Threat Research Feed

Intel Source:

ASEC

Intel Name:

Surge_in_Phishing_Attacks_Impersonating_Korean_Websites

Date of Scan:

2024-04-22

Impact:

MEDIUM

Summary:

AhnLab’s Security Intelligence Center (ASEC) has identified a significant rise in phishing attempts mimicking Korean portal websites, logistics brands, and webmail login pages. These attacks utilize sophisticated tactics, such as replicating the appearance of legitimate websites and leveraging NoCodeForm for credential exfiltration.

Source:
https://asec.ahnlab.com/en/64294/

Intel Source:

ISC.SANS

Intel Name:

A_Malicious_PDF_File_Using_to_Deliver_Malware

Date of Scan:

2024-04-22

Impact:

LOW

Summary:

Researchers at SANS have noted that billions of PDF files are shared on a regular basis, and that many individuals take these files for trust because they believe they are “read-only” and contain just “a bunch of data”. Previously, PDF viewers were vulnerable to nasty vulnerabilities in poorly crafted PDF files. Particularly the Acrobat or FoxIt readers, they were all impacted at least once. Additionally, a PDF file can be rather “dynamic” by containing embedded JavaScript scripts, auto-open actions that cause scripts (like PowerShell on Windows) to run, or any other kind of embedded data.

Source:
https://isc.sans.edu/diary/Malicious+PDF+File+Used+As+Delivery+Mechanism/30848/

Intel Source:

Microsoft

Intel Name:

Microsoft_Defender_Exposes_Kubernetes_Vulnerabilities

Date of Scan:

2024-04-22

Impact:

LOW

Summary:

Microsoft Defender recently identified a significant attack targeting Kubernetes workloads leveraging critical vulnerabilities in OpenMetadata for cryptomining. Exploiting flaws disclosed on March 15, 2024, attackers gained access to Kubernetes clusters, executed reconnaissance commands, and deployed cryptomining malware. Microsoft recommends updating OpenMetadata to version 1.3.1 or later, provides guidance for vulnerability checks, and highlights the role of Defender for Cloud in detecting and mitigating such threats, underlining the importance of proactive security measures in containerized environments.

Source:
https://www.microsoft.com/en-us/security/blog/2024/04/17/attackers-exploiting-new-critical-openmetadata-vulnerabilities-on-kubernetes-clusters/

Intel Source:

Securelist

Intel Name:

The_APT_group_ToddyCat_compromise_infrustructure

Date of Scan:

2024-04-22

Impact:

LOW

Summary:

This month, Securelist researchers ran an investigation on how attackers got constant access to compromised infrastructure, what information on the hosts they are interested in, and what tools they used for it. ToddyCat is a threat actors group that in general targets governmental organizations located in the Asia-Pacific region. The group’s main goal is to steal sensitive information from hosts.

Source:
https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112443/

Intel Source:

CERT-UA

Intel Name:

Sandworm_Groups_Cyber_Scheme

Date of Scan:

2024-04-22

Impact:

LOW

Summary:

Researchers at CERT-UA found that the Sandworm group had a plan to mess with almost 20 important places in March 2024. They wanted to mess up the computer systems that control energy, water, and heat in different parts of Ukraine. CERT-UA also found out that three supply chains were messed with, either because of weak software or because employees from the supplier could get into the systems.

Source:
https://cert.gov.ua/article/6278706

Intel Source:

Ars Technica

Intel Name:

Phishing_campaign_attacks_LastPass_users

Date of Scan:

2024-04-19

Impact:

LOW

Summary:

The article discusses a recent phishing attack that targeted users of the password manager LastPass. The attack utilized a sophisticated phishing-as-a-service kit called CryptoChameleon, which provided all the necessary resources to deceive even knowledgeable individuals into revealing their master passwords. The attackers used a combination of email, SMS, and voice calls to trick victims into giving up their login credentials. LastPass was just one of the many sensitive services targeted by CryptoChameleon, and the attack was able to bypass multi-factor authentication. The section also mentions previous attacks on LastPass and offers tips for preventing these types of scams from being successful.

Source:
https://arstechnica.com/security/2024/04/lastpass-users-targeted-in-phishing-attacks-good-enough-to-trick-even-the-savvy/

Intel Source:

SOC Radar

Intel Name:

Security_Risks_in_OpenMetadata

Date of Scan:

2024-04-19

Impact:

LOW

Summary:

Researchers from Microsoft have discovered the critical vulnerabilities within the OpenMetadata platform, an open-source system designed to manage metadata across various data sources. These vulnerabilities affect versions of OpenMetadata earlier than 1.3.1, potentially allowing attackers to bypass authentication and execute Remote Code Execution (RCE).

Source:
https://socradar.io/openmetadata-attackers-cryptomine-in-kubernetes/

Intel Source:

Avast

Intel Name:

Technical_Analysis_of_Lazarus_Groups_Sophisticated_Attack_Chain_Targeting_Asian_Individuals

Date of Scan:

2024-04-19

Impact:

LOW

Summary:

Avast’s investigation uncovers a sophisticated campaign by the Lazarus group targeting individuals in Asia with fabricated job offers. The attack, employing fileless malware and multi-layered loaders, showcases advanced evasion techniques and intricate C&C communication. The involvement of the Kaolin RAT highlights the group’s commitment to control and data extraction.

Source:
https://decoded.avast.io/luiginocamastra/from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams

Intel Source:

picussecurity

Intel Name:

Threat_Landscape_Update_Exploits_and_Breaches

Date of Scan:

2024-04-19

Impact:

LOW

Summary:

The Red Report 2024 by Picus Security include critical vulnerabilities exploited by threat actors, such as PAN-OS command injection and PuTTY SSH client vulnerability, alongside targeted attacks by groups like IntelBroker and Sandworm

Source:
https://www.picussecurity.com/resource/blog/april-19-top-threat-actors-malware-vulnerabilities-and-exploits

Intel Source:

Stairwell

Intel Name:

The_CVE_2024_31497_PuTTY_vulnerability

Date of Scan:

2024-04-19

Impact:

LOW

Summary:

In the Stairwell blog, the analysts discuss the details of a vulnerability, CVE-2024-31497, found in the PuTTY SSH libraries by researchers at Ruhr University Bochum. It allows attackers to access private keys used in key-based authentication. The blog provides a list of potentially vulnerable software, known vulnerable hashes, and a YARA rule for detection, and mentions the importance of quickly addressing supply chain vulnerabilities. The background of the vulnerability is explained, along with a list of potentially vulnerable software not mentioned in the NIST advisory.

Source:
https://stairwell.com/resources/stairwell-threat-report-vulnerable-putty-ssh-libraries-cve-2024-31497/

Intel Source:

CERT-UA

Intel Name:

Malicious_Attack_Targeting_Defense_Forces_of_Ukraine

Date of Scan:

2024-04-19

Impact:

MEDIUM

Summary:

The Government Computer Emergency Response Team of Ukraine (CERT-UA) has issued an urgent alert regarding a targeted cyber attack on a computer within the Defense Forces of Ukraine. The attack involves the distribution of a malicious file named “Support.rar” via the Signal messenger, purportedly under the guise of document submission for UN Peace Support Operations. This file contains an exploit for a WinRAR software vulnerability (CVE-2023-38831). Upon successful exploitation, a CMD file is executed, initiating PowerShell scripts associated with the COOKBOX malware.

Source:
https://cert.gov.ua/article/6278620

Intel Source:

Seqrite

Intel Name:

Unveiling_Ghost_Locker_2

Date of Scan:

2024-04-19

Impact:

LOW

Summary:

Seqrite researchers have discovered the two versions of the Ghost Locker ransomware during their threat hunting activities. The initial variant, coded in Python, secures its presence by replicating itself in the Windows Startup directory and utilizes AES encryption to lock files. This variant communicates with a C2 server to dispatch ransom demands and extract data. The subsequent variant, mostly developed in Golang, mirrors the characteristics of the first iteration but distinguishes itself in terms of C2 server interactions and operational procedures. Moreover, it incorporates mechanisms to evade detection and carefully chooses files for encryption and data extraction.

Source:
https://www.seqrite.com/blog/ghost-locker-2-0-the-evolving-threat-of-ransomware-as-a-service-unveiled-by-ghostsec/

Intel Source:

NSFOCUS

Intel Name:

Palo_Alto_Networks_Fixes_Critical_Command_Injection_Vulnerability_in_PAN_OS_Firewall

Date of Scan:

2024-04-19

Impact:

LOW

Summary:

NSFOCUS CERT has detected a critical command injection vulnerability (CVE-2024-3400) in Palo Alto Networks’ PAN-OS firewall operating system. Unauthenticated attackers could exploit this flaw to execute arbitrary code with root privileges on affected firewalls. Palo Alto Networks has released security updates addressing this vulnerability, with the PoC already public and actively exploited. The CVSS score of 10.0 underscores the severity of the issue. Users are urged to upgrade to patched versions immediately.

Source:
https://nsfocusglobal.com/palo-alto-networks-pan-os-command-injection-vulnerability-cve-2024-3400/

Intel Source:

Thehackernews

Intel Name:

Malvertising_Campaign_Leveraging_Google_Ads_Distributes_MadMxShell_Backdoor

Date of Scan:

2024-04-18

Impact:

MEDIUM

Summary:

Zscaler ThreatLabz researchers have uncovered a sophisticated malvertising campaign utilizing Google Ads to distribute a previously unknown backdoor named MadMxShell. The campaign involves the registration of multiple domains resembling legitimate IP scanner software, which are then promoted through Google Ads to target specific search keywords. Victims who visit these sites are tricked into downloading a malicious file disguised as IP scanner software. Once executed, the malware employs DLL side-loading and process hollowing techniques to infect systems, ultimately establishing a backdoor for gathering system information and performing malicious activities.

Source:
https://thehackernews.com/2024/04/malicious-google-ads-pushing-fake-ip.html

Intel Source:

Securelist

Intel Name:

Unveiling_the_DuneQuixote_Malware_Campaign

Date of Scan:

2024-04-18

Impact:

LOW

Summary:

Researchers at Securelist have discovered a new malware campaign named “DuneQuixote,” specifically aimed at government organizations within the Middle East. This campaign comprises more than 30 dropper samples, each carrying a backdoor labeled “CR4T.” The primary objective of this malware is to secretly infiltrate and manage compromised systems.

Source:
https://securelist.com/dunequixote/112425/

Intel Source:

CISA

Intel Name:

A_wide_range_of_Akira_ransomware

Date of Scan:

2024-04-18

Impact:

HIGH

Summary:

According to a joint advisory from the FBI, CISA, Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL), the Akira ransomware operation has breached the networks of over 250 organizations and raked in roughly $42 million in ransom payments. Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia. In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines.

Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a

Intel Source:

Cisco Talos

Intel Name:

The_upload_of_confidential_documents_to_VirusTotal_by_OfflRouter_virus

Date of Scan:

2024-04-18

Impact:

MEDIUM

Summary:

Recently, Cisco Talos discovered documents with some sensitive information from Ukraine. The documents had malicious VBA code, indicating they may be used as a trick to infect organizations. The virus, OfflRouter, has been known in Ukraine since 2015 and is still active on some Ukrainian organizations’ networks, based on over 100 original infected documents uploaded to VirusTotal from Ukraine and the documents’ upload dates.

Source:
https://blog.talosintelligence.com/offlrouter-virus-causes-upload-confidential-documents-to-virustotal/

Intel Source:

Trend Micro

Intel Name:

UK_Law_Enforcement_Successfully_Takes_Down_Phishing_as_a_Service_Provider_LabHost

Date of Scan:

2024-04-18

Impact:

MEDIUM

Summary:

UK’s Metropolitan Police Service, in collaboration with international law enforcement agencies and private industry partners, executed an operation leading to the takedown of the notorious Phishing-as-a-Service (PhaaS) provider LabHost. LabHost, also known as LabRat, had gained notoriety since its emergence in late 2021 for offering a platform facilitating phishing attacks against numerous banks and organizations worldwide. With over 2,000 criminal users and more than 40,000 fraudulent sites deployed, LabHost posed a significant threat to global cybersecurity.

Source:
https://www.trendmicro.com/en_us/research/24/d/labhost-takedown.html

Intel Source:

McAfee

Intel Name:

A_new_packed_variant_of_the_Redline_Stealer_trojan

Date of Scan:

2024-04-18

Impact:

MEDIUM

Summary:

Recently, McAfee telemetry data showed the details of a new variant of the Redline Stealer trojan that uses Lua bytecode to perform malicious activities. It is prevalent in various regions and is distributed through GitHub. The trojan creates persistence on infected machines and communicates through HTTP, while also being able to take screenshots and steal data. McAfee also covered the analysis of the bytecode file and the techniques used by the threat actors, including creating a mutex and retrieving information from the Windows registry.

Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/redline-stealer-a-novel-approach/

Intel Source:

ASEC

Intel Name:

Analysis_of_Pupy_RAT

Date of Scan:

2024-04-18

Impact:

LOW

Summary:

ASEC researchers discovered that many bad actors are using Pupy RAT, a tricky type of software. Pupy RAT allows them to control computers from far away and do things like stealing data and getting more control over the system. Now, it’s not just targeting Windows computers; it’s also affecting Linux systems, especially in countries like South Korea.

Source:
https://asec.ahnlab.com/en/64258/

Intel Source:

Zscaler

Intel Name:

The_newly_discovered_backdoor_MadMxShell

Date of Scan:

2024-04-18

Impact:

LOW

Summary:

Zscaler provided the details of a new backdoor, MadMxShell, discovered by ThreatLabz. The backdoor is delivered through a ZIP archive and uses obfuscated shellcodes to extract and decode an executable file. It also has a dropper stage and a final backdoor stage for collecting system information and executing commands. The backdoor communicates with its C2 server through DNS MX queries and responses, using a custom method to encode data.

Source:
https://www.zscaler.com/blogs/security-research/malvertising-campaign-targeting-it-teams-madmxshell

Intel Source:

Fortinet

Intel Name:

Botnets_Continue_Exploiting_CVE_2023_1389

Date of Scan:

2024-04-17

Impact:

MEDIUM

Summary:

Fortinet researchers in their article explored patterns of the infection traffic and insights into the botnet that was exploited last year and believed to be exploited widely this month by a command injection vulnerability, CVE-2023-1389 was disclosed and a fix developed for the web management interface of the TP-Link Archer AX21 (AX1800). Recently, research has observed multiple attacks focusing on this year-old vulnerability, spotting botnets like Moobot, Miori, the Golang-based agent “AGoent,” and the Gafgyt Variant.

Source:
https://www.fortinet.com/blog/threat-research/botnets-continue-exploiting-cve-2023-1389-for-wide-scale-spread

Intel Source:

Forescout

Intel Name:

A_Recent_Wild_Exploit_Campaign_Targets_Media_Company

Date of Scan:

2024-04-17

Impact:

LOW

Summary:

Forescout researchers have discovered that Vedere Labs describes an exploitation effort that targets businesses using FortiClient EMS from Fortinet, which is vulnerable to CVE-2023-48788.

Source:
https://www.forescout.com/blog/connectfun-new-exploit-campaign-in-the-wild-targets-media-company/

Intel Source:

CERT-UA

Intel Name:

Cyber_Threats_Targeting_Ukraine_Defense_Forces

Date of Scan:

2024-04-17

Impact:

MEDIUM

Summary:

Researchers at CERT-UA are actively engaged to protect against online dangers. They noticed that in 2024, a group called UAC-0184 became more active. This group tries to steal documents and chat messages from computers used by Ukraine’s Defense Forces. They often send harmful software through popular chat apps, tricking people with fake messages about legal issues or war videos.

Source:
https://cert.gov.ua/article/6278521

Intel Source:

Blackberry

Intel Name:

Threat_actors_FIN7_attack_the_US_Automotive

Date of Scan:

2024-04-17

Impact:

MEDIUM

Summary:

Blackberry’s analysts shared the examined details about the threat of phishing attacks on businesses and provided recommendations for protecting against them. It includes a case study of a recent attack by the threat group FIN7 on a U.S. automotive company. The article suggests implementing various security measures, such as employee training, multi-factor authentication, and incident response plans, to prevent and mitigate the impact of phishing attacks. It also provides a detailed analysis of the tactics and techniques used by FIN7 in their attack, as well as a list of indicators of compromise.

Source:
https://blogs.blackberry.com/en/2024/04/fin7-targets-the-united-states-automotive-industry

Intel Source:

Cado Security

Intel Name:

Critical_Atlassian_Flaw_Exploited_to_Deploy_Linux_Variant_of_Cerber_Ransomware

Date of Scan:

2024-04-17

Impact:

MEDIUM

Summary:

Researchers at Cado Security have noticed that threat actors are using unpatched Atlassian servers as a means of distributing the Linux version of the Cerber ransomware, also known as C3RB3R. The attacks take use of a significant security flaw in the Atlassian Confluence Data Center and Server known as CVE-2023-22518 (CVSS score: 9.1), which enables an unauthorized attacker to reset Confluence and create an administrator account.

Source:
https://www.cadosecurity.com/blog/cerber-ransomware-dissecting-the-three-heads

Intel Source:

Netscope

Intel Name:

Evil_Ant_Ransomware

Date of Scan:

2024-04-17

Impact:

LOW

Summary:

Netscope researchers shared the analysis of a new ransomware strain called Evil Ant. It targets personal folders and external drives for encryption and requires administrator privileges to function properly. It also disables Windows Defender and Task Manager, collects the victim’s IP address, and uses Fernet symmetric cryptography to encrypt files.

Source:
https://www.netskope.com/jp/blog/netskope-threat-coverage-evil-ant-ransomware

Intel Source:

Cisco Talos

Intel Name:

Attacks_Using_Brute_Force_to_Attack_VPN_and_SSH_Services

Date of Scan:

2024-04-17

Impact:

MEDIUM

Summary:

Researchers at Cisco Talos have recently alerted about a global increase in brute-force attacks that, as of at least March 18, 2024, are targeting a variety of devices, including web application authentication interfaces, virtual private network (VPN) services, and SSH services. All of these attacks seem to be coming from anonymizing tunnels and proxies, as well as TOR exit nodes.

