2022-05-20
Threat_Actors_exploiting_VMware_vulnerability
Medium
Intel Source:
CISA
Intel Name:
Threat_Actors_exploiting_VMware_vulnerability
Date of Scan:
2022-05-20
Impact:
Medium
Summary:
CISA released an advisory to warn organizations about threat actors exploiting unpatched VMware vulnerabilities. These vulnerabilities affect certain versions of VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-138b
2022-05-20
All_about_ITG23_Crypters
Medium
Intel Source:
Security Intelligence
Intel Name:
All_about_ITG23_Crypters
Date of Scan:
2022-05-20
Impact:
Medium
Summary:
IBM X-Force researchers analyzed thirteen crypters that have all been used with malware built or operated by ITG23 internal teams or third-party distributors — including Trickbot, BazarLoader, Conti, and Colibri.
Source: https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/
2022-05-20
BumbleBee_Malware_getting_delivered_via_TransferXL_Urls
Low
Intel Source:
ISC.SANS
Intel Name:
BumbleBee_Malware_getting_delivered_via_TransferXL_Urls
Date of Scan:
2022-05-20
Impact:
Low
Summary:
Researchers at ISC.SANS were able to link Bumblebee malware to the EXOTIC LILY threat actor after observing active TransferXL URLs delivering ISO files for Bumblebee malware.
Source: https://isc.sans.edu/diary/rss/28664
2022-05-20
Chinese_Threat_group_Space_Pirates_targets_Russian_Aerospace_Firms
Medium
Intel Source:
PtSecurity
Intel Name:
Chinese_Threat_group_Space_Pirates_targets_Russian_Aerospace_Firms
Date of Scan:
2022-05-20
Impact:
Medium
Summary:
Analysts at Positive Technologies came across a previously unknown Chinese hacking group, which they have dubbed 'Space Pirates', that targets enterprises in the Russian aerospace industry with phishing emails to install novel malware on their systems.
Source: https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/space-pirates-tools-and-connections/#id5-2
2022-05-20
Latest_APT_C_24_SideWinder_Rattlesnake_attack_activity
Medium
Intel Source:
WeiXin
Intel Name:
Latest_APT_C_24_SideWinder_Rattlesnake_attack_activity
Date of Scan:
2022-05-20
Impact:
Medium
Summary:
Researchers from 360 Threat Intelligence Center came across attack activity launched by APT-C-24/SideWinder in which the threat actor used new TTPs.
Source: https://mp-weixin-qq-com.translate.goog/s/qsGxZIiTsuI7o-_XmiHLHg?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en
2022-05-20
Lazarus_Group_Exploiting_Log4Shell_Vulnerability
Medium
Intel Source:
Asec
Intel Name:
Lazarus_Group_Exploiting_Log4Shell_Vulnerability
Date of Scan:
2022-05-20
Impact:
Medium
Summary:
Researchers from ASEC discovered the Lazarus group distributing NukeSped by exploiting the Log4Shell vulnerability. The threat actor exploited the Log4j vulnerability on VMware Horizon products that had not received the security patch.
Source: https://asec.ahnlab.com/en/34461/
2022-05-19
VMware_Bugs_Abused_to_Deliver_Mirai
Medium
Intel Source:
Barracuda
Intel Name:
VMware_Bugs_Abused_to_Deliver_Mirai
Date of Scan:
2022-05-19
Impact:
Medium
Summary:
Researchers from Barracuda discovered attempts to exploit the recent vulnerabilities CVE-2022-22954 and CVE-2022-22960. Mirai was being delivered by abusing these VMware bugs.
Source: https://blog.barracuda.com/2022/05/17/threat-spotlight-attempts-to-exploit-new-vmware-vulnerabilities/
2022-05-19
Threat Actors targets US Business Online Checkout Page
Medium
Intel Source:
Palo Alto
Intel Name:
Threat Actors targets US Business Online Checkout Page
Date of Scan:
2022-05-19
Impact:
Medium
Summary:
Researchers from Palo Alto Networks documented the background on Emotet and its activity from November 2021 through January 2022.
Source: https://www.ic3.gov/Media/News/2022/220516.pdf
2022-05-19
Emotet_The_journey
Medium
Intel Source:
Palo Alto
Intel Name:
Emotet_The_journey
Date of Scan:
2022-05-19
Impact:
Medium
Summary:
Researchers from Palo Alto Networks documented the background on Emotet and its activity from November 2021 through January 2022.
Source: https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/
2022-05-18
Uncovering_Kingminer_Botnet_Attack
Low
Intel Source:
Trend Micro
Intel Name:
Uncovering_Kingminer_Botnet_Attack
Date of Scan:
2022-05-18
Impact:
Low
Summary:
Researchers from Trend Micro detail the TTPs of the Kingminer botnet. In 2020, threat actors deployed Kingminer to target SQL servers for cryptocurrency mining.
Source: https://www.trendmicro.com/en_us/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
2022-05-18
Wizard_Spider_Group_In_Depth_Analysis
Medium
Intel Source:
Prodaft
Intel Name:
Wizard_Spider_Group_In_Depth_Analysis
Date of Scan:
2022-05-18
Impact:
Medium
Summary:
Researchers from PRODAFT published the results of an investigation into Wizard Spider, believed to either be or be associated with the Grim Spider and Lunar Spider hacking groups.
Source: https://www.prodaft.com/resource/detail/ws-wizard-spider-group-depth-analysis
2022-05-18
Chaos_Ransomware_stands_with_Russia
Medium
Intel Source:
Fortinet
Intel Name:
Chaos_Ransomware_stands_with_Russia
Date of Scan:
2022-05-18
Impact:
Medium
Summary:
FortiGuard Labs came across a variant of the Chaos ransomware that appears to side with Russia. This variant of the ransomware has been leveraging the Russia-Ukraine conflict.
Source: https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia
2022-05-18
Operation RestyLink targeting Japanese Firms
Medium
Intel Source:
NTT Security
Intel Name:
Operation RestyLink targeting Japanese Firms
Date of Scan:
2022-05-18
Impact:
Medium
Summary:
Researchers from NTT Security observed an APT campaign targeting Japanese companies starting in mid-April 2022. The initial attack vector in this campaign was spear-phishing email.
Source: https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies
2022-05-18
RansomEXX_and_its_TTPs
Medium
Intel Source:
Trend Micro
Intel Name:
RansomEXX_and_its_TTPs
Date of Scan:
2022-05-18
Impact:
Medium
Summary:
Researchers from Trend Micro shed light on the tactics and techniques of the ransomware variant RansomEXX, which has been active since 2020.
Source: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx
2022-05-18
X_Cart_Skimmer_with_DOM_based_Obfuscation
Low
Intel Source:
Sucuri
Intel Name:
X_Cart_Skimmer_with_DOM_based_Obfuscation
Date of Scan:
2022-05-18
Impact:
Low
Summary:
A security researcher from Sucuri worked on an infected X-Cart website and found two interesting credit card stealers there — one skimmer located server-side, the other client-side.
Source: https://blog.sucuri.net/2022/05/x-cart-skimmer-with-dom-based-obfuscation.html
2022-05-17
UpdateAgent_Returns_with_New_macOS_Malware_Dropper
Low
Intel Source:
Jamf
Intel Name:
UpdateAgent_Returns_with_New_macOS_Malware_Dropper
Date of Scan:
2022-05-17
Impact:
Low
Summary:
Researchers from Jamf Threat Labs came across a new variant of the macOS malware tracked as UpdateAgent. The malware relies on AWS infrastructure to host its various payloads and to report its infection status updates to the server.
Source: https://www.jamf.com/blog/updateagent-adapts-again/
2022-05-17
Analysis_of_the_HUI_Loader
Low
Intel Source:
JPCERT
Intel Name:
Analysis_of_the_HUI_Loader
Date of Scan:
2022-05-17
Impact:
Low
Summary:
JPCERT researchers shared their analysis of the HUI Loader, which has been used by multiple attack groups, including APT10, since around 2015.
Source: https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html
2022-05-17
Custom_PowerShell_RAT_targets_Germans
Low
Intel Source:
MalwareBytes
Intel Name:
Custom_PowerShell_RAT_targets_Germans
Date of Scan:
2022-05-17
Impact:
Low
Summary:
Researchers from Malwarebytes came across a new campaign that plays on concerns by luring Germans with a promise of updates on the current threat situation in Ukraine, and then infects the victims with a RAT.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/05/custom-powershell-rat-targets-germans-seeking-information-about-the-ukraine-crisis/
2022-05-17
UN_social_program_themed_online_fraud
Medium
Intel Source:
CERT-UA
Intel Name:
UN_social_program_themed_online_fraud
Date of Scan:
2022-05-17
Impact:
Medium
Summary:
CERT-UA researchers recently responded to the discovery of a fraudulent Facebook page that mimics the website of the TV channel "TSN".
Source: https://cert.gov.ua/article/40240
2022-05-17
Onyx_Ransomware
Low
Intel Source:
Cyfirma
Intel Name:
Onyx_Ransomware
Date of Scan:
2022-05-17
Impact:
Low
Summary:
Researchers from Cyfirma analyzed samples of a new ransomware called Onyx which was first seen in April 2022. This ransomware encrypts files and then modifies their filenames by appending the .ampkcz extension.
Source: https://www.cyfirma.com/outofband/onyx-ransomware-report/
2022-05-17
Malicious_HTML_Help_File_Delivering_Agent_Tesla
Low
Intel Source:
Palo Alto
Intel Name:
Malicious_HTML_Help_File_Delivering_Agent_Tesla
Date of Scan:
2022-05-17
Impact:
Low
Summary:
Unit 42 researchers observed an attack utilizing malicious compiled HTML help files for the initial delivery. The method was used to deliver Agent Tesla.
Source: https://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent-tesla/
2022-05-16
APT29_Abusing_Legitimate_Software_For_Targeted_Operations_In_Europe
Medium
Intel Source:
Cluster25
Intel Name:
APT29_Abusing_Legitimate_Software_For_Targeted_Operations_In_Europe
Date of Scan:
2022-05-16
Impact:
Medium
Summary:
Cluster25 researchers analyzed several spear-phishing campaigns linked to APT29 that involve the use of a side-loaded DLL through signed software (such as the Adobe suite) and legitimate web services (such as Dropbox) as a communication vector for Command and Control (C&C).
Source: https://cluster25.io/2022/05/13/cozy-smuggled-into-the-box/
2022-05-16
Quantum_Locker_Ransomware
Medium
Intel Source:
Cybereason
Intel Name:
Quantum_Locker_Ransomware
Date of Scan:
2022-05-16
Impact:
Medium
Summary:
Researchers at Cybereason analyzed Quantum Locker ransomware and demonstrated its detection and prevention. The initial infection method used by the operators is the infamous IcedID malware.
Source: https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware
2022-05-16
KurayStealer_Malware
Low
Intel Source:
Uptycs
Intel Name:
KurayStealer_Malware
Date of Scan:
2022-05-16
Impact:
Low
Summary:
Researchers at Uptycs came across a new malware builder dubbed KurayStealer that has password-stealing and screenshot capabilities. The malware harvests passwords and screenshots and sends them to the attackers’ Discord channel via webhooks.
Source: https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks
2022-05-16
From_0_Day_to_Mirai
High
Intel Source:
ISC.SANS
Intel Name:
From_0_Day_to_Mirai
Date of Scan:
2022-05-16
Impact:
High
Summary:
Researchers at ISC.SANS found attacks exploiting the recent high severity vulnerability in F5 products and were able to attribute the attacks to Mirai.
Source: https://isc.sans.edu/diary/rss/28644
2022-05-16
Telegram_used_to_spread_Eternity_Malware
Low
Intel Source:
Cyble
Intel Name:
Telegram_used_to_spread_Eternity_Malware
Date of Scan:
2022-05-16
Impact:
Low
Summary:
Researchers from Cyble came across a new malware service, dubbed the Eternity Project by the threat actors behind it, which allows cybercriminals to target potential victims with a customized threat offering based on individual modules.
Source: https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/
2022-05-16
Novel IceApple Post-Exploitation Framework
Low
Intel Source:
CrowdStrike
Intel Name:
Novel IceApple Post-Exploitation Framework
Date of Scan:
2022-05-16
Impact:
Low
Summary:
Researchers from CrowdStrike found a new post-exploitation threat being deployed on Microsoft Exchange servers. The threat has been dubbed IceApple.
Source: https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework.pdf
2022-05-13
APT34_targets_Jordan_Government_using_new_Saitama_backdoor
Medium
Intel Source:
MalwareBytes
Intel Name:
APT34_targets_Jordan_Government_using_new_Saitama_backdoor
Date of Scan:
2022-05-13
Impact:
Medium
Summary:
Researchers at Malwarebytes discovered a malicious email targeting a government official at Jordan’s foreign ministry, identified as a suspicious message on April 26. It contained a malicious Excel document that delivered Saitama, a new hacking tool used to provide a backdoor into systems. Malwarebytes attributed the email to the threat group commonly known as APT34.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/
2022-05-13
RedLine_Stealer_Campaign_spread_via_Github_hosted_payload
Medium
Intel Source:
NetSkope
Intel Name:
RedLine_Stealer_Campaign_spread_via_Github_hosted_payload
Date of Scan:
2022-05-13
Impact:
Medium
Summary:
Researchers at Netskope Threat Labs discovered a new RedLine Stealer campaign spread on YouTube, using a fake bot for buying Binance Mystery Box NFTs. The video description leads the victim to download the fake bot, which is hosted on GitHub.
Source: https://www.netskope.com/blog/redline-stealer-campaign-using-binance-mystery-box-videos-to-spread-github-hosted-payload
2022-05-13
Phishing_campaign_delivering_AveMariaRAT_BitRAT_PandoraHVNC
Low
Intel Source:
Fortinet
Intel Name:
Phishing_campaign_delivering_AveMariaRAT_BitRAT_PandoraHVNC
Date of Scan:
2022-05-13
Impact:
Low
Summary:
Researchers at Fortinet's FortiGuard Labs analysed a phishing campaign that delivered three fileless malware families onto a victim’s device. Once executed, the malware is able to steal sensitive information from that device. It mainly affects Microsoft Windows users.
Source: https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware
2022-05-13
Iranian_threat_actor_COBALT_MIRAGE_conducting_Ransomware_operations_in_US
Medium
Intel Source:
SecureWorks
Intel Name:
Iranian_threat_actor_COBALT_MIRAGE_conducting_Ransomware_operations_in_US
Date of Scan:
2022-05-13
Impact:
Medium
Summary:
SecureWorks Counter Threat Unit analysed REvil ransomware samples that indicate resumed operations of GOLD SOUTHFIELD. The identification of multiple samples containing different modifications and the lack of an official new version indicate that REvil is under active development.
Source: https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us
2022-05-13
UAC_0010_Armageddon_leveraging_GammaLoad_PS1_v2_malware
Medium
Intel Source:
CERT-UA
Intel Name:
UAC_0010_Armageddon_leveraging_GammaLoad_PS1_v2_malware
Date of Scan:
2022-05-13
Impact:
Medium
Summary:
CERT-UA analysed a phishing campaign with the subject "On revenge in Kherson!" and an attachment named "Plan Kherson.htm". The campaign uses the malicious program GammaLoad.PS1_v2 and is attributed to the group UAC-0010 (Armageddon).
Source: https://cert.gov.ua/article/40240
2022-05-12
TA578_distributing_Bumblebee_malware
Medium
Intel Source:
ISC.SANS
Intel Name:
TA578_distributing_Bumblebee_malware
Date of Scan:
2022-05-12
Impact:
Medium
Summary:
Researchers at ISC.SANS analysed a campaign in which threat actor TA578 leverages thread-hijacked emails to push ISO files for Bumblebee malware. These thread-hijacked emails contain links to storage.googleapis.com URLs similar to those used in the Contact Forms campaign.
Source: https://isc.sans.edu/diary/rss/28636
2022-05-12
Critical_F5_BIG_IP_Vulnerability_New_IoCs
High
Intel Source:
Palo Alto
Intel Name:
Critical_F5_BIG_IP_Vulnerability_New_IoCs
Date of Scan:
2022-05-12
Impact:
High
Summary:
Researchers from Palo Alto Networks have also released a few indicators of compromise and their analysis of the critical F5 BIG-IP vulnerability.
Source: https://unit42.paloaltonetworks.com/cve-2022-1388/
2022-05-12
Nerbian_RAT_targeting_firms_in_Italy_Spain_and_UK
Low
Intel Source:
Proofpoint
Intel Name:
Nerbian_RAT_targeting_firms_in_Italy_Spain_and_UK
Date of Scan:
2022-05-12
Impact:
Low
Summary:
Proofpoint researchers found a previously undocumented remote access trojan (RAT) called Nerbian RAT, written in the Go programming language, that has been spotted disproportionately targeting entities in Italy, Spain, and the U.K.
Source: https://www.proofpoint.com/us/blog/threat-insight/nerbian-rat-using-covid-19-themes-features-sophisticated-evasion-techniques
2022-05-12
Bitter APT expands its target list
Medium
Intel Source:
Cisco Talos
Intel Name:
Bitter APT expands its target list
Date of Scan:
2022-05-12
Impact:
Medium
Summary:
An espionage-focused threat actor (Bitter APT) known for targeting China, Pakistan, and Saudi Arabia has added Bangladeshi government organizations to its targets as part of an ongoing campaign.
Source: https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html
2022-05-12
Malicious_NPM_Packages_targets_German_Companies
Low
Intel Source:
JFrog
Intel Name:
Malicious_NPM_Packages_targets_German_Companies
Date of Scan:
2022-05-12
Impact:
Low
Summary:
Researchers from JFrog have discovered a number of malicious packages in the npm registry specifically targeting a number of prominent companies based in Germany to carry out supply chain attacks.
Source: https://jfrog.com/blog/npm-supply-chain-attack-targets-german-based-companies/
2022-05-11
Examining_BlackBasta_ransomware
Medium
Intel Source:
Trend Micro
Intel Name:
Examining_BlackBasta_ransomware
Date of Scan:
2022-05-11
Impact:
Medium
Summary:
Trend Micro researchers examined the whole infection routine of Black Basta ransomware and its infection tactics.
Source: https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html
2022-05-11
German_Automakers_targeted_by_InfoStealer_campaign
Low
Intel Source:
checkpoint
Intel Name:
German_Automakers_targeted_by_InfoStealer_campaign
Date of Scan:
2022-05-11
Impact:
Low
Summary:
Check Point researchers discovered a years-long phishing campaign that has targeted German companies in the automotive industry, attempting to infect their systems with password-stealing malware.
Source: https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/
2022-05-11
REvil_returns_reemergening_GOLD_SOUTHFIELD
High
Intel Source:
SecureWorks
Intel Name:
REvil_returns_reemergening_GOLD_SOUTHFIELD
Date of Scan:
2022-05-11
Impact:
High
Summary:
SecureWorks Counter Threat Unit analysed REvil ransomware samples that indicate resumed operations of GOLD SOUTHFIELD. The identification of multiple samples containing different modifications and the lack of an official new version indicate that REvil is under active development.
Source: https://www.secureworks.com/blog/revil-development-adds-confidence-about-gold-southfield-reemergence
2022-05-11
Different_elements_of_Cobalt_Strike
Medium
Intel Source:
Palo Alto
Intel Name:
Different_elements_of_Cobalt_Strike
Date of Scan:
2022-05-11
Impact:
Medium
Summary:
Palo Alto Unit 42 researchers analysed the Cobalt Strike tool, walked through its encoding algorithm, described the definitions and differences of the encoding types used in the Cobalt Strike framework, and covered some malicious attacks seen in the wild.
Source: https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/#Indicators-of-Compromise
2022-05-11
New_Wave_of_Ursnif_Malware
High
Intel Source:
Qualys
Intel Name:
New_Wave_of_Ursnif_Malware
Date of Scan:
2022-05-11
Impact:
High
Summary:
Researchers at Qualys discovered and analysed a few phishing emails in which a macro-embedded XLS attachment or a zip attachment containing an HTA file initiated the infection chain. Researchers attributed this targeted attack to Ursnif malware, one of the most widespread banking trojans.
Source: https://blog.qualys.com/vulnerabilities-threat-research/2022/05/08/ursnif-malware-banks-on-news-events-for-phishing-attacks
2022-04-19
SunnyDay Ransomware
LOW
Intel Source:
Seguranca-Informatica
Intel Name:
SunnyDay Ransomware
Date of Scan:
2022-04-19
Impact:
LOW
Summary:
Segurança-Informatica published an analysis of a recent sample of SunnyDay ransomware. As a result of the work, some similarities with other ransomware samples such as Ever101, Medusa Locker, Curator and Payment45 were found. According to the analysis, “SunnyDay is a simple piece of ransomware based on the SALSA20 stream cipher”. SALSA20 is easy to recognize as it uses well-known constant values for its internal cryptographic operations.
Source: https://seguranca-informatica.pt/analysis-of-the-sunnyday-ransomware/#.Yl0eXdtBxPY
2022-04-19
Coordinated disruption of Zloader operation
LOW
Intel Source:
Microsoft/ESET
Intel Name:
Coordinated disruption of Zloader operation
Date of Scan:
2022-04-19
Impact:
LOW
Summary:
Microsoft's Digital Crimes Unit (DCU) has taken technical action against Zloader and disrupted its operations. ZLoader is run by a global internet-based organized crime gang operating malware as a service that is designed to steal and extort money.
Source: https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/ https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/
2022-04-19
Lazarus Group Targets Chemical Sector
MEDIUM
Intel Source:
Symantec
Intel Name:
Lazarus Group Targets Chemical Sector
Date of Scan:
2022-04-19
Impact:
MEDIUM
Summary:
Researchers from Symantec have observed the Lazarus group conducting an espionage campaign targeting organizations operating within the chemical sector. This campaign has been dubbed Operation Dream Job.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical
2022-04-19
Recent Emotet Maldoc Outbreak
MEDIUM
Intel Source:
Fortinet
Intel Name:
Recent Emotet Maldoc Outbreak
Date of Scan:
2022-04-19
Impact:
MEDIUM
Summary:
Researchers at Fortinet identified that a recent Emotet outbreak is being spread through a variety of malicious Microsoft Office files (maldocs) attached to phishing emails. Once a victim opens the attached document, a VBA macro or Excel 4.0 macro is used to execute malicious code that downloads and runs the Emotet malware.
