperSoftX_Encryption_Updates
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- ViperSoftX_Encryption_Updates
- Date of Scan:
- 2023-04-24
- Impact:
- LOW
- Summary:
- TrendMicro researchers have observed cryptocurrency and information stealer ViperSoftX evading initial loader detection and making its lure more believable by making the initial package loader via cracks, keygens, activators, and packers non-malicious.
Source:
https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html
X_Trader_Supply_Chain_Attack_Affecting_Critical_Infrastructure_Organizations_in_US_and_Europe
MEDIUM
+
—
—
- Intel Source:
- Symantec
- Intel Name:
- X_Trader_Supply_Chain_Attack_Affecting_Critical_Infrastructure_Organizations_in_US_and_Europe
- Date of Scan:
- 2023-04-24
- Impact:
- MEDIUM
- Summary:
- Researchers from Symantec have identified that North Korean-linked operations affected more organizations beyond 3CX, including two critical infrastructure organizations in the energy sector.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain
The_QakBot_Malware_Continues_to_Evolve
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- The_QakBot_Malware_Continues_to_Evolve
- Date of Scan:
- 2023-04-24
- Impact:
- LOW
- Summary:
- Cyble Research Intelligence Labs have observed that several malware families, such as AsyncRAT, QuasarRAT, DCRAT, etc., have been found using OneNote attachments as part of their tactics. In February 2023, the well-known malware, Qakbot, started using OneNote attachments in their spam campaigns.
Source:
https://blog.cyble.com/2023/04/21/qakbot-malware-continues-to-morph/
BlueNoroff_APT_Group_Targeting_macOS_With_RustBucket_Malware
LOW
+
—
—
- Intel Source:
- Jamf
- Intel Name:
- BlueNoroff_APT_Group_Targeting_macOS_With_RustBucket_Malware
- Date of Scan:
- 2023-04-24
- Impact:
- LOW
- Summary:
- Jamf Threat Labs have discovered a macOS malware family that communicates with command and control (C2) servers to download and execute various payloads. They track and protect against this malware family under the name ‘RustBucket’ and suspect it to be attributed to a North Korean, state-sponsored threat actor.
Source:
https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/
Two_New_QakBot_C2_Servers_Detected
LOW
+
—
—
- Intel Source:
- Sophos
- Intel Name:
- Two_New_QakBot_C2_Servers_Detected
- Date of Scan:
- 2023-04-22
- Impact:
- LOW
- Summary:
- Sophos researchers have detected two new QakBot servers that have not yet been publicly identified. These servers are used by threat actors to manage and control QakBot infections, a banking trojan that has been active since 2008 and primarily targets financial institutions and their customers.
Source:
https://news.sophos.com/en-us/2023/04/20/new-qakbot-c2-servers-detected-with-sophos-ndr/
Scams_Involving_ChatGPT_Are_on_the_Rise
LOW
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- Scams_Involving_ChatGPT_Are_on_the_Rise
- Date of Scan:
- 2023-04-22
- Impact:
- LOW
- Summary:
- Unit42 researchers have monitored the newly registered domains and squatting domains related to ChatGPT, as it is one of the fastest-growing consumer applications in history. The dark side of this popularity is that ChatGPT is also attracting the attention of scammers seeking to benefit from using wording and domain names that appear related to the site.
Source:
https://unit42.paloaltonetworks.com/chatgpt-scam-attacks-increasing/
The_Examination_of_EvilExtractor_Tool
MEDIUM
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Examination_of_EvilExtractor_Tool
- Date of Scan:
- 2023-04-22
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs researchers have analyzed the EvilExtractor tool which is an attack tool designed to target Windows operating systems and extract data and files from endpoint devices. Also, observed this malware in a phishing email campaign on 30 March.
Source:
https://www.fortinet.com/blog/threat-research/evil-extractor-all-in-one-stealer
Lazarus_Hackers_Pushing_Linux_Malware_via_Fake_Job_Offers
MEDIUM
+
—
—
- Intel Source:
- Welivesecurity
- Intel Name:
- Lazarus_Hackers_Pushing_Linux_Malware_via_Fake_Job_Offers
- Date of Scan:
- 2023-04-22
- Impact:
- MEDIUM
- Summary:
- Researchers from Welivesecurity identified a new Lazarus campaign considered part of “Operation DreamJob” has been discovered targeting Linux users with malware for the first time.
Daggerfly_APT_Group_Targeting_Telecoms_Company_in_Africa
LOW
+
—
—
- Intel Source:
- Symantec
- Intel Name:
- Daggerfly_APT_Group_Targeting_Telecoms_Company_in_Africa
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Researchers from Symantec have identified that Telecommunication services providers in Africa are the target of a new campaign orchestrated by a China-linked threat actor at least since November 2022.
Hackers_Using_Abandoned_WordPress_Plugins_to_Backdoor_Websites
LOW
+
—
—
- Intel Source:
- Sucuri
- Intel Name:
- Hackers_Using_Abandoned_WordPress_Plugins_to_Backdoor_Websites
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Sucuri researchers have identified that attackers are using Eval PHP, an outdated legitimate WordPress plugin, to compromise websites by injecting stealthy backdoors.
Source:
https://blog.sucuri.net/2023/04/massive-abuse-of-abandoned-evalphp-wordpress-plugin.html
EDR_Killer_AuKill_Exploiting_Process_Explorer_Drivers
MEDIUM
+
—
—
- Intel Source:
- Sophos
- Intel Name:
- EDR_Killer_AuKill_Exploiting_Process_Explorer_Drivers
- Date of Scan:
- 2023-04-21
- Impact:
- MEDIUM
- Summary:
- Sophos researchers have investigated multiple incidents where attackers attempted to disable EDR clients with a new defense evasion tool dubbed AuKill. The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.
Source:
https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/
SideCopy_Attack_Chain_Deploying_AllaKore_RAT
LOW
+
—
—
- Intel Source:
- Team-Cymru
- Intel Name:
- SideCopy_Attack_Chain_Deploying_AllaKore_RAT
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Researchers from Team-Cymru have analyzed the SideCopy group and discovered the SideCopy attack chain used to deploy AllaKore RAT. It is an open-source remote access tool that has been modified for the purposes of SideCopy operations and is commonly observed in their intrusions.
Source:
https://www.team-cymru.com/post/allakore-d-the-sidecopy-train
Bumblebee_Malware_Distributing_Via_Trojanized_Installer_Downloads
MEDIUM
+
—
—
- Intel Source:
- Secureworks
- Intel Name:
- Bumblebee_Malware_Distributing_Via_Trojanized_Installer_Downloads
- Date of Scan:
- 2023-04-21
- Impact:
- MEDIUM
- Summary:
- https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads
Source:
https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads
Distribution_of_the_BlackBit_ransomware
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Distribution_of_the_BlackBit_ransomware
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of the BlackBit ransomware disguised as svchost.exe during the team’s monitoring. According to the ASEC’s internal infrastructure, the BlackBit ransomware has been continuously distributed
Russian_Hackers_Conducting_Phishing_Attacks_in_Ukraine
LOW
+
—
—
- Intel Source:
- Google Blog
- Intel Name:
- Russian_Hackers_Conducting_Phishing_Attacks_in_Ukraine
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Google Threat Analysis researchers have observed that Russian government-backed phishing campaigns targeted users in Ukraine the most, with the country accounting for over 60% of observed Russian targeting.
Source:
https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/
Belarus_Linked_Hacking_Group_Targeting_Poland_With_New_Disinformation_Campaign
MEDIUM
+
—
—
- Intel Source:
- CSIRT-MON
- Intel Name:
- Belarus_Linked_Hacking_Group_Targeting_Poland_With_New_Disinformation_Campaign
- Date of Scan:
- 2023-04-21
- Impact:
- MEDIUM
- Summary:
- CSIRT-MON researchers have issued a warning Wednesday about a recent disinformation campaign that has been traced back to the Belarusian hacking group known as Ghostwriter.
Source:
https://csirt-mon.wp.mil.pl/pl/articles/6-aktualnosci/dezinformacja-o-rekrutacji-do-litpolukrbrig/
Play_Ransomware_Group_Using_New_Custom_Data_Gathering_Tools
MEDIUM
+
—
—
- Intel Source:
- Symantec
- Intel Name:
- Play_Ransomware_Group_Using_New_Custom_Data_Gathering_Tools
- Date of Scan:
- 2023-04-21
- Impact:
- MEDIUM
- Summary:
- Symantec researchers have identified that the Play ransomware group is using two new, custom-developed tools that allow it to enumerate all users and computers on a compromised network, and copy files from the Volume Shadow Copy Service (VSS) that are normally locked by the operating system.
Hackers_Promptly_Adopting_Web3_IPFS_Technology
LOW
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- Hackers_Promptly_Adopting_Web3_IPFS_Technology
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- PaloAlto researchers have observed several types of cyberthreats using InterPlanetary File System (aka IPFS), including phishing, credential theft, command and control (C2) communications, and malicious payload distribution. Also, observed a significant jump in IPFS-related traffic at the beginning of 2022.
Source:
https://unit42.paloaltonetworks.com/ipfs-used-maliciously/
USB_Based_FlowCloud_Malware_Attacks
LOW
+
—
—
- Intel Source:
- NTT Security
- Intel Name:
- USB_Based_FlowCloud_Malware_Attacks
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Researchers from NTT security have observed several companies have been infected with FlowCloud. It is known as malware used by an attack group called TA410 and has been observed since around 2019.
Source:
https://insight-jp.nttsecurity.com/post/102id0t/usbflowcloud
New_Attack_Chain_Uncovered_From_Blind_Eagle_Cyber_Espionage_Group
LOW
+
—
—
- Intel Source:
- Threatmon
- Intel Name:
- New_Attack_Chain_Uncovered_From_Blind_Eagle_Cyber_Espionage_Group
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Researchers from Threatmon have observed that the cyber espionage actor tracked as Blind Eagle has been linked to a new multi-stage attack chain that leads to the deployment of the NjRAT remote access trojan on compromised systems.
Source:
https://threatmon.io/apt-blind-eagles-malware-arsenal-technical-analysis/
Hackers_From_Pakistan_Using_Linux_Malware_Poseidon_to_Target_Indian_Government_Agencies
MEDIUM
+
—
—
- Intel Source:
- Uptycs
- Intel Name:
- Hackers_From_Pakistan_Using_Linux_Malware_Poseidon_to_Target_Indian_Government_Agencies
- Date of Scan:
- 2023-04-20
- Impact:
- MEDIUM
- Summary:
- Researchers from Uptycs have identified a Pakistan-based advanced persistent threat actor known as Transparent Tribe using a two-factor authentication (2FA) tool used by Indian government agencies as a ruse to deliver a new Linux backdoor called Poseidon.
Source:
https://www.uptycs.com/blog/cyber_espionage_in_india_decoding_apt_36_new_linux_malware
Phishing_Campaign_Targeting_EPOS_Net_Customers
LOW
+
—
—
- Intel Source:
- LOW
- Intel Name:
- Phishing_Campaign_Targeting_EPOS_Net_Customers
- Date of Scan:
- 2023-04-20
- Impact:
- LOW
- Summary:
- Cofense Phishing Defense Center have observed a sophisticated phishing campaign targeting EPOS Net customers, a large Japanese credit card company. The campaign is notable for its meticulously crafted emails and cloned website, as well as its use of official customer service numbers to establish an illusion of legitimacy.
Google_Ads_Abuse_and_Spear_Phishing_Campaigns_Impersonating_Spains_Tax_Agency
LOW
+
—
—
- Intel Source:
- Blackberry
- Intel Name:
- Google_Ads_Abuse_and_Spear_Phishing_Campaigns_Impersonating_Spains_Tax_Agency
- Date of Scan:
- 2023-04-20
- Impact:
- LOW
- Summary:
- Researchers from BlackBerry have observed two parallel malicious campaigns that use the same infrastructure but have different purposes. The first campaign is related to a malvertising Google Ads Platform and the second campaign is related to a massive spear-phishing campaign targeting large organizations based in Spain. The campaign impersonated Spain’s tax agency, with the goal of harvesting the email credentials of companies in Spain.
New_Strain_of_Ransomware_Named_CrossLock
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- New_Strain_of_Ransomware_Named_CrossLock
- Date of Scan:
- 2023-04-20
- Impact:
- LOW
- Summary:
- Cyble researchers have discovered a new strain of ransomware called CrossLock, which is written in the programming language “Go”. It employs the double-extortion technique to increase the likelihood of payment from its victims and this technique involves encrypting the victim’s data as well as exfiltrating it from their system.
A_New_Backdoor_Called_Devopt
LOW
+
—
—
- Intel Source:
- Zscaler
- Intel Name:
- A_New_Backdoor_Called_Devopt
- Date of Scan:
- 2023-04-19
- Impact:
- LOW
- Summary:
- Zscaler ThreatLabz researchers have identified a new backdoor called ‘Devopt’. It utilizes hard-coded names for persistence and offers several functionalities, including keylogging, stealing browser credentials, clipper, and more. Multiple versions of the backdoor have surfaced in just the last few days, indicating that it is still in development.
Source:
https://www.zscaler.com/blogs/security-research/introducing-devopt-multifunctional-backdoor-arsenal
Attacking_High_Value_Targets_With_Mint_Sandstorm
MEDIUM
+
—
—
- Intel Source:
- Microsoft
- Intel Name:
- Attacking_High_Value_Targets_With_Mint_Sandstorm
- Date of Scan:
- 2023-04-19
- Impact:
- MEDIUM
- Summary:
- Microsoft researchers have observed a mature subgroup of Mint Sandstorm, an Iranian nation-state actor previously tracked as PHOSPHORUS, refining its tactics, techniques, and procedures (TTPs). Specifically, this subset has rapidly weaponized N-day vulnerabilities in common enterprise applications and conducted highly-targeted phishing campaigns to quickly and successfully access environments of interest.
The_Critical_Component_of_Aurora_Stealer_Attack_Delivery_Chain
LOW
+
—
—
- Intel Source:
- Morphisec
- Intel Name:
- The_Critical_Component_of_Aurora_Stealer_Attack_Delivery_Chain
- Date of Scan:
- 2023-04-19
- Impact:
- LOW
- Summary:
- Morphisec researchers have observed the component that makes Aurora’s delivery stealthy and dangerous is a highly evasive loader named “in2al5d p3in4er.” It is compiled with Embarcadero RAD Studio and targets endpoint workstations using advanced anti-VM (virtual machine) techniques.
Hackers_From_Iran_Leveraging_SimpleHelp_Remote_Support_Software_for_Persistent_Access
MEDIUM
+
—
—
- Intel Source:
- Group-IB
- Intel Name:
- Hackers_From_Iran_Leveraging_SimpleHelp_Remote_Support_Software_for_Persistent_Access
- Date of Scan:
- 2023-04-18
- Impact:
- MEDIUM
- Summary:
- Researchers from Group-IB have identified that the Iranian threat actor known as MuddyWater is continuing its time-tested tradition of relying on legitimate remote administration tools to commandeer targeted systems.
Source:
https://www.group-ib.com/blog/muddywater-infrastructure/
The_Examination_of_BabLock_Ransomware
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_Examination_of_BabLock_Ransomware
- Date of Scan:
- 2023-04-18
- Impact:
- LOW
- Summary:
- TrendMicro researchers have analyzed stealthy and expeditious ransomware called BabLock (aka Rorschach). It has recently been making waves due to its sophisticated and fast-moving attack chain that uses subtle yet effective techniques.
Source:
https://www.trendmicro.com/en_us/research/23/d/an-analysis-of-the-bablock-ransomware.html
Gamaredon_Groups_Automated_Spear_Phishing_Campaigns_Revealed_by_Exposed_Web_Panel
MEDIUM
+
—
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Gamaredon_Groups_Automated_Spear_Phishing_Campaigns_Revealed_by_Exposed_Web_Panel
- Date of Scan:
- 2023-04-18
- Impact:
- MEDIUM
- Summary:
- EclecticIQ researchers have identified a spear phishing campaign targeting Ukrainian government entities like the Foreign Intelligence Service of Ukraine (SZRU) and the Security Service of Ukraine (SSU), likely conducted by APT group Gamaredon.
The_Activities_of_Tick_Group
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- The_Activities_of_Tick_Group
- Date of Scan:
- 2023-04-18
- Impact:
- LOW
- Summary:
- Researchers from ASEC have continued to track Tick group activities as it is targeting government agencies, the military, and various industries in Korea and Japan for over a decade.
QBot_Banker_Delivering_Via_Business_Correspondence
LOW
+
—
—
- Intel Source:
- Securelist
- Intel Name:
- QBot_Banker_Delivering_Via_Business_Correspondence
- Date of Scan:
- 2023-04-18
- Impact:
- LOW
- Summary:
- Securelist researchers have observed a significant increase in attacks that use banking Trojans of the QBot family. The malware is delivered through e-mail letters written in different languages — variations of them were coming in English, German, Italian, and French. The messages were based on real business letters the attackers had gotten access to, which afforded them the opportunity to join the correspondence thread with messages of their own.
Source:
https://securelist.com/qbot-banker-business-correspondence/109535/
Trigona_Ransomware_Attacking_MS_SQL_Servers
MEDIUM
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Trigona_Ransomware_Attacking_MS_SQL_Servers
- Date of Scan:
- 2023-04-18
- Impact:
- MEDIUM
- Summary:
- ASEC researchers have discovered the Trigona ransomware is installed on poorly managed MS-SQL servers and typical attacks include brute force attacks and dictionary attacks to systems where account credentials are poorly being managed.
The_Analysis_of_Trigona_Ransomware
LOW
+
—
—
- Intel Source:
- ZScaler
- Intel Name:
- The_Analysis_of_Trigona_Ransomware
- Date of Scan:
- 2023-04-17
- Impact:
- LOW
- Summary:
- Zscaler researchers have analyzed the Trigona ransomware. It is written in the Delphi programming language that has been active since at least June 2022.
Source:
https://www.zscaler.com/blogs/security-research/technical-analysis-trigona-ransomware
An_Overview_of_Tax_Scammers
MEDIUM
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- An_Overview_of_Tax_Scammers
- Date of Scan:
- 2023-04-17
- Impact:
- MEDIUM
- Summary:
- Fortinet researchers have analyzed a few examples of malware that take advantage of tax season. Attackers make every attempt to scam taxpayers for financial gain and data exfiltration for future attacks.
Source:
https://www.fortinet.com/blog/threat-research/tax-scammers-at-large
Threat_Actors_From_Conti_and_FIN7_Collaborate_With_Domino_Backdoor
MEDIUM
+
—
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- Threat_Actors_From_Conti_and_FIN7_Collaborate_With_Domino_Backdoor
- Date of Scan:
- 2023-04-17
- Impact:
- MEDIUM
- Summary:
- Researchers from IBM security have discovered a new malware family called Domino that is created by developers associated with the cybercriminal group that X-Force tracks as ITG14, also known as FIN7.
Source:
https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/
Zaraza_Bot_Credential_Stealer_Targeting_Browser_Passwords
LOW
+
—
—
- Intel Source:
- Uptycs
- Intel Name:
- Zaraza_Bot_Credential_Stealer_Targeting_Browser_Passwords
- Date of Scan:
- 2023-04-17
- Impact:
- LOW
- Summary:
- Researchers from Uptycs team have identified a new variant of credential stealing malware, dubbed Zaraza bot, which is using telegram as its command and control and It is the Russian word for infection.
Source:
https://www.uptycs.com/blog/zaraza-bot-credential-password-stealer
LockBit_Encryptor_Targeting_macOS_System
MEDIUM
+
—
—
- Intel Source:
- Malware Hunter
- Intel Name:
- LockBit_Encryptor_Targeting_macOS_System
- Date of Scan:
- 2023-04-17
- Impact:
- MEDIUM
- Summary:
- Researchers from Malware Hunter team have warned that the LockBit ransomware gang has developed encryptors to target macOS devices.
Source:
https://twitter.com/malwrhunterteam/status/1647384505550876675
Fraudulent_Campaign_Using_Fake_Google_Chrome_Error_to_Spread_Malware
LOW
+
—
—
- Intel Source:
- NTT Security
- Intel Name:
- Fraudulent_Campaign_Using_Fake_Google_Chrome_Error_to_Spread_Malware
- Date of Scan:
- 2023-04-17
- Impact:
- LOW
- Summary:
- Researchers from NTT security have observed an attack campaign distributing malware from a web page disguised as a Google Chrome error message since around November 2022. It has become active since around February 2023, and the attacks have been confirmed in a very wide area, so close attention is required.
Bitter_Group_CHM_malware_distribution
LOW
+
—
—
- Intel Source:
- Ciberdefensa
- Intel Name:
- Bitter_Group_CHM_malware_distribution
- Date of Scan:
- 2023-04-16
- Impact:
- LOW
- Summary:
- The Bitter group has been distributing CHM malware to certain Chinese organizations through compressed email attachments with filenames such as “Project Plan 2023.chm”. When executed, the CHM files display content related to Chinese and Russian organizations and activate a malicious script that executes additional malware.
Money_Ransomware
LOW
+
—
—
- Intel Source:
- Yoroi
- Intel Name:
- Money_Ransomware
- Date of Scan:
- 2023-04-16
- Impact:
- LOW
- Summary:
- The article discusses the Money Ransomware group, which utilizes a double extortion model by encrypting data and exfiltrating sensitive information, threatening to publish the data unless a ransom is paid.
Source:
https://yoroi.company/research/money-ransomware-the-latest-double-extortion-group/?&web_view=true
The_Activity_of_Emerging_Cybercriminal_Group_Named_Read_The_Manual_RTM_Locker
LOW
+
—
—
- Intel Source:
- Trellix
- Intel Name:
- The_Activity_of_Emerging_Cybercriminal_Group_Named_Read_The_Manual_RTM_Locker
- Date of Scan:
- 2023-04-15
- Impact:
- LOW
- Summary:
- Researchers from Trellix have detailed the tactics, techniques, and procedures of an emerging cybercriminal gang called ‘Read The Manual RTM Locker. The group provides a ransomware-as-a-service (RaaS) and provides its malicious code to a network of affiliates by imposing strict rules.
Threat_Actors_Try_to_Wreak_Havoc_on_Tax_Day
MEDIUM
+
—
—
- Intel Source:
- Microsoft
- Intel Name:
- Threat_Actors_Try_to_Wreak_Havoc_on_Tax_Day
- Date of Scan:
- 2023-04-15
- Impact:
- MEDIUM
- Summary:
- Microsoft researchers have observed phishing attacks targeting accounting and tax return preparation firms to deliver the Remcos remote access trojan (RAT) and compromise target networks beginning in February of this year.
Malware_Attacks_on_Tax_Firms
LOW
+
—
—
- Intel Source:
- Sophos
- Intel Name:
- Malware_Attacks_on_Tax_Firms
- Date of Scan:
- 2023-04-15
- Impact:
- LOW
- Summary:
- Sophos researchers have observed that a threat actor is targeting Financial accountant firms and CPAs with an attack that combines social engineering with a novel exploit against Windows computers to deliver malware called GuLoader.
Source:
https://news.sophos.com/en-us/2023/04/13/tax-firms-targeted-by-precision-malware-attacks/
APT36_Group_Targeting_Indian_Education_Sector
MEDIUM
+
—
—
- Intel Source:
- Sentinelone
- Intel Name:
- APT36_Group_Targeting_Indian_Education_Sector
- Date of Scan:
- 2023-04-14
- Impact:
- MEDIUM
- Summary:
- Researchers from SentinelOne have identified a cluster of malicious Office documents that distribute Crimson RAT, used by the APT36 group (also known as Transparent Tribe) targeting the education sector.
Russian_Hackers_Targeting_NATO_and_EU
MEDIUM
+
—
—
- Intel Source:
- CERT-PL
- Intel Name:
- Russian_Hackers_Targeting_NATO_and_EU
- Date of Scan:
- 2023-04-14
- Impact:
- MEDIUM
- Summary:
- Researchers from The Military Counterintelligence Service and the CERT Polska team have observed a widespread espionage campaign linked to Russian intelligence services and targeting NATO and EU.
Source:
https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services
Bitter_Group_Distributing_CHM_Malware_to_Chinese_Organizations
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Bitter_Group_Distributing_CHM_Malware_to_Chinese_Organizations
- Date of Scan:
- 2023-04-14
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified multiple circumstances of the group distributing CHM malware to certain Chinese organizations. The files used in the recent attack are distributed as attachments to emails as compressed files. The compressed files contain a CHM file with different filenames.
New_Legion_Hacktool_Stealing_Credentials_From_Misconfigured_Sites
MEDIUM
+
—
—
- Intel Source:
- CADO
- Intel Name:
- New_Legion_Hacktool_Stealing_Credentials_From_Misconfigured_Sites
- Date of Scan:
- 2023-04-14
- Impact:
- MEDIUM
- Summary:
- CADO Security researchers have identified a new Python-based credential harvester and SMTP hijacking tool named ‘Legion’ that is being sold on Telegram that targets online email services for phishing and spam attacks.
Source:
https://www.cadosecurity.com/legion-an-aws-credential-harvester-and-smtp-hijacker/
DigitalOceans_Tech_Support_Scam_Shifts_to_StackPaths_CDN
MEDIUM
+
—
—
- Intel Source:
- Netscope
- Intel Name:
- DigitalOceans_Tech_Support_Scam_Shifts_to_StackPaths_CDN
- Date of Scan:
- 2023-04-13
- Impact:
- MEDIUM
- Summary:
- Netskope researchers have identified that attackers previously abusing DigitalOcean to host a tech support scam have expanded the operation, now abusing StackPath CDN to distribute the scam, and are likely to start abusing additional cloud services to deliver the scam in the near future.
Source:
https://www.netskope.com/pt/blog/tech-support-scam-pivots-from-digitalocean-to-stackpath-cdn
Color1337_Cryptojacking_Campaign_Targeting_Linux_Machines
LOW
+
—
—
- Intel Source:
- Tehtris
- Intel Name:
- Color1337_Cryptojacking_Campaign_Targeting_Linux_Machines
- Date of Scan:
- 2023-04-13
- Impact:
- LOW
- Summary:
- Researchers from Tehtris have identified a cryptojacking campaign, believed to have originated from Romania, and targeting Linux machines. This campaign, dubbed Color1337, leverages a botnet to mine Monero and the botnet can propagate itself to other machines across the network.
Source:
https://tehtris.com/en/blog/linux-focus-on-a-cryptomining-attack-dubbed-color1337
GuLoader_Targeting_the_Financial_Sector_Using_a_Taxthemed_Phishing_Lure
MEDIUM
+
—
—
- Intel Source:
- Esentire
- Intel Name:
- GuLoader_Targeting_the_Financial_Sector_Using_a_Taxthemed_Phishing_Lure
- Date of Scan:
- 2023-04-13
- Impact:
- MEDIUM
- Summary:
- Researchers from Esentire have observed GuLoader targeting the financial sector via the phishing email using a tax-themed lure. The phishing email contains a shared link to Adobe Acrobat, where the user can download the password-protected ZIP archive.
Raise_in_Qakbot_Malware_Incidents
LOW
+
—
—
- Intel Source:
- Esentire
- Intel Name:
- Raise_in_Qakbot_Malware_Incidents
- Date of Scan:
- 2023-04-13
- Impact:
- LOW
- Summary:
- Researchers from Esentire have observed a significant increase in Qakbot incidents impacting various industries.
Source:
https://www.esentire.com/security-advisories/increase-in-observations-of-qakbot-malware
Qakbot_Distributing_via_Email_Hijacking
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Qakbot_Distributing_via_Email_Hijacking
- Date of Scan:
- 2023-04-13
- Impact:
- LOW
- Summary:
- ASEC Lab researchers have identified circumstances of Qakbot malware is distributing via malicious PDF files attached to forwarded or replies to existing emails.
ASEC_Weekly_Malware_Analyses_April_03rd_April_09th_2023
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_Analyses_April_03rd_April_09th_2023
- Date of Scan:
- 2023-04-13
- Impact:
- LOW
- Summary:
- ASEC researchers have analyzed the malware and found backdoor ranked top with 61.1%, followed by Infostealer with 20.8%, downloader with 16.9%, and ransomware with 1.1%.