Source:
https://blog.talosintelligence.com/large-scale-brute-force-activity-targeting-vpns-ssh-services-with-commonly-used-login-credentials/

Intel Source:

ISC.SANS

Intel Name:

The_Peril_of_Malicious_Annotations

Date of Scan:

2024-04-17

Impact:

LOW

Summary:

ISC.SANS researchers provided PDF files, long considered “read-only” and benign, remain a potent vector for malware delivery. Despite improvements in PDF viewer security, malicious actors exploit features like annotations and clickable links to deceive users into downloading malware. This analysis delves into the intricacies of PDF file structure, demonstrating how attackers embed clickable zones using “/Annot” keywords to link to external URLs. The provided YARA rule offers a means to detect such malicious PDF documents

Source:
https://isc.sans.edu/diary/rss/30848

Intel Source:

Blackberry

Intel Name:

LightSpy_campaign_returns

Date of Scan:

2024-04-16

Impact:

LOW

Summary:

Blackberry researchers shared the details of the LightSpy campaign, a mobile espionage operation targeting individuals in Southern Asia, potentially with state-sponsored involvement. The “Title-Abstract” section delves into the technical details of the malware, its Chinese origins, and the advanced techniques used. The “Abstract” section offers recommendations for individuals and organizations to protect themselves. The “LightSpy Returns” section discusses the campaign’s return with expanded capabilities and the threat actor group behind it. The article emphasizes the need for increased vigilance and robust security measures in the targeted region.

Source:
https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india

Intel Source:

Proofpoint

Intel Name:

Decoding_TA427

Date of Scan:

2024-04-16

Impact:

LOW

Summary:

Proofpoint researchers discovered a group called TA427, who are really busy causing trouble. They pretend to be experts from North Korea in different fields like education, news, and research. They do this to trick other experts and sneak into their organizations to gather important information. TA427 has been quite successful at this and doesn’t seem to be stopping anytime soon. They’re quick to change their methods and create new identities when needed.

Source:
https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering

Intel Source:

Positive Technologies

Intel Name:

TA558_Worldwide_Attacks

Date of Scan:

2024-04-16

Impact:

MEDIUM

Summary:

Researchers at Positive Technologies have discovered a group called TA558 has carried out over 300 attacks worldwide. They are using an old vulnerability called CVE-2017-11882 to spread malware through a campaign called SteganoAmor. This campaign is affecting users in Latin America and other parts of the world. TA558 hides malware within its attacks using a technique called steganography.

Source:
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/#id0

Intel Source:

PaloAlto

Intel Name:

Campaign_For_Contact_Forms_Distributes_SSLoad_Malware

Date of Scan:

2024-04-16

Impact:

LOW

Summary:

Researchers at Palo Alto have noticed that the MSI file’s WebDAV server has stopped operating. They have observed this effort spreading Latrodectus malware in the last few weeks. But Latrodectus is not the MSI linked to this specific infection chain.

Source:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-04-15-IOC-for-Contact-Forms-campaign-SSLoad-activity.txt

Intel Source:

Recorded Future

Intel Name:

The_spread_of_infostealers_by_a_Russian_cybercriminal_campaign

Date of Scan:

2024-04-15

Impact:

LOW

Summary:

The Insikt Group has uncovered a large-scale Russian-language cybercrime operation that leverages fake Web3 gaming projects to distribute infostealer malware targeting both macOS and Windows users.

Source:
https://www.recordedfuture.com/cybercriminal-campaign-spreads-infostealers-highlighting-risks-to-web3-gaming

Intel Source:

Palo Alto, Volexity

Intel Name:

Zero_Day_Exploitation_of_Unauthenticated_RCE_Vulnerability_in_GlobalProtect

Date of Scan:

2024-04-15

Impact:

HIGH

Summary:

Researchers at PaloAlto have identified zero-day exploitation of a vulnerability found within the GlobalProtect feature of Palo Alto Networks PAN-OS. A critical command injection vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The vulnerability, assigned CVE-2024-3400, has a CVSS score of 10.0.

Source:
https://unit42.paloaltonetworks.com/cve-2024-3400/#post-133365-_ydqdbjg0dngh
https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/

Intel Source:

Bitdefender

Intel Name:

Malvertising_campaigns_hijack_social_media_to_spread_stealers

Date of Scan:

2024-04-15

Impact:

LOW

Summary:

Threat actors have been copying AI software such as Midjourney, Sora AI, DALL-E 3, Evoto, and ChatGPT 5 on Facebook to trick users into downloading purported official desktop versions of these AI software. The malicious webpages then download intrusive stealers such as Rilide, Vidar, IceRAT, and Nova Stealer.

Source:
https://www.bitdefender.com/blog/labs/ai-meets-next-gen-info-stealers-in-social-media-malvertising-campaigns/#new_tab

Intel Source:

Esentire

Intel Name:

The_XWorm_Tax_Scam

Date of Scan:

2024-04-12

Impact:

LOW

Summary:

Recently, Esentire SOC Analysts shared with their Threat Response Unit about the tax-themed threat delivering XWorm as the final payload. Researchers are certain the initial infection vector is via the phishing email.

Source:
https://www.esentire.com/blog/dont-take-the-bait-the-xworm-tax-scam

Intel Source:

Esentire

Intel Name:

A_series_of_tax_themed_phishing_emails_delivering_the_Remcos_RAT

Date of Scan:

2024-04-12

Impact:

LOW

Summary:

Last month, eSentire researchers detected a series of tax-themed phishing emails delivering the Remcos RAT as the final payload through GuLoader. The phishing email contained the link to the password-protected ZIP archive hosted on Adobe Document Cloud.

Source:
https://www.esentire.com/blog/tax-season-alert-beware-of-guloader-and-remcos-rat

Intel Source:

Halcyon

Intel Name:

Halcyon_Threat_Insights_003

Date of Scan:

2024-04-12

Impact:

LOW

Summary:

Halcyon researchers indicated and blocked a big range of threats that were missed by other security layers in their client’s environments that are often precursors to the delivery of the ransomware payload.

Source:
https://www.halcyon.ai/blog/halcyon-threat-insights-003-march-2024

Intel Source:

Esentire

Intel Name:

SolarMarker_malware_campaigns

Date of Scan:

2024-04-12

Impact:

LOW

Summary:

This month, eSentire’s researchers discovered that SolarMarker malware campaigns now utilize PyInstaller to hide malicious PowerShell scripts, marking a shift from previous methods such as Inno Setup and PS2EXE.

Source:
https://www.esentire.com/blog/solarmarkers-shift-to-pyinstaller-tactics

Intel Source:

Seqrite

Intel Name:

A_New_Banking_Trojan_Called_Coyote

Date of Scan:

2024-04-12

Impact:

LOW

Summary:

Researchers at Seqrite have discovered a brand-new banking trojan known as Coyote, which makes use of a tool/library known as Squirrel Installer, designed to install and control Windows application updates. The software appears to be more sophisticated than typical banking trojans, and in the coming days, it may pose a more serious threat. This recently discovered malware identifies the market it targets and targets various banking institutions in Brazil.

Source:
https://www.seqrite.com/blog/exposing-coyote-the-next-gen-banking-trojan-revolutionizing-cyber-threats-in-brazil/

Intel Source:

Trellix

Intel Name:

Observed_spike_of_LockBit_related_activity_of_vulnerabilities_in_ScreenConnect

Date of Scan:

2024-04-12

Impact:

MEDIUM

Summary:

Recently, Trellix Researchers have observed a rise in LockBit-related cyber activity in vulnerabilities in ScreenConnect. Researchers are confident that the cybercriminals group behind LockBit ransomware partially restored their infrastructure and created a feeling that the LE actions did not affect their normal operation.

Source:
https://www.trellix.com/blogs/research/the-lockbits-attempt-to-stay-relevant-its-imposters-and-new-opportunistic-ransomware-groups/

Intel Source:

Sucuri

Intel Name:

Embedding_a_credit_card_skimmer_in_a_fake_Facebook_Pixel_tracker_script

Date of Scan:

2024-04-12

Impact:

LOW

Summary:

Recently Sucuri discovered an interesting case of this: the attackers took that a step further by embedding a credit card skimmer in a well-concealed fake Facebook Pixel tracker script.

Source:
https://blog.sucuri.net/2024/04/credit-card-skimmer-hidden-in-fake-facebook-pixel-tracker.html

Intel Source:

Rapid7

Intel Name:

Continuation_of_execution_of_IDAT_Loader

Date of Scan:

2024-04-11

Impact:

MEDIUM

Summary:

In part 2 of this series, Rapid7 continues to provide an analysis of how an MSIX installer led to the download and execution of the IDAT Loader. After they analyzed the recent tactics, techniques, and procedures observed (TTPs), Rapid7 concluded that the activity is associated with financially motivated threat groups.

Source:
https://www.rapid7.com/blog/post/2024/04/10/stories-from-the-soc-part-2-msix-installer-utilizes-telegram-bot-to-execute-idat-loader/

Intel Source:

HP Wolf

Intel Name:

New_Raspberry_Robin_Malware_Campaign_Spreading_Through_WSF_Files

Date of Scan:

2024-04-11

Impact:

HIGH

Summary:

HP wolf security researchers have discovered a new Raspberry Robin campaign wave that propagates the malware through malicious Windows Script Files (WSFs) since March 2024. The scripts are highly obfuscated and use a range of anti-analysis techniques, enabling the malware to evade detection.

Source:
https://threatresearch.ext.hp.com/raspberry-robin-now-spreading-through-windows-script-files/

Intel Source:

Cyble

Intel Name:

Active_exploitation_continues_of_critical_D_Link_NAS_vulnerability

Date of Scan:

2024-04-11

Impact:

MEDIUM

Summary:

Security analysts continue to observe the exploitation of critical D-Link NAS vulnerabilities. Cyble Global Sensor Intelligence Observes Active Exploitation Of Critical D-Link NAS Vulnerabilities. The vulnerabilities, identified as CVE-2024-3272 and CVE-2024-3273 were discovered originally by some analyst who goes by the alias “netsecfish” on GitHub last month. D-Link disclosed the same on April 4, 2024. Cyble Intel network picked up ongoing exploitation attempts of these vulnerabilities from April 09 itself. This also indicates the swift weaponization of publicly available exploits by Threat Actors (TAs) targeting vulnerable internet-exposed D-Link NAS. Affected products are D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L up to 20240403.

Source:
https://cyble.com/blog/critical-d-link-nas-vulnerability-under-active-exploitation/

Intel Source:

ASEC

Intel Name:

Redis_Server_Used_to_Install_Metasploit_Meterpreter

Date of Scan:

2024-04-11

Impact:

LOW

Summary:

Researchers from ASEC have found that the Redis service has been used to install the Metasploit Meterpreter backdoor. Redis is the shorthand for Remote Dictionary Server, an open-source in-memory database and data structure storage system. It is assumed that the threat actors employed vulnerability attacks to execute commands or exploited improper settings.

Source:
https://asec.ahnlab.com/en/64034/

Intel Source:

Krebson Security

Intel Name:

The_exposure_of_Privnote_Phishing_Sites

Date of Scan:

2024-04-11

Impact:

LOW

Summary:

A network of websites that mimic the self-destructing messaging service Privnote.com is being used by cybercriminals to steal cryptocurrency addresses, reports the BBC’s Yolande Knell.

Source:
https://krebsonsecurity.com/2024/04/fake-lawsuit-threat-exposes-privnote-phishing-sites/

Intel Source:

Trend Micro

Intel Name:

A_Continuous_Refinement_of_Waterbear_and_Deuterbear_by_Earth_Hundun

Date of Scan:

2024-04-11

Impact:

MEDIUM

Summary:

Researchers at TrendMicro have noticed a significant increase in cyberattacks that are directed on numerous organizations in different industries, including government, research, and technology. The cyberespionage group Earth Hundun, also known as BlackTech, is connected to the Waterbear malware family, which is responsible for these attacks. BlackTech is a threat actor that primarily targets government and technical institutions in the Asia-Pacific area.

Source:
https://www.trendmicro.com/en_us/research/24/d/earth-hundun-waterbear-deuterbear.html

Intel Source:

Cyble

Intel Name:

A_sophisticated_FatalRAT_campaign_targeting_ryptocurrency_users

Date of Scan:

2024-04-11

Impact:

MEDIUM

Summary:

Cyble researchers discovered a new phishing campaign aimed at cryptocurrency users. This campaign used a known FatalRAT and additional malware such as Clipper and Keylogger. The TAs target Chinese-speaking individuals or organizations, as evidenced by using Chinese-language installers. FatalRAT is a Remote Access Trojan that gives attackers control over the victim’s computer and is equipped with extensive capabilities for stealing sensitive information.

Source:
https://cyble.com/blog/fatalrats-new-prey-cryptocurrency-users-in-the-crosshairs/

Intel Source:

Seqrite

Intel Name:

The_Rapid_Rise_of_Abyss_Locker_Ransomware

Date of Scan:

2024-04-11

Impact:

MEDIUM

Summary:

Seqrite researchers have noticed that a recently launched ransomware operation called Abyss Locker has quickly taken aim at businesses and grown to be a serious threat to a variety of industries, including public sector organizations, businesses, and industrial control systems (ICS). It is a serious risk to Linux and Windows systems both.

Source:
https://www.seqrite.com/blog/unveiling-abyss-locker-the-rapid-rise-of-a-menacing-ransomware-threat/

Intel Source:

CERT-AGID

Intel Name:

Credentials_Forwarded_to_Telegram_Bot_in_PEC_Phishing_Campaign

Date of Scan:

2024-04-11

Impact:

LOW

Summary:

Researchers from CERT-AGID have discovered a phishing campaign that aims to get credentials for Certified Electronic Mail (PEC) boxes through fraud. An email containing false information is sent to PEC account holders to carry out fraudulent operations. The email notification warns of a said account deactivation request that must be performed within 24 hours and proposes clicking on a link provided in the message’s body if the receiver believes this is an error.

Source:
https://cert-agid.gov.it/news/campagna-di-phishing-pec-credenziali-inoltrate-ad-un-bot-telegram/

Intel Source:

sophos

Intel Name:

Exposing_Smoke_and_Screen_Mirrors_Backdoor

Date of Scan:

2024-04-10

Impact:

LOW

Summary:

Researchers at Sophos have investigated the finding of a trick backdoor hidden in an executable file that was disguising itself as a genuine Microsoft Hardware Publisher Certificate. The analysis reveals the backdoor’s association with LaiXi Android Screen Mirroring, a software package that appears benign at first glance. It also reveals the strategies threat actors use to avoid discovery.

Source:
https://news.sophos.com/en-us/2024/04/09/smoke-and-screen-mirrors-a-strange-signed-backdoor/

Intel Source:

Strikeready

Intel Name:

Activity_of_Sidewinder_Threat_Group

Date of Scan:

2024-04-10

Impact:

MEDIUM

Summary:

This in-depth examination explores the methods used by the cybersecurity experts to locate and identify infrastructure connected to the Sidewinder threat organization. It describes a broad architecture with several search queries applied to different data sources with the goal of finding signs and artifacts associated with the adversary’s activities. The methodology consists of searching for particular strings, payloads that have been encoded, network fingerprints, and using intelligence feeds to find new domains, IPs, and possible infrastructure that the group uses for command and control.

Source:
https://blog.strikeready.com/blog/rattling-the-cage-of-a-sidewinder

Intel Source:

Checkmarx

Intel Name:

Hackers_Using_New_Technique_to_Trick_Developers_in_Open_Source_Supply_Chains

Date of Scan:

2024-04-10

Impact:

MEDIUM

Summary:

Researchers at Checkmarx have examined the concerning practice of hackers using GitHub’s search feature to spread malware. Secretly creating repositories with well-known names and subjects, attackers trick unsuspecting users into downloading and running harmful programs.

Source:
https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/

Intel Source:

Proofpoint

Intel Name:

TA547_Targets_German_Organizations_with_Rhadamanthys_Malware

Date of Scan:

2024-04-10

Impact:

LOW

Summary:

Proofpoint researchers have discovered a group called TA547 is sending emails to German organizations with Rhadamanthys malware. This malware steals information and is used by many cybercriminals. The group also seems to be using a PowerShell script possibly created by large language models like ChatGPT or Gemini.

Source:
https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta547-targets-german-organizations-rhadamanthys-stealer

Intel Source:

ISC.SANS

Intel Name:

A_potential_threat_detected_in_the_customer_environment

Date of Scan:

2024-04-10

Impact:

LOW

Summary:

The senior SecOps analyst recently discussed a potential threat detected in our environment. It started with the investigation of a group called Wazawaka and after a study of Wazawaka’s activities, the threat-hunting team created numerous SentinelOne queries to detect similar activity. Although the threat-hunting team concluded that this activity was not a result of Wazawaka, they decided to continue further investigation.

Source:
https://isc.sans.edu/diary/A+Use+Case+for+Adding+Threat+Hunting+to+Your+Security+Operations+Team+Detecting+Adversaries+Abusing+Legitimate+Tools+in+A+Customer+Environment+Guest+Diary/30816/

Intel Source:

Malwarebytes

Intel Name:

Malicious_Campaign_Targeting_System_Administrator_With_Nitrogen_Malware

Date of Scan:

2024-04-10

Impact:

LOW

Summary:

Malwarebytes Labs researchers have observed an ongoing campaign targeting at system administrators through fake ads for well-known system tools. These ads pop up as sponsored links on Google searches, mainly in North America. Victims are lured into downloading what appears to be PuTTY or FileZilla installers but are actually Nitrogen malware. This malware allows hackers to breach networks, steal data, and introduce ransomware like BlackCat/ALPHV.

Source:
https://www.malwarebytes.com/blog/threat-intelligence/2024/04/active-nitrogen-campaign-delivered-via-malicious-ads-for-putty-filezilla

Intel Source:

Sysdig

Intel Name:

An_Established_Romanian_APT_Group_RUBYCARP

Date of Scan:

2024-04-10

Impact:

LOW

Summary:

Sysdig researchers have uncovered a persistent botnet maintained by a Romanian threat actor group which they are referring to as RUBYCARP. This threat actor appears to have been active for a minimum of ten years based on the evidence. Its main mode of operation makes use of a botnet that has been set up through a number of open exploits and brute force attacks. The group uses both public and secret IRC networks for communication. It also creates cyberweapons and target databases. Finally, it employs its botnet to mine cryptocurrency and send phishing scams.

Source:
https://sysdig.com/blog/rubycarp-romanian-botnet-group/

Intel Source:

Perception-Point

Intel Name:

Phishing_campaign_targets_LinkedIn_users

Date of Scan:

2024-04-09

Impact:

LOW

Summary:

This blog highlights a new LinkedIn threat, one that combines breached accounts and an evasive 2-step phishing attack.

Source:
https://perception-point.io/blog/professionally-hooked-microsoft-two-step-phishing-campaign-targets-linkedin-users/

Intel Source:

PTsecurity

Intel Name:

LazyStealer_analysis

Date of Scan:

2024-04-09

Impact:

MEDIUM

Summary:

In the first quarter of 2024, Positive Technologies’ Expert Security Center (PT ESC) uncovered a series of attacks targeting government structures in Russia, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia. The primary goal was to steal account credentials from various services used by government employees’ computers. This group, dubbed Lazy Koala due to their simple techniques and the username managing the Telegram bots with stolen data, used a malware called LazyStealer, which was straightforward but effective. All victims were directly notified about the compromise.