Source: https://www.fortinet.com/blog/threat-research/Trends-in-the-recent-emotet-maldoc-outbreak
2022-04-18
XSS Vulnerability in Zimbra leveraged to target Ukraine Government
MEDIUM
Intel Source:
CERT-UA
Intel Name:
XSS Vulnerability in Zimbra leveraged to target Ukraine Government
Date of Scan:
2022-04-18
Impact:
MEDIUM
Summary:
CERT-UA has detected threat actors targeting Ukrainian government agencies with new attacks exploiting the Zimbra XSS vulnerability (CVE-2018-6882). CERT-UA has attributed this campaign to UAC-0097, a currently unknown actor.
Source: https://cert.gov.ua/article/39606 https://docs.google.com/spreadsheets/d/1Y987F976R9j4ztw2IyDzazzfpGL2bL00kCYFAeeo2tE/edit#gid=0
2022-04-18
CVE_2022_24527_Seeder_Queries_14042022
MEDIUM
Intel Source:
STR
Intel Name:
CVE_2022_24527_Seeder_Queries_14042022
Date of Scan:
2022-04-18
Impact:
MEDIUM
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-04-18
Indepth analysis of PYSA Ransomware Group
MEDIUM
Intel Source:
Prodaft
Intel Name:
Indepth analysis of PYSA Ransomware Group
Date of Scan:
2022-04-18
Impact:
MEDIUM
Summary:
Researchers at PRODAFT identified and gained visibility into PYSA's ransomware infrastructure and analyzed their findings to gain insight into how the criminal operation works.
Source: https://www.prodaft.com/resource/detail/pysa-ransomware-group-depth-analysis
2022-04-18
BumbleBee Malware campaign
LOW
Intel Source:
Cynet
Intel Name:
BumbleBee Malware campaign
Date of Scan:
2022-04-18
Impact:
LOW
Summary:
Researchers from Cynet Security found a new campaign which, instead of malicious Office documents, uses malicious ISO image files to lure victims into executing the BumbleBee malware.
Source: https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/
2022-04-18
New Fodcha DDoS botnet
MEDIUM
Intel Source:
netlab360
Intel Name:
New Fodcha DDoS botnet
Date of Scan:
2022-04-18
Impact:
MEDIUM
Summary:
Researchers at Qihoo 360's Network Security Research Lab discovered a new DDoS botnet called 'Fodcha'. The botnet spread to over 62,000 devices between March 29 and April 10. Based on the unique IP addresses linked to the botnet, researchers are tracking a 10,000-strong Fodcha army of bots using Chinese IP addresses every day.
Source: https://blog.netlab.360.com/fodcha-a-new-ddos-botnet/
2022-04-18
CVE_2022_22954_Seeder_Queries_14042022
MEDIUM
Intel Source:
STR
Intel Name:
CVE_2022_22954_Seeder_Queries_14042022
Date of Scan:
2022-04-18
Impact:
MEDIUM
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-04-18
Emotet Modules and Recent Attacks
MEDIUM
Intel Source:
SecureList
Intel Name:
Emotet Modules and Recent Attacks
Date of Scan:
2022-04-18
Impact:
MEDIUM
Summary:
Researchers from Kaspersky were able to retrieve 10 of the 16 modules used by Emotet for credential/password/account/e-mail stealing and spamming. Statistics on recent Emotet attacks were also shared.
Source: https://securelist.com/emotet-modules-and-recent-attacks/106290/
2022-04-18
New File extensions added to BlackCat ransomware's arsenal
MEDIUM
Intel Source:
SecureList
Intel Name:
New File extensions added to BlackCat ransomware's arsenal
Date of Scan:
2022-04-18
Impact:
MEDIUM
Summary:
Researchers at Securelist analysed the BlackCat ransomware group's activities since its inception. They also compare BlackCat TTPs with those of the BlackMatter group, such as a custom exfiltration tool called 'Fendr' that had previously been used exclusively in BlackMatter ransomware activity.
Source: https://securelist.com/a-bad-luck-blackcat/106254/
2022-04-14
Enemybot leveraged by Keksec group
MEDIUM
Intel Source:
Fortinet
Intel Name:
Enemybot leveraged by Keksec group
Date of Scan:
2022-04-14
Impact:
MEDIUM
Summary:
Researchers at FortiGuard Labs have identified a new DDoS botnet called “Enemybot” and attributed it to a threat group called 'Keksec' that specializes in cryptomining and DDoS attacks. This botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code.
Source: https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet
2022-04-14
Critical Remote Code Execution Vulnerability in Windows RPC Runtime
HIGH
Intel Source:
Microsoft
Intel Name:
Critical Remote Code Execution Vulnerability in Windows RPC Runtime
Date of Scan:
2022-04-14
Impact:
HIGH
Summary:
Microsoft’s April 2022 Patch Tuesday introduced patches for more than a hundred new vulnerabilities in various components. Three critical vulnerabilities were found and patched in the Windows RPC (Remote Procedure Call) runtime: CVE-2022-24492, CVE-2022-24528 and CVE-2022-26809. By exploiting these vulnerabilities, a remote unauthenticated attacker can execute code on the vulnerable machine with the privileges of the RPC service, which depend on the process hosting the RPC runtime.
Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809 https://www.securonix.com/blog/cve-2022-26809-remote-procedure-call-runtime-remote-code-execution-vulnerability-and-coverage/
2022-04-14
Virus/XLS Xanpei Infecting Excel Files
MEDIUM
Intel Source:
ASEC
Intel Name:
Virus/XLS Xanpei Infecting Excel Files
Date of Scan:
2022-04-14
Impact:
MEDIUM
Summary:
The ASEC research team identified a constant distribution of malware strains that spread the infection when an Excel file is opened. Upon opening the infected Excel file, a file containing the virus VBA code is dropped to the Excel startup path. Whenever any Excel file is then opened, the malicious file dropped in the Excel startup path is automatically executed to spread the virus and perform additional malicious behaviors.
Source: https://asec.ahnlab.com/en/33630/
2022-04-14
IcedID malware targeting Ukraine state bodies
MEDIUM
Intel Source:
CERT-UA
Intel Name:
IcedID malware targeting Ukraine state bodies
Date of Scan:
2022-04-14
Impact:
MEDIUM
Summary:
CERT-UA has issued a new heads-up that warns of an ongoing cyber-attack leveraging the infamous IcedID malware designed to compromise Ukrainian state bodies. The detected malware, also dubbed BankBot or BokBot, is a banking Trojan primarily designed to target financial data and steal banking credentials.
Source: https://cert.gov.ua/article/39609 https://docs.google.com/spreadsheets/d/1QTwDDOO8JBpZbNyOnNvMm7VcZDQS0Y3CjYsMLrTKN7c/edit#gid=0
2022-04-14
ZingoStealer by Haskers Group
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
ZingoStealer by Haskers Group
Date of Scan:
2022-04-14
Impact:
MEDIUM
Summary:
Researchers at Cisco Talos identified a new information stealer called 'ZingoStealer' that has been released for free by a threat actor known as 'Haskers Gang'. This information stealer, first introduced to the wild in March 2022, is currently undergoing active development, and multiple releases of new versions have been observed recently.
Source: https://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/760/original/zingostealer-blog-iocs.txt?1649940925
2022-04-14
Malware Campaigns Targeting African Banking Sector
MEDIUM
Intel Source:
HP Wolf Security
Intel Name:
Malware Campaigns Targeting African Banking Sector
Date of Scan:
2022-04-14
Impact:
MEDIUM
Summary:
Researchers from HP Wolf Security have been tracking since early 2022 a cybercrime campaign targeting the African banking sector that leverages phishing emails and HTML smuggling techniques to deploy malware. In one case, an employee of an unnamed West African bank received an email purporting to be from a recruiter at another African bank with information about job opportunities.
Source: https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/
2022-04-14
OldGremlin Gang resumes attack with new methods
MEDIUM
Intel Source:
Group-IB
Intel Name:
OldGremlin Gang resumes attack with new methods
Date of Scan:
2022-04-14
Impact:
MEDIUM
Summary:
Group-IB has uncovered new attack tools and methods used by the OldGremlin ransomware group. The group was first identified by Group-IB researchers in spring 2020; over the past two years OldGremlin has conducted 13 malicious email campaigns. Researchers also discovered two variants of the TinyFluff malware: an earlier one that is more complex, and a newer simplified version that copies the script and the Node.js interpreter from its storage location.
Source: https://blog.group-ib.com/oldgremlin_comeback
2022-04-12
SystemBC Malware
MEDIUM
Intel Source:
ASEC
Intel Name:
SystemBC Malware
Date of Scan:
2022-04-12
Impact:
MEDIUM
Summary:
The ASEC research team identified a proxy malware called SystemBC that has been used by various attackers for the last few years. While it has recently been distributed through SmokeLoader or Emotet, this malware has steadily been used in various ransomware attacks in the past.
Source: https://asec.ahnlab.com/en/33600/
2022-04-12
NetSupport RAT_Seeder_Queries_08/04/2022
MEDIUM
Intel Source:
STR
Intel Name:
NetSupport RAT_Seeder_Queries_08/04/2022
Date of Scan:
2022-04-12
Impact:
MEDIUM
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-04-12
New version of SolarMarker Malware
MEDIUM
+
Intel Source:
Palo Alto
Intel Name:
New version of SolarMarker Malware
Date of Scan:
2022-04-12
Impact:
MEDIUM
Summary:
A new version of SolarMarker, a malware family known for its infostealing and backdoor capabilities, has been identified by Palo Alto Networks and is believed to be active as of April 2022. This malware has been prevalent since September 2020, targeting U.S. organizations; part of its original infrastructure is still active as of 2022, in addition to new infrastructure that the attackers have recently deployed.
Source: https://unit42.paloaltonetworks.com/solarmarker-malware/
2022-04-12
Fake COVID-19 forms targeting companies
MEDIUM
+
Intel Source:
Cofense
Intel Name:
Fake COVID-19 forms targeting companies
Date of Scan:
2022-04-12
Impact:
MEDIUM
Summary:
The Cofense Phishing Defense Center (PDC) has analysed a phishing campaign in which threat actors impersonate companies to send out fake COVID-19 forms. The PDC team saw a phishing email masquerading as a general office-wide notice claiming that someone in the building has been infected with COVID-19 and asking recipients to review the company policy.
Source: https://cofense.com/blog/covid-19-phish-targeting-companies
2022-04-12
Bahamut group recent attacks
MEDIUM
+
Intel Source:
360 Beacon Lab
Intel Name:
Bahamut group recent attacks
Date of Scan:
2022-04-12
Impact:
MEDIUM
Summary:
Researchers at 360 Beacon Lab have identified suspected mobile-device attack activity by the Bahamut group. Bahamut is an advanced threat group targeting the Middle East and South Asia. The group mainly uses phishing websites, fake news websites and social networking sites in its attacks.
Source: https://mp.weixin.qq.com/s/YAAybJBAvxqrQWYDg31BBw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=zh-CN
2022-04-12
MoqHao Malware targeting European countries
LOW
+
Intel Source:
TeamCymru
Intel Name:
MoqHao Malware targeting European countries
Date of Scan:
2022-04-12
Impact:
LOW
Summary:
Researchers at Team Cymru have examined the current target base of the Roaming Mantis group, which is leveraging MoqHao malware to target European countries. MoqHao is generally used to target Android users, often via an initial attack vector of smishing.
Source: https://team-cymru.com/blog/2022/04/07/moqhao-part-2-continued-european-expansion/
2022-04-12
Tarrask - HAFNIUM APT defense evasion malware
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
Tarrask - HAFNIUM APT defense evasion malware
Date of Scan:
2022-04-12
Impact:
MEDIUM
Summary:
The Microsoft Threat Intelligence Center (MSTIC) has tracked the Chinese-backed Hafnium hacking group and linked it to a new piece of malware that is used to maintain persistence in compromised Windows environments. MSTIC has dubbed the defense evasion malware 'Tarrask' and characterized it as a tool that creates 'hidden' scheduled tasks on the system.
Source: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
2022-04-12
EvilNominatus Ransomware
LOW
+
Intel Source:
ClearSky
Intel Name:
EvilNominatus Ransomware
Date of Scan:
2022-04-12
Impact:
LOW
Summary:
Researchers at ClearSky have detected a malicious BAT file that was uploaded to VirusTotal from Iran. This file executes ransomware associated with the EvilNominatus ransomware initially exposed at the end of 2021. Researchers believe that the ransomware’s developer is a young Iranian who bragged about its development on Twitter.
Source: https://www.clearskysec.com/wp-content/uploads/2022/04/EvilNominatus_Ransomware_7.4.22.pdf
2022-04-12
Sandworm Group (UAC-0082) targeting Ukraine energy facilities using INDUSTROYER2 and CADDYWIPER
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
Sandworm Group (UAC-0082) targeting Ukraine energy facilities using INDUSTROYER2 and CADDYWIPER
Date of Scan:
2022-04-12
Impact:
MEDIUM
Summary:
CERT-UA has taken urgent measures to respond to an information security incident related to a targeted attack on a Ukrainian energy facility.
Source: https://cert.gov.ua/article/39518 https://docs.google.com/spreadsheets/d/1T2NyaCKfjszODa0hRu4xZFpnPe8yWP607aNHb7iB_ec/edit#gid=0
2022-04-11
FFDroider Stealer Targeting Social Media Platforms
LOW
+
Intel Source:
Zscaler
Intel Name:
FFDroider Stealer Targeting Social Media Platforms
Date of Scan:
2022-04-11
Impact:
LOW
Summary:
Researchers from Zscaler have discovered many new types of stealer malware across different attack campaigns, including a novel Windows-based stealer, dubbed FFDroider, that creates a registry key and is designed to send stolen credentials and cookies to its C&C server.
Source: https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users
2022-04-11
Multiple cyber espionage operations disrupted
MEDIUM
+
Intel Source:
Facebook
Intel Name:
Multiple cyber espionage operations disrupted
Date of Scan:
2022-04-11
Impact:
MEDIUM
Summary:
Meta has shared its Adversarial Threat Report, which provides a broader view into the cyber threats Facebook observes in Iran, Azerbaijan, Ukraine, Russia, South America and the Philippines.
Source: https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf
2022-04-11
DPRK-Nexus threat actor spear-phishing campaign
LOW
+
Intel Source:
Cluster25
Intel Name:
DPRK-Nexus threat actor spear-phishing campaign
Date of Scan:
2022-04-11
Impact:
LOW
Summary:
Researchers at Cluster25 have identified recent activity, starting in the early days of April 2022, by a DPRK-nexus threat actor using spear-phishing emails containing Korean-based malicious documents with different lures to compromise its victims.
Source: https://cluster25.io/2022/04/11/dprk-nexus-adversary-new-kitty-phishing/
2022-04-11
Denonia Malware specifically targeting AWS Lambda
MEDIUM
+
Intel Source:
Cado security
Intel Name:
Denonia Malware specifically targeting AWS Lambda
Date of Scan:
2022-04-11
Impact:
MEDIUM
Summary:
Researchers from Cado Security published their findings on a new malware variant called 'Denonia' that targets AWS Lambda. On further investigation, the researchers found the sample was a 64-bit ELF executable. The malware also relies on third-party GitHub libraries, including ones for writing Lambda functions and retrieving data from Lambda invoke requests.
Source: https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/
2022-04-11
Mirai Botnet exploiting Spring4Shell Vulnerability
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
Mirai Botnet exploiting Spring4Shell Vulnerability
Date of Scan:
2022-04-11
Impact:
MEDIUM
Summary:
The Trend Micro research team has confirmed earlier reports that the new Spring4Shell vulnerability is being exploited by the Mirai botnet. The Mirai sample is downloaded to the ‘/tmp’ folder and executed after its permissions are changed with ‘chmod’ to make it executable.
Source: https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html
2022-04-08
Remcos RAT phishing campaign
LOW
+
Intel Source:
Fortinet
Intel Name:
Remcos RAT phishing campaign
Date of Scan:
2022-04-08
Impact:
LOW
Summary:
Researchers from FortiGuard Labs share their analysis of the Remcos RAT, delivered by a phishing campaign, being used by malicious actors to control victims’ devices.
Source: https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing
2022-04-08
Parrot TDS takes over compromised websites
MEDIUM
+
Intel Source:
Avast
Intel Name:
Parrot TDS takes over compromised websites
Date of Scan:
2022-04-08
Impact:
MEDIUM
Summary:
Avast researchers have published a report stating that a new traffic direction system (TDS) called Parrot has been spotted leveraging tens of thousands of compromised websites to launch further malicious campaigns. The TDS has infected various web servers hosting more than 16,500 websites, ranging from adult content sites and personal websites to university sites and local government sites.
Source: https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/
2022-04-08
Operation Bearded Barbie
MEDIUM
+
Intel Source:
Cybereason
Intel Name:
Operation Bearded Barbie
Date of Scan:
2022-04-08
Impact:
MEDIUM
Summary:
Researchers from Cybereason discovered a new APT-C-23 campaign targeting a group of high-profile Israeli individuals working for sensitive defense, law enforcement and emergency services organizations. The investigation revealed that APT-C-23 has effectively upgraded its malware arsenal with new tools dubbed Barb(ie) Downloader and BarbWire Backdoor.
Source: https://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials#iocs
2022-04-08
UAC-0010 group/Armageddon targeting Ukraine government
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
UAC-0010 group/Armageddon targeting Ukraine government
Date of Scan:
2022-04-08
Impact:
MEDIUM
Summary:
Ukraine’s Computer Emergency Response Team (CERT-UA) revealed on Monday a string of phishing emails that they’ve linked to a Russian state-sponsored actor called Armageddon. The attacks baited Ukrainian and Latvian government officials with information concerning the war between Ukraine and Russia.
Source: https://cert.gov.ua/article/39138 https://therecord.media/ukrainian-cert-details-russia-linked-phishing-attacks-targeting-government-officials/
2022-04-08
UAC-0010 group/Armageddon targeting European Union institutions
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
UAC-0010 group/Armageddon targeting European Union institutions
Date of Scan:
2022-04-08
Impact:
MEDIUM
Summary:
Ukraine’s Computer Emergency Response Team (CERT-UA) revealed on Monday a string of phishing emails that they’ve linked to a Russian state-sponsored actor called Armageddon. The attacks baited Ukrainian and Latvian government officials with information concerning the war between Ukraine and Russia.
Source: https://cert.gov.ua/article/39086 https://www.bleepingcomputer.com/news/security/ukraine-russian-armageddon-phishing-targets-eu-govt-agencies/
2022-04-08
Chinese APT targets Indian Power Grid
MEDIUM
+
Intel Source:
Recorded Future
Intel Name:
Chinese APT targets Indian Power Grid
Date of Scan:
2022-04-08
Impact:
MEDIUM
Summary:
Researchers from Recorded Future find continued targeting of the Indian power grid by a Chinese state-sponsored activity group, likely intended to enable information gathering surrounding critical infrastructure systems.
Source: https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf
2022-04-07
Windows MetaStealer Malware
MEDIUM
+
Intel Source:
ISC.SANS
Intel Name:
Windows MetaStealer Malware
Date of Scan:
2022-04-07
Impact:
MEDIUM
Summary:
Researchers at SANS have analysed 16 samples of Excel files submitted to VirusTotal on 30-03-2022; these Excel files are distributed as email attachments. Post-infection traffic triggers signatures for Win32/MetaStealer related activity.
Source: https://isc.sans.edu/diary/rss/28522
2022-04-07
Malicious Word Documents Using MS Media Player
LOW
+
Intel Source:
ASEC
Intel Name:
Malicious Word Documents Using MS Media Player
Date of Scan:
2022-04-07
Impact:
LOW
Summary:
ASEC researchers have analysed a malicious Word file that is being distributed with text impersonating AhnLab. The Word file downloads another Word file containing a malicious VBA macro via an external URL and runs it. The downloaded Word file uses the Windows Media Player() function instead of AutoOpen() to automatically run the VBA macro.
Source: https://asec.ahnlab.com/en/33477/
2022-04-07
BLISTER & SocGholish loaders delivering LockBit Ransomware
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
BLISTER & SocGholish loaders delivering LockBit Ransomware
Date of Scan:
2022-04-07
Impact:
MEDIUM
Summary:
Researchers from Trend Micro recently discovered a campaign in which BLISTER and SocGholish, two loaders known for their evasion tactics, were used to deliver LockBit ransomware.
Source: https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html
2022-04-07
Cicada/APT10 new espionage campaign
MEDIUM
+
Intel Source:
Symantec
Intel Name:
Cicada/APT10 new espionage campaign
Date of Scan:
2022-04-07
Impact:
MEDIUM
Summary:
Researchers at Symantec have discovered an espionage campaign by the Chinese APT group called APT10/Cicada. Victims identified in this campaign include government, legal, religious and non-governmental organizations (NGOs) in multiple countries around the world, including in Europe, Asia and North America.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks
2022-04-07
Evolution of FIN7 group
MEDIUM
+
Intel Source:
Mandiant
Intel Name:
Evolution of FIN7 group
Date of Scan:
2022-04-07
Impact:
MEDIUM
Summary:
Mandiant published its research on the evolution of FIN7 from both historical and recent intrusions and describes the process of merging eight previously suspected UNC groups into FIN7. The researchers also highlighted notable shifts in FIN7 activity over time, including the use of novel malware, the incorporation of new initial access vectors and shifts in monetization strategies.
Source: https://www.mandiant.com/resources/evolution-of-fin7
2022-04-07
Scammers are Exploiting Ukraine Donations
LOW
+
Intel Source:
McAfee
Intel Name:
Scammers are Exploiting Ukraine Donations
Date of Scan:
2022-04-07
Impact:
LOW
Summary:
McAfee researchers have identified malicious sites and emails used by attackers to lure internet users into a cryptocurrency donation scam.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/scammers-are-exploiting-ukraine-donations/
2022-04-07
New AsyncRAT campaign features 3LOSH crypter
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
New AsyncRAT campaign features 3LOSH crypter
Date of Scan:
2022-04-07
Impact:
MEDIUM
Summary:
Cisco Talos Intelligence Group discovered that ongoing malware distribution campaigns are using ISO disk images to deliver AsyncRAT and other commodity malware to victims. They found that these campaigns appear to be linked to a new version of the 3LOSH crypter.
Source: https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html
2022-04-07
CaddyWiper Malware- New Analysis
MEDIUM
+
Intel Source:
Morphisec
Intel Name:
CaddyWiper Malware- New Analysis
Date of Scan:
2022-04-07
Impact:
MEDIUM
Summary:
Researchers from Morphisec share a new analysis of the CaddyWiper malware, which has surfaced as the fourth destructive wiper attacking Ukrainian infrastructure. CaddyWiper destroys user data and partition information from attached drives and has been spotted on several dozen systems in a limited number of organizations.