Chinese_Hacking_Group_Targeting_European_Governments_and_Businesses
HIGH
+
—
—
- Intel Source:
- Securinfra
- Intel Name:
- Chinese_Hacking_Group_Targeting_European_Governments_and_Businesses
- Date of Scan:
- 2023-04-13
- Impact:
- HIGH
- Summary:
- Researchers from Securinfra have observed that Chinese APT groups are targeting European governments and businesses. Recently, European Union Agency for Cybersecurity (ENISA) and CERT-EU warned about malicious activities against EU governments and businesses attributed to Chinese Advanced Persistent Threat (APT) groups.
Attacks_With_Nokoyawa_Ransomware_Using_ZeroDay_Vulnerabilities_in_Windows
MEDIUM
+
—
—
- Intel Source:
- Securelist
- Intel Name:
- Attacks_With_Nokoyawa_Ransomware_Using_ZeroDay_Vulnerabilities_in_Windows
- Date of Scan:
- 2023-04-12
- Impact:
- MEDIUM
- Summary:
- Securelist researchers have analyzed the CVE-2023-28252 zero-day vulnerability in Common Log File System (CLFS).
Source:
https://securelist.com/nokoyawa-ransomware-attacks-with-windows-zero-day/109483/
The_Development_and_Refinement_of_DeathNote_Campaign_TTPs
MEDIUM
+
—
—
- Intel Source:
- Securelist
- Intel Name:
- The_Development_and_Refinement_of_DeathNote_Campaign_TTPs
- Date of Scan:
- 2023-04-12
- Impact:
- MEDIUM
- Summary:
- Researchers from Securelist have focused on an active cluster that is dubbed DeathNote because the malware responsible for downloading additional payloads is named Dn.dll or Dn64.dll. This threat is also known as Operation DreamJob or NukeSped.
Source:
https://securelist.com/the-lazarus-group-deathnote-campaign/109490/
The_Attack_Flow_of_RagnarLocker_Ransomware
LOW
+
—
—
- Intel Source:
- Sygnia
- Intel Name:
- The_Attack_Flow_of_RagnarLocker_Ransomware
- Date of Scan:
- 2023-04-12
- Impact:
- LOW
- Summary:
- Researchers from Sygnia have analyzed the attack flow of RagnarLocker ransomware. It is both the name of a ransomware strain and of a criminal group that develops and operates it. Their data leakage blog appeared in April 2020, but although they’re an experienced group, RagnarLocker never made it to the top 10 ransomware strains.
Source:
https://blog.sygnia.co/threat-actor-spotlight-ragnarlocker-ransomware
Recent_Activity_of_IcedID
LOW
+
—
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Recent_Activity_of_IcedID
- Date of Scan:
- 2023-04-12
- Impact:
- LOW
- Summary:
- Researchers from SANS have observed that IcedID (Bokbot) is distributing through thread-hijacked emails with PDF attachments. The PDF files have links that redirect to Google Firebase Storage URLs hosting password-protected zip archives and the password for the downloaded zip archive is shown in the PDF file.
The_textwrap_wrap_function
LOW
+
—
—
- Intel Source:
- ISC. SANS
- Intel Name:
- The_textwrap_wrap_function
- Date of Scan:
- 2023-04-12
- Impact:
- LOW
- Summary:
- Didier Stevens, Senior handler from Microsoft MVP discovered that the textwrap.wrap function he used in diary entry “String Obfuscation: Character Pair Reversal” does not always group characters as he expected. He released an update of his python-per-line.py tool, including a Reverse function. And also some simple brute-forcing.
Source:
https://isc.sans.edu/diary/Extra+String+Obfuscation+Character+Pair+Reversal/29656
The_discovery_of_three_vulnerabilities_in_the_Microsoft_Message_Queuing_service_MSMQ
HIGH
+
—
—
- Intel Source:
- Checkpoint
- Intel Name:
- The_discovery_of_three_vulnerabilities_in_the_Microsoft_Message_Queuing_service_MSMQ
- Date of Scan:
- 2023-04-12
- Impact:
- HIGH
- Summary:
- Check Point reserachers recently observed three new vulnerabilities in the “Microsoft Message Queuing” service, known as MSMQ. These vulnerabilities were disclosed to Microsoft and patched in the April Patch Tuesday update. The most severe of these, dubbed QueueJumper by CPR (CVE-2023-21554), is a critical vulnerability that could allow unauthorized attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.
An_attack_campaign_distributing_malware_disguised_as_a_Google_Chrome
LOW
+
—
—
- Intel Source:
- NTT Security
- Intel Name:
- An_attack_campaign_distributing_malware_disguised_as_a_Google_Chrome
- Date of Scan:
- 2023-04-12
- Impact:
- LOW
- Summary:
- Since around November 2022, SOC has been observing an attack campaign distributing malware from a web page disguised as a Google Chrome error screen. It became active from around February 2023, and malware downloads have been confirmed in a very wide range, so it is necessary to be careful. This article provides an overview of the attack campaign and the malware.
Source:
https://insight-jp.nttsecurity.com/post/102ic6o/webgoogle-chrome
Analyzing_Impala_Stealer
LOW
+
—
—
- Intel Source:
- JFrog
- Intel Name:
- Analyzing_Impala_Stealer
- Date of Scan:
- 2023-04-12
- Impact:
- LOW
- Summary:
- Reserachers from JFrog provided a detailed analysis of a malicious payload named “Impala Stealer”, a custom crypto stealer which was used as the payload for the NuGet malicious packages campaign. The sophisticated campaign targeted .NET developers via NuGet malicious packages, and the JFrog Security team was able to detect and report it as part of their regular activity of exposing supply chain attacks.
Source:
https://jfrog.com/blog/impala-stealer-malicious-nuget-package-payload/
Malicious_Document_From_Ukraines_Energoatom_Delivering_Havoc_Demon_Backdoor
LOW
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- Malicious_Document_From_Ukraines_Energoatom_Delivering_Havoc_Demon_Backdoor
- Date of Scan:
- 2023-04-12
- Impact:
- LOW
- Summary:
- FortiGuard Labs researchers have identified a malicious spoofed document pretending to be from the Ukrainian company, Energoatom, a state-owned enterprise that operates Ukraine’s nuclear power plants.
The_Analysis_of_Malicious_HTA_File
LOW
+
—
—
- Intel Source:
- ISC.SANS
- Intel Name:
- The_Analysis_of_Malicious_HTA_File
- Date of Scan:
- 2023-04-12
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed the malicious HTA file.
Source:
https://isc.sans.edu/diary/Another+Malicious+HTA+File+Analysis+Part+2/29676/
ASEC_Weekly_Phishing_Email_analyses_March_26_April_1_2023
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Email_analyses_March_26_April_1_2023
- Date of Scan:
- 2023-04-11
- Impact:
- LOW
- Summary:
- ASEC lab researchers continiusly monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. Their post shares the cases of distribution of phishing emails during the week from March 26th, 2023 to April 1st, 2023 and provide statistical information on each type.
Gopuram_backdoor_deployed_through_3CX_supply_chain_attack
MEDIUM
+
—
—
- Intel Source:
- Securelist
- Intel Name:
- Gopuram_backdoor_deployed_through_3CX_supply_chain_attack
- Date of Scan:
- 2023-04-11
- Impact:
- MEDIUM
- Summary:
- On March 29, Crowdstrike posted their report about a supply chain attack conducted via 3CXDesktopApp. They analyzed the attack and shared their findings. They observed few victims compromised with Gopuram, but the number of infections began to increase in March 2023. As it turned out, the increase was directly related to the 3CX supply chain attack.
Source:
https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/
A_new_strain_of_malware_Rilide_targets_Chromium_based_browsers
LOW
+
—
—
- Intel Source:
- Trustwave
- Intel Name:
- A_new_strain_of_malware_Rilide_targets_Chromium_based_browsers
- Date of Scan:
- 2023-04-11
- Impact:
- LOW
- Summary:
- Trustwave SpiderLabs observed a new strain of malware that was named as Rilide and targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. Rilide malware is pretending as a legitimate Google Drive extension and lets threat actors to carry out a big range of malicious activities, including monitoring browsing history, taking screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges.
The_CryptoClippy_malware_campaign_targets_Portuguese_speakers
LOW
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- The_CryptoClippy_malware_campaign_targets_Portuguese_speakers
- Date of Scan:
- 2023-04-11
- Impact:
- LOW
- Summary:
- Unit 42 recently observed a malware campaign targeting Portuguese speakers and redirect cryptocurrency from legitimate users’ wallets and controlled by threat actors. The campaign uses a malware known as a cryptocurrency clipper, which monitors the victim’s clipboard for signs that a cryptocurrency wallet address is being copied.
Source:
https://unit42.paloaltonetworks.com/crypto-clipper-targets-portuguese-speakers/
The_Deep_Analysis_Report_on_SarinLocker_Ransomware
LOW
+
—
—
- Intel Source:
- Cyfirma
- Intel Name:
- The_Deep_Analysis_Report_on_SarinLocker_Ransomware
- Date of Scan:
- 2023-04-11
- Impact:
- LOW
- Summary:
- Cyfirma researchers have deeply analyzed a new ransomware called SarinLocker. The group has started a ransomware affiliate program that provides attackers with ransomware and affiliate software to manage victims.
Source:
https://www.cyfirma.com/outofband/sarinlocker-ransomware/
Hackers_Flooding_NPM_With_Fake_Packages_Causing_DoS_Attack
LOW
+
—
—
- Intel Source:
- Checkmarx
- Intel Name:
- Hackers_Flooding_NPM_With_Fake_Packages_Causing_DoS_Attack
- Date of Scan:
- 2023-04-11
- Impact:
- LOW
- Summary:
- Researchers from Checkmarx security have identified that hackers flooding the npm open source package repository for Node.js with bogus packages that briefly even resulted in a denial-of-service (DoS) attack.
WordPress_Infection_Campaign_Leveraging_Recently_Discovered_Theme_and_Plugin_Vulnerabilities
LOW
+
—
—
- Intel Source:
- Sucuri
- Intel Name:
- WordPress_Infection_Campaign_Leveraging_Recently_Discovered_Theme_and_Plugin_Vulnerabilities
- Date of Scan:
- 2023-04-10
- Impact:
- LOW
- Summary:
- Researchers from Sucuri have tracked a massive WordPress infection campaign since 2017. Typically, they refer to it as an ongoing long lasting massive WordPress infection campaign that leverages all known and recently discovered theme and plugin vulnerabilities.
ASEC_Weekly_Phishing_Email_analyses_March_19_25th_2023
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Email_analyses_March_19_25th_2023
- Date of Scan:
- 2023-04-10
- Impact:
- LOW
- Summary:
- ASEC lab researchers continiusly monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. Their post shares the cases of distribution of phishing emails during the week from March 19th, 2023 to March 25th, 2023 and provide statistical information on each type.
New_Ransomware_Group_Named_Money_Message
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- New_Ransomware_Group_Named_Money_Message
- Date of Scan:
- 2023-04-10
- Impact:
- LOW
- Summary:
- Cyble researchers have discovered a new ransomware group named Money Message. It can encrypt network shares and targets both Windows and Linux operating systems.
Source:
https://blog.cyble.com/2023/04/06/demystifying-money-message-ransomware/\
Ransomware_Based_Attacks_Carried_Out_by_Iranian_Hackers
MEDIUM
+
—
—
- Intel Source:
- Microsoft
- Intel Name:
- Ransomware_Based_Attacks_Carried_Out_by_Iranian_Hackers
- Date of Scan:
- 2023-04-10
- Impact:
- MEDIUM
- Summary:
- Microsoft researchers have identified the Iranian nation-state group known as MuddyWater has been observed carrying out destructive attacks on hybrid environments under the guise of a ransomware operation.
ASEC_Weekly_Malware_statistics_March_27_April_2_2023
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_statistics_March_27_April_2_2023
- Date of Scan:
- 2023-04-06
- Impact:
- LOW
- Summary:
- ASEC lab researchers continiusly monitor malware threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. Their post lists weekly statistics collected from March 27th, 2023 (Monday) to April 2nd, 2023 (Sunday).
The_efile_com_analyses
LOW
+
—
—
- Intel Source:
- ISC. SANS
- Intel Name:
- The_efile_com_analyses
- Date of Scan:
- 2023-04-06
- Impact:
- LOW
- Summary:
- Johannes B. Ullrich, Ph.D. , Dean of Research from SANS.edu analyzed the efile.com Malware “efail” which serving malicious ake “Browser Updates” to some of its users. Johannes B. Ulrich could retrieve some of the malware last evening before it was removed. The attack uses two main executables. The first one, “update.exe,” is a simple downloader downloading and executing the second part. The second part is a PHP script communicating with the command and control server. Its main function is to download and execute additional code as instructed to do so. During the installation, basic system information is sent to the attacker, and the backdoor is made persistent via scheduled/on-boot registry entries.
Source:
https://isc.sans.edu/diary/Analyzing+the+efilecom+Malware+efail/29712/#comments
The_functions_of_Genesis_Market
LOW
+
—
—
- Intel Source:
- Trellix
- Intel Name:
- The_functions_of_Genesis_Market
- Date of Scan:
- 2023-04-06
- Impact:
- LOW
- Summary:
- Trellix was approached by law enforcment asking for assistance with the analyses of Genesis Market. Trellix have analyzed and explained the function and operations of Genesis Market, as well as provided an analysis of malware samples that law enforcement shared with Trellix, advice and guidance to (potential) victims.
Royal_Ransom_analyses
LOW
+
—
—
- Intel Source:
- Trellix
- Intel Name:
- Royal_Ransom_analyses
- Date of Scan:
- 2023-04-06
- Impact:
- LOW
- Summary:
- Trellix Advanced Cyber Services team within Trellix Professional Services provided updated incident response-related data.
Source:
https://www.trellix.com/en-us/about/newsroom/stories/research/a-royal-analysis-of-royal-ransom.html
Emotet_Resumed_its_Spamming_Activities
LOW
+
—
—
- Intel Source:
- Trustwave
- Intel Name:
- Emotet_Resumed_its_Spamming_Activities
- Date of Scan:
- 2023-04-06
- Impact:
- LOW
- Summary:
- Researchers from Trustwave SpiderLabs have saw Emotet switch focus to using OneNote attachments, which is a tactic also adopted by other malware groups in recent months. The analysis is intended to help the cybersecurity community better understand the wider obfuscation and padding tricks Emotet is using.
New_Ransomware_Variants_Are_Dark_Power_and_PayME100USD
LOW
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- New_Ransomware_Variants_Are_Dark_Power_and_PayME100USD
- Date of Scan:
- 2023-04-05
- Impact:
- LOW
- Summary:
- FortiGate Labs researchers have identified two new ransomware named Dark Power and PayME100USD. Dark Power ransomware launched in early February 2023 and this is a rare ransomware breed in that it was written in the Nim programming language. PayMe100USD ransomware written in Python that was discovered in March 2023 and the malware has basic functionality and performs ordinary ransomware activities.
Source:
https://www.fortinet.com/blog/threat-research/dark-power-and-payme100usd-ransomware?&web_view=true
Typhon_Reborn_Stealer_Malware_Back_with_Advanced_Evasion_Techniques
LOW
+
—
—
- Intel Source:
- Talos
- Intel Name:
- Typhon_Reborn_Stealer_Malware_Back_with_Advanced_Evasion_Techniques
- Date of Scan:
- 2023-04-05
- Impact:
- LOW
- Summary:
- Talos researchers have observed that the threat actor behind the information-stealing malware known as Typhon Reborn has resurfaced with an updated version (V2) that packs in improved capabilities to evade detection and resist analysis.
Source:
https://blog.talosintelligence.com/typhon-reborn-v2-features-enhanced-anti-analysis/
ALPHV_Ransomware_Affiliate_Targeting_Vulnerable_Backup_Installations_to_Gain_Initial_Access
MEDIUM
+
—
—
- Intel Source:
- Mandiant
- Intel Name:
- ALPHV_Ransomware_Affiliate_Targeting_Vulnerable_Backup_Installations_to_Gain_Initial_Access
- Date of Scan:
- 2023-04-05
- Impact:
- MEDIUM
- Summary:
- Mandiant researchers have observed a new ALPHV (aka BlackCat ransomware) ransomware affiliate, tracked as UNC4466, targeting publicly exposed Veritas Backup Exec installations, vulnerable to CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878, for initial access to victim environments.
Source:
https://www.mandiant.com/resources/blog/alphv-ransomware-backup
An_Attack_Against_Palestinian_Targets_Using_New_Weapons
LOW
+
—
—
- Intel Source:
- Symantec
- Intel Name:
- An_Attack_Against_Palestinian_Targets_Using_New_Weapons
- Date of Scan:
- 2023-04-05
- Impact:
- LOW
- Summary:
- Researchers from Symantec have observed that the Mantis APT group (aka Arid Viper, Desert Falcon, APT-C-23), a threat actor believed to be operating out of the Palestinian territories, is continuing to mount attacks, deploying a refreshed toolset and going to great lengths to maintain a persistent presence on targeted networks.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks
Proxyjacking_Scheme_Exploits_Log4j_Bug_to_Profit_From_Victim_IP_Addresses
LOW
+
—
—
- Intel Source:
- Sysdig
- Intel Name:
- Proxyjacking_Scheme_Exploits_Log4j_Bug_to_Profit_From_Victim_IP_Addresses
- Date of Scan:
- 2023-04-05
- Impact:
- LOW
- Summary:
- Researchers from Sysdig have detected a new attack, dubbed proxyjacking, that leveraged the Log4j vulnerability for initial access. The attacker then sold the victim’s IP addresses to proxyware services for profit.
Source:
https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
Chinese_Hacking_Group_RedGolf_Targeting_Windows_and_Linux_Systems
MEDIUM
+
—
—
- Intel Source:
- Mandiant
- Intel Name:
- Chinese_Hacking_Group_RedGolf_Targeting_Windows_and_Linux_Systems
- Date of Scan:
- 2023-04-05
- Impact:
- MEDIUM
- Summary:
- Mandiant researchers have identified a Chinese state-sponsored threat activity group tracked as RedGolf has been attributed to the use of a custom Windows and Linux backdoor called KEYPLUG.
Source:
https://www.mandiant.com/resources/blog/mobileiron-log4shell-exploitation
Disney_Phishing_Scams
LOW
+
—
—
- Intel Source:
- Cyber War Zone
- Intel Name:
- Disney_Phishing_Scams
- Date of Scan:
- 2023-04-05
- Impact:
- LOW
- Summary:
- Researchers from Cyber War Zone have identified the latest Disney-related phishing scams in 2023 and provide tips to protect from falling victim to these scams.
Source:
https://cyberwarzone.com/beware-of-disney-phishing-scams-in-2023/?web_view=true
Arid_Viper_Hacking_Group_Using_Upgraded_Malware
LOW
+
—
—
- Intel Source:
- Symantec
- Intel Name:
- Arid_Viper_Hacking_Group_Using_Upgraded_Malware
- Date of Scan:
- 2023-04-05
- Impact:
- LOW
- Summary:
- Researchers from Symantec have discovered the threat actor known as Arid Viper has been observed using refreshed variants of its malware toolkit in its attacks targeting Palestinian entities since September 2022.
New_Ransomware_Rorschach_Targeting_US_Based_Company
MEDIUM
+
—
—
- Intel Source:
- Checkpoint
- Intel Name:
- New_Ransomware_Rorschach_Targeting_US_Based_Company
- Date of Scan:
- 2023-04-05
- Impact:
- MEDIUM
- Summary:
- Checkpoint researchers have analyzed the Rorschach ransomware and revealed the emergence of a new ransomware strain in the crimeware landscape. Its developers implemented new anti-analysis and defense evasion techniques to avoid detection and make it more difficult for security software and researchers to analyze and mitigate its effects.
Source:
https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/
Analyzing_Rhadamanthys_infostealer
LOW
+
—
—
- Intel Source:
- Checkpoint
- Intel Name:
- Analyzing_Rhadamanthys_infostealer
- Date of Scan:
- 2023-04-04
- Impact:
- LOW
- Summary:
- Checkpoint reserachers provided the highlights of the Dark Web ‘buzz’ surrounding this malware. They shared insights which confirm that by the nature of how the malware is used, large orgs are also being subjected to incidental drive-by attacks that have a theoretical potential to escalate. Rhadamanthys is an advanced infostealer which debuted on the dark web in September of last year to a warm critical reception by cybercriminals.
Source:
https://research.checkpoint.com/2023/rhadamanthys-the-everything-bagel-infostealer/
Vulnerability_in_WordPress_Elementor_Pro_Patched
LOW
+
—
—
- Intel Source:
- Sucuri
- Intel Name:
- Vulnerability_in_WordPress_Elementor_Pro_Patched
- Date of Scan:
- 2023-04-04
- Impact:
- LOW
- Summary:
- Researchers from Sucuri have analyzed the WordPress Elementor Pro vulnerability that allows authenticated users to arbitrarily change wp_options values within the database via the AJAX action of Elementor Pro working in conjunction with WooCommerce.
Source:
https://blog.sucuri.net/2023/03/high-severity-vulnerability-in-wordpress-elementor-pro-patched.html
New_European_APT_Group_Named_FusionCore
LOW
+
—
—
- Intel Source:
- Cyfirma
- Intel Name:
- New_European_APT_Group_Named_FusionCore
- Date of Scan:
- 2023-04-04
- Impact:
- LOW
- Summary:
- Cyfirma researchers have identified a new European threat actor group known as FusionCore that is running Malware-as-a-service, along with the hacker-for-hire operation, they have a wide variety of tools and services that offered on their website, making it a one-stop-shop for threat actors looking to purchase cost-effective yet customizable malware.
Source:
https://www.cyfirma.com/outofband/the-rise-of-fusioncore-an-emerging-cybercrime-group-from-europe/
IRS_Authorized_Tax_Return_Filing_Software_Caught_Serving_JS_Malware
LOW
+
—
—
- Intel Source:
- MalwareHunter, ISC.SANS
- Intel Name:
- IRS_Authorized_Tax_Return_Filing_Software_Caught_Serving_JS_Malware
- Date of Scan:
- 2023-04-04
- Impact:
- LOW
- Summary:
- Researchers from MalwareHunter have observed the malicious JavaScript file that existed on eFile[.]com website for weeks. It is an IRS-authorized e-file software service provider used by many for filing their tax returns and has been caught serving JavaScript malware.
The_distribution_of_Nevada_Ransomware_in_Korea
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- The_distribution_of_Nevada_Ransomware_in_Korea
- Date of Scan:
- 2023-04-04
- Impact:
- LOW
- Summary:
- ASEC have identified new cases of the Nevada ransomware while they did some internal monotoring. Nevada is a malware that adds the “.NEVADA” extension to the files it infects is its defining trait. After encrypting directories, it creates ransom notes with the filename “README.txt” in every directory. These notes contain a Tor browser link for ransom payments.
The_Malware_Sample_Analysis_of_Cl0p_Ransomware
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- The_Malware_Sample_Analysis_of_Cl0p_Ransomware
- Date of Scan:
- 2023-04-04
- Impact:
- LOW
- Summary:
- Cyble researchers have analyzed malware samples as an executable file with a Graphical User Interface (GUI), compiled using Microsoft Visual C/C++.
Source:
https://blog.cyble.com/2023/04/03/cl0p-ransomware-active-threat-plaguing-businesses-worldwide/
New_Cylance_Ransomware_Targeting_Linux_and_Windows
LOW
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- New_Cylance_Ransomware_Targeting_Linux_and_Windows
- Date of Scan:
- 2023-04-03
- Impact:
- LOW
- Summary:
- FortiGate Labs researchers have identified two new ransomware named Dark Power and PayME100USD. Dark Power ransomware launched in early February 2023 and this is a rare ransomware breed in that it was written in the Nim programming language. PayMe100USD ransomware written in Python that was discovered in March 2023 and the malware has basic functionality and performs ordinary ransomware activities.
Source:
https://www.fortinet.com/blog/threat-research/dark-power-and-payme100usd-ransomware?&web_view=true
MalSpam_Delivering_Malicious_ISO
LOW
+
—
—
- Intel Source:
- DFIR Report
- Intel Name:
- MalSpam_Delivering_Malicious_ISO
- Date of Scan:
- 2023-04-03
- Impact:
- LOW
- Summary:
- The DFIR report researchers have observed that IcedID continues to deliver malspam emails to facilitate a compromise, and covers the activity from a campaign in late September of 2022. Post-exploitation activities detail some familiar and some new techniques and tooling, which led to domain-wide ransomware.
Source:
https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/
ICS_compromised_Due_to_Installition_of_Unlicensed_Microsoft_Office
MEDIUM
+
—
—
- Intel Source:
- CERT-UA
- Intel Name:
- ICS_compromised_Due_to_Installition_of_Unlicensed_Microsoft_Office
- Date of Scan:
- 2023-04-03
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have identified unauthorized access to the information and communication system (ICS) of one of the utility companies. It is observed that the primary compromise of the computer took place on 19.01.2023 as a result of the installation of an unlicensed version of the software product Microsoft Office 2019.
New_Variant_of_Xloader_Malware
MEDIUM
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- New_Variant_of_Xloader_Malware
- Date of Scan:
- 2023-04-03
- Impact:
- MEDIUM
- Summary:
- Researchers from PaloAlto have discovered a new ransomware named Cylance Ransomware which is targeting Windows and Linux systems.
Source:
https://twitter.com/Unit42_Intel/status/1641588431221342208
Money_Message_Ransomware_Targeting_Worldwide
LOW
+
—
—
- Intel Source:
- ZScaler
- Intel Name:
- Money_Message_Ransomware_Targeting_Worldwide
- Date of Scan:
- 2023-04-03
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have identified a new ransomware gang named ‘Money Message’ has appeared, targeting victims worldwide and demanding million-dollar ransoms not to leak data and release a decryptor.
Source:
https://twitter.com/Threatlabz/status/1641113991824158720
New_Infostealer_LummaC2_Distributing_Under_the_Mask_of_Illegal_Cracks
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- New_Infostealer_LummaC2_Distributing_Under_the_Mask_of_Illegal_Cracks
- Date of Scan:
- 2023-04-01
- Impact:
- LOW
- Summary:
- ASEC researchers have identified a new Infostealer called LummaC2 that is distributing disguised as illegal programs such as cracks and keygens.
Analyzing_CHM_Malware_Using_EDR
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Analyzing_CHM_Malware_Using_EDR
- Date of Scan:
- 2023-04-01
- Impact:
- LOW
- Summary:
- ASEC researchers have identified an APT attack case that has recently used CHM (Compiled HTML Help File). Threat actors are able to input malicious script codes in HTMLs with the inclusion of CHM and the inserted script is executing through hh.exe which is a default OS application.
New_OpcJacker_Malware_Distributing_via_Fake_VPN_Malvertising
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- New_OpcJacker_Malware_Distributing_via_Fake_VPN_Malvertising
- Date of Scan:
- 2023-04-01
- Impact:
- LOW
- Summary:
- TrendMicro researchers have discovered a new malware, which we named OpcJacker that is distributing in the wild since the second half of 2022. Its main functions include keylogging, taking screenshots, stealing sensitive data from browsers, loading additional modules, and replacing cryptocurrency addresses in the clipboard for hijacking purposes.
The_Deep_Examination_of_Royal_Ransomware
LOW
+
—
—
- Intel Source:
- Quickheal
- Intel Name:
- The_Deep_Examination_of_Royal_Ransomware
- Date of Scan:
- 2023-04-01
- Impact:
- LOW
- Summary:
- QuickHeal researchers have deeply analyzed the Royal Ransomware. It was first observed in mid-2022 and it is a type of ransomware that encrypts all volumes including network shared drives.