Source:
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/lazystealer-sophisticated-does-not-mean-better/?sphrase_id=300945

Intel Source:

Fortinet

Intel Name:

Attackers_Delivering_Multi_Stage_Malware_via_Invoice_Phishing

Date of Scan:

2024-04-09

Impact:

LOW

Summary:

Fortinet researchers have discovered an intricate multi-stage attack that leverages invoice-themed phishing decoys to deliver a wide range of malware such as Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and a stealer that targets crypto wallets.

Source:
https://www.fortinet.com/blog/threat-research/scrubcrypt-deploys-venomrat-with-arsenal-of-plugins

Intel Source:

Palo Alto

Intel Name:

The_increased_activity_of_the_malware_initiated_vulnerability

Date of Scan:

2024-04-09

Impact:

MEDIUM

Summary:

Unit 42 Palo Alto detected an increased number of threat actors turning to malware-initiated scanning attacks. Palo Alto blog shared the details of how attackers use infected hosts for malware-based scans of their targets instead of the more traditional approach using direct scans. By launching scanning attacks from compromised hosts, attackers can accomplish the following: covering their traces, bypassing geofencing, Expanding botnets, and leveraging the resources of these compromised devices.

Source:
https://unit42.paloaltonetworks.com/malware-initiated-scanning-attacks/

Intel Source:

Greynoise

Intel Name:

A_wild_explotation_of_D_Link_NAS_RCE

Date of Scan:

2024-04-09

Impact:

LOW

Summary:

A remote code execution vulnerability in D-Link NAS devices is actively being exploited and is tracked under CVE-2024-3273. The vulnerability is believed to affect as many as 92,000 devices

Source:
https://www.greynoise.io/blog/cve-2024-3273-d-link-nas-rce-exploited-in-the-wild

Intel Source:

Harfanglab

Intel Name:

Raspberry_Robin_anti_emulation_trick

Date of Scan:

2024-04-09

Impact:

LOW

Summary:

An analysis of the constantly evolving evasion capabilities employed by the Raspberry Robin malware, which has emerged as a prominent threat. The report delves into the recent variant’s unique anti-emulation techniques that leverage undocumented functions from the Windows Defender emulator’s virtual DLLs, potentially marking the first instance of such exploitation. It highlights the malware’s ability to evade detection and facilitate access for other threat actors, emphasizing the need for proactive countermeasures.

Source:
https://harfanglab.io/en/insidethelab/raspberry-robin-and-its-new-anti-emulation-trick/

Intel Source:

CERT-AGID

Intel Name:

A_Constant_Was_Found_in_AgentTesla_Italian_Campaigns

Date of Scan:

2024-04-09

Impact:

MEDIUM

Summary:

CERT-AGID researchers have noticed unusually high activity that is distinguished by the usage of PDF files. The distribution of AgentTesla in Italy is the focus of yet another massive operation that has been underway for the past nine months or thereabouts. As a result, it appears to have a regular monthly timing.

Source:
https://cert-agid.gov.it/news/riscontrata-una-costante-nella-sequenza-di-campagne-agenttesla-mirate-allitalia/

Intel Source:

Palo Alto

Intel Name:

Boggy_Serpens_Use_of_AutodialDLL

Date of Scan:

2024-04-09

Impact:

LOW

Summary:

Researchers at PaloAlto have found that Boggy Serpens is exploiting the AutodialDLL function in the Windows Registry. They track an Iranian threat actor with state sponsorship under the name Boggy Serpens, also known as MuddyWater or TA450.

Source:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-Boggy-Serpens-use-of-AutodialDLL.txt

Intel Source:

0DAY IN {REA_TEAM}

Intel Name:

WarZone_RAT_Distributing_via_DBatLoader_Using_Phishing_Emails

Date of Scan:

2024-04-09

Impact:

LOW

Summary:

Researchers from 0DAY IN have discovered that a phishing email is using DBatLoader to spread the WarZone RAT. The user received an email from the attacker with a .html file attached. The PO-2200934-KINQTE.html file appears to contain scripts and a sizable blob of base64-encoded data when viewed in Hex mode.

Source:
https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/

Intel Source:

ASEC

Intel Name:

Malware_that_changes_the_Notepad_Plus_Plus_plugin

Date of Scan:

2024-04-08

Impact:

LOW

Summary:

ASEC Lab did the analysis and could confirm that “mimeTools.dll,” a basic plugin for Notepad++, had been modified and distributed. The malicious mimeTools.dll file was included in the installation file of a specific version of the Notepad++ package and mimicked as a normal package file. mimeTools is a module that performs encoding functions such as Base64.

Source:
https://asec.ahnlab.com/ko/63738/

Intel Source:

Any.Run

Intel Name:

Abusing_WebDAV_to_deliver_malicious_payload

Date of Scan:

2024-04-08

Impact:

LOW

Summary:

Any.Run analysts simulated the attack using a WebDAV file transfer protocol And they explained the details of how attackers often place malicious payloads on remote servers, which are then downloaded and executed on the user’s PC using scripts or other methods.

Source:
https://any.run/cybersecurity-blog/client-side-exploitation/

Intel Source:

Antiy

Intel Name:

Recent_activity_of_Youshe_malware_attack

Date of Scan:

2024-04-08

Impact:

LOW

Summary:

Recently, Antiy CERT has detected attacks carried out by the “Youshe” black product targeting companies and personnel related to finance and finance. There are three main types of initial malicious files dropped by attackers: executable programs, CHM files, and commercial remote control software “Third Eye”. Most of the forged file names are related to finance and taxation, information, letters, etc.

Source:
https://www.antiy.cn/research/notice&report/research_report/SwimSnake_Analysis_202404.html

Intel Source:

ISC.SANS

Intel Name:

Enhancing_Endpoint_Security_Through_Threat_Hunting

Date of Scan:

2024-04-08

Impact:

LOW

Summary:

Researchers from ISC.SANS highlight the importance of integrating threat hunting into Security Operations Teams to enhance endpoint security. Despite relying on Endpoint Detection and Response (EDR) tools, continuous fine-tuning is essential for maximum effectiveness. A case study showcases how threat hunters detected an attempt to install a browser hijacker via a deceptive .msi file, evading detection by the EDR.

Source:
https://isc.sans.edu/diary/rss/30816

Intel Source:

Trustwave

Intel Name:

Suspended_Domains_Show_Malevolent_Payload_for_Region_of_Latin_America

Date of Scan:

2024-04-08

Impact:

LOW

Summary:

Trustwave researchers have discovered a phishing campaign aimed at the Latin American continent. The phishing email had a ZIP attachment that, upon extraction, revealed an HTML page that, when opened, downloaded a malicious file that looked like an invoice.

Source:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/phishing-deception-suspended-domains-reveal-malicious-payload-for-latin-american-region/

Intel Source:

SCmagazine

Intel Name:

NordVPN_posted_as_Bing_and_spreads_SecTopRAT_malware

Date of Scan:

2024-04-08

Impact:

LOW

Summary:

Threat actors designed a fake website and a link that looked real to install NordVPN was found to lead to an installer for the remote access trojan SecTopRAT. Malwarebytes reported the malware campaign to both Microsoft, which owns Bing, and Dropbox.

Source:
https://www.scmagazine.com/news/bing-ad-posing-as-nordvpn-aims-to-spread-sectoprat-malware

Intel Source:

ASEC

Intel Name:

Infostealers_Spread_via_Compromised_YouTube_Channels

Date of Scan:

2024-04-08

Impact:

LOW

Summary:

ASEC researchers have discovered a cyber breach involving the compromise of well-known YouTube channels, used to distribute Vidar and LummaC2 malware. These malicious tools, categorized as infostealers, are capable of harvesting sensitive user data from infected devices and facilitating the installation of additional malware.

Source:
https://asec.ahnlab.com/en/63980/

Intel Source:

CYFIRMA Research

Intel Name:

A_New_Campaign_Found_That_Is_Aimed_at_People_in_South_Asia

Date of Scan:

2024-04-08

Impact:

LOW

Summary:

Researchers from CYFIRMA have discovered a sophisticated cyberthreat that is aimed at people in South Asia. Their research team discovered a malware campaign that used an executable from an SFX file that was misleading. These files are a component of a complex attack used to compromise systems and carry out malicious activities. They are embedded in the malicious binaries and fake PDF. Additional investigation suggests that Russian cybercriminals may have worked together, which raises questions about C2 infrastructure that targets people in South Asia.

Source:
https://www.linkedin.com/posts/cyfirma-research-6a8073245_new-campaign-targeting-individuals-in-south-activity-7183078047187714048–alo?utm_source=li_share&utm_content=feedcontent&utm_medium=g_dt_web&utm_campaign=copy

Intel Source:

SOCRadar

Intel Name:

Mallox_ransomware_profile

Date of Scan:

2024-04-08

Impact:

LOW

Summary:

Mallox is a strain of ransomware and a group with the same name, encrypts its victims’ data and subsequently demands a ransom, typically in cryptocurrency. It is also called “TargetCompany,” “Tohnichi,” or “Fargo” ransomware and has been active since 2021.

Source:
https://socradar.io/dark-web-profile-mallox-ransomware/

Intel Source:

Fortinet

Intel Name:

Byakugan_malware_phishing_attack

Date of Scan:

2024-04-06

Impact:

MEDIUM

Summary:

FortiGuard Labs collected a sample that distributed a multi-functional new malware, Byakugan, discovered in January 2024 by FortiGuard Labs. It is distributed through a PDF file and has features such as screen monitoring, screen capture, and stealing browser information. It also has anti-analysis and persistence capabilities to avoid detection. Plus researchers shared information on the infection vector, webpage, features, and protections against the malware. It also includes IOCs for organizations to check if they have been impacted by this malware.

Source:
https://www.fortinet.com/blog/threat-research/byakugan-malware-behind-a-phishing-attack

Intel Source:

Deepinstinct

Intel Name:

The_latest_C2_framework_attack_in_MuddyWater_activity

Date of Scan:

2024-04-06

Impact:

MEDIUM

Summary:

Deepinstinct analysts dived into the details of the DarkBeatC2 attack framework, used by Iranian threat actors to target Israeli networks, and provided details on its capabilities and techniques. Also, it emphasizes the importance of sharing information and addressing vulnerabilities to prevent attacks and highlights the effectiveness of Deep Instinct’s prevention-first capabilities.

Source:
https://www.deepinstinct.com/blog/darkbeatc2-the-latest-muddywater-attack-framework

Intel Source:

PaloAlto

Intel Name:

The_Most_Recent_Round_of_Action_For_KoiLoader_or_KoiStealer

Date of Scan:

2024-04-05

Impact:

LOW

Summary:

PaloAlto researchers created an infection in a lab environment using the most recent round of KoiLoader/KoiStealer activities. The first bank-themed lures were released on 2024-04-02 earlier this week.

Source:
https://www.linkedin.com/posts/unit42_koiloader-koistealer-unit42threatintel-activity-7181656774993747968-DphD?utm_source=share&utm_medium=member_ios

Intel Source:

ISC.SANS

Intel Name:

Using_Binary_Ninja_to_Chop_Up_DoNex

Date of Scan:

2024-04-05

Impact:

LOW

Summary:

Researchers at INC.SANS have noted that, considering the popularity and effectiveness of LockBit, it is not surprising that more recent ransomware groups have opted to incorporate a significant portion of the LockBit code base into their own following the LockBit source code release in mid-June 2022. Darkrace, a ransomware group that emerged around the middle of June 2023, is one of LockBit’s more obvious spinoffs. Its samples closely resembled binaries from the disclosed LockBit builder, and it used a similar distribution process. Regrettably, Darkrace vanished from view when the LockBit clone’s operators chose to remove its leak site.

Source:
https://isc.sans.edu/diary/Slicing+up+DoNex+with+Binary+Ninja/30812/

Intel Source:

Bitdefender

Intel Name:

Next_gen_info_stealers

Date of Scan:

2024-04-05

Impact:

LOW

Summary:

Bitdefender shared in their blog information about artificial intelligence in social media malvertising campaigns, where cybercriminals exploit AI-powered software to steal sensitive information from unsuspecting users. It also mentions the malware-as-a-service (MaaS) business model and details a particular malicious extension, Rilide Stealer V4.

Source:
https://www.bitdefender.com/blog/labs/ai-meets-next-gen-info-stealers-in-social-media-malvertising-campaigns/

Intel Source:

Sonicwall

Intel Name:

Updated_StrelaStealer_infostealer_targets_Europe

Date of Scan:

2024-04-05

Impact:

LOW

Summary:

Sonicwall researchers shared the analysis of the updated version of a malware called StrelaStealer, which is targeting European countries. The malware is delivered via JavaScript in email attachments and is designed to steal email account credentials from Outlook and Thunderbird.

Source:
https://blog.sonicwall.com/en-us/2024/04/updated-strelastealer-targeting-european-countries/

Intel Source:

Talos

Intel Name:

The_need_for_companies_to_upgrade_their_security_measures

Date of Scan:

2024-04-05

Impact:

LOW

Summary:

The article provides a comprehensive overview of recent cybersecurity news and events. The “Top security headlines of the week” section highlights the joint charges and sanctions against a Chinese state-sponsored actor, a potential supply chain attack on Linux machines, and a backlog of vulnerabilities in the National Vulnerabilities Database. It also includes information about upcoming events and a list of prevalent malware files. The author also discusses the use of cybersecurity as an excuse for return-to-office policies and argues that security measures should remain consistent regardless of where employees are working from. The article emphasizes the need for companies to upgrade their security measures to combat the use of remote system management tools by adversaries.

Source:
https://blog.talosintelligence.com/threat-source-newsletter-april-4-2024/

Intel Source:

Malwarebytes

Intel Name:

NordVPN_Masquerade_Leads_to_Fake_Site

Date of Scan:

2024-04-05

Impact:

LOW

Summary:

Malwarebytes Labs researchers have discovered a malvertising campaign posing as the widely-used VPN service NordVPN. A malicious advertiser hijacks traffic from Bing searches, redirecting users to a fake site closely resembling the authentic NordVPN platform.

Source:
https://www.malwarebytes.com/blog/threat-intelligence/2024/04/bing-ad-for-nordvpn-leads-to-sectoprat

Intel Source:

Cisco Talos

Intel Name:

A_New_Threat_Group_Named_CoralRaider

Date of Scan:

2024-04-05

Impact:

LOW

Summary:

Researchers from Cisco Talos have identified a new threat actor known as “CoralRaider,” who they assume is financially driven and of Vietnamese descent. CoralRaider has been targeting victims in several Asian and Southeast Asian nations since at least 2023. Credentials, bank information, and social media accounts including those for businesses and advertisements are the main targets of this group.

Source:
https://blog.talosintelligence.com/coralraider-targets-socialmedia-accounts/

Intel Source:

Mandiant

Intel Name:

Chinese_Hacker_Groups_Exploit_Ivanti_Security_Flaws

Date of Scan:

2024-04-05

Impact:

LOW

Summary:

Mandiant researchers have Identified several Chinese hacker groups exploiting vulnerabilities in Ivanti systems, particularly targeting CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. In addition, they have observed financially driven actors exploiting CVE-2023-46805 and CVE-2024-21887 to potentially engage in cryptocurrency mining activities.

Source:
https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement

Intel Source:

SANSEC

Intel Name:

Vulnerability_in_Magento_Used_to_Install_Persistent_Backdoor

Date of Scan:

2024-04-05

Impact:

LOW

Summary:

A novel technique for infection persistence on Magento servers is being employed by attackers. Researchers from Sansec have found that malware was automatically injected into the database using a well-designed layout template.

Source:
https://sansec.io/research/magento-xml-backdoor

Intel Source:

ReversingLabs

Intel Name:

VS_Code_Extensions_Caught_Harvesting_Sensitive_Data

Date of Scan:

2024-04-04

Impact:

LOW

Summary:

Researchers at ReversingLabs uncovered a recent malicious campaign featuring a range of malicious packages, from basic infostealers and downloaders to more sophisticated reverse shells and complex payloads. Among these, two Visual Studio Code extensions were discovered, characterized by their simple design and heavy reliance on sample code provided by Microsoft for VS Code beginners.

Source:
https://www.reversinglabs.com/blog/malicious-helpers-vs-code-extensions-observed-stealing-sensitive-information

Intel Source:

Resecurity

Intel Name:

JsOutProx_Malware_Targets_Financial_Institutions

Date of Scan:

2024-04-04

Impact:

LOW

Summary:

Resecurity researchers discovered an updated iteration of JSOutProx, showcasing the malicious actors’ persistent and sophisticated tactics through the exploitation of platforms such as GitHub and GitLab. Initially identified in 2019, JSOutProx continues to pose a substantial and evolving threat, especially targeting customers of financial institutions.

Source:
https://www.resecurity.com/blog/article/the-new-version-of-jsoutprox-is-attacking-financial-institutions-in-apac-and-mena-via-gitlab-abuse

Intel Source:

Proofpoint

Intel Name:

Emergence_of_Latrodectus_Malware_in_Email_Threat_Campaigns

Date of Scan:

2024-04-04

Impact:

MEDIUM

Summary:

Proofpoint researchers have noticed a recent addition to email threat campaigns called Latrodectus. It first surfaced in late November 2023. Although its presence declined in December 2023 and January 2024, it made a resurgence in February and March 2024. Latrodectus functions as a downloader and comes equipped with several features to evade sandbox detection. While it shares similarities with IcedID, it’s a distinct malware believed to originate from the developers of IcedID.

Source:
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice

Intel Source:

Norfolkinfosec

Intel Name:

North_Korea_threat_group_Python_Payloads

Date of Scan:

2024-04-04

Impact:

LOW

Summary:

Norfolkinfosec researchers provided technical details of the second and third-stage malware used by a North Korean threat actor group. Their details included code analysis and names and hashes of the files involved like for example main.py which is an obfuscated Python script that downloads and executes the next two stages, while the brow.py file steals browser data and the pay.py file acts as a backdoor with keylogging capabilities.

Source:
https://norfolkinfosec.com/north-koreas-post-infection-python-payloads/

Intel Source:

Cyble

Intel Name:

Unveiling_the_Advanced_Tactics_of_the_Counterfeit_E_Commerce_Scheme

Date of Scan:

2024-04-04

Impact:

LOW

Summary:

Cyble researchers have identified an escalating fake e-shop campaign targeting 18 Malaysian banks with upgraded malicious applications. This campaign, which initially targeted Malaysian banks, has expanded its scope to include banks in Vietnam and Myanmar. The latest iteration of the malware introduces advanced functionalities, including screen-sharing capabilities, the use of accessibility services, and complex communication with command and control servers.