Source: https://blog.morphisec.com/caddywiper-analysis-new-malware-attacking-ukraine
2022-04-07
Colibri Loader campaign delivering the Vidar Stealer
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Colibri Loader campaign delivering the Vidar Stealer
Date of Scan:
2022-04-07
Impact:
LOW
Summary:
Researchers from Malwarebytes recently uncovered a new Colibri Loader campaign delivering the Vidar Stealer as its final payload, using a clever persistence technique that combines Task Scheduler and PowerShell.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
2022-04-06
New Rat campaign leverages Tax Season
LOW
+
Intel Source:
Cofense
Intel Name:
New Rat campaign leverages Tax Season
Date of Scan:
2022-04-06
Impact:
LOW
Summary:
The Cofense Phishing Defense Center team has discovered a tactic that spoofs the U.S. Internal Revenue Service (IRS) to download malware onto user systems. This campaign leverages NetSupport Manager, a troubleshooting and screen control program, as a malicious remote access trojan (RAT) that the threat actor employs to remotely enter user systems.
Source: https://cofense.com/blog/rat-campaign-looks-to-take-advantage-of-the-tax-season
2022-04-06
Lazarus Group New Campaign
LOW
+
Intel Source:
SecureList
Intel Name:
Lazarus Group New Campaign
Date of Scan:
2022-04-06
Impact:
LOW
Summary:
Researchers at Securelist have discovered a trojanized DeFi application used by the Lazarus Group to deliver a backdoor. The DeFi application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but it also implants a malicious file when executed.
Source: https://securelist.com/lazarus-trojanized-defi-app/106195/
2022-04-06
Mirai campaign updated its arsenal of exploits
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Mirai campaign updated its arsenal of exploits
Date of Scan:
2022-04-06
Impact:
MEDIUM
Summary:
Researchers at Fortinet Labs have identified that the Beastmode Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Five new exploits were added within a month, with three targeting various models of TOTOLINK routers.
Source: https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign
2022-04-06
New UAC-0056 Group activity
MEDIUM
+
Intel Source:
Malwarebytes
Intel Name:
New UAC-0056 Group activity
Date of Scan:
2022-04-06
Impact:
MEDIUM
Summary:
Researchers from Intezer Labs shared that UAC-0056 (TA471, SaintBear, UNC2589) has been launching targeted spear-phishing campaigns using spoofed Ukrainian governmental email addresses to deliver the Elephant malware framework, which is written in Go.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/ https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/
2022-04-06
Stolen Image Evidence Campaign
MEDIUM
+
Intel Source:
DFIR Report
Intel Name:
Stolen Image Evidence Campaign
Date of Scan:
2022-04-06
Impact:
MEDIUM
Summary:
Researchers at The DFIR Report have identified a single Conti ransomware deployment from December that appears to be part of a larger campaign. The attack utilized IcedID, a well-known banking trojan, which was delivered via the 'Stolen Images Evidence' email campaign.
Source: https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
2022-04-05
Remcos Rat Phishing Campaign
MEDIUM
+
Intel Source:
Morphisec
Intel Name:
Remcos Rat Phishing Campaign
Date of Scan:
2022-04-05
Impact:
MEDIUM
Summary:
Morphisec Labs has detected a new wave of Remcos RAT infections being spread through phishing emails masquerading as payment remittances sent from financial institutions.
Source: https://blog.morphisec.com/remcos-trojan-analyzing-attack-chain
2022-04-05
VajraEleph (APT-Q-43) group New campaign
LOW
+
Intel Source:
Qianxin
Intel Name:
VajraEleph (APT-Q-43) group New campaign
Date of Scan:
2022-04-05
Impact:
LOW
Summary:
The mobile security team of Qianxin Technology HK Co. Limited Virus Response Center identified that the VajraEleph (APT-Q-43) group has been carrying out targeted military espionage activities against the Pakistani military.
Source: https://mp.weixin.qq.com/s/B0ElRhbqLzs-wGQh79fTww
2022-04-04
Hive Ransomware leveraging IPfuscation Technique
MEDIUM
+
Intel Source:
SentinelOne
Intel Name:
Hive Ransomware leveraging IPfuscation Technique
Date of Scan:
2022-04-04
Impact:
MEDIUM
Summary:
Researchers at SentinelOne have discovered a new obfuscation technique used by the Hive ransomware gang which involves IPv4 addresses and a series of conversions that eventually lead to downloading a Cobalt Strike beacon.
Source: https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/
2022-04-04
New PlugX variant used by Chinese APT group
MEDIUM
+
Intel Source:
Trellix
Intel Name:
New PlugX variant used by Chinese APT group
Date of Scan:
2022-04-04
Impact:
MEDIUM
Summary:
Researchers at Trellix have discovered a new variant of the PlugX malware named 'Talisman'. The new variant follows the usual execution process by abusing a signed, benign binary that loads a modified DLL to execute shellcode. The shellcode is used to decrypt the PlugX malware, which then serves as a backdoor with plug-in capabilities.
Source: https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html
2022-04-04
Mars InfoStealer new operation
MEDIUM
+
Intel Source:
Morphisec
Intel Name:
Mars InfoStealer new operation
Date of Scan:
2022-04-04
Impact:
MEDIUM
Summary:
The Morphisec Labs team has analysed a campaign in which the actor distributed Mars Stealer via cloned websites offering well-known software. The Morphisec team attributed this actor to a Russian national by looking at the screenshots and keyboard details from the extracted system.txt.
Source: https://blog.morphisec.com/threat-research-mars-stealer
2022-04-04
BlackGuard - new infostealer malware
MEDIUM
+
Intel Source:
Zscaler
Intel Name:
BlackGuard - new infostealer malware
Date of Scan:
2022-04-04
Impact:
MEDIUM
Summary:
The Zscaler ThreatLabz team came across BlackGuard, a sophisticated stealer currently being advertised as malware-as-a-service with a monthly price of $200. The researchers share their analysis of the techniques the BlackGuard stealer uses to steal information and to evade detection using obfuscation, as well as the techniques it uses for anti-debugging.
Source: https://www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking
2022-04-04
Acid Rain wiper malware targets Viasat KA-SAT modems
MEDIUM
+
Intel Source:
SentinelOne
Intel Name:
Acid Rain wiper malware targets Viasat KA-SAT modems
Date of Scan:
2022-04-04
Impact:
MEDIUM
Summary:
SentinelLabs researchers have analysed a new wiper, AcidRain, which has been targeting Europe and Viasat KA-SAT modems. This wiper is ELF MIPS malware designed to wipe modems and routers.
Source: https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/
2022-04-04
State sponsored groups leveraging RU-UA conflict
MEDIUM
+
Intel Source:
Checkpoint
Intel Name:
State sponsored groups leveraging RU-UA conflict
Date of Scan:
2022-04-04
Impact:
MEDIUM
Summary:
Researchers from Check Point provide an overview of several campaigns by different APT groups using the ongoing Russia-Ukraine war to increase the efficiency of their campaigns. They also discuss the victimology of these campaigns and the tactics used, and provide technical analysis of the observed malicious payloads and malware specially crafted for this cyber-espionage.
Source: https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/
2022-04-04
North Korea related files distributed via malicious VB Scripts
LOW
+
Intel Source:
ASEC
Intel Name:
North Korea related files distributed via malicious VB Scripts
Date of Scan:
2022-04-04
Impact:
LOW
Summary:
ASEC researchers have analysed a phishing email related to North Korea with a compressed file attached. The email refers to writing a resume in order to induce execution of the attached file. A malicious VBS script file exists inside the compressed file.
Source: https://asec.ahnlab.com/ko/33141/
2022-04-01
Deep Panda APT group exploiting Log4shell
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Deep Panda APT group exploiting Log4shell
Date of Scan:
2022-04-01
Impact:
MEDIUM
Summary:
FortiGuard Labs detected an opportunistic campaign by the Chinese nation-state “Deep Panda” APT group exploiting the Log4Shell vulnerability in VMware Horizon servers belonging to the financial, academic, cosmetics and travel industries.
Source: https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits
2022-04-01
Spoofed Invoice delivering IcedID Trojan
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Spoofed Invoice delivering IcedID Trojan
Date of Scan:
2022-04-01
Impact:
MEDIUM
Summary:
FortiGuard Labs encountered a spearphishing campaign targeting a fuel company in Kyiv, Ukraine. The email contains an attached zip file, which in turn contains an invoice file claiming to be from another fuel company. The IcedID trojan is dropped via main.dll, with use of the Windows registry.
Source: https://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id
2022-04-01
Spring4Shell Vulnerability
HIGH
+
Intel Source:
Securonix
Intel Name:
Spring4Shell Vulnerability
Date of Scan:
2022-04-01
Impact:
HIGH
Summary:
The Securonix Threat Research team has identified a currently unpatched zero-day vulnerability in Spring Core, a widely used Java-based platform with cross-platform support. Early details claim that the bug would allow full remote code execution (RCE) on affected systems.
Source: https://www.securonix.com/blog/detection-and-analysis-of-spring4shell/
2022-03-31
Transparent Tribe targets Indian government and military
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
Transparent Tribe targets Indian government and military
Date of Scan:
2022-03-31
Impact:
MEDIUM
Summary:
Cisco Talos researchers have identified a new campaign by Transparent Tribe targeting Indian government and military bodies. The threat actor is leveraging CrimsonRAT to infect the victims.
Source: https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html
2022-03-31
Verblecon - A New Malware Loader
LOW
+
Intel Source:
Symantec
Intel Name:
Verblecon - A New Malware Loader
Date of Scan:
2022-03-31
Impact:
LOW
Summary:
Symantec researchers have identified a malware named Trojan.Verblecon that is being leveraged in attacks whose apparent end goal is installing cryptocurrency miners on infected machines. However, the capabilities of this malware indicate that it could be highly dangerous if leveraged in ransomware or espionage campaigns.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord
2022-03-31
Chromium Based Browser Vulnerability
MEDIUM
+
Intel Source:
Google
Intel Name:
Chromium Based Browser Vulnerability
Date of Scan:
2022-03-31
Impact:
MEDIUM
Summary:
Google is urging users on Windows, macOS and Linux to update Chrome to version 99.0.4844.84 following the discovery of a vulnerability for which an exploit exists in the wild.
Source: https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html
2022-03-31
Multiple APT groups targeting Eastern Europe
MEDIUM
+
Intel Source:
Google
Intel Name:
Multiple APT groups targeting Eastern Europe
Date of Scan:
2022-03-31
Impact:
MEDIUM
Summary:
Google TAG researchers have tracked 3 APT groups targeting government and military organisations in Ukraine, Kazakhstan and Mongolia, as well as NATO forces in Eastern Europe. All 3 APT groups are conducting phishing campaigns against these targets.
Source: https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/
2022-03-30
Emotet New IoC and New Pattern
MEDIUM
+
Intel Source:
Cisco
Intel Name:
Emotet New IoC and New Pattern
Date of Scan:
2022-03-30
Impact:
MEDIUM
Summary:
Cisco conducted research to find new Emotet IOCs and URL patterns related to the new wave of Emotet activity since its re-emergence in November 2021. Cisco researchers summarize the Emotet (Geodo/Heodo) malware threat, its lifecycle and its typical detectable patterns.
Source: https://blogs.cisco.com/security/emotet-is-back
2022-03-30
Kimsuky distributing VB Script disguised as PDF Files
LOW
+
Intel Source:
ASEC
Intel Name:
Kimsuky distributing VB Script disguised as PDF Files
Date of Scan:
2022-03-30
Impact:
LOW
Summary:
ASEC researchers have identified APT attacks by a group called Kimsuky using VB Script disguised as PDF files. Upon running the script file with the VBS extension, the malware opens an innocuous PDF file embedded internally to trick the user into thinking that they opened a harmless document, and uses a malicious DLL file to leak information.
Source: https://asec.ahnlab.com/en/33032/
2022-03-30
BitRAT malware disguised as office Installer
LOW
+
Intel Source:
ASEC
Intel Name:
BitRAT malware disguised as office Installer
Date of Scan:
2022-03-30
Impact:
LOW
Summary:
ASEC researchers have analysed a BitRAT malware sample that is being distributed as an Office installer bundled with other files. The malware is being actively distributed via file-sharing websites such as Korean webhards.
Source: https://asec.ahnlab.com/en/33024/
2022-03-29
Purple Fox using New variant of FatalRat
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
Purple Fox using New variant of FatalRat
Date of Scan:
2022-03-29
Impact:
MEDIUM
Summary:
Trend Micro Research has been tracking a threat actor named 'Purple Fox' and its activities. Researchers identified Purple Fox’s new arrival vector and the early access loaders they believe are associated with the intrusion set behind this botnet. The operators are updating their arsenal with new malware, including a variant of the remote access trojan FatalRAT that they seem to be continuously upgrading.
Source: https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html
2022-03-29
New Conversation Hijacking Campaign Delivering IcedID
MEDIUM
+
Intel Source:
Intezer
Intel Name:
New Conversation Hijacking Campaign Delivering IcedID
Date of Scan:
2022-03-29
Impact:
MEDIUM
Summary:
Researchers from Intezer provide a technical analysis of a new campaign that initiates attacks with a phishing email using conversation hijacking to deliver the IcedID malware.
Source: https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/
2022-03-28
Muhstik Gang targets Redis Servers
MEDIUM
+
Intel Source:
Juniper
Intel Name:
Muhstik Gang targets Redis Servers
Date of Scan:
2022-03-28
Impact:
MEDIUM
Summary:
Researchers at Juniper Threat Labs have revealed an attack that targets Redis servers using a recently disclosed vulnerability, namely CVE-2022-0543. This vulnerability exists in some Redis Debian packages. The payload used is a variant of the Muhstik bot, which can be used to launch DDoS attacks.
Source: https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers
2022-03-28
Conti Ransomware new update
MEDIUM
+
Intel Source:
Zscaler
Intel Name:
Conti Ransomware new update
Date of Scan:
2022-03-28
Impact:
MEDIUM
Summary:
Researchers at Zscaler ThreatLabz have been following the Conti ransomware group and, as part of their global ransomware tracking efforts, identified an updated version of Conti ransomware that includes improved file encryption, introduces techniques to better evade security software and streamlines the ransom payment process.
Source: https://www.zscaler.com/blogs/security-research/conti-ransomware-attacks-persist-updated-version-despite-leaks
2022-03-25
Operation Dragon Castling
LOW
+
Intel Source:
Avast
Intel Name:
Operation Dragon Castling
Date of Scan:
2022-03-25
Impact:
LOW
Summary:
Researchers from Avast found an APT campaign dubbed Operation Dragon Castling that has been targeting betting companies in Southeast Asian countries. The campaign has similarities with several old malware samples used by an unspecified Chinese-speaking APT group.
Source: https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies/
2022-03-25
JSSLoader RAT delivered through XLL Files
LOW
+
Intel Source:
Morphisec
Intel Name:
JSSLoader RAT delivered through XLL Files
Date of Scan:
2022-03-25
Impact:
LOW
Summary:
Morphisec Labs has discovered a new variant of the JSSLoader RAT. JSSLoader is a small but very capable .NET remote access trojan (RAT). Its capabilities include data exfiltration, persistence, auto-updating, additional payload delivery and more. Moreover, attackers are now using .XLL files to deliver an obfuscated version of JSSLoader.
Source: https://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files
2022-03-25
Tax Season and Refugee war scams delivering Emotet
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Tax Season and Refugee war scams delivering Emotet
Date of Scan:
2022-03-25
Impact:
MEDIUM
Summary:
The FortiGuard Labs research team has analysed emails related to tax season and the Ukrainian conflict. The phishing emails are attributed to the infamous malware 'Emotet' and affect the Windows platform; compromised machines come under the control of the threat actor, leading to theft of personally identifiable information (PII), credential theft, monetary loss, etc.
Source: https://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams
2022-03-25
Chinese APT Scarab targets Ukraine
MEDIUM
+
Intel Source:
SentinelOne
Intel Name:
Chinese APT Scarab targets Ukraine
Date of Scan:
2022-03-25
Impact:
MEDIUM
Summary:
Researchers at SentinelLabs have further analysed alert #4244, released by the Ukrainian CERT on 22 March 2022, which describes the malicious activity of the UAC-0026 threat group. The SentinelLabs team has confirmed the attribution of UAC-0026 to the Chinese APT group called Scarab.
Source: https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/
2022-03-24
Password stealer disguised as private Fortnite server
LOW
+
Intel Source:
Avast
Intel Name:
Password stealer disguised as private Fortnite server
Date of Scan:
2022-03-24
Impact:
LOW
Summary:
Researchers at Avast have identified password-stealing malware disguised as a private Fortnite server where users can meet for a private match and use skins for free. The malware is being heavily propagated on the communications platform Discord.
Source: https://blog.avast.com/password-stealer-disguised-as-fortnite-server-spreading-on-discord
2022-03-24
New variants of Arkei Stealer
LOW
+
Intel Source:
ISC.SANS
Intel Name:
New variants of Arkei Stealer
Date of Scan:
2022-03-24
Impact:
LOW
Summary:
Researchers at the SANS InfoSec Diary blog have analysed the Vidar, Oski and Mars stealer variants of the Arkei Stealer malware. The researchers also found that legitimate DLL files, hosted on the same C2 server, have been used by the Vidar, Oski and Mars variants.
Source: https://isc.sans.edu/diary.html?date=2022-03-23
2022-03-24
Operation DreamJob and AppleJeus
MEDIUM
+
Intel Source:
Google
Intel Name:
Operation DreamJob and AppleJeus
Date of Scan:
2022-03-24
Impact:
MEDIUM
Summary:
Researchers from Google discovered two North Korean-backed threat actors exploiting a remote code execution vulnerability in Chrome, CVE-2022-0609. These groups' activity has been publicly tracked as Operation Dream Job and Operation AppleJeus. These campaigns have been targeting U.S.-based organizations.
Source: https://blog.google/threat-analysis-group/countering-threats-north-korea/
2022-03-24
Arid Viper using Arid Gopher malware
MEDIUM
+
Intel Source:
deepinstinct
Intel Name:
Arid Viper using Arid Gopher malware
Date of Scan:
2022-03-24
Impact:
MEDIUM
Summary:
Researchers from Deep Instinct's Threat Research team discovered a never-before-seen Micropsia malware variant dubbed Arid Gopher, which is attributed to Arid Viper.
Source: https://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant
2022-03-24
Conti Ransomware Affiliate Exposed
MEDIUM
+
Intel Source:
eSentire
Intel Name:
Conti Ransomware Affiliate Exposed
Date of Scan:
2022-03-24
Impact:
MEDIUM
Summary:
Researchers at eSentire have been tracking the movements of the Conti gang for over two years and are now publishing a new set of indicators currently being used by a Conti affiliate. The researchers' analysis also focuses on the infrastructure used by the gang.
Source: https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire
2022-03-24
Vidar Malware hidden in Microsoft Help file
MEDIUM
+
Intel Source:
Trustwave
Intel Name:
Vidar Malware hidden in Microsoft Help file
Date of Scan:
2022-03-24
Impact:
MEDIUM
Summary:
Trustwave SpiderLabs researchers have detected a Vidar malware phishing campaign that abuses Microsoft HTML Help files. Vidar is Windows spyware and an information stealer available for purchase by cybercriminals. Vidar can harvest OS and user data, online service and cryptocurrency account credentials, and credit card information.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vidar-malware-launcher-concealed-in-help-file/
2022-03-24
Crypto Phishing
LOW
+
Intel Source:
Confiant
Intel Name:
Crypto Phishing
Date of Scan:
2022-03-24
Impact:
LOW
Summary:
Researchers at Confiant have looked at several chains that start with an ad and end with cryptocurrency theft, usually via phishing.
Source: https://blog.confiant.com/a-whirlwind-tour-of-crypto-phishing-8628da0a9e38
2022-03-24
Midas Ransomware - A Thanos Ransomware variant
LOW
+
Intel Source:
Zscaler
Intel Name:
Midas Ransomware - A Thanos Ransomware variant
Date of Scan:
2022-03-24
Impact:
LOW
Summary:
Researchers at Zscaler have analysed variants of Thanos ransomware and identified the ransomware's shift in tactics in 2021. Thanos ransomware was first identified in February 2020 as a RaaS on the dark web. In 2021 the Thanos source code was leaked, after which many variants were identified by researchers. One of the latest variants is Midas.
Source: https://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants
2022-03-24
Meris and TrickBot joined Hands
MEDIUM
+
Intel Source:
Avast
Intel Name:
Meris and TrickBot joined Hands
Date of Scan:
2022-03-24
Impact:
MEDIUM
Summary:
As per Avast researchers, the Meris backdoor and TrickBot have joined hands. The botnet is known to exploit a known vulnerability in the Winbox component of MikroTik routers (CVE-2018-14847), enabling the attackers to gain unauthenticated remote administrative access to any affected device.
Source: https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/
2022-03-23
DoubleZero Destructive Malware targets Ukrainian firms
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
DoubleZero Destructive Malware targets Ukrainian firms
Date of Scan:
2022-03-23
Impact:
MEDIUM
Summary:
On March 17, CERT-UA found the presence of destructive malware dubbed DoubleZero targeting Ukrainian firms. The malware erases files and destroys certain registry branches on the infected machine.
Source: https://cert.gov.ua/article/38088 https://socprime.com/blog/doublezero-destructive-malware-used-in-cyber-attacks-at-ukrainian-companies-cert-ua-alert/
2022-03-23
Phishing Campaign using QR code targets Ukraine
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
Phishing Campaign using QR code targets Ukraine
Date of Scan:
2022-03-23
Impact:
MEDIUM
Summary:
CERT-UA discovered the distribution of e-mails that mimic messages from UKR.NET and contain a QR code encoding a URL created using one of the URL-shortener services; the activity was attributed with low confidence to APT28.
Source: https://cert.gov.ua/article/37788
2022-03-23
Vermin (UAC-0020) targets Ukraine Govt using Spectr malware
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
Vermin (UAC-0020) targets Ukraine Govt using Spectr malware
Date of Scan:
2022-03-23
Impact:
MEDIUM
Summary:
On March 17, CERT-UA found an active spear-phishing campaign delivering SPECTR malware. The campaign was initiated by Vermin, aka UAC-0020, who are associated with the Luhansk People’s Republic (LPR).
Source: https://cert.gov.ua/article/37815 https://socprime.com/blog/vermin-uac-0020-hacking-collective-hits-ukrainian-government-and-military-with-spectr-malware/
2022-03-23
Mustang Panda deploying new Hodur Malware
MEDIUM
+
Intel Source:
WeLiveSecurity
Intel Name:
Mustang Panda deploying new Hodur Malware
Date of Scan:
2022-03-23
Impact:
MEDIUM
Summary:
A new cyber espionage campaign has been discovered by researchers from ESET in which the China-linked APT group Mustang Panda was deploying Hodur malware. The victims are from East and Southeast Asia.