Source:
https://blogs.quickheal.com/deep-dive-into-royal-ransomware/
The_Detection_and_Defense_Technique_of_AsyncRAT
LOW
+
—
—
- Intel Source:
- Splunk
- Intel Name:
- The_Detection_and_Defense_Technique_of_AsyncRAT
- Date of Scan:
- 2023-04-01
- Impact:
- LOW
- Summary:
- Splunk researchers have analyzed the AsyncRAT and provided the detection and defense technique. It is a popular malware commodity and tool and threat actors and adversaries use several interesting script loaders and spear phishing attachments to deliver AsyncRAT to targeted hosts or networks in different campaigns.
Source:
https://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html
Emotet_Distributing_via_OneNote
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Emotet_Distributing_via_OneNote
- Date of Scan:
- 2023-04-01
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered the distribution of Emotet being distributed via OneNote. A spear-phishing email as below attached with a OneNote file prompts the reader to open the attachment which contains a malicious script file (JS file).
New_TACTICAL_OCTOPUS_Attack_Campaign_Targeting_US_Entities
MEDIUM
+
—
—
- Intel Source:
- Securonix Threat Labs
- Intel Name:
- New_TACTICAL_OCTOPUS_Attack_Campaign_Targeting_US_Entities
- Date of Scan:
- 2023-03-31
- Impact:
- MEDIUM
- Summary:
- Securonix Threat Labs researchers have observed that threat actors are ramping up tax-related phishing scams to US-based victims to infect systems with stealthy malware.
New_APT_Group_TA473_Exploiting_Zimbra_Vulnerability
MEDIUM
+
—
—
- Intel Source:
- Proofpoint
- Intel Name:
- New_APT_Group_TA473_Exploiting_Zimbra_Vulnerability
- Date of Scan:
- 2023-03-31
- Impact:
- MEDIUM
- Summary:
- Researchers from Proofpoint have observed a newly minted advanced persistent threat actor named TA473, exploiting Zimbra vulnerability CVE-2022-27926 to abuse publicly facing Zimbra hosted webmail portals. The goal of this activity is assessed to be gaining access to the emails of military, government, and diplomatic organizations across Europe involved in the Russia-Ukrainian War.
ASEC_Weekly_Malware_statistics_March_13_19th_2023
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_statistics_March_13_19th_2023
- Date of Scan:
- 2023-03-31
- Impact:
- LOW
- Summary:
- ASEC analysis team used the ASEC automatic analysis system RAPIT to categorize and respond to known malware. Their post covers weekly statistics collected from March 13th, 2023 to March 19th, 2023.
Hackers_Spreading_ShellBot_and_Moobot_Malware_on_Exploitable_Servers
MEDIUM
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- Hackers_Spreading_ShellBot_and_Moobot_Malware_on_Exploitable_Servers
- Date of Scan:
- 2023-03-31
- Impact:
- MEDIUM
- Summary:
- Researchers from FortiGuard Labs have observed several attacking bursts targeting Cacti and Realtek vulnerabilities in January and March of this year and then spreading ShellBot and Moobot malware.
ASEC_Weekly_Phishing_Email_sample_analyses_Mar_4th_to_11th_2023
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Email_sample_analyses_Mar_4th_to_11th_2023
- Date of Scan:
- 2023-03-31
- Impact:
- LOW
- Summary:
- ASEC lab researchers continiusly monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. Their post shares the cases of distribution of phishing emails during the week from March 5th, 2023 to March 11th, 2023 and provide statistical information on each type.
Defensive_Considerations_for_Lazarus_FudModule
LOW
+
—
—
- Intel Source:
- Security Intelligence
- Intel Name:
- Defensive_Considerations_for_Lazarus_FudModule
- Date of Scan:
- 2023-03-31
- Impact:
- LOW
- Summary:
- Security Intelligence analysts posted in their blog a focus on highlighting the capabilities for detection of the FudModule within the Lazarus sample analyzed by X-Force, as well as summary of a strategy of using telemetry stream health as a mode of detecting malware designed to impair defenses through ETW tampering.
The_distribution_of_a_OneNote_malware_by_Kimsuky
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- The_distribution_of_a_OneNote_malware_by_Kimsuky
- Date of Scan:
- 2023-03-30
- Impact:
- LOW
- Summary:
- ASEC has observed the distribution of a OneNote malware mimicking as a form rlinked to compensation. The confirmed file is pretending the same research center as the LNK-type malware mentioned earlier. Based on the identical malicious activity performed by the VBS files, the team came to a conclusion that the same actor the Kimsuky group is behind both incidents.
Supply_Chain_Attack_on_3CX_Desktop_Apps_Threatens_Millions_at_Risk
MEDIUM
+
—
—
- Intel Source:
- Sentinelone
- Intel Name:
- Supply_Chain_Attack_on_3CX_Desktop_Apps_Threatens_Millions_at_Risk
- Date of Scan:
- 2023-03-30
- Impact:
- MEDIUM
- Summary:
- Researchers from SentinelOne have identified the trojanized 3CX desktop app is the first stage in a multi-stage attack chain that pulls ICO files appended with Base64 data from GitHub and ultimately leads to a third-stage info stealer DLL.
ShellBot_Malware_distribution
MEDIUM
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- ShellBot_Malware_distribution
- Date of Scan:
- 2023-03-30
- Impact:
- MEDIUM
- Summary:
- ASEC researchers has recently observed the ShellBot malware being installed on Linux SSH servers. ShellBot, aka PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server. ShellBot is an old malware that has been in steady use and is still being used today to launch attacks against Linux systems.
Source:
https://asec.ahnlab.com/en/49769/comment-page-2/#comments
AlienFox_Toolkit_Stealing_Cloud_Service_Credentials
HIGH
+
—
—
- Intel Source:
- Sentinelone
- Intel Name:
- AlienFox_Toolkit_Stealing_Cloud_Service_Credentials
- Date of Scan:
- 2023-03-30
- Impact:
- HIGH
- Summary:
- SentinelOne researchers have identified a new modular toolkit called AlienFox which allows threat actors to scan for misconfigured servers to steal authentication secrets and credentials for cloud-based email services.
Source:
https://assets.sentinelone.com/sentinellabs22/s1_-sentinellabs_dis#page=1
ChinaZ_DDoS_Bot_malware_distribution
MEDIUM
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- ChinaZ_DDoS_Bot_malware_distribution
- Date of Scan:
- 2023-03-30
- Impact:
- MEDIUM
- Summary:
- ASEC has observed the ChinaZ DDoS Bot malware that installed on Linux SSH servers. The ChinaZ group that was discovered in 2014 installs various DDoS bots on Windows and Linux systems. Major DDoS bots suspected that it was created by the ChinaZ threat group include XorDDoS, AESDDos, BillGates, and MrBlack.
New_Linux_Malware_Linked_With_Chinese_APT_Groups
MEDIUM
+
—
—
- Intel Source:
- Exatrack
- Intel Name:
- New_Linux_Malware_Linked_With_Chinese_APT_Groups
- Date of Scan:
- 2023-03-29
- Impact:
- MEDIUM
- Summary:
- Exatrack researchers have discovered unknown Chinese state-sponsored hacking group has been linked to a novel piece of malware aimed at Linux servers dubbed Mélofée.
A_Deep_Dive_into_APT43
MEDIUM
+
—
—
- Intel Source:
- Mandiant
- Intel Name:
- A_Deep_Dive_into_APT43
- Date of Scan:
- 2023-03-29
- Impact:
- MEDIUM
- Summary:
- Mandiant researchers have assessed with high confidence that APT43 is a moderately-sophisticated cyber operator that supports the interests of the North Korean regime. Campaigns attributed to APT43 include strategic intelligence collection aligned with Pyongyang’s geopolitical interests, credential harvesting, and social engineering to support espionage activities, and financially-motivated cybercrime to fund operations.
Source:
https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report
Kimsuky_Group_Leveraging_Alternate_Data_Stream_to_Hide_Malware
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Kimsuky_Group_Leveraging_Alternate_Data_Stream_to_Hide_Malware
- Date of Scan:
- 2023-03-29
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered that the Kimsuky group is using Alternate Data Stream (ADS) to hide their malware. This malware is an Infostealer that collects data by starting the VBScript included inside an HTML file. It can be characterized by its tendency to add the actual code between numerous dummy codes.
Tofsee_Botnet_Engaging_With_Proxying_and_Mining
LOW
+
—
—
- Intel Source:
- BitSight
- Intel Name:
- Tofsee_Botnet_Engaging_With_Proxying_and_Mining
- Date of Scan:
- 2023-03-29
- Impact:
- LOW
- Summary:
- Researchers from BitSight have observed a 15-year-old modular spambot called Tofsee being distributed by PrivateLoader (ruzki), a notorious malware distribution service.
Source:
https://www.bitsight.com/blog/tofsee-botnet-proxying-and-mining
New_Threats_Delivering_Through_NullMixer_Malware
LOW
+
—
—
- Intel Source:
- Medium
- Intel Name:
- New_Threats_Delivering_Through_NullMixer_Malware
- Date of Scan:
- 2023-03-29
- Impact:
- LOW
- Summary:
- Researchers from Medium have identified that the NullMixer malware operation revealed Italy and France are the favorite European countries from the opportunistic attackers’ perspective. They obtained information and data regarding an ongoing malware operation hitting more than 8.000 targets within a few weeks, with a particular emphasis on North American, Italian, and French targets.
Source:
https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1
Hackers_From_Biter_Group_Targeting_Chinese_Nuclear_Energy_Industry
LOW
+
—
—
- Intel Source:
- Intezer
- Intel Name:
- Hackers_From_Biter_Group_Targeting_Chinese_Nuclear_Energy_Industry
- Date of Scan:
- 2023-03-29
- Impact:
- LOW
- Summary:
- Researchers from Intezer have observed a cyberespionage hacking group tracked as ‘Bitter APT’ is recently seen targeting the Chinese nuclear energy industry using phishing emails to infect devices with malware downloaders.
Source:
https://www.intezer.com/blog/research/phishing-campaign-targets-nuclear-energy-industry/
A_new_Malware_as_a_Service_platform_Cinoshi
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- A_new_Malware_as_a_Service_platform_Cinoshi
- Date of Scan:
- 2023-03-28
- Impact:
- LOW
- Summary:
- Cyble Researchers discovered a new Malware-as-a-Service (MaaS) platform “Cinoshi”. Cinoshi’s storehouse has of a stealer, botnet, clipper, and cryptominer. And now this MaaS platform is offering stealer and web panel for free, and such free services are rarely seen. The accesibility of this free malware services indicates that attackers no longer need technical expertise or resources to launch cyber-attacks.
Source:
https://blog.cyble.com/2023/03/23/cinoshi-project-and-the-dark-side-of-free-maas/
BlackGuard_stealer_new_variant
LOW
+
—
—
- Intel Source:
- AT&T
- Intel Name:
- BlackGuard_stealer_new_variant
- Date of Scan:
- 2023-03-28
- Impact:
- LOW
- Summary:
- AT&T Alien Labs researchers have observed a new variant of BlackGuard stealer in the wild, infecting using spear phishing attacks. BlackGuard steals user sensitive information from a wide range of applications and browsers, can hijack crypto wallets copied to clipboard and also try to propagate through removable media and shared devices.
DBatLoader_Targeting_European_Businesses_via_Phishing_Email
LOW
+
—
—
- Intel Source:
- ZScaler
- Intel Name:
- DBatLoader_Targeting_European_Businesses_via_Phishing_Email
- Date of Scan:
- 2023-03-28
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have identified a new campaign involving DBatLoader also known as ModiLoader that specifically targets manufacturing companies and various businesses in European countries via phishing emails.
The_Investigation_of_CVE_2023_23397
HIGH
+
—
—
- Intel Source:
- Microsoft
- Intel Name:
- The_Investigation_of_CVE_2023_23397
- Date of Scan:
- 2023-03-28
- Impact:
- HIGH
- Summary:
- Microsoft researchers have provided guidance on where organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397. A successful exploit of this vulnerability can result in unauthorized access to an organization’s environment by triggering a Net-NTLMv2 hash leak.
Earth_Preta_Cyberespionage_Campaign_Hits_Over_200
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- Earth_Preta_Cyberespionage_Campaign_Hits_Over_200
- Date of Scan:
- 2023-03-28
- Impact:
- LOW
- Summary:
- TrendMicro researchers have analyzed the active campaign delved into the structure, goals, and requirements of the organizations involved, and provided an opportunity to conduct wider intelligence analysis and insights in the development of effective countermeasures.
The_Hunter_obfuscator_used_by_Magecart_skimmer
LOW
+
—
—
- Intel Source:
- Malwarebytes
- Intel Name:
- The_Hunter_obfuscator_used_by_Magecart_skimmer
- Date of Scan:
- 2023-03-28
- Impact:
- LOW
- Summary:
- Malwarebytes reserachers discovered and analyzed a Magecart skimmer that uses Hunter, a PHP Javascript obfuscator. During their investigation, they observed a number of domains all part of the same infrastructure with custom skimmers for several Magento stores.
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/03/hunter-skimmer
MacOS_Malware_Targeting_Data_Assets
LOW
+
—
—
- Intel Source:
- Sentinelone
- Intel Name:
- MacOS_Malware_Targeting_Data_Assets
- Date of Scan:
- 2023-03-27
- Impact:
- LOW
- Summary:
- SentinelOne researchers have observed that the data assets targeted by macOS malware in some of the most recent in-the-wild incidents in order to help defenders better protect the enterprise and hunt for signs of compromise.
New_Era_of_IcedID
MEDIUM
+
—
—
- Intel Source:
- Proofpoint
- Intel Name:
- New_Era_of_IcedID
- Date of Scan:
- 2023-03-27
- Impact:
- MEDIUM
- Summary:
- Proofpoint researchers have observed three new distinct variants of the malware known as IcedID. Proofpoint called these ew variants as “Forked” and “Lite” IcedID , Standard IcedID Variant. IcedID is a malware originally classified as a banking malware and was first observed in 2017. It also performs as a loader for other malware, including ransomware. There are several key differences between initial and new ones. One key difference is the removal of banking functionality such as web injects and backconnect. Proofpoint researchers suspect the original operators behind Emotet are using an IcedID variant with different functionality.
New_macOS_based_Stealer_MacStealer_Malware
LOW
+
—
—
- Intel Source:
- Uptycs
- Intel Name:
- New_macOS_based_Stealer_MacStealer_Malware
- Date of Scan:
- 2023-03-27
- Impact:
- LOW
- Summary:
- The Uptycs threat research team has observed aother macOS stealer “MacStealer”. The threat actor who is distributing MacStealer was discovered by the Uptycs threat intelligence team during their dark web hunting. The stealer can extract documents, cookies from a victim’s browser, and login information. It affects Catalina and subsequent macOS versions riding on Intel M1 and M2 CPUs.
Source:
https://www.uptycs.com/blog/macstealer-command-and-control-c2-malware
A_new_ransomware_named_Dark_Power
MEDIUM
+
—
—
- Intel Source:
- Trellix
- Intel Name:
- A_new_ransomware_named_Dark_Power
- Date of Scan:
- 2023-03-27
- Impact:
- MEDIUM
- Summary:
- Researchers from Trellix have identified a new ransomware operation named ‘Dark Power’ that has appeared, and it has already listed its first victims on a dark web data leak site, threatening to publish the data if a ransom is not paid.
Source:
https://www.trellix.com/en-us/about/newsroom/stories/research/shining-light-on-dark-power.html
MDS_Evasion_Feature_of_Anti_Sandboxes_That_Use_Pop_up_Windows
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- MDS_Evasion_Feature_of_Anti_Sandboxes_That_Use_Pop_up_Windows
- Date of Scan:
- 2023-03-25
- Impact:
- LOW
- Summary:
- ASEC researchers have monitored various anti-sandbox tactics to evade sandboxes. The persistent anti-sandbox technique exploits the button form of the malicious IcedID Word files and the evasion feature of AhnLab’s MDS which is meant for detecting malicious behavior.
Microsoft_Office_Outlook_Privilege_Escalation_Vulnerability
HIGH
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Microsoft_Office_Outlook_Privilege_Escalation_Vulnerability
- Date of Scan:
- 2023-03-25
- Impact:
- HIGH
- Summary:
- Researchers from ASEC have analyzed the Microsoft vulnerability in Outlook for Windows that is being exploited to steal NTLM credentials.
Chinese_Hackers_Targeting_Middle_East_Telecom_Providers
LOW
+
—
—
- Intel Source:
- Sentinelone
- Intel Name:
- Chinese_Hackers_Targeting_Middle_East_Telecom_Providers
- Date of Scan:
- 2023-03-25
- Impact:
- LOW
- Summary:
- SentinelLabs researchers have observed the use of a well-maintained, versioned credential theft capability and a new dropper mechanism indicative of an ongoing development effort by a highly-motivated threat actor with specific tasking requirements.
Source:
https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/
Exploring_New_Public_Cloud_File_Borne_Phishing_Attack
LOW
+
—
—
- Intel Source:
- Inquest
- Intel Name:
- Exploring_New_Public_Cloud_File_Borne_Phishing_Attack
- Date of Scan:
- 2023-03-25
- Impact:
- LOW
- Summary:
- Researchers from InQuest Labs have analyzed a credential phishing attack discovered by a municipal government organization. The email arrived from a compromised sender account address. The sender organization in the observed samples is the municipality’s county health agency.
Earth_Preta_Changing_its_TTPs_to_Bypass_Security_Solutions
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- Earth_Preta_Changing_its_TTPs_to_Bypass_Security_Solutions
- Date of Scan:
- 2023-03-25
- Impact:
- LOW
- Summary:
- TrendMicro researchers have discovered Earth Preta delivering lure archives via spear-phishing emails and Google Drive links. After months of investigation, they identified that several undisclosed malware and interesting tools used for exfiltration purposes were used in this campaign.
Source:
https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html
New_Kritec_Magecart_Skimmer_Targeting_Magento_Stores
LOW
+
—
—
- Intel Source:
- Malwarebytes
- Intel Name:
- New_Kritec_Magecart_Skimmer_Targeting_Magento_Stores
- Date of Scan:
- 2023-03-24
- Impact:
- LOW
- Summary:
- Malwarebytes researchers have identified instances of compromised stores having both skimmers loaded, which means double trouble for victims as their credit card information is stolen not just once but twice.
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/03/new-kritec-skimmer
Diving_Deep_into_UNC961
LOW
+
—
—
- Intel Source:
- Mandiant
- Intel Name:
- Diving_Deep_into_UNC961
- Date of Scan:
- 2023-03-24
- Impact:
- LOW
- Summary:
- Researchers from Mandiant have analyzed the details and timeline of each intrusion conducted by UNC961, along with detection opportunities and examples of how Managed Defense’s proactive threat hunting, investigation, and response routinely limits the impact on our customers’ business and prevents their reality from being desecrated.
Source:
https://www.mandiant.com/resources/blog/unc961-multiverse-financially-motivated
AresLoader_Linked_With_Russian_APT_Group
LOW
+
—
—
- Intel Source:
- Intel471
- Intel Name:
- AresLoader_Linked_With_Russian_APT_Group
- Date of Scan:
- 2023-03-24
- Impact:
- LOW
- Summary:
- Intel471 researchers have observed a new loader malware-as-a-service (MaaS) named AresLoader offered by threat actors with links to Russian hacktivism that is spotted recently in the wild.
Source:
https://intel471.com/blog/new-loader-on-the-bloc-aresloader
A_Detailed_Examination_of_LockBit_From_CISA_and_MS_ISAC
MEDIUM
+
—
—
- Intel Source:
- CISA
- Intel Name:
- A_Detailed_Examination_of_LockBit_From_CISA_and_MS_ISAC
- Date of Scan:
- 2023-03-23
- Impact:
- MEDIUM
- Summary:
- Researchers from CISA and MS-ISAC have warned against the LockBit ransomware. This may involve developing a comprehensive restoration plan, employing robust passwords for all accounts, integrating anti-phishing measures, updating software and system versions, and segregating network components, among others.
Source:
https://www.cisa.gov/sites/default/files/2023-03/aa23-075a-stop-ransomware-lockbit.pdf
The_Analysis_of_Hidden_Threats
LOW
+
—
—
- Intel Source:
- Unit42
- Intel Name:
- The_Analysis_of_Hidden_Threats
- Date of Scan:
- 2023-03-23
- Impact:
- LOW
- Summary:
- Researchers from PaloAlto have discussed two important ways they have been able to tailor the analysis environment. Threats are continually evolving, and architecting analysis systems as more of a flexible, nicely abstracted software development kit instead of a stand-alone monolithic application is crucial.
Source:
https://unit42.paloaltonetworks.com/tailoring-sandbox-techniques/
The_New_Ransomware_Named_ALC_Ransomware
LOW
+
—
—
- Intel Source:
- Cyfirma
- Intel Name:
- The_New_Ransomware_Named_ALC_Ransomware
- Date of Scan:
- 2023-03-23
- Impact:
- LOW
- Summary:
- CYFIRMA researchers have identified a new strain of malware, named ALC Ransomware, which masquerades as ransomware but is scareware. This malware does not encrypt files on the victim’s machine, but instead disables the task manager, locks the screen, and displays a ransom note.
Source:
https://www.cyfirma.com/outofband/alc-scareware-pretends-to-be-a-ransomware/
Emotet_Malware_Spreading_via_OneNote_Attachments_to_Deliver_Payloads
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Emotet_Malware_Spreading_via_OneNote_Attachments_to_Deliver_Payloads
- Date of Scan:
- 2023-03-23
- Impact:
- LOW
- Summary:
- Cyble researchers have closely monitored the Emotet campaign and identified that is again spreading malicious emails and infecting devices globally by rebuilding its network.
Source:
https://blog.cyble.com/2023/03/17/recent-emotet-spam-campaign-utilizing-new-tactics/
An_Emerging_Ransomware_Strain_Named_Trigona_Ransomware
LOW
+
—
—
- Intel Source:
- Unit 42
- Intel Name:
- An_Emerging_Ransomware_Strain_Named_Trigona_Ransomware
- Date of Scan:
- 2023-03-23
- Impact:
- LOW
- Summary:
- PaloAlto researchers have identified two new Trigona ransom notes in January 2023 and two in February 2023. Trigona’s ransom notes are unique; rather than the usual text file, they are instead presented in an HTML Application with embedded JavaScript containing unique computer IDs (CID) and victim IDs (VID).
Source:
https://unit42.paloaltonetworks.com/trigona-ransomware-update/
SideCopy_APT_group_targets_India_goverment_organization
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- SideCopy_APT_group_targets_India_goverment_organization
- Date of Scan:
- 2023-03-23
- Impact:
- LOW
- Summary:
- Recently, Cyble researchers discovered a Twitter post of an ongoing campaign by SideCopy APT against the “Defence Research and Development Organisation” of the Indian government. DRDO is a government agency tasked with researching and developing advanced technologies for use by the Indian Armed Forces.
Source:
https://blog.cyble.com/2023/03/21/notorious-sidecopy-apt-group-sets-sights-on-indias-drdo/
Microsoft_OneNote_Attachments_used_by_QakBot_eCrime_Campaign
LOW
+
—
—
- Intel Source:
- CrowdStrike
- Intel Name:
- Microsoft_OneNote_Attachments_used_by_QakBot_eCrime_Campaign
- Date of Scan:
- 2023-03-22
- Impact:
- LOW
- Summary:
- https://www.crowdstrike.com/blog/qakbot-ecrime-campaign-leverages-microsoft-onenote-for-distribution/
The_Examination_of_the_Attack_Vectors_of_APT37
LOW
+
—
—
- Intel Source:
- ZScaler
- Intel Name:
- The_Examination_of_the_Attack_Vectors_of_APT37
- Date of Scan:
- 2023-03-22
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have analyzed the APT37 and found it is a threat actor heavily focused on targeting entities in South Korea. It is constantly updating its tactics, techniques, and procedures as is evident from the multiple file types used in the initial stages by it. The themes used by this threat actor range from geopolitics, current events, and education to finance and insurance.
Source:
https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
Observed_Exploitation_of_Adobe_ColdFusion
LOW
+
—
—
- Intel Source:
- Rapid7
- Intel Name:
- Observed_Exploitation_of_Adobe_ColdFusion
- Date of Scan:
- 2023-03-22
- Impact:
- LOW
- Summary:
- Rapid7’s Threat Intell team has observed active exploitation of Adobe ColdFusion in multiple customer environments.
Source:
https://www.rapid7.com/blog/post/2023/03/21/etr-rapid7-observed-exploitation-of-adobe-coldfusion/
New_ShellBot_DDoS_Malware_Targeting_Poorly_Managed_Linux_Servers
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- New_ShellBot_DDoS_Malware_Targeting_Poorly_Managed_Linux_Servers
- Date of Scan:
- 2023-03-22
- Impact:
- LOW
- Summary:
- ASEC researchers have observed that poorly managed Linux SSH servers are being targeted as part of a new campaign that deploys different variants of malware called ShellBot. ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server.
Hackers_targeting_DotNET_Developers_With_Malicious_NuGet_Packages
LOW
+
—
—
- Intel Source:
- JFrog
- Intel Name:
- Hackers_targeting_DotNET_Developers_With_Malicious_NuGet_Packages
- Date of Scan:
- 2023-03-21
- Impact:
- LOW
- Summary:
- Researchers from JFrog have identified that threat actors are targeting and infecting .NET developers with cryptocurrency stealers delivered through the NuGet repository and impersonating multiple legitimate packages via typosquatting.
The_Analysis_of_FudModule_within_the_Lazarus
LOW
+
—
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- The_Analysis_of_FudModule_within_the_Lazarus
- Date of Scan:
- 2023-03-21
- Impact:
- LOW
- Summary:
- Researchers from IBM Security Intelligence have analyzed the FudModule within the Lazarus sample, as well as highlighted a strategy of using telemetry stream health as a mode of detecting malware designed to impair defenses through ETW tampering.
Source:
https://securityintelligence.com/posts/defensive-considerations-lazarus-fudmodule/
A_New_APT_Discovered_in_the_Area_of_Russo_Ukrainian_Conflict
LOW
+
—
—
- Intel Source:
- Securelist
- Intel Name:
- A_New_APT_Discovered_in_the_Area_of_Russo_Ukrainian_Conflict
- Date of Scan:
- 2023-03-21
- Impact:
- LOW
- Summary:
- Securelist researchers have identified a new APT group but yet not found any direct links between the samples and data used in this campaign and any previously known actors. However, the campaign is still active, and the investigation continues.
Chinese_Hackers_Suspected_of_Launching_Fortinet_Zero_day_Attacks
MEDIUM
+
—
—
- Intel Source:
- Mandiant
- Intel Name:
- Chinese_Hackers_Suspected_of_Launching_Fortinet_Zero_day_Attacks
- Date of Scan:
- 2023-03-20
- Impact:
- MEDIUM
- Summary:
- Mandiant researchers have discovered that a suspected Chinese hacking group has been linked to a series of attacks on government organizations exploiting a Fortinet zero-day vulnerability (CVE-2022-41328) to deploy malware.
Source:
https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem
Hackers_From_China_and_Russia_using_SILKLOADER_Malware_to_Avoid_Detection
LOW
+
—
—
- Intel Source:
- WithSecure
- Intel Name:
- Hackers_From_China_and_Russia_using_SILKLOADER_Malware_to_Avoid_Detection
- Date of Scan:
- 2023-03-20
- Impact:
- LOW
- Summary:
- Researchers from WithSecure Labs have investigated and found an interesting Cobalt Strike beacon loader that leverages DLL side-loading, which they are tracking as SILKLOADER. By taking a closer look at the loader, it is identified several activity clusters leveraging this loader within the Russian as well as Chinese cybercriminal ecosystems.
Source:
https://labs.withsecure.com/content/dam/labs/docs/withsecure-silkloader.pdf
In_depth_Analysis_of_DotRunpeX_Injector
LOW
+
—
—
- Intel Source:
- Checkpoint
- Intel Name:
- In_depth_Analysis_of_DotRunpeX_Injector
- Date of Scan:
- 2023-03-20
- Impact:
- LOW
- Summary:
- Researchers from Checkpoint have analyzed the dotRunpeX injector and its relation to the older version and the Investigation shows that dotRunpeX is used in the wild to deliver numerous known malware families.