Source:
https://cyble.com/blog/elevating-the-stakes-the-enhanced-arsenal-of-the-fake-e-shop-campaign/

Intel Source:

Trend Micro

Intel Name:

Effect_on_LockBit_Post_Significant_Disruption

Date of Scan:

2024-04-04

Impact:

LOW

Summary:

Trend Micro’s latest publication offers significant insights into the aftermath of Operation Cronos, shedding light on LockBit’s post-disruption strategies. Their research delves into telemetry data showcasing LockBit’s transition to a .NET core, highlighting the necessity for innovative security detection methods. Furthermore, the exposure of LockBit’s backend details has not only unveiled affiliate identities and victim information but also potentially disrupted trust and collaboration within the cybercriminal ecosystem.

Source:
https://www.trendmicro.com/en_us/research/24/d/operation-cronos-aftermath.html

Intel Source:

ASEC

Intel Name:

Rhadamanthys_Malware_Concealed_within_Groupware_Installer

Date of Scan:

2024-04-04

Impact:

LOW

Summary:

ASEC researchers uncovered that Rhadamanthys malware was being distributed disguised as a groupware installer. The attackers created a fake website resembling the original and promoted it through online ads. The malware employs a stealthy technique called “indirect syscall” to evade detection by security tools, making it challenging to spot.

Source:
https://asec.ahnlab.com/en/63864/

Intel Source:

Crowdstrike

Intel Name:

XZ_Upstream_Supply_Chain_Attack

Date of Scan:

2024-04-03

Impact:

HIGH

Summary:

The article discusses the CVE-2024-3094 vulnerability found in the XZ Utils library and how CrowdStrike is actively protecting its customers from potential exploitation. It provides an overview of the vulnerability, its impact, and how it can be detected and prevented using CrowdStrike’s Falcon platform. The article also offers guidance for organizations to defend against the exploitation of this vulnerability, along with relevant hashes and additional resources for further information.

Source:
https://www.crowdstrike.com/blog/cve-2024-3094-xz-upstream-supply-chain-attack/

Intel Source:

McAfee

Intel Name:

A_significant_change_in_the_campaigns_that_distribute_Pikabot

Date of Scan:

2024-04-03

Impact:

LOW

Summary:

Recently, McAfee Labs observed a significant change in the campaigns that distribute Pikabot. Pikabot is distributed through multiple file types for various reasons, depending on the objectives and nature of the attack. In this campaign, Pikabot is distributed through a zip file that includes an HTML file. This HTML file then proceeds to download a text file, ultimately resulting in the deployment of the payload.

Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/distinctive-campaign-evolution-of-pikabot-malware/

Intel Source:

Domain tools

Intel Name:

The_resurgence_of_the_Manipulaters_cybercrime_group

Date of Scan:

2024-04-03

Impact:

LOW

Summary:

The article discusses the resurgence of the “Manipulaters” team, a cybercrime group known for their spamming and phishing activities. The team uses various techniques such as DP access, “bulletproof” hosting, and forged identity documents to carry out their operations. They also rebrand and combine existing tools for their software applications, with a focus on selling spam services. The article provides specific domains, IP addresses, and email addresses associated with the Manipulaters and their use of the spamming tool HeartSender. The article also discusses the use of JavaScript and XML in HeartSender and mentions several email addresses and usernames linked to the Manipulaters. It also highlights registering nearly 500 domains associated with the email address “[email protected]” and using various aliases by the Manipulaters. The article urges businesses and consumers to remain vigilant against threat actor groups like the Manipulaters and provides resources for further information. It also includes a list of active shops and associated email addresses and usernames used by the Manipulaters. The article also delves into the history and current activities of the Manipulaters, their lack of technical sophistication, and their expansion into selling web domains. It also discusses their potential involvement in impersonating the USPS and their use of session cookie grabbers. The article highlights the Manipulaters’ operational security failures and the potential risks to their own customers. It also mentions the compromise of several PCs associated with the Manipulaters and the exposure of customer data and operational details. The article concludes by providing information on two clusters of activity associated with the Manipulaters, including usernames, email addresses, and associated domains.

Source:
https://www.domaintools.com/resources/blog/the-resurgence-of-the-manipulaters-team-breaking-heartsenders/

Intel Source:

Mcafee

Intel Name:

Diverse_Campaign_Tactics_and_Payload_Analysis

Date of Scan:

2024-04-03

Impact:

LOW

Summary:

Pikabot, a malicious backdoor, has exhibited a significant evolution in its campaign tactics, distribution methods, and infection vectors since early 2023. McAfee Labs’ recent analysis reveals distinctive campaign variations employed by Pikabot, including HTML, JavaScript, SMB share, Excel, and JAR campaigns. Each campaign utilizes unique infection chains, such as utilizing meta tag refreshes in HTML, leveraging JavaScript to execute curl.exe, exploiting the MonikerLink bug via SMB shares, embedding SMB share links in Excel files, and dropping payloads through JAR files.

Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/distinctive-campaign-evolution-of-pikabot-malware/

Intel Source:

SOC Radar

Intel Name:

The_Anatomy_of_Stealers

Date of Scan:

2024-04-03

Impact:

LOW

Summary:

This article provides a comprehensive overview of stealer malware and its impact on cybersecurity. It emphasizes the need for continuous research and investigation into the operational mechanisms and tactics used by cybercriminals. The article also highlights the importance of threat intelligence and the use of the MITRE ATT&CK framework in understanding and defending against stealer malware. It discusses the characteristics and common techniques used by these malicious programs, as well as the need for continuous education and awareness, and the use of effective security tools and practices. The article also introduces the top five most common stealers and their unique features, and discusses the use of the MITRE ATT&CK framework in analyzing and understanding these threats. It also provides a detailed analysis of the Amadey Stealer malware and its techniques, as well as the top 15 most common ASN firms in stealer malware’s IP connections. The article also discusses the prevalence of HTTP connections in stealer malware and the need for caution when considering blocking this protocol. It concludes by emphasizing the importance of integrating threat intelligence and using advanced cybersecurity solutions to detect and prevent these evolving threats.

Source:
https://socradar.io/the-anatomy-of-stealers-how-are-they-stealing-our-information-where-are-they-taking-it/

Intel Source:

Sucuri

Intel Name:

Magento_Ecommerce_Malware

Date of Scan:

2024-04-03

Impact:

LOW

Summary:

The article discusses the threat of “Magento Shoplift” malware, which targets ecommerce websites using WordPress and Magento CMS platforms. The malware is designed to steal payment information and has been found in different forms, including one that disguises as a Google Analytics script. The author, a security analyst, provides steps for mitigating the risk of this malware, such as keeping CMS software and plugins updated and using strong passwords.

Source:
https://blog.sucuri.net/2024/04/magento-shoplift-ecommerce-malware-targets-both-wordpress-magento-cms.html

Intel Source:

Bi.Zone

Intel Name:

Cloud_Werewolf_attacks_government_officials_in_Russia_and_Belarus

Date of Scan:

2024-04-02

Impact:

LOW

Summary:

A cyberthreat group, identified as Cloud Werewolf, is conducting phishing campaigns targeting government employees in Russia and Belarus. The adversaries employ crafted emails mimicking legitimate documents, such as medical vouchers and federal orders, to lure victims into downloading malicious payloads. These payloads are hosted on remote servers, and their distribution is limited, allowing the threat actors to evade cybersecurity defenses within the targeted organizations.

Source:
https://bi.zone/expertise/blog/cloud-werewolf-atakuet-gossluzhashchikh-rossii-i-belarusi-putevkami-na-lechenie-i-prikazami-sluzhb

Intel Source:

linkedin(Perception Point)

Intel Name:

Venom_RAT_poses_a_threat_across_various_sectors

Date of Scan:

2024-04-02

Impact:

LOW

Summary:

This article highlights how attackers are employing phishing emails to distribute Venom RAT, a variant of Quasar RAT, across a wide array of sectors including hotels, travel, trading, finance, manufacturing, industry, and government in countries like Spain, Mexico, the United States, Colombia, Portugal, Brazil, the Dominican Republic, and Argentina. The threat actor TA558 is identified as the mastermind behind this extensive phishing campaign targeting Latin America.

Source:
https://www.linkedin.com/feed/update/urn:li:activity:7180255262807572480/

Intel Source:

Embeeresearch

Intel Name:

Additional_malicious_infrastructure_of_the_ACTINIUM_threat_group

Date of Scan:

2024-04-02

Impact:

MEDIUM

Summary:

This report demonstrates the process of leveraging publicly available intelligence reports and passive DNS analysis tools to uncover additional malicious infrastructure associated with a specific threat actor, referred to as ACTINIUM. By analyzing patterns in domains, IP addresses, registration dates, and subdomain structures provided in an initial report by Microsoft, the analysis identifies 122 new domains exhibiting similar characteristics. The report serves as an educational guide on how analysts can expand on existing intelligence using accessible tooling and open-source data.

Source:
https://www.embeeresearch.io/uncovering-apt-infrastructure-with-passive-dns-pivoting/

Intel Source:

Checkpoint

Intel Name:

Agent_Tesla_targeting_US_and_Australia

Date of Scan:

2024-04-02

Impact:

MEDIUM

Summary:

Check Point Research discovered a recent malware campaign of Agent Tesla operation which targeted American and Australian organizations. Phishing campaigns mainly target organization email credentials to access entities and perform further campaigns but with the next goal, to execute the malware samples of Agent Tesla. After further investigation, CPR tracked down the activity of 2 cyber-crime actors behind Agent Tesla operations with the evidence of being connected with each other: Bignosa and Gods.

Source:
https://research.checkpoint.com/2024/agent-tesla-targeting-united-states-and-australia/

Intel Source:

Intelcorgi

Intel Name:

Bellingcat_Malware_analysis

Date of Scan:

2024-04-02

Impact:

LOW

Summary:

The analysis involves an email campaign targeting the journalist group Bellingcat, delivering a malicious zip file that ultimately deploys an HTTP reverse shell. The infection chain involves a malicious zip archive, a .lnk file masquerading as a PDF, and a PowerShell script executing a reverse shell that enables data exfiltration. The campaign is attributed to a Russia-nexus threat actor based on consistently targeting organizations critical of Russia.

Source:
https://intelcorgi.com/2024/03/24/bellingcat-malware-investigation/

Intel Source:

Trend Micro

Intel Name:

DLL_Hijacking_and_API_Unhooking_in_the_Face_of_UNAPIMON_Malware

Date of Scan:

2024-04-02

Impact:

LOW

Summary:

Researchers at Trend Micro found recent cyberespionage attack attributed to Earth Freybug, a sophisticated threat group known for its espionage and financially motivated activities. The attack employs dynamic-link library (DLL) hijacking and application programming interface (API) unhooking techniques to evade detection, particularly by a newly discovered malware named UNAPIMON

Source:
https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html

Intel Source:

Moonlock

Intel Name:

Masked_macOS_stealer_found

Date of Scan:

2024-04-01

Impact:

LOW

Summary:

Researchers at Moonlock Lab examined AppleScript and Bash’s payload hosted on a remote server and concluded that suspicious pieces of software have a big risk to the security and privacy of unsuspecting users. Moonlock blog details there the info about these threats posed by the Apple/Bash payload, the trojan’s modus operandi, and the potential consequences for macOS users.

Source:
https://moonlock.com/macos-stealer-apple-bash-payload

Intel Source:

Checkpoint

Intel Name:

Cyberattacks_in_Multiple_Countries_Using_the_Linux_Version_of_DinodasRAT

Date of Scan:

2024-04-01

Impact:

MEDIUM

Summary:

Researchers at Check Point have been closely observing the actions of a threat actor with a Chinese connection that is targeting Southeast Asia, Africa, and South America through cyber espionage. This action closely corresponds with the findings that Trend Micro researchers made available to the public in their thorough examination of Earth Krahang, a threat actor. One noteworthy tool in this actor’s arsenal is a cross-platform backdoor called DinodasRAT, alias XDealer, which was previously seen in assaults carried out by the Chinese threat actor LuoYu.

Source:
https://research.checkpoint.com/2024/29676/

Intel Source:

Jamf Threat Labs

Intel Name:

Hackers_target_macOS_users_with_malicious_ads_spreading_Stealer_Malware

Date of Scan:

2024-04-01

Impact:

LOW

Summary:

Researchers from Jamf Threat Labs discovered that attackers are targeting individuals in the crypto industry, recognizing the potential for substantial profits. Those involved in this sector must remain highly vigilant, as public information often reveals their status as asset holders or their association with crypto-related companies, making them prime targets.

Source:
https://www.jamf.com/blog/infostealers-pose-threat-to-macos/

Intel Source:

Malwation

Intel Name:

New_MuddyWater_Campaigns

Date of Scan:

2024-04-01

Impact:

MEDIUM

Summary:

The MuddyWater APT group has recently launched new attacks in Israel, Africa, and Turkiye using products developed in-house and taking over third-party tools. Phishing attacks use PDF attachments with agents from services like Atera and ConnectWise. Once installed, actors gain privileges to monitor and execute files. MuddyWater is expanding tactics to reduce digital footprint, likely increasing spear-phishing via compromised accounts. Technical analysis shows tailored attack files named for targets. Compromised business accounts used to build agents, increasing victim persuasion. Remote access tools ensure persistence and capabilities like command execution and file operations. MuddyWater aligns attacks with Iran’s interests, adding techniques and using legitimate tools for anonymity.

Source:
https://www.malwation.com/blog/new-muddywater-campaigns-after-operation-swords-of-iron

Intel Source:

TheDFIRreport

Intel Name:

IcedID_Malware_Leveraged_in_Multi_Stage_Attack

Date of Scan:

2024-04-01

Impact:

LOW

Summary:

In a cyber intrusion that occurred between late February and late March 2023, threat actors exploited a phishing campaign using Microsoft OneNote files to deliver the IcedID malware. The attack evolved through multiple stages, starting with IcedID deployment and persistence establishment. Subsequently, the attackers leveraged Cobalt Strike and AnyDesk to target file and backup servers, followed by data exfiltration using FileZilla and deployment of Nokoyawa ransomware.

Source:
https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/

Intel Source:

CYFIRMA Research

Intel Name:

ACR_Stealer_Promotion_on_a_Well_Known_Russian_Forum

Date of Scan:

2024-04-01

Impact:

LOW

Summary:

Researchers from Cyfirma have discovered that an ACR stealer is being promoted on a well-known Russian forum. The threat actors’ OPSEC errors allowed them to follow the compromised bots, which led us to the samples. These were all gathered at roughly the same time in late December 2023 and have less than ten VT detections between them. The timeframe aligns with the threat actor’s story, which describes how they started out operating in secret before going public.

Source:
https://www.linkedin.com/posts/cyfirma-research-6a8073245_acr-stealer-is-being-advertised-on-a-prominent-activity-7179498200632872960-S6Jb?utm_source=li_share&utm_content=feedcontent&utm_medium=g_dt_web&utm_campaign=copy

Intel Source:

ASEC

Intel Name:

Deceptive_Malware_Distribution_via_Google_Ads_Tracking

Date of Scan:

2024-04-01

Impact:

MEDIUM

Summary:

AhnLab Security Intelligence Center (ASEC) has uncovered a sophisticated malware distribution campaign exploiting Google Ads tracking. The attackers disguise malicious software as installers for popular groupware like Notion and Slack, tricking users into downloading and executing malware onto their systems. Through a complex redirection sequence, users are led to a seemingly legitimate landing page, where malware payloads are injected into critical Windows files. This Rhadamanthys malware poses a significant threat as it operates stealthily within legitimate system processes, enabling data theft without user detection.

Source:
https://asec.ahnlab.com/en/63477/

Intel Source:

Huntress

Intel Name:

Malicious_activity_on_endpoints_running_MSSQL_Server_or_MSSQL_Express

Date of Scan:

2024-03-29

Impact:

MEDIUM

Summary:

Huntress SOC analysts tracked the new alerts showing malicious activity on endpoints running MSSQL Server or MSSQL Express, either as stand-alone installations or as part of a larger application package installation. A recent series of incidents across three endpoints running the Fortinet Enterprise Management Server (EMS) system were initiated by alerts

Source:
https://www.huntress.com/blog/mssql-to-screenconnect

Intel Source:

Rapid7

Intel Name:

Technical_analysis_of_IDAT_Loader_to_download_BruteRatel

Date of Scan:

2024-03-29

Impact:

MEDIUM

Summary:

This month, in two recent investigations, Rapid7’s Managed Detection & Response team observed the IDAT loader being used again. Based on the recent tactics, techniques, and procedures tracked, Rapid7’s team confirmed the activity is associated with financially motivated threat groups.

Source:
https://www.rapid7.com/blog/post/2024/03/28/stories-from-the-soc-part-1-idat-loader-to-bruteratel/

Intel Source:

Netcraft

Intel Name:

Attacks_on_USPS_and_global_postal_services

Date of Scan:

2024-03-29

Impact:

LOW

Summary:

Chinese Phishing-as-a-Service platform ‘darcula’ targets organizations in multiple countries with sophisticated techniques using more than 20,000 phishing domains. ‘darcula’ [sic] is a new, sophisticated Phishing-as-a-Service (PhaaS) platform used on more than 20,000 phishing domains that provide cyber criminals with easy access to branded phishing campaigns.

Source:
https://www.netcraft.com/blog/darcula-smishing-attacks-target-usps-and-global-postal-services/

Intel Source:

Adlumin

Intel Name:

Zero_Trust_Solution_Misconfiguration_Enables_Threat_Actors_to_Bypass_2FA

Date of Scan:

2024-03-29

Impact:

LOW

Summary:

Adlumin researchers detected a breach where attackers evaded Duo, a widely-used zero-trust security tool, to illicitly access a company’s networks. Adlumin urges organizations to review user access policies for accuracy and evaluate the security implications of allowing select users to bypass 2FA.

Source:
https://adlumin.com/post/misconfiguration-in-zero-trust-solution-could-allow-threat-actors-to-bypass-2fa/

Intel Source:

PaloAlto

Intel Name:

Exploiting_FortiClient_EMS_Vulnerability_Actively

Date of Scan:

2024-03-29

Impact:

MEDIUM

Summary:

Researchers from Unit 42 have discovered ongoing exploits for the recently discovered FortiClient EMS vulnerability, CVE-2023-48788. Unauthorized installs of Meterpreter, ScreenConnect Client, and Atera Agent were caused by this action.

Source:
https://www.linkedin.com/posts/unit42_atera-screenconnect-meterpreter-activity-7179196571689922560-tgvm?utm_source=li_share&utm_content=feedcontent&utm_medium=g_dt_web&utm_campaign=copy

Intel Source:

Checkmarx

Intel Name:

PyPi_Suspends_Project_Creation_and_User_Registration_Amid_Security_Threat

Date of Scan:

2024-03-28

Impact:

LOW

Summary:

Checkmarx researchers uncovered a campaign leveraging numerous malicious packages, employing Typosquatting attacks through CLI for Python package installations. The attackers aim to pilfer crypto wallets, browser data, and credentials, employing persistence mechanisms for survival across reboots.