Source: https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/
2022-03-23
Clipper malware disguised as AvD Crypto Stealer
LOW
+
Intel Source:
Cyble
Intel Name:
Clipper malware disguised as AvD Crypto Stealer
Date of Scan:
2022-03-23
Impact:
LOW
Summary:
Researchers at Cyble have discovered a new malware dubbed 'AvD crypto stealer', but it does not function as a crypto stealer. Instead, it is a disguised variant of well-known clipper malware and has the capability to read and edit any text copied by the victim.
Source: https://blog.cyble.com/2022/03/22/hunters-become-the-hunted/
2022-03-23
ClipBanker Malware disguised as Malware Creation Tool
LOW
+
Intel Source:
ASEC
Intel Name:
ClipBanker Malware disguised as Malware Creation Tool
Date of Scan:
2022-03-23
Impact:
LOW
Summary:
The ASEC team has identified ClipBanker malware disguised as a malware creation tool. ClipBanker monitors the clipboard of the infected system and, if a copied string is a coin wallet address, changes it to the address designated by the attacker.
Source: https://asec.ahnlab.com/en/32825/
2022-03-23
UAC-0026 targets Ukraine by HeaderTIP malware
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
UAC-0026 targets Ukraine by HeaderTIP malware
Date of Scan:
2022-03-23
Impact:
MEDIUM
Summary:
CERT-UA identified yet another nefarious malware, dubbed HeaderTIP, which is leveraged to drop additional DLL files onto the infected instance; it has been targeting the infrastructure of Ukrainian state bodies and organizations across the country.
Source: https://cert.gov.ua/article/38097
2022-03-23
Document-borne APT attack targeting Carbon emissions companies
LOW
+
Intel Source:
ASEC
Intel Name:
Document-borne APT attack targeting Carbon emissions companies
Date of Scan:
2022-03-23
Impact:
LOW
Summary:
The ASEC team has analysed a malicious Word document titled '**** Carbon Credit Institution.doc', which the user downloaded through a web browser. The team identified the malicious document from the logs collected by their Smart Defense tool. The malicious document comes with macro code, and it is likely that its internal macro code runs wscript.ex.
Source: https://asec.ahnlab.com/en/32822/
2022-03-22
Serpent Backdoor Targets French government firms
MEDIUM
+
Intel Source:
Proofpoint
Intel Name:
Serpent Backdoor Targets French government firms
Date of Scan:
2022-03-22
Impact:
MEDIUM
Summary:
Proofpoint researchers identified a targeted attack leveraging the open-source package installer Chocolatey to deliver a backdoor. The backdoor was dubbed Serpent, and the targets have been French firms in construction and real estate.
Source: https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
2022-03-22
Malware disguised as a Windows Help File
LOW
+
Intel Source:
ASEC
Intel Name:
Malware disguised as a Windows Help File
Date of Scan:
2022-03-22
Impact:
LOW
Summary:
The ASEC team has discovered malware disguised as a Windows Help file (*.chm) and targeting Korean users. A CHM file is a compiled HTML Help file, which is executed via the Microsoft HTML Help executable. After the CHM file is executed, it downloads additional malicious files.
Source: https://asec.ahnlab.com/en/32800/
2022-03-22
Serpent Backdoor_Seeder_Queries_21/03/22
MEDIUM
+
Intel Source:
STR
Intel Name:
Serpent Backdoor_Seeder_Queries_21/03/22
Date of Scan:
2022-03-22
Impact:
MEDIUM
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-03-22
APT35 Automates Initial Access Using ProxyShell
MEDIUM
+
Intel Source:
DFIR Report
Intel Name:
APT35 Automates Initial Access Using ProxyShell
Date of Scan:
2022-03-22
Impact:
MEDIUM
Summary:
Researchers at The DFIR Report observed an intrusion attributed to APT35 exploiting the ProxyShell vulnerabilities, followed by further post-exploitation activity which included web shells, credential dumping and specialized payloads.
Source: https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
2022-03-22
SurTr Ransomware recent activity
LOW
+
Intel Source:
Arete
Intel Name:
SurTr Ransomware recent activity
Date of Scan:
2022-03-22
Impact:
LOW
Summary:
Researchers from Arete investigated a security incident involving Surtr ransomware, which made a registry key change on the infected host to pay tribute to the REvil group.
Source: https://areteir.com/surtr-ransomware-pays-tribute-to-revil/
2022-03-22
BitRAT distributed via webhards
MEDIUM
+
Intel Source:
ASEC
Intel Name:
BitRAT distributed via webhards
Date of Scan:
2022-03-22
Impact:
MEDIUM
Summary:
The ASEC team has analysed malware being distributed via webhards and identified it as BitRAT. The attacker disguised the malware as a Windows 10 license verification tool and, to lure users, named the installer 'New Quick Install Windows License Verification' One-click.
Source: https://asec.ahnlab.com/en/32781/
2022-03-22
DarkHotel APT New Campaign
LOW
+
Intel Source:
Trellix
Intel Name:
DarkHotel APT New Campaign
Date of Scan:
2022-03-22
Impact:
LOW
Summary:
Trellix researchers discovered a first-stage malicious campaign that has been targeting luxury hotels in Macao, China, for the last five months; the attack has been attributed to the South Korean APT group DarkHotel.
Source: https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/suspected-darkhotel-apt-activity-update.html
2022-03-22
UAC-0035/InvisiMole targeting Ukrainian government
LOW
+
Intel Source:
CERT-UA
Intel Name:
UAC-0035/InvisiMole targeting Ukrainian government
Date of Scan:
2022-03-22
Impact:
LOW
Summary:
CERT-UA identified cyberattacks being launched by the UAC-0035/InvisiMole threat group targeting Ukrainian government organisations using phishing campaigns. InvisiMole is likely a subgroup connected to the Russia-sponsored Gamaredon group.
Source: https://cert.gov.ua/article/37829
2022-03-21
CONTI & EMOTET Infrastructure
LOW
+
Intel Source:
Dragos
Intel Name:
CONTI & EMOTET Infrastructure
Date of Scan:
2022-03-21
Impact:
LOW
Summary:
Researchers at Dragos have observed consistent network communication between the Emotet ransomware group and automotive manufacturers across North America and Japan, which is suspected to be controlled by the Conti ransomware group.
Source: https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/
2022-03-21
Cobalt Strike-an effective emulator
LOW
+
Intel Source:
Palo Alto
Intel Name:
Cobalt Strike-an effective emulator
Date of Scan:
2022-03-21
Impact:
LOW
Summary:
Cobalt Strike is a tool that emulates command and control communications and is widely used in real-world attacks but can also be used as a way to evade traditional firewall defenses. Cobalt Strike users control Beacon’s HTTP indicators through a profile and can select either the default profile or a customizable Malleable C2 profile.
Source: https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/
2022-03-21
DirtyMoe malware
LOW
+
Intel Source:
Avast
Intel Name:
DirtyMoe malware
Date of Scan:
2022-03-21
Impact:
LOW
Summary:
Researchers from Avast warned of the rapid growth of the DirtyMoe botnet, which grew from 10,000 infected systems in 2020 to more than 100,000 in the first half of 2021. Experts describe DirtyMoe as complex malware designed as a modular system. The Windows botnet has been active since late 2017; it was mainly used to mine cryptocurrency, but it was also involved in DDoS attacks in 2018.
Source: https://decoded.avast.io/martinchlumecky/dirtymoe-5/
2022-03-21
EXOTIC LILY/BazarLoader_TTP_Seeder_Queries_18/03/22
HIGH
+
Intel Source:
STR
Intel Name:
EXOTIC LILY/BazarLoader_TTP_Seeder_Queries_18/03/22
Date of Scan:
2022-03-21
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-03-21
CAKETAP Rootkit deployed by UNC2891
MEDIUM
+
Intel Source:
Mandiant
Intel Name:
CAKETAP Rootkit deployed by UNC2891
Date of Scan:
2022-03-21
Impact:
MEDIUM
Summary:
Security researchers from Mandiant came across a new Unix rootkit called CakeTap that was used to steal ATM banking data. This rootkit was leveraged by UNC2891.
Source: https://www.mandiant.com/resources/unc2891-overview
2022-03-21
Conti Gang working with IAB
MEDIUM
+
Intel Source:
Google
Intel Name:
Conti Gang working with IAB
Date of Scan:
2022-03-21
Impact:
MEDIUM
Summary:
The Google TAG team has uncovered the operations of a threat actor dubbed 'EXOTIC LILY', an initial access broker linked to the Conti and Diavol ransomware operations. EXOTIC LILY was first spotted exploiting a zero-day vulnerability in Microsoft MSHTML (CVE-2021-40444). After further investigation it was determined that EXOTIC LILY is an initial access broker that uses large-scale phishing campaigns to breach targeted corporate networks.
Source: https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/
2022-03-21
BlackCat and BlackMatter ransomware connection
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
BlackCat and BlackMatter ransomware connection
Date of Scan:
2022-03-21
Impact:
MEDIUM
Summary:
Cisco Talos researchers analysed the relation between BlackCat ransomware and BlackMatter ransomware. The researchers concluded with moderate confidence that the same affiliate is behind both ransomware operations, as the same C2 infrastructure was used for certain attacks.
Source: https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html
2022-03-21
GhostWriter New Espionage Campaign Update
MEDIUM
+
Intel Source:
QI-ANXIN Threat Intelligence Center
Intel Name:
GhostWriter New Espionage Campaign Update
Date of Scan:
2022-03-21
Impact:
MEDIUM
Summary:
CERT-UA found and analysed a malicious zip file which contains a Microsoft Compiled HTML Help file named dovidka.chm. The malicious file was designed to spread malware for espionage purposes against targets located in Ukraine; it displays the logos of the Ukrainian President’s office and secret services, with content relating to advice on dealing with the bombing.
Source: https://ti.qianxin.com/blog/articles/Analysis-of-attack-activities-of-suspected-aptorganization-unc1151-against-ukraine-and-other-countries/
2022-03-21
LokiLocker RaaS Targets Windows Systems
MEDIUM
+
Intel Source:
Blackberry
Intel Name:
LokiLocker RaaS Targets Windows Systems
Date of Scan:
2022-03-21
Impact:
MEDIUM
Summary:
A new ransomware-as-a-service, dubbed LokiLocker, has been identified by BlackBerry researchers. It targets English-speaking victims and Windows. The threat was first seen in the wild in mid-August 2021. LokiLocker encrypts victims’ files on local drives and network shares with a standard combination of AES for file encryption and RSA for key protection.
Source: https://blogs.blackberry.com/en/2022/03/lokilocker-ransomware
2022-03-21
Cyclops Blink malware targets Asus Router
HIGH
+
Intel Source:
Trend Micro
Intel Name:
Cyclops Blink malware targets Asus Router
Date of Scan:
2022-03-21
Impact:
HIGH
Summary:
Researchers from Trend Micro have analyzed the technical capabilities of the Cyclops Blink malware variant that has been targeting ASUS routers, and provide an extensive list of more than 150 current and historical command and control (C2) servers of the Cyclops Blink botnet.
Source: https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html
2022-03-18
Qakbot infection with Cobalt Strike and VNC
MEDIUM
+
Intel Source:
ISC.SANS
Intel Name:
Qakbot infection with Cobalt Strike and VNC
Date of Scan:
2022-03-18
Impact:
MEDIUM
Summary:
Researchers at SANS have dissected
Source: https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/
2022-03-17
Gh0stCringe RAT targets MS-SQL and MySQL servers
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Gh0stCringe RAT targets MS-SQL and MySQL servers
Date of Scan:
2022-03-17
Impact:
MEDIUM
Summary:
The ASEC team has analysed and monitored malware being distributed to vulnerable MySQL and MS-SQL servers. The ASEC team named the malware Gh0stCringe, also known as CirenegRAT.
Source: https://asec.ahnlab.com/en/32572/
2022-03-17
WIZARD SPIDER massive phishing campaign
MEDIUM
+
Intel Source:
Prevailion
Intel Name:
WIZARD SPIDER massive phishing campaign
Date of Scan:
2022-03-17
Impact:
MEDIUM
Summary:
Researchers at Prevailion identified earlier this year a massive phishing campaign focused on collecting credentials of Naver users. Naver is a popular South Korean online platform comparable to Google that offers a variety of services (e.g. email, news and search, among many others). The researchers found overlaps with infrastructure historically linked to WIZARD SPIDER, a Russia-based threat actor focused on initial access and ransomware operations.
Source: https://www.prevailion.com/what-wicked-webs-we-unweave/
2022-03-16
Russian Threat Actors exploits PrintNightMare Vulnerability
HIGH
+
Intel Source:
CISA
Intel Name:
Russian Threat Actors exploits PrintNightMare Vulnerability
Date of Scan:
2022-03-16
Impact:
HIGH
Summary:
In a joint advisory, the FBI and CISA warn organizations that Russian state-sponsored threat actors have gained network access through exploitation of default MFA protocols and a known vulnerability. The advisory also provides TTPs, IOCs and recommendations to protect against Russian state-sponsored malicious cyber activity.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-074a
2022-03-16
CaddyWiper TTP_Seeder_Queries_15/03/222
HIGH
+
Intel Source:
STR
Intel Name:
CaddyWiper TTP_Seeder_Queries_15/03/222
Date of Scan:
2022-03-16
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-03-16
Pandora Ransomware
MEDIUM
+
Intel Source:
Cyble
Intel Name:
Pandora Ransomware
Date of Scan:
2022-03-16
Impact:
MEDIUM
Summary:
Cyble Research Labs has analysed a sample of Pandora ransomware. After analysing the sample, Cyble believes that Pandora ransomware is a rebrand of ROOK ransomware, as they observed similar behaviour in the past. The Pandora ransomware gang is suspected of leveraging the double extortion method.
Source: https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/
2022-03-16
CaddyWiper Malware
HIGH
+
Intel Source:
ESET
Intel Name:
CaddyWiper Malware
Date of Scan:
2022-03-16
Impact:
HIGH
Summary:
ESET researchers have identified a third wiper malware impacting Ukraine, dubbed CaddyWiper. This wiper is relatively small, with a compiled size of just 9KB, compared to the previous wiper attacks. This is a developing threat; currently only one hash is available.
Source: https://twitter.com/ESETresearch/status/1503436420886712321 https://securityintelligence.com/posts/caddywiper-malware-targeting-ukrainian-organizations/ https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html
2022-03-16
EnemyBot - Linux based Botnet
HIGH
+
Intel Source:
Securonix
Intel Name:
EnemyBot - Linux based Botnet
Date of Scan:
2022-03-16
Impact:
HIGH
Summary:
Securonix Threat Labs has identified a Linux-based botnet dubbed EnemyBot. STL correlates EnemyBot to the LolFMe botnet, which contains similar strings such as “watudoinglookingatdis”. The EnemyBot malware also has the ability to steal data via HTTP POST; in their analysis STL identified the malware sending the data back to the original IP address.
Source: https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/
2022-03-16
B1txor20 Botnet exploits Log4j vulnerability
MEDIUM
+
Intel Source:
netlab360
Intel Name:
B1txor20 Botnet exploits Log4j vulnerability
Date of Scan:
2022-03-16
Impact:
MEDIUM
Summary:
Researchers at Qihoo 360's Netlab captured an ELF file on their honeypot system which was first observed propagating through the Log4j vulnerability on February 9, 2022. After closely analysing the file, they named it B1txor20 based on its propagation using the file name 'b1t', the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes.
Source: https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/
2022-03-15
Decoding Dannabot malware
LOW
+
Intel Source:
Security Soup
Intel Name:
Decoding Dannabot malware
Date of Scan:
2022-03-15
Impact:
LOW
Summary:
A researcher at Security Soup wrote about a VBS-based DanaBot downloader which has added an obfuscation scheme and a few other TTPs to its arsenal.
Source: https://security-soup.net/decoding-a-danabot-downloader/
2022-03-15
NIGHT SPIDER Zloader Campaign
LOW
+
Intel Source:
CrowdStrike
Intel Name:
NIGHT SPIDER Zloader Campaign
Date of Scan:
2022-03-15
Impact:
LOW
Summary:
Researchers from CrowdStrike tracked an ongoing widespread intrusion campaign leveraging bundled .msi installers to trick victims into downloading malicious payloads alongside legitimate software. This was used to execute NIGHT SPIDER’s Zloader trojan.
Source: https://www.crowdstrike.com/blog/falcon-overwatch-uncovers-ongoing-night-spider-zloader-campaign/
2022-03-15
North KoreanTTP/Babyshark Campaign_Seeder_Queries_15/03/22
HIGH
+
Intel Source:
STR
Intel Name:
North KoreanTTP/Babyshark Campaign_Seeder_Queries_15/03/22
Date of Scan:
2022-03-15
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-03-15
GrimPlant and GraphSteel used to attack Ukraine
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
GrimPlant and GraphSteel used to attack Ukraine
Date of Scan:
2022-03-15
Impact:
MEDIUM
Summary:
CERT-UA identified cyberattacks being launched by the UAC-0056 threat group targeting state authorities of Ukraine using phishing emails with instructions on improving information security that would deliver an executable leading to a Cobalt Strike beacon.
Source: https://cert.gov.ua/article/37704 https://socprime.com/blog/cobalt-strike-beacon-grimplant-and-graphsteel-malware-massively-spread-by-uac-0056-threat-actors-in-targeted-phishing-emails-cert-ua-alert/
2022-03-15
Dirty Pipe vulnerability in Linux kernel
HIGH
+
Intel Source:
SecureList
Intel Name:
Dirty Pipe vulnerability in Linux kernel
Date of Scan:
2022-03-15
Impact:
HIGH
Summary:
Security researcher Max Kellermann discovered a high-severity vulnerability in the Linux kernel which can be used for local privilege escalation. It affects Linux kernels from 5.8 through any version before 5.16.11, 5.15.25 and 5.10.102.
Source: https://securelist.com/cve-2022-0847-aka-dirty-pipe-vulnerability-in-linux-kernel/106088/
2022-03-14
Sockbot in GoLand
MEDIUM
+
Intel Source:
Security Joes
Intel Name:
Sockbot in GoLand
Date of Scan:
2022-03-14
Impact:
MEDIUM
Summary:
Security Joes incident response team responded to malicious activity in one of their clients' network infrastructure. During the investigation it was discovered that the threat actors used two customized GoLang-compiled Windows executables “lsassDumper” and “Sockbot” to perform the attack.
Source: https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf
2022-03-14
Kwampirs Malware Linked to Shamoon APT
MEDIUM
+
Intel Source:
Cylera
Intel Name:
Kwampirs Malware Linked to Shamoon APT
Date of Scan:
2022-03-14
Impact:
MEDIUM
Summary:
Cylera Labs assesses with medium to high confidence that Shamoon and Kwampirs are the same group or close collaborators, sharing updates, techniques and code over the course of multiple years. The evolution of Kwampirs and its connections with Shamoon 1 and 2 are also well documented in the recent report by Cylera.
Source: https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf
2022-03-14
Brazilian trojan targets Portuguese users
LOW
+
Intel Source:
seguranca-informatica
Intel Name:
Brazilian trojan targets Portuguese users
Date of Scan:
2022-03-14
Impact:
LOW
Summary:
A new variant of a Brazilian trojan has targeted users from Portugal, and there seems to be no difference in terms of sophistication in contrast to other well-known trojans such as Maxtrilha, URSA and Javali. The trojan has been disseminated via phishing templates impersonating tax services in Portugal.
Source: https://seguranca-informatica.pt/brazilian-trojan-impacting-portuguese-users-and-using-the-same-capabilities-seen-in-other-latin-american-threats/#.Yi8lzRBBxHb
2022-03-14
TunnelVision exploits VMWare Horizon Servers
MEDIUM
+
Intel Source:
esentire
Intel Name:
TunnelVision exploits VMWare Horizon Servers
Date of Scan:
2022-03-14
Impact:
MEDIUM
Summary:
Researchers from eSentire found suspicious account creation and credential harvesting attempts on a customer’s endpoint, which were tracked to a VMware Horizon server. The attack was linked with high confidence to TunnelVision, an Iranian-aligned threat actor.
Source: https://www.esentire.com/blog/exploitation-of-vmware-horizon-servers-by-tunnelvision-threat-actor
2022-03-14
Remcos RAT distribution campaign take advantage of Ukraine Invasion
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
Remcos RAT distribution campaign take advantage of Ukraine Invasion
Date of Scan:
2022-03-14
Impact:
MEDIUM
Summary:
Cisco Talos researchers have observed threat actors using email lures themed around the Russia-Ukraine conflict, fundraising and humanitarian support. These emails are related to scam activity and deliver Remcos RAT.
Source: https://blog.talosintelligence.com/2022/03/ukraine-invasion-scams-malware.html
2022-03-14
CryptBot Infostealer disguised as Cracked Software
LOW
+
Intel Source:
Blackberry
Intel Name:
CryptBot Infostealer disguised as Cracked Software
Date of Scan:
2022-03-14
Impact:
LOW
Summary:
Researchers from BlackBerry came across a new and improved version of the malicious infostealer CryptBot, which has been released via compromised pirated-software sites that appear to offer “cracked” versions of popular software and video games.
Source: https://blogs.blackberry.com/en/2022/03/threat-thursday-cryptbot-infostealer
2022-03-14
Infostealer Distributed via YouTube
LOW
+
Intel Source:
ASEC
Intel Name:
Infostealer Distributed via YouTube
Date of Scan:
2022-03-14
Impact:
LOW
Summary:
ASEC researchers have discovered an infostealer being distributed via YouTube. The threat actor disguised the malware as a game hack and uploaded a video to YouTube with a download link for the malware.
Source: https://asec.ahnlab.com/en/32499/
2022-03-14
Formbook/XLoader targets Ukraine Government Officials
MEDIUM
+
Intel Source:
Netskope
Intel Name:
Formbook/XLoader targets Ukraine Government Officials
Date of Scan:
2022-03-14
Impact:
MEDIUM
Summary:
Netskope Threat Labs has analysed a phishing email targeting high-ranking government officials in Ukraine. The email seems to be part of a new spam campaign which contains an infected spreadsheet. The email also contains a .NET executable responsible for loading Formbook malware in a multi-stage chain.