Diving_Deep_into_Go_Based_Threat
LOW
+
—
—
- Intel Source:
- Akamai
- Intel Name:
- Diving_Deep_into_Go_Based_Threat
- Date of Scan:
- 2023-03-20
- Impact:
- LOW
- Summary:
- Researchers from Akamai have discovered a new botnet named HinataBot at the start of the year, they caught it on their HTTP and SSH honeypots and saw exploiting old flaws such as CVE-2014-8361 and CVE-2017-17215.
Source:
https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet
A_New_InfoStealer_Named_HookSpoofer
LOW
+
—
—
- Intel Source:
- Uptycs
- Intel Name:
- A_New_InfoStealer_Named_HookSpoofer
- Date of Scan:
- 2023-03-20
- Impact:
- LOW
- Summary:
- Uptycs researchers have discovered a new Infostealer with keylogging and clipper capabilities named HookSpoofer spreading by multiple bundlers. A bundler is a collection of two or more files combined together in a single package.
Source:
https://www.uptycs.com/blog/threat-research-hookspoofer
BIanLian_Ransomware_Gang_Turns_to_Data_Extortion
LOW
+
—
—
- Intel Source:
- Redacted
- Intel Name:
- BIanLian_Ransomware_Gang_Turns_to_Data_Extortion
- Date of Scan:
- 2023-03-20
- Impact:
- LOW
- Summary:
- Redacted researchers have identified the BianLian ransomware group has shifted its focus from encrypting its victims’ files to only exfiltrating data found on compromised networks and using them for extortion.
Source:
https://redacted.com/blog/bianlian-ransomware-gang-continues-to-evolve/
ChatGPT_Rising_Activities_in_Cybercrime_World
MEDIUM
+
—
—
- Intel Source:
- G Data Blog
- Intel Name:
- ChatGPT_Rising_Activities_in_Cybercrime_World
- Date of Scan:
- 2023-03-18
- Impact:
- MEDIUM
- Summary:
- Researchers from G DATA have observed that cyberthreat actors capitalize on prominent social events’ latest technology buzzwords to launch their attacks. And the curtain raiser for 2023 that made the headlines was the clamor and viral use of a very human-sounding, artificial technology chatbot named, ChatGPT.
Source:
https://www.gdatasoftware.com/blog/2023/03/37716-chatgpt-evil-twin
APT_C_36_Linked_With_Campaigns
LOW
+
—
—
- Intel Source:
- Lab52
- Intel Name:
- APT_C_36_Linked_With_Campaigns
- Date of Scan:
- 2023-03-18
- Impact:
- LOW
- Summary:
- Researchers from Lab52 have observed the APT-C-36 group has many similarities in terms of tactics, techniques, and procedures (TTPs) with the group Hagga / Aggah.
Source:
https://lab52.io/blog/apt-c-36-from-njrat-to-apt-c-36/
The_Investigation_of_Winter_Vivern_APT_Activity
LOW
+
—
—
- Intel Source:
- Sentinelone
- Intel Name:
- The_Investigation_of_Winter_Vivern_APT_Activity
- Date of Scan:
- 2023-03-18
- Impact:
- LOW
- Summary:
- SentinelOne researchers have analyzed Winter Vivern Advanced Persistent Threat (APT) activity, leveraging observations made by The Polish CBZC and Ukraine CERT and uncovered a previously unknown set of espionage campaigns and targeting activities conducted by this threat actor.
Source:
https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/
The_Popularity_of_ProxyNotShell_Continues_to_Grow
LOW
+
—
—
- Intel Source:
- Sophos
- Intel Name:
- The_Popularity_of_ProxyNotShell_Continues_to_Grow
- Date of Scan:
- 2023-03-18
- Impact:
- LOW
- Summary:
- Researchers from Sophos have observed that ProxyNotShell vulnerability continues to make waves as November 2022 fixes fail to contain the SSRF tactic.
Source:
https://news.sophos.com/en-us/2023/03/15/observing-owassrf-exchange-exploitation-still/
Hackers_From_YoroTrooper_Group_Targeting_CIS_Energy_Orgs_and_EU_Embassies
MEDIUM
+
—
—
- Intel Source:
- Talos
- Intel Name:
- Hackers_From_YoroTrooper_Group_Targeting_CIS_Energy_Orgs_and_EU_Embassies
- Date of Scan:
- 2023-03-17
- Impact:
- MEDIUM
- Summary:
- Cisco Talos researchers have identified a new threat actor named ‘YoroTrooper’ has been running cyber-espionage campaigns since at least June 2022, targeting government and energy organizations in Commonwealth of Independent States (CIS) countries.
Source:
https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/
Mallox_Ransomware_Distributing_in_Korea
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Mallox_Ransomware_Distributing_in_Korea
- Date of Scan:
- 2023-03-16
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the distribution of the Mallox ransomware which targets vulnerable MS-SQL servers.
Telerik_Vulnerability_in_US_Government_IIS_Server
MEDIUM
+
—
—
- Intel Source:
- CISA
- Intel Name:
- Telerik_Vulnerability_in_US_Government_IIS_Server
- Date of Scan:
- 2023-03-16
- Impact:
- MEDIUM
- Summary:
- The CISA, FBI, and MS-ISAC released a joint Cybersecurity Advisory. This joint CSA provides IT infrastructure defenders with TTPs, IOCs, and detection, protection methods against similar, successful CVE-2019-18935 exploitation.
Hackers_Exploiting_SVB_Collapse_Scenario
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Hackers_Exploiting_SVB_Collapse_Scenario
- Date of Scan:
- 2023-03-16
- Impact:
- LOW
- Summary:
- Cyble researchers have identified several suspicious websites that have emerged in the wake of the Silicon Valley Bank (SVB) collapse.
Source:
https://blog.cyble.com/2023/03/14/svb-collapse-triggers-heightened-cybersecurity-concerns/
Russian_Threat_Group_NOBELIUM_Targeting_Western_Countries
MEDIUM
+
—
—
- Intel Source:
- Blackberry
- Intel Name:
- Russian_Threat_Group_NOBELIUM_Targeting_Western_Countries
- Date of Scan:
- 2023-03-16
- Impact:
- MEDIUM
- Summary:
- Researchers from Blackberry have observed a new campaign targeting European Union countries, specifically, its diplomatic entities and systems transmitting sensitive information about the region’s politics, aiding Ukrainian citizens fleeing the country, and providing help to the government of Ukraine.
Source:
https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine
Microsoft_SmartScreen_Bypassed_by_Magniber_Ransomware_Actors
LOW
+
—
—
- Intel Source:
- Google Blog
- Intel Name:
- Microsoft_SmartScreen_Bypassed_by_Magniber_Ransomware_Actors
- Date of Scan:
- 2023-03-16
- Impact:
- LOW
- Summary:
- Researchers from Google threat analysis group have discovered the usage of an unpatched security bypass in Microsoft’s SmartScreen security feature, which financially motivated actors are using to deliver the Magniber ransomware without any security warnings. The attackers are delivering MSI files signed with an invalid but specially crafted Authenticode signature.
Large_Scale_Phishing_Campaigns_are_Powered_by_DEV_1101_AiTM_Phishing_Kit
MEDIUM
+
—
—
- Intel Source:
- Microsoft
- Intel Name:
- Large_Scale_Phishing_Campaigns_are_Powered_by_DEV_1101_AiTM_Phishing_Kit
- Date of Scan:
- 2023-03-16
- Impact:
- MEDIUM
- Summary:
- Researchers from Microsoft have identified an open-source adversary-in-the-middle (AiTM) phishing kit that has found a number of takers in the cybercrime world for its ability to orchestrate attacks at scale. It is tracking the threat actor behind the development of the kit under its emerging moniker DEV-1101.
The_Examination_of_FG_IR_22_369
HIGH
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Examination_of_FG_IR_22_369
- Date of Scan:
- 2023-03-16
- Impact:
- HIGH
- Summary:
- FortiGate researchers have identified that government entities and large organizations are targeted by an unknown threat actor by exploiting a security flaw in Fortinet FortiOS software to result in data loss and OS and file corruption.
Source:
https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis
APT_Group_Tick_Targeting_Data_Loss_Prevention_Company
MEDIUM
+
—
—
- Intel Source:
- Welivesecurity
- Intel Name:
- APT_Group_Tick_Targeting_Data_Loss_Prevention_Company
- Date of Scan:
- 2023-03-16
- Impact:
- MEDIUM
- Summary:
- ESET researchers have discovered a campaign by APT group Tick. The attackers compromising the DLP company’s internal update servers to deliver malware inside the software developer’s network, and trojanizing installers of legitimate tools using by the company, which eventually result in the execution of malware on the computers of the company’s customers.
A_Look_at_Dark_Side_of_Email_Traffic
LOW
+
—
—
- Intel Source:
- Juniper
- Intel Name:
- A_Look_at_Dark_Side_of_Email_Traffic
- Date of Scan:
- 2023-03-16
- Impact:
- LOW
- Summary:
- Researchers from Juniper have analyzed the dark side of email traffic, uncovering some of the latest malware threats, tactics, and trends that can potentially undermine the systems.
Source:
https://blogs.juniper.net/en-us/threat-research/uncovering-the-dark-side-of-email-traffic
Diving_Deep_into_CatB_Ransomware
LOW
+
—
—
- Intel Source:
- Sentinelone
- Intel Name:
- Diving_Deep_into_CatB_Ransomware
- Date of Scan:
- 2023-03-16
- Impact:
- LOW
- Summary:
- SentinelOne researchers have analyzed the CatB ransomware and its abuse of the legitimate MSDTC service, describing its evasion tactics, encryption behavior, and its attempts to steal credentials and browser data.
Source:
https://www.sentinelone.com/blog/decrypting-catb-ransomware-analyzing-their-latest-attack-methods/
The_MedusaLocker_Ransomware_is_Revealed
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- The_MedusaLocker_Ransomware_is_Revealed
- Date of Scan:
- 2023-03-16
- Impact:
- LOW
- Summary:
- Researchers from Cyble have unmasked the MedusaLocker ransomware. It’s known to target Hospital and Healthcare industries, but additionally, the gang also targets industries such as Education and Government organizations.
Source:
https://blog.cyble.com/2023/03/15/unmasking-medusalocker-ransomware/
A_CHM_malware_by_the_Kimsuky_group
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- A_CHM_malware_by_the_Kimsuky_group
- Date of Scan:
- 2023-03-15
- Impact:
- LOW
- Summary:
- ASEC has discovered a new CHM malware created by the Kimsuky group. This malware type is the same that the reserqachers mnetioned earlier in their posts on the malware distributed by the Kimsuky group, its goal being the exfiltration of user information.
Increasingly_Abusing_of_DigitalOcean_by_attackers
LOW
+
—
—
- Intel Source:
- Netscope
- Intel Name:
- Increasingly_Abusing_of_DigitalOcean_by_attackers
- Date of Scan:
- 2023-03-15
- Impact:
- LOW
- Summary:
- Netskope Threat Labs observed increased traffic in malicious web pages hosted on DigitalOcean in the last couple months. This new campaigns scam mimics Windows Defender and tries to deceive users into believing that their computer is infected. The purpose of this scam is to involve victims into a scam “help line”. The attackers try to involve the remotely access of the victim’s computer to either install malware or request payment to infect the victims.
Source:
https://www.netskope.com/blog/attackers-increasingly-abusing-digitalocean-to-host-scams-and-phishing
North_Korea_s_UNC2970_TTPs_Part_1_and_2
MEDIUM
+
—
—
- Intel Source:
- Mandiant
- Intel Name:
- North_Korea_s_UNC2970_TTPs_Part_1_and_2
- Date of Scan:
- 2023-03-15
- Impact:
- MEDIUM
- Summary:
- During our investigation, Mandiant researchers discovered most of the original compromised hosts, targeted by UNC2970. Mandiant Managed Defense discovered as well that this group is targeting a U.S.-based technology company
Source:
https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970
https://www.mandiant.com/resources/blog/lightshift-and-lightshow
Emotet_resumes_sending_malicious_emails
LOW
+
—
—
- Intel Source:
- Cofense
- Intel Name:
- Emotet_resumes_sending_malicious_emails
- Date of Scan:
- 2023-03-14
- Impact:
- LOW
- Summary:
- Researchers from Confense have discovered that after several months of inactivity, the Emotet botnet resumed email activity this morning at 8:00am EST. The malicious emails seem to be replying to already existing email chains, with the addition of an attached .zip file. The .zip files are not password protected. The themes of the attached files include finances and invoices.
Source:
https://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/
The_new_ATM_Malware_FiXS
LOW
+
—
—
- Intel Source:
- MetaBase Q
- Intel Name:
- The_new_ATM_Malware_FiXS
- Date of Scan:
- 2023-03-14
- Impact:
- LOW
- Summary:
- FiXs is a new ATM malware that steals data from ATMs and infects computers. Metabase Q has been tracking and monitoring the rise of ATM malware that takes advantage of physical and digital components of the ATM.
New_capabilities_of_Prometei_botnet
MEDIUM
+
—
—
- Intel Source:
- Talos
- Intel Name:
- New_capabilities_of_Prometei_botnet
- Date of Scan:
- 2023-03-14
- Impact:
- MEDIUM
- Summary:
- Researchers from Talos have observed Prometei with the updated infrastructure components and capabilities. The botnet operators updated certain submodules of the execution chain to automate processes and challenge forensic analysis methods. The threat actors are trying actively spreading improved Linux versions of the Prometei bot, v3. Also researchers have observed a new functionality, which includes an additional C2 domain generating algorithm (DGA), a self-updating mechanism, and a bundled version of the Apache Webserver with a web shell. This bot is possible influenced by the war in Ukraine.
Source:
https://blog.talosintelligence.com/prometei-botnet-improves/
Chinese_Hacker_Running_Malware_on_Unpatched_SMA
LOW
+
—
—
- Intel Source:
- Mandiant
- Intel Name:
- Chinese_Hacker_Running_Malware_on_Unpatched_SMA
- Date of Scan:
- 2023-03-13
- Impact:
- LOW
- Summary:
- Mandiant researchers have identified a suspected Chinese campaign that involves maintaining long-term persistence by running malware on an unpatched SonicWall Secure Mobile Access (SMA) appliance. The malware has the functionality to steal user credentials, provide shell access, and persist through firmware upgrades. Currently tracks this actor as UNC4540.
Source:
https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall
AsynRAT_Trojan_Distributing_via_Bill_Payment_Email
LOW
+
—
—
- Intel Source:
- ISC.SANS
- Intel Name:
- AsynRAT_Trojan_Distributing_via_Bill_Payment_Email
- Date of Scan:
- 2023-03-13
- Impact:
- LOW
- Summary:
- Researchers from SANS have observed the mail server quarantined this file FautraPago392023.gz. After executing (gunzip) the file, there was no .exe extension associated with this file. The source and destination addresses are both blank without an actual email address.
Source:
https://isc.sans.edu/diary/AsynRAT+Trojan+Bill+Payment+Pago+de+la+factura/29626/
Overview_of_a_Mirai_Payload_Generator
LOW
+
—
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Overview_of_a_Mirai_Payload_Generator
- Date of Scan:
- 2023-03-13
- Impact:
- LOW
- Summary:
- Researchers from SANS have observed that still honeypot is hit by hundreds of Mirai requests every day. Upon analysis, they found a Python script that generates a Mirai payload and deploys networking services to serve it via FTP, HTTP, and TFTP.
Source:
https://isc.sans.edu/diary/Overview+of+a+Mirai+Payload+Generator/29624/
New_GoBruteforcer_Malware_Targeting_phpMyAdmin_MySQL_FTP_and_Postgres
MEDIUM
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- New_GoBruteforcer_Malware_Targeting_phpMyAdmin_MySQL_FTP_and_Postgres
- Date of Scan:
- 2023-03-13
- Impact:
- MEDIUM
- Summary:
- PaloAlto researchers have identified a newly discovered Golang-based botnet malware scan for and infect web servers running phpMyAdmin, MySQL, FTP, and Postgres services.
Source:
https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/?web_view=true
Netcat_Malware_Targeting_MS_SQL_Servers
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Netcat_Malware_Targeting_MS_SQL_Servers
- Date of Scan:
- 2023-03-13
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered the distribution of the Netcat malware targeting poorly managed MS-SQL servers. Netcat is a utility that allows users to send and receive data from specific destinations on a network connected by the TCP/UDP protocol.
BATLOADER_Malware_Leveraging_Google_Ads
MEDIUM
+
—
—
- Intel Source:
- Esentire
- Intel Name:
- BATLOADER_Malware_Leveraging_Google_Ads
- Date of Scan:
- 2023-03-13
- Impact:
- MEDIUM
- Summary:
- Esentire researchers have discovered the malware downloader known as BATLOADER that is abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif. The malicious ads are used to spoof a wide range of legitimate apps and services such as Adobe, OpenAPI’s ChatGPT, Spotify, Tableau, and Zoom.
New_Phishing_Scam_Using_Fake_SBA_Grants
LOW
+
—
—
- Intel Source:
- Cofense
- Intel Name:
- New_Phishing_Scam_Using_Fake_SBA_Grants
- Date of Scan:
- 2023-03-13
- Impact:
- LOW
- Summary:
- Researchers from Cofense have observed that a phishing campaign attempting to impersonate the US Small Business Administration (SBA), offering these grants in the hopes someone unfortunate will provide their credentials.
Source:
https://cofense.com/blog/fake-small-business-administration-sba-grant-used-in-new-phishing-scam/
PlugX_Malware_Exploits_Remote_Desktop_Software_Flaws
MEDIUM
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- PlugX_Malware_Exploits_Remote_Desktop_Software_Flaws
- Date of Scan:
- 2023-03-11
- Impact:
- MEDIUM
- Summary:
- Researchers from ASEC have discovered security vulnerabilities in remote desktop programs such as Sunlogin and AweSun are being exploited by threat actors to deploy the PlugX malware.
Chaos_Ransomware_Shadow_is_Cast_by_BlackSnake_Ransomware
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Chaos_Ransomware_Shadow_is_Cast_by_BlackSnake_Ransomware
- Date of Scan:
- 2023-03-11
- Impact:
- LOW
- Summary:
- Cyble Labs researchers have discovered a ransomware variant that not only encrypts victims’ files but also steals their Discord tokens.
Source:
https://blog.cyble.com/2023/03/09/blacksnake-ransomware-emerges-from-chaos-ransomwares-shadow/
The_Use_of_Search_Engines_For_Malvertising
LOW
+
—
—
- Intel Source:
- Securelist
- Intel Name:
- The_Use_of_Search_Engines_For_Malvertising
- Date of Scan:
- 2023-03-10
- Impact:
- LOW
- Summary:
- Researchers from Securelist have observed an increase in the number of malicious campaigns that use Google Advertising as a means of distributing and delivering malware. At least two different stealers, Rhadamanthys and RedLine, are abusing the search engine promotion plan in order to deliver malicious payloads to victims’ machines.
Source:
https://securelist.com/malvertising-through-search-engines/108996/
IceFire_Ransomware_Exploiting_IBM_Aspera_Faspex
MEDIUM
+
—
—
- Intel Source:
- Sentinelone
- Intel Name:
- IceFire_Ransomware_Exploiting_IBM_Aspera_Faspex
- Date of Scan:
- 2023-03-10
- Impact:
- MEDIUM
- Summary:
- SentinelOne researchers have identified a Windows-based ransomware strain known as IceFire has expanded its focus to target Linux enterprise networks belonging to several media and entertainment sector organizations across the world.
Source:
https://www.sentinelone.com/labs/icefire-ransomware-returns-now-targeting-linux-enterprise-networks/
New_ScrubCrypt_Crypter_Targeting_Oracle_WebLogic
MEDIUM
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- New_ScrubCrypt_Crypter_Targeting_Oracle_WebLogic
- Date of Scan:
- 2023-03-10
- Impact:
- MEDIUM
- Summary:
- Fortinet Lab researchers have observed the attack chain commences with the successful exploitation of susceptible Oracle WebLogic servers to download a PowerShell script that contains ScrubCrypt.
Source:
https://www.fortinet.com/blog/threat-research/old-cyber-gang-uses-new-crypter-scrubcrypt
Increasing_Phishing_Campaigns_During_Tax_Season
LOW
+
—
—
- Intel Source:
- Cofense
- Intel Name:
- Increasing_Phishing_Campaigns_During_Tax_Season
- Date of Scan:
- 2023-03-09
- Impact:
- LOW
- Summary:
- Researchers from Cofense have identified threat actors attempting to use tax season to target recipients with a potential refund and using the Adobe filesharing service to deliver the phishing.
Source:
https://cofense.com/blog/tax-season-phishing-campaigns-are-ramping-up/
OneNote_Misused_by_Cybercriminals
LOW
+
—
—
- Intel Source:
- Trustwave
- Intel Name:
- OneNote_Misused_by_Cybercriminals
- Date of Scan:
- 2023-03-09
- Impact:
- LOW
- Summary:
- Researchers from Trustwave have analyzed the activity of cybercriminals as to how they are abusing OneNote.
Analysis_of_Nevada_Ransomware_and_Compares_With_Nokoyawa_Ransomware
LOW
+
—
—
- Intel Source:
- ZScaler
- Intel Name:
- Analysis_of_Nevada_Ransomware_and_Compares_With_Nokoyawa_Ransomware
- Date of Scan:
- 2023-03-09
- Impact:
- LOW
- Summary:
- Zscaler ThreatLab have identified the significant code similarities between Nevada and Nokoyawa ransomware including debug strings, command-line arguments, and encryption algorithms.
Source:
https://www.zscaler.com/blogs/security-research/nevada-ransomware-yet-another-nokayawa-variant
Analysis_of_Memory_For_Detecting_EDR_Nullifying_Malware
LOW
+
—
—
- Intel Source:
- Volexity
- Intel Name:
- Analysis_of_Memory_For_Detecting_EDR_Nullifying_Malware
- Date of Scan:
- 2023-03-09
- Impact:
- LOW
- Summary:
- Volexity researchers have examined the technique of attacking endpoint detection and response (EDR) and antivirus (AV) software could reliably be detected through memory analysis.
Source:
https://www.volexity.com/blog/2023/03/07/using-memory-analysis-to-detect-edr-nullifying-malware/
Chinese_Cyber_Attack_Against_Southeast_Asian_Government_Entities
HIGH
+
—
—
- Intel Source:
- Checkpoint
- Intel Name:
- Chinese_Cyber_Attack_Against_Southeast_Asian_Government_Entities
- Date of Scan:
- 2023-03-08
- Impact:
- HIGH
- Summary:
- Researchers from Checkpoint have analyzed the TTPs and the tools used in the espionage campaign against Southeast Asian government entities. The initial infection stages of this campaign use TTPs and tools consistent with Sharp Panda activity.
In_Depth_Analysis_of_Sirattacker_and_ALC_Ransomware
MEDIUM
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- In_Depth_Analysis_of_Sirattacker_and_ALC_Ransomware
- Date of Scan:
- 2023-03-08
- Impact:
- MEDIUM
- Summary:
- FortiGate Lab researchers have gathered data on ransomware variants of interest that have been gaining traction within their datasets and the OSINT community. They analyzed the Sirattacker and ALC ransomware which is targeting Microsoft Windows users.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-sirattacker-acl?&web_view=true
PyPI_package_delivers_malicious_Colour_Blind_RAT
LOW
+
—
—
- Intel Source:
- Cyware
- Intel Name:
- PyPI_package_delivers_malicious_Colour_Blind_RAT
- Date of Scan:
- 2023-03-08
- Impact:
- LOW
- Summary:
- Researchers from cyware have identified a malicious PyPI package that delivers a fully-featured information stealer and remote access trojan dubbed Colour-Blind.
Source:
https://cyware.com/news/malicious-pypi-package-delivers-colour-blind-rat-1c24f4e6/?web_view=true
GlobeImposter_Ransomware_Installed_Using_RDP
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- GlobeImposter_Ransomware_Installed_Using_RDP
- Date of Scan:
- 2023-03-08
- Impact:
- LOW
- Summary:
- ASEC has recently discovered the active distribution of the GlobeImposter ransomware. This attack is being carried out by the threat actors behind MedusaLocker.
Qakbot_evolves_to_OneNote_Malware_Distribution
MEDIUM
+
—
—
- Intel Source:
- Trellix
- Intel Name:
- Qakbot_evolves_to_OneNote_Malware_Distribution
- Date of Scan:
- 2023-03-08
- Impact:
- MEDIUM
- Summary:
- Researchers from Trellix have discovered Qakbot (aka QBot, QuakBot, and Pinkslipbot) is a sophisticated piece of malware, there has been an upsurge in the number of Qakbot campaigns using a novel delivery technique: OneNote documents for malware distribution
LokiBot_Distributing_via_Phishing_Emails
LOW
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- LokiBot_Distributing_via_Phishing_Emails
- Date of Scan:
- 2023-03-07
- Impact:
- LOW
- Summary:
- PaloAlto researchers have uncovered a malware distribution campaign that is delivering the LokiBot information stealer via business email compromise (BEC) phishing emails. This malware is designed to steal sensitive information from victims’ systems, such as passwords and banking information, as well as other sensitive data.
Source:
https://unit42.paloaltonetworks.com/lokibot-spike-analysis/
Phishing_Campaign_Using_Copycat_ChatGPT_Platform
MEDIUM
+
—
—
- Intel Source:
- Bitdefender
- Intel Name:
- Phishing_Campaign_Using_Copycat_ChatGPT_Platform
- Date of Scan:
- 2023-03-07
- Impact:
- MEDIUM
- Summary:
- Researchers from BitDefender Labs have identified the success of the viral AI tool has also attracted the attention of fraudsters who use the technology to conduct highly sophisticated investment scams against unwary internet users.
In_Depth_Analysis_of_RIG_Exploit_Kit
LOW
+
—
—
- Intel Source:
- PRODAFT
- Intel Name:
- In_Depth_Analysis_of_RIG_Exploit_Kit
- Date of Scan:
- 2023-03-07
- Impact:
- LOW
- Summary:
- Researchers from Prodaft have analyzed the RIG Exploit Kit. It is malware being operated as a MaaS subscription model and is enjoying the most glorious duration of its lifetime in terms of successful attacks.
Source:
https://www.prodaft.com/resource/detail/rig-rig-exploit-kit-depth-analysis
New_HiatusRAT_Malware_Targeting_Business_Grade_Routers
MEDIUM
+
—
—
- Intel Source:
- Lumen
- Intel Name:
- New_HiatusRAT_Malware_Targeting_Business_Grade_Routers
- Date of Scan:
- 2023-03-07
- Impact:
- MEDIUM
- Summary:
- Lumen researchers have observed malware that is targeting business-grade routers to covertly spy on victims in Latin America, Europe, and North America at least since July 2022.
Source:
https://blog.lumen.com/new-hiatusrat-router-malware-covertly-spies-on-victims/
Phishing_Campaign_Targeting_Job_Seekers_and_Employers
LOW
+
—
—
- Intel Source:
- Trellix
- Intel Name:
- Phishing_Campaign_Targeting_Job_Seekers_and_Employers
- Date of Scan:
- 2023-03-07
- Impact:
- LOW
- Summary:
- Researchers from Trellix have discovered threat actors are exploiting the ongoing economic downturn by using job-themed phishing and malware campaigns to target job seekers and employers to steal sensitive information and hack company recruiters.
The_Analysis_of_Lazarus_Group
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- The_Analysis_of_Lazarus_Group
- Date of Scan:
- 2023-03-07
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that Lazarus group’s malware strains have been found in various Korean companies related to national defense, satellites, software, media press, etc. Hence, they pursued and analyzed the Lazarus threat group’s activities and related malware.
OneNote_Embedded_File_Abuse
LOW
+
—
—
- Intel Source:
- Nviso
- Intel Name:
- OneNote_Embedded_File_Abuse
- Date of Scan:
- 2023-03-07
- Impact:
- LOW
- Summary:
- Researchers from Nviso have observed the OneNote feature that is being abused during these phishing campaigns is hiding embedded files behind pictures which entices the user to click the picture. If the picture is clicked, it will execute the file hidden beneath.