Source:
https://checkmarx.com/blog/pypi-is-under-attack-project-creation-and-user-registration-suspended/

Intel Source:

ISC.SANS

Intel Name:

JavaScript_to_AsyncRAT_Transition

Date of Scan:

2024-03-28

Impact:

LOW

Summary:

SANS researchers have analyzed and discovered an intriguing piece of JavaScript. This one was obfuscated quite effectively. The file was named “_Rechnung_01941085434_PDF.js” (Invoice in German). The first obfuscation method is simple yet effective, as it stops a lot of utilities from operating correctly on distributions such as REMnux.

Source:
https://isc.sans.edu/diary/From+JavaScript+to+AsyncRAT/30788

Intel Source:

PaloAlto

Intel Name:

Malicious_Google_Ad_Leads_To_Matanbuchus_Infection_With_DanaBot

Date of Scan:

2024-03-28

Impact:

LOW

Summary:

Researchers at PaloAlto have discovered that a Google advertisement leads users to a fake funds claim website, which spreads the Danabot Matanbuchus.

Source:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-03-26-IOCs-for-Matanbuchus-infection-with-Danabot.txt

Intel Source:

CERT-AGID

Intel Name:

AgentTesla_Expands_Its_Footprint_in_Italy

Date of Scan:

2024-03-28

Impact:

MEDIUM

Summary:

Operators of AgentTesla have recently stepped up their malspam efforts in Italy, supporting the upward trend in PDF attachment usage that has been noted in recent months. These documents have links that, when clicked, cause files containing malicious JavaScript code to be downloaded.

Source:
https://cert-agid.gov.it/news/agenttesla-intensifica-la-sua-presenza-in-italia-il-ruolo-cruciale-degli-allegati-pdf/

Intel Source:

EclecticIQ

Intel Name:

Cyber_Espionage_Campaign_Targeting_Indian_Government_Entities_and_Energy_Sector

Date of Scan:

2024-03-28

Impact:

MEDIUM

Summary:

Researchers at EclecticIQ have discovered a new espionage effort that uses a customized version of HackBrowserData, an open-source information stealer that can gather cookies, history, and browser login credentials, to target Indian government entities and the nation’s energy sector.

Source:
https://blog.eclecticiq.com/operation-flightnight-indian-government-entities-and-energy-sector-targeted-by-cyber-espionage-campaign

Intel Source:

Esentire

Intel Name:

Exploitation_of_Fortinet_Vulnerability_CVE_2023_48788

Date of Scan:

2024-03-28

Impact:

MEDIUM

Summary:

This month, eSentire has tracked a spike in the exploitation of CVE-2023-48788 (CVSS: 9.8). CVE-2023-48788 is a SQL injection flaw in FortiClientEMS software. Exploitation would allow an unauthenticated remote threat actor to execute code or commands through specially crafted requests, enabling initial organizational access.

Source:
https://www.esentire.com/security-advisories/widespread-exploitation-of-fortinet-vulnerability-cve-2023-48788

Intel Source:

CYFIRMA Research

Intel Name:

A_New_Info_Stealer_Named_Sync_Scheduler

Date of Scan:

2024-03-28

Impact:

LOW

Summary:

Cyfirma researchers have found Sync-Scheduler, an information-stealing malware that targets documents in particular and has anti-analysis built in. The research details the procedures used to create malware payloads and investigates the evasion strategies used by threat actors to avoid detection through in-depth examination.

Source:
https://www.linkedin.com/posts/cyfirma-research-6a8073245_sync-scheduler-stealer-activity-7178734723601485824-gOFs?utm_source=li_share&utm_content=feedcontent&utm_medium=g_dt_web&utm_campaign=copy

Intel Source:

Cyble

Intel Name:

After_FBI_Seizure_WarzoneRAT_Returns_With_Multi_Stage_Attack

Date of Scan:

2024-03-28

Impact:

MEDIUM

Summary:

Researchers at Cyble have noticed a campaign with a tax theme that may have spread via spam emails. Investigations revealed that the campaign disseminated the malware WarzoneRAT (Avemaria). The malware known as AveMaria is a Remote Administration Tool (RAT) that possesses the ability to take commands from a Command and Control (C&C) server and carry out a range of malevolent activities.

Source:
https://cyble.com/blog/warzonerat-returns-with-multi-stage-attack-post-fbi-seizure/

Intel Source:

Securelist

Intel Name:

DinodasRAT_Linux_backdoor

Date of Scan:

2024-03-28

Impact:

MEDIUM

Summary:

DinodasRAT, also known as XDealer, is a multi-platform backdoor written in C++ that offers a range of capabilities. This RAT allows the malicious actor to surveil and harvest sensitive data from a target’s computer. A Windows version of this RAT was used in attacks against government entities in Guyana.

Source:
https://securelist.com/dinodasrat-linux-implant/112284/

Intel Source:

Checkpoint

Intel Name:

The_Tax_Scam_Tsunami

Date of Scan:

2024-03-28

Impact:

LOW

Summary:

Check Point Research team has observed multiple instances of tax-related phishing scams and malware. The attack is focusing on to induce the end-user to either give over sensitive information or money.

Source:
https://blog.checkpoint.com/security/beware-the-tax-scam-tsunami-unmasking-qr-code-schemes-bogus-refunds-and-ai-imposters/

Intel Source:

Cyble

Intel Name:

A_recent_leak_of_a_Solana_drainer_source_code

Date of Scan:

2024-03-28

Impact:

LOW

Summary:

Cyble Research and Intelligence Labs (CRIL) found multiple drainer source codes leaked on cybercrime forums, including a recent leak of a Solana drainer’s source code.

Source:
https://cyble.com/blog/solana-drainers-source-code-saga-tracing-its-lineage-to-the-developers-of-ms-drainer/

Intel Source:

ISC.SANS

Intel Name:

An_interesting_piece_of_JavaScript

Date of Scan:

2024-03-28

Impact:

LOW

Summary:

Senior ISC Handler Xavier Mertens recently found an interesting piece of JavaScript payload and provided analysis. This payload was downloaded from hxxp://gklmeliificagac[.]top/vc7etyp5lhhtr.php?id=win10vm&key=127807548032&s=mints1. Once you fetched the page, it won’t work and will redirect you to another side. And Finally, another payload is delivered.

Source:
https://isc.sans.edu/diary/rss/30788

Intel Source:

Lumen

Intel Name:

The_Shadowy_Side_Of_TheMoon_Malware

Date of Scan:

2024-03-27

Impact:

LOW

Summary:

Researchers at Lumen have discovered a multi-year campaign that targeting Internet of Things (IoT) devices and routers that are nearing end of life (EoL). This campaign is linked to an upgraded version of the malware known as “TheMoon.” Since its inception in 2014, TheMoon has been running in the background, amassing almost 40,000 bots from 88 countries in January and February of 2024. As researchers have observed, most of these bots serve as the backbone of Faceless, a well-known proxy service targeted at cybercriminals.

Source:
https://blog.lumen.com/the-darkside-of-themoon/?utm_source=rss&utm_medium=rss&utm_campaign=the-darkside-of-themoon

Intel Source:

PaloAlto

Intel Name:

Enhance_Cyberespionage_Activities_Against_ASEAN_Nations_by_Two_Chinese_APT_Groups

Date of Scan:

2024-03-27

Impact:

MEDIUM

Summary:

Researchers from Unit 42 have discovered two Chinese advanced persistent threat (APT) groups that are involved in cyberespionage against members and organizations connected to the Association of Southeast Asian Nations (ASEAN). Stately Taurus, the first APT organization, is believed to have targeted entities in Myanmar, the Philippines, Japan, and Singapore with two malware packages. An ASEAN-affiliated entity was infiltrated by the second Chinese APT outfit. In recent months, this APT group has attacked a number of government institutions in Southeast Asia, including those in Singapore, Laos, and Cambodia.

Source:
https://unit42.paloaltonetworks.com/chinese-apts-target-asean-entities/

Intel Source:

SOC Radar

Intel Name:

A_Robust_Cyberthreat_to_Brazil_Monetary_Security_CHAVECLOAK

Date of Scan:

2024-03-27

Impact:

LOW

Summary:

CHAVECLOAK, a banking trojan that has become a serious threat, is a strong cyber threat threatening the Brazilian financial system. This sophisticated malware is made to get past security measures and steal confidential financial data from unsuspecting users.

Source:
https://socradar.io/chavecloak-cyber-threat-to-brazils-financial-security/

Intel Source:

Rewterz

Intel Name:

FormBook_Malware

Date of Scan:

2024-03-27

Impact:

MEDIUM

Summary:

FormBook, an information stealer (infostealer) malware discovered in 2016, has various capabilities such as tracking keystrokes, accessing files, capturing screenshots, and stealing passwords from web browsers. It can execute additional malware as directed by a command-and-control server and is adept at evading detection through techniques like code obfuscation and encryption. FormBook’s flexibility allows customization for specific targets and its obfuscation methods make removal challenging. Cybercriminals distribute FormBook through email attachments like PDFs and Office Documents, with notable use during the 2022 Russia-Ukraine conflict. FormBook’s successor, XLoader, is currently active.

Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-formbook-malware-active-iocs-98

Intel Source:

Oligo Security

Intel Name:

Cyberattacks_Risk_Thousands_of_Businesses_Using_Ray_Framework

Date of Scan:

2024-03-27

Impact:

LOW

Summary:

Researchers at Oligo have recently uncovered an ongoing campaign of attacks aimed at a flaw in the popular open-source AI framework Ray. There is no patch for a significant vulnerability that exposes thousands of businesses and servers using AI infrastructure to attack. Due to this flaw, hackers can commandeer the processing power of the organizations and reveal confidential information. For the past seven months, this vulnerability has been actively exploited, impacting a variety of industries including biopharma, education, and cryptocurrencies.

Source:
https://www.oligo.security/blog/shadowray-attack-ai-workloads-actively-exploited-in-the-wild

Intel Source:

Morphisec

Intel Name:

Increase_in_activity_linked_to_Mispadu_banking_trojan

Date of Scan:

2024-03-27

Impact:

LOW

Summary:

Morphisec Labs identified a significant increase in activity linked to Mispadu, a banking trojan first flagged in 2019. Initially concentrated on LATAM countries and Spanish-speaking individuals, Mispadu has broadened its scope in the latest campaign.

Source:
https://blog.morphisec.com/mispadu-infiltration-beyond-latam

Intel Source:

Cybereason

Intel Name:

The_Effects_of_the_Anydesk_Breach

Date of Scan:

2024-03-27

Impact:

LOW

Summary:

Researchers at Cybereason have looked at cases of AnyDesk code signing certificates being misused. On February 2, 2024, AnyDesk, a prominent global supplier of Remote Management and Monitoring (RMM) software, made a public announcement announcing that they had discovered a compromise involving production systems. As a result, they started an incident response process and, as part of their remediation activities, they issued fresh certificates and revoked all of their security-related ones.

Source:
https://www.cybereason.com/blog/threat-alert-the-anydesk-breach-aftermath

Intel Source:

SonicWall

Intel Name:

Introducing_The_Most_Recent_Version_of_WhiteSnake_Stealer

Date of Scan:

2024-03-27

Impact:

LOW

Summary:

Researchers at SonicWall have discovered a new WhiteSnake Stealer version that makes it possible to steal vital, private information from infected systems.The string decryption code has been eliminated in this updated version, which also makes the code easier to understand.

Source:
https://blog.sonicwall.com/en-us/2024/03/whitesnake-stealer-unveiling-the-latest-version-less-obfuscated-more-dangerous/

Intel Source:

Sekoia

Intel Name:

Phishing_Kit_With_New_MFA_Targeting_Gmail_And_Microsoft_365_Accounts

Date of Scan:

2024-03-26

Impact:

LOW

Summary:

Tycoon 2FA was first detected by Sekoia researchers in October 2023 while conducting standard threat hunting. However, it has been operational since August 2023, when the Saad Tycoon group made it available via secret Telegram channels. The Sekoia team thoroughly examined the Tycoon 2FA PhaaS kit and shared some of their discoveries to the Twitter community. Since then, researchers have been keeping a close eye on the putative developer’s activity, campaigns using the kit, source code upgrades, and the infrastructure of Tycoon 2FA phishing URLs.

Source:
https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/#h-iocs-amp-technical-details

Intel Source:

ASEC

Intel Name:

Unraveling_the_Kimsuky_Groups_Malware_Attacks_on_South_Korea

Date of Scan:

2024-03-26

Impact:

LOW

Summary:

The Kimsuky group’s latest cyber espionage efforts against South Korean targets involve sophisticated malware, including a dropper masquerading as an installer from a public institution and the Endoor and Nikidoor backdoors for system infiltration and data theft. These attacks leverage social engineering, misuse of legitimate certificates, and command-and-control servers to achieve stealth, persistence, and exfiltration. Highlighting the critical need for updated security defenses and awareness, this analysis underscores the ongoing threat posed by the Kimsuky group’s advanced tactics.

Source:
https://asec.ahnlab.com/en/63396/

Intel Source:

TrendMicro

Intel Name:

Custom_PowerShell_Script_Allows_Agenda_Ransomware_to_Spreadto_vCenters_and_ESXi

Date of Scan:

2024-03-26

Impact:

LOW

Summary:

Newer variants of the ransomware, particularly for its Rust form, have been discovered by TrendMicro researchers. Based on their observations, the Agenda ransomware gang deploys the ransomware binary using Cobalt Strike and Remote Monitoring and Management (RMM) technologies. Regarding the Agenda ransomware executable, it can spread using PsExec and SecureShell in addition to using other weak SYS drivers to get around security measures.

Source:
https://www.trendmicro.com/en_us/research/24/c/agenda-ransomware-propagates-to-vcenters-and-esxi-via-custom-pow.html

Intel Source:

CERT-AGID

Intel Name:

An_Attempt_to_Phish_Outlook_Addresses_PAs

Date of Scan:

2024-03-26

Impact:

MEDIUM

Summary:

Researchers from CERT-AgID have alerted authorities to an ongoing campaign targeting public administrations with the goal of obtaining login credentials for Microsoft Outlook email accounts. In an effort to get login passwords and other sensitive data, attackers posing as company HR or accounting departments are sending fraudulent emails that purport to offer salary adjustments or access to electronic payslips.

Source:
https://cert-agid.gov.it/news/campagna-di-phishing-outlook-rivolta-alle-pa/

Intel Source:

Trustwave

Intel Name:

The_rise_of_Agent_Tesla

Date of Scan:

2024-03-26

Impact:

MEDIUM

Summary:

SpiderLabs discovered some phishing email on March 8, 2024, with a Windows executable disguised as a fraudulent bank payment attached to the email. This activity initiated an infection chain culminating in the deployment of Agent Tesla. Trustwave blog shared their deep analysis of a newly identified loader, showing the attack’s advanced tactics, techniques, and procedures (TTPs) used in both the loader and its command and control (C2) framework.

Source:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-teslas-new-ride-the-rise-of-a-novel-loader/

Intel Source:

CERT-AGID

Intel Name:

Phishing_Attack_Designed_to_Steal_Security_Information_And_Credentials

Date of Scan:

2024-03-26

Impact:

LOW

Summary:

Researchers from CERT-AGID have discovered a phishing page that targeting users of the Revenue Agency’s Siatel v2.0 – PuntoFisico of the Revenue Agency. It has been live online from the early afternoon of March 21, 2024. Once the victims have been tricked into entering their password and tax code as part of their access credentials, the attackers ask them to upload or complete a photo of the Security Matrix that corresponds with the given credentials. Access to Punto Fisico, Report Register, and Punto Fisico User Management are all dependent on the latter.

Source:
https://cert-agid.gov.it/news/agenzia-delle-entrate-punto-fisico-campagna-di-phishing-mirata-al-furto-di-credenziali-e-matrici-di-sicurezza/

Intel Source:

Resecurity

Intel Name:

Online_scams_during_Ramadan_and_Eid_Fitr

Date of Scan:

2024-03-25

Impact:

LOW

Summary:

This month during the holiday of Ramadan, Resecurity researchers discovered a significant spike in fraud activities and scams, coinciding with a surge in retail and online transactions.

Source:
https://www.resecurity.com/blog/article/cybercriminals-accelerate-online-scams-during-ramadan-and-eid-fitr

Intel Source:

Sonatype

Intel Name:

Attackers_next_target_ML_AI_models

Date of Scan:

2024-03-25

Impact:

LOW

Summary:

Sonatype analysts discovered a couple of open-source ML/AI models shared by data scientists and security researchers that proved that malware can creep onto AI platforms. Other examples include malicious models that were already reported by the community members and have since been booted off the platform.

Source:
https://blog.sonatype.com/open-source-ml/ai-models-attackers-next-potential-target

Intel Source:

Checkmarx

Intel Name:

Attack_using_fake_Python_Infrastructure

Date of Scan:

2024-03-25

Impact:

LOW

Summary:

This month the Checkmarx researchers discovered a campaign targeting the software supply chain, with proof of the successful exploitation of multiple victims. These include the Top.gg GitHub organization (a community of over 170k users) and several individual developers.

Source:
https://checkmarx.com/blog/over-170k-users-affected-by-attack-using-fake-python-infrastructure/

Intel Source:

Malwarebytes

Intel Name:

New_Go_loader_uses_Rhadamanthys_stealer

Date of Scan:

2024-03-25

Impact:

MEDIUM

Summary:

Malwarebytes researchers described in their post a malvertising campaign with a new loader. The program is in the Go language and deploys a payload, the Rhadamanthys stealer. PuTTY is a trendy SSH and Telnet client for Windows that IT admins have used for years. The threat actor bought an ad that pretended to be the PuTTY homepage and appeared at the top of the Google search results page, right before the official website.

Source:
https://www.malwarebytes.com/blog/threat-intelligence/2024/03/new-go-loader-pushes-rhadamanthys

Intel Source:

Infoblox

Intel Name:

Cobalt_strike_DNS_early_detection

Date of Scan:

2024-03-25

Impact:

LOW

Summary:

Infoblox presented their study demonstrating the value of detecting attempted DNS exfiltration and Command and Control (C2) communications. They focused their study on two anonymized customers: a large e-commerce/retail company (Customer #1) and an educational institution (Customer #2).