Source: https://www.netskope.com/blog/new-formbook-campaign-delivered-through-phishing-emails https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/Formbook/IOCs
2022-03-14
Disguised malware exploit Ukrainian sympathizers- Liberator tool analysis
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
Disguised malware exploit Ukrainian sympathizers- Liberator tool analysis
Date of Scan:
2022-03-14
Impact:
MEDIUM
Summary:
Researchers analysed the malware/tool called 'Liberator' by the disBalancer group. Furthermore, the post has been updated with two new IoCs.
Source: https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.htmll
2022-03-14
Russian Threat Actors using Google Ad Delivery Network
MEDIUM
+
Intel Source:
NovaSOC
Intel Name:
Russian Threat Actors using Google Ad Delivery Network
Date of Scan:
2022-03-14
Impact:
MEDIUM
Summary:
Researchers from NovaSOC caught Russian actors utilizing the Google ad delivery network to establish browser connections. Russian IP addresses have been using the Google ad delivery network as a mechanism to initiate client network connections.
Source: https://innovatecybersecurity.com/security-threat-advisory/novasoc-catches-russian-actors-utilizing-google-ad-delivery-network-to-establish-browser-connections/
2022-03-11
Online Contact forms delivering BazarLoader
MEDIUM
Intel Source:
Abnormal
Intel Name:
Online Contact forms delivering BazarLoader
Date of Scan:
2022-03-11
Impact:
MEDIUM
Summary:
Cybercriminals are always looking for new ways to target users. Researchers at Abnormal Security have identified attacks targeting users through an online contact form. They also observed that these attacks lead to the delivery of BazarLoader malware.
Source: https://abnormalsecurity.com/blog/bazarloader-contact-form
2022-03-11
Email interjection by Qakbot
MEDIUM
Intel Source:
Sophos
Intel Name:
Email interjection by Qakbot
Date of Scan:
2022-03-11
Impact:
MEDIUM
Summary:
SophosLabs has discovered a new Qakbot botnet technique in which the botnet spreads itself by inserting malicious replies into the middle of existing email conversations. These interjections take the form of a reply-all message that includes a short sentence and a link to download a zip file containing a malicious Office document.
Source: https://news.sophos.com/en-us/2022/03/10/qakbot-injects-itself-into-the-middle-of-your-conversations/
2022-03-11
FormBook malware targets Ukrainians
MEDIUM
Intel Source:
Malwarebytes
Intel Name:
FormBook malware targets Ukrainians
Date of Scan:
2022-03-11
Impact:
MEDIUM
Summary:
Malwarebytes researchers recently discovered a malicious spam campaign dropping the Formbook stealer that specifically targets Ukrainians. The email lures being sent are written in Ukrainian.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/03/formbook-spam-campaign-targets-citizens-of-ukraine%ef%b8%8f/
2022-03-11
LazyScripter APT H-Worm campaign
MEDIUM
Intel Source:
Lab52
Intel Name:
LazyScripter APT H-Worm campaign
Date of Scan:
2022-03-11
Impact:
MEDIUM
Summary:
Researchers at Lab52 have tracked the activity of the LazyScripter APT and discovered new malware and new infrastructure elements in the LazyScripter arsenal. On further analysis of the LazyScripter malware, they found the use of a popular open-source online script obfuscation tool that injects its own downloader for njRAT.
Source: https://lab52.io/blog/very-very-lazy-lazyscripters-scripts-double-compromise-in-a-single-obfuscation/
2022-03-11
MuddyWater subgroup leveraging maldocs and RATs
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
MuddyWater subgroup leveraging maldocs and RATs
Date of Scan:
2022-03-11
Impact:
MEDIUM
Summary:
Cisco Talos believes with high confidence that there are sub-groups operating under the MuddyWater umbrella targeting Turkey and Arabian Peninsula countries with maldocs and Windows Script File based RATs. These sub-groups are highly motivated to conduct espionage and intellectual property theft and to implant malware and ransomware in targeted networks.
Source: https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html
2022-03-11
Disguised malware exploit Ukrainian sympathizers
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
Disguised malware exploit Ukrainian sympathizers
Date of Scan:
2022-03-11
Impact:
MEDIUM
Summary:
Threat actors are attempting to exploit Ukrainian sympathizers by offering malware disguised as cyber tools for targeting Russian entities. Cisco Talos analysed one such instance in which a threat actor offered a DDoS tool on Telegram to target Russian websites. They downloaded the file and found it to be infostealer malware.
Source: https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html
2022-03-10
Raccoon Stealer leverages Telegram
LOW
Intel Source:
Avast
Intel Name:
Raccoon Stealer leverages Telegram
Date of Scan:
2022-03-10
Impact:
LOW
Summary:
Researchers from Avast recently noted that Raccoon Stealer, a password-stealing malware, is using Telegram infrastructure to store and update its actual C&C addresses. Raccoon Stealer is being distributed via the downloaders Buer Loader and GCleaner.
Source: https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram/
2022-03-10
Prometheus Ransomware Decrypted
LOW
Intel Source:
Avast
Intel Name:
Prometheus Ransomware Decrypted
Date of Scan:
2022-03-10
Impact:
LOW
Summary:
Avast researchers have recently released a decryptor for the Prometheus ransomware. Prometheus is a ransomware strain written in C# that inherited a lot of code from an older strain called Thanos.
Source: https://decoded.avast.io/threatresearch/decrypted-prometheus-ransomware/
2022-03-10
Conti Ransomware Indicator of Compromise
HIGH
Intel Source:
FBI FLASH
Intel Name:
Conti Ransomware Indicator of Compromise
Date of Scan:
2022-03-10
Impact:
HIGH
Summary:
A joint advisory has been released by the FBI, NSA and CISA detailing updated indicators of compromise for Conti ransomware and its TTPs. The ransomware has been very active and its attack chains have included TrickBot and Cobalt Strike.
Source: https://www.cisa.gov/uscert/sites/default/files/publications/AA21-265A-Conti_Ransomware_TLP_WHITE.pdf
2022-03-10
Emotet Resurgence
HIGH
Intel Source:
Lumen
Intel Name:
Emotet Resurgence
Date of Scan:
2022-03-10
Impact:
HIGH
Summary:
The infamous 'Emotet' malware, which returned in November 2021 after a 10-month gap, is once again showing signs of steady growth. Researchers at Lumen Black Lotus Labs have determined a strong resurgence of Emotet, with 130,000 unique bots spread across 179 countries since its return.
Source: https://blog.lumen.com/emotet-redux/
2022-03-09
UNC1151_TTP_Seeder_Queries_070322
HIGH
Intel Source:
STR
Intel Name:
UNC1151_TTP_Seeder_Queries_070322
Date of Scan:
2022-03-09
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-03-09
Agent Tesla RAT campaign
HIGH
Intel Source:
Fortinet
Intel Name:
Agent Tesla RAT campaign
Date of Scan:
2022-03-09
Impact:
HIGH
Summary:
FortiGuard Labs analysed a phishing email impersonating a Ukraine-based materials and chemical manufacturing company sharing a purchase order. The phishing email carries a PPT attachment that starts a multi-stage effort to deploy the Agent Tesla RAT.
Source: https://www.fortinet.com/blog/threat-research/fake-purchase-order-used-to-deliver-agent-tesla
2022-03-09
GhostWriter New Espionage Campaign
MEDIUM
Intel Source:
CERT-UA
Intel Name:
GhostWriter New Espionage Campaign
Date of Scan:
2022-03-09
Impact:
MEDIUM
Summary:
CERT-UA found and analysed a malicious zip file containing a Microsoft Compiled HTML Help file named dovidka.chm. The malicious file, designed to spread malware for espionage purposes against targets located in Ukraine, displays the logos of the Ukrainian President's office and secret services alongside content offering advice on dealing with the bombing.
Source: https://cert.gov.ua/article/37626 https://cluster25.io/2022/03/08/ghostwriter-unc1151-adopts-microbackdoor-variants-in-cyber-operations-against-targets-in-ukraine/
2022-03-09
APT41_TTP_Seeder_Queries_070322
HIGH
Intel Source:
STR
Intel Name:
APT41_TTP_Seeder_Queries_070322
Date of Scan:
2022-03-09
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-03-09
RURansom Wiper Targets Russia
LOW
Intel Source:
Trend Micro
Intel Name:
RURansom Wiper Targets Russia
Date of Scan:
2022-03-09
Impact:
LOW
Summary:
Trend Micro researchers recently analyzed a sample released by MalwareHunterTeam which, according to them, is a wiper disguised as ransomware and was targeting Russia. The malware is written in .NET and spreads as a worm.
Source: https://www.trendmicro.com/en_us/research/22/c/new-ruransom-wiper-targets-russia.html
2022-03-09
APT41 targeting US Government
HIGH
Intel Source:
Mandiant
Intel Name:
APT41 targeting US Government
Date of Scan:
2022-03-09
Impact:
HIGH
Summary:
Researchers at Mandiant state that they became aware of a campaign in May 2021 when they were called in to investigate an attack on a US government network. Analysis revealed that the attack had likely been carried out by the Chinese nation-state group APT41. Researchers have confirmed that the hackers compromised the networks of at least six U.S. state government organizations between May 2021 and February 2022.
Source: https://www.mandiant.com/resources/apt41-us-state-governments
2022-03-09
Nokoyawa Ransomware linked to Hive
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Nokoyawa Ransomware linked to Hive
Date of Scan:
2022-03-09
Impact:
MEDIUM
Summary:
Trend Micro researchers came across a new ransomware with similarities to Hive ransomware, from the attack chain and the tools used to the order in which the various steps are executed. Most targets of the ransomware are located in South America.
Source: https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html
2022-03-08
RagnarLocker Ransomware IoCs
MEDIUM
Intel Source:
FBI FLASH
Intel Name:
RagnarLocker Ransomware IoCs
Date of Scan:
2022-03-08
Impact:
MEDIUM
Summary:
The Federal Bureau of Investigation (FBI) published a new FLASH report that provides additional IOCs associated with RagnarLocker ransomware. The FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware.
Source: https://www.ic3.gov/Media/News/2022/220307.pdf
2022-03-08
Emotet recent campaign using MS Excel
HIGH
Intel Source:
Fortinet
Intel Name:
Emotet recent campaign using MS Excel
Date of Scan:
2022-03-08
Impact:
HIGH
Summary:
Fortinet researchers have conducted in-depth research on 500 Excel files involved in delivering the Emotet Trojan. Researchers analysed the Excel file leveraged to spread Emotet, the anti-analysis techniques used, persistence on the victim's device, communication with C2 servers, and how modules are delivered, loaded and executed on the target system.
Source: https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one
2022-03-08
Webhards distributing njRAT
LOW
Intel Source:
ASEC
Intel Name:
Webhards distributing njRAT
Date of Scan:
2022-03-08
Impact:
LOW
Summary:
ASEC researchers have identified njRAT malware being distributed through webhard. Webhard is a platform used to distribute malware and is mainly used by attackers to target Korean users. The malware was disguised as an adult game uploaded to webhard.
Source: https://asec.ahnlab.com/en/32450/
2022-03-08
Threat Landscape around Ukraine
MEDIUM
Intel Source:
Google
Intel Name:
Threat Landscape around Ukraine
Date of Scan:
2022-03-08
Impact:
MEDIUM
Summary:
The Google Threat Analysis Group (TAG) has observed phishing campaigns and espionage activity from a range of threat actors, including FancyBear (APT28) and Ghostwriter, targeting Ukraine. Activity from Mustang Panda was also noted.
Source: https://blog.google/threat-analysis-group/update-threat-landscape-ukraine/
2022-03-08
PROPHET SPIDER Exploits Citrix ShareFile
MEDIUM
Intel Source:
CrowdStrike
Intel Name:
PROPHET SPIDER Exploits Citrix ShareFile
Date of Scan:
2022-03-08
Impact:
MEDIUM
Summary:
The CrowdStrike Intelligence team has investigated an incident in which PROPHET SPIDER targeted Microsoft IIS by exploiting CVE-2021-22941. PROPHET SPIDER, first spotted in May 2017, initially gains access to targeted networks by compromising vulnerable web servers.
Source: https://www.crowdstrike.com/blog/prophet-spider-exploits-citrix-sharefile/
2022-03-08
TA416 targets European Government
HIGH
Intel Source:
Proofpoint
Intel Name:
TA416 targets European Government
Date of Scan:
2022-03-08
Impact:
HIGH
Summary:
Researchers at Proofpoint have discovered the threat group TA416 targeting European diplomatic entities, including individuals involved in refugee and migrant services. The TA416 group is assessed to be aligned with the Chinese nation state and exploits web vulnerabilities to profile its targets. Researchers identified that the campaign has escalated since tensions rose between Russia, Ukraine and NATO members in Europe.
Source: https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european
2022-03-07
FormBook targets Oil & Gas companies
MEDIUM
Intel Source:
Malwarebytes
Intel Name:
FormBook targets Oil & Gas companies
Date of Scan:
2022-03-07
Impact:
MEDIUM
Summary:
During our random intel gathering, we identified a tweet from Malwarebytes Threat Intelligence stating that FormBook continues to target oil and gas companies. The tweet also includes potential IoCs. A few hours later Malwarebytes published a blog post with the findings. The campaign was delivered by a targeted email that contained two attachments, a PDF file and an Excel document.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/03/beware-of-malware-offering-warm-greetings-from-saudi-aramco/ https://twitter.com/MBThreatIntel/status/1499435858537107459
2022-03-07
Global credential harvesting campaign
MEDIUM
Intel Source:
Curated Intel
Intel Name:
Global credential harvesting campaign
Date of Scan:
2022-03-07
Impact:
MEDIUM
Summary:
Researchers from Curated Intelligence recently tracked a new global credential harvesting campaign targeting Microsoft accounts through a range of phishing emails masquerading as ‘shared document’ notifications which deliver an embedded URL that leads to a fake Adobe Document Cloud application login page.
Source: https://www.curatedintel.org/2022/03/curated-intel-threat-report-adobe.html
2022-03-07
AvosLocker group new variant targets Linux systems
MEDIUM
Intel Source:
Qualys
Intel Name:
AvosLocker group new variant targets Linux systems
Date of Scan:
2022-03-07
Impact:
MEDIUM
Summary:
The AvosLocker ransomware group first appeared in June 2021 targeting Windows machines. Recently, researchers at Qualys identified that the AvosLocker group is also targeting Linux environments. The group advertises its latest ransomware variants on its dark web leak site and mentioned that it has added support for encrypting Linux systems, specifically targeting VMware ESXi virtual machines.
Source: https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/
2022-03-07
Cyber campaign against Indian Government
LOW
Intel Source:
Telsy
Intel Name:
Cyber campaign against Indian Government
Date of Scan:
2022-03-07
Impact:
LOW
Summary:
Researchers from Telsy identified a spear-phishing campaign targeting the Indian government. The threat actors are using legitimate portals as C2 with encrypted HTTPS communication; legitimate sites were used as Cobalt Strike C&C.
Source: https://www.telsy.com/legitimate-sites-used-as-cobalt-strike-c2s-against-indian-government/
2022-03-04
Multi malware campaign on Ukraine
HIGH
Intel Source:
Trend Micro
Intel Name:
Multi malware campaign on Ukraine
Date of Scan:
2022-03-04
Impact:
HIGH
Summary:
Trend Micro Research has verified and validated a number of alleged cyber attacks carried out by multiple groups in support of both Russia and Ukraine. Researchers analysed internal data and external reports to provide this information.
Source: https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html
2022-03-03
Domains Linked to Phishing Attacks Targeting Ukraine
MEDIUM
Intel Source:
SecureWorks
Intel Name:
Domains Linked to Phishing Attacks Targeting Ukraine
Date of Scan:
2022-03-03
Impact:
MEDIUM
Summary:
Researchers at the Secureworks CTU have investigated a warning published by CERT-UA on 25 Feb 2022 regarding phishing attacks targeting Ukrainian military personnel and government. The researchers attributed this campaign to the MOONSCAPE threat group, whereas CERT-UA attributed it to the UNC1151 APT group linked to the Belarusian government.
Source: https://www.secureworks.com/blog/domains-linked-to-phishing-attacks-targeting-ukraine
2022-03-03
DanaBot attacks Ukrainian MOD
MEDIUM
Intel Source:
Zscaler
Intel Name:
DanaBot attacks Ukrainian MOD
Date of Scan:
2022-03-03
Impact:
MEDIUM
Summary:
On 2 Mar 2022, in the midst of the Russia-Ukraine conflict, Zscaler identified a threat actor launching an HTTP-based DDoS attack against the Ukrainian Ministry of Defense's webmail server. The threat actor is using DanaBot to launch the DDoS attack and to deliver the second-stage malware payload via its download-and-execute command.
Source: https://www.zscaler.com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense
2022-03-03
Russia-Ukraine Conflict Leverages Phishing Themes
MEDIUM
Intel Source:
Cofense
Intel Name:
Russia-Ukraine Conflict Leverages Phishing Themes
Date of Scan:
2022-03-03
Impact:
MEDIUM
Summary:
With the Russia-Ukraine conflict on the ground and on the cyber front going hand in hand, the Cofense Phishing Defense Center is monitoring phishing emails related to the conflict and has identified malicious campaigns that use the conflict as a lure to target users and enterprises. However, Cofense does not have any evidence to attribute the phishing campaigns to the countries directly involved in the war.
Source: https://cofense.com/blog/russia-ukraine-conflict-leverages-phishing-themes
2022-03-02
DDoS botnets cryptominers exploits Log4shell
MEDIUM
Intel Source:
Barracuda
Intel Name:
DDoS botnets cryptominers exploits Log4shell
Date of Scan:
2022-03-02
Impact:
MEDIUM
Summary:
Barracuda researchers have analyzed botnets and cryptomining bots exploiting Log4Shell vulnerabilities, and the activity has been constant over the past two months. They noticed that the majority of attacks came from IP addresses in the U.S., with half of those IP addresses associated with AWS, Azure and other data centers.
Source: https://blog.barracuda.com/2022/03/02/threat-spotlight-attacks-on-log4shell-vulnerabilities/
2022-03-02
Vollgar CoinMiner targets MSSQL
MEDIUM
Intel Source:
ASEC
Intel Name:
Vollgar CoinMiner targets MSSQL
Date of Scan:
2022-03-02
Impact:
MEDIUM
Summary:
Researchers from ASEC are monitoring a specific form of CoinMiner that has been consistently distributed to vulnerable MS-SQL servers. ASEC infrastructure has detected Vollgar CoinMiner samples in its logs. Vollgar is a typical CoinMiner that is installed via brute-force attacks against MS-SQL servers with weak account credentials.
Source: https://asec.ahnlab.com/en/32143/
2022-03-02
TrickBot upgrades AnchorDNS Backdoor
MEDIUM
Intel Source:
Security Intelligence
Intel Name:
TrickBot upgrades AnchorDNS Backdoor
Date of Scan:
2022-03-02
Impact:
MEDIUM
Summary:
Researchers from IBM discovered an updated version of the Trickbot group's AnchorDNS backdoor being used in recent attacks that ended with the deployment of Conti ransomware. AnchorDNS is notable for communicating with its command and control (C2) server using the DNS protocol.
Source: https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/
2022-03-02
SoulSearcher Malware
MEDIUM
Intel Source:
Fortinet
Intel Name:
SoulSearcher Malware
Date of Scan:
2022-03-02
Impact:
MEDIUM
Summary:
Researchers from Fortinet have analyzed the evolution of the SoulSearcher malware, which has been targeting Windows, collecting sensitive information and executing additional malicious modules.
Source: https://www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware
2022-03-02
Emotet Malware Updated TTPs
MEDIUM
Intel Source:
Cyble
Intel Name:
Emotet Malware Updated TTPs
Date of Scan:
2022-03-02
Impact:
MEDIUM
Summary:
Cyble researchers came across Emotet phishing campaigns similar to older ones, using spam emails with malicious MS Excel files as the initial attack vector to infect targets. It was also observed that Emotet is rebuilding its botnet with the help of the TrickBot malware.
Source: https://blog.cyble.com/2022/02/26/emotet-malware-back-in-action/
2022-03-02
Magniber Ransomware being Redistributed
MEDIUM
Intel Source:
ASEC
Intel Name:
Magniber Ransomware being Redistributed
Date of Scan:
2022-03-02
Impact:
MEDIUM
Summary:
ASEC researchers have identified a redistribution campaign of the Magniber ransomware disguised as Windows update files. The distributed Magniber files carry the normal Windows Installer (MSI) extension. Magniber ransomware is currently distributed using typosquatting techniques targeting Chrome and Edge users on the latest Windows version.
Source: https://asec.ahnlab.com/en/32226/
2022-03-02
Conti Leaks_Seeder_Queries_010322
HIGH
Intel Source:
STR
Intel Name:
Conti Leaks_Seeder_Queries_010322
Date of Scan:
2022-03-02
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-03-02
RU Threat Actors TTPs_Phishing Campaign_Seeder_Queries_010322
HIGH
Intel Source:
STR
Intel Name:
RU Threat Actors TTPs_Phishing Campaign_Seeder_Queries_010322
Date of Scan:
2022-03-02
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-03-02
TA445 Targets European Governments
HIGH
Intel Source:
Proofpoint
Intel Name:
TA445 Targets European Governments
Date of Scan:
2022-03-02
Impact:
HIGH
Summary:
The Proofpoint Threat Research team has identified a likely nation-state sponsored phishing campaign using a possibly compromised Ukrainian armed service member’s email account to target European government personnel with a Lua-based malware dubbed SunSeed.
Source: https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails
2022-03-02
Conti and Karma attacked Healthcare
MEDIUM
Intel Source:
Sophos
Intel Name:
Conti and Karma attacked Healthcare
Date of Scan:
2022-03-02
Impact:
MEDIUM
Summary:
SophosLabs researchers identified that two ransomware groups, Conti and Karma, exploited the ProxyShell vulnerability to gain access to the network of a healthcare provider in Canada, using very different tactics. The Karma group exfiltrated data but did not encrypt the targeted systems, while Conti entered the network later and encrypted them.
Source: https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/
2022-03-02
Daxin Backdoor espionage campaign
MEDIUM
Intel Source:
Symantec
Intel Name:
Daxin Backdoor espionage campaign
Date of Scan:
2022-03-02
Impact:
MEDIUM
Summary:
Researchers from Symantec found a new, highly sophisticated piece of malware being used by a Chinese threat actor; the backdoor is dubbed Daxin. Most of the targets have been government organizations of interest to China. The malware has also been called the most advanced ever used by China-linked threat actors.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage
2022-03-02
BlackCat Ransomware- Technical Analysis
MEDIUM
Intel Source:
AT&T
Intel Name:
BlackCat Ransomware- Technical Analysis
Date of Scan:
2022-03-02
Impact:
MEDIUM
Summary:
AT&T researchers recently analyzed BlackCat ransomware samples, which were quite active in Jan 2022. The key takeaways from their analysis were that the ransomware is coded in Rust and targets multiple platforms, Windows and Linux.