Source:
https://blog.nviso.eu/2023/02/27/onenote-embedded-file-abuse/
MyDoom_Worm_Distributing_via_Phishing_Email
LOW
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- MyDoom_Worm_Distributing_via_Phishing_Email
- Date of Scan:
- 2023-03-06
- Impact:
- LOW
- Summary:
- Researchers from Fortinet have identified a phishing campaign using the MyDoom worm. It was first discovered back in 2004 and it has seen some updates and modifications since its introduction.
RIG_Exploit_Kit_Targeting_Internet_Explorer_Users
LOW
+
—
—
- Intel Source:
- Malwarebytes
- Intel Name:
- RIG_Exploit_Kit_Targeting_Internet_Explorer_Users
- Date of Scan:
- 2023-03-06
- Impact:
- LOW
- Summary:
- Malwarebytes researchers have identified that Internet Explorer (IE) is still being exploited by exploit kits like the RIG exploit kit (EK).
OneNote_Documents_Distributing_Malware
LOW
+
—
—
- Intel Source:
- ZScaler
- Intel Name:
- OneNote_Documents_Distributing_Malware
- Date of Scan:
- 2023-03-06
- Impact:
- LOW
- Summary:
- Zscaler researchers have observed threat actors are increasingly using Microsoft OneNote documents to deliver malware via phishing emails.
Source:
https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
WhiteSnake_Stealer_Targeting_Windows_and_Linux_Users
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- WhiteSnake_Stealer_Targeting_Windows_and_Linux_Users
- Date of Scan:
- 2023-03-06
- Impact:
- LOW
- Summary:
- Cyble researchers have discovered a new malware strain called “WhiteSnake” Stealer. This stealer is available in versions designed for both Windows and Linux. It is capable of gathering a range of sensitive information, including passwords, cookies, credit card numbers, screenshots, and other personal or financial data.
Source:
https://blog.cyble.com/2023/02/24/new-whitesnake-stealer-offered-for-sale-via-maas-model/
Hackers_From_China_Using_Custom_Backdoor_to_Evade_Detection
LOW
+
—
—
- Intel Source:
- Welivesecurity
- Intel Name:
- Hackers_From_China_Using_Custom_Backdoor_to_Evade_Detection
- Date of Scan:
- 2023-03-06
- Impact:
- LOW
- Summary:
- Researchers from Welivesecurity have identified the Chinese cyber espionage hacking group Mustang Panda is deploying a new custom backdoor named ‘MQsTTang’ in attacks starting this year.
Spear_Phishing_Campaign_Targeting_Hospitality_Industry_Using_RedLine_Stealer
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- Spear_Phishing_Campaign_Targeting_Hospitality_Industry_Using_RedLine_Stealer
- Date of Scan:
- 2023-03-06
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have identified RedLine Stealer’s evasive spear-phishing campaign that targeting the hospitality industry.
Hackers_From_SCARLETEEL_Using_Advanced_Cloud_Skills_to_Steal_Source_Code_and_Data
MEDIUM
+
—
—
- Intel Source:
- Sysdig
- Intel Name:
- Hackers_From_SCARLETEEL_Using_Advanced_Cloud_Skills_to_Steal_Source_Code_and_Data
- Date of Scan:
- 2023-03-06
- Impact:
- MEDIUM
- Summary:
- Sysdig researchers have discovered a sophisticated cloud operation in a customer environment, dubbed SCARLETEEL, that resulted in stolen proprietary data. The attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account in order to steal proprietary software and credentials.
Source:
https://sysdig.com/blog/cloud-breach-terraform-data-theft/
LockBit_Ransomware_Attack_on_Indian_Companies
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- LockBit_Ransomware_Attack_on_Indian_Companies
- Date of Scan:
- 2023-03-06
- Impact:
- LOW
- Summary:
- Cyble researchers have observed the LockBit ransomware group that claimed to have compromised the networks of an Indian investment company, Infrastructure Leasing & Financial Services Limited (IL&FS), on February 28, 2023.
Source:
https://blog.cyble.com/2023/03/01/ransomware-attack-on-ilfs/
The_New_TTPs_of_Royal_ransomware
MEDIUM
+
—
—
- Intel Source:
- CISA
- Intel Name:
- The_New_TTPs_of_Royal_ransomware
- Date of Scan:
- 2023-03-06
- Impact:
- MEDIUM
- Summary:
- The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released the joint CSA to disseminate known Royal ransomware IOCs and TTPs identified through FBI threat response activities as recently as January 2023.
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a
The_Examination_of_EXFILTRATION_22
LOW
+
—
—
- Intel Source:
- Cyfirma
- Intel Name:
- The_Examination_of_EXFILTRATION_22
- Date of Scan:
- 2023-03-04
- Impact:
- LOW
- Summary:
- Researchers from Cyfirma have provided an analysis of a new post of exploitation framework called EXFILTRATOR-22 a.k.a. EX-22.
Source:
https://www.cyfirma.com/outofband/exfiltrator-22-an-emerging-post-exploitation-framework/
The_Deep_Investigation_of_LockBit_Ransomware_Campaign
MEDIUM
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Deep_Investigation_of_LockBit_Ransomware_Campaign
- Date of Scan:
- 2023-03-04
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs researchers have observed a new LockBit ransomware campaign last December and January using a combination of techniques effective against AV and EDR solutions and analyzed the infection chain and Tactics, Techniques, and Procedures (TTPs) of this campaign.
Source:
https://www.fortinet.com/blog/threat-research/emerging-lockbit-campaign?&web_view=true
The_deployment_of_New_MortalKombat_Ransomware_and_Laplas_Clipper_Malware_threats
MEDIUM
+
—
—
- Intel Source:
- Talos
- Intel Name:
- The_deployment_of_New_MortalKombat_Ransomware_and_Laplas_Clipper_Malware_threats
- Date of Scan:
- 2023-03-04
- Impact:
- MEDIUM
- Summary:
- Since last December, Cisco Talos team has has been observing a new actor who used 2 new threats MortalKombat ransomware and a GO variant of the Laplas Clipper malware, to steal cryptocurrency from victims. Also Talos researchers have seen the actor browsing the internet for victim machines with a malicious exposed remote desktop protocol (RDP) port 3389, using one of their download servers that run an RDP crawler and also download MortalKombat ransomware. After the reserachers analyzed something common in the code, class name, and registry key strings, they think that that the MortalKombat ransomware belongs to the Xorist family.
Source:
https://blog.talosintelligence.com/new-mortalkombat-ransomware-and-laplas-clipper-malware-threats/
BlackLotus_Malware_Capable_of_Bypassing_Secure_Boot
MEDIUM
+
—
—
- Intel Source:
- Welivesecurity
- Intel Name:
- BlackLotus_Malware_Capable_of_Bypassing_Secure_Boot
- Date of Scan:
- 2023-03-03
- Impact:
- MEDIUM
- Summary:
- Researchers from Welivesecurity have identified that a stealthy Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus has becomes the first UEFI bootkit malware to bypass secure boot on Windows 11.
Source:
https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
Hackers_From_Blind_Eagle_Targeting_Organizations_in_Colombia_and_Ecuador
LOW
+
—
—
- Intel Source:
- Blackberry
- Intel Name:
- Hackers_From_Blind_Eagle_Targeting_Organizations_in_Colombia_and_Ecuador
- Date of Scan:
- 2023-03-01
- Impact:
- LOW
- Summary:
- BlackBerry researchers have identified a new campaign where the threat actor impersonated a Colombian government tax agency to target key industries in Colombia, including health, financial, law enforcement, immigration, and an agency in charge of peace negotiation in the country.
Source:
https://blogs.blackberry.com/en/2023/02/blind-eagle-apt-c-36-targets-colombia
Diving_Deep_into_TA_69_and_its_SocGholish_Payload
LOW
+
—
—
- Intel Source:
- Proofpoint
- Intel Name:
- Diving_Deep_into_TA_69_and_its_SocGholish_Payload
- Date of Scan:
- 2023-03-01
- Impact:
- LOW
- Summary:
- Researchers from Proofpoint have observed changes in the tactics, techniques, and procedures (TTPs) employed by TA569. Changes include an increase in the number of injection varieties, as well as payloads deviating from the standard SocGholish “Fake Update” JavaScript packages.
Source:
https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond
Threat_Actors_Using_Microsoft_OneNote_for_Malicious_Campaigns
LOW
+
—
—
- Intel Source:
- Inquest
- Intel Name:
- Threat_Actors_Using_Microsoft_OneNote_for_Malicious_Campaigns
- Date of Scan:
- 2023-03-01
- Impact:
- LOW
- Summary:
- Researchers from Inquest have observed OneNote show that it has been featured in delivery chains for a number of malware threats and distributing multiple groups.
BB17_Distribution_Qakbot_Activity
LOW
+
—
—
- Intel Source:
- ISC.SANS
- Intel Name:
- BB17_Distribution_Qakbot_Activity
- Date of Scan:
- 2023-03-01
- Impact:
- LOW
- Summary:
- Researchers from SANS have identified an infection with a URL that is found on VirusTotal after pivoting on a search for BB17-tagged distribution URLs for Qakbot.
Snip3_Crypter_is_Back_With_New_TTPs
LOW
+
—
—
- Intel Source:
- ZScaler
- Intel Name:
- Snip3_Crypter_is_Back_With_New_TTPs
- Date of Scan:
- 2023-03-01
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have identified the use of the crypter with new TTPs deploying RAT families including DcRAT and QuasarRAT targeting victims across multiple industry verticals such as healthcare, energy and utilities, and manufacturing via spear phishing emails with subject lines related to “tax statements” in order to lure victims into execution.
Source:
https://www.zscaler.com/blogs/security-research/snip3-crypter-reveals-new-ttps-over-time
Hackers_From_Blackfly_Group_Targeting_Materials_Technology
LOW
+
—
—
- Intel Source:
- Symantec
- Intel Name:
- Hackers_From_Blackfly_Group_Targeting_Materials_Technology
- Date of Scan:
- 2023-03-01
- Impact:
- LOW
- Summary:
- Symantec researchers have identified the Blackfly espionage group (aka APT41, Winnti Group, Bronze Atlas) has continued to mount attacks against targets in Asia and recently targeted two subsidiaries of an Asian conglomerate, both of which operate in the materials and composites sector, suggesting that the group may be attempting to steal intellectual property.
Iron_Tiger_Group_Targeting_Linux_Through_SysUpdate
MEDIUM
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- Iron_Tiger_Group_Targeting_Linux_Through_SysUpdate
- Date of Scan:
- 2023-03-01
- Impact:
- MEDIUM
- Summary:
- Researchers from TrendMicro have identified that hackers from Iron Tiger updated SysUpdate, one of their custom malware families, to include new features and add malware infection support for the Linux platform.
Source:
https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
Cyber_attacks_on_the_Ukrainian_state_organizations
MEDIUM
+
—
—
- Intel Source:
- CERT-UA
- Intel Name:
- Cyber_attacks_on_the_Ukrainian_state_organizations
- Date of Scan:
- 2023-02-28
- Impact:
- MEDIUM
- Summary:
- Researchers from CERT-UA have investigated the violation of the integrity and availability of the web resources of a number of state organizations.
ChatGPT_Based_Phishing_Attacks
MEDIUM
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- ChatGPT_Based_Phishing_Attacks
- Date of Scan:
- 2023-02-28
- Impact:
- MEDIUM
- Summary:
- Cyble researchers have detected several phishing websites that are being promoted through a fraudulent OpenAI social media page to spread various types of malware. Furthermore, several phishing sites are impersonating ChatGPT to steal credit card information.
Source:
https://blog.cyble.com/2023/02/22/the-growing-threat-of-chatgpt-based-phishing-attacks/
Malicious_Emails_Impersonating_Shipping_Companies
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Malicious_Emails_Impersonating_Shipping_Companies
- Date of Scan:
- 2023-02-28
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered malicious emails impersonating shipping companies being distributed in Korea. These emails prompt users to open the attached file with the subject ‘Submitting import clearance info’.
The_Investigation_of_PlugX_Trojan
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_Investigation_of_PlugX_Trojan
- Date of Scan:
- 2023-02-28
- Impact:
- LOW
- Summary:
- TrendMicro researchers have discovered a file called x32dbg.exe is used to sideload a malicious DLL they identified as a variant of PlugX.
Hackers_Abusing_Atlassian
LOW
+
—
—
- Intel Source:
- Cofense
- Intel Name:
- Hackers_Abusing_Atlassian
- Date of Scan:
- 2023-02-28
- Impact:
- LOW
- Summary:
- Cofense researchers have observed a phishing campaign, under the guise of a payment remittance, taking advantage of custom URLs from Atlassian to redirect users to their phish.
Source:
https://cofense.com/blog/threat-actors-abuse-atlassian-bypass-multiple-secure-email-gateways-segs/
Chile_IP_Address_Connecting_to_IcedID_BackConnect_C2_Servers
LOW
+
—
—
- Intel Source:
- Team Cymru
- Intel Name:
- Chile_IP_Address_Connecting_to_IcedID_BackConnect_C2_Servers
- Date of Scan:
- 2023-02-28
- Impact:
- LOW
- Summary:
- Researchers from Team-Cymru have identified an IP address geolocation to Chile that is used to access various elements of the IcedID infrastructure.
Source:
https://www.team-cymru.com/post/from-chile-with-malware
URL_Files_and_WebDAV_Using_For_IcedID_Infection
LOW
+
—
—
- Intel Source:
- ISC.SANS
- Intel Name:
- URL_Files_and_WebDAV_Using_For_IcedID_Infection
- Date of Scan:
- 2023-02-28
- Impact:
- LOW
- Summary:
- Researchers from SANS have observed that IcedID distribution patterns occasionally change and identified a distribution pattern using .url files and WebDAV traffic for an IcedID infection.
Source:
https://isc.sans.edu/diary/URL+files+and+WebDAV+used+for+IcedID+Bokbot+infection/29578/
Magniber_Ransomware_is_Back_With_New_Technique
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Magniber_Ransomware_is_Back_With_New_Technique
- Date of Scan:
- 2023-02-28
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that Magniber ransomware is distributed as a Windows installer package file (.msi) in Edge and Chrome browsers.
PyPI_Malicious_Packages_Dropping_Windows_Trojan_via_Dropbox
LOW
+
—
—
- Intel Source:
- Sonatypa
- Intel Name:
- PyPI_Malicious_Packages_Dropping_Windows_Trojan_via_Dropbox
- Date of Scan:
- 2023-02-28
- Impact:
- LOW
- Summary:
- Researchers from Sonatype have observed hundreds of packages getting published and removed in batches on the PyPI registry. These packages, despite containing contextual terms like “libs,” “nvidiapaypalsuper,” and so on, are named quite arbitrarily.
Analysis_of_FortiNAC_Vulnerability_CVE_2022_39952
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Analysis_of_FortiNAC_Vulnerability_CVE_2022_39952
- Date of Scan:
- 2023-02-28
- Impact:
- LOW
- Summary:
- Cyble researchers have analyzed the vulnerability affecting multiple versions of FortiNAC. The affected product is widely used in mid to large-size enterprises involving state and private entities.
Lazarus_Group_Using_New_WinorDLL64_Backdoor
MEDIUM
+
—
—
- Intel Source:
- WeliveSecurity
- Intel Name:
- Lazarus_Group_Using_New_WinorDLL64_Backdoor
- Date of Scan:
- 2023-02-27
- Impact:
- MEDIUM
- Summary:
- Welivesecurity researchers have observed one of the payloads of the Wslink downloader that was discovered back in 2021. That payload WinorDLL64 based on its filename WinorDLL64.dll. Wslink, which had the filename WinorLoaderDLL64.dll, is a loader for Windows binaries that and runs as a server and executes received modules in memory.
Source:
https://www.welivesecurity.com/2023/02/23/winordll64-backdoor-vast-lazarus-arsenal/
I2Pminer_Variant_Targeting_MacOS
LOW
+
—
—
- Intel Source:
- Crowdstrike & Jamf
- Intel Name:
- I2Pminer_Variant_Targeting_MacOS
- Date of Scan:
- 2023-02-27
- Impact:
- LOW
- Summary:
- CrowdStrike and Jamf researchers have analyzed a macOS-targeted mineware campaign that utilized malicious application bundles to deliver open source XMRig cryptomining software and Invisible Internet Protocol (I2P) network tooling.
New_Hacking_Group_Clasiopa_Targeting_Materials_Research
MEDIUM
+
—
—
- Intel Source:
- Symantec
- Intel Name:
- New_Hacking_Group_Clasiopa_Targeting_Materials_Research
- Date of Scan:
- 2023-02-27
- Impact:
- MEDIUM
- Summary:
- Symantec researchers have identified that an unknown threat actor targeting Materials research organizations in Asia with a distinct set of tools.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clasiopa-materials-research
Hackers_Targeting_Multiple_ManageEngine_Products
MEDIUM
+
—
—
- Intel Source:
- Bitdefender
- Intel Name:
- Hackers_Targeting_Multiple_ManageEngine_Products
- Date of Scan:
- 2023-02-27
- Impact:
- MEDIUM
- Summary:
-
Researchers from BitDefender have observed that multiple threat actors opportunistically weaponized a now-patched critical security vulnerability impacting several Zoho ManageEngine products since January 20, 2023.
Additional Blog link: https://www.bitdefender.com/blog/labs/weaponizing-pocs-a-targeted-attack-using-cve-2022-47966/
Source:
https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966
NPM_Packages_Distributing_Phishing_Links
LOW
+
—
—
- Intel Source:
- Checkmarx
- Intel Name:
- NPM_Packages_Distributing_Phishing_Links
- Date of Scan:
- 2023-02-24
- Impact:
- LOW
- Summary:
- Checkmarx researchers have investigated and uncovered a recurring attack method, in which cyber attackers utilize spamming techniques to flood the open-source ecosystem with packages that include links to phishing campaigns in their README.md files.
Source:
https://checkmarx.com/blog/how-npm-packages-were-used-to-spread-phishing-links/
The_Investigation_of_8220_Gang_Cloud_Threat
LOW
+
—
—
- Intel Source:
- Sentinelone
- Intel Name:
- The_Investigation_of_8220_Gang_Cloud_Threat
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- SentinelOne researchers have analyzed the 8220 gang cloud threat as the group has again switched to new infrastructure and samples.
PyPI_Packages_Mimicking_Popular_Libraries
LOW
+
—
—
- Intel Source:
- Reversing Labs
- Intel Name:
- PyPI_Packages_Mimicking_Popular_Libraries
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- Reversing Labs researchers are warning of “imposter packages” mimicking popular libraries available on the Python Package Index (PyPI) repository. The 41 malicious PyPI packages have been found to pose as typosquatted variants of legitimate modules such as HTTP, AIOHTTP, requests, urllib, and urllib3.
Source:
https://www.reversinglabs.com/blog/beware-impostor-http-libraries-lurk-on-pypi
Techniques_Analysis_of_Rhadamanthys_information_stealer
LOW
+
—
—
- Intel Source:
- Zscaler
- Intel Name:
- Techniques_Analysis_of_Rhadamanthys_information_stealer
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- Zscaler researchers have analyzed Rhadamanthys, an information stealer. The malware implements complex anti-analysis techniques by using a public open source library. It is written in C++ and being distributed mostly via malicious Google advertisements. The malware is designed to steal credentials from web browsers, VPN clients, email clients and chat clients as well as cryptocurrency wallets.
Lazarus_Group_Leveraging_Anti_Forensic_Techniques
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Lazarus_Group_Leveraging_Anti_Forensic_Techniques
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- ASEC researchers have shared the anti-forensic traces and details found in the systems that were infiltrated by the Lazarus group.
The_New_Version_of_HardBit_2_0_Ransomware
LOW
+
—
—
- Intel Source:
- Varonis
- Intel Name:
- The_New_Version_of_HardBit_2_0_Ransomware
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- Researchers from Varonis have identified the new version of HardBit ransomware which is HardBit 2.0 and it is still under development and features unique capabilities.
Hackers_Targeting_Innorix_Agent_Vulnerable_Versions
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Hackers_Targeting_Innorix_Agent_Vulnerable_Versions
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered the distribution of malware targeting users with vulnerable versions of Innorix Agent and the collected malware is a backdoor that attempts to connect to a C&C server.
Credit_Card_Skimmers_Targeting_Ecommerce_Platforms
LOW
+
—
—
- Intel Source:
- Mawarebytes
- Intel Name:
- Credit_Card_Skimmers_Targeting_Ecommerce_Platforms
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- Researchers from Malwarebytes have observed credit card skimmers targeting e-commerce platforms such as Magento and WordPress/WooCommerce.
Attackers_Leveraging_Cron_Jobs_to_Infect_Websites
LOW
+
—
—
- Intel Source:
- Sucuri
- Intel Name:
- Attackers_Leveraging_Cron_Jobs_to_Infect_Websites
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- Sucuri researchers have observed attackers using malicious corn jobs quite frequently to reinfect websites. Recently, they have seen a distinctive new wave of these infections.
Source:
https://blog.sucuri.net/2023/02/attackers-abuse-cron-jobs-to-reinfect-websites.html
A_New_InfoStealer_Stealc
LOW
+
—
—
- Intel Source:
- Sekoia
- Intel Name:
- A_New_InfoStealer_Stealc
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- Sekoia researchers have identified a new info stealer while routine Dark Web monitoring. The information stealer is advertised as Stealc by its alleged developer, going by the handle Plymouth. Also, the threat actor presents Stealc as a fully featured and ready-to-use stealer, whose development relied on Vidar, Raccoon, Mars, and Redline stealers.
The_Examination_of_DarkCloud_Stealer
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- The_Examination_of_DarkCloud_Stealer
- Date of Scan:
- 2023-02-22
- Impact:
- LOW
- Summary:
- Cyble researchers have observed an increase in the prevalence of DarkCloud Stealer, with Threat Actors employing various spam campaigns to disseminate this malware worldwide.
Source:
https://blog.cyble.com/2023/02/20/decoding-the-inner-workings-of-darkcloud-stealer/
Expansion_of_attackes_on_Linux_ESXi_Servers_by_Royal_ransomware
MEDIUM
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- Expansion_of_attackes_on_Linux_ESXi_Servers_by_Royal_ransomware
- Date of Scan:
- 2023-02-22
- Impact:
- MEDIUM
- Summary:
- TrendMicro analysts analayzed that since last year that ransomware groups will would increasingly target Linux servers and embedded systems in the coming years after detecting a double-digit year-on-year (YoY) increase in attacks on these systems. Royal ransomware is a new variant targeting Linux systems emerged and TrendMicro shared their technical analysis on this variant in their blog.
A_new_threat_group_Hydrochasma_targets_organizations_in_Asia
LOW
+
—
—
- Intel Source:
- Symantec
- Intel Name:
- A_new_threat_group_Hydrochasma_targets_organizations_in_Asia
- Date of Scan:
- 2023-02-22
- Impact:
- LOW
- Summary:
- Researchers from Symantec have observed a new threat group Hydrochasma attacking shipping companies and medical laboratories in Asia. Hydrochasma has not been linked to any previously identified group, but appears to have a possible interest in industries that may be involved in COVID-19-related treatments or vaccines. And possible infection vector used by Hydrochasma was a phishing email.
HWP_Malware_Using_the_Steganography_Technique
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- HWP_Malware_Using_the_Steganography_Technique
- Date of Scan:
- 2023-02-22
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered that the RedEyes threat group is distributing malware by exploiting the HWP EPS (Encapsulated PostScript) vulnerability (CVE-2017-8291).
Raccoon_Stealer_V2_Using_Microsoft_Add_Ins_to_Delivering_Malware
MEDIUM
+
—
—
- Intel Source:
- Quickheal
- Intel Name:
- Raccoon_Stealer_V2_Using_Microsoft_Add_Ins_to_Delivering_Malware
- Date of Scan:
- 2023-02-22
- Impact:
- MEDIUM
- Summary:
- Researchers from QuickHeal have identified that Microsoft Add-Ins can present a potential threat vector for malware like Raccoon Stealer V2. These types of malware are designed to steal sensitive information from infected systems and use Microsoft Add-Ins as a means of delivering the malware to target systems.
Source:
https://blogs.quickheal.com/your-office-document-is-at-risk-xll-a-new-attack-vector/
Analysis_of_Icarus_Stealer
LOW
+
—
—
- Intel Source:
- Esentire
- Intel Name:
- Analysis_of_Icarus_Stealer
- Date of Scan:
- 2023-02-22
- Impact:
- LOW
- Summary:
- Esentire researchers have analyzed the Icarus stealer malware into the technical details of how the malware operates and security recommendations to protect the organization from being exploited.
Source:
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-icarus-stealer
ReverseRAT_Backdoor_Targeting_Indian_Government_Agencies
MEDIUM
+
—
—
- Intel Source:
- ThreatMon
- Intel Name:
- ReverseRAT_Backdoor_Targeting_Indian_Government_Agencies
- Date of Scan:
- 2023-02-22
- Impact:
- MEDIUM
- Summary:
- Researchers from ThreatMon have observed a spear-phishing campaign targeting Indian government entities that aim to deploy an updated version of a backdoor called ReverseRAT.
Source:
https://threatmon.io/apt-sidecopy-targeting-indian-government-entities/
STL_Investigation_222
LOW
+
—
—
- Intel Source:
- SecuronixThreatLabs
- Intel Name:
- STL_Investigation_222
- Date of Scan:
- 2023-02-22
- Impact:
- LOW
- Summary:
- Indicators of Compromise related to a Securonix Threat Labs investigation
VMWare_ESXi_Vulnerability_targeted_by_ESXiArgs_Ransomware
MEDIUM
+
—
—
- Intel Source:
- Securityscorecard
- Intel Name:
- VMWare_ESXi_Vulnerability_targeted_by_ESXiArgs_Ransomware
- Date of Scan:
- 2023-02-22
- Impact:
- MEDIUM
- Summary:
- After warning of a widespread ransomware campaign exploiting CVE-2021-21974, a VMWare ESXi vulnerability, The SecurityScorecard Threat Research Team started their analyses about this new campaign in response to the advisories and they discovered possible communication between target IP addresses and infrastructure involved in the exploitation of this vulnerability.
Qakbot_Distributing_via_OneNote
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Qakbot_Distributing_via_OneNote
- Date of Scan:
- 2023-02-22
- Impact:
- LOW
- Summary:
- Cyble researchers have identified multiple distribution methods for the widely known banking trojan Qakbot and these methods include using malspam with OneNote attachments, malspam with zip files containing WSF, and others.
Return_of_Redline_Stealer
LOW
+
—
—
- Intel Source:
- SocInvestigation
- Intel Name:
- Return_of_Redline_Stealer
- Date of Scan:
- 2023-02-22
- Impact:
- LOW
- Summary:
- SOC Investigation reserachers discussed in their blog the Redline Stealer malware, the background, its capabilities, and its impact, the basic steps of the malware outlines.
Source:
https://www.socinvestigation.com/redline-stealer-returns-with-new-ttps-detection-response/
The_Deep_Examination_of_CatB_Ransomware
LOW
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Deep_Examination_of_CatB_Ransomware
- Date of Scan:
- 2023-02-21
- Impact:
- LOW
- Summary:
- Fortinet researchers have analyzed the CatB ransomware. It is a reasonably new entrant to the ransomware field, with samples only dating back to December 2022.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-catb-ransomware
Royal_Ransomware_Targeting_Linux_ESXi_Servers
MEDIUM
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- Royal_Ransomware_Targeting_Linux_ESXi_Servers
- Date of Scan:
- 2023-02-21
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have observed that Royal ransomware expanding its targets by increasingly developing Linux-based versions.
BlackCat_Ransomware_Group_Targeting_Healthcare_Service_Provider
LOW
+
—
—
- Intel Source:
- SecurityScoreCard
- Intel Name:
- BlackCat_Ransomware_Group_Targeting_Healthcare_Service_Provider
- Date of Scan:
- 2023-02-20
- Impact:
- LOW
- Summary:
- Security ScoreCard researchers have observed BlackCat ransomware group adding an entry for an electronic health record (EHR) vendor to its extortion site.