Source:
https://blogs.infoblox.com/cyber-threat-intelligence/dns-early-detection-cobalt-strike-dns-c2/

Intel Source:

Mandiant

Intel Name:

German_political_parties_attacked_by_APT29_with_WINELOADER

Date of Scan:

2024-03-25

Impact:

MEDIUM

Summary:

In late February 2024, Mandiant identified APT29 — a Russian Federation-backed threat group linked by multiple governments to Russia’s Foreign Intelligence Service (SVR) — conducting a phishing campaign targeting German political parties.

Source:
https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties

Intel Source:

Any.Run

Intel Name:

Reverse_Engineering_Snake_Keylogger_analysis

Date of Scan:

2024-03-25

Impact:

LOW

Summary:

Any.Run researcher provided her sandbox analysis to understand the malware’s behavior. The insights from sandbox analysis provide a foundational understanding of reverse Engineering Snake Keylogger and of what to anticipate and what specific aspects to investigate during the reverse engineering process.

Source:
https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/

Intel Source:

PaloAlto

Intel Name:

Massive_StrelaStealer_Initiative_in_First_Half_of_2024

Date of Scan:

2024-03-22

Impact:

LOW

Summary:

Researchers at PaloAlto have discovered a wave of extensive StrelaStealer campaigns that are affecting more than 100 organizations in the US and the EU. Spam emails with attachments that finally start the StrelaStealer DLL payload are the shape that these campaigns take.

Source:
https://unit42.paloaltonetworks.com/strelastealer-campaign/#post-133130-_vl741f7mzldf

Intel Source:

Sentilone

Intel Name:

AcidPour_new_embedded_wiper_variant_of_AcidRain

Date of Scan:

2024-03-22

Impact:

MEDIUM

Summary:

The article discusses the discovery of a new variant of the malware AcidRain, called AcidPour, which has been causing disruptions in Ukraine and Europe during the Russian invasion. The section titled “Title-Abstract. Section intro” provides an overview of the AcidPour variant, including technical details such as its MD5, SHA1, SHA256, size, and type. It also highlights the similarities between AcidRain and AcidPour, as well as the added functionality of AcidPour for handling Unsorted Block Image (UBI) and Device Mapper (DM) logic. The section also notes the coding style of AcidPour and its self-delete function and alternate device wiping mechanism.

Source:
https://www.sentinelone.com/labs/acidpour-new-embedded-wiper-variant-of-acidrain-appears-in-ukraine/

Intel Source:

PaloAlto

Intel Name:

Technical_Analysis_of_FalseFont_Backdoor

Date of Scan:

2024-03-22

Impact:

MEDIUM

Summary:

The article provides a detailed analysis of the FalseFont backdoor, a new malware developed by the Curious Serpens threat actor. The backdoor targets the aerospace and defense industries by masquerading as legitimate human resources software. The article discusses the backdoor’s architecture, functionality, and communication with threat actors, as well as ways to detect and prevent it. It also includes indicators of compromise and recommendations for improving security practices. The article also delves into the methods used by attackers to interact with the backdoor, including predefined commands and real-time communication through SignalR. It also describes the process of sending recurring requests to the backdoor’s command and control server.

Source:
https://unit42.paloaltonetworks.com/curious-serpens-falsefont-backdoor/

Intel Source:

Proofpoint

Intel Name:

TA450_Uses_Embedded_Links_in_PDF_Attachments

Date of Scan:

2024-03-22

Impact:

LOW

Summary:

The article discusses a recent phishing campaign by the threat actor TA450, targeting Israeli employees at large multinational organizations. The campaign used a pay-related social engineering lure and contained PDF attachments with malicious links to file-sharing sites. This marks a change in tactics for the threat actor, who typically uses malicious links directly in email bodies. The campaign also used a sender email account that matched the lure content and continued TA450’s trend of targeting Israeli individuals using Hebrew language lures and compromised .IL accounts. The section provides ET signatures and indicators of compromise for organizations to protect against this threat.

Source:
https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign

Intel Source:

Talos

Intel Name:

New_Details_on_TinyTurla_Post_Compromise_Activity

Date of Scan:

2024-03-22

Impact:

LOW

Summary:

The article discusses the ongoing campaign by the Russian espionage group Turla, specifically their use of the TinyTurla-NG implant. New information is revealed on the group’s tactics, techniques, and procedures (TTPs) used to steal valuable information and spread through infected networks. The analysis, in collaboration with CERT.NGO, shows that Turla has infected multiple systems in a European NGO’s network. The attackers have taken preliminary post-compromise actions such as establishing persistence and adding exclusions to anti-virus products. They also used a custom-built Chisel beacon from an open-sourced offensive framework. The article provides a visual representation of the infection chain and offers ways for customers to detect and block this threat. It also includes a list of associated hashes, domains, and IP addresses.

Source:
https://blog.talosintelligence.com/tinyturla-full-kill-chain/

Intel Source:

Talos

Intel Name:

Pig_butchering_scams

Date of Scan:

2024-03-22

Impact:

LOW

Summary:

The article discusses the evolution of social engineering tactics, specifically “catfishing” or “romance scams,” which involve scammers building relationships with targets to eventually scam them out of money. The section explains the process and differences between “pig butchering” and traditional romance scams, emphasizing the importance of user education and law enforcement involvement. It then transitions to discussing Talos’ research on the Turla APT and their use of a new tool, TinyTurla-NG, to target Polish NGOs and steal sensitive data. The section concludes by mentioning Talos’ efforts to provide detection content for Cisco Secure products and highlighting the top security headlines of the week.

Source:
https://blog.talosintelligence.com/threat-source-newsletter-march-21-2024/

Intel Source:

Mandiant

Intel Name:

Chinese_Government_Hacker_Using_ScreenConnect_and_F5_Bugs_to_Attack_Defense_and_Government_Entities

Date of Scan:

2024-03-22

Impact:

MEDIUM

Summary:

A hacker allegedly connected to the People’s Republic of China has been exploiting two popular vulnerabilities to attack U.S. defense contractors, U.K. government entities and institutions in Asia.

Source:
https://www.mandiant.com/resources/blog/initial-access-brokers-exploit-f5-screenconnect

Intel Source:

Recorded Future

Intel Name:

Numerous_Chinese_State_Sponsored_Groups_Are_Associated_With_Private_Contractor

Date of Scan:

2024-03-21

Impact:

LOW

Summary:

A fresh perspective on the latest i-SOON leak is provided by New Insight Group Research. China’s state-sponsored cyber espionage operations were made public on February 18, 2024, according to an anonymous document leak from Anxun Information Technology Co., Ltd. (i-SOON), a cybersecurity and IT company in China. The breach is noteworthy because it exposes the links between i-SOON and a number of state-sponsored cyber groups in China, including RedAlpha, RedHotel, and POISON CARP. These connections point to a complex web of espionage activities, including the theft of communications records in order for tracking down specific individuals.

Source:
https://go.recordedfuture.com/hubfs/reports/cta-2024-0320.pdf

Intel Source:

ASEC

Intel Name:

Caution_Regarding_Infostealer_Posing_as_Installer

Date of Scan:

2024-03-21

Impact:

LOW

Summary:

Researchers from ASEC have seen a widespread distribution of the StealC malware, which is disguising itself as an installer. It was found to be downloaded through Dropbox, GitHub, Discord, and other services. It is anticipated that victims will be redirected several times from a malicious webpage masquerading as a download page for a specific program to the download URL, given the incidents of dissemination via similar pathways.

Source:
https://asec.ahnlab.com/en/63308/

Intel Source:

Welivesecurity

Intel Name:

AceCryptor_Malware_Increased_Throughout_Europe

Date of Scan:

2024-03-21

Impact:

LOW

Summary:

ESET researchers have been studying AceCryptor for years, and on Wednesday they said that the latest campaign differed from earlier versions due to the attackers’ increased arsenal of harmful code. Typically, AceCryptor is used in conjunction with malware called Remcos or Rescoms, a potent remote surveillance tool that researchers have frequently observed being utilized against Ukrainian businesses.

Source:
https://www.welivesecurity.com/en/eset-research/rescoms-rides-waves-acecryptor-spam/

Intel Source:

Rapid7

Intel Name:

The_Kimsuky_threat_actor_group_activity

Date of Scan:

2024-03-21

Impact:

MEDIUM

Summary:

The article discusses the latest tactics and techniques used by the Kimsuky threat actor group, also known as Black Banshee or Thallium. The group, originating from North Korea, primarily focuses on intelligence gathering and has targeted South Korean government entities, individuals involved in the Korean peninsula’s unification process, and global experts in fields relevant to the regime’s interests. The section highlights the group’s evolving methods, such as using weaponized Office documents, ISO files, and shortcut files (LNK files) to bypass modern security measures. The latest findings reveal that the group is now using CHM files, which are compiled HTML help files, to distribute malware and gain access to their targets. The section provides a detailed analysis of a CHM file used by the group, including its file structure, language, and code snippets. It also explains how the group uses HTML and ActiveX to execute arbitrary commands on a victim’s machine and create persistence. The article also includes a visualization of the attack flow and a list of detections that Rapid7 customers can use to protect against this campaign. Overall, the article sheds light on the Kimsuky threat actor group’s tactics and provides valuable insights for organizations to protect themselves against this campaign.

Source:
https://www.rapid7.com/blog/post/2024/03/20/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/

Intel Source:

ISC.SANS

Intel Name:

Investigations_into_CVE_2024_21762_Vulnerability_and_Fortinet_FortiOS

Date of Scan:

2024-03-21

Impact:

LOW

Summary:

ISC.SANS researchers have noticed that an attack for CVE-2024-21762 has leaked on GitHub. The FortiOS operating system from Fortinet is vulnerable. February 8th saw the release of a patch. Device owners were given more than a month to apply the fix. A few days before the exploit was released on GitHub, it was made available on the Chinese QQ messaging network.

Source:
https://isc.sans.edu/diary/Scans+for+Fortinet+FortiOS+and+the+CVE202421762+vulnerability/30762/

Intel Source:

Sucuri

Intel Name:

Sign1_malware_analysis

Date of Scan:

2024-03-21

Impact:

LOW

Summary:

The article titled “Sign1 Malware: Analysis, Campaign History & Indicators of Compromise” delves into the details of a recent malware campaign known as Sign1. The campaign has affected over 39,000 websites in the past 6 months and is typically injected through custom HTML widgets. The malware redirects users to malicious sites, often related to the VexTrio scam. The section provides a comprehensive analysis of the campaign, including its evolution since it was first noticed in 2023. The attackers have changed their obfuscation methods and use a timestamp trick in their URLs. The section also lists the various domains used by the attackers and their registration dates, as well as the number of infected sites associated with each domain. The author recommends securing the admin panel and using website monitoring tools to protect against this type of malware. The article also includes a case study of a client who experienced the Sign1 malware and how they traced it back to the campaign. The section discusses the various indicators of compromise for this malware, including its campaign history, obfuscation techniques, and how to detect and mitigate it. The author provides a breakdown of the JavaScript code used in the malware and how it dynamically generates URLs to redirect visitors to scam sites. The section concludes with a list of conditions that must be met for the malware to execute, including a specific cookie and correct referrer. Overall, the article provides a detailed overview of the Sign1 malware campaign and offers valuable insights for website owners to protect against it.

Source:
https://blog.sucuri.net/2024/03/sign1-malware-analysis-campaign-history-indicators-of-compromise.html

Intel Source:

Imperva

Intel Name:

New_Sysrv_botnet_variant_spreads_XMRig_Miner

Date of Scan:

2024-03-21

Impact:

MEDIUM

Summary:

A new variant of the Sysrv botnet was observed exploiting vulnerabilities in Apache Struts and Atlassian Confluence to spread an XMRig cryptominer payload. The malware made use of a compromised Malaysian academic website and Google subdomain to distribute malicious files. Enhancements include obfuscation and architecture preparation functions. The malware connects to MoneroOcean mining pool endpoints and mines to a specific wallet. Defenders should block suspicious outbound connections and inspect seemingly legitimate sites for malicious files.

Source:
https://www.imperva.com/blog/new-sysrv-botnet-variant-makes-use-of-google-subdomain-to-spread-xmrig-miner/

Intel Source:

Trend Micro

Intel Name:

Exploits_For_TeamCity_Vulnerabilities_Lead_to_Jasmin_Ransomware

Date of Scan:

2024-03-20

Impact:

LOW

Summary:

A serious risk to enterprises using TeamCity On-Premises for their CI/CD procedures is the active exploitation of vulnerabilities in the platform. According to Trend Micro telemetry, threat actors are using these vulnerabilities to infect infected TeamCity servers with ransomware, coinminers, and backdoor payloads.

Source:
https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html

Intel Source:

Juniper

Intel Name:

Androshield_malware_targets_networks

Date of Scan:

2024-03-20

Impact:

MEDIUM

Summary:

The article discusses the importance of patch management and network security measures in protecting networks from cyber threats. It specifically focuses on the Androxgh0st malware, which targets Laravel applications and exploits vulnerabilities such as CVE-2017-9841 and CVE-2018-15133. The article provides a technical analysis of the malware and its methods of exploitation, as well as ways to protect against it, such as encrypting sensitive information and using multi-factor authentication. It also highlights the use of Juniper IDS and ATP Cloud as a proactive defense against Androxgh0st and other cyber attacks. The article also discusses potential network disruptions caused by exploits of SMTP, AWS, SendGrid, and Twilio, and the risk of data breaches through the exploitation of .env files. It concludes by emphasizing the importance of regularly updating and patching systems, as well as implementing strong security measures to prevent unauthorized access and mitigate risks.

Source:
https://blogs.juniper.net/en-us/security/shielding-networks-against-androxgh0st

Intel Source:

SentinelLabs

Intel Name:

New_AcidPour_Data_Wiper_Targeting_Linux_x86_Network_Devices

Date of Scan:

2024-03-20

Impact:

LOW

Summary:

Researchers at SentinelLabs have discovered AcidPour, a new harmful malware that targets Linux x86 networking and Internet of Things devices and has data-wiper functionality. While AcidPour and AcidRain target comparable directories and device paths found in embedded Linux distributions, there is an estimated 30% overlap in their codebases.

Source:
https://www.bleepingcomputer.com/news/security/new-acidpour-data-wiper-targets-linux-x86-network-devices/

Intel Source:

ASEC

Intel Name:

The_Revival_of_a_Notorious_Ransomware_Threat

Date of Scan:

2024-03-19

Impact:

MEDIUM

Summary:

AhnLab Security Intelligence Center (ASEC) has uncovered the resurgence of CryptoWire, a ransomware strain that wreaked havoc back in 2018. Utilizing Autoit scripting and distributed primarily through phishing emails, CryptoWire exhibits sophisticated features including self-replication, network exploration for file encryption, and data deletion measures to thwart recovery efforts. Unlike many ransomware variants, CryptoWire exposes decryption keys, either embedded within the malware or transmitted to the threat actor’s server. With its file encryption tactics and demand for ransom, users are urged to exercise caution, employ anti-malware solutions, and maintain up-to-date system security to thwart potential infections and safeguard against data loss.

Source:
https://asec.ahnlab.com/en/63200/

Intel Source:

ASEC

Intel Name:

Persistent_Cyber_Threats_Targeting_Korean_Corporations

Date of Scan:

2024-03-19

Impact:

LOW

Summary:

AhnLab Security Intelligence Center (ASEC) has uncovered a series of ongoing attacks by the Andariel group targeting Korean companies. Notably, the group leverages installations of MeshAgent alongside other remote management tools to facilitate diverse remote control capabilities. Exploiting Korean asset management solutions, the group installs malware such as AndarLoader and ModeLoader during lateral movement phases. AndarLoader, a downloader, retrieves executable data like .NET assemblies from C&C servers. MeshAgent, a remote management tool, enables screen control and was used for the first time by the Andariel group. ModeLoader, a JavaScript malware, is externally downloaded via Mshta for execution.

Source:
https://asec.ahnlab.com/en/63192/

Intel Source:

Docguard

Intel Name:

Analysis_of_AutoIt_Malware

Date of Scan:

2024-03-19

Impact:

LOW

Summary:

This article provides a comprehensive analysis of a lnk-based malware, including the process of static and AutoIt deobfuscation. It examines the important fields of the lnk file and identifies a malicious command that downloads and executes an HTA file from a remote server. The HTA file is manually downloaded and analyzed, revealing the use of forfiles.exe and PowerShell. The analysis also uncovers an embedded zip file, which is extracted and examined. A script is used to parse variables and remove unnecessary ones, and a list of IOCs is provided for this specific malware.

Source:
https://www.docguard.io/analysis-of-lnk-based-obfuscated-autoit-malware/

Intel Source:

Perception Point

Intel Name:

A_New_Phishing_Attack_That_Deploys_NetSupport_RAT

Date of Scan:

2024-03-19

Impact:

LOW

Summary:

Israeli researchers at Perception Point have discovered a latest spearphishing effort aimed at American companies with the goal of installing the remote access trojan NetSupport RAT, also known as Operation PhantomBlu. By using OLE (Object Linking and Embedding) template alteration to run malicious code while avoiding detection, the PhantomBlu operation presents a sophisticated exploitation technique that departs from the standard NetSupport RAT distribution methodology.

Source:
https://perception-point.io/blog/operation-phantomblu-new-and-evasive-method-delivers-netsupport-rat/

Intel Source:

Shadowstackre

Intel Name:

A_new_ransomware_gang_called_Donex

Date of Scan:

2024-03-19

Impact:

LOW

Summary:

The article discusses the operations of a new ransomware gang called Donex, specifically their ransomware variant known as ShadowStackRE. The section titled “Donex a new ransomware gang – ShadowStackRE” provides a thorough analysis of the pre-encryption setup, file and directory discovery, and encryption process used by this ransomware. The setup process involves creating a mutex, disabling file system redirection, and obtaining a cryptographic context. The file and directory discovery is carried out through multiple threads and targets specific processes for shutdown. The encryption process utilizes the Windows restart manager API and employs salsa20/chacha20 to encrypt data. The article also mentions the use of a blacklist, whitelist, and extensions in the configuration of the encryptor. The section concludes with a description of the cleanup process, which involves clearing event logs and restarting the system.

Source:
https://www.shadowstackre.com/analysis/donex

Intel Source:

Russian Panda

Intel Name:

The_GlorySprout_stealer_and_others

Date of Scan:

2024-03-19

Impact:

LOW

Summary:

A new information stealer named GlorySprout surfaced in cybercrime forums in March 2024. Technical analysis shows it is likely a clone of the older Taurus stealer, sharing code similarities but lacking some features like Anti-VM. GlorySprout is unlikely to gain popularity compared to other stealers.