Source: https://cybersecurity.att.com/blogs/labs-research/blackcat-ransomware
2022-03-02
BABYSHARK Malware
MEDIUM
Intel Source:
Huntress
Intel Name:
BABYSHARK Malware
Date of Scan:
2022-03-02
Impact:
MEDIUM
Summary:
Researchers at Huntress have identified APT group activity attributed to North Korean threat actors targeting national security institutes. The North Korean APT is using a malware family called BABYSHARK; this variant of the malware is customized to the specific victim environment.
Source: https://www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood
2022-03-01
Electron Bot - SEO poisoning malware
MEDIUM
Intel Source:
Checkpoint
Intel Name:
Electron Bot - SEO poisoning malware
Date of Scan:
2022-03-01
Impact:
MEDIUM
Summary:
Researchers at Check Point Research have identified a new malware dubbed Electron Bot, which has infected over 5,000 active machines worldwide and is being distributed through Microsoft's official store. Electron Bot is a modular SEO poisoning malware used for social media promotion and click fraud. Once the malware persists inside the targeted system, it executes attacker commands such as controlling social media accounts on Facebook, Google and SoundCloud.
Source: https://research.checkpoint.com/2022/new-malware-capable-of-controlling-social-media-accounts-infects-5000-machines-and-is-actively-being-distributed-via-gaming-applications-on-microsofts-official-store/
2022-03-01
ColdStealer Infostealer
MEDIUM
Intel Source:
ASEC
Intel Name:
ColdStealer Infostealer
Date of Scan:
2022-03-01
Impact:
MEDIUM
Summary:
Researchers from ASEC have analysed a new type of infostealer dubbed ColdStealer, which disguises itself as a software download for cracks and tools. ColdStealer is distributed in two ways: as a single malware, in the manner of CryptBot or RedLine, or through dropper-type malware.
Source: https://asec.ahnlab.com/en/32090/
2022-03-01
UNC3313 targets MiddleEast government
MEDIUM
Intel Source:
Mandiant
Intel Name:
UNC3313 targets MiddleEast government
Date of Scan:
2022-03-01
Impact:
MEDIUM
Summary:
Mandiant researchers recently responded to intrusion activity by UNC3313, which was targeting a Middle East government; new targeted malware, Gramdoor and Starwhale, was also used. The whole process started with a targeted spear-phishing email.
Source: https://www.mandiant.com/resources/telegram-malware-iranian-espionage
2022-03-01
QakBot Campaign with old Tactics
MEDIUM
Intel Source:
Cofense
Intel Name:
QakBot Campaign with old Tactics
Date of Scan:
2022-03-01
Impact:
MEDIUM
Summary:
The Cofense Phishing Defense Center has analysed emails delivering Qakbot that reuse a familiar tactic seen in old emails.
Source: https://cofense.com/blog/qakbot-campaign-attempts-to-revive-old-emails
2022-03-01
Spear Phishing attacks on Ukraine
MEDIUM
Intel Source:
Palo Alto
Intel Name:
Spear Phishing attacks on Ukraine
Date of Scan:
2022-03-01
Impact:
MEDIUM
Summary:
Researchers from Palo Alto identified a spear-phishing campaign attributed to UAC-0056. The target organizations were in Ukraine and the payloads included the document stealer OutSteel and the downloader SaintBot.
Source: https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/
2022-03-01
New wiper and worm targets Ukraine
HIGH
Intel Source:
WeLiveSecurity
Intel Name:
New wiper and worm targets Ukraine
Date of Scan:
2022-03-01
Impact:
HIGH
Summary:
ESET researchers discovered a new set of malware, including a wiper and a worm, after Russia's invasion of Ukraine. The malware was dubbed IsaacWiper and HermeticWizard; a decoy ransomware called HermeticRansom, aka PartyTicket ransomware, was also found.
Source: https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/
2022-02-28
SockDetour Targets U.S. Defense Contractors
MEDIUM
Intel Source:
Palo Alto
Intel Name:
SockDetour Targets U.S. Defense Contractors
Date of Scan:
2022-02-28
Impact:
MEDIUM
Summary:
Researchers from Palo Alto have come across a stealthy custom malware, SockDetour, that targeted U.S.-based defense contractors. Analysis shows that SockDetour was delivered from an external FTP server to a U.S.-based defense contractor's internet-facing Windows server.
Source: https://unit42.paloaltonetworks.com/sockdetour/
2022-02-28
Evolution of EvilCorp
MEDIUM
Intel Source:
SentinelOne
Intel Name:
Evolution of EvilCorp
Date of Scan:
2022-02-28
Impact:
MEDIUM
Summary:
Researchers from SentinelLabs have assessed with high confidence that WastedLocker, Hades, Phoenix Locker and PayloadBIN belong to the same cluster of malware operated by Evil Corp. A technical analysis was also done on the evolution of Evil Corp from Dridex through to Macaw Locker, and for the first time CryptOne and the role it plays in Evil Corp malware development were publicly described.
Source: https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp
2022-02-28
UNC2596 deploys Cuba ransomware
MEDIUM
Intel Source:
Mandiant
Intel Name:
UNC2596 deploys Cuba ransomware
Date of Scan:
2022-02-28
Impact:
MEDIUM
Summary:
Mandiant researchers have tracked a ransomware gang as UNC2596, also known as COLDDRAW and commonly known as Cuba ransomware, which has been found exploiting Microsoft Exchange vulnerabilities to gain initial access to corporate networks and encrypt devices. The Cuba operation primarily targets the United States, followed by Canada.
Source: https://www.mandiant.com/resources/unc2596-cuba-ransomware
2022-02-28
TrickBot Switches to New Malware
MEDIUM
Intel Source:
Intel471
Intel Name:
TrickBot Switches to New Malware
Date of Scan:
2022-02-28
Impact:
MEDIUM
Summary:
As per the recent report by Intel 471, TrickBot is switching its operations and joining hands with Emotet operators. It has also been noticed that the Bazar malware family was recently linked to TrickBot, as its operators were taking over the TrickBot operations.
Source: https://intel471.com/blog/trickbot-2022-emotet-bazar-loader
2022-02-28
DDoS attacks against Ukrainian Websites
MEDIUM
Intel Source:
netlab360
Intel Name:
DDoS attacks against Ukrainian Websites
Date of Scan:
2022-02-28
Impact:
MEDIUM
Summary:
Netlab 360 researchers analyzed recent DDoS attacks on Ukrainian websites and tracked the botnets involved. According to them, the C2s belong to multiple malware families including Mirai, Gafgyt, ripprbot, moobot and ircBot.
Source: https://blog-netlab-360-com.translate.goog/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=zh-CN
2022-02-28
MuddyWater_Seeder Queries_25/02/2022
HIGH
Intel Source:
STR
Intel Name:
MuddyWater_Seeder Queries_25/02/2022
Date of Scan:
2022-02-28
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-02-25
Muddywater attacks U.S/Worldwide
HIGH
Intel Source:
FBI/NCSC/CISA
Intel Name:
Muddywater attacks U.S/Worldwide
Date of Scan:
2022-02-25
Impact:
HIGH
Summary:
Authorities from the US and UK have released a detailed advisory about the recent cyber espionage campaign of MuddyWater, which is allegedly state-sponsored by Iran and works in the interests of the MOIS. In this campaign they have mainly been targeting government and private organizations from industries including telecom, defense and oil & gas located in Asia, Africa, Europe and North America. This time they have come up with a variety of malware including PowGoop, Small Sieve, Mori and POWERSTATS.
Source: https://www.ic3.gov/Media/News/2022/220224.pdf
2022-02-24
TeamTNT targeting Linux servers
MEDIUM
Intel Source:
Intezer
Intel Name:
TeamTNT targeting Linux servers
Date of Scan:
2022-02-24
Impact:
MEDIUM
Summary:
Researchers at Intezer have published the TTPs of the TeamTNT threat actor. Over the past year TeamTNT has been very active and is one of the predominant cryptojacking threat actors, currently targeting Linux servers.
Source: https://www.intezer.com/blog/malware-analysis/teamtnt-cryptomining-explosion/
2022-02-24
Cyclops Blink malware by Sandworm
MEDIUM
Intel Source:
NCSC-UK
Intel Name:
Cyclops Blink malware by Sandworm
Date of Scan:
2022-02-24
Impact:
MEDIUM
Summary:
A joint advisory has been published by the NCSC [UK] and CISA, FBI and NSA [USA] that identifies new malware used by the actor Sandworm. Sandworm, also known as Voodoo Bear, has previously been attributed to Russia's GRU. The malware, dubbed Cyclops Blink, appears to be a replacement for the VPNFilter malware exposed in 2018, and its deployment could allow Sandworm to remotely access networks. The advisory also includes information on the associated TTPs used by Sandworm.
Source: https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf
2022-02-23
Operation Cache Panda
LOW
Intel Source:
CyCraft
Intel Name:
Operation Cache Panda
Date of Scan:
2022-02-23
Impact:
LOW
Summary:
Researchers from CyCraft have come across a campaign targeting Taiwan's financial trading sector through a supply chain attack; the campaign has been attributed to the allegedly state-sponsored threat actor APT10.
Source: https://medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934
2022-02-22
Cobalt Strike targets MS-SQL servers
MEDIUM
Intel Source:
ASEC
Intel Name:
Cobalt Strike targets MS-SQL servers
Date of Scan:
2022-02-22
Impact:
MEDIUM
Summary:
Researchers from ASEC discovered a campaign in which unpatched Microsoft SQL database servers were targeted for distribution of Cobalt Strike. The attacker usually scans port 1433 to check whether MS-SQL servers are open to the public; if a server is found open, they launch brute-force or dictionary attacks against the admin account.
Source: https://asec.ahnlab.com/en/31811/
2022-02-22
Predatory Sparrow targets Iran's BroadCaster
LOW
Intel Source:
Checkpoint
Intel Name:
Predatory Sparrow targets Iran's BroadCaster
Date of Scan:
2022-02-22
Impact:
LOW
Summary:
A wave of cyberattacks has flooded Iran in 2021 and early 2022. The CPR team has done a technical analysis of one of the attacks against the Iranian national media corporation Islamic Republic of Iran Broadcasting (IRIB), which occurred in late January 2022.
Source: https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/
2022-02-22
Qbot utilized to exploit ZeroLogon Vulnerability
MEDIUM
Intel Source:
DFIR Report
Intel Name:
Qbot utilized to exploit ZeroLogon Vulnerability
Date of Scan:
2022-02-22
Impact:
MEDIUM
Summary:
Researchers at The DFIR Report have documented an intrusion in which threat actors used Qbot and exploited the ZeroLogon vulnerability. The threat actor gained initial access through the execution of a malicious DLL.
Source: https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
2022-02-22
Katana Botnet exploited Ukrainian websites
MEDIUM
Intel Source:
Cado security
Intel Name:
Katana Botnet exploited Ukrainian websites
Date of Scan:
2022-02-22
Impact:
MEDIUM
Summary:
A team from Cado Security has identified the 'Katana botnet' (a Mirai variant) as the source behind the series of DDoS attacks against Ukrainian websites between 15-16 February. The impacted sites included bank, government and military websites. Moreover, Ukrainian CERT, 360Netlab and BadPackets have attributed the source of these attacks to the Mirai botnet.
Source: https://www.cadosecurity.com/technical-analysis-of-the-ddos-attacks-against-ukrainian-websites/
2022-02-22
Arkei Infostealer utilizing SmokeLoader
MEDIUM
Intel Source:
Blackberry
Intel Name:
Arkei Infostealer utilizing SmokeLoader
Date of Scan:
2022-02-22
Impact:
MEDIUM
Summary:
The latest analysis of the Arkei Infostealer shows that the cyber-thieves are increasingly targeting people using multifactor authentication as well as crypto-wallets. Arkei Infostealer is often sold and distributed as Malware-as-a-Service and has been spotted utilizing SmokeLoader as a method of deployment. Both Arkei and SmokeLoader have been identified using the same IOCs and known-malicious URLs to conduct their operations.
Source: https://blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer?utm_medium=social&utm_source=bambu
2022-02-22
CryptBot Infostealer
MEDIUM
Intel Source:
ASEC
Intel Name:
CryptBot Infostealer
Date of Scan:
2022-02-22
Impact:
MEDIUM
Summary:
A new version of the CryptBot info stealer was found by ASEC researchers; it was being distributed via multiple websites that offer free downloads of cracks for games and professional software. In the current version of CryptBot there is only one infostealing C2.
Source: https://asec.ahnlab.com/en/31802/
2022-02-21
TunnelVision exploiting Log4j
MEDIUM
Intel Source:
SentinelOne
Intel Name:
TunnelVision exploiting Log4j
Date of Scan:
2022-02-21
Impact:
MEDIUM
Summary:
SentinelOne researchers have observed activity of the TunnelVision attackers that focuses on exploitation of the VMware Horizon Log4j vulnerabilities. The attackers are actively exploiting the vulnerability to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials and perform lateral movement. Researchers have been tracking the activity of this Iranian threat actor operating in the Middle East and the US.
Source: https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/
2022-02-21
PseudoManuscrypt Malware
MEDIUM
Intel Source:
ASEC
Intel Name:
PseudoManuscrypt Malware
Date of Scan:
2022-02-21
Impact:
MEDIUM
Summary:
Multiple Windows machines in South Korea have been attacked by the PseudoManuscrypt malware. This malware is said to be using the same tactics as CryptBot. The malware's targets have mostly been government and industrial organizations.
Source: https://asec.ahnlab.com/en/31683/
2022-02-21
Remcos RAT
MEDIUM
Intel Source:
ISC.SANS
Intel Name:
Remcos RAT
Date of Scan:
2022-02-21
Impact:
MEDIUM
Summary:
An ISC SANS researcher has shared an analysis of a sample received via email. The file was received as an attachment to a mail that pretended to be related to a purchase order. The researcher later attributed the file to Remcos RAT.
Source: https://isc.sans.edu/forums/diary/Remcos+RAT+Delivered+Through+Double+Compressed+Archive/28354/
2022-02-18
Moses Staff targets Israeli Organization
MEDIUM
Intel Source:
Fortinet
Intel Name:
Moses Staff targets Israeli Organization
Date of Scan:
2022-02-18
Impact:
MEDIUM
Summary:
The Moses Staff threat actor has recently launched a new espionage campaign against Israeli organizations. This time they have been leveraging the ProxyShell vulnerability in Microsoft Exchange servers as the initial infection vector to deploy two web shells, followed by exfiltration of Outlook Data Files (.PST) from the compromised server.
Source: https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard
2022-02-18
Kraken- A new botnet
MEDIUM
Intel Source:
ZeroFox
Intel Name:
Kraken- A new botnet
Date of Scan:
2022-02-18
Impact:
MEDIUM
Summary:
Researchers from ZeroFox have found a new Golang-based botnet dubbed Kraken, which is currently under development and has backdoor capabilities to siphon sensitive information from compromised Windows hosts. Its targets include crypto wallets such as Armory, Atomic Wallet, Bytecoin, Electrum, Ethereum, Exodus, Guarda, Jaxx Liberty and Zcash.
Source: https://www.zerofox.com/blog/meet-kraken-a-new-golang-botnet-in-development/#iocs
2022-02-18
Gamaredon targets Ukraine
HIGH
Intel Source:
Palo Alto
Intel Name:
Gamaredon targets Ukraine
Date of Scan:
2022-02-18
Impact:
HIGH
Summary:
The Russia-linked Gamaredon hacking group, aka Primitive Bear, has been actively targeting a Western government entity in Ukraine. The threat vector was a phishing attack which leveraged a job search and employment platform within the country as a conduit to upload their malware downloader, in the form of a resume, for an active job listing related to the targeted entity.
Source: https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/ https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/
2022-02-18
Power BI Phishing Campaign
MEDIUM
Intel Source:
Cofense
Intel Name:
Power BI Phishing Campaign
Date of Scan:
2022-02-18
Impact:
MEDIUM
Summary:
The Cofense Phishing Defense Center has analysed a new phishing campaign that harvests Microsoft credentials by impersonating Power BI emails. Because Power BI is popular, widely used and trusted as a vendor, it has become a prime target for threat actors to spoof and abuse for phishing attacks.
Source: https://cofense.com/blog/phishers-spoof-power-bi-to-visualize-your-credential-data
2022-02-17
BlackByte TTP_Seeder Queries_16/02/2022
HIGH
Intel Source:
STR
Intel Name:
BlackByte TTP_Seeder Queries_16/02/2022
Date of Scan:
2022-02-17
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-02-17
Emotet new Infection Method
MEDIUM
Intel Source:
Palo Alto
Intel Name:
Emotet new Infection Method
Date of Scan:
2022-02-17
Impact:
MEDIUM
Summary:
Researchers at Palo Alto Unit42 have found that yet again the infamous Emotet malware has switched tactics. The new campaign propagates through socially engineered emails carrying malicious Excel files that include an obfuscated Excel 4.0 macro. When the macro is activated it downloads and executes an HTML application, which in turn downloads two stages of PowerShell to retrieve and execute the final Emotet payload.
Source: https://unit42.paloaltonetworks.com/new-emotet-infection-method/
2022-02-17
ModifiedElephant APT
MEDIUM
Intel Source:
SentinelOne
Intel Name:
ModifiedElephant APT
Date of Scan:
2022-02-17
Impact:
MEDIUM
Summary:
SentinelOne researchers attributed the intrusions to a group tracked as 'ModifiedElephant'. The threat actor has been operational since at least 2012 and its activity aligns sharply with Indian state interests. The threat actor uses spear-phishing with malicious documents to deliver malware such as NetWire, DarkComet and keyloggers.
Source: https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/
2022-02-17
GlowSpark Campaign
MEDIUM
Intel Source:
Inquest
Intel Name:
GlowSpark Campaign
Date of Scan:
2022-02-17
Impact:
MEDIUM
Summary:
InQuest Labs researchers analysed a malicious document from the GlowSpark campaign, which is a possible attack vector in the WhisperGate attack. Some samples of this campaign are quite stealthy in how they infect the target. This allows the threat actor to gain a strong foothold in the victim's network without leaving a large footprint.
Source: https://inquest.net/blog/2022/02/10/380-glowspark
2022-02-16
MyloBot Malware
MEDIUM
Intel Source:
Minerva Labs
Intel Name:
MyloBot Malware
Date of Scan:
2022-02-16
Impact:
MEDIUM
Summary:
A new version of the MyloBot malware has been observed deploying malicious payloads that are used to send sextortion emails demanding a huge sum from victims in the form of digital currency. MyloBot also leverages a technique called process hollowing, wherein the attack code is injected into a suspended and hollowed process in order to circumvent process-based defenses.
Source: https://blog.minerva-labs.com/mylobot-2022-so-many-evasive-techniques-just-to-send-extortion-emails
2022-02-16
LockBit 2.0 Ransomware TTPs
HIGH
Intel Source:
Picus Security
Intel Name:
LockBit 2.0 Ransomware TTPs
Date of Scan:
2022-02-16
Impact:
HIGH
Summary:
On 4th Feb 2022 the FBI issued a Flash report on LockBit 2.0 ransomware with a few IoCs. The Picus Security team has also shared TTPs used by the LockBit 2.0 ransomware operators in emerging ransomware campaigns.
Source: https://www.picussecurity.com/resource/lockbit-2.0-ransomware-ttps-used-in-emerging-ransomware-campaigns
2022-02-16
Trickbot Attacks Global Giants customers
MEDIUM
Intel Source:
Checkpoint
Intel Name:
Trickbot Attacks Global Giants customers
Date of Scan:
2022-02-16
Impact:
MEDIUM
Summary:
Researchers from Check Point analyzed a new evasive technique of TrickBot and also found that this time it has been targeting the customers of more than 60 firms worldwide. The TrickBot operators have been using anti-analysis techniques so that researchers can't send automated requests to command-and-control servers to get fresh web-injects.
Source: https://research.checkpoint.com/2022/a-modern-ninja-evasive-trickbot-attacks-customers-of-60-high-profile-companies/
2022-02-16
TA2541 APT targets Aviation
MEDIUM
Intel Source:
Proofpoint
Intel Name:
TA2541 APT targets Aviation
Date of Scan:
2022-02-16
Impact:
MEDIUM
Summary:
Proofpoint researchers have identified the threat actor TA2541 targeting the aviation and aerospace industries. The threat actor commonly uses RATs through which they can control compromised machines. It is said that the targets can be hundreds of organizations from North America, Europe and the Middle East.
Source: https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight
2022-02-16
BitRAT malware
MEDIUM
Intel Source:
Fortinet
Intel Name:
BitRAT malware
Date of Scan:
2022-02-16
Impact:
MEDIUM
Summary:
Threat actors are leveraging NFT (non-fungible token) information to lure users into downloading the BitRAT malware. The campaign makes use of malicious Excel files named 'NFT_Items' to attract targets. These files are hosted on the Discord app and appear to contain names of NFTs, forecasts for potential investment returns and selling quantities.
Source: https://www.fortinet.com/blog/threat-research/nft-lure-used-to-distribute-bitrat
2022-02-16
ShadowPad RAT linked to Chinese government
MEDIUM
Intel Source:
SecureWorks
Intel Name:
ShadowPad RAT linked to Chinese government
Date of Scan:
2022-02-16
Impact:
MEDIUM
Summary:
Researchers from Secureworks were able to link recent activity of the ShadowPad malware to multiple threat actors from China whose activity can be linked to a Chinese ministry and the PLA. It is the same malware that was behind the attacks on NetSarang, CCleaner and ASUS.
Source: https://www.secureworks.com/research/shadowpad-malware-analysis
2022-02-15
BlackByte Ransomware
MEDIUM
Intel Source:
FBI FLASH
Intel Name:
BlackByte Ransomware
Date of Scan:
2022-02-15
Impact:
MEDIUM
Summary:
BlackByte ransomware has compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture). Recently it made the news when the ransomware attacked the San Francisco 49ers ahead of the Super Bowl.
Source: https://www.ic3.gov/Media/News/2022/220211.pdf
2022-02-15
Magecart attacking Magento sites
MEDIUM
Intel Source:
Sansec
Intel Name:
Magecart attacking Magento sites
Date of Scan:
2022-02-15
Impact:
MEDIUM
Summary:
According to Sansec, more than 350 ecommerce stores were infected with malware in a single day. All stores were victims of a payment skimmer loaded from a single domain. The domain is currently offline; the goal of the threat actors was to steal the credit card information of customers on the targeted online stores.