Hackers_Targeting_Security_Service_of_Ukraine_and_NATO_Allies
LOW
+
—
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Hackers_Targeting_Security_Service_of_Ukraine_and_NATO_Allies
- Date of Scan:
- 2023-02-20
- Impact:
- LOW
- Summary:
- EclecticIQ researchers have observed multiple weaponized phishing emails probably targeting the Security Service of Ukraine (SSU), NATO allies like Latvia, and private companies such as Culver Aviation.
The_Dangers_of_Installing_Nulled_WordPress_Themes_and_Plugins
LOW
+
—
—
- Intel Source:
- Sucuri
- Intel Name:
- The_Dangers_of_Installing_Nulled_WordPress_Themes_and_Plugins
- Date of Scan:
- 2023-02-20
- Impact:
- LOW
- Summary:
- Researchers from Sucuri have identified installing nulled themes or plugins on the website is not only participating in software theft but can also introduce serious risks including malware, SEO spam, and website backdoors.
Source:
https://blog.sucuri.net/2023/02/the-dangers-of-installing-nulled-wordpress-themes-and-plugins.html
WordPress_Sites_Backdoored_With_Ad_Fraud_Plugin
LOW
+
—
—
- Intel Source:
- Malwarebytes
- Intel Name:
- WordPress_Sites_Backdoored_With_Ad_Fraud_Plugin
- Date of Scan:
- 2023-02-20
- Impact:
- LOW
- Summary:
- Malwarebytes researchers have identified around 50 WordPress blogs that have been backdoored with a plugin called fuser-master.
A_new_threat_cluster_WIP26
MEDIUM
+
—
—
- Intel Source:
- Sentilone
- Intel Name:
- A_new_threat_cluster_WIP26
- Date of Scan:
- 2023-02-19
- Impact:
- MEDIUM
- Summary:
- SentinelLabs has observed a threat activity tracked as WIP26. This threat actor has been targeting telecommunication companies in the Middle East. WIP26 is known by abusing of public Cloud infrastructure – Microsoft 365 Mail, Microsoft Azure, Google Firebase, and Dropbox – for malware delivery, data exfiltration, and C2 purposes.
From_Targeting_Attacks_to_widespread_Usage_of_Brute_Ratel
LOW
+
—
—
- Intel Source:
- Yoroi
- Intel Name:
- From_Targeting_Attacks_to_widespread_Usage_of_Brute_Ratel
- Date of Scan:
- 2023-02-18
- Impact:
- LOW
- Summary:
- Researchers from Yoroi have identified and tracked security threats that involve actively searching for and analyzing potential security breaches or anomalies in an organization’s systems and networks.
Analysis_of_distribution_sites_of_Magniber_ransomware_using_EDR
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Analysis_of_distribution_sites_of_Magniber_ransomware_using_EDR
- Date of Scan:
- 2023-02-18
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that Magniber ransomware distribution is continued and tracking the distribution site URL through a different method.
Earth_Kitsune_Delivering_New_WhiskerSpy_Backdoor
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- Earth_Kitsune_Delivering_New_WhiskerSpy_Backdoor
- Date of Scan:
- 2023-02-18
- Impact:
- LOW
- Summary:
- TrendMicro researchers have discovered a new backdoor which they have attributed to the APT group known as Earth Kitsune. Since 2019, Earth Kitsune has been distributing variants of self-developed backdoors to targets, primarily individuals who are interested in North Korea.
Source:
https://www.trendmicro.com/en_us/research/23/b/earth-kitsune-delivers-new-whiskerspy-backdoor.html
DarkBit_Ransomware_Targeting_Israel
MEDIUM
+
—
—
- Intel Source:
- Blackberry
- Intel Name:
- DarkBit_Ransomware_Targeting_Israel
- Date of Scan:
- 2023-02-18
- Impact:
- MEDIUM
- Summary:
- BlackBerry researchers have identified a new ransomware strain dubbed “DarkBit” that has recently appeared on the threat landscape after targeting one of Israel’s top research universities, Technion – Israel Institute of Technology (IIT).
Source:
https://blogs.blackberry.com/en/2023/02/darkbit-ransomware-targets-israel
Mirai_Variant_V3G4_Targeting_IoT_Devices
LOW
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- Mirai_Variant_V3G4_Targeting_IoT_Devices
- Date of Scan:
- 2023-02-17
- Impact:
- LOW
- Summary:
- Researchers from PaloAlto have observed a Mirai variant called V3G4, is leveraging several vulnerabilities to spread itself. Once the vulnerable devices are compromised, they will be fully controlled by attackers and become a part of the botnet.
Source:
https://unit42.paloaltonetworks.com/mirai-variant-v3g4/
Hackers_From_RedEyes_Using_New_Malware_to_Steal_Data
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Hackers_From_RedEyes_Using_New_Malware_to_Steal_Data
- Date of Scan:
- 2023-02-17
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that the APT37 threat group using a new evasive ‘M2RAT’ malware and steganography to target individuals for intelligence collection.
The_Analysis_of_TZW_Ransomware
LOW
+
—
—
- Intel Source:
- Sentinelone
- Intel Name:
- The_Analysis_of_TZW_Ransomware
- Date of Scan:
- 2023-02-17
- Impact:
- LOW
- Summary:
- SentinelOne researchers have deeply analyzed the TZW ransomware. Also, observed TZW ransomware linked to a known malware family called GlobeImposter (sometimes referred to as LOLNEK or LOLKEK).
New_Malware_Abusing_Microsoft_IIS_Feature_to_Establish_Backdoor
MEDIUM
+
—
—
- Intel Source:
- Symantec
- Intel Name:
- New_Malware_Abusing_Microsoft_IIS_Feature_to_Establish_Backdoor
- Date of Scan:
- 2023-02-17
- Impact:
- MEDIUM
- Summary:
- Researchers from Symantec have observed a new malware that abuses a feature of Microsoft’s Internet Information Services (IIS) to deploy a backdoor onto targeted systems.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/frebniis-malware-iis
Malware_Campaign_Delivering_ProxyShellMiner_to_Windows_Endpoints
MEDIUM
+
—
—
- Intel Source:
- Morphisec
- Intel Name:
- Malware_Campaign_Delivering_ProxyShellMiner_to_Windows_Endpoints
- Date of Scan:
- 2023-02-17
- Impact:
- MEDIUM
- Summary:
- Morphisec researchers have identified a highly evasive malware campaign delivering ProxyShellMiner to Windows endpoints. ProxyShellMiner exploits the ProxyShell vulnerabilities CVE-2021-34473 and CVE-2021-34523 in Windows Exchange servers for initial access and compromise of an organization to deliver crypto miners.
ESXiArgs_Ransomware_Leveraging_Two_Year_Old_Vulnerability
LOW
+
—
—
- Intel Source:
- Trellix
- Intel Name:
- ESXiArgs_Ransomware_Leveraging_Two_Year_Old_Vulnerability
- Date of Scan:
- 2023-02-17
- Impact:
- LOW
- Summary:
- Trellix researchers have identified that Global ESXiArgs ransomware is attacking the back of a two-year-old vulnerability. The vulnerability ransomware actors targeted is CVE-2021-21974 and allows an attacker to exploit the OpenSLP protocol if the affected server is exposed to the internet.
Earth_Yako_Group_is_Back
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- Earth_Yako_Group_is_Back
- Date of Scan:
- 2023-02-17
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have investigated several incidents and observed the intrusion set introduced new tools and malware within a short period of time, frequently changing and expanding its attack targets. Security researchers believe that Earth Yako is still active and will keep targeting more organizations soon.
Dark_Caracal_APT_Back_with_New_Version_of_Bandook_Spyware
MEDIUM
+
—
—
- Intel Source:
- Lookout
- Intel Name:
- Dark_Caracal_APT_Back_with_New_Version_of_Bandook_Spyware
- Date of Scan:
- 2023-02-17
- Impact:
- MEDIUM
- Summary:
- Researchers from Lookout have discovered that the Dark Caracal APT is currently using a new version of Bandook spyware to target Windows systems.
Source:
https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf
Trojanized_Installers_Targeting_Southeast_and_East_Asia
LOW
+
—
—
- Intel Source:
- Welivesecurity
- Intel Name:
- Trojanized_Installers_Targeting_Southeast_and_East_Asia
- Date of Scan:
- 2023-02-17
- Impact:
- LOW
- Summary:
- ESET researchers have identified a campaign using trojanized installers to deliver the FatalRAT malware, distributing via malicious websites linked in ads that appear in Google search results.
Source:
https://www.welivesecurity.com/2023/02/16/these-arent-apps-youre-looking-for-fake-installers/
US_Public_Housing_Authority_ransomware_attack
LOW
+
—
—
- Intel Source:
- SecurityScoreCard
- Intel Name:
- US_Public_Housing_Authority_ransomware_attack
- Date of Scan:
- 2023-02-16
- Impact:
- LOW
- Summary:
- U.S. Public Housing Authority has announced a disruption, but has not elaborated on the nature of the event. The LockBit ransomware group, which has made false claims in the past, took responsibility for the incident.
Malware_Targeting_Security_Related_Workers
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Malware_Targeting_Security_Related_Workers
- Date of Scan:
- 2023-02-16
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered that the malware is distributed to broadcasting and ordinary companies as well as those in the security-related field.
Paradise_Ransomware_Distributing_Through_AweSun_Vulnerability_Exploitation
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Paradise_Ransomware_Distributing_Through_AweSun_Vulnerability_Exploitation
- Date of Scan:
- 2023-02-16
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the distribution of Paradise ransomware and the threat actors are suspected to be utilizing vulnerability exploitation of the Chinese remote control program AweSun.
A_new_Havoc_campaign_targeting_a_Government_organization
LOW
+
—
—
- Intel Source:
- ZScaler
- Intel Name:
- A_new_Havoc_campaign_targeting_a_Government_organization
- Date of Scan:
- 2023-02-16
- Impact:
- LOW
- Summary:
- Zscaler ThreatLabz research team observed a new campaign called Havoc which is targeting a Government organization.The threat actors have been using a new Command & Control (C2) framework named Havoc. The team provoded the technical analysis and overview of recently discovered attack campaign targeting government organization using Havoc and reveals how it can be leveraged by the threat actors in various campaigns.
Source:
https://www.zscaler.com/blogs/security-research/havoc-across-cyberspace
Diving_Deep_into_DarkBit_Ransomware
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Diving_Deep_into_DarkBit_Ransomware
- Date of Scan:
- 2023-02-16
- Impact:
- LOW
- Summary:
- Cyble researchers have recently detected a sample of the DarkBit ransomware and analyzed its details.
Source:
https://blog.cyble.com/2023/02/15/uncovering-the-dark-side-of-darkbit-ransomware/
LockBit_2_0_Ransomware_is_Back
MEDIUM
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- LockBit_2_0_Ransomware_is_Back
- Date of Scan:
- 2023-02-16
- Impact:
- MEDIUM
- Summary:
- ASEC researchers have identified that Lockbit 2.0 is being distributed in a MalPE format instead of the NSIS format.
Microsoft_OneNote_Sample_Targeting_Cisco_VPN
LOW
+
—
—
- Intel Source:
- DOCGuard
- Intel Name:
- Microsoft_OneNote_Sample_Targeting_Cisco_VPN
- Date of Scan:
- 2023-02-16
- Impact:
- LOW
- Summary:
- Researchers from DOCGuard have identified that the Microsoft OneNote sample targeting Cisco VPN users bypasses all the antiviruses.
Source:
https://twitter.com/doc_guard/status/1625872935595507713
Qakbot_Malware_Distributing_via_OneNote
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Qakbot_Malware_Distributing_via_OneNote
- Date of Scan:
- 2023-02-15
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified that Qakbot stopped using MS Office Macro, their past distribution method, and instead started to use OneNote to execute their malware.
A_Deep_Investigation_of_VMware_ESXi_Servers_Vulnerability
LOW
+
—
—
- Intel Source:
- BitDefender
- Intel Name:
- A_Deep_Investigation_of_VMware_ESXi_Servers_Vulnerability
- Date of Scan:
- 2023-02-15
- Impact:
- LOW
- Summary:
- BitDefender researchers have investigated the VMware ESXi servers vulnerability which was targeted by Opportunistic Threat Actors and advised users to patch it immediately.
Turkish_Earthquake_Leads_to_Fake_Donation_Schemes
MEDIUM
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Turkish_Earthquake_Leads_to_Fake_Donation_Schemes
- Date of Scan:
- 2023-02-15
- Impact:
- MEDIUM
- Summary:
- Researchers from Cyble have discovered various domains and IP addresses hosting websites that claim to be collecting funds to aid those affected by the earthquake in Turkey and Syria.
Active_IOCs_of_Tofsee_Malware
LOW
+
—
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Tofsee_Malware
- Date of Scan:
- 2023-02-15
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Tofsee Malware. It has been around since 2016. Once installed on a compromised computer, it can be used to send spam emails and gather user data.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alerts-tofsee-malware-active-iocs
New_Malware_That_Can_Fly_Under_the_Radar
LOW
+
—
—
- Intel Source:
- Minerva Labs
- Intel Name:
- New_Malware_That_Can_Fly_Under_the_Radar
- Date of Scan:
- 2023-02-15
- Impact:
- LOW
- Summary:
- Researchers from Minerva Labs have identified a new piece of evasive malware dubbed Beep that’s designed to fly under the radar and drop additional payloads onto a compromised host.
Source:
https://minerva-labs.com/blog/beepin-out-of-the-sandbox-analyzing-a-new-extremely-evasive-malware/
Pybot_DDoS_Distributing_With_Illegal_Software
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Pybot_DDoS_Distributing_With_Illegal_Software
- Date of Scan:
- 2023-02-15
- Impact:
- LOW
- Summary:
- ASEC researchers have monitoring malware that is being distributed through illegal software like software cracks or serial keygens and recently discovered Pybot DDoS being distributed with illegal software.
Diving_Deep_into_Mylobot
LOW
+
—
—
- Intel Source:
- BitSight
- Intel Name:
- Diving_Deep_into_Mylobot
- Date of Scan:
- 2023-02-14
- Impact:
- LOW
- Summary:
- BitSight researchers have analyzed the Mylobot malware and focused on its main capability, which is transforming the infected system into a proxy.
Source:
https://www.bitsight.com/blog/mylobot-investigating-proxy-botnet
Hackers_Targeting_Ukraine_Using_Remote_Utility_Program
MEDIUM
+
—
—
- Intel Source:
- CERT-UA
- Intel Name:
- Hackers_Targeting_Ukraine_Using_Remote_Utility_Program
- Date of Scan:
- 2023-02-14
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have identified a cyber attack on organizations and institutions in Ukraine using the Remote Utilities program.
Hackers_From_ChinaTargeting_GroupIB_Cybersecurity_Firm
MEDIUM
+
—
—
- Intel Source:
- Group-IB
- Intel Name:
- Hackers_From_ChinaTargeting_GroupIB_Cybersecurity_Firm
- Date of Scan:
- 2023-02-14
- Impact:
- MEDIUM
- Summary:
- Group-IB researchers have identified that an APT group known as Tonto Team has tried targeting the Singapore-based Group-IB cybersecurity firm for the second time.
Hackers_From_Dalbit_Group_Targeting_Vulnerable_Korean_Company_Servers
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Hackers_From_Dalbit_Group_Targeting_Vulnerable_Korean_Company_Servers
- Date of Scan:
- 2023-02-13
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that the Chinese threat actor group named Dalbit (m00nlight) is targeting vulnerable Korean company servers. Also, this group uses publicly available tools, from the WebShell used in the early stages to the ransomware used at the end.
Malicious_Npm_Package_Using_Typosquatting_to_Download_Malware
LOW
+
—
—
- Intel Source:
- Reversing Labs
- Intel Name:
- Malicious_Npm_Package_Using_Typosquatting_to_Download_Malware
- Date of Scan:
- 2023-02-13
- Impact:
- LOW
- Summary:
- Reversing Labs researchers have observed a package called “aabquerys” is spotted on the open-source JavaScript npm repository using typosquatting techniques to enable the download of malicious components.
Source:
https://www.reversinglabs.com/blog/open-source-malware-sows-havoc-on-supply-chain
Website_posing_as_Naver_login_page
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Website_posing_as_Naver_login_page
- Date of Scan:
- 2023-02-13
- Impact:
- LOW
- Summary:
- ASEC researchers have observed a situation where a fake Kakao login page is used to steal the account credentials of certain individuals.
The_Clop_Ransomware_Claims_to_Have_Breached_130_Organizations
MEDIUM
+
—
—
- Intel Source:
- Huntress
- Intel Name:
- The_Clop_Ransomware_Claims_to_Have_Breached_130_Organizations
- Date of Scan:
- 2023-02-13
- Impact:
- MEDIUM
- Summary:
- Researchers from Huntress have identified that Clop ransomware gang claims to be behind recent attacks that exploited a zero-day vulnerability in the GoAnywhere MFT secure file transfer tool, saying they stole data from over 130 organizations.
Source:
https://www.huntress.com/blog/investigating-intrusions-from-intriguing-exploits
Supply_Chain_Attack_by_New_Malicious_Python_Package
LOW
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- Supply_Chain_Attack_by_New_Malicious_Python_Package
- Date of Scan:
- 2023-02-13
- Impact:
- LOW
- Summary:
- FortiGate researchers have identified five malicious packages on the Python Package Index (PyPI), stealing passwords, Discord authentication cookies, and cryptocurrency wallets from unsuspecting developers.
AsyncRAT_Leveraging_Windows_Help_File
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- AsyncRAT_Leveraging_Windows_Help_File
- Date of Scan:
- 2023-02-13
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that AsyncRAT is distributing as a Windows help file (*.chm).
DPRK_Malicious_Cyber_Activities
MEDIUM
+
—
—
- Intel Source:
- CISA
- Intel Name:
- DPRK_Malicious_Cyber_Activities
- Date of Scan:
- 2023-02-12
- Impact:
- MEDIUM
- Summary:
- This cybersecurity advisory provides an overview of Democratic People’s Republic of Korea (DPRK), state-sponsored ransomware and their TTPs and IOCs DPRK cyber actors used to gain access to and conduct ransomware attacks against Healthcare and Public Health (HPH) Sector organizations and other critical infrastructure sector entities, as well as DPRK cyber actors’ use of cryptocurrency to demand ransoms.
Malicious_Google_Ads_Targeting_AWS_Login
LOW
+
—
—
- Intel Source:
- Sentinelone
- Intel Name:
- Malicious_Google_Ads_Targeting_AWS_Login
- Date of Scan:
- 2023-02-10
- Impact:
- LOW
- Summary:
- SentinelOne researchers have identified a new phishing campaign targeting Amazon Web Services (AWS) logins is abusing Google ads to sneak phishing sites into Google Search to steal login credentials.
Source:
https://www.sentinelone.com/blog/cloud-credentials-phishing-malicious-google-ads-target-aws-logins/
Hackers_Leveraging_HTML_Smuggling_to_Deliver_Malware
LOW
+
—
—
- Intel Source:
- SpiderLabs Blog
- Intel Name:
- Hackers_Leveraging_HTML_Smuggling_to_Deliver_Malware
- Date of Scan:
- 2023-02-10
- Impact:
- LOW
- Summary:
- SpiderLabs researchers have analyzed some notable malware strains that have utilized HTML smuggling in their infection chain and provide a brief analysis of each malware.
Ransomware_Attac_on_Critical_Infrastructure_Funded_by_DPRK
LOW
+
—
—
- Intel Source:
- CISA
- Intel Name:
- Ransomware_Attac_on_Critical_Infrastructure_Funded_by_DPRK
- Date of Scan:
- 2023-02-10
- Impact:
- LOW
- Summary:
- CISA researchers have identified TTPs and IOCs DPRK cyber actors using to gain access to and conduct ransomware attacks against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities, as well as DPRK cyber actors’ use of cryptocurrency to demand ransoms.
GootLoader_Leveraging_SEO_Poisoning_Techniques
LOW
+
—
—
- Intel Source:
- Cybereason
- Intel Name:
- GootLoader_Leveraging_SEO_Poisoning_Techniques
- Date of Scan:
- 2023-02-09
- Impact:
- LOW
- Summary:
- Cybereason researchers have investigated an incident that involved new deployment methods of the GootLoader malware loader through heavily-obfuscated JavaScript files.
Hackers_From_NewsPenguin_Targeting_Pakistani_Entities
LOW
+
—
—
- Intel Source:
- Blackberry
- Intel Name:
- Hackers_From_NewsPenguin_Targeting_Pakistani_Entities
- Date of Scan:
- 2023-02-09
- Impact:
- LOW
- Summary:
- BlackBerry researchers have identified an unknown threat actor dubbed NewsPenguin has been linked to a phishing campaign targeting Pakistani entities by leveraging the upcoming international maritime expo as a lure.
Analysis_of_ESXiArgs_Ransomware
LOW
+
—
—
- Intel Source:
- SecuInfra
- Intel Name:
- Analysis_of_ESXiArgs_Ransomware
- Date of Scan:
- 2023-02-09
- Impact:
- LOW
- Summary:
- In their post SecuInfrs analysts are analyzing the recent “ESXiArgs” Ransomware variant, which spread to a large number of outdated, internet-exposed ESXi Servers around the world.
Source:
https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
The_distribution_of_Quasar_RAT
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- The_distribution_of_Quasar_RAT
- Date of Scan:
- 2023-02-09
- Impact:
- LOW
- Summary:
- The ASEC analysis team just discovered the Quasar RAT malware through the private Home Trading System (HTS). It is assumed that the victims did not install their HTS from an institutional financial company, but instead, they got HPlus HTS through an unsanctioned source or a disguised financial investment company. The malware, Quasar, is a RAT malware that allows threat actors to gain control over infected systems to either steal information or perform malicious behaviors.
Malicious_aptX_Python_Package_Drops_Meterpreter_Shell
LOW
+
—
—
- Intel Source:
- Sonatypa
- Intel Name:
- Malicious_aptX_Python_Package_Drops_Meterpreter_Shell
- Date of Scan:
- 2023-02-09
- Impact:
- LOW
- Summary:
- Researchers from Sonatype have identified malicious Python packages on the PyPI software registry that carry out a bunch of nefarious activities.
Source:
https://blog.sonatype.com/malicious-aptx-python-package-drops-meterpreter-shell-deletes-netstat
New_Russian_Information_Stealing_Malware_Graphiron
MEDIUM
+
—
—
- Intel Source:
- Symantec
- Intel Name:
- New_Russian_Information_Stealing_Malware_Graphiron
- Date of Scan:
- 2023-02-09
- Impact:
- MEDIUM
- Summary:
- A new russian Nodaria group has installed a new malware threat that targets to steal a wide range of information from infected computers. The Nodaria espionage group (aka UAC-0056) is using a new piece of information stealing malware against targets in Ukraine. The malware (Infostealer.Graphiron) is written in Go language and is meant to collect a wide range of information from the infected computer, including system information, credentials, screenshots, and files.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer
A_Backdoor_with_Smart_Screenshot_Capability
LOW
+
—
—
- Intel Source:
- ISC.SANS
- Intel Name:
- A_Backdoor_with_Smart_Screenshot_Capability
- Date of Scan:
- 2023-02-09
- Impact:
- LOW
- Summary:
- Researchers from SANS have identified that backdoors and trojans implemented screenshot capabilities to “see” what’s displayed on the victim’s computer and to take a screenshot in Python.
The_malware_attacks_distributed_by_SteelClove_group
LOW
+
—
—
- Intel Source:
- NTT Security
- Intel Name:
- The_malware_attacks_distributed_by_SteelClove_group
- Date of Scan:
- 2023-02-09
- Impact:
- LOW
- Summary:
- NTT Security SOC team shared the latest tactics in attacks by SteelClover among the most recently observed cases of malware distribution via Google Ads. SteelClover is an attack group that has been active since 2019, and their purpose is money.
Source:
https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle
Hackers_Targeting_State_Bodies_of_Ukraine
MEDIUM
+
—
—
- Intel Source:
- CERT-UA
- Intel Name:
- Hackers_Targeting_State_Bodies_of_Ukraine
- Date of Scan:
- 2023-02-08
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have identified mass distribution of e-mails and an attachment in the form of RAR- archive “court letter, information on debt.rar.”
Ransomware_Attacks_Targeting_VMware_ESXi_Servers
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Ransomware_Attacks_Targeting_VMware_ESXi_Servers
- Date of Scan:
- 2023-02-08
- Impact:
- LOW
- Summary:
- Cyble researchers have identified a ransomware attack targeting VMware ESXi servers to deploy ESXi Args Ransomware.
Source:
https://blog.cyble.com/2023/02/06/massive-ransomware-attack-targets-vmware-esxi-servers/
Royal_Ransomware_Targeting_VMware_ESXi_Servers_in_Linux_Devices
LOW
+
—
—
- Intel Source:
- Equinix Threat Analysis Center
- Intel Name:
- Royal_Ransomware_Targeting_VMware_ESXi_Servers_in_Linux_Devices
- Date of Scan:
- 2023-02-08
- Impact:
- LOW
- Summary:
- Researchers from Equinix Threat Analysis Center (ETAC) have identified that Royal ransomware updating techniques for encrypting Linux devices and specially targeting VMware ESXi virtual machines.
Source:
https://twitter.com/BushidoToken/status/1621087221905514496
Earth_Zhulong_Threat_Group_Targeting_Vietnam_Telecom_and_Media_Sector
MEDIUM
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- Earth_Zhulong_Threat_Group_Targeting_Vietnam_Telecom_and_Media_Sector
- Date of Scan:
- 2023-02-08
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have discovered a new hacking group that is targeting Vietnam’s telecom, technology, and media sectors. The group is dubbed as Earth Zhulong and it is related to the Chinese-linked hacking group 1937CN based on similar code in the custom shellcode loader and victimology.
Source:
https://www.trendmicro.com/en_us/research/23/b/earth-zhulong-familiar-patterns-target-vietnam.html
Magniber_Ransomware_Distributing_Again_in_Korea
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Magniber_Ransomware_Distributing_Again_in_Korea
- Date of Scan:
- 2023-02-08
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the redistribution of Magniber disguised as normal Windows Installers (MSI). The distributed Magniber files have MSI as their extensions, disguising themselves as Windows update files.
Cl0p_Ransomware_Targets_Linux_Systems
LOW
+
—
—
- Intel Source:
- Sentinelone
- Intel Name:
- Cl0p_Ransomware_Targets_Linux_Systems
- Date of Scan:
- 2023-02-08
- Impact:
- LOW
- Summary:
- Researchers from SentinelOne have observed the first ELF variant of Cl0p (also known as Clop) ransomware variant targeting Linux systems. The new variant is similar to the Windows variant, using the same encryption method and similar process logic.
ASEC_Weekly_Malware_samples_January_30th_to_February_5th_2023
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_samples_January_30th_to_February_5th_2023
- Date of Scan:
- 2023-02-08
- Impact:
- LOW
- Summary:
- The ASEC analysis team keeps monitoring a weekly malware collection samples for January 30 – February 5th, 2023. The top malwares for this week is SmokeLoader, BeamWinHTTP, Formbook, Quasar RAT and Redline.
Newly_Threat_Actor_TA866_Distributing_Malware_via_Email
MEDIUM
+
—
—
- Intel Source:
- Proofpoint
- Intel Name:
- Newly_Threat_Actor_TA866_Distributing_Malware_via_Email
- Date of Scan:
- 2023-02-08
- Impact:
- MEDIUM
- Summary:
- Researchers from Proofpoint have observed a cluster of evolving financially motivated activity which they are referring to as “Screentime”. The attack chain starts with an email containing a malicious attachment or URL and leads to malware that Proofpoint dubbed WasabiSeed and Screenshotter.