Source:
https://russianpanda.com/2024/03/16/The-GlorySprout-Stealer-or-a-Failed-Clone-of-Taurus-Stealer/

Intel Source:

Fortinet

Intel Name:

RA_World_Ransomware_continued_activity

Date of Scan:

2024-03-19

Impact:

MEDIUM

Summary:

The blog provides an overview of the RA World ransomware, which encrypts files and steals data before demanding ransom for decryption and not leaking stolen files. The ransomware disables backups and deletes shadow copies to prevent recovery. It encrypts files and adds the .RAWLD extension, and drops a ransom note with contact info. The group operates TOR and non-TOR sites to publish stolen data. The blog covers infection vectors, victims, attack methods, protections, and mitigations.

Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-ra-world

Intel Source:

IBM X-Force

Intel Name:

Hackers_From_APT28_Targeting_Europe_America_Asia_in_Widespread_Phishing_Scheme

Date of Scan:

2024-03-18

Impact:

MEDIUM

Summary:

IBM X-Force researchers have discovered that the threat actor APT28, which is associated with Russia, is involved in several active phishing attacks. These campaigns use lure documents that mimic government and non-governmental organizations (NGOs) throughout North and South America, Europe, the South Caucasus, Central Asia, and Asia. In addition to potentially actor-generated documents pertaining to finance, key infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production, the unearthed lures comprise a combination of internal and publicly available documents.

Source:
https://securityintelligence.com/x-force/itg05-leverages-malware-arsenal/

Intel Source:

Trend Micro

Intel Name:

Malicious_Attacks_on_Global_Government_Institutions

Date of Scan:

2024-03-18

Impact:

MEDIUM

Summary:

Trend Micro researchers have found that a malicious actor targeting global government institutions. Exploiting compromised government infrastructure, the group employs two distinct malware families known in Earth Krahang’s attacks. Their analysis also highlights the broad range of their targets and malicious activities, gleaned from telemetry data and exposed server files.

Source:
https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html

Intel Source:

Cyble

Intel Name:

Hackers_Find_Vulnerable_Networks_by_Using_the_Aiohttp_Bug

Date of Scan:

2024-03-18

Impact:

LOW

Summary:

Researchers at Cyble have discovered that the ransomware actor “ShadowSyndicate” has been seen looking for servers that could be affected by CVE-2024-23334, a directory traversal vulnerability in the aiohttp Python module. Aiohttp is an open-source toolkit designed to manage massively concurrent HTTP requests without the need for conventional thread-based networking. It is built on top of Python’s Asyncio asynchronous I/O framework.

Source:
https://cyble.com/blog/cgsi-probes-shadowsyndicate-groups-possible-exploitation-of-aiohttp-vulnerability-cve-2024-23334/

Intel Source:

Hunt.IO

Intel Name:

Open_Directory_Exposes_Phishing_Campaign_Targeting_Google_And_Naver_Credentials

Date of Scan:

2024-03-18

Impact:

MEDIUM

Summary:

Hunt.IO researchers have observed an ongoing phishing campaign by a possible North Korean threat actor that aims to steal login credentials for Google and Naver. Apart from the numerous fake Google and Naver pages, the public folder that guided us to the finding additionally contains an instance of the open-source malware, Xeno-RAT, and KakaoTalk conversation transcripts between unidentified people talking about cryptocurrency trading.

Source:
https://hunt.io/blog/open-directory-exposes-phishing-campaign-targeting-google-and-naver-credentials?utm_source=substack&utm_medium=email

Intel Source:

Netskope

Intel Name:

An_Intimidating_Azorult_Campaign_Operated_Via_Google_Sites

Date of Scan:

2024-03-18

Impact:

LOW

Summary:

Researchers at Netskope have seen an evasive Azorult campaign in action that uses a variety of defense evasion strategies from delivery to execution in order to steal confidential information without drawing attention from the defense. This information thief was initially identified in 2016 and is capable of stealing private data, such as browser history, crypto wallet data, and user credentials.

Source:
https://www.netskope.com/blog/from-delivery-to-execution-an-evasive-azorult-campaign-smuggled-through-google-sites

Intel Source:

Uptycs

Intel Name:

Mac_malware_analysis_using_osquery

Date of Scan:

2024-03-18

Impact:

LOW

Summary:

This article discusses the use of osquery, an operating system instrumentation framework, for analyzing malware on macOS systems. It describes how malware can use commands like chown and chmod to gain control and persistence on a system. The article also provides a detailed overview of using osquery for malware analysis, including a comparison with sandboxing solutions and a step-by-step guide for analyzing a specific malware, OSX/Dummy. It concludes by highlighting the benefits of using osquery for dynamic malware analysis on macOS and Linux systems.

Source:
https://www.uptycs.com/blog/malware-analysis-using-osquery

Intel Source:

Securonix Threat Labs

Intel Name:

Examining_Latest_DEEP_GOSU_Attack_Campaign

Date of Scan:

2024-03-18

Impact:

MEDIUM

Summary:

Securonix researchers have been keeping an eye on a new campaign, identified as DEEP#GOSU, that appears to be connected to the Kimsuky organization. It includes both recycled and newly created code and stagers. Although the Kimsuky organization has previously targeted South Korean victims, it is clear from the tradecraft seen that the group has switched to use a new script-based attack chain that makes use of numerous PowerShell and VBScript stagers in order to covertly infect systems. The attackers can keep an eye on keystrokes, the clipboard, and other session activity through scripts that are used later on.

Source:
https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-deepgosu-attack-campaign/

Intel Source:

Any.Run

Intel Name:

ObserverStealer_Story_Continues_with_AsukaStealer

Date of Scan:

2024-03-18

Impact:

LOW

Summary:

AsukaStealer and ObserverStealer are fundamentally similar in that they both use XOR encryption and C2 communication. AsukaStealer distinguishes itself, nevertheless, by forgoing the need for external DLL dependencies for data parsing and decryption in favor of server-side processes, which increase stealth and reduce its digital footprint. The malware developers’ intention to improve the stealer based on prior criticisms and the unfavorable user comments are thought to be the driving forces behind the rebranding of ObserverStealer, although with a different moniker.

Source:
https://any.run/cybersecurity-blog/asukastealer-malware-analysis/#appendix-1-iocs-7288

Intel Source:

Geoedge

Intel Name:

ScamClub_Malicious_VAST_Attack

Date of Scan:

2024-03-18

Impact:

LOW

Summary:

A recent report details how a threat actor known as ScamClub has shifted to using video malvertising and VAST ads to distribute financial scams. The report analyzes ScamClub’s tactics, which involve exploiting the VAST protocol to embed malicious code in video ads that fingerprint users and redirect them to scam pages. The report highlights how ScamClub has infiltrated numerous ad platforms to reach a broad audience, with a focus on mobile users. It outlines the technical details of the attack flow, from crafting the malicious script to employing obfuscation techniques and evading detection. The report underscores the need for constant scanning of video assets to safeguard inventory and protect audiences.

Source:
https://www.geoedge.com/decoding-scamclubs-malicious-vast-attack

Intel Source:

ASEC

Intel Name:

CryptoWire_ransomware_distribution

Date of Scan:

2024-03-18

Impact:

MEDIUM

Summary:

This report provides an analysis of the CryptoWire ransomware, an open-source malware initially spread in 2018 via phishing emails. The malware is written in Autoit and contains the decryption keys within the code, allowing files to be decrypted without payment. It encrypts files and leaves a ransom note demanding payment, but does not require payment due to the presence of the keys.

Source:
https://asec.ahnlab.com/ko/62868/

Intel Source:

Cyble

Intel Name:

A_new_stealer_name_Xehook

Date of Scan:

2024-03-15

Impact:

MEDIUM

Summary:

Cyble analysts discovered a new stealer named Xehook back in January 2024. Xehook Stealer attacks the Windows operating system and is coded in the .Net programming language. The Threat Actor is insisting that this stealer offers dynamic data collection from all Chromium and Gecko-based browsers, supporting over 110 cryptocurrencies and 2FA extensions.

Source:
https://cyble.com/blog/xehook-stealer-evolution-of-cinoshis-project-targeting-over-100-cryptocurrencies-and-2fa-extensions/

Intel Source:

F1tym1

Intel Name:

Online_Scam_campaign

Date of Scan:

2024-03-15

Impact:

LOW

Summary:

Scammers aim for mobile phones because they are the most widespread, most utilized devices. They use subterfuge and scams to steal our money, information, and permissions.

Source:
https://f1tym1.com/2024/03/14/online-scam-scams-encountered-on-my-phone/

Intel Source:

PaloAlto

Intel Name:

A_Fake_Forum_Post_Contamining_GootLoader_Infection

Date of Scan:

2024-03-15

Impact:

LOW

Summary:

Researchers at Palo Alto have discovered that another fake forum post links to the GootLoader malware. Since at least 2021, this distribution strategy has shown remarkable consistency.

Source:
https://www.linkedin.com/posts/unit42_gootloader-timelythreatintel-unit42threatintel-ugcPost-7174049165306527746-aeLl?utm_source=share&utm_medium=member_ios

Intel Source:

Cisco Talos

Intel Name:

Threat_actors_leverage_document_for_credential_and_session_token_theft

Date of Scan:

2024-03-15

Impact:

LOW

Summary:

Cisco Talos Incident Response (Talos IR) has observed the ongoing use of legitimate digital document publishing (DDP) sites for phishing, credential theft, and session token theft during recent incident response and threat intelligence engagements.

Source:
https://blog.talosintelligence.com/threat-actors-leveraging-document-publishing-sites/

Intel Source:

CYFIRMA Research

Intel Name:

Exdefacer_Turns_Seller_of_Discord_Stealer_aka_Nikki_Stealer

Date of Scan:

2024-03-15

Impact:

LOW

Summary:

Researchers from CYFIRMA have discovered that a person who was formerly well-known for vandalizing websites has switched to offering a Discord stealer created using the Electron framework, named Nikki Stealer. The latest developments in Nikki Stealer v9 demonstrate how quickly this tool is evolving. Analysis of the Nikki Stealer Discord server’s conversation logs reveals that users are complaining about the device’s poor detection rate. Additionally, the stealer’s developer can be seen talking candidly about drug use in the conversation. Remarkable parallels have been noted between Fewer and Nikki Stealer.

Source:
https://media.licdn.com/dms/document/media/D561FAQEHMA1974p3pA/feedshare-document-pdf-analyzed/0/1710500504964?e=1711584000&v=beta&t=eC173BZYgGbUF25DLnBY-AgSTtSwfsTbN2aFuO9xOgE

Intel Source:

SOCRadar

Intel Name:

GhostSec_profile

Date of Scan:

2024-03-15

Impact:

LOW

Summary:

GhostSec’s primary target is online terrorism and violent extremism. GhostSec quickly gained recognition for its approach to confronting extremist groups online. The group even alleges that some of its members were employed by government agencies during an alleged meeting with the US government in those years. GhostSec’s initial goal revolved around the somewhat vague aim of disrupting the online presence and communication of terrorist organizations like ISIS (Islamic State of Iraq and Syria) and Al-Qaeda. However, while the group initially appeared neutral in the Israel-Hamas conflict, they later declared their support for Palestine against what they perceived as Israel’s war crimes.

Source:
https://socradar.io/dark-web-profile-ghostsec/

Intel Source:

Checkpoint

Intel Name:

DocLink_Defender_prevention_technology

Date of Scan:

2024-03-15

Impact:

LOW

Summary:

DocLink Defender leverages the latest in analytical technology to intercept and neutralize malicious documents instantly.

Source:
https://blog.checkpoint.com/security/shield-your-documents-introducing-doclink-defender-for-real-time-malware-blockade/

Intel Source:

Zscaler

Intel Name:

Roblox_Users_Targeted_with_Tweaks_Malware

Date of Scan:

2024-03-15

Impact:

LOW

Summary:

Zscaler’s Threat researchers observed a new attack campaign spreading an infostealer called Tweaks that targets Roblox users. Attackers are exploiting platforms, like YouTube and Discord, to distribute Tweaks to Roblox users, by evading detection by web filter block lists that typically block known malicious servers. Attackers share malicious files disguised as Frames Per Second (FPS) optimization packages with users and, in turn, users infect their systems with Tweaks malware.

Source:
https://www.zscaler.com/blogs/security-research/tweaks-stealer-targets-roblox-users-through-youtube-and-discord

Intel Source:

Trendmicro

Intel Name:

DarkGate_Operators_Exploit_Microsoft_Windows_SmartScreen_Bypass

Date of Scan:

2024-03-15

Impact:

MEDIUM

Summary:

The Zero Day Initiative tracked a DarkGate campaign which was observed last January 2024 where DarkGate operators exploited CVE-2024-21412 and linked to the Water Hydra APT zero-day analysis.

Source:
https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412–darkgate-operators-exploit-microsoft-windows-sma.html

Intel Source:

Esentire

Intel Name:

An_increase_in_tax_themed_phishing_emails

Date of Scan:

2024-03-15

Impact:

LOW

Summary:

This month, eSentire has seen a spike in malware delivered through tax-themed phishing emails. Threat Actors are trying to exploit the tax-related communications lures to trick individuals into opening malicious email links, leading to malware infections. The observed phishing campaigns utilize tax-themed lures, including tax documents, tax returns, and IRS letters. These emails often appear to be sent from legitimate tax authorities or financial institutions and include malicious links leading to malware payloads hosted on attacker-controlled infrastructure.

Source:
https://www.esentire.com/security-advisories/increase-in-tax-themed-email-lure

Intel Source:

Cybereason

Intel Name:

The_ActiveMQ_Vulnerability_Is_Being_Exploited_by_Messengers

Date of Scan:

2024-03-15

Impact:

LOW

Summary:

Researchers from Cybereason have looked into an event on a Linux server where malicious shell (bash) executions occurred via a Java process that was utilizing Apache ActiveMQ. An open-source message broker called ActiveMQ is used to facilitate communication across disparate servers that may be running different operating systems or have different languages.

Source:
https://www.cybereason.com/blog/beware-of-the-messengers-exploiting-activemq-vulnerability

Intel Source:

Palo Alto

Intel Name:

BunnyLoader_3_analysis

Date of Scan:

2024-03-15

Impact:

MEDIUM

Summary:

Unit 42 Palo Alto shared their analysis of the new released BunnyLoader 3.0 and on the infrastructure and an overview of its capabilities. BunnyLoader is a constantly developing malware with the capability to steal information, credentials, and cryptocurrency, as well as deliver additional malware to its victims. The threat actor behind this malware is known as “Player” or “Player_Bunny.” The buyer determines what malware BunnyLoader delivers. The author of this malware prohibits its use against Russian systems.

Source:
https://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/

Intel Source:

Securelist

Intel Name:

The_Chinese_users_targeted_by_infected_text_editors

Date of Scan:

2024-03-15

Impact:

LOW

Summary:

Securelist analysts discovered two related cases where modified versions of popular text editors were distributed in this system: in the first case, the malicious resource appeared in the advertisement section; in the second case, at the top of the search results.

Source:
https://securelist.com/trojanized-text-editor-apps/112167/

Intel Source:

Fortinet

Intel Name:

Attackers_Using_GitHub_and_AWS_to_Spread_RATs_Through_Phishing_Campaigns

Date of Scan:

2024-03-13

Impact:

LOW

Summary:

A recent phishing effort is discovered, in which attackers exploit publicly accessible platforms like GitHub and Amazon web servers to store malware, which is subsequently used via email to initiate an attack campaign and take over the newly compromised systems. According to FortiGuard Labs, the email tricks recipients into opening a dangerous, high-severity Java downloader that tries to disseminate the well-known STRRAT RAT and a brand-new VCURMS remote access trojan (RAT). Every platform that has Java installed is susceptible, and it can affect any kind of business.

Source:
https://www.fortinet.com/blog/threat-research/vcurms-a-simple-and-functional-weapon

Intel Source:

Malwarebytes

Intel Name:

Multiple_Ongoing_Malvertising_Activities_Used_to_Distribute_FakeBat

Date of Scan:

2024-03-13

Impact:

LOW

Summary:

FakeBat malvertising campaigns using two kinds of ad URLs. They were misusing URL/analytics shorteners, which are perfect for cloaking, as seen in past malvertising efforts. This technique gives a threat actor the ability to select a “good” or “bad” destination URL according to their own predetermined criteria (such as the IP address, user agent, and time of day).

Source:
https://www.malwarebytes.com/blog/threat-intelligence/2024/03/fakebat-delivered-via-several-active-malvertising-campaigns

Intel Source:

Securelist

Intel Name:

Malicious_Advertising_Using_Search_Engines

Date of Scan:

2024-03-13

Impact:

LOW

Summary:

Researchers at Securelist have noticed a rise in the quantity of malicious operations that disseminate and distribute malware via Google Advertising. Rhadamanthys and RedLine, two distinct stealers, were misusing the search engine promotion scheme to infect victims’ computers with malicious payloads. They appear to employ the same method of imitating a website connected to popular programs like Blender 3D and Notepad++.

Source:
https://securelist.com/malvertising-through-search-engines/108996/

Intel Source:

G DATA

Intel Name:

RisePro_Stealer_Is_Aiming_at_Github_Users

Date of Scan:

2024-03-13

Impact:

MEDIUM

Summary:

Researchers from G DATA Cyber Defense have found at least 13 of these repositories, which are part of a RisePro stealer campaign that the threat actors have dubbed “gitgub.” The repositories have a similar appearance and offer free cracked software in a README.md file. On Github, circles in the colors green and red are frequently used to indicate the status of automated builds. Four green Unicode circles that appear to show a status along with the current date and give the impression of validity and recentness were inserted by Gitgub threat actors to their README.md file.

Source:
https://www.gdatasoftware.com/blog/2024/03/37885-risepro-stealer-campaign-github

Intel Source:

ISC.SANS

Intel Name:

Decoding_Malicious_Scripts_Using_ChatGPT

Date of Scan:

2024-03-13

Impact:

LOW

Summary:

Researchers from INC.SANS have discovered a malicious Python script that has a low VirusTotal score of 2/61. By the time they looked at it, it had been obfuscated. All of the intriguing strings were compressed, Base64-encoded, and hex-encoded.

Source:
https://isc.sans.edu/diary/rss/30740

Intel Source:

SOC Radar

Intel Name:

A_Dark_Web_Profile_of_Meow_Ransomware

Date of Scan:

2024-03-12

Impact:

LOW

Summary:

Four ransomware strains that are descended from Conti’s ransomware strain that was leaked were found in late 2022. The Meow ransomware was one of them. This crypto-ransomware was detected operating between the end of August and the first part of September 2022, and it continued to do so until February 2023. They stopped operating in March 2023 after a free decryptor for the Meow ransomware was made available. There is still an active organization called Meow that entered 2024 rather quickly and has already claimed nine victims. It appears that this gang uses the RaaS paradigm; yet, in March 2024 alone, three victims were reported, and the institutions they target are not insignificant ones.