Source: https://sansec.io/research/naturalfreshmall-mass-hack
2022-02-14
OilRig's New Espionage Campaign-Out To Sea
MEDIUM
Intel Source:
ESET
Intel Name:
OilRig's New Espionage Campaign-Out To Sea
Date of Scan:
2022-02-14
Impact:
MEDIUM
Summary:
Recently, researchers from ESET discovered a new campaign dubbed 'Out to Sea'. This campaign was attributed to APT34 (OilRig), which also has links with the Lyceum group. Their malware toolset has also evolved, and they have come up with a backdoor named Marlin.
Source: https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf
2022-02-11
SolarMarker Campaign
MEDIUM
Intel Source:
Sophos
Intel Name:
SolarMarker Campaign
Date of Scan:
2022-02-11
Impact:
MEDIUM
Summary:
SophosLabs has monitored a series of new efforts to distribute SolarMarker, an information stealer and backdoor. First detected in 2020, the .NET malware, usually delivered by a PowerShell installer, has information harvesting and backdoor capabilities.
Source: https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/
2022-02-11
CoinStomp Malware
MEDIUM
Intel Source:
Cado security
Intel Name:
CoinStomp Malware
Date of Scan:
2022-02-11
Impact:
MEDIUM
Summary:
Cado Security researchers have discovered a new malware campaign targeting Asian cloud service providers (CSPs). Researchers dubbed the malware CoinStomp; this family of malware exploits cloud compute instances for the purpose of mining cryptocurrency.
Source: https://www.cadosecurity.com/coinstomp-malware-family-targets-asian-cloud-service-providers/
2022-02-11
Transparent Tribe Group/APT36
HIGH
Intel Source:
Cisco Talos
Intel Name:
Transparent Tribe Group/APT36
Date of Scan:
2022-02-11
Impact:
HIGH
Summary:
Researchers from Talos recently analysed Crimson RAT and Oblique RAT samples and were able to attribute the attack to the Transparent Tribe threat group, also known as APT36. The threat actor is known to be targeting India. Their initial infection vector is usually an email purporting to come from official sources and containing a lure, which can be a Word document or, more often, an Excel spreadsheet.
Source: http://blog.talosintelligence.com/2022/02/whats-with-shared-vba-code.html
2022-02-11
Emotet dropping Cobalt Strike
HIGH
Intel Source:
ISC.SANS
Intel Name:
Emotet dropping Cobalt Strike
Date of Scan:
2022-02-11
Impact:
HIGH
Summary:
Researchers at SANS have dissected a Cobalt Strike sample dropped by Emotet and shared their analysis.
Source: https://isc.sans.edu/diary/rss/28318
2022-02-11
Lorenz Ransomware
MEDIUM
Intel Source:
Cybereason
Intel Name:
Lorenz Ransomware
Date of Scan:
2022-02-11
Impact:
MEDIUM
Summary:
Lorenz ransomware was first seen in February 2021 and is believed to be a rebranding of the '.sZ40' ransomware. Lorenz targets organisations worldwide with customised attacks, with victims mostly in English-speaking countries.
Source: https://www.cybereason.com/blog/cybereason-vs.-lorenz-ransomware
2022-02-11
RedLine Stealer disguised as Windows 11 installer
MEDIUM
Intel Source:
HP
Intel Name:
RedLine Stealer disguised as Windows 11 installer
Date of Scan:
2022-02-11
Impact:
MEDIUM
Summary:
Threat actors started luring Windows 10 users soon after the announcement of the Windows 11 upgrade. They are using a fake Microsoft website to trick users into downloading and running a fake installer that executes the RedLine stealer malware.
Source: https://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/
2022-02-10
Molerat Palestinian-Aligned Espionage campaign
HIGH
Intel Source:
Proofpoint
Intel Name:
Molerat Palestinian-Aligned Espionage campaign
Date of Scan:
2022-02-10
Impact:
HIGH
Summary:
A new campaign has been discovered by Proofpoint researchers detailing the operations of the Molerat threat group, which is allegedly affiliated with Palestinian interests. TA402 is not only abusing Dropbox services for delivery of NimbleMamba but also for malware command and control (C2).
Source: https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage
2022-02-10
PrivateLoader
MEDIUM
Intel Source:
Intel471
Intel Name:
PrivateLoader
Date of Scan:
2022-02-10
Impact:
MEDIUM
Summary:
An analysis of a pay-per-install loader by Intel471 researchers has highlighted its place in the deployment of popular malware strains including Smokeloader, Vidar and Redline. PrivateLoader is distributed mostly through cracked software websites.
Source: https://intel471.com/blog/privateloader-malware
2022-02-09
SEO Poisoning distributes BATLOADER malware
HIGH
Intel Source:
Mandiant
Intel Name:
SEO Poisoning distributes BATLOADER malware
Date of Scan:
2022-02-09
Impact:
HIGH
Summary:
Mandiant researchers uncovered a malicious campaign using SEO poisoning to trick potential victims into downloading the BATLOADER malware. The attackers created malicious sites, packed them with keywords of popular software products and used search engine optimization poisoning to make them show up higher in search results.
Source: https://www.mandiant.com/resources/seo-poisoning-batloader-atera
2022-02-09
Lazarus APT targeting job seekers
LOW
Intel Source:
CyberGeeks
Intel Name:
Lazarus APT targeting job seekers
Date of Scan:
2022-02-09
Impact:
LOW
Summary:
Lazarus APT is yet again targeting job seekers, using job opportunity documents for companies such as Lockheed Martin, BAE Systems and Boeing. In this blog the researcher analysed a document called Boeing BDS MSE.docx, which focuses on people looking for jobs at Boeing. The malware extracts the hostname, username, network information, a list of processes and other information, which is exfiltrated to one of four C2 servers.
Source: https://cybergeeks.tech/a-detailed-analysis-of-lazarus-malware-disguised-as-notepad-shell-extension/
2022-02-09
Mac Trojan:Update Agent
MEDIUM
Intel Source:
Microsoft
Intel Name:
Mac Trojan:Update Agent
Date of Scan:
2022-02-09
Impact:
MEDIUM
Summary:
The Mac trojan has evolved, and its latest incarnation, named UpdateAgent, has added multiple capabilities to its arsenal, such as bypassing Gatekeeper. It lures its victims by impersonating legitimate software and can leverage Mac device functionality to its benefit.
Source: https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/
2022-02-09
Chinese APT Antlion targets financial institutions
LOW
Intel Source:
Symantec
Intel Name:
Chinese APT Antlion targets financial institutions
Date of Scan:
2022-02-09
Impact:
LOW
Summary:
Antlion (a Chinese state-backed APT) has been targeting financial institutions in Taiwan in a persistent campaign over the course of at least 18 months. The attackers deployed a custom backdoor, which Symantec has named xPack, on compromised systems, giving them extensive access to victim machines.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks
2022-02-09
Arid Viper APT
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
Arid Viper APT
Date of Scan:
2022-02-09
Impact:
MEDIUM
Summary:
Cisco Talos has observed a new wave of Delphi malware called Micropsia, developed and operated by the Arid Viper APT group since 2017. This campaign targets Palestinian entities and activists using politically themed lures. The group is believed to be based out of Gaza and is known to target organizations all over the world.
Source: http://blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html
2022-02-09
Operation EmailThief
MEDIUM
Intel Source:
Volexity
Intel Name:
Operation EmailThief
Date of Scan:
2022-02-09
Impact:
MEDIUM
Summary:
An alleged Chinese threat actor tracked as TEMP_Heretic is actively attempting to exploit a zero-day XSS vulnerability in the Zimbra open-source email platform. The campaign has been named EmailThief. Successful exploitation of the cross-site scripting (XSS) vulnerability could allow threat actors to execute arbitrary JavaScript code.
Source: https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/
2022-02-09
QakBot Phishing campaign
HIGH
Intel Source:
DFIR Report
Intel Name:
QakBot Phishing campaign
Date of Scan:
2022-02-09
Impact:
HIGH
Summary:
Qakbot activity since October 2021 has been demystified by The DFIR Report researchers. A malicious email campaign was used to deliver an Excel (xls) document. After the xls document was opened, the initial Qbot DLL loader was downloaded and saved to disk.
Source: https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
2022-02-08
Gold Dragon Malware
MEDIUM
Intel Source:
AhnLab
Intel Name:
Gold Dragon Malware
Date of Scan:
2022-02-08
Impact:
MEDIUM
Summary:
A new wave of activity from the Kimsuky hacking group has been spotted by the ASEC analysis team. The group was using xRAT (an open-source RAT), dropped alongside their custom backdoor dubbed Gold Dragon. The campaign started on January 24, 2022, targeting South Korean entities, and is still ongoing.
Source: https://asec.ahnlab.com/en/31089/
2022-02-08
Lockbit 2.0 TTP_Seeder Queries_07/02/2022
MEDIUM
Intel Source:
STR
Intel Name:
Lockbit 2.0 TTP_Seeder Queries_07/02/2022
Date of Scan:
2022-02-08
Impact:
MEDIUM
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-02-08
LockBit 2.0 Ransomware
HIGH
Intel Source:
FBI FLASH
Intel Name:
LockBit 2.0 Ransomware
Date of Scan:
2022-02-08
Impact:
HIGH
Summary:
LockBit 2.0 operates as an affiliate-based Ransomware-as-a-Service (RaaS) and employs a wide variety of tactics, techniques and procedures (TTPs). LockBit 2.0 ransomware compromises victim networks through a variety of techniques, including but not limited to purchased access, unpatched vulnerabilities, insider access and zero-day exploits.
Source: https://www.ic3.gov/Media/News/2022/220204.pdf
2022-02-08
QBot_Seeder Queries_07/02/2022
MEDIUM
Intel Source:
STR
Intel Name:
QBot_Seeder Queries_07/02/2022
Date of Scan:
2022-02-08
Impact:
MEDIUM
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-02-07
BazarBackdoor malware campaign
MEDIUM
Intel Source:
Bleeping Computer
Intel Name:
BazarBackdoor malware campaign
Date of Scan:
2022-02-07
Impact:
MEDIUM
Summary:
A new phishing campaign is using specially crafted CSV text files to infect users' devices with the BazarBackdoor malware. The phishing emails pretend to be 'Payment Remittance Advice' with links to remote sites that download a CSV file with names similar to 'document-21966.csv.'
Source: https://www.bleepingcomputer.com/news/security/malicious-csv-text-files-used-to-install-bazarbackdoor-malware/
2022-02-07
Blackcat Ransomware_Seeder Queries_04/02/2022
HIGH
Intel Source:
STR
Intel Name:
Blackcat Ransomware_Seeder Queries_04/02/2022
Date of Scan:
2022-02-07
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-02-04
StrifeWater RAT added to Iranian APT Moses Staff arsenal
MEDIUM
Intel Source:
Cybereason
Intel Name:
StrifeWater RAT added to Iranian APT Moses Staff arsenal
Date of Scan:
2022-02-04
Impact:
MEDIUM
Summary:
Researchers discovered a previously unidentified Remote Access Trojan (RAT) in the Moses Staff arsenal, dubbed StrifeWater. The StrifeWater RAT appears to be used in the initial stage of the attack, and this stealthy RAT has the ability to remove itself from the system to cover the Iranian group's tracks. The RAT possesses other capabilities such as command execution and screen capturing, as well as the ability to download additional extensions.
Source: https://www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations
2022-02-04
White Tur Threat Group
MEDIUM
Intel Source:
PWC
Intel Name:
White Tur Threat Group
Date of Scan:
2022-02-04
Impact:
MEDIUM
Summary:
A newly detailed threat actor, dubbed 'White Tur', has been observed employing various techniques borrowed from multiple advanced persistent threat (APT) actors. The adversary hasn't been attributed to a specific geography, although it appears to have been active since at least 2017. The adversary was also observed abusing the open-source project OpenHardwareMonitor for payload execution.
Source: https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html
2022-02-04
Sugar Ransomware
MEDIUM
Intel Source:
Walmart Global Tech Blog
Intel Name:
Sugar Ransomware
Date of Scan:
2022-02-04
Impact:
MEDIUM
Summary:
Recently a threat actor has been starting up a RaaS offering that appears to focus primarily on individual computers instead of entire enterprises, while also reusing objects from other ransomware families. Researchers analysed a sample from a tweet and concluded it was Sugar Ransomware.
Source: https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb
2022-02-04
Mars Stealer- New variant of Oski Stealer
LOW
Intel Source:
@3xport
Intel Name:
Mars Stealer- New variant of Oski Stealer
Date of Scan:
2022-02-04
Impact:
LOW
Summary:
A new variant of the Oski stealer, named Mars Stealer, has been identified in the wild. It has the capability to steal information from all popular web browsers, two-factor authentication plugins and multiple cryptocurrency extensions and wallets.
Source: https://3xp0rt.com/posts/mars-stealer
2022-02-03
WhisperGate Lateral Movement_Seeder Queries_02/02/2022
HIGH
Intel Source:
STR
Intel Name:
WhisperGate Lateral Movement_Seeder Queries_02/02/2022
Date of Scan:
2022-02-03
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-02-03
PowerLess Trojan by Phosphorus/APT35
HIGH
Intel Source:
Cybereason
Intel Name:
PowerLess Trojan by Phosphorus/APT35
Date of Scan:
2022-02-03
Impact:
HIGH
Summary:
Cybereason researchers recently discovered a new set of tools developed by the Phosphorus group and incorporated into their arsenal, including a novel PowerShell backdoor dubbed PowerLess Backdoor. The research also highlights a stealthy technique used by the group to avoid PowerShell detection: running the PowerShell backdoor in a .NET context rather than spawning the PowerShell process.
Source: https://www.cybereason.com/blog/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage
2022-02-03
MuddyWater targets Turkish users
HIGH
Intel Source:
Cisco Talos
Intel Name:
MuddyWater targets Turkish users
Date of Scan:
2022-02-03
Impact:
HIGH
Summary:
Researchers at Cisco Talos have observed a new campaign targeting Turkish private organizations alongside governmental institutions. They have attributed this campaign with high confidence to MuddyWater, which utilizes malicious PDFs, XLS files and Windows executables to deploy malicious PowerShell-based downloaders acting as initial footholds.
Source: http://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html
2022-02-02
StellarParticle campaign by CozyBear/APT29
HIGH
Intel Source:
CrowdStrike
Intel Name:
StellarParticle campaign by CozyBear/APT29
Date of Scan:
2022-02-02
Impact:
HIGH
Summary:
Researchers at CrowdStrike have tracked the activities of the StellarParticle campaign and its association with the COZY BEAR adversary group. They have also discussed the tactics and techniques leveraged in StellarParticle; a few of these are credential hopping, use of the TrailBlazer implant and a Linux variant of the GoldMax malware.
Source: https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
2022-02-02
ShuckWorm targets Ukraine
MEDIUM
Intel Source:
Symantec
Intel Name:
ShuckWorm targets Ukraine
Date of Scan:
2022-02-02
Impact:
MEDIUM
Summary:
Symantec researchers came across a cyber espionage campaign targeting Ukraine. This campaign was attributed to a well-known threat actor group called Shuckworm, which is allegedly a state-sponsored threat group from Russia.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine
2022-02-02
BotenaGo Malware
MEDIUM
Intel Source:
AT&T
Intel Name:
BotenaGo Malware
Date of Scan:
2022-02-02
Impact:
MEDIUM
Summary:
BotenaGo malware source code is now available to any malicious hacker or malware developer. With only 2,891 lines of code, BotenaGo has the potential to be the starting point for many new variants and new malware families using its source code. Alien Labs expects to see new campaigns based on BotenaGo variants targeting routers and IoT devices globally.
Source: https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github
2022-02-02
Lazarus APT
HIGH
Intel Source:
Malwarebytes
Intel Name:
Lazarus APT
Date of Scan:
2022-02-02
Impact:
HIGH
Summary:
This attack by the North Korean APT included a clever use of the Windows Update client to execute the malicious payload and of GitHub as a command and control server.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
2022-02-01
Belarusian Cyber-Partisans group attack national railways
LOW
Intel Source:
Curated Intel
Intel Name:
Belarusian Cyber-Partisans group attack national railways
Date of Scan:
2022-02-01
Impact:
LOW
Summary:
The Belarusian hacktivist group known as the Belarusian Cyber-Partisans claimed responsibility for a limited attack against the national railway company. A primary objective of the attack, they claimed, was to hinder Russian troop movements inside Belarus. Initial access was via the BlueKeep RCE (CVE-2019-0708) in RDP on a Windows Server 2008 R2 system. The group used the 3proxy[.]ru service to launch attacks from a VPS and used Mimikatz to dump LSASS, among other techniques.
Source: https://www.curatedintel.org/2022/01/hacktivist-group-shares-details-related.html
2022-02-01
APT 27 targetting German Companies
LOW
Intel Source:
Federal Office_German Government
Intel Name:
APT 27 targetting German Companies
Date of Scan:
2022-02-01
Impact:
LOW
Summary:
The German government issued a warning about a Chinese cyberespionage campaign targeting German companies by exploiting vulnerabilities in Microsoft Exchange and Zoho self-service products. The HyperBro malware was used in this campaign.
Source: https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf?__blob=publicationFile&v=10 https://therecord.media/german-government-warns-of-apt27-activity-targeting-local-companies/
2022-02-01
WaspLocker Ransomware
LOW
Intel Source:
Cyfirma
Intel Name:
WaspLocker Ransomware
Date of Scan:
2022-02-01
Impact:
LOW
Summary:
WaspLocker is ransomware that encrypts files on the victim's system with AES+RSA encryption, appends the .0.locked extension to the encrypted files and places them in a folder with the .locked extension. It spreads via phishing, spear phishing and social engineering tactics.
Source: https://www.cyfirma.com/outofband/ransomware-report-wasplocker/
2022-01-31
Chaes Banking Trojan
HIGH
Intel Source:
Avast
Intel Name:
Chaes Banking Trojan
Date of Scan:
2022-01-31
Impact:
HIGH
Summary:
Researchers from Avast discovered that the Chaes banking Trojan has been actively spreading since November 2020. Chaes is notable for its multi-stage distribution method, which makes use of scripting frameworks such as JScript, Python and NodeJS, binary files written in Delphi, and malicious Google Chrome extensions, among other things.
Source: https://decoded.avast.io/anhho/chasing-chaes-kill-chain/
2022-01-31
Prophet Spider exploiting Log4j Vulnerability
HIGH
Intel Source:
Blackberry
Intel Name:
Prophet Spider exploiting Log4j Vulnerability
Date of Scan:
2022-01-31
Impact:
HIGH
Summary:
The BlackBerry Research team has correlated attacks by the Prophet Spider group with exploitation of the Log4j vulnerability in VMware Horizon. Researchers also report that Prophet Spider's TTPs are consistent with selling network access to other criminals, including ransomware gangs. Despite VMware's patch and subsequent guidance, many implementations remain unpatched, leaving them susceptible to exploitation.
Source: https://blogs.blackberry.com/en/2022/01/log4u-shell4me
2022-01-31
Log4j 4 IP's
HIGH
Intel Source:
Internal
Intel Name:
Log4j 4 IP's
Date of Scan:
2022-01-31
Impact:
HIGH
Summary:
IP addresses linked to exploitation of the Log4j vulnerability.
Source: Internal Investigations
2022-01-31
KONNI RAT
HIGH
Intel Source:
MalwareBytes
Intel Name:
KONNI RAT
Date of Scan:
2022-01-31
Impact:
HIGH
Summary:
KONNI is a Remote Administration Tool that has been in use for at least 8 years. The North Korean threat actor using this piece of malware has been identified under the Kimsuky umbrella. The KONNI RAT is being actively developed, and new samples now include significant updates.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/
2022-01-28
Analysis of a Management IP Address linked to Molerats APT
MEDIUM
Intel Source:
Team Cymru
Intel Name:
Analysis of a Management IP Address linked to Molerats APT
Date of Scan:
2022-01-28
Impact:
MEDIUM
Summary:
Team Cymru analysed a management IP address linked to the Molerats APT. This was higher-order infrastructure utilizing IP addresses assigned to Palestinian providers. Additionally, the targets identified were in Israel and Saudi Arabia.
Source: https://team-cymru.com/blog/2022/01/26/analysis-of-a-management-ip-address-linked-to-molerats-apt/
2022-01-28
Midas Ransomware
MEDIUM
Intel Source:
Sophos
Intel Name:
Midas Ransomware
Date of Scan:
2022-01-28
Impact:
MEDIUM
Summary:
An attack on a technology vendor was identified, and the ransomware behind it was Midas. The Midas ransomware attack highlights the risks of limited access controls and "ghost" tools: the attackers were able to spend nearly two months undetected in the target's environment.
Source: https://news.sophos.com/en-us/2022/01/25/windows-services-lay-the-groundwork-for-a-midas-ransomware-attack/ https://github.com/sophoslabs/IoCs/blob/master/Ransomware-Midas.csv
2022-01-28
AsyncRAT
MEDIUM
Intel Source:
Morphisec
Intel Name:
AsyncRAT
Date of Scan:
2022-01-28
Impact:
MEDIUM
Summary:
Morphisec researchers have identified a new, sophisticated campaign delivery method that evades multiple AVs. Through a simple email phishing tactic with an HTML attachment, threat actors are delivering AsyncRAT (a remote access trojan) designed to remotely monitor and control infected computers through a secure encrypted connection.
Source: https://blog.morphisec.com/asyncrat-new-delivery-technique-new-threat-campaign
2022-01-27
TrickBot Invoices
HIGH
Intel Source:
Cofense
Intel Name:
TrickBot Invoices
Date of Scan:
2022-01-27
Impact:
HIGH
Summary:
In the new campaign, TrickBot is taking advantage of supply chain delays and sending phishing emails to users with an invoice attachment claiming to be from USPS. This TrickBot campaign demonstrates more effort than past campaigns, both in the design of the lure and in the email itself. Most of the time the style of TrickBot campaign emails is relatively simple and can easily be spotted as suspicious.
Source: https://cofense.com/blog/trickbot-malware-delivered-as-invoicess
2022-01-27
DazzleSpy macOS malware
MEDIUM
Intel Source:
WeLiveSecurity
Intel Name:
DazzleSpy macOS malware
Date of Scan:
2022-01-27
Impact:
MEDIUM
Summary:
ESET researchers discovered a new watering hole attack targeting macOS users and visitors of a pro-democracy radio station website in Hong Kong, infecting them with the DazzleSpy malware.