Analysis_of_the_AveMaria_infostealer_attack_chain
LOW
+
—
—
- Intel Source:
- Zscaler
- Intel Name:
- Analysis_of_the_AveMaria_infostealer_attack_chain
- Date of Scan:
- 2023-02-07
- Impact:
- LOW
- Summary:
- Zscaler’s ThreatLabz research team monitors and tracks very close active threat campaigns. In their report they provided the seven case studies that follow provide an in-depth analysis of the AveMaria infostealer attack chain and how it has been shifting over the past six months.
Active_IOCs_of_Trickbot_Malware
MEDIUM
+
—
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Trickbot_Malware
- Date of Scan:
- 2023-02-07
- Impact:
- MEDIUM
- Summary:
- Researchers from Rewterz have identified the active IOCs of Trickbot Malware. It is operating since 2016. It is primarily distributed through phishing campaigns and is known for its ability to steal sensitive information such as login credentials, financial information, and personal data.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-trickbot-malware-active-iocs-30
The_Trigona_ransomware_variant
MEDIUM
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Trigona_ransomware_variant
- Date of Scan:
- 2023-02-07
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs got together the report for the Trigona ransomware with the details and insights of this ransomware landscape protection against those variants.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-trigona-ransomware
New_Medusa_Botnet_targeting_Linux_Users
MEDIUM
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- New_Medusa_Botnet_targeting_Linux_Users
- Date of Scan:
- 2023-02-07
- Impact:
- MEDIUM
- Summary:
- Cyble Research and Intelligence Labs has been monitoring on the actions of the MiraiBot and its behavior. A botnet capable of Performing DDoS, Ransomware, and Bruteforce Attacks.
Source:
https://blog.cyble.com/2023/02/03/new-medusa-botnet-emerging-via-mirai-botnet-targeting-linux-users/
The_cases_of_threat_actors_using_Sliver_malware
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- The_cases_of_threat_actors_using_Sliver_malware
- Date of Scan:
- 2023-02-07
- Impact:
- LOW
- Summary:
- This ASEC blog is desctibing recent cases of threat actors using Sliver in addition to Cobalt Strike and Metasploit. The ASEC (AhnLab Security Emergency response Center) analysis team keeps eye on the attacks against systems with either unpatched vulnerabilities or misconfigured settings. A recently discovered a Sliver backdoor being installed through what is presumed to be vulnerability exploitation on certain software.
Hackers_backdoor_Windows_Devices_in_Sliver_and_BYOVD_Attacks
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Hackers_backdoor_Windows_Devices_in_Sliver_and_BYOVD_Attacks
- Date of Scan:
- 2023-02-07
- Impact:
- LOW
- Summary:
- ASEC researchers have identified a new hacking campaign that exploits Sunlogin flaws to deploy the Sliver post-exploitation toolkit and launch Windows Bring Your Own Vulnerable Driver (BYOVD) attacks to disable security software.
Observed_intrusion_used_AutoHotkey_to_launch_a_keylogger
LOW
+
—
—
- Intel Source:
- Diff Report
- Intel Name:
- Observed_intrusion_used_AutoHotkey_to_launch_a_keylogger
- Date of Scan:
- 2023-02-07
- Impact:
- LOW
- Summary:
- The Diff team observed a compromise that used with a Word document containing a malicious VBA macro, which established persistence and communication to a command and control server (C2). During the initial discovery and user enumeration, the threat actor used AutoHotkey to launch a keylogger.
Source:
https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/
Hackers_Leveraging_Microsoft_Visual_Studio_Add_Ins_to_Push_Malware
LOW
+
—
—
- Intel Source:
- Deep Instinct
- Intel Name:
- Hackers_Leveraging_Microsoft_Visual_Studio_Add_Ins_to_Push_Malware
- Date of Scan:
- 2023-02-06
- Impact:
- LOW
- Summary:
- Deep Instinct researchers have observed that hackers start using Microsoft Visual Studio Tools for Office (VSTO) more often as method to achieve persistence and execute code on a target machine via malicious Office add-ins.
Source:
https://www.deepinstinct.com/blog/no-macro-no-worries-vsto-being-weaponized-by-threat-actors
Supply_Chain_Attack_by_New_Malicious_Python_Package_web3_essential
MEDIUM
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- Supply_Chain_Attack_by_New_Malicious_Python_Package_web3_essential
- Date of Scan:
- 2023-02-06
- Impact:
- MEDIUM
- Summary:
- FortiGate researchers have discovered another new 0-day attack in a PyPI package (Python Package Index) called web3-essential. The package includes malicious code in its setup.py installation script that downloads and runs an executable file as a part of its installation.
ASEC_Weekly_Malware_samples_January_23_29th_2023
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_samples_January_23_29th_2023
- Date of Scan:
- 2023-02-06
- Impact:
- LOW
- Summary:
- The ASEC analysis team keep monitoring weekly malware collection samples for January 23-29th, 2023. The top malwares for this week is SmokeLoader, BeamWinHTTP, Formbook, AgentTesla and SnakeKeylogger.
The_Gambling_Industry_is_targeted_by_Ice_Breaker_Operation
LOW
+
—
—
- Intel Source:
- Security Joes
- Intel Name:
- The_Gambling_Industry_is_targeted_by_Ice_Breaker_Operation
- Date of Scan:
- 2023-02-06
- Impact:
- LOW
- Summary:
- In September of last year, Security Joes IRT was informed about an incident with an attempt of social engineering an online customer service platform. Due to custom-built rules and extensive employee awareness training, Security Joes IRT was able to push back these threats. Recently they tracked a new threat actor as Ice Breaker APT. Although research is still ongoing, the team is sharing this article to reveal the attacker’s Modus Operandi, attack chain, ways to mitigate the threat and supported IOCs, TTPs and Yara.
New_BATLoader_Spreading_RATs_and_Stealers
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- New_BATLoader_Spreading_RATs_and_Stealers
- Date of Scan:
- 2023-02-05
- Impact:
- LOW
- Summary:
- Cyble researchers have observed a novel type of BAT loader is used to distribute a range of RAT and Stealer malware families. This loader employs an innovative method to deliver the malicious payload to the user system.
Source:
https://blog.cyble.com/2023/02/02/new-batloader-disseminates-rats-and-stealers/
The_Details_Examination_of_Malware_Technique
LOW
+
—
—
- Intel Source:
- Quickheal
- Intel Name:
- The_Details_Examination_of_Malware_Technique
- Date of Scan:
- 2023-02-05
- Impact:
- LOW
- Summary:
- QuickHeal researchers have observed crucial steps in the attack chain, like, how is the malware able to achieve administrative privileges to perform changes in the system.
DotNET_Malware_Loaders_aka_MalVirt_Distributing_Through_Malvertising_Attack
LOW
+
—
—
- Intel Source:
- Sentinelone
- Intel Name:
- DotNET_Malware_Loaders_aka_MalVirt_Distributing_Through_Malvertising_Attack
- Date of Scan:
- 2023-02-04
- Impact:
- LOW
- Summary:
- SentinelOne researchers have observed a cluster of virtualized .NET malware loaders distributing through malvertising attacks and the loader dubbed MalVirt, uses obfuscated virtualization for anti-analysis and evasion along with the Windows Process Explorer driver for terminating processes.
Source:
https://www.sentinelone.com/labs/malvirt-net-virtualization-thrives-in-malvertising-attacks/
Qakbot_Rising_with_New_Strategies
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Qakbot_Rising_with_New_Strategies
- Date of Scan:
- 2023-02-04
- Impact:
- LOW
- Summary:
- Cyble researchers have identified that threat actors leveraging Microsoft OneNote to infect users.
Source:
https://blog.cyble.com/2023/02/01/qakbots-evolution-continues-with-new-strategies/
Hackers_From_Korea_Exploiting_Unpatched_Zimbra_Devices
LOW
+
—
—
- Intel Source:
- WithSecure
- Intel Name:
- Hackers_From_Korea_Exploiting_Unpatched_Zimbra_Devices
- Date of Scan:
- 2023-02-04
- Impact:
- LOW
- Summary:
- Researchers from WithSecurity have identified a new intelligence-gathering campaign linked to the prolific North Korean state-sponsored Lazarus Group leveraged known security flaws in unpatched Zimbra devices to compromise victim systems.
Mustang_Panda_APT_Group_Targeting_Europe_With_Spearphishing_Campaign
LOW
+
—
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Mustang_Panda_APT_Group_Targeting_Europe_With_Spearphishing_Campaign
- Date of Scan:
- 2023-02-04
- Impact:
- LOW
- Summary:
- EclecticIQ researchers have identified that the Mustang Panda APT group started targeting Europe with a new spearphishing campaign using a customized variant of the PlugX backdoor.
Hackers_From_APT34_Targeting_The_Middle_East
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- Hackers_From_APT34_Targeting_The_Middle_East
- Date of Scan:
- 2023-02-03
- Impact:
- LOW
- Summary:
- TrendMicro researchers have identified a suspicious executable that was dropped and executed on multiple machines. Upon investigation, It is inked with APT34, and the main goal is to steal users’ credentials. Even in case of a password reset or change, the malware is capable of sending the new credentials to the threat actors.
Source:
https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html
HeadCrab_Malware_Compromising_Redis_Servers
LOW
+
—
—
- Intel Source:
- Aqua Blog
- Intel Name:
- HeadCrab_Malware_Compromising_Redis_Servers
- Date of Scan:
- 2023-02-03
- Impact:
- LOW
- Summary:
- Aqua security researchers have identified that around 1,200 Redis database servers worldwide have been corralled into a botnet using an elusive and severe threat dubbed HeadCrab since early September 2021.
Source:
https://blog.aquasec.com/headcrab-attacks-servers-worldwide-with-novel-state-of-art-redis-malware
Malicious_LNK_File_Disguising_as_a_Normal_HWP_Document
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Malicious_LNK_File_Disguising_as_a_Normal_HWP_Document
- Date of Scan:
- 2023-02-03
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the distribution of a malicious LNK file disguised as a normal HWP document, Along with a text file impersonating the National Tax Service.
The_track_of_tactics_of_the_threat_actor_PYTA27
LOW
+
—
—
- Intel Source:
- Checkmarx
- Intel Name:
- The_track_of_tactics_of_the_threat_actor_PYTA27
- Date of Scan:
- 2023-02-02
- Impact:
- LOW
- Summary:
- The Checkmarx threat reserachers analyzed In this blog the tactics of one attacker who has been distributing their packages for at least four months and shows no signs of stopping. This actor is tracked as PYTA27.
Source:
https://checkmarx.com/blog/evolution-of-a-software-supply-chain-attacker/
The_Ministry_of_Foreign_Affairs_official_of_Ukraine_Web_Resource_Imitated
MEDIUM
+
—
—
- Intel Source:
- CERT-UA
- Intel Name:
- The_Ministry_of_Foreign_Affairs_official_of_Ukraine_Web_Resource_Imitated
- Date of Scan:
- 2023-02-02
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have discovered a web page imitating the official web resource of the Ministry of Foreign Affairs of Ukraine, which offers to download software for the detection of infected computers.
Remote_Desktop_Files_targeted_by_evasive_malware
MEDIUM
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Remote_Desktop_Files_targeted_by_evasive_malware
- Date of Scan:
- 2023-02-02
- Impact:
- MEDIUM
- Summary:
- Cyble Research and Intelligence Labs (CRIL) discovered a new malware named ‘Vector Stealer’, which can steal .rdp files. By stealing these RDP files it can enableThreat Actors to do RDP hijacking as these files have details about the RDP session, including information needed for remote access.
Source:
https://blog.cyble.com/2023/02/01/vector-stealer-a-gateway-for-rdp-hijacking/
CoinMiners_Mining_Ethereum_Classic_Coins_attack_cases
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- CoinMiners_Mining_Ethereum_Classic_Coins_attack_cases
- Date of Scan:
- 2023-02-02
- Impact:
- LOW
- Summary:
- The ASEC analysis team is observing CoinMiners that are targeting Korean and overseas users. The ASEC analysis team studied cases of various types of CoinMiner attacks over multiple blog posts in the past. They shared information to introduce the recently discovered malware that mine Ethereum Classic coins.
The_spread_of_Redline_Infostealer_Malware
MEDIUM
+
—
—
- Intel Source:
- Rapid7
- Intel Name:
- The_spread_of_Redline_Infostealer_Malware
- Date of Scan:
- 2023-02-02
- Impact:
- MEDIUM
- Summary:
- Recently, Rapid7 discovered the activity of malicious actors using OneNote files to deliver malicious code. Rapid 7 found a specific technique that used OneNote files containing batch scripts, which upon execution started an instance of a renamed PowerShell process to decrypt and execute a base64 encoded binary.
Active_IOCs_of_LockBit_Green
MEDIUM
+
—
—
- Intel Source:
- PRODAFT
- Intel Name:
- Active_IOCs_of_LockBit_Green
- Date of Scan:
- 2023-02-02
- Impact:
- MEDIUM
- Summary:
- Researchers from Prodaft have identified that the LockBit ransomware team made a so-called “LockBit Green” version of their ransomware available.
Microsoft_OneNote_Documents_Delivering_Malware_via_Email
MEDIUM
+
—
—
- Intel Source:
- Proofpoint
- Intel Name:
- Microsoft_OneNote_Documents_Delivering_Malware_via_Email
- Date of Scan:
- 2023-02-02
- Impact:
- MEDIUM
- Summary:
- Proofpoint researchers have identified an increase in threat actor use of OneNote documents to deliver malware via email to unsuspecting end-users in December 2022 and January 2023.
GuLoader_Encrypted_With_NSIS_Crypter
LOW
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- GuLoader_Encrypted_With_NSIS_Crypter
- Date of Scan:
- 2023-02-02
- Impact:
- LOW
- Summary:
- In their post post, the Unit 42 researchers discussed a machine learning pipeline and analyses of one GuLoader downloader that has been encrypted with an Nullsoft Scriptable Install System (NSIS) crypter. NSIS is an open source system to create Windows installers.
Source:
https://unit42.paloaltonetworks.com/malware-detection-accuracy/
NikoWiper_Malware_Targeting_Ukraine_Energy_Sector
LOW
+
—
—
- Intel Source:
- Welivesecurity
- Intel Name:
- NikoWiper_Malware_Targeting_Ukraine_Energy_Sector
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- ESET researchers have analyzed the activities of selected APT groups and identified the Russia-affiliated Sandworm using another wiper malware strain dubbed NikoWiper as part of an attack that took place in October 2022 targeting an energy sector company in Ukraine.
Source:
https://www.welivesecurity.com/wp-content/uploads/2023/01/eset_apt_activity_report_t32022.pdf
The_Analysis_of_Cryptojacks_System_to_Mine_for_Monero_Crypto
LOW
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Analysis_of_Cryptojacks_System_to_Mine_for_Monero_Crypto
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- Fortinet researchers have analyzed the crypto miner software that is delivering via the Excel document and executing it on the victim device.
An_ongoing_phishing_campaign_that_impersonates_Southwest_Airlines
LOW
+
—
—
- Intel Source:
- Inky
- Intel Name:
- An_ongoing_phishing_campaign_that_impersonates_Southwest_Airlines
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- Last December, INKY observed and detected an ongoing phishing campaign that impersonates Southwest Airlines. Phishing emails are being sent from newly created domains, set up explicitly for these attacks.
Source:
https://www.inky.com/en/blog/fresh-phish-southwests-flying-phish-takes-off-with-your-credentials
LockBit_s_new_Black_variant_attack
MEDIUM
+
—
—
- Intel Source:
- Quickheal
- Intel Name:
- LockBit_s_new_Black_variant_attack
- Date of Scan:
- 2023-02-01
- Impact:
- MEDIUM
- Summary:
- The Quickheak team investigated and analyzed about the LockBit’s new Black variant attack. They have determined that the new LockBit 3.0 variant has a high infection vector and attack chain exhibiting substantial anti-forensic activity. This variant showed that is capable of clearing the event logs, killing multiple tasks, and deleting services simultaneously. It also can obtain initial access to the victim’s network via SMB brute forcing from various IPs.
Source:
https://blogs.quickheal.com/uncovering-lockbit-blacks-attack-chain-and-anti-forensic-activity/
The_Similarities_Between_Abraham_s_Ax_and_Moses_Staff_Group
LOW
+
—
—
- Intel Source:
- Secureworks
- Intel Name:
- The_Similarities_Between_Abraham_s_Ax_and_Moses_Staff_Group
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- Researchers from SecureWorks have analyzed the similarities between the Moses Staff hacktivist group persona that emerged in September 2021 and the Abraham’s Ax persona that emerged in November 2022.
Source:
https://www.secureworks.com/blog/abrahams-ax-likely-linked-to-moses-staff
New_Version_of_Nevada_Ransomware
MEDIUM
+
—
—
- Intel Source:
- Resecurity
- Intel Name:
- New_Version_of_Nevada_Ransomware
- Date of Scan:
- 2023-02-01
- Impact:
- MEDIUM
- Summary:
- Resecurity researchers have identified a new version of Nevada Ransomware which recently emerged on the Dark Web right before the start of 2023. The actors behind this new project have an affiliate platform first introduced on the RAMP underground community, which is known for initial access brokers (IABs) and other cybercriminal actors and ransomware groups.
Source:
https://resecurity.com/blog/article/nevada-ransomware-waiting-for-the-next-dark-web-jackpot
An_Email_Specific_Phishing_Page
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- An_Email_Specific_Phishing_Page
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- ASEC researchers have identified multiple phishing emails that are distributed with a changing icon to reflect the mail account service entered by the user and send a warning that their account will be shut down, prompting them to click the ‘Reactivate Now’ link if they need their account kept active.
Malware_Packer_TrickGate_Using_by_Several_Malware_to_Evade_Detection
LOW
+
—
—
- Intel Source:
- Checkpoint
- Intel Name:
- Malware_Packer_TrickGate_Using_by_Several_Malware_to_Evade_Detection
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- Researchers from Checkpoint have identified a shellcode-based packer dubbed TrickGate has been successfully operating without attracting notice for over six years, while enabling threat actors to deploy a wide range of malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil over the years.
TZW_Ransomware_Distributing_in_Korea
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- TZW_Ransomware_Distributing_in_Korea
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the distribution of the TZW ransomware, which encrypts files before adding the “TZW” file extension to the original extension.
Phishing_Emails_Circulating_With_Requests_for_Product_Quotation
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Phishing_Emails_Circulating_With_Requests_for_Product_Quotation
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified phishing emails with content related to requests for product quotations. These phishing emails are all disguised to seem as if they were sent by a manager with a high position, such as the team leader or department director of production companies or foundries, and were also .html and .htm attachments.
Google_Ads_Targeting_Password_Manager
LOW
+
—
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Google_Ads_Targeting_Password_Manager
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- Researchers from Malwarebytes have identified a new malvertising campaign that makes use of Google Ads to target users looking for password managers.
Changes_in_the_IcedID_malware_strategy
MEDIUM
+
—
—
- Intel Source:
- Esentire
- Intel Name:
- Changes_in_the_IcedID_malware_strategy
- Date of Scan:
- 2023-02-01
- Impact:
- MEDIUM
- Summary:
- Last December 2022, Esentire threat intel team observed IcedID infections that were traced to payloads downloaded by users from the Internet. This observation matched with a general uptick in successful IcedID infections in Q4 of 2022, which saw 35% percent of IcedID incidents for the period between January 2022 and January 2023. The observed IcedID infections have originated exclusively via drive-by attacks, specifically Google Search Ads targeting common applications.
Source:
https://www.esentire.com/blog/icedid-malware-shifts-its-delivery-strategy
The_Magniber_ransomware_spotlight
MEDIUM
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_Magniber_ransomware_spotlight
- Date of Scan:
- 2023-01-31
- Impact:
- MEDIUM
- Summary:
- After it was originally discovered in 2017, Magniber came back in 2021. It is aiming some Asian countries and TrendMicro found out about the exploitation of new vulnerabilities for initial access, including CVE-2021-26411, CVE-2021-40444, and most notably the PrintNightmare vulnerability, CVE-2021-34527
Source:
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-magniber
ASEC_Weekly_Malware_samples_January_16_22nd_2023
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_samples_January_16_22nd_2023
- Date of Scan:
- 2023-01-31
- Impact:
- LOW
- Summary:
- The ASEC analysis team keep monitoring weekly malware collection samples for January 16-22nd, 2023. They shared their analyses of the cases of distribution of phishing emails during this week and provide statistical information on each type.
Hackers_From_BlueBravo_Deploying_GraphicalNeutrino_Malware
LOW
+
—
—
- Intel Source:
- Recorded Future
- Intel Name:
- Hackers_From_BlueBravo_Deploying_GraphicalNeutrino_Malware
- Date of Scan:
- 2023-01-31
- Impact:
- LOW
- Summary:
- Recorded Future researchers have identified the new malware used by BlueBravo threat group, which overlaps with Russian APT activity tracked as APT29 and NOBELIUM, which Western governments and researchers have linked to the Russian Foreign Intelligence Service (SVR).
Source:
https://www.recordedfuture.com/bluebravo-uses-ambassador-lure-deploy-graphicalneutrino-malware
Gootkit_Malware_Updating_With_New_Components_and_Obfuscations
LOW
+
—
—
- Intel Source:
- Mandiant
- Intel Name:
- Gootkit_Malware_Updating_With_New_Components_and_Obfuscations
- Date of Scan:
- 2023-01-30
- Impact:
- LOW
- Summary:
- Mandiant researchers have identified that the threat actors associated with the Gootkit malware have made notable changes to their toolset, adding new components and obfuscations to their infection chains.
Source:
https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations
Sandworm_APT_Targeting_Ukraine
LOW
+
—
—
- Intel Source:
- ESET
- Intel Name:
- Sandworm_APT_Targeting_Ukraine
- Date of Scan:
- 2023-01-30
- Impact:
- LOW
- Summary:
- ESET researchers have discovered a new Golang-based wiper, dubbed SwiftSlicer, that is used in attacks aimed at Ukraine. Also, they believe that the Russia-linked APT group Sandwork (aka BlackEnergy and TeleBots) is behind the wiper attacks.
Database_Injection_Attacks_Compromise_WordPress_Sites
LOW
+
—
—
- Intel Source:
- Sucuri
- Intel Name:
- Database_Injection_Attacks_Compromise_WordPress_Sites
- Date of Scan:
- 2023-01-30
- Impact:
- LOW
- Summary:
- Sucuri researchers have identified a massive campaign that infects over 4,500 WordPress websites as part of a long-running operation. According to GoDaddy-owned Sucuri, the infections involve the injection of obfuscated JavaScript hosted on a malicious domain that’s designed to redirect visitors to undesirable sites.
The_Deep_Examination_of_Venom_Spider
LOW
+
—
—
- Intel Source:
- Esentire
- Intel Name:
- The_Deep_Examination_of_Venom_Spider
- Date of Scan:
- 2023-01-30
- Impact:
- LOW
- Summary:
- Esentire researchers have discovered the real-world identity of the threat actor behind Golden Chickens malware-as-a-service, who goes by the online persona badbullzvenom.
Source:
https://www.esentire.com/web-native-pages/unmasking-venom-spider
Realtek_SDK_Vulnerability_Attempting_to_Hack_IoT_Devices
LOW
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- Realtek_SDK_Vulnerability_Attempting_to_Hack_IoT_Devices
- Date of Scan:
- 2023-01-30
- Impact:
- LOW
- Summary:
- Researchers from PaloAlto have observed the spike in exploitation attempts weaponizing a critical remote code execution flaw in Realtek Jungle SDK, the ongoing campaign is said to have recorded 134 million exploit attempts as of December 2022, with 97% of the attacks occurring in the past four months.
Source:
https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/#post-126726-_f37quwequ6r
Hackers_From_Sandworm_Group_Targeting_News_Agencies
LOW
+
—
—
- Intel Source:
- CERT-UA
- Intel Name:
- Hackers_From_Sandworm_Group_Targeting_News_Agencies
- Date of Scan:
- 2023-01-30
- Impact:
- LOW
- Summary:
- Researchers from CERT-UA have identified the five different data-wiping malware strains deploying on the network of the country’s national news agency (Ukrinform) on January 17th.
ASEC_Weekly_Malware_samples_January_8_14th_2023
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_samples_January_8_14th_2023
- Date of Scan:
- 2023-01-28
- Impact:
- LOW
- Summary:
- The ASEC analysis team keep monitoring weekly malware collection samples for January 8-14th, 2023. They shared their analyses of thee cases of distribution of phishing emails during this week and provide statistical information on each type.
Mimic_Ransomware_Targeting_Russian_and_English_Speaking_Users
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- Mimic_Ransomware_Targeting_Russian_and_English_Speaking_Users
- Date of Scan:
- 2023-01-27
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage.
Titan_Stealer_Leveraging_GoLang
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Titan_Stealer_Leveraging_GoLang
- Date of Scan:
- 2023-01-27
- Impact:
- LOW
- Summary:
- Cyble researchers have observed that threat actors use Golang for their information stealer malware. Additionally, it is spotted, Titan stealer using multiple Command and Control (C&C) infrastructures targeting new victims.
Source:
https://blog.cyble.com/2023/01/25/titan-stealer-the-growing-use-of-golang-among-threat-actors/
Cybercriminals_Leveraging_Legitimate_RMM_software
MEDIUM
+
—
—
- Intel Source:
- CISA
- Intel Name:
- Cybercriminals_Leveraging_Legitimate_RMM_software
- Date of Scan:
- 2023-01-27
- Impact:
- MEDIUM
- Summary:
- CISA researchers have identified a widespread cyber campaign involving the malicious use of legitimate RMM software. Specifically, cyber-criminal actors send phishing emails to the target to download legitimate RMM software—ScreenConnect (now ConnectWise Control) and AnyDesk—which the actors use in a refund scam to steal money from victim bank accounts.
Chinese_PlugX_Malware_Hidden_in_USB_Devices
MEDIUM
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- Chinese_PlugX_Malware_Hidden_in_USB_Devices
- Date of Scan:
- 2023-01-27
- Impact:
- MEDIUM
- Summary:
- Researchers from PaloAlto have discovered a similar variant of PlugX in VirusTotal that infects USB devices and copies all Adobe PDF and Microsoft Word files from the host. It places these copies in a hidden folder on the USB device that is created by the malware.
Source:
https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/
Kronos_Malware_Increasing_its_Functionality
LOW
+
—
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- Kronos_Malware_Increasing_its_Functionality
- Date of Scan:
- 2023-01-27
- Impact:
- LOW
- Summary:
- Researchers from IBM Security Intelligence have identified that Kronos Malware is back with new functionality. It is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims.
Hackers_Targeting_Tech_Layoff_Employees_With_Job_Scams
MEDIUM
+
—
—
- Intel Source:
- Zscaler
- Intel Name:
- Hackers_Targeting_Tech_Layoff_Employees_With_Job_Scams
- Date of Scan:
- 2023-01-27
- Impact:
- MEDIUM
- Summary:
- Zscaler Threatlabz researchers have observed multiple suspicious job portals and surveys used by attackers to solicit information from job seekers under the guise of employment application forms. The attackers may advertise jobs online, sometimes setting up fake websites, or look for targets on social media to steal money and personal information.
The_Deep_Examination_of_GuLoader
LOW
+
—
—
- Intel Source:
- Trellix
- Intel Name:
- The_Deep_Examination_of_GuLoader
- Date of Scan:
- 2023-01-27
- Impact:
- LOW
- Summary:
- Trellix researchers have analyzed the multiple archive types used by threat actors to trick users into opening an email attachment and the progression of its distribution inside NSIS (Nullsoft Scriptable Install System) executable files by showing the obfuscation and string encryption updates through the year 2022.
Source:
https://www.trellix.com/en-us/about/newsroom/stories/research/guloader-the-nsis-vantage-point.html
New_Evasion_Methods_For_Emotet
LOW
+
—
—
- Intel Source:
- Blackberry
- Intel Name:
- New_Evasion_Methods_For_Emotet
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- BlackBerry researchers have observed that Emotet returns with new techniques. It is continued to steadily evolve, adding new techniques for evasion and increasing its likelihood of successful infections. It is also able to host an array of modules, each used for different aspects of information theft that report back to their command-and-control (C2) servers.