Source:
https://socradar.io/dark-web-profile-meow-ransomware/

Intel Source:

Reversing Labs

Intel Name:

Attacks_on_Crypto_Wallet_Recovery_Passwords_by_Malicious_PyPI_Packages

Date of Scan:

2024-03-12

Impact:

LOW

Summary:

Researchers at ReversingLabs have discovered a brand-new harmful campaign that consists of seven distinct open-source packages on the Python Package Index (PyPI) with 19 versions, the oldest of which was released in December 2022. The campaign aims to steal mnemonic phrases that are used to recover crypto wallets that have been lost or destroyed.

Source:
https://www.reversinglabs.com/blog/bipclip-malicious-pypi-packages-target-crypto-wallet-recovery-passwords

Intel Source:

Symantec

Intel Name:

Operators_Adapt_to_Disruption_as_Ransomware_Attacks_Rise

Date of Scan:

2024-03-12

Impact:

LOW

Summary:

Even though the number of attacks that ransomware operators claim to have carried out dropped by little more than 20% in the fourth quarter of 2023, ransomware activity is still on the rise. Attackers have continuously improved their strategies, shown that they can react quickly to disruptions, and discovered new means of infecting victims.

Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-attacks-exploits

Intel Source:

Splunk

Intel Name:

SnakeKeylogger_loader_technics_and_tactics

Date of Scan:

2024-03-12

Impact:

MEDIUM

Summary:

The Splunk Threat Research Team provided in their blog deep insights and details to share with security analysts and blue teamers on how to defend and be aware of these suspicious activities and tactics.

Source:
https://www.splunk.com/en_us/blog/security/under-the-hood-of-snakekeylogger-analyzing-its-loader-and-its-tactics-techniques-and-procedures.html

Intel Source:

ASEC

Intel Name:

Infostealer_Posing_as_Installer_For_Adobe_Reader

Date of Scan:

2024-03-12

Impact:

LOW

Summary:

Researchers from ASEC have found that an infostealer that poses as the installation for Adobe Reader is being distributed. The file is being distributed by the threat actor in PDF format, requesting that people download and execute it.

Source:
https://asec.ahnlab.com/en/62853/

Intel Source:

ASEC

Intel Name:

Spread_of_Malware_MSIX_Pretended_to_Be_Notion_Installer

Date of Scan:

2024-03-11

Impact:

LOW

Summary:

The Notion installation is actually a ruse to transmit MSIX malware. The distribution website bears a resemblance to the main Notion homepage. When the user clicks the download button, a file called “Notion-x86.msix” is downloaded. This file, a Windows app installation, has a legitimate certificate used to certify it. When the user runs the file, the pop-up appears. When you click the Install button, malware infects Notion and installs on your computer.

Source:
https://asec.ahnlab.com/en/62815/

Intel Source:

GuidePoint Security

Intel Name:

The_TeamCity_Exploit_Leads_BianLian_to_Embrace_PowerShell

Date of Scan:

2024-03-11

Impact:

MEDIUM

Summary:

Researchers at GuidePoint have discovered malicious activities on a client’s network. After locating a weak point in the TeamCity server, the threat actor used CVE-2024-27198 / CVE-2023-42793 to gain initial access to the system. Within TeamCity, the threat actor created users and executed malicious commands using the service account associated with the TeamCity product.

Source:
https://www.guidepointsecurity.com/blog/bianlian-gos-for-powershell-after-teamcity-exploitation/

Intel Source:

Darktrace

Intel Name:

A_New_Phishing_Attack_Targeting_Dropbox

Date of Scan:

2024-03-11

Impact:

LOW

Summary:

Darktrace researchers have alerted users to a well-known new phishing and malspam campaign that uses Dropbox emails to target users of well-known Software-as-a-Service (SaaS) platforms. According to recent research, a fresh phishing attempt targeting Dropbox has been effective in getting over MFA (multi-factor authentication) safeguards. By tricking users into downloading malware, this hack seeks to reveal login information.

Source:
https://darktrace.com/blog/legitimate-services-malicious-intentions-getting-the-drop-on-phishing-attacks-abusing-dropbox

Intel Source:

Sucuri

Intel Name:

Malicious_Campagin_Exploiting_Stored_XSS_in_Popup_Builder

Date of Scan:

2024-03-11

Impact:

LOW

Summary:

The malicious code that can be found in the Custom JS or CSS part of the WordPress admin interface which is internally saved in the wp_postmeta database table is injected by the attackers using a known vulnerability in the Popup Builder WordPress plugin.

Source:
https://blog.sucuri.net/2024/03/new-malware-campaign-found-exploiting-stored-xss-in-popup-builder-4-2-3.html?web_view=true

Intel Source:

Inquest

Intel Name:

An_emerging_information_stealing_Project_trojan

Date of Scan:

2024-03-08

Impact:

LOW

Summary:

The article discusses the emergence of a new trojan called Planet Stealer, which is designed to steal sensitive information from victim hosts. It is written in Go and is being sold in underground forums. This type of information-stealing malware is in high demand among financially motivated criminals, indicating a thriving market for such tools.

Source:
https://inquest.net/blog/around-we-go-planet-stealer-emerges/

Intel Source:

Checkpoint

Intel Name:

Magnet_Goblin_Uses_1_Day_Vulnerabilities_to_Target_Publicly_Facing_Servers

Date of Scan:

2024-03-08

Impact:

MEDIUM

Summary:

A financially driven threat actor, Magnet Goblin swiftly embraces and makes use of one-day vulnerabilities in services that are accessible to the public as a means of spreading infection. In one instance using Ivanti Connect Secure VPN (CVE-2024-21887), the exploit was added to the group’s toolkit in less than a day following the publication of a proof of concept.

Source:
https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/

Intel Source:

Security Intelligence

Intel Name:

New_Fakext_Malware_Targeting_Latin_American_Banks

Date of Scan:

2024-03-08

Impact:

LOW

Summary:

IBM security researchers have discovered a new, widely distributed malware called Fakext which leverages a malicious Edge plugin to launch web-injection and man-in-the-browser attacks. Over 35,000 infected sessions have been seen by researchers since November 2023; the majority of these sessions originate from Latin America (LATAM), with a lesser proportion from North America and Europe.

Source:
https://securityintelligence.com/posts/fakext-targeting-latin-american-banks/

Intel Source:

ESET

Intel Name:

Compromised_Supply_Chain_and_Sophisticated_Toolkit_Exposed

Date of Scan:

2024-03-08

Impact:

LOW

Summary:

ESET researchers identified a cyberespionage campaign directed at Tibetans across various regions. The threat actors deployed downloaders, droppers, and backdoors, such as the exclusive MgBot and the recently added Nightdoor, targeting networks in East Asia. Additionally, the attackers compromised the supply chain of a Tibetan language translation app developer.

Source:
https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/

Intel Source:

Cisco Talos

Intel Name:

Navigating_the_tax_season_global_surge

Date of Scan:

2024-03-08

Impact:

MEDIUM

Summary:

As tax deadlines approach globally, individuals and businesses must be vigilant against an increase in tax-related scams and ransomware attacks. Scammers exploit this period to launch sophisticated phishing campaigns, aiming to steal personal information, financial data, or directly extract money through deceit. Notably, the collaboration between ransomware groups GhostSec and Stormous has marked a significant rise in ransomware threats, including the deployment of the STMX_GhostLocker ransomware-as-a-service.

Source:
https://blog.talosintelligence.com/threat-source-newsletter-march-7-2024/

Intel Source:

Zscaler

Intel Name:

Beware_of_Malware_Delivering_Spoofing_Websites

Date of Scan:

2024-03-07

Impact:

LOW

Summary:

Researchers at Zscaler have identified a threat actor that creates fake websites for Zoom, Google Meet, and Skype in order to disseminate malware. The threat actor infects Windows users with NjRAT and DCRat and distributes SpyNote RAT to Android users. By using shared web hosting, the attacker was able to host all of these fake online meeting sites under a single IP address. As seen by all of the numbers below, the fake websites were all in Russian. Furthermore, the attackers used URLs that closely matched the real websites to host these fictitious ones.

Source:
https://www.zscaler.com/blogs/security-research/android-and-windows-rats-distributed-online-meeting-lures

Intel Source:

Harfanglab

Intel Name:

A_Thorough_Examination_of_I_SOONs_Commercial_Offering

Date of Scan:

2024-03-06

Impact:

LOW

Summary:

I-Soon’s business proposal indicates that processing gathered data is the primary problem, not initially failing to meet goals. Their products classify and sort stolen documents with the aid of deep learning. The business seems to have problems finding malware and usually uses rudimentary techniques (phishing, for example). But in the last ten years, they have violated numerous strategic targets all around the world.

Source:
https://harfanglab.io/en/insidethelab/isoon-leak-analysis/

Intel Source:

Cado Security

Intel Name:

The_Spinning_Yarn_Linux_Malware_Campaign_Targeting_Misconfigured_Servers

Date of Scan:

2024-03-06

Impact:

MEDIUM

Summary:

Researchers at Cado Security Labs have discovered a new malware campaign that targets misconfigured servers that host web-facing services including Redis, Docker, Apache Hadoop YARN, and Confluence. The campaign makes use of several distinct and unreported payloads, such as four Golang binaries, which are instruments for automatically locating and infecting sites that are hosting the aforementioned services. By utilizing common misconfigurations and an n-day vulnerability, the attackers use these tools to generate exploit code that allows them to conduct Remote Code Execution (RCE) attacks and infect new hosts.

Source:
https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/

Intel Source:

Intel-Ops

Intel Name:

Examining_Infrastructure_That_8Base_Using_in_Relation_to_Phobos_Ransomware

Date of Scan:

2024-03-06

Impact:

MEDIUM

Summary:

Intel-Ops is actively monitoring infrastructure that has been determined to be a part of the 8Base Ransomware organization, which is responsible for operating the Phobos ransomware. A dispersed group of affiliates with extremely similar TTPs, along with several variants (Eking, Eight, Elbie, Devos, and Faust), make Phobos an estimated Ransomware-as-a-Service (RaaS).

Source:
https://medium.com/@Intel_Ops/phobos-ransomware-analysing-associated-infrastructure-used-by-8base-646560302a8d

Intel Source:

Qurium

Intel Name:

The_fake_video_connected_to_Russian_cyberscam_network

Date of Scan:

2024-03-06

Impact:

MEDIUM

Summary:

A deep fake video of Maria Ressa promoting a crypto-currency scam was released in early February 2024. The video was hosted on a domain that contained links to a Russian cyberscam network. Metadata analysis revealed Russian influence behind the creation of the deep fake and fake news articles designed to discredit Ressa.

Source:
https://www.qurium.org/alerts/philippines/deep-fake-video-of-maria-ressa-connected-to-cyberscam-network-in-russia/

Intel Source:

Sucuri

Intel Name:

Distributed_WordPress_Brute_Force_Attack

Date of Scan:

2024-03-06

Impact:

MEDIUM

Summary:

The article discusses a recent attack on WordPress websites, where infected websites are used to launch a distributed brute force attack to guess passwords for other third-party sites. The attackers then visit the target sites to download valid credentials. The article provides statistics and tips for mitigating the risk of such attacks, as well as a new development in website hacks involving Web3 crypto wallet drainers. It also explains the process of uploading encrypted credentials and the different stages of the attack. The article concludes by offering assistance for those who believe their website may be infected.

Source:
https://blog.sucuri.net/2024/03/from-web3-drainer-to-distributed-wordpress-brute-force-attack.html

Intel Source:

Cyfirma Research

Intel Name:

New_Lighter_Ransomware_Targeting_Individuals_in_UK_and_US

Date of Scan:

2024-03-06

Impact:

MEDIUM

Summary:

Researchers at Cyfirma have identified a brand-new malware developed by the Lighter Extortion group, which they have named Lighter malware. An uncommon instance of triple extortion, in which the threat actors make threats against the victim if the ransom is not paid in addition to encrypting the data and exfiltrating it. The threat actors are probably going to target people in the US and the UK based on the ransom note.

Source:
https://www.linkedin.com/posts/cyfirma-research-6a8073245_our-researcher-kaush%C3%ADk-pa%C5%82-discovered-a-new-activity-7171078602367594496-4w2G?utm_source=li_share&utm_content=feedcontent&utm_medium=g_dt_web&utm_campaign=copy

Intel Source:

Trend Micro

Intel Name:

Diving_Deep_into_Earth_Kapre_Group

Date of Scan:

2024-03-06

Impact:

LOW

Summary:

Researchers at Trend Micro have investigated Earth Kapre, also known as RedCurl and Red Wolf. The successful investigation that revealed Earth Kapre’s intrusion sets used in a recent event, as well as the way the team used threat intelligence to link the evidence that was taken out to the cyberespionage threat organization.

Source:
https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html

Intel Source:

Proofpoint

Intel Name:

TA4903_Using_Phishing_Attack_on_US_Government_and_Small_Businesses

Date of Scan:

2024-03-06

Impact:

MEDIUM

Summary:

Researchers at Proofpoint have noticed a rise in credential phishing and fraud efforts in the middle of 2023 and early 2024 that use themes other than TA4903. The performer started parodying small and medium-sized enterprises (SMBs) across a range of sectors, including as manufacturing, energy, finance, food and beverage, and construction. The pace of BEC themes has also increased, according to Proofpoint, with themes like “cyberattacks” being used to entice victims to divulge their banking and payment information.

Source:
https://www.proofpoint.com/us/blog/threat-insight/ta4903-actor-spoofs-us-government-small-businesses-phishing-bec-bids

Intel Source:

ASEC

Intel Name:

WebLogic_Server_Exploited_by_z0Miner

Date of Scan:

2024-03-06

Impact:

LOW

Summary:

Researchers from ASEC have discovered multiple instances of threat actors targeting weak Korean servers. The following report describes a recent incident involving an attack against Korean WebLogic servers by the threat actor “z0Miner.”

Source:
https://asec.ahnlab.com/en/62564/

Intel Source:

Sekoia

Intel Name:

The_DDoSia_Project_of_NoName057_16

Date of Scan:

2024-03-06

Impact:

LOW

Summary:

Since the start of the conflict in Ukraine, a number of organizations dubbed “nationalist hacktivists” have surfaced, mostly on the Russian side, to fuel hostilities between Moscow and Kyiv. Of these organizations, the pro-Russian group NoName057(16) has gained notoriety for starting Project DDoSia, a group effort to launch massive distributed denial-of-service (DDoS) attacks against organizations (private companies, government agencies, and state institutions) that are part of nations that back Ukraine, primarily NATO members.

Source:
https://blog.sekoia.io/noname05716-ddosia-project-2024-updates-and-behavioural-shifts

Intel Source:

Sophos, GitHub

Intel Name:

Attackers_still_abusing_Terminator_tool_and_variants

Date of Scan:

2024-03-06

Impact:

MEDIUM

Summary:

A threat intelligence report describes that threat actors continue to leverage vulnerable drivers like Zemana Anti-Logger and Anti-Malware to disable security products through Bring Your Own Vulnerable Driver attacks. Variants of the Terminator tool that exploits these drivers are still observed in the wild. The actors use the drivers for lateral movement and privilege escalation as part of ransomware campaigns targeting healthcare and other industries.

Source:
https://news.sophos.com/en-us/2024/03/04/itll-be-back-attackers-still-abusing-terminator-tool-and-variants/
https://github.com/sophoslabs/IoCs/blob/master/Zemana-driver-IoCs.csv

Intel Source:

Double Agent

Intel Name:

A_novel_backdoor_GTPDOOR

Date of Scan:

2024-03-05

Impact:

LOW

Summary:

GTPDOOR is Linux malware that communicates C2 traffic over GTP-C signaling messages, blending in with normal telco traffic. It can execute commands sent in GTP echo requests and probe hosts covertly via TCP packets. Versions target x86 and i386 architectures.

Source:
https://doubleagent.net/telecommunications/backdoor/gtp/2024/02/27/GTPDOOR-COVERT-TELCO-BACKDOOR

Intel Source:

Cisco Talos

Intel Name:

A_surge_of_new_GhostLocker_2_ransomware_by_GhostSec_threat_group

Date of Scan:

2024-03-05

Impact:

MEDIUM

Summary:

The article discusses the evolution and joint operation of GhostSec and Stormous, two hacking groups that have collaborated to conduct double extortion attacks using the GhostLocker and StormousX ransomware programs. It provides details on the various versions of GhostLocker, its C2 panels, and the features provided to affiliates. The article also mentions two new tools in GhostSec’s arsenal, the GhostSec Deep Scan toolset and GhostPresser, which are used for scanning and attacking legitimate websites. It discusses the groups’ focus on raising funds for hacktivists and threat actors and their new ransomware-as-a-service program. The article also provides information on the capabilities of GhostPresser, a tool used to target WordPress websites, and how Cisco Secure Endpoint and other Cisco products can prevent the execution of this malware. It also includes a list of indicators associated with this threat.

Source:
https://blog.talosintelligence.com/ghostsec-ghostlocker2-ransomware/

Intel Source:

Cyfirma Research

Intel Name:

An_Extremely_Harmful_Malware_WinDestroyer

Date of Scan:

2024-03-05

Impact:

LOW

Summary:

Researchers from CYFIRMA have discovered WinDestroyer, a harmful malware. The ransomware does not seek a ransom, indicating that it is not motivated by money. This advanced threat uses sophisticated tactics to render systems unusable, including lateral movement capabilities, API hammering, and DLL reload attacks.

Source:
https://www.linkedin.com/posts/cyfirma-research-6a8073245_windestroyer-and-its-origin-activity-7170733140540346368-Rmvc?utm_source=li_share&utm_content=feedcontent&utm_medium=g_dt_web&utm_campaign=copy

Intel Source:

NS Focus Global

Intel Name:

The_security_threats_from_malicious_machine_learning_models

Date of Scan:

2024-03-05

Impact:

LOW

Summary:

The article discusses the potential security threats posed by malicious machine learning (ML) models on the Hugging Face platform. It provides background information on a recent report that found some ML models on Hugging Face may be used to attack the user environment, leading to code execution and providing attackers with full control of the infected machine. The affected models, specifically the baller423/goober2 model, are discussed in detail, along with a technical analysis of how they work and how they can be loaded and executed. The article also highlights the potential risks associated with PyTorch and Tensorflow models. It concludes with mitigation methods, such as using Hugging Face’s new format Safetensors and implementing security measures like malware and Pickle scanning. The article emphasizes the importance of thorough scrutiny and safety measures when dealing with ML models from untrusted sources and the urgency of AI model security.

Source:
https://nsfocusglobal.com/ai-supply-chain-security-hugging-face-malicious-ml-models/

Intel Source:

Cert.360

Intel Name:

New_variant_of_SupermanMiner_mining_malware

Date of Scan:

2024-03-05

Impact:

LOW