Source: https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/
2022-01-26
WhisperGate TTP_Seeder Queries
HIGH
Intel Source:
STR
Intel Name:
WhisperGate TTP_Seeder Queries
Date of Scan:
2022-01-26
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-01-26
PKEXEC LPE/CVE-2021-4034_Seeder Queries
MEDIUM
Intel Source:
STR
Intel Name:
PKEXEC LPE/CVE-2021-4034_Seeder Queries
Date of Scan:
2022-01-26
Impact:
MEDIUM
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-01-25
APT36/Earth Karkaddan
HIGH
Intel Source:
Trend Micro
Intel Name:
APT36/Earth Karkaddan
Date of Scan:
2022-01-25
Impact:
HIGH
Summary:
According to Trend Micro researchers, the suspected Pakistani threat actor group APT36, aka Earth Karkaddan, has expanded its malware arsenal by adding a new Android RAT, CapraRAT.
Source: https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html
2022-01-25
Trickbot's new evasion technique
HIGH
Intel Source:
IBM
Intel Name:
Trickbot's new evasion technique
Date of Scan:
2022-01-25
Impact:
HIGH
Summary:
According to Security Intelligence researchers, TrickBot operators have been escalating activity. As part of that escalation, the malware's injections have been fitted with added protection to keep researchers out and get past security controls.
Source: https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/
2022-01-25
OceanLotus APT attack
HIGH
Intel Source:
QI-ANXIN Threat Intelligence Center
Intel Name:
OceanLotus APT attack
Date of Scan:
2022-01-25
Impact:
HIGH
Summary:
The state-sponsored threat actor group known as OceanLotus is using the web archive file format to evade system detection while delivering backdoors for intrusion. A report from QI-ANXIN Threat Intelligence Center claims that OceanLotus’s campaign is actively using web archive files (.MHT and .MHTML) for its attacks.
Source: https://mp.weixin.qq.com/s/1L7o1C-aGlMBAXzHqR9udA
2022-01-25
STRRAT Malware
MEDIUM
Intel Source:
Fortinet
Intel Name:
STRRAT Malware
Date of Scan:
2022-01-25
Impact:
MEDIUM
Summary:
Researchers at Fortinet have identified an email that was subsequently found to carry a variant of the STRRAT malware as an attachment. STRRAT is a multi-capability Remote Access Trojan that dates to at least mid-2020. Unusually, it is Java-based, and it is typically delivered to victims via phishing email.
Source: https://www.fortinet.com/blog/threat-research/new-strrat-rat-phishing-campaign
2022-01-25
BRATA RAT malware
MEDIUM
Intel Source:
Cleafy Labs
Intel Name:
BRATA RAT malware
Date of Scan:
2022-01-25
Impact:
MEDIUM
Summary:
Researchers from Cleafy have tracked BRATA malware and have documented its evolution in terms of both new targets and new features.
Source: https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account
2022-01-25
Infected PowerPoint Files Using Cloud Services to Deliver Multiple Malware
MEDIUM
Intel Source:
Netskope
Intel Name:
Infected PowerPoint Files Using Cloud Services to Deliver Multiple Malware
Date of Scan:
2022-01-25
Impact:
MEDIUM
Summary:
Researchers at Netskope have identified an increase in the use of one specific file type from the Microsoft Office suite: PowerPoint. These relatively small files are delivered through phishing emails and then download and execute malicious scripts through LoLBins, a common technique often used to stay under the radar.
Source: https://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware
2022-01-24
FIN7 trojanized USB
HIGH
Intel Source:
Gemini Advisory
Intel Name:
FIN7 trojanized USB
Date of Scan:
2022-01-24
Impact:
HIGH
Summary:
Gemini Advisory researchers found the FIN7 group using flash drives to spread a remote access trojan. FIN7 uses trojanized USB devices to ultimately load the IceBot Remote Access Trojan (RAT), resulting in unauthorized remote access to systems within victims' networks.
Source: https://geminiadvisory.io/fin7-flash-drives-spread-remote-access-trojan/
2022-01-24
MoonBounce Implant_Seeder Queries
HIGH
Intel Source:
STR
Intel Name:
MoonBounce Implant_Seeder Queries
Date of Scan:
2022-01-24
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-01-24
AIKIDO C2_Seeder Queries - 24/01/2022
HIGH
Intel Source:
STR
Intel Name:
AIKIDO C2_Seeder Queries - 24/01/2022
Date of Scan:
2022-01-24
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-01-24
DDoS IRC Bot Malware
LOW
Intel Source:
ASEC
Intel Name:
DDoS IRC Bot Malware
Date of Scan:
2022-01-24
Impact:
LOW
Summary:
The ASEC Research Team has discovered that DDoS IRC Bot strains disguised as adult games are being installed via webhards. Webhards are platforms commonly used for the distribution of malware in Korea, where njRAT and UDP Rat were distributed in the past.
Source: https://asec.ahnlab.com/en/30755/
2022-01-24
Emotet Spam
HIGH
Intel Source:
Trend Micro
Intel Name:
Emotet Spam
Date of Scan:
2022-01-24
Impact:
HIGH
Summary:
Trend Micro researchers observed Emotet spam campaigns abusing unconventional IP address formats to spread malware.
Source: https://www.trendmicro.com/en_us/research/22/a/emotet-spam-abuses-unconventional-ip-address-formats-spread-malware.html
2022-01-24
Molerats APT Espionage campaign
HIGH
Intel Source:
Zscaler
Intel Name:
Molerats APT Espionage campaign
Date of Scan:
2022-01-24
Impact:
HIGH
Summary:
Zscaler ThreatLabz team have detected several samples of macro-based MS office files uploaded from Middle Eastern countries. These files contained decoy themes related to geo-political conflicts between Israel and Palestine. Such themes have been used in previous attack campaigns waged by the Molerats APT.
Source: https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
2022-01-24
DTPacker
MEDIUM
Intel Source:
Proofpoint
Intel Name:
DTPacker
Date of Scan:
2022-01-24
Impact:
MEDIUM
Summary:
Researchers at Proofpoint have identified a malware packer they have dubbed 'DTPacker'. The packer is typically used to pack remote access trojans that can be used to steal information and load follow-on payloads such as ransomware.
Source: https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1
2022-01-21
DoL Phishing
MEDIUM
Intel Source:
INKY
Intel Name:
DoL Phishing
Date of Scan:
2022-01-21
Impact:
MEDIUM
Summary:
Researchers at INKY have detected a phishing campaign that impersonated the United States Department of Labor (DoL). In this campaign, the majority of phishing attempts had sender email addresses spoofed to look as if they came from [email protected][.]gov, which is the real DoL site. A small subset was spoofed to look as if they came from [email protected][.]com, which is of course not the real DoL domain.
Source: https://www.inky.com/blog/fresh-phish-phishers-lure-victims-with-fake-invites-to-bid-on-nonexistent-federal-projects
2022-01-21
DONOT Hacking team/APT-C-35/SectorE02
MEDIUM
Intel Source:
WeLiveSecurity
Intel Name:
DONOT Hacking team/APT-C-35/SectorE02
Date of Scan:
2022-01-21
Impact:
MEDIUM
Summary:
ESET researchers take a deep look into recent attacks carried out by Donot Team throughout 2020 and 2021 targeting government and military entities in several South Asian countries.
Source: https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/
2022-01-21
Mirai Botnet Abusing Log4j
HIGH
Intel Source:
Akamai
Intel Name:
Mirai Botnet Abusing Log4j
Date of Scan:
2022-01-21
Impact:
HIGH
Summary:
Researchers at Akamai have examined an ARM binary, which revealed the adaptation of the Log4j vulnerability to infect hosts and assist in the proliferation of malware used by the Mirai botnet.
Source: https://www.akamai.com/blog/security/mirai-botnet-abusing-log4j-vulnerability
2022-01-21
BHUNT Stealer
MEDIUM
Intel Source:
BitDefender
Intel Name:
BHUNT Stealer
Date of Scan:
2022-01-21
Impact:
MEDIUM
Summary:
Bitdefender researchers have discovered a new family of crypto-wallet stealer malware dubbed 'BHUNT'. The samples identified appear to have been digitally signed with a certificate issued to a software company, but the certificate does not match the binaries.
Source: https://www.bitdefender.com/files/News/CaseStudies/study/411/Bitdefender-PR-Whitepaper-CyberWallet-creat5874-en-EN.pdf
2022-01-20
Targeted ICS Spyware
MEDIUM
Intel Source:
Kaspersky
Intel Name:
Targeted ICS Spyware
Date of Scan:
2022-01-20
Impact:
MEDIUM
Summary:
Kaspersky ICS Experts have noticed a large set of campaigns that spread from one industrial enterprise to another via hard-to-detect phishing emails disguised as the victim organizations’ correspondence and abusing their corporate email systems to attack through the contact lists of compromised mailboxes.
Source: https://ics-cert.kaspersky.com/publications/reports/2022/1/19/campaigns-abusing-corporate-trusted-infrastructure-hunt-for-corporate-credentials-on-ics-networks/
2022-01-20
Operation Bleeding Bear
HIGH
Intel Source:
Elastic
Intel Name:
Operation Bleeding Bear
Date of Scan:
2022-01-20
Impact:
HIGH
Summary:
Researchers at Elastic Security provide new analysis and insights into a targeted campaign against Ukrainian organizations using destructive malware. In a multi-staged attack, one malware component, known as WhisperGate, wipes the Master Boot Record (MBR), rendering any impacted machine inoperable after reboot.
Source: https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/#indicators
2022-01-20
MoonBounce
HIGH
Intel Source:
Kaspersky
Intel Name:
MoonBounce
Date of Scan:
2022-01-20
Impact:
HIGH
Summary:
Kaspersky researchers have identified a UEFI firmware-level compromise. Further analysis showed that a single component within the inspected firmware image was modified by attackers in a way that allowed them to intercept the original execution flow of the machine's boot sequence and introduce a sophisticated infection chain.
Source: https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
2022-01-20
White Rabbit Ransomware
MEDIUM
Intel Source:
Trend Micro
Intel Name:
White Rabbit Ransomware
Date of Scan:
2022-01-20
Impact:
MEDIUM
Summary:
The Trend Micro research team spotted a new ransomware family named 'White Rabbit', which has been discreetly making a name for itself, including an attack on a local US bank in December 2021. The ransomware copies the hiding capability of Egregor and has a potential connection to the APT group FIN8.
Source: https://lodestone.com/insight/white-rabbit-ransomware-and-the-f5-backdoor/ https://www.trendmicro.com/en_us/research/22/a/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics.html
2022-01-20
Blackcat Ransomware
MEDIUM
Intel Source:
SentinelOne
Intel Name:
Blackcat Ransomware
Date of Scan:
2022-01-20
Impact:
MEDIUM
Summary:
Researchers at SentinelOne analysed BlackCat ransomware behaviour. BlackCat first appeared in late November 2021 and has reportedly been attacking targets in multiple countries, including Australia, India and the U.S., demanding ransoms in the region of $400,000 to $3,000,000 in Bitcoin or Monero.
Source: https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/
2022-01-20
WhisperGate
HIGH
Intel Source:
Microsoft
Intel Name:
WhisperGate
Date of Scan:
2022-01-20
Impact:
HIGH
Summary:
MSTIC found a destructive malware operation that has been targeting organizations in Ukraine. The malware has been dubbed WhisperGate. The activity has been identified as possible Master Boot Record (MBR) wiper activity.
Source: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ https://twitter.com/threatintel/status/1483470646210445320
2022-01-19
vSphere cryptominer campaign
MEDIUM
Intel Source:
Uptycs
Intel Name:
vSphere cryptominer campaign
Date of Scan:
2022-01-19
Impact:
MEDIUM
Summary:
Researchers from Uptycs identified malicious shell scripts that specifically target VMware vSphere. The attackers used commands in the shell script to modify the vSphere service in order to run the XMRig miner.
Source: https://www.uptycs.com/blog/cryptominer-campaign-targeting-vmware-vsphere-services-for-coin-mining
2022-01-19
SysJoker_Seeder Queries - 12/01/2022
HIGH
Intel Source:
STR
Intel Name:
SysJoker_Seeder Queries - 12/01/2022
Date of Scan:
2022-01-19
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-01-19
AIKIDO C2_Seeder Queries - 18/01/2022
MEDIUM
Intel Source:
STR
Intel Name:
AIKIDO C2_Seeder Queries - 18/01/2022
Date of Scan:
2022-01-19
Impact:
MEDIUM
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-01-19
AIKIDO ICEID New Delivery Method_Seeder Queries - 12/01/2022
MEDIUM
Intel Source:
STR
Intel Name:
AIKIDO ICEID New Delivery Method_Seeder Queries - 12/01/2022
Date of Scan:
2022-01-19
Impact:
MEDIUM
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-01-19
(Mailbox Phishing Kit)Espionage campaign- Renewable energy companies
MEDIUM
Intel Source:
Bushidotoken
Intel Name:
(Mailbox Phishing Kit)Espionage campaign- Renewable energy companies
Date of Scan:
2022-01-19
Impact:
MEDIUM
Summary:
A security researcher discovered a large-scale cyber-espionage campaign targeting primarily renewable energy and industrial technology organizations. The attacker uses a custom 'Mail Box' toolkit, an unsophisticated phishing package, deployed on the actor's own infrastructure as well as on legitimate websites compromised to host phishing pages.
Source: https://blog.bushidotoken.net/2022/01/tracking-renewable-energy-intelligence.html https://www.bleepingcomputer.com/news/security/cyber-espionage-campaign-targets-renewable-energy-companies/
2022-01-18
MuddyWater_MOIS_Seeder Queries - 14/01/2022
HIGH
Intel Source:
STR
Intel Name:
MuddyWater_MOIS_Seeder Queries - 14/01/2022
Date of Scan:
2022-01-18
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-01-14
BlueNoroff APT Group
HIGH
Intel Source:
Kaspersky
Intel Name:
BlueNoroff APT Group
Date of Scan:
2022-01-14
Impact:
HIGH
Summary:
The North Korea-linked APT group BlueNoroff has been spotted targeting cryptocurrency startups with fake MetaMask browser extensions. The latest attacks targeted cryptocurrency startups in the US, Russia, China, India, the UK, Ukraine, Poland, the Czech Republic, the UAE, Singapore, Estonia, Vietnam, Malta, Germany and Hong Kong.
Source: https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/
2022-01-13
Exploit Kits vs Chrome
MEDIUM
Intel Source:
Avast
Intel Name:
Exploit Kits vs Chrome
Date of Scan:
2022-01-13
Impact:
MEDIUM
Summary:
Avast researchers found that the Underminer exploit kit developed an exploit for a Chromium-based vulnerability. Two exploit kits dared to attack Google Chrome: Magnitude, using CVE-2021-21224 and CVE-2021-31956, and Underminer, using CVE-2021-21224, CVE-2019-0808, CVE-2020-1020 and CVE-2020-1054.
Source: https://decoded.avast.io/janvojtesek/exploit-kits-vs-google-chrome/
2022-01-13
TellYouThePass Ransomware
HIGH
Intel Source:
CrowdStrike
Intel Name:
TellYouThePass Ransomware
Date of Scan:
2022-01-13
Impact:
HIGH
Summary:
CrowdStrike found a re-emerged version of the TellYouThePass ransomware compiled using Golang. The same ransomware was recently associated with Log4Shell post-exploitation targeting Windows and Linux.
Source: https://www.crowdstrike.com/blog/tellyouthepass-ransomware-analysis-reveals-modern-reinterpretation-using-golang/
2022-01-13
Magniber Ransomware
MEDIUM
Intel Source:
ASEC
Intel Name:
Magniber Ransomware
Date of Scan:
2022-01-13
Impact:
MEDIUM
Summary:
Analysts from AhnLab discovered that the attackers behind the Magniber ransomware, who had so far been exploiting IE-based vulnerabilities, are now targeting PCs via modern browsers such as Edge and Chrome.
Source: https://asec.ahnlab.com/en/30645/
2022-01-13
Abusing MS Office Using Malicious Web Archive Files
MEDIUM
Intel Source:
Netskope
Intel Name:
Abusing MS Office Using Malicious Web Archive Files
Date of Scan:
2022-01-13
Impact:
MEDIUM
Summary:
The OceanLotus group of state-sponsored hackers is now using the web archive file format (.MHT and .MHTML) to deploy backdoors to compromised systems.
Source: https://www.netskope.com/blog/abusing-microsoft-office-using-malicious-web-archive-files
2022-01-13
DEV-0401
MEDIUM
Intel Source:
Microsoft
Intel Name:
DEV-0401
Date of Scan:
2022-01-13
Impact:
MEDIUM
Summary:
The Microsoft Threat Intelligence Center has detected attackers exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon. These attacks are performed by a China-based ransomware operator that Microsoft tracks as DEV-0401.
Source: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/#NightSky
2022-01-13
MuddyWater_MOIS
HIGH
Intel Source:
US cyber command
Intel Name:
MuddyWater_MOIS
Date of Scan:
2022-01-13
Impact:
HIGH
Summary:
U.S. Cyber Command's Cyber National Mission Force (CNMF) has identified multiple open-source tools used by an Iranian advanced persistent threat (APT) group known as MuddyWater. The techniques used by the APT group include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions.
Source: https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/
2022-01-13
GootLoader Campaign
MEDIUM
Intel Source:
eSentire
Intel Name:
GootLoader Campaign
Date of Scan:
2022-01-13
Impact:
MEDIUM
Summary:
eSentire researchers found that operators of the GootLoader campaign are targeting employees of accounting and law firms. GootLoader is stealthy initial-access malware which, after gaining a foothold on the victim's computer, infects the system with ransomware or other destructive malware.
Source: https://www.esentire.com/security-advisories/gootloader-hackers-are-compromising-employees-of-law-firms-and-accounting-agencies-warns-esentire
2022-01-12
Patchwork APT
LOW
Intel Source:
MalwareBytes
Intel Name:
Patchwork APT
Date of Scan:
2022-01-12
Impact:
LOW
Summary:
Malwarebytes Labs has analysed a campaign in which the Patchwork APT used malicious RTF files to drop a variant of the BADNEWS Remote Administration Trojan (RAT).
Source: https://blog.malwarebytes.com/threat-intelligence/2022/01/patchwork-apt-caught-in-its-own-web/
2022-01-12
RedLine Stealer
MEDIUM
Intel Source:
Fortinet
Intel Name:
RedLine Stealer
Date of Scan:
2022-01-12
Impact:
MEDIUM
Summary:
Researchers at Fortinet have identified an executable file, 'Omicron Stats.exe', attributed to a variant of the RedLine Stealer malware. The researchers analysed the new RedLine variant, its core functions, how it communicates with its C2 server and how organizations can protect themselves.
Source: https://www.fortinet.com/blog/threat-research/omicron-variant-lure-used-to-distribute-redline-stealer
2022-01-12
Nanocore Netwire and AsyncRAT
HIGH
Intel Source:
Cisco Talos
Intel Name:
Nanocore Netwire and AsyncRAT
Date of Scan:
2022-01-12
Impact:
HIGH
Summary:
Cisco Talos researchers discovered a new attack campaign using public cloud infrastructure to spread RATs, namely Nanocore, Netwire and AsyncRAT.
Source: https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html
2022-01-12
ABCbot
LOW
Intel Source:
Cado security
Intel Name:
ABCbot
Date of Scan:
2022-01-12
Impact:
LOW
Summary:
Cado Security researchers analyzed Abcbot and found a link to the Xanthe-based cryptojacking campaign. The same threat actor is responsible for both Xanthe and Abcbot and is shifting its objective from mining cryptocurrency on compromised hosts to activities more traditionally associated with botnets, such as DDoS attacks.
Source: https://www.cadosecurity.com/abcbot-an-evolution-of-xanthe/
2022-01-12
STR Omega 1/12/22
HIGH
Intel Source:
STR
Intel Name:
STR Omega 1/12/22
Date of Scan:
2022-01-12
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-01-11
APT35
HIGH
Intel Source:
Checkpoint
Intel Name:
APT35
Date of Scan:
2022-01-11
Impact:
HIGH
Summary:
Check Point researchers discovered that APT35 has started widespread scanning and attempts to leverage the Log4j flaw in publicly facing systems.
Source: https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/
2022-01-11
SysJoker Backdoor
HIGH
Intel Source:
Intezer
Intel Name:
SysJoker Backdoor
Date of Scan:
2022-01-11
Impact:
HIGH
Summary:
Researchers from Intezer discovered a new multi-platform backdoor that targets Windows, Mac and Linux. The backdoor was named SysJoker. SysJoker masquerades as a system update and generates its C2 by decoding a string retrieved from a text file hosted on Google Drive.
Source: https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
2022-01-11
Trojanized dnspy app campaign
HIGH
Intel Source:
STR
Intel Name:
Trojanized dnspy app campaign
Date of Scan:
2022-01-11
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-01-11
VMware Horizon Exploitation Using Log4J
HIGH
Intel Source:
STR
Intel Name:
VMware Horizon Exploitation Using Log4J
Date of Scan:
2022-01-11
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-01-06
TA551 IcedID
MEDIUM
Intel Source:
Palo Alto
Intel Name:
TA551 IcedID
Date of Scan:
2022-01-06
Impact:
MEDIUM
Summary:
Palo Alto Networks Unit 42 researchers have tracked TA551 activity in which the threat actor uses Word documents with both German and Italian templates, later delivering IcedID malware.
Source: https://github.com/pan-unit42/tweets/blob/master/2022-01-05-IOCs-for-TA551-IcedID-with-Cobalt-Strike.txt
2022-01-06
Web Skimmer Campaign
MEDIUM
Intel Source:
Palo Alto
Intel Name:
Web Skimmer Campaign
Date of Scan:
2022-01-06
Impact:
MEDIUM
Summary:
Researchers at Unit 42 have found a supply chain attack leveraging a cloud video platform to distribute skimmer (aka formjacking) campaigns. In skimmer attacks, cybercriminals inject malicious JavaScript code into a website and take over the functionality of the site's HTML form page to collect sensitive user information.
Source: https://unit42.paloaltonetworks.com/web-skimmer-video-distribution/
2022-01-05
Zloader Banking Malware Campaign
MEDIUM
Intel Source:
Checkpoint
Intel Name:
Zloader Banking Malware Campaign
Date of Scan:
2022-01-05
Impact:
MEDIUM
Summary:
Check Point Research tracked a Zloader campaign and identified evidence that the new campaign was first seen around early November 2021. The techniques incorporated in the infection chain include the use of legitimate remote management (RMM) software to gain initial access to the target machine.
Source: https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/