Source:
https://blogs.blackberry.com/en/2023/01/emotet-returns-with-new-methods-of-evasion
The_ConnectWise_Control_vulnerabilities_and_exploitation
LOW
+
—
—
- Intel Source:
- Huntress
- Intel Name:
- The_ConnectWise_Control_vulnerabilities_and_exploitation
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- During the month of December, the Huntress team has caught the talks surrounding supposed ConnectWise Control vulnerabilities and possibly in-the-wild exploitation. The Huntress team has been in contact with both the ConnectWise CISO and security team and did their own research on it and explained their opinions in the details.
Source:
https://www.huntress.com/blog/clearing-the-air-overblown-claims-of-vulnerabilities-exploits-severity
North_Korean_Hackers_Moving_With_Credential_Harvesting
LOW
+
—
—
- Intel Source:
- Proofpoint
- Intel Name:
- North_Korean_Hackers_Moving_With_Credential_Harvesting
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Researchers from Proofpoint have identified a well known North Korean threat group for crypto heists has been attributed to a new wave of malicious email attacks as part of a “sprawling” credential harvesting activity targeting a number of industry verticals, marking a significant shift in its strategy.
Source:
https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds
Hackers_Leveraging_ProxyNotShell_For_Attacks
LOW
+
—
—
- Intel Source:
- Bitdefender
- Intel Name:
- Hackers_Leveraging_ProxyNotShell_For_Attacks
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- BitDefender researchers have started observing an increase in attacks using ProxyNotShell/OWASSRF exploits chains to target on-premises Microsoft Exchange deployments.
Source:
https://businessinsights.bitdefender.com/technical-advisory-proxyhell-exploit-chains-in-the-wild
Active_IOCs_of_APT_Group_Gamaredon
LOW
+
—
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_APT_Group_Gamaredon
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of APT Group Gamaredon. It is a Russia-backed advanced persistent threat (APT) that has been operating since at least 2013. The group is believed to be operating out of Ukraine, and is thought to be focused on targeting Ukrainian government and military organizations, as well as individuals and organizations in the energy sector.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-apt-group-gamaredon-active-iocs-31
Active_IOCs_of_Remcos_RAT
LOW
+
—
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Remcos_RAT
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Remcos RAT. It is operating since 2016. This RAT was originally promoted as genuine software for remote control of Microsoft Windows from XP onwards, and is frequently found in phishing attempts due to its capacity to completely infect an afflicted machine.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-remcos-rat-active-iocs-86
Active_IOCs_of_Raccoon_Infostealer
LOW
+
—
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Raccoon_Infostealer
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Raccoon Infostealer. It gathers private data such as credit card numbers, cryptocurrency wallet addresses, login passwords, and browser information like cookies and history.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-raccoon-infostealer-active-iocs-39
The_rised_concern_of_Amadey_Bot
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- The_rised_concern_of_Amadey_Bot
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Recently, Cyble Research and Intelligence Labs (CRIL) has observed a huge spike of Amadey bot samples. It proved that threat actors are actively using this bot to infect victims’ systems with another malware.
Source:
https://blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/
Cybercriminals_Using_JQuery_to_Spread_Malware
LOW
+
—
—
- Intel Source:
- SocInvestigation
- Intel Name:
- Cybercriminals_Using_JQuery_to_Spread_Malware
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Researchers from SocInvestigation have identified that the popular javascript library “JQuery” is used by hackers for distributing malware.
Source:
https://www.socinvestigation.com/malicious-jquery-javascript-threat-detection-incident-response/
Critical_ManageEngine_Vulnerability_Observed
MEDIUM
+
—
—
- Intel Source:
- Rapid 7
- Intel Name:
- Critical_ManageEngine_Vulnerability_Observed
- Date of Scan:
- 2023-01-26
- Impact:
- MEDIUM
- Summary:
- Rapid7 is taking precausios steps from the vulnerability exploitation of CVE-2022-47966. Several of the affected products are extremely popular with organizations and attackers, including ADSelfService Plus and ServiceDesk Plus. Rapid7 provided a detailed analysis of CVE-2022-47966 in AttackerKB. Rapid7 vulnerability research team discovered during testing that some products may be more exploitable than others: ServiceDesk Plus and ADSelfService.
Hackers_From_DragonSpark_Using_Golang_Malware_to_Avoid_Detection
MEDIUM
+
—
—
- Intel Source:
- Sentinelone
- Intel Name:
- Hackers_From_DragonSpark_Using_Golang_Malware_to_Avoid_Detection
- Date of Scan:
- 2023-01-26
- Impact:
- MEDIUM
- Summary:
- Researchers from SentinelOne have identified that companies in East Asia are being targeted by a Chinese-speaking threat actor named DragonSpark. The attacks are characterized by the use of the little-known open-source SparkRAT and malware that attempts to evade detection through Golang source code interpretation.
Active_IOCs_of_Ursnif_Banking_Trojan_aka_Gozi
LOW
+
—
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Ursnif_Banking_Trojan_aka_Gozi
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Ursnif Banking Trojan aka Gozi. It is also known as Gozi and Dreambot has been around for more than 10 years. It gained popularity in 2015 when its source code was published on Github and since then the moderators have always tweaked some changes to make use of their arsenal according to their gains.
Vice_Society_Ransomware_Group_Targeting_Manufacturing_Companies
MEDIUM
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- Vice_Society_Ransomware_Group_Targeting_Manufacturing_Companies
- Date of Scan:
- 2023-01-26
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have highlighted the findings of Vice Society, which includes an end-to-end infection diagram.
A_Deep_Examination_of_Raspberry_Robin
LOW
+
—
—
- Intel Source:
- Esentire
- Intel Name:
- A_Deep_Examination_of_Raspberry_Robin
- Date of Scan:
- 2023-01-25
- Impact:
- LOW
- Summary:
- Esentire researchers have observed 11 cases of Raspberry Robin infections since May 2022 and analyzed them.
Source:
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-raspberry-robin
Titan_Stealer_Malware_Distributing_via_Telegram_Channel
LOW
+
—
—
- Intel Source:
- Uptycs
- Intel Name:
- Titan_Stealer_Malware_Distributing_via_Telegram_Channel
- Date of Scan:
- 2023-01-25
- Impact:
- LOW
- Summary:
- Researchers from Uptycs have discovered a campaign involving the Titan Stealer malware, which is being marketed and sold by a threat actor (TA) through a Telegram channel for cybercrime purposes.
Source:
https://www.uptycs.com/blog/titan-stealer-telegram-malware-campaign
Black_Friday_Day_Makes_Big_For_Malvertising
LOW
+
—
—
- Intel Source:
- Confiant
- Intel Name:
- Black_Friday_Day_Makes_Big_For_Malvertising
- Date of Scan:
- 2023-01-25
- Impact:
- LOW
- Summary:
- Confiant researchers have observed a cookie-stuffing campaign running across multiple programmatic ad platforms with a specific uptick in Q4 around Black Friday.
Source:
https://blog.confiant.com/malvertiser-makes-the-big-bucks-on-black-friday-637922cd5865
8220_Gang_Targeting_Vulnerable_Cloud_Providers
LOW
+
—
—
- Intel Source:
- Radware
- Intel Name:
- 8220_Gang_Targeting_Vulnerable_Cloud_Providers
- Date of Scan:
- 2023-01-24
- Impact:
- LOW
- Summary:
- Radware researchers have identified that the Chinese threat group a.k.a 8220 Gang is targeting cloud providers and poorly secured applications with a custom-built crypto miner and IRC bot.
Advertisement_Fraud_Scheme_VASTFLUX_Targeted_Over_11_Million_Devices
LOW
+
—
—
- Intel Source:
- Human Blog
- Intel Name:
- Advertisement_Fraud_Scheme_VASTFLUX_Targeted_Over_11_Million_Devices
- Date of Scan:
- 2023-01-24
- Impact:
- LOW
- Summary:
- Researchers from HUMAN’s Satori Threat Intelligence team have identified a sophisticated ad fraud scheme, dubbed VASTFLUX, that targeted more than 11 million devices.
Source:
https://www.humansecurity.com/learn/blog/traffic-signals-the-vastflux-takedown
Remcos_RAT_Deployment_by_GuLoader
LOW
+
—
—
- Intel Source:
- Cyfirma
- Intel Name:
- Remcos_RAT_Deployment_by_GuLoader
- Date of Scan:
- 2023-01-24
- Impact:
- LOW
- Summary:
- CYFIRMA researchers have identified the distribution of a malicious PDF file through email. It redirects the user to a cloud-based platform where they are prompted to download a ZIP file.
Source:
https://www.cyfirma.com/outofband/guloader-deploying-remcos-rat/
Diving_Deep_into_LockBit_Ransomware
MEDIUM
+
—
—
- Intel Source:
- Analyst1
- Intel Name:
- Diving_Deep_into_LockBit_Ransomware
- Date of Scan:
- 2023-01-23
- Impact:
- MEDIUM
- Summary:
- Researchers from Analyst1 have analyzed the LockBit ransomware operations. It is one of the most notorious organized cybercrime syndicates that exists today.
Database_Infections_That_Compromise_Vulnerable_WordPress_Sites
LOW
+
—
—
- Intel Source:
- Sucuri
- Intel Name:
- Database_Infections_That_Compromise_Vulnerable_WordPress_Sites
- Date of Scan:
- 2023-01-20
- Impact:
- LOW
- Summary:
- Sucuri researchers have identified a database injection that has two different pieces of malware accomplishing two unrelated goals. The first injection redirects users to a spammy sports website and the second injection boosts authority of a spammy casino website within search engines.
ASEC_Weekly_Malware_samples_January_9_15th_2023
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_samples_January_9_15th_2023
- Date of Scan:
- 2023-01-20
- Impact:
- LOW
- Summary:
- The ASEC analysis team keep monitoring weekly malware collection samples for January 9-15th, 2023. The top malwares for this week is SmokeLoader, BeamWinHTTP, Formbook, AgentTesla and Lokibot.
The_Vidar_operators_expanding_their_infrastructure
MEDIUM
+
—
—
- Intel Source:
- Team Cymru
- Intel Name:
- The_Vidar_operators_expanding_their_infrastructure
- Date of Scan:
- 2023-01-20
- Impact:
- MEDIUM
- Summary:
- Team Cymru researchers analyzed on Darth Vidar infrastructure. Vidar operators appear to be expanding their infrastructure. Vidar is an info-stealer malware, which was first spotted in the wild in late 2018 by the security researcher Fumik0. The name itself (Vidar) is derived from a string found in the malware’s code. Vidar is considered to be a distinct fork of the Arkei malware family.
Source:
https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threat-infrastructure
New_CrySIS_or_Dharma_Ransomware_Variants
MEDIUM
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- New_CrySIS_or_Dharma_Ransomware_Variants
- Date of Scan:
- 2023-01-20
- Impact:
- MEDIUM
- Summary:
- Fortinet Labs researchers have analyzed the variants of the CrySIS/Dharma ransomware family.
Exploitation_of_FortiOS_Vulnerability_CVE_2022_42475
HIGH
+
—
—
- Intel Source:
- Mandiant
- Intel Name:
- Exploitation_of_FortiOS_Vulnerability_CVE_2022_42475
- Date of Scan:
- 2023-01-20
- Impact:
- HIGH
- Summary:
- Mandiant is monitoring a suspected China-nexus campaign that exploited a recently discovered vulnerability in Fortinet’s FortiOS SSL-VPN, CVE-2022-42475, as a zero-day. Mandiant discovered a new malware called “BOLDMOVE” during the investigation. They found a Windows variant of BOLDMOVE and a Linux variant, which is specifically designed to run on FortiGate Firewalls.
Source:
https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw
Fortinet_Firewall_Vulnerability_Exploited_by_New_Chinese_Malware
MEDIUM
+
—
—
- Intel Source:
- Mandiant
- Intel Name:
- Fortinet_Firewall_Vulnerability_Exploited_by_New_Chinese_Malware
- Date of Scan:
- 2023-01-20
- Impact:
- MEDIUM
- Summary:
- Researchers from Mandiant have identified a China-nexus threat actor who exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa.
Source:
https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw
Active_IOCs_of_Gh0st_RAT
LOW
+
—
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Gh0st_RAT
- Date of Scan:
- 2023-01-19
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Gh0st RAT. It is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information and data. This type of malware enables cybercriminals to gain complete access to infected computers and attempt to hijack the user’s banking account.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-gh0st-rat-active-iocs-4
Cybersecurity_incident_on_website_of_Liquor_Control_Board_of_Ontario
LOW
+
—
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Cybersecurity_incident_on_website_of_Liquor_Control_Board_of_Ontario
- Date of Scan:
- 2023-01-19
- Impact:
- LOW
- Summary:
- This month, the Liquor Control Board of Ontario (LCBO) shared the news about a cybersecurity incident, affecting online sales. The cybersecurity incident was a web skimmer, which is designed to retrieve customer payment information.
The_SEO_Poisoning_attack
LOW
+
—
—
- Intel Source:
- Sentilone
- Intel Name:
- The_SEO_Poisoning_attack
- Date of Scan:
- 2023-01-19
- Impact:
- LOW
- Summary:
- A lot of researchers have observed increase in malicious search engine advertisements found in the wild – known as SEO Poisoning, which is malvertising (malicious advertising) activity. There is an increasing variety in the specifics of the malware delivery method, such as which searches produce the malicious advertisements and which malware being delivered.
Active_IOCs_of_STRRAT_Malware
LOW
+
—
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_STRRAT_Malware
- Date of Scan:
- 2023-01-19
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of STRRAT Malware. It is a Java-based Remote-Access Trojan (RAT) with a slew of malicious features, notably information theft and backdoor capabilities.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-strrat-malware-active-iocs-7
The_LNK_metadata_trail
LOW
+
—
—
- Intel Source:
- Talos
- Intel Name:
- The_LNK_metadata_trail
- Date of Scan:
- 2023-01-19
- Impact:
- LOW
- Summary:
- Cisco Talos reserachers analyzed metadata in LNK files that lined to threat actors tactics techniques and procedures, to identify their activity. The researchers report shares their analyses on Qakbot and Gamaredon as examples.
Source:
https://blog.talosintelligence.com/following-the-lnk-metadata-trail/
Batloader_Malware_Attacks_in_Q4_2022_Used_Obfuscated_JavaScript_Files_and_Legitimate_Tools
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- Batloader_Malware_Attacks_in_Q4_2022_Used_Obfuscated_JavaScript_Files_and_Legitimate_Tools
- Date of Scan:
- 2023-01-19
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have identified notable Batloader campaigns that they observed in the last quarter of 2022, including the abuse of custom action scripts from the Advanced Installer software and Windows Installer XML (WiX) toolset, the use of obfuscated JavaScript files as a first-stage payload, and the use of PyArmor tool to obfuscate Batloader Python scripts.
Active_IOCs_of_NJRAT
LOW
+
—
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_NJRAT
- Date of Scan:
- 2023-01-18
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of NJRAT. It is a Remote Access Trojan, which is found leveraging Pastebin to deliver a second-stage payload after initial infection.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-njrat-active-iocs-49
Malicious_Google_Ads
LOW
+
—
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Malicious_Google_Ads
- Date of Scan:
- 2023-01-18
- Impact:
- LOW
- Summary:
- Researchers from SANS have identified that Google ads are a common vector for malware distribution. These ads frequently lead to fake sites impersonating web pages for legitimate software.
Abusing_Google_Ads_platform_by_various_campaigns
LOW
+
—
—
- Intel Source:
- Cyfirma
- Intel Name:
- Abusing_Google_Ads_platform_by_various_campaigns
- Date of Scan:
- 2023-01-18
- Impact:
- LOW
- Summary:
- CYFIRMA researchers observed the campaigns closely and they provided preliminary analysis of a new RAT known as “VagusRAT” and its possible attribution to Iranian Threat actors. The VagusRAT is also delivered to the victims by exploiting Google Ads.
Source:
https://www.cyfirma.com/outofband/vagusrat-a-new-entrant-in-the-external-threat-landscape/
Attacks_on_Iranian_Government_Entities_Through_Backdoor_Diplomacy
MEDIUM
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- Attacks_on_Iranian_Government_Entities_Through_Backdoor_Diplomacy
- Date of Scan:
- 2023-01-18
- Impact:
- MEDIUM
- Summary:
- PaloAlto researchers have identified that the threat actor known as Backdoor Diplomacy has been linked to a new wave of attacks targeting Iranian government entities between July and late December 2022.
The_observation_of_the_numerous_attacks_by_NetSupport_RAT_campaign
LOW
+
—
—
- Intel Source:
- Sentilone
- Intel Name:
- The_observation_of_the_numerous_attacks_by_NetSupport_RAT_campaign
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- Researchers from ASEC reported on a NetSupport RAT campaign that uses a Pokemon as the social engineering lure. Threat actors is hosting a Pokemon-based NFT gameat the malicious sites offering both a fun and financially rewards.
Decryption_Tool_For_BianLian_Ransomware_Released_by_Avast
LOW
+
—
—
- Intel Source:
- Avast
- Intel Name:
- Decryption_Tool_For_BianLian_Ransomware_Released_by_Avast
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- Avast researchers have released a free decryptor for the BianLian ransomware strain to help victims of the malware recover locked files without paying the hackers.
Source:
https://decoded.avast.io/threatresearch/decrypted-bianlian-ransomware/
Active_IOCs_of_Bitter_APT_Group
LOW
+
—
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Bitter_APT_Group
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- The Rewterz analysts team did an analysis summary on Bitter APT Group. APT-17 group aka BITTER APT group has been recently active and targeting sectors in South Asia for information theft and espionage. This group has a history of targeting Energy, Engineering, and Government in South Asia.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-bitter-apt-group-active-iocs-22
Other_Threat_Actor_Can_Use_Raspberry_Robin
LOW
+
—
—
- Intel Source:
- Sekoia
- Intel Name:
- Other_Threat_Actor_Can_Use_Raspberry_Robin
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- Sekoia researchers have identified that Raspberry Robin’s attack infrastructure, that possible for other threat actors to repurpose the infections for their own malicious activities which makes it an even more potent threat.
Source:
https://blog.sekoia.io/raspberry-robins-botnet-second-life/
A_manuscript_Solicitation_Letter_was_disguised_by_malware
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- A_manuscript_Solicitation_Letter_was_disguised_by_malware
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- On January 8th, the ASEC analysis team discovered a document-type malware targeting workers in the security field. The obtained malware uses an external object within a Word document to execute an additional malicious macro.
Exploitation_by_attackers_to_deliver_malware_with_Microsoft_Office_macros
LOW
+
—
—
- Intel Source:
- Perception-Point
- Intel Name:
- Exploitation_by_attackers_to_deliver_malware_with_Microsoft_Office_macros
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- The Perception-Point researchers discussed in their blog on similarity of Microsoft Office macros, which are widely exploited by attackers and used to delivering malware. They discussed the tactics of similarity based on real-world samples that was detected in the wild.
Source:
https://perception-point.io/blog/malicious-office-macros-detecting-similarity-in-the-wild-2/
Document_Type_Malware_Targeting_Security_Field_Workers
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Document_Type_Malware_Targeting_Security_Field_Workers
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- ASEC researchers have observed document-type malware distributing and targeting workers in the security field. The obtained malware uses an external object within a Word document to execute an additional malicious macro.
A_Deep_Analysis_of_CircleCI_Security_Alert
LOW
+
—
—
- Intel Source:
- CircleCI
- Intel Name:
- A_Deep_Analysis_of_CircleCI_Security_Alert
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- Researchers from CircleCI have received an alert and analyzed the suspicious GitHub OAuth activity.
Source:
https://circleci.com/blog/jan-4-2023-incident-report/
Three_PyPI_Package_Spreading_Malware_to_Developer_Systems
MEDIUM
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- Three_PyPI_Package_Spreading_Malware_to_Developer_Systems
- Date of Scan:
- 2023-01-17
- Impact:
- MEDIUM
- Summary:
- Fortinet researchers have identified that a threat actor named Lolip0p has uploaded three rogue packages to the Python Package Index (PyPI) repository that is designed to drop malware on compromised developer systems.
Phishing_Email_Targeting_National_Tax_Service
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Phishing_Email_Targeting_National_Tax_Service
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered that a phishing email impersonating the National Tax Service is distributing.
ASEC_Weekly_Phishing_Email_Threats_analyses_January_1_7_2023
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Email_Threats_analyses_January_1_7_2023
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- The ASEC analysis team keep monitoring phishing email threats with their automatic sample analysis system (RAPIT) and honeypot. Their post explained the samples of distribution of phishing emails during the week from January 1st, 2023 to January 7th, 2022. The most prevalent threat type was observed in phishing email attachments was FakePage, taking up 58%. FakePages are web pages where the threat actor has duplicated the screen layout, logo, and font of the real login pages or advertising pages, leading users to enter their account and password information.
Hackers_Using_Middle_Eastern_Geopolitical_Themed_to_Distribute_NjRAT
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- Hackers_Using_Middle_Eastern_Geopolitical_Themed_to_Distribute_NjRAT
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have identified an active campaign that is using Middle Eastern geopolitical themes as a lure to target potential victims in the Middle East and Africa. In this campaign, Earth Bogle, the threat actor uses public cloud storage services such as files.fm and failiem.lv to host malware, while compromised web servers distribute NjRAT.
Vidar_Stealer_Attack_Campaign_impersonating_AnyDesk
LOW
+
—
—
- Intel Source:
- Crep1x
- Intel Name:
- Vidar_Stealer_Attack_Campaign_impersonating_AnyDesk
- Date of Scan:
- 2023-01-15
- Impact:
- LOW
- Summary:
- Typosquatting attack campaign found in the wild impersonating multiple legitimate RMM tools and redirecting users to fake AnyDesk websites triggering Vidar Stealer Payload download through dropbox.
Source:
https://twitter.com/crep1x/status/1612199364805660673
Rhadamanthys_Stealer_Leverages_Google_Ads_in_the_wild
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Rhadamanthys_Stealer_Leverages_Google_Ads_in_the_wild
- Date of Scan:
- 2023-01-14
- Impact:
- LOW
- Summary:
- Researchers from Cyble found a new malware strain, Rhadamanthys Stealer, leveraging Spam and Phishing campaigns through Google Ads and redirecting users to fake phishing websites of popular software. The Malware downloaded in the background of legitimate files or through obfuscated images steals sensitive information to further aid in unauthorized access.
Source:
https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/
PurpleUrchin_Campaign_Bypass_CAPTCHA_and_Steals_Cloud_Platform_Resources
LOW
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- PurpleUrchin_Campaign_Bypass_CAPTCHA_and_Steals_Cloud_Platform_Resources
- Date of Scan:
- 2023-01-14
- Impact:
- LOW
- Summary:
- Researchers from PaloAlto have analyzed Automated Libra, the cloud threat actor group behind the freejacking campaign PurpleUrchin. Automated Libra is a South African-based freejacking group that primarily targets cloud platforms offering limited-time trials of cloud resources in order to perform their cryptomining operations.
Source:
https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/
Gootloader_Malware_returns_with_revamped_infection_technique
LOW
+
—
—
- Intel Source:
- Esentire
- Intel Name:
- Gootloader_Malware_returns_with_revamped_infection_technique
- Date of Scan:
- 2023-01-14
- Impact:
- LOW
- Summary:
- Researchers from Esentire found Gootloader malware activity with a new infection technique, further leading to Cobalt Strike leveraging existing PowerShell process beaconed to various malicious domains. The attacker seems to be hands-on, dropping multiple payloads, including BloodHound and PsExec, while being persistent and targeting different areas for further compromise.
Source:
https://www.esentire.com/blog/gootloader-leads-to-cobalt-strike-and-hand-on-keyboard-activity
Unpatched_Vulnerability_to_Bypass_Windows_OS_Security_Feature
MEDIUM
+
—
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Unpatched_Vulnerability_to_Bypass_Windows_OS_Security_Feature
- Date of Scan:
- 2023-01-13
- Impact:
- MEDIUM
- Summary:
- EclecticIQ analysts researched on QakBot phishing campaigns who can turn it to a Zero-Day Vulnerability to evade Windows Mark of the Web (MoTW). QakBot may be able to increase its infection success rate as a result of the switch to a zero-day exploit.
The_Deep_Investigation_of_FortiOS_Zero_Day_Attack
LOW
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Deep_Investigation_of_FortiOS_Zero_Day_Attack
- Date of Scan:
- 2023-01-13
- Impact:
- LOW
- Summary:
- Researchers from Fortinet have analyzed the zero-day vulnerability in FortiOS SSL-VPN that Fortinet addressed last month was exploited by unknown actors in attacks targeting the government and other large organizations.
RAT_Malware_Campaign_Using_Polyglot_Files_to_Evade_Detection
LOW
+
—
—
- Intel Source:
- Deep Instinct
- Intel Name:
- RAT_Malware_Campaign_Using_Polyglot_Files_to_Evade_Detection
- Date of Scan:
- 2023-01-13
- Impact:
- LOW
- Summary:
- Deep Instinct researchers have identified that operators of the StrRAT and Ratty remote access trojans (RAT) are running a new campaign using polyglot MSI/JAR and CAB/JAR files to evade detection from security tools.
Source:
https://www.deepinstinct.com/blog/malicious-jars-and-polyglot-files-who-do-you-think-you-jar
Research_on_HIVE_Ransomware_attacks
MEDIUM
+
—
—
- Intel Source:
- Rapid7
- Intel Name:
- Research_on_HIVE_Ransomware_attacks
- Date of Scan:
- 2023-01-13
- Impact:
- MEDIUM
- Summary:
- Rapid7 monitors and research on the range of techniques that threat actors use to conduct malicious activity. Recently, Rapid7 observed a malicious activity performed by threat actor performing several known techniques for distributing ransomware across many systems within a victim’s environment. In addition to those techniques, the actor employed a number of previously unseen techniques designed to to drop the defenses of the victim, inhibit monitoring, disable networking and allow time for the ransomware to finish encrypting files.
Source:
https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/
Orcus_RAT_being_distributed_on_file_sharing_sites
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Orcus_RAT_being_distributed_on_file_sharing_sites
- Date of Scan:
- 2023-01-13
- Impact:
- LOW
- Summary:
- The ASEC analysis team recently identified Orcus RAT being distributed on file-sharing sites disguised as a cracked version of Hangul Word Processor.
Spike_in_Holiday_Attacks_Targeting_Ancient_Vulnerabilities_and_Hidden_Webshells
LOW
+
—
—
- Intel Source:
- Wordfence
- Intel Name:
- Spike_in_Holiday_Attacks_Targeting_Ancient_Vulnerabilities_and_Hidden_Webshells
- Date of Scan:
- 2023-01-13
- Impact:
- LOW
- Summary:
- Researchers from Wordfence have observed spikes in attack traffic over the Christmas and New Year holidays, which is specifically targeting the Downloads Manager plugin by Giulio Ganci.
Hackers_From_Scattered_Spider_Using_Old_Intel_Driver_to_Bypass_Security
MEDIUM
+
—
—
- Intel Source:
- CrowdStrike
- Intel Name:
- Hackers_From_Scattered_Spider_Using_Old_Intel_Driver_to_Bypass_Security
- Date of Scan:
- 2023-01-12
- Impact:
- MEDIUM
- Summary:
- CrowdStrick researchers have identified a financially motivated threat actor named Scattered Spider and observed attempting to deploy Intel Ethernet diagnostics drivers in a BYOVD (Bring Your Own Vulnerable Driver) attack to evade detection from EDR (Endpoint Detection and Response) security products.
Active_IOCs_of_Mirai_Botnet_aka_Katana
LOW
+
—
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Mirai_Botnet_aka_Katana
- Date of Scan:
- 2023-01-12
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Mirai Botnet aka Katana. Mirai is one of the first major botnets to target Linux-based vulnerable networking devices. It was discovered in August 2016 and its name means “future” in Japanese.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-mirai-botnet-aka-katana-active-iocs-4
The_Examine_of_NeedleDropper_Malware
LOW
+
—
—
- Intel Source:
- Avast
- Intel Name:
- The_Examine_of_NeedleDropper_Mal