2022-09-30
LockBit_3_0_aka_LockBit_Black
MEDIUM
Intel Source:
Multiple
Intel Name:
LockBit_3_0_aka_LockBit_Black
Date of Scan:
2022-09-30
Impact:
MEDIUM
Summary:
Researchers have analyzed LockBit and identified that it is back as LockBit 3.0.
Source: https://docs.google.com/spreadsheets/d/1Now95XPSkvEiCJy5H5iqgTDKi_ATZeBY_PhnxSUhWl8/edit#gid=0
2022-09-30
Hackers_using_Quantum_Builder_to_deliver_Agent_Tesla_RAT
LOW
Intel Source:
Zscaler
Intel Name:
Hackers_using_Quantum_Builder_to_deliver_Agent_Tesla_RAT
Date of Scan:
2022-09-30
Impact:
LOW
Summary:
Zscaler ThreatLabz researchers have observed a campaign that delivers Agent Tesla, a .NET-based keylogger and remote access trojan (RAT), using a builder named “Quantum Builder” sold on the dark web.
Source: https://www.zscaler.com/blogs/security-research/agent-tesla-rat-delivered-quantum-builder-new-ttps
2022-09-30
Polyglot_File_Delivering_IcedID
LOW
Intel Source:
Palo Alto
Intel Name:
Polyglot_File_Delivering_IcedID
Date of Scan:
2022-09-30
Impact:
LOW
Summary:
Palo Alto researchers have observed a polyglot Microsoft Compiled HTML Help file being employed in the infection process used by the IcedID information stealer.
Source: https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload/
2022-09-30
New_Malware_Variants_Deliver_Fake_Cloudflare_DDoS_Captcha
LOW
Intel Source:
Sucuri
Intel Name:
New_Malware_Variants_Deliver_Fake_Cloudflare_DDoS_Captcha
Date of Scan:
2022-09-30
Impact:
LOW
Summary:
Researchers from Sucuri have previously identified malware that prompts the user with a bogus Cloudflare DDoS protection screen; in this new wave, they observed a fake CAPTCHA dialog masquerading as the popular Cloudflare service.
Source: https://blog.sucuri.net/2022/09/new-malware-variants-serve-bogus-cloudflare-ddos-captcha.html
2022-09-30
Finding_APTs_using_Unsigned_DLLs_Loader
MEDIUM
Intel Source:
Palo Alto
Intel Name:
Finding_APTs_using_Unsigned_DLLs_Loader
Date of Scan:
2022-09-30
Impact:
MEDIUM
Summary:
Palo Alto researchers have observed a technique called "unsigned DLL loading", which is used to evade detection and carry out more sophisticated attacks.
Source: https://unit42.paloaltonetworks.com/unsigned-dlls/
2022-09-30
The_examination_of_Wiper_Malware_Part_3
LOW
Intel Source:
Crowdstrike
Intel Name:
The_examination_of_Wiper_Malware_Part_3
Date of Scan:
2022-09-30
Impact:
LOW
Summary:
Researchers from CrowdStrike have covered various input/output controls (IOCTLs) in more detail and how they are used to achieve different goals — including acquiring information about infected machines and locking/unlocking disk volumes, among others.
Source: https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/
2022-09-30
A_new_Cobalt_Strike_payload_campaign
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
A_new_Cobalt_Strike_payload_campaign
Date of Scan:
2022-09-30
Impact:
MEDIUM
Summary:
Researchers from Cisco have discovered a campaign that is delivering Cobalt Strike beacons that could be used in later, follow-on attacks.
Source: https://blog.talosintelligence.com/2022/09/new-campaign-uses-government-union.html
2022-09-30
Detecting_and_Removing_Malicious_Software_Masquerading_as_Doenerium_Stealer
LOW
Intel Source:
Cyble
Intel Name:
Detecting_and_Removing_Malicious_Software_Masquerading_as_Doenerium_Stealer
Date of Scan:
2022-09-30
Impact:
LOW
Summary:
A spear-phishing email campaign targeting Office 365 users has been observed by Cyble researchers. The same domain has also been observed hosting several other malware variants, such as the Doenerium stealer.
Source: https://blog.cyble.com/2022/09/28/new-information-stealer-targeting-crypto-wallets/
2022-09-29
Void_Balaur_hack_for_hire_campaigns
MEDIUM
Intel Source:
SentinelOne
Intel Name:
Void_Balaur_hack_for_hire_campaigns
Date of Scan:
2022-09-29
Impact:
MEDIUM
Summary:
SentinelOne researchers have observed that the cyber-mercenary group known as Void Balaur continues to expand its hack-for-hire campaigns and its targeting of a wide variety of individuals and organizations across the globe.
Source: https://www.sentinelone.com/labs/the-sprawling-infrastructure-of-a-careless-mercenary/
2022-09-29
LockBit_3_0_Ransomware_Spreading_via_Word_Documents
LOW
Intel Source:
ASEC
Intel Name:
LockBit_3_0_Ransomware_Spreading_via_Word_Documents
Date of Scan:
2022-09-29
Impact:
LOW
Summary:
ASEC researchers have identified that LockBit 3.0 ransomware, previously distributed in NSIS format while disguised as job application emails, is also being distributed in Word document format.
Source: https://asec.ahnlab.com/en/39242/ https://asec.ahnlab.com/en/39259/
2022-09-28
A_Trojan_Downloader_Named_NullMixer
LOW
Intel Source:
Securelist
Intel Name:
A_Trojan_Downloader_Named_NullMixer
Date of Scan:
2022-09-28
Impact:
LOW
Summary:
Researchers from Securelist have identified that a large proportion of the malware families dropped by NullMixer are classified as Trojan-Downloaders.
Source: https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/
2022-09-28
Mass_Emailing_campaign_delivering_Agent_Tesla_malware
LOW
Intel Source:
Securelist
Intel Name:
Mass_Emailing_campaign_delivering_Agent_Tesla_malware
Date of Scan:
2022-09-28
Impact:
LOW
Summary:
Researchers from Securelist have discovered a spam campaign that delivers Agent Tesla malware. On analysis, the email messages turned out to be high-quality imitations of business inquiries from real companies.
Source: https://securelist.com/agent-tesla-malicious-spam-campaign/107478/
2022-09-28
A_new_variant_of_Graphite_Malware
MEDIUM
Intel Source:
Cluster25
Intel Name:
A_new_variant_of_Graphite_Malware
Date of Scan:
2022-09-28
Impact:
MEDIUM
Summary:
Cluster25 researchers have analyzed a lure document used to implant a variant of Graphite malware, which is linked to the threat actor known as APT28.
Source: https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/
2022-09-28
Malicious_NPM_package_discovered_in_supply_chain_attack
MEDIUM
Intel Source:
ReversingLab
Intel Name:
Malicious_NPM_package_discovered_in_supply_chain_attack
Date of Scan:
2022-09-28
Impact:
MEDIUM
Summary:
Researchers from ReversingLabs have identified that the Material Tailwind library is being impersonated in an apparent supply chain attack targeting developers. The team spotted a look-alike NPM package circulating on repositories, intended to trick unwitting developers into using the package in place of the real library.
Source: https://blog.reversinglabs.com/blog/threat-analysis-malicious-npm-package-mimicks-material-tailwind-css-tool
2022-09-27
FARGO_Ransomware_Targeting_Vulnerable_Microsoft_SQL_Servers
LOW
Intel Source:
ASEC
Intel Name:
FARGO_Ransomware_Targeting_Vulnerable_Microsoft_SQL_Servers
Date of Scan:
2022-09-27
Impact:
LOW
Summary:
Researchers from ASEC have discovered the distribution of FARGO ransomware targeting vulnerable MS-SQL servers. Along with GlobeImposter, FARGO is one of the prominent ransomware families that target vulnerable MS-SQL servers.
Source: https://asec.ahnlab.com/en/39152/
2022-09-27
BumbleBee_Malware_Deploying_Cobalt_Strike_and_Meterpreter
LOW
Intel Source:
DFIR Report
Intel Name:
BumbleBee_Malware_Deploying_Cobalt_Strike_and_Meterpreter
Date of Scan:
2022-09-27
Impact:
LOW
Summary:
Researchers from DFIR have identified threat actors using BumbleBee malware to deploy Cobalt Strike and Meterpreter. They used RDP and SMB to move around the network looking at backup systems and file shares before being evicted from the network.
Source: https://thedfirreport.com/2022/09/26/bumblebee-round-two/
2022-09-27
Floxif_Malware_Family_Leveraging_Cookies
LOW
Intel Source:
ISC.SANS
Intel Name:
Floxif_Malware_Family_Leveraging_Cookies
Date of Scan:
2022-09-27
Impact:
LOW
Summary:
Researchers from SANS have analyzed a recently disclosed vulnerability by Vectra that affects Microsoft Teams.
Source: https://isc.sans.edu/forums/diary/Kids+Like+Cookies+Malware+Too/29082/
2022-09-27
Phishing_Campaign_Targeting_GitHub_Accounts
LOW
Intel Source:
GitHub Blog
Intel Name:
Phishing_Campaign_Targeting_GitHub_Accounts
Date of Scan:
2022-09-27
Impact:
LOW
Summary:
Researchers from the GitHub security team have identified that hackers are targeting GitHub users to steal credentials and two-factor authentication (2FA) codes by impersonating the CircleCI DevOps platform.
Source: https://github.blog/2022-09-21-security-alert-new-phishing-campaign-targets-github-users/
2022-09-26
Noberus_Ransomware_Continues_to_Develop_its_TTPs
LOW
Intel Source:
Symantec
Intel Name:
Noberus_Ransomware_Continues_to_Develop_its_TTPs
Date of Scan:
2022-09-26
Impact:
LOW
Summary:
Symantec researchers have identified that the Noberus (aka BlackCat, ALPHV) ransomware has been using new tactics, tools, and procedures in recent months, which makes the threat more dangerous than ever.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps
2022-09-26
New_Hacking_Group_Metador_Targeting_Telecommunications_ISPs_and_Universities
MEDIUM
Intel Source:
SentinelOne
Intel Name:
New_Hacking_Group_Metador_Targeting_Telecommunications_ISPs_and_Universities
Date of Scan:
2022-09-26
Impact:
MEDIUM
Summary:
Researchers from SentinelOne have discovered a new threat actor named Metador that is targeting telecommunications companies, internet service providers, and universities in several countries in the Middle East and Africa.
Source: https://assets.sentinelone.com/sentinellabs22/metador
2022-09-26
Chinese_Hacker_Group_TA413_Evolves_Capabilities_to_Targeting_Tibetan
LOW
Intel Source:
Recorded Future
Intel Name:
Chinese_Hacker_Group_TA413_Evolves_Capabilities_to_Targeting_Tibetan
Date of Scan:
2022-09-26
Impact:
LOW
Summary:
Recorded Future researchers have observed the targeting of ethnic and religious minority communities by Chinese state-sponsored groups for surveillance and intelligence-gathering purposes.
Source: https://www.recordedfuture.com/chinese-state-sponsored-group-ta413-adopts-new-capabilities-in-pursuit-of-tibetan-targets
2022-09-26
Cybercriminals_target_Magento_vulnerability_in_new_wave_of_attacks
LOW
Intel Source:
Sansec
Intel Name:
Cybercriminals_target_Magento_vulnerability_in_new_wave_of_attacks
Date of Scan:
2022-09-26
Impact:
LOW
Summary:
Researchers from Sansec have observed a surge in hacking attempts targeting CVE-2022-24086, a critical Magento 2 vulnerability allowing unauthenticated attackers to execute code on unpatched sites.
Source: https://sansec.io/research/magento-2-template-attacks
2022-09-26
NFT_Malware_Gets_New_Evasion_Abilities
LOW
Intel Source:
Morphisec
Intel Name:
NFT_Malware_Gets_New_Evasion_Abilities
Date of Scan:
2022-09-26
Impact:
LOW
Summary:
Researchers from Morphisec have tracked several waves of the NFT malware delivering the Remcos RAT. In June 2022 they found a shift in the crypter used to deliver the Remcos RAT. The Babadeda crypter has now been discarded for a newly staged downloader.
Source: https://blog.morphisec.com/nft-malware-new-evasion-abilities
2022-09-26
A_Technical_Analysis_of_Lockbit_3_0_Builder
LOW
Intel Source:
Cybergeeks
Intel Name:
A_Technical_Analysis_of_Lockbit_3_0_Builder
Date of Scan:
2022-09-26
Impact:
LOW
Summary:
Researchers from Cybergeeks have analyzed the LockBit 3.0 builder, which was leaked online on 21 September 2022.
Source: https://cybergeeks.tech/a-technical-analysis-of-the-leaked-lockbit-3-0-builder/
2022-09-23
Cybercriminals_are_Increasingly_Using_Domain_Shadowing
MEDIUM
Intel Source:
Palo Alto
Intel Name:
Cybercriminals_are_Increasingly_Using_Domain_Shadowing
Date of Scan:
2022-09-23
Impact:
MEDIUM
Summary:
Palo Alto researchers have discovered that domain shadowing is more widespread than previously thought, identifying 12,197 cases between April and June 2022.
Source: https://unit42.paloaltonetworks.com/domain-shadowing/
2022-09-23
FODHelper_Delivering_Remcos_RAT
LOW
Intel Source:
ISC.SANS
Intel Name:
FODHelper_Delivering_Remcos_RAT
Date of Scan:
2022-09-23
Impact:
LOW
Summary:
Researchers from SANS have identified a simple batch file that drops a Remcos RAT through an old UAC Bypass technique.
Source: https://isc.sans.edu/diary/rss/29078
2022-09-23
A_Deep_Analysis_of_Lazarus_Group_Rootkit_Attack_Using_BYOVD
LOW
Intel Source:
ASEC
Intel Name:
A_Deep_Analysis_of_Lazarus_Group_Rootkit_Attack_Using_BYOVD
Date of Scan:
2022-09-23
Impact:
LOW
Summary:
Researchers from ASEC have published a deep analysis of a Lazarus Group rootkit attack using BYOVD (bring your own vulnerable driver). The Lazarus Group is known to be a North Korean hacking group that has attacked various countries in America, Asia, and Europe.
Source: https://asec.ahnlab.com/wp-content/uploads/2022/09/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD_Sep-22-2022.pdf
2022-09-23
SystemBC_Malware_Turns_Infected_Computers_into_SOCKS5_Proxies
LOW
Intel Source:
BitSight
Intel Name:
SystemBC_Malware_Turns_Infected_Computers_into_SOCKS5_Proxies
Date of Scan:
2022-09-23
Impact:
LOW
Summary:
BitSight researchers have observed that SystemBC malware still turns infected computers into SOCKS5 proxy servers. Most bots cannot be reached from the internet, so this malware uses a backconnect architecture that allows clients to access proxy servers without having to interact directly with them.
Source: https://www.bitsight.com/blog/systembc-multipurpose-proxy-bot-still-breathes
2022-09-22
Distribution_of_NetSupport_RAT_via_SocGholish
LOW
Intel Source:
Cyble
Intel Name:
Distribution_of_NetSupport_RAT_via_SocGholish
Date of Scan:
2022-09-22
Impact:
LOW
Summary:
Researchers from Cyble have observed that hackers are using fake browser updates (SocGholish) to deliver the NetSupport RAT.
Source: https://blog.cyble.com/2022/09/21/netsupport-rat-distributed-via-socgholish/
2022-09-22
Iranian_hackers_Conduct_Cyber_Operations_Against_the_Government_of_Albania
MEDIUM
Intel Source:
CISA
Intel Name:
Iranian_hackers_Conduct_Cyber_Operations_Against_the_Government_of_Albania
Date of Scan:
2022-09-22
Impact:
MEDIUM
Summary:
Researchers from CISA have identified that one of the Iranian threat groups behind the destructive attack on the Albanian government's network in July had been lurking inside its systems for roughly 14 months.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-264a
2022-09-22
Hackers_Abusing_LinkedIn_Slink_to_Bypass_Secure_Email_Gateway
LOW
Intel Source:
Cofense
Intel Name:
Hackers_Abusing_LinkedIn_Slink_to_Bypass_Secure_Email_Gateway
Date of Scan:
2022-09-22
Impact:
LOW
Summary:
Cofense researchers have observed a phishing campaign that abuses LinkedIn smart links. While exploiting a well-known postal brand is nothing out of the ordinary, these phishing emails continue to pass undetected by popular email gateways.
Source: https://cofense.com/blog/threat-actors-abuse-linkedin-slink-to-bypass-secure-email-gateways
2022-09-22
Diving_Deep_into_Crytox_Ransomware
LOW
Intel Source:
Zscaler
Intel Name:
Diving_Deep_into_Crytox_Ransomware
Date of Scan:
2022-09-22
Impact:
LOW
Summary:
Researchers from Zscaler have published a technical analysis of Crytox ransomware, a multi-stage ransomware with a weak key-generation algorithm.
Source: https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware
2022-09-22
Active_Exploitation_of_Atlassian_Confluence_Vulnerability
LOW
Intel Source:
TrendMicro
Intel Name:
Active_Exploitation_of_Atlassian_Confluence_Vulnerability
Date of Scan:
2022-09-22
Impact:
LOW
Summary:
Researchers from Trend Micro have observed active exploitation samples abusing the Atlassian Confluence vulnerability (CVE-2022-26134) in the wild for malicious cryptocurrency mining.
Source: https://www.trendmicro.com/en_us/research/22/i/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware.html
2022-09-21
Magniber_Ransomware_file_extension_changed_from_jse_to_js
LOW
Intel Source:
ASEC
Intel Name:
Magniber_Ransomware_file_extension_changed_from_jse_to_js
Date of Scan:
2022-09-21
Impact:
LOW
Summary:
Researchers from ASEC have analyzed the Magniber ransomware script and found that it is still JavaScript, but its file extension has changed from *.jse to *.js.
Source: https://asec.ahnlab.com/en/39030/
2022-09-21
Zoom_Users_Targeted_by_Vidar_Stealer
MEDIUM
Intel Source:
Cyble
Intel Name:
Zoom_Users_Targeted_by_Vidar_Stealer
Date of Scan:
2022-09-21
Impact:
MEDIUM
Summary:
The researchers from Cyble have observed numerous fake Zoom sites that look exactly like the real Zoom sites. The purpose of these sites is to distribute malware disguised as the legitimate Zoom application.
Source: https://blog.cyble.com/2022/09/19/new-malware-campaign-targets-zoom-users/
2022-09-21
Konni_(RAT)_phishing_activity
LOW
Intel Source:
Fortinet
Intel Name:
Konni_(RAT)_phishing_activity
Date of Scan:
2022-09-21
Impact:
LOW
Summary:
Researchers at Fortinet recently caught a sophisticated phishing attempt deploying malware that they tied to the APT37 group's arsenal, including Konni and other RATs.
Source: https://www.fortinet.com/blog/threat-research/konni-rat-phishing-email-deploying-malware
2022-09-21
Attackers_Leveraging_Free_Online_Resources_for_Phishing_Campaigns
LOW
Intel Source:
ISC.SANS
Intel Name:
Attackers_Leveraging_Free_Online_Resources_for_Phishing_Campaigns
Date of Scan:
2022-09-21
Impact:
LOW
Summary:
Researchers from SANS have analyzed phishing campaigns using free online resources.
Source: https://isc.sans.edu/forums/diary/Phishing+Campaigns+Use+Free+Online+Resources/29074/
2022-09-21
Hackers_Leveraging_Browser_Extensions
LOW
Intel Source:
MalwareBytes
Intel Name:
Hackers_Leveraging_Browser_Extensions
Date of Scan:
2022-09-21
Impact:
LOW
Summary:
Malwarebytes researchers have detected a browser extension named PUP.Optional.AdMax. Extensions of this kind claim to be adblockers and do have some limited functionality.
Source: https://www.malwarebytes.com/blog/detections/pup-optional-admax
2022-09-21
Attackers_Abusing_Google_Tag_Manager_Payment_Card_E-Skimming
LOW
Intel Source:
Recorded Future
Intel Name:
Attackers_Abusing_Google_Tag_Manager_Payment_Card_E-Skimming
Date of Scan:
2022-09-21
Impact:
LOW
Summary:
According to Recorded Future researchers, 569 e-commerce domains have been infected by Magecart e-skimmers that exfiltrate stolen payment card information to GTM-based e-skimmer domains.
Source: https://go.recordedfuture.com/hubfs/reports/cta-2022-0920.pdf
2022-09-20
Fake_Telegram_Site_Delivering_RAT
LOW
Intel Source:
Cyble
Intel Name:
Fake_Telegram_Site_Delivering_RAT
Date of Scan:
2022-09-20
Impact:
LOW
Summary:
Cyble Research and Intelligence Labs team identified a fake Telegram website masquerading as a legitimate website that downloads a malicious installer. This installer abuses the Windows Defender application to perform RAT operations.
Source: https://blog.cyble.com/2022/09/17/fake-telegram-site-delivering-rat-aimed-at-chinese-users/
2022-09-20
The_Ragnar_Locker_ransomware_roundup_cover
MEDIUM
Intel Source:
Fortinet
Intel Name:
The_Ragnar_Locker_ransomware_roundup_cover
Date of Scan:
2022-09-20
Impact:
MEDIUM
Summary:
FortiGuard Labs gathered data on ransomware variants of interest that have been gaining traction within the OSINT community and their datasets. This Ransomware Roundup report covers the Ragnar Locker ransomware, providing readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against this variant.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-ragnar-locker-ransomware
2022-09-20
Microsoft_365_Phishing_Attacks_Targeting_US_Government_Agencies
MEDIUM
Intel Source:
Cofense
Intel Name:
Microsoft_365_Phishing_Attacks_Targeting_US_Government_Agencies
Date of Scan:
2022-09-20
Impact:
MEDIUM
Summary:
Cofense researchers have identified an ongoing phishing campaign targeting U.S. government contractors. In these phishing emails, scammers ask for bids for lucrative government projects, leading users to cloned versions of legitimate government websites.
Source: https://cofense.com/blog/credential-phishing-targeting-government-contractors-evolves-over-time
2022-09-20
The_Growth_of_Chromeloader_Malware
LOW
Intel Source:
VMware
Intel Name:
The_Growth_of_Chromeloader_Malware
Date of Scan:
2022-09-20
Impact:
LOW
Summary:
Researchers from VMware have analyzed Chromeloader malware and warned of an ongoing campaign in which malicious browser extensions, malware based on node-WebKit, and ransomware are being distributed.
Source: https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html
2022-09-20
Multiple_Malwares_delivered_by_Excel_Document
MEDIUM
Intel Source:
Fortinet
Intel Name:
Multiple_Malwares_delivered_by_Excel_Document
Date of Scan:
2022-09-20
Impact:
MEDIUM
Summary:
FortiGuard Labs recently captured an Excel document with an embedded malicious file in the wild. After some research on the file, Fortinet researchers learned that it exploits a particular vulnerability (CVE-2017-11882) to execute malicious code, affecting Microsoft Windows platforms and Windows users. Researchers picked the “lsbjqoyofgkmqbuleooykdekgopmtglvjl.exe” file (saved as “C:\Users\{UserName}\AppData\Roaming\word.exe”) as an example to analyze. It is the latest Formbook sample in the malware sample logs.
Source: https://www.fortinet.com/blog/threat-research/excel-document-delivers-malware-by-exploiting-cve-2017-11882
2022-09-20
Monster_RaaS_campaign_returned_as_a_new_variant
MEDIUM
Intel Source:
BlackBerry
Intel Name:
Monster_RaaS_campaign_returned_as_a_new_variant
Date of Scan:
2022-09-20
Impact:
MEDIUM
Summary:
BlackBerry Research & Intelligence team examined all samples about Monster ransomware which is delivered as a 32-bit binary. A hidden user interface gives threat actors control of multiple features of the ransomware on a victim’s machine, including selective encryption, self-deletion, and control over services and processes. Monster is also highly configurable, so threat actors can set their own custom extension and personalized ransom note.
Source: https://blogs.blackberry.com/en/2022/09/some-kind-of-monster-raas-hides-itself-using-traits-from-other-malware
2022-09-19
Preventing_ISO_Malware
LOW
Intel Source:
ISC.SANS
Intel Name:
Preventing_ISO_Malware
Date of Scan:
2022-09-19
Impact:
LOW
Summary:
Researchers from SANS have analyzed Chromeloader malware. This malware is a malicious extension for your browser, redirecting it to ad sites and hijacking searches. But with the success of this technique recently, I would not be surprised if others will take notice and switch to using it for other things.
Source: https://isc.sans.edu/diary/rss/29062
2022-09-19
The_widespread_of_RedLine_stealer
LOW
Intel Source:
Securelist
Intel Name:
The_widespread_of_RedLine_stealer
Date of Scan:
2022-09-19
Impact:
LOW
Summary:
Securelist's researchers recently caught suspicious activity that was part of a collection of malicious programs distributed in the form of a single installation file, self-extracting archive, or other file with installer-type functionality.
Source: https://securelist.com/self-spreading-stealer-attacks-gamers-via-youtube/107407/
2022-09-19
The_details_of_a_Publicly_Available_Slam_Ransomware_Builder
LOW
Intel Source:
SentinelOne
Intel Name:
The_details_of_a_Publicly_Available_Slam_Ransomware_Builder
Date of Scan:
2022-09-19
Impact:
LOW
Summary:
SentinelOne analysts have provided a thorough write-up of the Slam Ransomware Builder, showing how free ransomware builders like Slam offer an easy route into cybercrime and yet present a credible threat to organizations and enterprises. They also provided a detailed list of indicators to help security teams detect and protect against Slam ransomware payloads.
Source: https://www.sentinelone.com/blog/from-the-front-lines-slam-anatomy-of-a-publicly-available-ransomware-builder/
2022-09-19
TeamTNT_threat_actors_targeting_cloud_environments
LOW
Intel Source:
Aquasec
Intel Name:
TeamTNT_threat_actors_targeting_cloud_environments
Date of Scan:
2022-09-19
Impact:
LOW
Summary:
Aquasec analysts observed and analyzed three different attacks on their honeypots over the past week. The scripts and malware that were used bear a striking resemblance to those of the threat actor TeamTNT.
Source: https://blog.aquasec.com/new-malware-in-the-cloud-by-teamtnt
2022-09-19
Russia-Nexus_UAC-0113_Emulating_Telecommunication_Providers_in_Ukraine
LOW
Intel Source:
Recorded Future
Intel Name:
Russia-Nexus_UAC-0113_Emulating_Telecommunication_Providers_in_Ukraine
Date of Scan:
2022-09-19
Impact:
LOW
Summary:
Researchers at Insikt Group have continued monitoring UAC-0113 infrastructure, including the recurring use of dynamic DNS domains masquerading as telecommunication providers operating in Ukraine, which shows that the group's efforts to target entities in Ukraine remain ongoing. Domain masquerades can enable spearphishing campaigns or redirects that pose a threat to victim networks.
Source: https://www.recordedfuture.com/russia-nexus-uac-0113-emulating-telecommunication-providers-in-ukraine https://go.recordedfuture.com/hubfs/reports/cta-2022-0919.pdf
2022-09-16
BlackTech_Threat_Group_ExploitsF5_BIG-IP_Vulnerability
MEDIUM
Intel Source:
JPCERT
Intel Name:
BlackTech_Threat_Group_ExploitsF5_BIG-IP_Vulnerability
Date of Scan:
2022-09-16
Impact:
MEDIUM
Summary:
JPCERT has identified attack activity exploiting the F5 BIG-IP vulnerability (CVE-2022-1388) against Japanese organizations. The targeted organizations have confirmed that data in BIG-IP has been compromised.
Source: https://blogs.jpcert.or.jp/en/2022/09/bigip-exploit.html
2022-09-16
PrivateLoader_the_most_widely_used_loader_in_2022
LOW
Intel Source:
Sekoia
Intel Name:
PrivateLoader_the_most_widely_used_loader_in_2022
Date of Scan:
2022-09-16
Impact:
LOW
Summary:
PrivateLoader became one of the most widespread loaders used for a PPI (pay-per-install) service in 2022. SEKOIA analysts tracked PrivateLoader’s network infrastructure for several months and recently conducted an in-depth analysis of the malware. In parallel, they also monitored activities related to the ruzki PPI malware service.
Source: https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/
2022-09-16
Revived_Version_of_Raccoon_Stealer
LOW
Intel Source:
Cloudsek
Intel Name:
Revived_Version_of_Raccoon_Stealer
Date of Scan:
2022-09-16
Impact:
LOW
Summary:
CloudSEK researchers analyzed a Raccoon malware sample and found it to be an updated version of Raccoon stealer. In underground forums, the developer of Raccoon stealer is very active, regularly updating the malware and posting about new feature builds.
Source: https://cloudsek.com/recordbreaker-the-resurgence-of-raccoon/?utm_source=rss&utm_medium=rss&utm_campaign=recordbreaker-the-resurgence-of-raccoon
2022-09-16
Scammers_Abuse_Microsoft_Edge's_News_Feed_Ads
LOW
Intel Source:
MalwareBytes
Intel Name:
Scammers_Abuse_Microsoft_Edge's_News_Feed_Ads
Date of Scan:
2022-09-16
Impact:
LOW
Summary:
Researchers from Malwarebytes have identified an ongoing malvertising campaign that is injecting ads in the Microsoft Edge News Feed to redirect potential victims to websites pushing tech support scams.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2022/09/microsoft-edges-news-feed-pushes-tech-support-scam
2022-09-16
Russia_linked_Gamaredon_APT_Targeting_Ukraine_Using_InfoStealer_Malware
LOW
Intel Source:
Cisco Talos
Intel Name:
Russia_linked_Gamaredon_APT_Targeting_Ukraine_Using_InfoStealer_Malware
Date of Scan:
2022-09-16
Impact:
LOW
Summary:
Researchers at Cisco Talos have observed that the Russia-linked Gamaredon group has been targeting Ukrainian government, defense, and law enforcement agencies with a custom-made information-stealer implant.
Source: https://blog.talosintelligence.com/2022/09/gamaredon-apt-targets-ukrainian-agencies.html
2022-09-16
Hackers_Continue_to_Abuse_Google_Sites_and_Microsoft_Azure
LOW
Intel Source:
Netskope
Intel Name:
Hackers_Continue_to_Abuse_Google_Sites_and_Microsoft_Azure
Date of Scan:
2022-09-16
Impact:
LOW
Summary:
Netskope researchers discovered a phishing campaign where attackers are abusing Google Sites and Microsoft Azure Web Apps to steal cryptocurrency wallets and accounts from Coinbase, MetaMask, Kraken, and Gemini.
Source: https://www.netskope.com/es/blog/attackers-continue-to-abuse-google-sites-and-microsoft-azure-to-host-cryptocurrency-phishing
2022-09-16
Word_Maldoc_With_CustomXML_and_Renamed_VBAProject
LOW
Intel Source:
ISC.SANS
Intel Name:
Word_Maldoc_With_CustomXML_and_Renamed_VBAProject
Date of Scan:
2022-09-16
Impact:
LOW
Summary:
Researchers from SANS have analyzed samples and found that in one of them the VBA project file (an OLE file) is named FIzzyWAbnj.bin instead of the usual VBAProject.bin.
Source: https://isc.sans.edu/diary/rss/29056
2022-09-16
Trojanized_Putty_through_Phishing
LOW
Intel Source:
Mandiant
Intel Name:
Trojanized_Putty_through_Phishing
Date of Scan:
2022-09-16
Impact:
LOW
Summary:
Researchers from Mandiant identified a trojanized PuTTY ISO payload being delivered through a fabricated job lure (spear phishing) employed by the threat cluster tracked as UNC4034, suspected to be part of the "Operation Dream Job" campaigns.
Source: https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing
2022-09-15
Iranian_Cyber_Actors_Exploiting_Known_Vulnerabilities
MEDIUM
Intel Source:
CISA
Intel Name:
Iranian_Cyber_Actors_Exploiting_Known_Vulnerabilities
Date of Scan:
2022-09-15
Impact:
MEDIUM
Summary:
Researchers from CISA have identified Iranian Islamic Revolutionary Guard Corps (IRGC)-affiliated cyber actors exploiting vulnerabilities for data extortion and disk encryption for ransom operations.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-257a
2022-09-15
Webworm_hackers_modify_old_malware_in_new_attacks
LOW
Intel Source:
Symantec
Intel Name:
Webworm_hackers_modify_old_malware_in_new_attacks
Date of Scan:
2022-09-15
Impact:
LOW
Summary:
Researchers from Symantec have observed that the Chinese 'Webworm' hacking group is experimenting with customizing old malware in new attacks, likely to evade attribution and reduce operational costs.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats
2022-09-15
Malicious_Word_Document_With_a_Frameset
LOW
Intel Source:
ISC.SANS
Intel Name:
Malicious_Word_Document_With_a_Frameset
Date of Scan:
2022-09-15
Impact:
LOW
Summary:
SANS researchers have discovered a malicious Word OOXML document (the new ".docx" format) that is a simple downloader. No malicious code is contained in this document, but merely a reference to a second stage which will be delivered when the document is opened.
Source: https://isc.sans.edu/diary/rss/29052
2022-09-15
Exploiting_Notepad++_Plugins_for_Evasion_and_Persistence
LOW
Intel Source:
Cybereason
Intel Name:
Exploiting_Notepad++_Plugins_for_Evasion_and_Persistence
Date of Scan:
2022-09-15
Impact:
LOW
Summary:
Researchers from Cybereason have analyzed a specific technique that leverages Notepad++ plugins to persist and evade security mechanisms on a machine.
Source: https://www.cybereason.com/blog/threat-analysis-report-abusing-notepad-plugins-for-evasion-and-persistence
2022-09-15
One_of_the_most_used_infostealer_Erbium
LOW
Intel Source:
Cluster25
Intel Name:
One_of_the_most_used_infostealer_Erbium
Date of Scan:
2022-09-15
Impact:
LOW
Summary:
Cluster25 analysts observed that Erbium could become one of the most used infostealers among cybercriminals due to its wide range of capabilities and the growing demand for malware-as-a-service (MaaS).
Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer
2022-09-15
Greek_Banking_Users_Targeted_in_Phishing_Campaign
LOW
+
Intel Source:
Cyble
Intel Name:
Greek_Banking_Users_Targeted_in_Phishing_Campaign
Date of Scan:
2022-09-15
Impact:
LOW
Summary:
Researchers from Cyble discovered multiple URLs hosting pages pretending to be Greece's tax refund website. In order to transfer funds, users must confirm their current account number and the amount of their tax refund.
Source: https://blog.cyble.com/2022/09/14/phishing-campaign-targets-greek-banking-users/
2022-09-15
Japanese_Taxpayers_Targeted_in_Phishing_Campaign
LOW
+
Intel Source:
Cyble
Intel Name:
Japanese_Taxpayers_Targeted_in_Phishing_Campaign
Date of Scan:
2022-09-15
Impact:
LOW
Summary:
Researchers from Cyble Research & Intelligence Labs discovered a new phishing campaign imitating the National Tax Agency, which targets Japanese users by tricking them into sharing sensitive information.
Source: https://blog.cyble.com/2022/09/13/phishing-campaign-targets-japanese-tax-payers/
2022-09-15
Hackers_Are_Using_Name_of_Queen_Elizabeth_II_in_Phishing_Attacks
LOW
+
Intel Source:
ProofPoint
Intel Name:
Hackers_Are_Using_Name_of_Queen_Elizabeth_II_in_Phishing_Attacks
Date of Scan:
2022-09-15
Impact:
LOW
Summary:
Researchers at Proofpoint have identified threat actors exploiting the death of Queen Elizabeth II in phishing attacks to steal their targets' Microsoft accounts.
Source: https://twitter.com/threatinsight/status/1570092339984584705
2022-09-14
Hackers_Exploiting_Oracle_WebLogic_Server_Vulnerabilities
MEDIUM
+
Intel Source:
TrendMicro
Intel Name:
Hackers_Exploiting_Oracle_WebLogic_Server_Vulnerabilities
Date of Scan:
2022-09-14
Impact:
MEDIUM
Summary:
Trend Micro researchers have observed malicious actors exploiting both newly disclosed and older Oracle WebLogic Server vulnerabilities to deliver cryptocurrency-mining malware.
Source: https://www.trendmicro.com/en_us/research/22/i/a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerab.html
2022-09-14
A_new_variant_of_Agent_Tesla
LOW
+
Intel Source:
Palo Alto
Intel Name:
A_new_variant_of_Agent_Tesla
Date of Scan:
2022-09-14
Impact:
LOW
Summary:
The Agent Tesla keylogger's developers posted on the Agent Tesla Discord server that users should switch to a new keylogger, OriginLogger, which is based on Agent Tesla and offers all of the same features. Because OriginLogger is a variant of Agent Tesla, the majority of tools and detections for Agent Tesla will still trigger on OriginLogger samples.
Source: https://unit42.paloaltonetworks.com/originlogger/
2022-09-14
New_Linux_SideWalk_backdoor_Variant_used_by_SparklingGoblin_APT_Hackers
LOW
+
Intel Source:
WeliveSecurity
Intel Name:
New_Linux_SideWalk_backdoor_Variant_used_by_SparklingGoblin_APT_Hackers
Date of Scan:
2022-09-14
Impact:
LOW
Summary:
ESET researchers have discovered a Linux variant of the SideWalk backdoor used by SparklingGoblin, an APT group whose tactics, techniques, and procedures partially overlap with those of APT41 and BARIUM.
Source: https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/
2022-09-14
Easy_Process_Injection_within_Python
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Easy_Process_Injection_within_Python
Date of Scan:
2022-09-14
Impact:
LOW
Summary:
Researchers from SANS have analyzed malicious Python scripts that can call any Microsoft Windows API and perform process injection using the classic VirtualAlloc, CreateRemoteThread, and similar calls.
Source: https://isc.sans.edu/diary/rss/29048
2022-09-14
A_detailed_Analysis_of_Iranian_COBALT_MIRAGE_Threat_Group
LOW
+
Intel Source:
Secureworks
Intel Name:
A_detailed_Analysis_of_Iranian_COBALT_MIRAGE_Threat_Group
Date of Scan:
2022-09-14
Impact:
LOW
Summary:
Researchers at Secureworks have analyzed ransomware incidents and uncovered details about Iranian COBALT MIRAGE operations. During this incident, COBALT MIRAGE exploited ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-30207).
Source: https://www.secureworks.com/blog/opsec-mistakes-reveal-cobalt-mirage-threat-actors
2022-09-14
A_distribution_of_masking_phishing_websites
LOW
+
Intel Source:
ASEC
Intel Name:
A_distribution_of_masking_phishing_websites
Date of Scan:
2022-09-14
Impact:
LOW
Summary:
While collecting various malware strains, ASEC analysts caught one targeting Korean users that has been distributed continuously since August to Korean email accounts only. This phishing website's URL is not only distributed through email but also appears among the top results of the Google search engine.
Source: https://asec.ahnlab.com/en/38786/
2022-09-13
Ransomware_Campaigns_Linked_to_Iranian_Govt's_DEV_0270_Hackers
LOW
+
Intel Source:
Microsoft
Intel Name:
Ransomware_Campaigns_Linked_to_Iranian_Govt's_DEV_0270_Hackers
Date of Scan:
2022-09-13
Impact:
LOW
Summary:
Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS.
Source: https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
2022-09-13
Mitel_VoIP_Appliance_Vulnerability_Exploited_by_Lorenz_Ransomware_Group
LOW
+
Intel Source:
Arcticwolf
Intel Name:
Mitel_VoIP_Appliance_Vulnerability_Exploited_by_Lorenz_Ransomware_Group
Date of Scan:
2022-09-13
Impact:
LOW
Summary:
The Lorenz ransomware group was seen exploiting a critical-severity vulnerability in the Mitel MiVoice VoIP appliance for initial access into a victim's network, researchers at the cybersecurity firm Arctic Wolf reported.
Source: https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
2022-09-13
New_Espionage_Activity_Targeting_Asian_Governments
LOW
+
Intel Source:
Symantec
Intel Name:
New_Espionage_Activity_Targeting_Asian_Governments
Date of Scan:
2022-09-13
Impact:
LOW
Summary:
Researchers from Symantec have identified a campaign that targets government and state-owned organizations in several Asian countries, including the offices of multiple prime ministers or heads of government.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
2022-09-13
Iranian_Hackers_Targeting_Nuclear_Security_and_Genomic_Research
LOW
+
Intel Source:
ProofPoint
Intel Name:
Iranian_Hackers_Targeting_Nuclear_Security_and_Genomic_Research
Date of Scan:
2022-09-13
Impact:
LOW
Summary:
Proofpoint researchers have discovered a cyberespionage campaign conducted by TA453 threat actors linked to Iran. It targeted individuals specializing in nuclear security, Middle Eastern affairs, and genome research. To target their victims, threat actors used at least two actor-controlled personas.
Source: https://www.proofpoint.com/us/blog/threat-insight/ta453-uses-multi-persona-impersonation-capitalize-fomo
2022-09-12
Phishing_Word_Documents_with_Suspicious_URL
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Phishing_Word_Documents_with_Suspicious_URL
Date of Scan:
2022-09-12
Impact:
LOW
Summary:
Researchers from SANS have analyzed a quarantined email, marked as phishing by Defender, with the subject "Urgent Payment Issue".
Source: https://isc.sans.edu/diary/rss/29034
2022-09-12
A_new_form_of_delivery_of_the_Lampion_banking_trojan
LOW
+
Intel Source:
Cofense
Intel Name:
A_new_form_of_delivery_of_the_Lampion_banking_trojan
Date of Scan:
2022-09-12
Impact:
LOW
Summary:
Cofense PDC analysts have spotted threat actors delivering the Lampion malware in a new way, through a VBS loader. By using WeTransfer, a trusted cloud-based sharing platform, the threat actors attempt to gain users' trust while taking advantage of the service provided by the popular site.
Source: https://cofense.com/blog/lampion-trojan-utilizes-new-delivery-through-cloud-based-sharing
2022-09-12
Diving_Deep_into_Emotet_Malware
LOW
+
Intel Source:
DFIR Report
Intel Name:
Diving_Deep_into_Emotet_Malware
Date of Scan:
2022-09-12
Impact:
LOW
Summary:
Researchers from The DFIR Report have published a deep analysis of the Emotet malware.
Source: https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/
2022-09-09
Lazarus_Hackers_Targeting_Energy_Providers_Around_the_World
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
Lazarus_Hackers_Targeting_Energy_Providers_Around_the_World
Date of Scan:
2022-09-09
Impact:
MEDIUM
Summary:
A Cisco Talos study discovered that the North Korea-linked Lazarus Group targeted energy providers around the world from February through July 2022, including U.S., Canadian, and Japanese companies.
Source: https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
2022-09-09
Ransomware_Developers_Leveraging_Intermittent_Encryption_to_Avoid_Detection
LOW
+
Intel Source:
SentinelOne
Intel Name:
Ransomware_Developers_Leveraging_Intermittent_Encryption_to_Avoid_Detection
Date of Scan:
2022-09-09
Impact:
LOW
Summary:
SentinelOne researchers have observed that ransomware developers use intermittent encryption to evade detection. As a result of this encryption method, ransomware operators are able to evade detection systems and encrypt victims' files more quickly.
Source: https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/
2022-09-09
Bronze_President_Group_Targeting_Government_Officials
LOW
+
Intel Source:
Secureworks
Intel Name:
Bronze_President_Group_Targeting_Government_Officials
Date of Scan:
2022-09-09
Impact:
LOW
Summary:
Researchers from Secureworks have identified a PlugX malware campaign targeting computers belonging to government officials of several countries in Europe, the Middle East, and South America.
Source: https://www.secureworks.com/blog/bronze-president-targets-government-officials
2022-09-09
A_Deep_Investigation_of_Albanian_Government_Cyberattacks
LOW
+
Intel Source:
Microsoft
Intel Name:
A_Deep_Investigation_of_Albanian_Government_Cyberattacks
Date of Scan:
2022-09-09
Impact:
LOW
Summary:
Microsoft researchers investigated the cyberattacks on the Albanian government that disrupted public services and government websites. Besides the destructive cyberattack, MSTIC reports that an Iranian state-sponsored actor released sensitive information that had already been exfiltrated.
Source: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/
2022-09-09
Collecting_Credentials_Through_Third-Party_Software
LOW
+
Intel Source:
Palo Alto
Intel Name:
Collecting_Credentials_Through_Third-Party_Software
Date of Scan:
2022-09-09
Impact:
LOW
Summary:
Palo Alto researchers explored some common third-party software scenarios related to credential gathering, examining how passwords are stored, retrieved, and monitored based on real-world attack scenarios.
Source: https://unit42.paloaltonetworks.com/credential-gathering-third-party-software/
2022-09-08
An_Unusual_Case_of_Monti_Ransomware
LOW
+
Intel Source:
BlackBerry
Intel Name:
An_Unusual_Case_of_Monti_Ransomware
Date of Scan:
2022-09-08
Impact:
LOW
Summary:
The BlackBerry Incident Response team has investigated an attack by a previously unknown group, calling itself "MONTI," which encrypted nearly 20 user hosts as well as a multi-host VMware ESXi cluster, bringing down over 20 servers.
Source: https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger
2022-09-08
Conti_Cybercrime_Hackers_Targeting_Ukraine
LOW
+
Intel Source:
Google blog
Intel Name:
Conti_Cybercrime_Hackers_Targeting_Ukraine
Date of Scan:
2022-09-08
Impact:
LOW
Summary:
Researchers from Google's Threat Analysis Group have identified that some former Conti ransomware gang members are now part of a threat group tracked as UAC-0098, which is targeting Ukrainian organizations and European non-governmental organizations.
Source: https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/
2022-09-08
Moobot_Botnet_Targeting_Unpatched_D-Link_Routers
LOW
+
Intel Source:
Palo Alto
Intel Name:
Moobot_Botnet_Targeting_Unpatched_D-Link_Routers
Date of Scan:
2022-09-08
Impact:
LOW
Summary:
Researchers from Palo Alto have discovered attacks leveraging several vulnerabilities in D-Link routers; the vulnerabilities exploited include CVE-2015-2051, CVE-2018-6530, CVE-2022-26258, and CVE-2022-28958.
Source: https://unit42.paloaltonetworks.com/moobot-d-link-devices/?web_view=true#post-124794-_73lw4g4a4pw2
2022-09-08
A_new_remote_access_trojan_MagicRAT
LOW
+
Intel Source:
Cisco Talos
Intel Name:
A_new_remote_access_trojan_MagicRAT
Date of Scan:
2022-09-08
Impact:
LOW
Summary:
Researchers at Cisco Talos have observed a new Remote Access Trojan from the Lazarus APT group being exploited in the wild for arbitrary command execution.
Source: https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html https://github.com/Cisco-Talos/IOCs/tree/main/2022/09
2022-09-08
Vice_Society_Ransomware_Targeting_Education_Sector
LOW
+
Intel Source:
CISA
Intel Name:
Vice_Society_Ransomware_Targeting_Education_Sector
Date of Scan:
2022-09-08
Impact:
LOW
Summary:
The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks, and they have provided network defenders with Vice Society IOCs and TTPs observed by the FBI in attacks as of September 2022.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-249a
2022-09-08
A_Deep_Examination_of_PlugX_RAT_Loader
LOW
+
Intel Source:
Cybereason
Intel Name:
A_Deep_Examination_of_PlugX_RAT_Loader
Date of Scan:
2022-09-08
Impact:
LOW
Summary:
Cybereason researchers have investigated PlugX malware, a Remote Access Tool/Trojan (RAT) often used by Asian APT groups like APT27. With its many malicious "plugins," the malware has backdoor capabilities that allow it to take complete control over the environment.
Source: https://www.cybereason.com/blog/threat-analysis-report-plugx-rat-loader-evolution
2022-09-08
Zero-Day_Vulnerability_Exploited_in_BackupBuddy_Plugin
LOW
+
Intel Source:
Wordfence
Intel Name:
Zero-Day_Vulnerability_Exploited_in_BackupBuddy_Plugin
Date of Scan:
2022-09-08
Impact:
LOW
Summary:
Wordfence's Threat Intelligence team has discovered a zero-day vulnerability being actively exploited in BackupBuddy, a WordPress plugin with approximately 140,000 installations. The vulnerability allows unauthenticated users to download sensitive information from the affected site.
Source: https://www.wordfence.com/blog/2022/09/psa-nearly-5-million-attacks-blocked-targeting-0-day-in-backupbuddy-plugin/?web_view=true
2022-09-08
Bumblebee_Malware_Back_With_New_Technique
LOW
+
Intel Source:
Cyble
Intel Name:
Bumblebee_Malware_Back_With_New_Technique
Date of Scan:
2022-09-08
Impact:
LOW
Summary:
Researchers from Cyble came across a Twitter post in which a researcher described an interesting infection chain of the Bumblebee loader malware being distributed via spam campaigns.
Source: https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/
2022-09-08
In-depth_exploration_of_APT42
LOW
+
Intel Source:
Mandiant
Intel Name:
In-depth_exploration_of_APT42
Date of Scan:
2022-09-08
Impact:
LOW
Summary:
Mandiant researchers have conducted a deep analysis of APT42 and published a report. This report examines APT42's recent and historical activities, its tactics, techniques, and procedures, targeting patterns, and historical connections to APT35.
Source: https://www.mandiant.com/media/17826 https://www.mandiant.com/resources/blog/apt42-charms-cons-compromises
2022-09-07
Worok_Hackers_Targeting_Asian_Companies_and_Governments
LOW
+
Intel Source:
WeliveSecurity
Intel Name:
Worok_Hackers_Targeting_Asian_Companies_and_Governments
Date of Scan:
2022-09-07
Impact:
LOW
Summary:
WeLiveSecurity researchers have discovered a new cyberespionage group, Worok, that conducted targeted attacks using undocumented tools against various high-profile companies and local governments, mostly in Asia.
Source: https://www.welivesecurity.com/2022/09/06/worok-big-picture/
2022-09-07
Diving_Deep_into_TA505_Group
LOW
+
Intel Source:
PRODAFT
Intel Name:
Diving_Deep_into_TA505_Group
Date of Scan:
2022-09-07
Impact:
LOW
Summary:
Researchers from the PRODAFT Threat Intelligence team have published an in-depth analysis of the TA505 group. They also identified the group's control panel and used it to glean insight into how the organization works.
Source: https://www.prodaft.com/resource/detail/ta505-ta505-groups-tesla-gun-depth-analysis
2022-09-07
Cyber_Attackers_Leveraging_Red_Teaming_Tools
LOW
+
Intel Source:
Cyble
Intel Name:
Cyber_Attackers_Leveraging_Red_Teaming_Tools
Date of Scan:
2022-09-07
Impact:
LOW
Summary:
Cyble Researchers have discovered threat actors actively using PowerShell Empire to spread multiple infections and also employ these tools to perform highly stealthy and dangerous attacks against their targets.
Source: https://blog.cyble.com/2022/09/06/adversaries-actively-utilizing-powershell-empire/
2022-09-07
The_Ares_Banking_Trojan_Updated_with_Domain_Generation_Algorithm
LOW
+
Intel Source:
Zscaler
Intel Name:
The_Ares_Banking_Trojan_Updated_with_Domain_Generation_Algorithm
Date of Scan:
2022-09-07
Impact:
LOW
Summary:
In an update to the Ares banking trojan, researchers at Zscaler ThreatLabz observed a domain generation algorithm (DGA) that resembles Qakbot's. Threat actors attempt to maximize the life of an infection, which provides them with the opportunity to monetize compromised systems through wire fraud and ransomware attacks.
Source: https://www.zscaler.com/blogs/security-research/ares-banking-trojan-learns-old-tricks-adds-defunct-qakbot-dga
2022-09-06
DangerousSavanna_Malicious_Campaign_Targeting_Financial_Institutions
LOW
+
Intel Source:
Checkpoint
Intel Name:
DangerousSavanna_Malicious_Campaign_Targeting_Financial_Institutions
Date of Scan:
2022-09-06
Impact:
LOW
Summary:
Researchers from Check Point have analyzed a malicious campaign called DangerousSavanna, which has been targeting multiple major financial service groups in French-speaking Africa for the last two years.
Source: https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/
2022-09-06
Shikitega_Malware_Targeting_Linux
MEDIUM
+
Intel Source:
AT&T
Intel Name:
Shikitega_Malware_Targeting_Linux
Date of Scan:
2022-09-06
Impact:
MEDIUM
Summary:
Researchers from AT&T Alien Labs have discovered a new malware named Shikitega targeting endpoints and IoT devices that are running Linux operating systems.
Source: https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
2022-09-06
A_Detailed_Analysis_of_Mythic_C2_Framework
LOW
+
Intel Source:
TeamCymru
Intel Name:
A_Detailed_Analysis_of_Mythic_C2_Framework
Date of Scan:
2022-09-06
Impact:
LOW
Summary:
Researchers from Team Cymru have published a detailed examination of the Mythic C2 framework, a free-to-use, open-source tool written in Python that provides cross-platform payload creation options for Linux, macOS, and Windows.
Source: https://team-cymru.com/blog/2022/09/06/mythic-case-study-assessing-common-offensive-security-tools/
2022-09-06
NoName057(16)_Hacker_Group_Targeting_Ukraine_Supporters_with_DDoS_Attack
LOW
+
Intel Source:
Avast
Intel Name:
NoName057(16)_Hacker_Group_Targeting_Ukraine_Supporters_with_DDoS_Attack
Date of Scan:
2022-09-06
Impact:
LOW
Summary:
Researchers from Avast Threat Lab have identified a pro-Russian group named NoName057(16) that is performing DDoS attacks on websites belonging to governments, news agencies, armies, suppliers, telecommunications companies, transportation authorities, financial institutions, and more in Ukraine and in neighboring countries supporting Ukraine, such as Estonia, Lithuania, Norway, and Poland.
Source: https://decoded.avast.io/martinchlumecky/bobik/?utm_source=rss&utm_medium=rss&utm_campaign=bobik
2022-09-06
Play_Ransomware_Following_the_Tactics_of_Hive_and_Nokoyawa_Ransomware
LOW
+
Intel Source:
TrendMicro
Intel Name:
Play_Ransomware_Following_the_Tactics_of_Hive_and_Nokoyawa_Ransomware
Date of Scan:
2022-09-06
Impact:
LOW
Summary:
Trend Micro researchers have investigated Play ransomware and found that it uses many tactics that follow the playbook of both Hive and Nokoyawa ransomware, including similarities in the file names and file paths of their respective tools and payloads.
Source: https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html
2022-09-05
A_New_CodeRAT_is_Being_Exposed
LOW
+
Intel Source:
SafeBreach
Intel Name:
A_New_CodeRAT_is_Being_Exposed
Date of Scan:
2022-09-05
Impact:
LOW
Summary:
SafeBreach Labs researchers have discovered a new targeted attack and uncovered a new Remote Access Trojan, CodeRAT, which targets Farsi-speaking software developers using a Microsoft Dynamic Data Exchange (DDE) exploit.
Source: https://www.safebreach.com/resources/blog/remote-access-trojan-coderat/
2022-09-05
HWP_File_Exploit_OLE_Objects_and_Flash_Vulnerabilities
LOW
+
Intel Source:
ASEC
Intel Name:
HWP_File_Exploit_OLE_Objects_and_Flash_Vulnerabilities
Date of Scan:
2022-09-05
Impact:
LOW
Summary:
Researchers from ASEC have identified a malicious HWP file that exploits OLE objects and Flash vulnerabilities. The identified HWP file includes OLE objects, and the corresponding files are generated in the %TEMP% folder when the HWP file is opened.
Source: https://asec.ahnlab.com/en/38479/
2022-09-05
BumbleBee_is_Refactored_Version_of_Bookworm_Backdoor
LOW
+
Intel Source:
TrendMicro
Intel Name:
BumbleBee_is_Refactored_Version_of_Bookworm_Backdoor
Date of Scan:
2022-09-05
Impact:
LOW
Summary:
Researchers from Trend Micro analyzed a backdoor with a unique modular architecture and named it BumbleBee after a string embedded in it. The features of BumbleBee and Bookworm are similar, so BumbleBee is likely a refactored version of the latter, and it targets Asian local governments.
Source: https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html
2022-09-05
EvilProxy_PhaaS_with_MFA_Bypass_Rising_in_DarkWeb
LOW
+
Intel Source:
Resecurity
Intel Name:
EvilProxy_PhaaS_with_MFA_Bypass_Rising_in_DarkWeb
Date of Scan:
2022-09-05
Impact:
LOW
Summary:
Researchers from Resecurity have identified a new Phishing-as-a-Service (PhaaS) offering called EvilProxy advertised on the Dark Web. The threat actors use reverse proxy and cookie injection methods to bypass 2FA.
Source: https://resecurity.com/blog/article/evilproxy-phishing-as-a-service-with-mfa-bypass-emerged-in-dark-web
2022-09-02
The_Evidence_of_Connection_between_Raspberry_Robin_malware_and_Dridex
LOW
+
Intel Source:
IBM Security Intelligence
Intel Name:
The_Evidence_of_Connection_between_Raspberry_Robin_malware_and_Dridex
Date of Scan:
2022-09-02
Impact:
LOW
Summary:
Researchers from IBM have identified functional similarities between a malicious component used in the Raspberry Robin infection chain and a Dridex malware loader, further strengthening the operators' connections to the Russia-based Evil Corp group.
Source: https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/
2022-09-02
Diving_Deep_into_BianLian_Ransomware
MEDIUM
+
Intel Source:
Redacted
Intel Name:
Diving_Deep_into_BianLian_Ransomware
Date of Scan:
2022-09-02
Impact:
MEDIUM
Summary:
Researchers from Redacted have observed the BianLian threat actor tripling their known command and control (C2) infrastructure in the month of August, suggesting a possible increase in the actor’s operational tempo.
Source: https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/?utm_source=PR&utm_campaign=BianLian&utm_content=media
2022-09-02
Ransomware_targating_Microsoft_and_VMware_ESXiservers
LOW
+
Intel Source:
CSIRT
Intel Name:
Ransomware_targating_Microsoft_and_VMware_ESXiservers
Date of Scan:
2022-09-02
Impact:
LOW
Summary:
CSIRT has reported an incident that affected a government service. The incident involved ransomware that affected Microsoft and VMware ESXi servers in the institution's corporate networks.
Source: https://www.csirt.gob.cl/noticias/alerta-de-seguridad-cibernetica-incidente-en-servicio-publico/
2022-09-02
ELF_Based_Ransomware_targating_Linux_system
LOW
+
Intel Source:
Uptycs
Intel Name:
ELF_Based_Ransomware_targating_Linux_system
Date of Scan:
2022-09-02
Impact:
LOW
Summary:
Researchers from Uptycs have observed an Executable and Linkable Format (ELF) ransomware that encrypts files on Linux systems under a given folder path and drops a README note.
Source: https://www.uptycs.com/blog/another-ransomware-for-linux-likely-in-development
2022-09-02
A_Detailed_Analysis_of_Redeemer_Ransomware
LOW
+
Intel Source:
Cloudsek
Intel Name:
A_Detailed_Analysis_of_Redeemer_Ransomware
Date of Scan:
2022-09-02
Impact:
LOW
Summary:
Researchers from CloudSEK have deeply analyzed Redeemer Ransomware. It was initially identified in June 2021, and since then, four public versions (1.0, 1.5, 1.7, and 2.0) have been released.
Source: https://cloudsek.com/what-is-redeemer-ransomware-and-how-does-it-spread-a-technical-analysis/?utm_source=rss&utm_medium=rss&utm_campaign=what-is-redeemer-ransomware-and-how-does-it-spread-a-technical-analysis
2022-09-02
Prynt_Stealer_Malware_Secret_Backdoor_Exposed
LOW
+
Intel Source:
Zscaler
Intel Name:
Prynt_Stealer_Malware_Secret_Backdoor_Exposed
Date of Scan:
2022-09-02
Impact:
LOW
Summary:
Researchers from Zscaler have uncovered that the Prynt Stealer builder, along with the related WorldWind and DarkEye families, contains a secret backdoor in the code that ends up in every derivative copy and variant of these malware families.
Source: https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed
2022-09-02
Snake_Keylogger_Returns_with_New_Malspam_Campaign
LOW
+
Intel Source:
BitDefender
Intel Name:
Snake_Keylogger_Returns_with_New_Malspam_Campaign
Date of Scan:
2022-09-02
Impact:
LOW
Summary:
According to BitDefender researchers, the IP addresses used in the attack originated from Vietnam, while the campaign's main targets were based in the USA. To lure victims into opening ZIP archives, attackers use the profile of one of Qatar's largest IT and cloud service providers. It contains an executable called CPMPANY PROFILE.exe.
Source: https://www.bitdefender.com/blog/hotforsecurity/snake-keylogger-returns-in-malspam-campaign-disguised-as-business-portfolio-from-it-vendor/
2022-09-01
A_new_wild_version_of_ChromeLoader
LOW
+
Intel Source:
Cyber Geeks
Intel Name:
A_new_wild_version_of_ChromeLoader
Date of Scan:
2022-09-01
Impact:
LOW
Summary:
Cyber Geeks analyzed a new version of ChromeLoader (also known as Choziosi Loader) over the last couple of weeks; the campaign has become widespread and has spawned multiple versions, making atomic indicators ineffective for detection.
Source: https://cybergeeks.tech/chromeloader-browser-hijacker/
2022-09-01
Malicious_MS_Word_Files_Targeting_North_Korea
LOW
+
Intel Source:
ASEC
Intel Name:
Malicious_MS_Word_Files_Targeting_North_Korea
Date of Scan:
2022-09-01
Impact:
LOW
Summary:
Researchers from ASEC have discovered the continuous distribution of malicious Word files targeting specific individuals related to national defense and North Korea. Most of the confirmed Word files had filenames that included the names of individuals related to North Korea.
Source: https://asec.ahnlab.com/en/38182/
2022-09-01
RAT_Tool_Distributed_on_Github_as_Solution_File
LOW
+
Intel Source:
ASEC
Intel Name:
RAT_Tool_Distributed_on_Github_as_Solution_File
Date of Scan:
2022-09-01
Impact:
LOW
Summary:
ASEC researchers have discovered a RAT Tool disguised as a solution file (*.sln) on GitHub. To avoid detection, the malware disguised itself as a solution file. Upon execution, it injects into normal Windows programs, such as AppLaunch.exe, RegAsm.exe, and InstallUtil.exe, to run a RAT.
Source: https://asec.ahnlab.com/en/38150/
2022-09-01
Hackers_Leveraging_Fast_Reverse_Proxy_tool_to_Attack_Korean_Companies
LOW
+
Intel Source:
ASEC
Intel Name:
Hackers_Leveraging_Fast_Reverse_Proxy_tool_to_Attack_Korean_Companies
Date of Scan:
2022-09-01
Impact:
LOW
Summary:
ASEC researchers have identified hackers scanning and attacking externally accessible corporate PCs such as IIS web servers or MS Exchange servers. Afterward, they use a web shell to access part of the system and abuse Potato or other exploit tools that support privilege escalation, thereby obtaining system privileges.
Source: https://asec.ahnlab.com/en/38156/
2022-09-01
Ragnar_Locker_Ransomware_Targeting_Energy_Sector
LOW
+
Intel Source:
Cybereason
Intel Name:
Ragnar_Locker_Ransomware_Targeting_Energy_Sector
Date of Scan:
2022-09-01
Impact:
LOW
Summary:
Researchers from Cybereason have investigated Ragnar Locker, both a ransomware family and the ransomware operator behind it, which has recently claimed to have breached DESFA, a Greek pipeline company.
Source: https://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector
2022-09-01
Diving_Deep_into_Industrial_Espionage_Operation
LOW
+
Intel Source:
BitDefender
Intel Name:
Diving_Deep_into_Industrial_Espionage_Operation
Date of Scan:
2022-09-01
Impact:
LOW
Summary:
BitDefender researchers have analyzed a corporate espionage operation in depth. A common misconception is that espionage affects only large corporations or government entities, but it is more common than expected.
Source: https://businessinsights.bitdefender.com/deep-dive-into-a-corporate-espionage-operation
2022-09-01
The_cash_payments_online_fraud
LOW
+
Intel Source:
CERT-UA
Intel Name:
The_cash_payments_online_fraud
Date of Scan:
2022-09-01
Impact:
LOW
Summary:
CERT-UA observed an increase in the number of scam pages on the Facebook social network. The content of these pages refers to the topics of monetary compensation, the eHelp platform, and financial assistance from various organizations and partners.
Source: https://cert.gov.ua/article/1545776
2022-09-01
MagecartJavaScriptSkimmerStealingPaymentInformation
LOW
+
Intel Source:
Cyble
Intel Name:
MagecartJavaScriptSkimmerStealingPaymentInformation
Date of Scan:
2022-09-01
Impact:
LOW
Summary:
Researchers from Cyble Intelligence Labs have identified a JavaScript skimmer created by the Magecart threat group that has been stealing payment information from a Magento e-commerce website.
Source: https://blog.cyble.com/2022/09/01/highly-evasive-magecart-javascript-skimmer-active-in-the-wild/
2022-09-01
The_AgentTesla_malware_increased_distribution
LOW
+
Intel Source:
CERT-UA
Intel Name:
The_AgentTesla_malware_increased_distribution
Date of Scan:
2022-09-01
Impact:
LOW
Summary:
CERT-UA has tracked mass mailings of emails with the subject "Technisches Zeichnen" and an attached IMG file containing a CHM file of the same name; opening the CHM file executes JavaScript code.
Source: https://cert.gov.ua/article/1563322
2022-09-01
VBScript_downloads_a_malicious_HWP_file
LOW
+
Intel Source:
ASEC
Intel Name:
VBScript_downloads_a_malicious_HWP_file
Date of Scan:
2022-09-01
Impact:
LOW
Summary:
Researchers from the ASEC team have discovered a VBScript that downloads a malicious HWP file. The malware's distribution path is yet to be determined, but the VBScript is downloaded through curl.
Source: https://asec.ahnlab.com/en/38203/
2022-09-01
Hackers_Using_ModernLoader_RAT_to_Infect_Systems_with_Stealers_and_Cryptominers
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
Hackers_Using_ModernLoader_RAT_to_Infect_Systems_with_Stealers_and_Cryptominers
Date of Scan:
2022-09-01
Impact:
MEDIUM
Summary:
Researchers at Cisco Talos have observed three distinct campaigns between March and June 2022 that delivered a number of threats, including the ModernLoader bot, the RedLine information stealer, and cryptocurrency mining malware.
Source: https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html
2022-08-31
The_activation_of_PureCrypter_Loader_continues
MEDIUM
+
Intel Source:
Netlab 360
Intel Name:
The_activation_of_PureCrypter_Loader_continues
Date of Scan:
2022-08-31
Impact:
MEDIUM
Summary:
Researchers from Netlab have identified that the PureCrypter loader has continued to be active this year, delivering more than 10 other malware families including Formbook, SnakeKeylogger, AgentTesla, RedLine, AsyncRAT, and more.
Source: https://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families/
2022-08-30
AsyncRAT_Leveraging_Fully_Undetected_Downloader
LOW
+
Intel Source:
Netskope
Intel Name:
AsyncRAT_Leveraging_Fully_Undetected_Downloader
Date of Scan:
2022-08-30
Impact:
LOW
Summary:
Researchers from Netskope have analyzed the complete infection flow of AsyncRAT, from the FUD BAT downloader spotted by MalwareHunterTeam to the final payload. Although no AV vendor detects the file, it triggers many Sigma and IDS rule detections, as well as detections by the sandboxes used by VirusTotal.
Source: https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader
2022-08-30
TA423_threat_group_targeting_countries_in_South_China_Sea
MEDIUM
+
Intel Source:
ProofPoint
Intel Name:
TA423_threat_group_targeting_countries_in_South_China_Sea
Date of Scan:
2022-08-30
Impact:
MEDIUM
Summary:
Researchers from Proofpoint and the PwC threat intelligence team have identified a phishing campaign, running for over a year and currently ongoing, that targets countries bordering the South China Sea, with further intrusions in Australia, Europe, and the United States.
Source: https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea
2022-08-30
New_Golang_Attack_Campaign_GO#WEBBFUSCATOR_Leverages_Office_Macros
MEDIUM
+
Intel Source:
Securonix
Intel Name:
New_Golang_Attack_Campaign_GO#WEBBFUSCATOR_Leverages_Office_Macros
Date of Scan:
2022-08-30
Impact:
MEDIUM
Summary:
The Securonix Threat Labs Threat Research Team has recently analyzed a unique sample from a persistent Golang-based attack campaign, tracked by Securonix as GO#WEBBFUSCATOR, which infects the target system with malware delivered through Office macros.
Source: https://www.securonix.com/blog/golang-attack-campaign-gowebbfuscator-leverages-office-macros-and-james-webb-images-to-infect-systems/
2022-08-30
Crypto_miners_updated_with_latest_techniques
LOW
+
Intel Source:
AT&T
Intel Name:
Crypto_miners_updated_with_latest_techniques
Date of Scan:
2022-08-30
Impact:
LOW
Summary:
Researchers from AT&T Alien Labs have provided an overview of an ongoing crypto-mining campaign that caught their attention because of the large number of loaders that appeared during June, as well as how heavily staged the execution is for a malware as simple as a miner.
Source: https://cybersecurity.att.com/blogs/labs-research/crypto-miners-latest-techniques
2022-08-30
Mini_Stealer_Builder_and_Panel_For_Free
LOW
+
Intel Source:
Cyble
Intel Name:
Mini_Stealer_Builder_and_Panel_For_Free
Date of Scan:
2022-08-30
Impact:
LOW
Summary:
Cyble Research and Intelligence Labs have discovered a post on a cybercrime forum where a threat actor released MiniStealer's builder and panel for free; the actor claims that the stealer can target Windows 7, 10, and 11.
Source: https://blog.cyble.com/2022/08/29/mini-stealer-possible-predecessor-of-parrot-stealer/
2022-08-29
A_Crypto_Miner_Malware_Campaign_Named_Nitrokod
LOW
+
Intel Source:
Checkpoint
Intel Name:
A_Crypto_Miner_Malware_Campaign_Named_Nitrokod
Date of Scan:
2022-08-29
Impact:
LOW
Summary:
Researchers from Check Point have detected a crypto-mining campaign, called Nitrokod, which has potentially infected thousands of machines worldwide. It was created by a Turkish-speaking entity, and the campaign drops malware via trojanized free software available on popular download sites such as Softpedia and Uptodown.
Source: https://research.checkpoint.com/2022/check-point-research-detects-crypto-miner-malware-disguised-as-google-translate-desktop-and-other-legitimate-applications/
2022-08-29
TeamTNT_Group_Targeting_Cloud_Instances_and_Containerized_Environments
LOW
+
Intel Source:
Cloudsek
Intel Name:
TeamTNT_Group_Targeting_Cloud_Instances_and_Containerized_Environments
Date of Scan:
2022-08-29
Impact:
LOW
Summary:
CloudSEK researchers have identified that the known threat actor TeamTNT has been targeting cloud instances and containerized environments on systems around the world for at least two years.
Source: https://cloudsek.com/threatintelligence/timeline-ttps-of-teamtnt-cybercrime-group/
2022-08-29
Remcos_RAT_updated_with_New_TTPs
LOW
+
Intel Source:
SocInvestigations
Intel Name:
Remcos_RAT_updated_with_New_TTPs
Date of Scan:
2022-08-29
Impact:
LOW
Summary:
Researchers from SOCInvestigation have identified new TTPs of Remcos RAT. It is a dangerous trojan available to attackers for a relatively low price, and it comes with enough robust features to let attackers set up their own effective botnets.
Source: https://www.socinvestigation.com/remcos-rat-new-ttps-detection-response/
2022-08-29
The_emerging_of_BlueSky_ransomware
LOW
+
Intel Source:
SentinelOne
Intel Name:
The_emerging_of_BlueSky_ransomware
Date of Scan:
2022-08-29
Impact:
LOW
Summary:
SentinelOne researchers returned to BlueSky in late June 2022 and observed that this ransomware is being spread via trojanized downloads from questionable websites as well as through phishing emails.
Source: https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/
2022-08-29
First_Known_Phishing_Attack_Against_PyPI_Users
LOW
+
Intel Source:
CheckMarx
Intel Name:
First_Known_Phishing_Attack_Against_PyPI_Users
Date of Scan:
2022-08-29
Impact:
LOW
Summary:
Researchers from Checkmarx have identified an ongoing phishing campaign that aims to steal developer credentials and inject malicious updates into packages in the repository; it is the first known phishing attack against the Python Package Index (PyPI).
Source: https://medium.com/checkmarx-security/first-known-phishing-attack-against-pypi-contributor-95db34548868
2022-08-29
Spear-phishing_and_AiTM_Used_to_Hack_MS_Office_365_Accounts
LOW
+
Intel Source:
Mitiga
Intel Name:
Spear-phishing_and_AiTM_Used_to_Hack_MS_Office_365_Accounts
Date of Scan:
2022-08-29
Impact:
LOW
Summary:
The Mitiga Research Team has identified a sophisticated business email compromise (BEC) campaign directly targeting executives of organizations using Office 365.
Source: https://www.mitiga.io/blog/advanced-bec-scam-campaign-targeting-executives-on-o365
2022-08-26
New_Agenda_Ransomware_Customized_for_Each_Victim
LOW
+
Intel Source:
TrendMicro
Intel Name:
New_Agenda_Ransomware_Customized_for_Each_Victim
Date of Scan:
2022-08-26
Impact:
LOW
Summary:
Researchers from TrendMicro have discovered a new ransomware that is written in the Go programming language and targeting healthcare and education enterprises in Asia and Africa. This ransomware is called Agenda and is customized per victim.
Source: https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html
2022-08-26
A_deployment_of_32-bits_or_64-bits_malware
LOW
+
Intel Source:
ISC.SANS
Intel Name:
A_deployment_of_32-bits_or_64-bits_malware
Date of Scan:
2022-08-26
Impact:
LOW
Summary:
The researcher ran an experiment by downloading a set of samples from MalwareBazaar and produced some interesting statistics, based on YARA rules, on how many of them are 32-bit versus 64-bit.
Source: https://isc.sans.edu/diary/32+or+64+bits+Malware%3F/28968
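The diary above classifies samples as 32- or 64-bit with YARA rules. As an added example (not from the ISC diary and not its YARA rules), the following Python reads the same PE header fields a rule would match on, the COFF Machine value and the optional-header magic, and tallies a corpus of constructed stub headers. The stub builder and the sample names are assumptions for illustration, not real samples.

```python
import struct

# PE header constants (Microsoft PE/COFF specification)
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B       # optional header magic for 32-bit images
PE32PLUS_MAGIC = 0x20B   # optional header magic for 64-bit images


def pe_bitness(data: bytes) -> str:
    """Classify a PE image as '32', '64' or 'unknown'.

    Checks the same fields a YARA rule would: the MZ stub, e_lfanew,
    the PE signature, the COFF Machine field and the optional header magic.
    Machine and magic must agree, otherwise the header is treated as unknown.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "unknown"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # 4-byte signature + 20-byte COFF header must fit inside the buffer
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return "unknown"
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    opt_off = e_lfanew + 24  # optional header follows the COFF header
    if opt_size < 2 or opt_off + 2 > len(data):
        return "unknown"
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if machine == IMAGE_FILE_MACHINE_AMD64 and magic == PE32PLUS_MAGIC:
        return "64"
    if machine == IMAGE_FILE_MACHINE_I386 and magic == PE32_MAGIC:
        return "32"
    return "unknown"  # disagreeing fields or an architecture not handled here


def build_stub_pe(machine: int, magic: int) -> bytes:
    """Construct a minimal, non-runnable PE header for testing (not a real sample)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Signature, then Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff_header = b"PE\x00\x00" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 2, 0)
    optional_header = struct.pack("<H", magic)
    return dos_header + coff_header + optional_header


def tally(samples: dict) -> dict:
    """Count bitness over a {name: bytes} corpus, as the diary's per-rule stats do."""
    counts = {"32": 0, "64": 0, "unknown": 0}
    for data in samples.values():
        counts[pe_bitness(data)] += 1
    return counts


# Constructed corpus standing in for downloaded samples; names are illustrative only
SAMPLE_CORPUS = {
    "sample_a.exe": build_stub_pe(IMAGE_FILE_MACHINE_I386, PE32_MAGIC),
    "sample_b.exe": build_stub_pe(IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC),
    "sample_c.exe": build_stub_pe(IMAGE_FILE_MACHINE_I386, PE32PLUS_MAGIC),  # inconsistent header
    "sample_d.bin": b"not a PE file at all",
}

if __name__ == "__main__":
    for name, data in SAMPLE_CORPUS.items():
        print(f"{name}: {pe_bitness(data)}")
    print(tally(SAMPLE_CORPUS))
```

Requiring Machine and the optional-header magic to agree matters on a malware corpus: a sample that patches one field to confuse tooling lands in the unknown bucket instead of being silently misclassified, and that bucket is worth inspecting by hand.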
2022-08-26
A_Dot_Net_Based_Moisha_Ransomware
LOW
+
Intel Source:
Cyble
Intel Name:
A_Dot_Net_Based_Moisha_Ransomware
Date of Scan:
2022-08-26
Impact:
LOW
Summary:
Researchers from Cyble have come across a Twitter post about a new ransomware variant named Moisha. A .NET-based ransomware, Moisha was first identified in mid-August 2022, and the threat actor behind it calls itself the PT_MOISHA team.
Source: https://blog.cyble.com/2022/08/25/moisha-ransomware-in-action/
2022-08-26
A_Deep_Analysis_of_Karakurt_Ransomware
LOW
+
Intel Source:
HC3
Intel Name:
A_Deep_Analysis_of_Karakurt_Ransomware
Date of Scan:
2022-08-26
Impact:
LOW
Summary:
Researchers from HC3 have analyzed the Karakurt threat profile in depth and identified four attacks affecting the US Healthcare and Public Health Sector since June 2022. The observed attacks affected an assisted living facility, a dental firm, a healthcare provider, and a hospital.
Source: https://www.hhs.gov/sites/default/files/karakurt-threat-profile-analyst-note.pdf
2022-08-26
Iran_Based_Threat_Actor_MERCURY_Leveraging_Exploitation_of_Log4j_2_Vulnerabilities
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
Iran_Based_Threat_Actor_MERCURY_Leveraging_Exploitation_of_Log4j_2_Vulnerabilities
Date of Scan:
2022-08-26
Impact:
MEDIUM
Summary:
Microsoft Threat Intelligence and the Microsoft 365 Defender Research Team have detected the Iran-based threat actor MERCURY exploiting Log4j 2 vulnerabilities in SysAid applications against organizations located in Israel.
Source: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
2022-08-26
BleachGap_ransomware_reappeared
LOW
+
Intel Source:
Labs K7 Security
Intel Name:
BleachGap_ransomware_reappeared
Date of Scan:
2022-08-26
Impact:
LOW
Summary:
Researchers from K7 Labs have analyzed the BleachGap ransomware and found that the threat actors are modifying the malware's attack techniques, possibly in preparation for a larger attack in the future.
Source: https://labs.k7computing.com/index.php/bleachgap-revamped/
2022-08-25
Ransomware_Actors_Leveraging_Genshin_Impact_Driver
MEDIUM
+
Intel Source:
TrendMicro
Intel Name:
Ransomware_Actors_Leveraging_Genshin_Impact_Driver
Date of Scan:
2022-08-25
Impact:
MEDIUM
Summary:
Trend Micro researchers investigated mhyprot2.sys, a vulnerable anti-cheat driver shipped with the popular role-playing game Genshin Impact. The driver is currently being abused by a ransomware actor to kill antivirus processes and services before mass-deploying ransomware.
Source: https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
2022-08-25
AgentTesla_is_Back_With_a_New_Campaign
LOW
+
Intel Source:
Avast
Intel Name:
AgentTesla_is_Back_With_a_New_Campaign
Date of Scan:
2022-08-25
Impact:
LOW
Summary:
Threat researchers from Avast have identified a new malicious campaign that is threatening businesses around the world. The campaign targets users in Spain, Portugal, Romania, and multiple countries in South America.
Source: https://decoded.avast.io/pavelnovak/agenttesla-is-threatening-businesses-around-the-world-with-a-new-campaign/?utm_source=rss&utm_medium=rss&utm_campaign=agenttesla-is-threatening-businesses-around-the-world-with-a-new-campaign
2022-08-25
Multiple_Known_Malware_Findings_from_the_BlackHat_NOC
LOW
+
Intel Source:
IronNet
Intel Name:
Multiple_Known_Malware_Findings_from_the_BlackHat_NOC
Date of Scan:
2022-08-25
Impact:
LOW
Summary:
IronNet hunters uncovered several active malware infections on the Black Hat network, including Shlayer malware, the North Korea-attributed SHARPEXT malware, and NetSupport RAT.
Source: https://www.ironnet.com/blog/a-view-from-the-black-hat-noc-key-findings
2022-08-25
Kimsukys_hackers_using_C2_operations_with_GoldDragon_malware
LOW
+
Intel Source:
Securelist
Intel Name:
Kimsukys_hackers_using_C2_operations_with_GoldDragon_malware
Date of Scan:
2022-08-25
Impact:
LOW
Summary:
Researchers from Securelist have observed that the Kimsuky threat group continuously evolves its malware infection schemes and adopts novel techniques to hinder analysis. It is one of the most prolific and active threat actors on the Korean Peninsula, operates several clusters, and GoldDragon is one of its most frequently used malware families.
Source: https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/
2022-08-25
A_0ktapus_Phishing_Campaign
LOW
+
Intel Source:
Group-IB
Intel Name:
A_0ktapus_Phishing_Campaign
Date of Scan:
2022-08-25
Impact:
LOW
Summary:
Researchers from Group-IB Threat Intelligence Team have detected 169 unique domains involved in the 0ktapus phishing campaign. While analyzing the phishing sites, they found an image that is legitimately used by sites leveraging Okta authentication, being used by the phishing kit.
Source: https://blog.group-ib.com/0ktapus
2022-08-25
The_Deep_examination_of_Wiper_Malware
LOW
+
Intel Source:
Crowdstrike
Intel Name:
The_Deep_examination_of_Wiper_Malware
Date of Scan:
2022-08-25
Impact:
LOW
Summary:
Researchers from the CrowdStrike Research Team have described how threat actors use legitimate third-party drivers to bypass the visibility and detection capabilities of security mechanisms and solutions.
Source: https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-2/
2022-08-25
Threat_Actors_Leveraging_Compromised_Microsoft_Dynamics_365_Voice_Account_for_Phishing_Attack
LOW
+
Intel Source:
Cofense
Intel Name:
Threat_Actors_Leveraging_Compromised_Microsoft_Dynamics_365_Voice_Account_for_Phishing_Attack
Date of Scan:
2022-08-25
Impact:
LOW
Summary:
Researchers from Cofense have identified a widespread campaign where threat actors use a compromised Dynamics 365 Customer Voice business account and a link posing as a survey to steal Microsoft 365 credentials.
Source: https://cofense.com/blog/compromised-microsoft-dynamic-365-customer-voice-account-used-for-phishing-attack
2022-08-25
Diving_Deep_into_Qbot_Malware
LOW
+
Intel Source:
Trellix
Intel Name:
Diving_Deep_into_Qbot_Malware
Date of Scan:
2022-08-25
Impact:
LOW
Summary:
Researchers from the Trellix SecOps team have observed an uptick in Qbot malware infections in recent months. Qbot has been an active threat for over 14 years and continues to evolve, adopting new infection vectors to evade detection mechanisms.
Source: https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/demystifying-qbot-malware.html
2022-08-24
The_active_exploitation_of_multiple_vulnerabilities_and_Exposures_against_Zimbra_Collaboration_Suite
LOW
+
Intel Source:
CISA
Intel Name:
The_active_exploitation_of_multiple_vulnerabilities_and_Exposures_against_Zimbra_Collaboration_Suite
Date of Scan:
2022-08-24
Impact:
LOW
Summary:
CISA and MS-ISAC have identified cyber threat actors targeting unpatched Zimbra Collaboration Suite instances in both government and private sector networks.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-228a
2022-08-24
Pirated_Software_Download_Sites_Delivering_InfoStealer_Malware
LOW
+
Intel Source:
Zscaler
Intel Name:
Pirated_Software_Download_Sites_Delivering_InfoStealer_Malware
Date of Scan:
2022-08-24
Impact:
LOW
Summary:
Researchers from Zscaler Threat Labs have discovered multiple ongoing threat campaigns distributing info-stealer malware by targeting victims trying to download pirated software applications.
Source: https://www.zscaler.com/blogs/security-research/making-victims-pay-infostealer-malwares-mimick-pirated-software-download
2022-08-24
BitRAT_and_XMRig_CoinMiner_Leveraging_Windows_License_Verification_Tool
LOW
+
Intel Source:
ASEC
Intel Name:
BitRAT_and_XMRig_CoinMiner_Leveraging_Windows_License_Verification_Tool
Date of Scan:
2022-08-24
Impact:
LOW
Summary:
Researchers from ASEC have discovered the distribution of BitRAT and XMRig CoinMiner disguised as a Windows license verification tool.
Source: https://asec.ahnlab.com/en/37939/
2022-08-24
AsyncRAT_Being_Distributed_in_Fileless_Form
LOW
+
Intel Source:
ASEC
Intel Name:
AsyncRAT_Being_Distributed_in_Fileless_Form
Date of Scan:
2022-08-24
Impact:
LOW
Summary:
Researchers from ASEC have discovered AsyncRAT being distributed in fileless form. It is executed in fileless form through multiple script files and is thought to be distributed as a compressed file attachment in emails.
Source: https://asec.ahnlab.com/en/37954/
2022-08-23
Iranian_hackers_Leveraging_New_Tool_to_Steal_Email_From_Victims
LOW
+
Intel Source:
Google blog
Intel Name:
Iranian_hackers_Leveraging_New_Tool_to_Steal_Email_From_Victims
Date of Scan:
2022-08-23
Impact:
LOW
Summary:
Researchers from Google's Threat Analysis Group have observed a new Iranian APT data extraction tool called HYPERSCRAPE. It is written in .NET for Windows and is designed to run on the attacker's own machine.
Source: https://blog.google/threat-analysis-group/new-iranian-apt-data-extraction-tool/
2022-08-23
XCSSET_Malware_updated_with_latest_version
LOW
+
Intel Source:
SentinelOne
Intel Name:
XCSSET_Malware_updated_with_latest_version
Date of Scan:
2022-08-23
Impact:
LOW
Summary:
Researchers from SentinelOne have reviewed the changes made to the latest versions of XCSSET malware and reveal some of the contexts in which these threat actors operate.
Source: https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/
2022-08-23
Malspam_used_by_attackers_to_deliver_AgentTesla_RAT
LOW
+
Intel Source:
MalwareBytes
Intel Name:
Malspam_used_by_attackers_to_deliver_AgentTesla_RAT
Date of Scan:
2022-08-23
Impact:
LOW
Summary:
Malwarebytes Threat Intelligence researchers have identified spam emails carrying images and CHM files. When the CHM is opened, it invokes PowerShell commands that end up executing AgentTesla via RegAsm.exe.
Source: https://twitter.com/MBThreatIntel/status/1561736526819639298
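The chain described in this entry, and in the CERT-UA "Technisches Zeichnen" entry above (a CHM opened by hh.exe, a script host, then a signed .NET utility such as RegAsm.exe hosting the payload), is visible in process-creation telemetry. The following Python is an added example, not Malwarebytes' or CERT-UA's detection logic: it walks parent/child relationships over constructed Sysmon-style events (the PIDs, paths and command lines are made up for illustration) and raises one alert per suspicious .NET utility launch.

```python
import ntpath
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon Event ID 1 provides)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Signed .NET utilities commonly used as injection hosts for RAT payloads
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
# Script interpreters and LOLBins that typically sit between the lure and the payload
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
CHM_VIEWER = "hh.exe"


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def ancestry(events: list, pid: int) -> list:
    """Return image basenames from the process up through its parents."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # stop at the root or on PID-reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events: list) -> list:
    """Flag .NET utility launches whose ancestry or command line matches the lure chain."""
    alerts = []
    for e in events:
        if basename(e.image) not in DOTNET_HOSTS:
            continue
        chain = ancestry(events, e.pid)
        parents = chain[1:]
        bare = len(e.cmdline.split()) <= 1  # no arguments: launched only to be hollowed
        if parents and parents[0] in SCRIPT_HOSTS and CHM_VIEWER in parents:
            rule = "chm_to_script_host_to_dotnet_utility"
        elif parents and parents[0] in SCRIPT_HOSTS:
            rule = "script_host_spawns_dotnet_utility"
        elif bare:
            rule = "dotnet_utility_without_arguments"
        else:
            continue
        alerts.append({"pid": e.pid, "rule": rule, "chain": " <- ".join(chain)})
    return alerts


# Constructed events approximating the described infection chain; not real telemetry
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\hh.exe",
              r'"C:\Windows\hh.exe" C:\Users\user\Downloads\Technisches Zeichnen.chm'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -WindowStyle Hidden -EncodedCommand SQBFAFgAIAAoAE4A"),
    ProcEvent(400, 300, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "RegAsm.exe"),
    # Benign: a build tool registering a COM assembly with explicit arguments
    ProcEvent(500, 100, r"C:\Program Files\Vendor\build.exe", "build.exe"),
    ProcEvent(600, 500, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              "RegAsm.exe /codebase Component.dll"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The bare-command-line rule is the weakest of the three on its own (developers do occasionally run RegAsm.exe interactively), which is why it is only reached when the ancestry rules do not match; in a SIEM the same logic maps onto a ParentImage/Image pair plus a CommandLine condition.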
2022-08-23
Trends_in_Ukrainian_Domain_attacks
LOW
+
Intel Source:
Wordfence
Intel Name:
Trends_in_Ukrainian_Domain_attacks
Date of Scan:
2022-08-23
Impact:
LOW
Summary:
Researchers from Wordfence have identified 16 attack types that triggered more than 85 different firewall rules across protected websites with Ukrainian top-level domains.
Source: https://www.wordfence.com/blog/2022/08/analyzing-attack-data-and-trends-targeting-ukrainian-domains/
2022-08-23
IBAN_clipper_malware_targeting_Windows_operating_systems
LOW
+
Intel Source:
Cyble
Intel Name:
IBAN_clipper_malware_targeting_Windows_operating_systems
Date of Scan:
2022-08-23
Impact:
LOW
Summary:
Researchers from Cyble Labs have highlighted an International Bank Account Number (IBAN) clipper malware after identifying a threat actor on a cybercrime forum offering monthly subscription-based clipper malware targeting Windows operating systems.
Source: https://blog.cyble.com/2022/08/22/dissecting-iban-clipper/
2022-08-23
Astaroth_Guildma_malware_pushed_by_malspam
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Astaroth_Guildma_malware_pushed_by_malspam
Date of Scan:
2022-08-23
Impact:
LOW
Summary:
Researchers from SANS ISC have observed an Astaroth (Guildma) malware infection originating from a malicious Boleto-themed email pretending to be from Grupo Solução & CIA. Boleto is a payment method used in Brazil, and Grupo Solução & CIA is a Brazil-based company.
Source: https://isc.sans.edu/diary/rss/28962
2022-08-23
A_Detailed_Analysis_of_PivNoxy_and_Chinoxy_malware
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
A_Detailed_Analysis_of_PivNoxy_and_Chinoxy_malware
Date of Scan:
2022-08-23
Impact:
MEDIUM
Summary:
Researchers from Fortinet have identified an attack against the telecommunication agency in South Asia that began with a simple email that initially appeared to be a standard malicious spam email message. However, the attached Word document was weaponized using a malicious tool, Royal Road, and is equipped with an exploit for an Equation Editor vulnerability (CVE-2018-0798).
Source: https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis
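The weaponized Word document described above is an RTF built with the Royal Road tool, which embeds an Equation Editor OLE object to reach CVE-2018-0798. The following Python is an added example, not Fortinet's analysis code: it applies the header, control-word and object-class checks a mail-queue triage script would use to pick such documents out for sandboxing. The sample RTF is constructed and contains no exploit, only the structural markers being checked; treating any Equation Editor object as suspicious is a deliberate assumption here, since Microsoft removed the component from Office in January 2018.

```python
import re

# Markers of an embedded Equation Editor object. The ProgID may appear as text in \objclass,
# and the ProgID or CLSID hex-encoded inside the \objdata OLE1 stream (CLSID bytes little-endian).
EQUATION_PROGID_HEX = "Equation.3".encode().hex()           # 4571756174696f6e2e33
EQNEDT_CLSID_LE_HEX = "02ce020000000000c000000000000046"    # {0002CE02-0000-0000-C000-000000000046}


def inspect_rtf(data: bytes) -> dict:
    """Triage an RTF for an auto-loading Equation Editor object."""
    text = data.decode("latin-1")
    # Word accepts a truncated "{\rt" header, which malicious files use to dodge naive checks
    if not text.lstrip().startswith("{\\rt"):
        return {"is_rtf": False, "verdict": "not_rtf"}
    squashed = re.sub(r"\s+", "", text).lower()  # hex inside \objdata is usually line-wrapped
    has_objdata = "\\objdata" in text
    has_objupdate = "\\objupdate" in text           # forces the object to load when opened
    equation_object = bool(
        re.search(r"\\objclass\s+Equation\.[23]\b", text)
        or EQUATION_PROGID_HEX in squashed
        or EQNEDT_CLSID_LE_HEX in squashed
    )
    if equation_object and has_objupdate:
        verdict = "high"
    elif equation_object or (has_objdata and has_objupdate):
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "is_rtf": True,
        "objdata": has_objdata,
        "objupdate": has_objupdate,
        "equation_editor_object": equation_object,
        "verdict": verdict,
    }


# Constructed sample: structural markers only, no exploit payload
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}\n"
    b"{\\*\\objdata 01050000020000000b000000\n"
    b"4571756174696f6e2e3300\n"
    b"000000000000000000000000}}\\par}"
)
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 Quarterly figures attached.\\par}"

if __name__ == "__main__":
    print(inspect_rtf(SAMPLE_RTF))
    print(inspect_rtf(BENIGN_RTF))
    print(inspect_rtf(b"Not an RTF document"))
```

Whitespace is stripped before the hex search because RTF writers wrap \objdata at arbitrary column widths, so a marker split across a line break would otherwise be missed; a real pipeline would also pass anything scored "suspicious" or "high" to an OLE parser rather than stopping at string matching.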
2022-08-23
A_malicious_use_of_Tox_protocol_for_coinminers
LOW
+
Intel Source:
Uptycs
Intel Name:
A_malicious_use_of_Tox_protocol_for_coinminers
Date of Scan:
2022-08-23
Impact:
LOW
Summary:
Researchers from Uptycs have examined malware samples that do nothing explicitly malicious on their own but are assessed to be part of a coinminer campaign. They also observed, for the first time, the Tox protocol being used to deliver and run scripts on the infected machine.
Source: https://www.uptycs.com/blog/is-tox-the-new-cc-method-for-coinminers
2022-08-22
XWorm_RAT_with_Ransomware_and_HNVC_attack_capabilities
LOW
+
Intel Source:
Cyble
Intel Name:
XWorm_RAT_with_Ransomware_and_HNVC_attack_capabilities
Date of Scan:
2022-08-22
Impact:
LOW
Summary:
Researchers from Cyble Labs have discovered a dark web post in which a malware developer advertises a powerful Windows RAT; the post redirects to the developer's website, where multiple malicious tools are being sold.
Source: https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/
2022-08-22
A_malicious_JavaScript_injection_affecting_WordPress_websites
LOW
+
Intel Source:
Sucuri
Intel Name:
A_malicious_JavaScript_injection_affecting_WordPress_websites
Date of Scan:
2022-08-22
Impact:
LOW
Summary:
Sucuri researchers have observed and analyzed a recent spike in JavaScript injections targeting WordPress sites, which produce fake DDoS-protection prompts that lead victims to download remote access trojan malware.
Source: https://blog.sucuri.net/2022/08/fake-ddos-pages-on-wordpress-lead-to-drive-by-downloads.html
2022-08-22
FIN7_rewrite_JSSLoader_malware_with_expanded_capabilities
MEDIUM
+
Intel Source:
MalwareBytes
Intel Name:
FIN7_rewrite_JSSLoader_malware_with_expanded_capabilities
Date of Scan:
2022-08-22
Impact:
MEDIUM
Summary:
Researchers at Malwarebytes have identified a malspam campaign in late June that they attribute to the FIN7 APT group. FIN7 has rewritten its JSSLoader malware with expanded capabilities, including new data exfiltration functions.
Source: https://malwarebytes.app.box.com/s/ym6r7o5hq0rx2nxjbctfv2sw5vx386ni
2022-08-22
SocGholish_JavaScript_Malware_Back_into_Action
LOW
+
Intel Source:
Sucuri
Intel Name:
SocGholish_JavaScript_Malware_Back_into_Action
Date of Scan:
2022-08-22
Impact:
LOW
Summary:
Researchers from Sucuri have analysed the SocGholish JavaScript Malware and they are outlining the injections and URLs used in the website malware portion of the SocGholish attack outside of the NDSW/NDSX campaign.
Source: https://blog.sucuri.net/2022/08/socgholish-5-years-of-massive-website-infections.html
2022-08-22
New_BianLian_Ransomware_Targeting_Multiple_Industries
MEDIUM
+
Intel Source:
Cyble
Intel Name:
New_BianLian_Ransomware_Targeting_Multiple_Industries
Date of Scan:
2022-08-22
Impact:
MEDIUM
Summary:
Researchers from Cyble have observed that malware written in the Go programming language has recently become popular among threat actors. During their daily threat hunting, they came across a Twitter post about a Go-based ransomware variant named BianLian.
Source: https://blog.cyble.com/2022/08/18/bianlian-new-ransomware-variant-on-the-rise/
2022-08-22
Grandoreiro_Banking_Malware_Targeting_Spanish_and_Mexican_Organizations
LOW
+
Intel Source:
Zscaler
Intel Name:
Grandoreiro_Banking_Malware_Targeting_Spanish_and_Mexican_Organizations
Date of Scan:
2022-08-22
Impact:
LOW
Summary:
Researchers from Zscaler ThreatLabs have observed a Grandoreiro banking malware campaign. In this campaign, the threat actors impersonate government officials from the Attorney General's Office of Mexico City and from the Public Ministry in the form of spear-phishing emails in order to lure victims to download and execute 'Grandoreiro,' a prolific banking trojan.
Source: https://www.zscaler.com/blogs/security-research/grandoreiro-banking-trojan-new-ttps-targeting-various-industry-verticals
2022-08-21
ATMZOW_JS_Sniffer_Campaign_Connected_to_Hancitor_Malware
MEDIUM
+
Intel Source:
Group-IB
Intel Name:
ATMZOW_JS_Sniffer_Campaign_Connected_to_Hancitor_Malware
Date of Scan:
2022-08-21
Impact:
MEDIUM
Summary:
Researchers from Group-IB have established that the ATMZOW JS sniffer campaign and the Hancitor malware downloader were operated by the same threat actor. They collected information about ATMZOW's recent activity and found ties to a phishing campaign targeting clients of a US bank, based on the same JS obfuscation technique.
Source: https://blog.group-ib.com/switching-side-jobs
2022-08-21
APT41_targeted_13_entities_in_US_Taiwan_India_Vietnam_and_China
MEDIUM
+
Intel Source:
Group-IB
Intel Name:
APT41_targeted_13_entities_in_US_Taiwan_India_Vietnam_and_China
Date of Scan:
2022-08-21
Impact:
MEDIUM
Summary:
Group-IB has been monitoring APT41 activities since 2021 and has published a report documenting the group's targeting of 13 organizations spanning the U.S., Taiwan, India, Vietnam, and China.
Source: https://blog.group-ib.com/apt41-world-tour-2021
2022-08-20
TA558_Targets_Hospitality_and_Travel_firms
MEDIUM
+
Intel Source:
ProofPoint
Intel Name:
TA558_Targets_Hospitality_and_Travel_firms
Date of Scan:
2022-08-20
Impact:
MEDIUM
Summary:
Researchers at Proofpoint have monitored the activities of threat actor TA558 since 2018; in 2022 the actor is still targeting hospitality, travel, and related industries based in Latin America, North America, and Western Europe. TA558 has recently shifted tactics to distributing malware through URLs and container files.
Source: https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel
2022-08-19
Reemergence_of_Raccoon_Infostealer_Malware_with_New_TTPS
LOW
+
Intel Source:
SocInvestigations
Intel Name:
Reemergence_of_Raccoon_Infostealer_Malware_with_New_TTPS
Date of Scan:
2022-08-19
Impact:
LOW
Summary:
SOCInvestigation researchers have found new TTPs of the Raccoon infostealer. It is an information-stealing malware sold as malware-as-a-service on underground forums, and a robust stealer that harvests data such as passwords, cookies, and autofill data from browsers.
Source: https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/
2022-08-19
Diving_Deep_into_DarkTortilla_Malware
LOW
+
Intel Source:
Secureworks
Intel Name:
Diving_Deep_into_DarkTortilla_Malware
Date of Scan:
2022-08-19
Impact:
LOW
Summary:
Researchers from Secureworks Counter Threat Unit have found long-term threat DarkTortilla crypter is still evolving. It usually delivers information stealers and remote access trojans (RATs) like AgentTesla, AsyncRat, NanoCore, and RedLine, though some samples have been seen delivering such targeted payloads as Cobalt Strike and Metasploit.
Source: https://www.secureworks.com/research/darktortilla-malware-analysis
2022-08-19
Malicious_PyPi_packages_turn_Discord_into_info_stealing_malware
LOW
+
Intel Source:
Securelist
Intel Name:
Malicious_PyPi_packages_turn_Discord_into_info_stealing_malware
Date of Scan:
2022-08-19
Impact:
LOW
Summary:
Researchers from Kaspersky have analyzed two PyPi packages that contain info-stealing malware and also modify the Discord client as well. The stealers in those packages focus on collecting account credentials from cryptocurrency wallets, Steam, and Minecraft, while an injected script monitors for inputs like email addresses, passwords, and billing information.
Source: https://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/
2022-08-19
Attackers_Leveraging_Bumblebee_Loader
LOW
+
Intel Source:
Cybereason
Intel Name:
Attackers_Leveraging_Bumblebee_Loader
Date of Scan:
2022-08-19
Impact:
LOW
Summary:
The Cybereason GSOC team has analyzed a case involving a Bumblebee Loader infection; its operators conducted intensive reconnaissance and redirected the output of executed commands to files for exfiltration.
Source: https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control
2022-08-19
Lazarus_Group_Targeting_Job_Seekers_with-macOS_Malware
LOW
+
Intel Source:
ESET
Intel Name:
Lazarus_Group_Targeting_Job_Seekers_with-macOS_Malware
Date of Scan:
2022-08-19
Impact:
LOW
Summary:
Slovak cybersecurity firm ESET has identified the North Korea-backed Lazarus Group targeting job seekers with malware capable of executing on Apple Macs with both Intel and M1 chips.
Source: https://twitter.com/ESETresearch/status/1559553342057205761
2022-08-19
Detailed_Analysis_of_Follina_Vulnerability
LOW
+
Intel Source:
VirusTotal
Intel Name:
Detailed_Analysis_of_Follina_Vulnerability
Date of Scan:
2022-08-19
Impact:
LOW
Summary:
VirusTotal's threat hunting team analyzed the Follina vulnerability in depth and provided a high-level overview of all observed attacks, focusing on those that took place before the 0-day was publicly disclosed, along with practical recommendations on how to monitor for and hunt Follina samples.
Source: https://blog.virustotal.com/2022/08/hunting-follina.html
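One practical hunting check for Follina (CVE-2022-30190) is to inspect the OOXML relationships of a document for an OLE object whose target is external, since that is how the malicious HTML is fetched before the ms-msdt: handler is invoked. The following Python is an added example, not VirusTotal's hunting logic: it builds a constructed .docx in memory (the TEST-NET URL is a placeholder, not a real indicator) and scans every .rels part for external oleObject relationships, plus every part for the protocol-handler schemes listed in SUSPICIOUS_SCHEMES, a list that is an assumption of this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# URL schemes handed to Windows protocol handlers that have been abused from Office documents
SUSPICIOUS_SCHEMES = ("ms-msdt:", "search-ms:")


def scan_docx(blob: bytes) -> list:
    """Return (part, finding, detail) tuples for Follina-style indicators in an OOXML package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            raw = zf.read(name)
            lowered = raw.lower()
            for scheme in SUSPICIOUS_SCHEMES:
                if scheme.encode() in lowered:
                    findings.append((name, "protocol_handler_scheme", scheme))
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(raw)
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal") == "External"
                if rel.get("Type") == OLE_REL_TYPE and external:
                    # An embedded OLE object normally lives inside the package (word/embeddings/);
                    # an external one is fetched from a remote server when the document opens.
                    findings.append((name, "external_ole_object", target))
    return findings


def build_sample_docx(ole_target: str, external: bool) -> bytes:
    """Construct a minimal .docx whose document relationships point an OLE object at ole_target."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="{ole_target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed samples: the first mimics the external-OLE pattern with a placeholder TEST-NET host
MALICIOUS_DOCX = build_sample_docx("http://203.0.113.5/loader.html!", external=True)
BENIGN_DOCX = build_sample_docx("embeddings/oleObject1.bin", external=False)

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_DOCX), ("benign", BENIGN_DOCX)):
        print(label, scan_docx(blob))
```

The relationship check is the durable one: it does not depend on the URL, the HTML content or the scheme string, all of which attackers vary, and a legitimate document has no reason to load an OLE object over the network. The scheme scan is a cheap second signal for variants that embed the handler URI directly.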
2022-08-19
Newly_Active_Malicious_Scanner_IPs
LOW
+
Intel Source:
Securonix
Intel Name:
Newly_Active_Malicious_Scanner_IPs
Date of Scan:
2022-08-19
Impact:
LOW
Summary:
Internal scan, No git required
Source: Internal Source
2022-08-18
Cyber_Weapons_Used_in_the_Ukraine_Russia_War
MEDIUM
+
Intel Source:
Trustwave
Intel Name:
Cyber_Weapons_Used_in_the_Ukraine_Russia_War
Date of Scan:
2022-08-18
Impact:
MEDIUM
Summary:
Cyberattacks leveraging malware are an important part of modern hybrid war strategy. While conventional warfare is conducted on the battlefield and limited by several factors, cyber warfare continues in cyberspace, offering the chance to infiltrate and damage targets far behind the front lines.
Source: https://www.trustwave.com/media/18925/final_spiderlabs_cyber-weapons-used-in-the-ukraine-russia-war.pdf
2022-08-18
Iranian_Threat_Actor_UNC3890_targets_Israeli_entities
MEDIUM
+
Intel Source:
Mandiant
Intel Name:
Iranian_Threat_Actor_UNC3890_targets_Israeli_entities
Date of Scan:
2022-08-18
Impact:
MEDIUM
Summary:
Mandiant researchers found a cyber espionage campaign targeting Israeli entities and organizations in various sectors, including government, shipping, energy, and healthcare, via social engineering lures and a potential watering hole. The attacks have been attributed to UNC3890.
Source: https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping
2022-08-18
A_new_variant_of_NJRAT
LOW
+
Intel Source:
Esentire
Intel Name:
A_new_variant_of_NJRAT
Date of Scan:
2022-08-18
Impact:
LOW
Summary:
Esentire Cyber Threat Hunting team have discovered a new variant of NJRAT which is capable of logging keystrokes, viewing the victim’s camera, and remotely controlling the system.
Source: https://www.esentire.com/blog/njrat-comes-disguised-as-video-streaming-software
2022-08-18
Python_s_Top_Packages_attack
LOW
+
Intel Source:
CheckMarx
Intel Name:
Python_s_Top_Packages_attack
Date of Scan:
2022-08-18
Impact:
LOW
Summary:
Researchers from Checkmarx have detected a large-scale attack on the Python ecosystem using multi-stage persistent malware. A PyPI user account published a dozen malicious typosquatting packages under names that are slight permutations of popular projects.
Source: https://medium.com/checkmarx-security/typosquatting-campaign-targeting-12-of-pythons-top-packages-downloading-malware-hosted-on-github-9501f35b8efb
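The campaign above relied on package names that are slight permutations of popular projects. As an added example (not Checkmarx's tooling), the following Python checks a requested package name against a short list of popular names using optimal-string-alignment edit distance plus a simple affix heuristic. The popular-package list and both thresholds are assumptions for illustration; a real deployment would use the current top-downloads list and run the check in a pre-install hook or dependency review.

```python
import re

# Assumed list of popular names; replace with a current top-downloads list in practice
POPULAR_PACKAGES = [
    "requests", "urllib3", "setuptools", "numpy", "pandas",
    "matplotlib", "cryptography", "boto3", "pillow", "pyyaml",
]
MAX_EDIT_DISTANCE = 1   # one typo, one dropped/added character or one swapped pair
MAX_AFFIX_LENGTH = 7    # e.g. "python-" prepended or "-tools" appended


def normalize(name: str) -> str:
    """PEP 503 style normalization: case-fold and collapse runs of - _ . into '-'."""
    return re.sub(r"[-_.]+", "-", name.strip().lower())


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent transposition."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[rows - 1][cols - 1]


def typosquat_candidates(requested: str, popular=POPULAR_PACKAGES) -> list:
    """Return (popular_name, reason) pairs the requested name could be impersonating.

    An exact (normalized) match is the legitimate package and yields no candidates.
    """
    req = normalize(requested)
    norm_popular = [(p, normalize(p)) for p in popular]
    if any(req == pn for _, pn in norm_popular):
        return []
    hits = []
    for p, pn in norm_popular:
        distance = osa_distance(req, pn)
        if distance <= MAX_EDIT_DISTANCE:
            hits.append((p, f"edit_distance_{distance}"))
        elif (req.startswith(pn) or req.endswith(pn)) and len(req) - len(pn) <= MAX_AFFIX_LENGTH:
            hits.append((p, "affix"))
    return hits


if __name__ == "__main__":
    # Constructed requests: the first three are look-alikes, the last two are legitimate names
    for name in ("reqeusts", "python-requests", "pandsa", "urllib3", "flask"):
        print(f"{name!r}: {typosquat_candidates(name)}")
```

The affix rule is deliberately weaker than the edit-distance rule and will flag some legitimate companion packages, so it is better treated as a prompt for human review than as a hard block; the edit-distance hits, by contrast, are almost never intended by the person typing the name.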
2022-08-17
Diving_deep_into_RedAlphas_cyber_espionage_activity
LOW
+
Intel Source:
Recorded Future
Intel Name:
Diving_deep_into_RedAlphas_cyber_espionage_activity
Date of Scan:
2022-08-17
Impact:
LOW
Summary:
Researchers from Recorded Future have analyzed multiple campaigns conducted by the Chinese state-sponsored threat activity group RedAlpha. The group very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations.
Source: https://go.recordedfuture.com/hubfs/reports/ta-2022-0816.pdf
2022-08-17
Surge_in_attack_through_malicious_Browser_Extension
LOW
Intel Source:
Securelist
Intel Name:
Surge_in_attack_through_malicious_Browser_Extension
Date of Scan:
2022-08-17
Impact:
LOW
Summary:
Securelist analysts documented their findings on multiple browser extensions that have targeted at least 1.31 million users. The most prevalent threat is a family of adware called WebSearch, which masquerades as PDF viewers.
Source: https://securelist.com/threat-in-your-browser-extensions/107181/
2022-08-17
Trend_Micro_Research_on_Cloud_based_Cryptocurrency_mining
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Trend_Micro_Research_on_Cloud_based_Cryptocurrency_mining
Date of Scan:
2022-08-17
Impact:
MEDIUM
Summary:
In their research document, TrendMicro shared their concerns about the impact on organizations running cloud instances, noting that potential victims of malicious cryptocurrency mining could be from any country or sector, which makes cloud-based cryptocurrency-mining attacks a global concern for companies.
Source: https://documents.trendmicro.com/assets/white_papers/wp-navigating-the-landscape-of-cloud-based-cryptocurrency-mining.pdf
2022-08-16
UAC_0010_Armageddon_leveraging_GammaLoad_and_GammaSteel_malwares
LOW
Intel Source:
CERT-UA
Intel Name:
UAC_0010_Armageddon_leveraging_GammaLoad_and_GammaSteel_malwares
Date of Scan:
2022-08-16
Impact:
LOW
Summary:
CERT-UA has tracked an attack since the first half of 2022 in which HTM droppers distributed via email lead to the delivery of the GammaLoad.PS1 malware, which later delivers GammaSteel.PS1.
Source: https://cert.gov.ua/article/1229152
2022-08-16
Phishing_campaign_by_Russian_Threat_Actor_SEABORGIUM
MEDIUM
Intel Source:
Microsoft
Intel Name:
Phishing_campaign_by_Russian_Threat_Actor_SEABORGIUM
Date of Scan:
2022-08-16
Impact:
MEDIUM
Summary:
MSTIC disrupted a campaign by SEABORGIUM, a threat actor originating from Russia. Its operations involve persistent phishing and credential theft campaigns leading to intrusions and data theft.
Source: https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/
2022-08-16
Russian_hackers_targeting_Ukraine_with_default_Word_template_hijacker
MEDIUM
Intel Source:
Symantec
Intel Name:
Russian_hackers_targeting_Ukraine_with_default_Word_template_hijacker
Date of Scan:
2022-08-16
Impact:
MEDIUM
Summary:
Researchers from Symantec have observed, since May 2022, campaigns in which phishing messages carry a self-extracting 7-Zip archive that fetches an XML file from an "xsph.ru" subdomain associated with Gamaredon.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/russia-ukraine-shuckworm
2022-08-16
Typhon_Stealer_being_spread_through_Phishing_sites
LOW
Intel Source:
Cyble
Intel Name:
Typhon_Stealer_being_spread_through_Phishing_sites
Date of Scan:
2022-08-16
Impact:
LOW
Summary:
Cyble researchers analyzed a sample URL that hosts a Windows executable payload. This Windows executable is a variant of the Typhon stealer malware, delivered via a crafted .lnk file.
Source: https://blog.cyble.com/2022/08/16/phishing-site-used-to-spread-typhon-stealer/
2022-08-16
PyPI_Package_Drops_Fileless_Cryptominer_to_Linux_Systems
LOW
Intel Source:
Sonatype
Intel Name:
PyPI_Package_Drops_Fileless_Cryptominer_to_Linux_Systems
Date of Scan:
2022-08-16
Impact:
LOW
Summary:
Researchers from Sonatype have identified a PyPI package named 'secretslib', described as 'secrets matching and verification made easy'. On closer inspection, though, the package covertly runs cryptominers in memory on the Linux machine, a technique largely employed by fileless malware and crypters.
Source: https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero
2022-08-15
A_chat_application_MiMi_compromised_by_Iron_Tiger_malware
MEDIUM
Intel Source:
TrendMicro
Intel Name:
A_chat_application_MiMi_compromised_by_Iron_Tiger_malware
Date of Scan:
2022-08-15
Impact:
MEDIUM
Summary:
Researchers from TrendMicro discovered a server hosting malicious samples that compromised the chat application MiMi. The samples belong to the HyperBro malware family used by Iron Tiger, an advanced persistent threat (APT) group that has been performing cyberespionage for almost a decade and is now targeting Windows and Mac OS.
Source: https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html
2022-08-15
The_observation_of_Conti_Group_activity_used_by_Russian_threat_actors
MEDIUM
Intel Source:
Weixin
Intel Name:
The_observation_of_Conti_Group_activity_used_by_Russian_threat_actors
Date of Scan:
2022-08-15
Impact:
MEDIUM
Summary:
Qi Anxin Threat Intelligence Center has been tracking Russian-speaking threat actors and observed that the Conti Group used Exchange vulnerabilities to target companies labelled as "rich".
Source: https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g
2022-08-15
MikuBot_spies_on_Victims_using_hidden_VNC
MEDIUM
Intel Source:
Cyble
Intel Name:
MikuBot_spies_on_Victims_using_hidden_VNC
Date of Scan:
2022-08-15
Impact:
MEDIUM
Summary:
Researchers at Cyble Research Labs have identified a new malware called 'MikuBot', which a threat actor was advertising in cybercrime forums. The bot steals sensitive data and runs hidden VNC sessions that allow threat actors to remotely access the target's system.
Source: https://blog.cyble.com/2022/08/11/mikubot-spotted-in-the-wild/
2022-08-15
A_new_deployment_of_CopperStealer_s_distributing_malware
MEDIUM
Intel Source:
TrendMicro
Intel Name:
A_new_deployment_of_CopperStealer_s_distributing_malware
Date of Scan:
2022-08-15
Impact:
MEDIUM
Summary:
TrendMicro publicly shared their analysis of a new development in which CopperStealer distributes malware by abusing a browser stealer, an adware browser extension, or remote desktop.
Source: https://www.trendmicro.com/en_us/research/22/h/copperstealer-distributes-malicious-chromium-browser-extension-steal-cryptocurrencies.html
2022-08-12
A_distribution_of_Monero_CoinMiner_by_Webhards
LOW
Intel Source:
ASEC
Intel Name:
A_distribution_of_Monero_CoinMiner_by_Webhards
Date of Scan:
2022-08-12
Impact:
LOW
Summary:
The ASEC analysis team has discovered that Monero CoinMiner, also known as XMRig, is being distributed via file-sharing websites such as Korean webhards and torrents.
Source: https://asec.ahnlab.com/en/37526/
2022-08-12
Zeppelin_Ransomware
MEDIUM
Intel Source:
CISA
Intel Name:
Zeppelin_Ransomware
Date of Scan:
2022-08-12
Impact:
MEDIUM
Summary:
CISA has published a cybersecurity advisory (AA22-223A) on Zeppelin ransomware.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-223a
2022-08-12
A_new_upgrade_on_the_activity_of_APT_C_35_or_DoNot_Team
MEDIUM
Intel Source:
Morphisec
Intel Name:
A_new_upgrade_on_the_activity_of_APT_C_35_or_DoNot_Team
Date of Scan:
2022-08-12
Impact:
MEDIUM
Summary:
Researchers at Morphisec Labs have monitored the activity of DoNot Team/APT-C-35, where the group has added a new module to its Windows framework.
Source: https://blog.morphisec.com/apt-c-35-new-windows-framework-revealed
2022-08-12
Onyx_Ransomware_s_Recent_Operations
LOW
Intel Source:
Cyble
Intel Name:
Onyx_Ransomware_s_Recent_Operations
Date of Scan:
2022-08-12
Impact:
LOW
Summary:
Cyble researchers found an updated Onyx ransomware, which is based on Chaos ransomware; the group has renamed its leak site from "ONYX NEWS" to "VSOP NEWS."
Source: https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/
2022-08-11
Tropical_Scorpius_deploys_ROMCOM_RAT_in_Cuba_Ransomware_operations
MEDIUM
Intel Source:
Palo Alto
Intel Name:
Tropical_Scorpius_deploys_ROMCOM_RAT_in_Cuba_Ransomware_operations
Date of Scan:
2022-08-11
Impact:
MEDIUM
Summary:
A threat actor dubbed Tropical Scorpius by PaloAlto researchers has changed its TTPs and is also said to be associated with Cuba ransomware operations.
Source: https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/
2022-08-11
DeathStalker's_VileRAT_continue_target_Foreign_and_Crypto_Exchanges
MEDIUM
Intel Source:
Securelist
Intel Name:
DeathStalker's_VileRAT_continue_target_Foreign_and_Crypto_Exchanges
Date of Scan:
2022-08-11
Impact:
MEDIUM
Summary:
Securelist has shared that the threat actor known as DeathStalker has continued to target and disrupt foreign and cryptocurrency exchanges around the world throughout 2022 using the VileRAT malware. Since late 2021 the infection technique has changed slightly, but the initial infection vector is still a malicious message sent to targets via email. In July 2022, Securelist also noticed that the attackers leveraged chatbots embedded in targeted companies' public websites to send malicious DOCX files to their targets.
Source: https://securelist.com/vilerat-deathstalkers-continuous-strike/107075/
2022-08-11
Emotet_re-introduction_SMB_spreader_module
LOW
Intel Source:
Bitsight
Intel Name:
Emotet_re-introduction_SMB_spreader_module
Date of Scan:
2022-08-11
Impact:
LOW
Summary:
Researchers at Bitsight have observed the Emotet botnet version Epoch4 delivering a new module to infected systems that turned out to be a credit card stealer targeting Google Chrome. Later, they found that Emotet Epoch4 also re-introduced the SMB spreader module.
Source: https://www.bitsight.com/blog/emotet-smb-spreader-back
2022-08-11
BlueSky_Ransomware_targets_Windows_hosts_and_utilizes_multithreading
MEDIUM
Intel Source:
Palo Alto
Intel Name:
BlueSky_Ransomware_targets_Windows_hosts_and_utilizes_multithreading
Date of Scan:
2022-08-11
Impact:
MEDIUM
Summary:
Researchers at Palo Alto have analysed code samples of BlueSky ransomware, which they found to be connected with the Conti ransomware group. The multithreaded structure of BlueSky's code shares similarities with Conti v3. Moreover, BlueSky's file encryption algorithm also closely resembles that of Babuk ransomware.
Source: https://unit42.paloaltonetworks.com/bluesky-ransomware/
2022-08-11
AiTM_attack_targets_Gmail_Enterprise_users
MEDIUM
Intel Source:
Zscaler
Intel Name:
AiTM_attack_targets_Gmail_Enterprise_users
Date of Scan:
2022-08-11
Impact:
MEDIUM
Summary:
Zscaler researchers followed up on their earlier findings about an AiTM phishing campaign against Microsoft email services and found that the same campaign has been targeting enterprise users of Gmail.
Source: https://www.zscaler.com/blogs/security-research/aitm-phishing-attack-targeting-enterprise-users-gmail
2022-08-11
Raspberry_Robin_tries_to_remain_undetected
MEDIUM
Intel Source:
Cisco
Intel Name:
Raspberry_Robin_tries_to_remain_undetected
Date of Scan:
2022-08-11
Impact:
MEDIUM
Summary:
Researchers at Cisco have analysed a distinctive pattern of msiexec.exe usage across different endpoints. As they drilled down into individual assets, they found traces of the Raspberry Robin malware.
Source: https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-external-disks
2022-08-11
Yanluowang ransomware gang targets Cisco
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
Yanluowang ransomware gang targets Cisco
Date of Scan:
2022-08-11
Impact:
MEDIUM
Summary:
Cisco Talos has analyzed a recent attack on Cisco by Yanluowang ransomware group which breached its corporate network in late May. The attackers could only harvest and steal non-sensitive data from a Box folder linked to a compromised employee's account.
Source: https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html
2022-08-10
LogoKit_returns_leveraging_Open_Redirect_Vulnerabilities
LOW
Intel Source:
Resecurity
Intel Name:
LogoKit_returns_leveraging_Open_Redirect_Vulnerabilities
Date of Scan:
2022-08-10
Impact:
LOW
Summary:
Researchers at Resecurity have discovered that threat actors are leveraging open redirect vulnerabilities in popular online services and apps to bypass spam filters and ultimately deliver phishing content.
Source: https://resecurity.com/blog/article/logokit-update-the-phishing-kit-leveraging-open-redirect-vulnerabilities
2022-08-10
Korean_speaking_APT_deploys_DTrack_and_Maui_Ransomware
MEDIUM
Intel Source:
Securelist
Intel Name:
Korean_speaking_APT_deploys_DTrack_and_Maui_Ransomware
Date of Scan:
2022-08-10
Impact:
MEDIUM
Summary:
Researchers from Securelist were able to attribute the Maui ransomware attack to a Korean-speaking APT group called Andariel. They also found that, before deploying the ransomware, the group deployed a variant of the DTrack malware.
Source: https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/
2022-08-10
SmokeLoader_malware_drops_zgRAT_by_exploiting_old_flaws
MEDIUM
Intel Source:
Fortinet
Intel Name:
SmokeLoader_malware_drops_zgRAT_by_exploiting_old_flaws
Date of Scan:
2022-08-10
Impact:
MEDIUM
Summary:
Researchers at FortiGuard Labs have analysed a recent instance of SmokeLoader in which the malware exploits the five-year-old vulnerabilities CVE-2017-0199 and CVE-2017-11882. This malware sample drops zgRAT, a rare payload compared to those previously delivered by SmokeLoader.
Source: https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities?&web_view=true
2022-08-10
IcedID_or_Bokbot_infection_led_to_Cobalt_Strike
MEDIUM
Intel Source:
Palo Alto
Intel Name:
IcedID_or_Bokbot_infection_led_to_Cobalt_Strike
Date of Scan:
2022-08-10
Impact:
MEDIUM
Summary:
Securonix Threat Labs has monitored OSINT sources and identified a new IcedID infection delivering Cobalt Strike.
Source: https://twitter.com/Unit42_Intel/status/1557009330762809348 https://github.com/pan-unit42/tweets/blob/master/2022-08-08-IOCs-for-IcedID-and-Cobalt-Strike.txt
2022-08-09
BumbleBee_malware_found_its_way_to_Domain_Admin
MEDIUM
Intel Source:
DFIR Report
Intel Name:
BumbleBee_malware_found_its_way_to_Domain_Admin
Date of Scan:
2022-08-09
Impact:
MEDIUM
Summary:
DFIR Report researchers analyzed an intrusion in which BumbleBee was the initial access vector. The intrusion began with a password-protected zipped ISO file.
Source: https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
2022-08-09
Chinese_APT_group_targets_Asia_and_Eastern_Europe
MEDIUM
Intel Source:
Kaspersky
Intel Name:
Chinese_APT_group_targets_Asia_and_Eastern_Europe
Date of Scan:
2022-08-09
Impact:
MEDIUM
Summary:
Kaspersky researchers found a series of attacks targeting organizations in Asia and Eastern Europe. These attacks have been attributed to the Chinese APT group TA428.
Source: https://ics-cert.kaspersky.com/publications/reports/2022/08/08/targeted-attack-on-industrial-enterprises-and-public-institutions/
2022-08-09
Drilling_down_into_SharpEx_browser_extension_malware
LOW
Intel Source:
Walmart
Intel Name:
Drilling_down_into_SharpEx_browser_extension_malware
Date of Scan:
2022-08-09
Impact:
LOW
Summary:
Walmart researchers drilled down further into a browser extension dubbed SharpExt, used by the North Korean threat actor Kimsuky. The goal of the extension is to steal emails and attachments from victims.
Source: https://medium.com/walmartglobaltech/pivoting-on-a-sharpext-to-profile-kimusky-panels-for-great-good-1920dc1bcef9
2022-08-09
Orchard_Botnet_used_to_generate_malicious_domains
LOW
Intel Source:
Netlab 360
Intel Name:
Orchard_Botnet_used_to_generate_malicious_domains
Date of Scan:
2022-08-09
Impact:
LOW
Summary:
Researchers from Qihoo 360's Netlab security team came across a new botnet named Orchard which was using Bitcoin creator Satoshi Nakamoto's account transaction information to generate malicious domain names to conceal its command-and-control (C2) infrastructure.
Source: https://blog.netlab.360.com/a-new-botnet-orchard-generates-dga-domains-with-bitcoin-transaction-information/
2022-08-08
Four_CATAPULT_SPIDER_Challenges
LOW
Intel Source:
Crowdstrike
Intel Name:
Four_CATAPULT_SPIDER_Challenges
Date of Scan:
2022-08-08
Impact:
LOW
Summary:
CrowdStrike has published a blog describing the intended approach to solving the challenges of the eCrime track, in which Adversary Quest participants analyzed new activity by CATAPULT SPIDER.
Source: https://www.crowdstrike.com/blog/catapult-spider-adversary-quest-walkthrough-2022/
2022-08-08
GwisinLocker_Ransomware_Targets_Linux_Based_Systems
LOW
Intel Source:
ReversingLabs
Intel Name:
GwisinLocker_Ransomware_Targets_Linux_Based_Systems
Date of Scan:
2022-08-08
Impact:
LOW
Summary:
A new ransomware family called 'GwisinLocker' has emerged targeting South Korean healthcare, industrial, and pharmaceutical companies with Windows and Linux encryptors.
Source: https://blog.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies
2022-08-08
Two_cyber_espionage_operations_by_Bitter_APT_and_APT36
MEDIUM
Intel Source:
Meta
Intel Name:
Two_cyber_espionage_operations_by_Bitter_APT_and_APT36
Date of Scan:
2022-08-08
Impact:
MEDIUM
Summary:
Researchers at Meta have published a quarterly threat report in which they took action against two cyber espionage operations in South Asia, linked to Bitter APT and APT36 respectively. The researchers have also shared new and noteworthy TTPs for both actors.
Source: https://about.fb.com/wp-content/uploads/2022/08/Quarterly-Adversarial-Threat-Report-Q2-2022.pdf
2022-08-08
APT31_targets_Russian_companies
MEDIUM
Intel Source:
PTSecurity
Intel Name:
APT31_targets_Russian_companies
Date of Scan:
2022-08-08
Impact:
MEDIUM
Summary:
PT Expert Security Center analysts found an attack targeting Russian media and energy companies. These attacks have been attributed to APT31.
Source: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks/
2022-08-05
Bumblebee_malware_activity_distributed_through_Projector_Libra
MEDIUM
Intel Source:
Palo Alto
Intel Name:
Bumblebee_malware_activity_distributed_through_Projector_Libra
Date of Scan:
2022-08-05
Impact:
MEDIUM
Summary:
Researchers from PaloAlto have identified Bumblebee malware being distributed through Projector Libra, a criminal group that uses file sharing services to distribute malware after direct email correspondence with a potential victim.
Source: https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/
2022-08-05
A_new_IoT_malware_family_called_RapperBot
MEDIUM
Intel Source:
Fortinet
Intel Name:
A_new_IoT_malware_family_called_RapperBot
Date of Scan:
2022-08-05
Impact:
MEDIUM
Summary:
FortiGuard Labs has identified a new family of IoT malware that uses code derived from Mirai to gain access to SSH servers and maintain persistence on a victim device even after the malware is removed.
Source: https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery
2022-08-05
Threat_Actor_leverages_Confluence_Bug_to_Deploy_Ljl_Backdoor
MEDIUM
Intel Source:
Deepwatch
Intel Name:
Threat_Actor_leverages_Confluence_Bug_to_Deploy_Ljl_Backdoor
Date of Scan:
2022-08-05
Impact:
MEDIUM
Summary:
A novel backdoor called Ljl was discovered by the Deepwatch Adversary Tactics and Intelligence Team. "The evidence indicates that the threat actor executed malicious commands with a parent process of tomcat9.exe in Atlassian's Confluence directory," the company said. "After the initial compromise, the threat actor ran various commands to enumerate the local system, network, and Active Directory environment."
Source: https://cdn1.hubspot.net/hubfs/5556002/2022%20PDF%20Download%20Assets/ADA%20Compliant%20pdfs/eBooks/Deepwatch%20Incident%20Intel%20Report%20-%20Novel%20Backdoor%20Discovered%20-%20Aug%202022.pdf https://5556002.fs1.hubspotusercontent-na1.net/hubfs/5556002/2022%20PDF%20Download%20Assets/ADA%20Compliant%20pdfs/Reports/ljlBackdoor%20Analysis.pdf
2022-08-04
Malware_disguised_as_Legitimate_Software
LOW
Intel Source:
VirusTotal
Intel Name:
Malware_disguised_as_Legitimate_Software
Date of Scan:
2022-08-04
Impact:
LOW
Summary:
Researchers from VirusTotal have analyzed malware samples and found 1,816 samples since January 2020 that masqueraded as legitimate software by packaging the malware in installers for other popular software such as Google Chrome, Malwarebytes, Zoom, Brave, Mozilla Firefox, and Proton VPN.
Source: https://blog.virustotal.com/2022/08/deception-at-scale.html
2022-08-04
LOLI_Stealer_A_new_Golang_Based_InfoStealer
LOW
Intel Source:
Cyble
Intel Name:
LOLI_Stealer_A_new_Golang_Based_InfoStealer
Date of Scan:
2022-08-04
Impact:
LOW
Summary:
Cyble researchers came across a new Golang-based infostealer dubbed LOLI Stealer. This stealer was being sold via a MaaS (malware-as-a-service) model.
Source: https://blog.cyble.com/2022/08/03/loli-stealer-golang-based-infostealer-spotted-in-the-wild/
2022-08-04
Malware_campaigns_leveraging_"Dark Utilities"_platform
LOW
Intel Source:
Cisco Talos
Intel Name:
Malware_campaigns_leveraging_"Dark Utilities"_platform
Date of Scan:
2022-08-04
Impact:
LOW
Summary:
Researchers at Cisco Talos have identified a C2-as-a-service (C2aaS) platform known as "Dark Utilities" offering a variety of services such as remote system access, DDoS capabilities and cryptocurrency mining. The payloads provided by the platform support Windows, Linux and Python-based implementations.
Source: https://blog.talosintelligence.com/2022/08/dark-utilities.html
2022-08-04
Russian_organizations_attacked_with_new_Woody_RAT_malware
LOW
Intel Source:
MalwareBytes
Intel Name:
Russian_organizations_attacked_with_new_Woody_RAT_malware
Date of Scan:
2022-08-04
Impact:
LOW
Summary:
Researchers from the Malwarebytes Threat Intelligence team have identified a new Remote Access Trojan called Woody Rat that allows attackers to remotely control compromised devices and steal information from them.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild/
2022-08-04
A_distribution_of_malicious_Word_files_with_North_Korea_related_materials
LOW
Intel Source:
ASEC
Intel Name:
A_distribution_of_malicious_Word_files_with_North_Korea_related_materials
Date of Scan:
2022-08-04
Impact:
LOW
Summary:
The ASEC analysis team has discovered another distribution of malicious Word files with North Korea-related materials. The malicious Word files are distributed under various names, most likely via email, alongside a file related to a specific webinar, and access the C2 through mshta.
Source: https://asec.ahnlab.com/en/37396/
2022-08-04
IcedID_leveraging_PrivateLoader
LOW
Intel Source:
Walmart
Intel Name:
IcedID_leveraging_PrivateLoader
Date of Scan:
2022-08-04
Impact:
LOW
Summary:
Researchers from Walmart have analysed PrivateLoader, which continues to function as an effective loading service and has recently been leveraging SmokeLoader for its loads.
Source: https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f
2022-08-04
New_campaign_by_Iranian_Threat_Actor
MEDIUM
Intel Source:
Mandiant
Intel Name:
New_campaign_by_Iranian_Threat_Actor
Date of Scan:
2022-08-04
Impact:
MEDIUM
Summary:
Researchers from Mandiant identified a politically motivated disruptive attack against Albanian government organizations. The researchers also noted the use of the ROADSWEEP ransomware and the CHIMNEYSWEEP backdoor.
Source: https://www.mandiant.com/resources/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against
2022-08-04
Deep_Analysis_of_Bumblebee_Malware
LOW
Intel Source:
Cloudsek
Intel Name:
Deep_Analysis_of_Bumblebee_Malware
Date of Scan:
2022-08-04
Impact:
LOW
Summary:
Researchers from CloudSEK performed a deep analysis of the Bumblebee malware loader, in which adversaries push ISO files through compromised email chains (known as thread-hijacked emails) to deploy the Bumblebee loader.
Source: https://cloudsek.com/technical-analysis-of-bumblebee-malware-loader/?utm_source=rss&utm_medium=rss&utm_campaign=technical-analysis-of-bumblebee-malware-loader
2022-08-03
Robin_Banks_PhaaS_Targeting_Citibank_Customers
LOW
Intel Source:
Iornnet
Intel Name:
Robin_Banks_PhaaS_Targeting_Citibank_Customers
Date of Scan:
2022-08-03
Impact:
LOW
Summary:
Researchers from IronNet have identified the Phishing-as-a-Service platform Robin Banks, which sells ready-to-use phishing kits to cybercriminals. The kits are used to obtain the financial details of victims living in the U.S., the U.K., Canada, and Australia.
Source: https://www.ironnet.com/blog/robin-banks-a-new-phishing-as-a-service-platform
2022-08-02
Manjusaka_Offensive_Framework
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
Manjusaka_Offensive_Framework
Date of Scan:
2022-08-02
Impact:
MEDIUM
Summary:
Researchers at Cisco Talos have discovered a new attack framework called Manjusaka. This framework is advertised as a reproduction of the Cobalt Strike framework. Moreover, the implants for the malware are written in Rust for Windows and Linux.
Source: https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html
2022-08-02
Analysis_on_Industrial_Spy_Ransomware
MEDIUM
Intel Source:
Zscaler
Intel Name:
Analysis_on_Industrial_Spy_Ransomware
Date of Scan:
2022-08-02
Impact:
MEDIUM
Summary:
Zscaler published a technical analysis of the Industrial Spy ransomware group, which emerged in April 2022, started by ransoming stolen data, and more recently has combined these attacks with ransomware. The threat group exfiltrates and sells data on its dark web marketplace but does not always encrypt a victim's files. It utilizes a combination of RSA and 3DES to encrypt files.
Source: https://www.zscaler.com/blogs/security-research/technical-analysis-industrial-spy-ransomware?&web_view=true
2022-08-02
Mars_Stealer_distributing_via_fake_wallet_site
LOW
Intel Source:
Cyble
Intel Name:
Mars_Stealer_distributing_via_fake_wallet_site
Date of Scan:
2022-08-02
Impact:
LOW
Summary:
Cyble Research Labs, in the course of their research, discovered that the threat actors behind Mars Stealer are adopting sophisticated phishing attacks to distribute it and gather user credentials, system information, and other sensitive data.
Source: https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/
2022-08-02
A_Deep_Dive_Analysis_of_RedLine_Stealer_Malware
LOW
Intel Source:
Security Scorecard
Intel Name:
A_Deep_Dive_Analysis_of_RedLine_Stealer_Malware
Date of Scan:
2022-08-02
Impact:
LOW
Summary:
Researchers have recently conducted an in-depth investigation of RedLine Stealer, which is distributed through cracked games, applications, and services.
Source: https://securityscorecard.com/research/detailed-analysis-redline-stealer
2022-08-02
Emotet_Downloader_Leveraging_Regsvr32_tool
LOW
Intel Source:
EclecticIQ
Intel Name:
Emotet_Downloader_Leveraging_Regsvr32_tool
Date of Scan:
2022-08-02
Impact:
LOW
Summary:
Researchers from EclecticIQ have observed an Emotet downloader document using the Regsvr32 tool for execution.
Source: https://blog.eclecticiq.com/emotet-downloader-document-uses-regsvr32-for-execution
2022-08-02
LockBit_Ransomware_Leveraging_Windows Defender_to_load_Cobalt_Strike_Payload
MEDIUM
Intel Source:
SentinelOne
Intel Name:
LockBit_Ransomware_Leveraging_Windows Defender_to_load_Cobalt_Strike_Payload
Date of Scan:
2022-08-02
Impact:
MEDIUM
Summary:
Researchers from SentinelOne have recently investigated the LockBit ransomware and found that the threat actor is abusing the Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.
Source: https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
2022-08-02
An_updated_variant_of_SolidBit_ransomware_new_targets
LOW
Intel Source:
Trendmicro
Intel Name:
An_updated_variant_of_SolidBit_ransomware_new_targets
Date of Scan:
2022-08-02
Impact:
LOW
Summary:
TrendMicro published a technical analysis of a new SolidBit variant that is disguised as different applications to lure gamers and social media users. SolidBit is suspected of being a LockBit ransomware copycat. The ransomware group also appears to be planning to expand its operations through these fraudulent apps and its recruitment of ransomware-as-a-service affiliates.
Source: https://www.trendmicro.com/en_us/research/22/h/solidbit-ransomware-enters-the-raas-scene-and-takes-aim-at-gamer.html https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/solidbit-ransomware-enters-the-raas-scene-and-takes-aim-at-gamers-and-social-media-users-with-new-variant-/IOCs-SolidBit-Ransomware-Enters-the-RaaS-Scene-and-Takes-Aim-at-Gamers-and-Social-Media-Users-With-New-Variant%20.txt
2022-08-01
An_increasing_number_of_phishing_emails_containing_IPFS_URLs
LOW
Intel Source:
Trustwave
Intel Name:
An_increasing_number_of_phishing_emails_containing_IPFS_URLs
Date of Scan:
2022-08-01
Impact:
LOW
Summary:
Trustwave noticed an increasing number of phishing emails containing IPFS URLs as their payload. They have observed more than 3,000 emails containing phishing URLs that utilize IPFS over the past 90 days, and it is evident that IPFS is increasingly becoming a popular platform for phishing websites.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/ipfs-the-new-hotbed-of-phishing/
2022-08-01
Green_Stone_sample_attributed_to_Iran
LOW
Intel Source:
Inquest
Intel Name:
Green_Stone_sample_attributed_to_Iran
Date of Scan:
2022-08-01
Impact:
LOW
Summary:
Inquest discovered a malicious sample that was uploaded from Iran. The document is a contract for the supply of services to an energy company from southern Iran, «Tavangoostar Niro va Gashtavar Jonob», and also contains a link to this energy company, www.tavangyl.com. Analysts named it Green Stone, since this family of malicious documents containing executable files was not previously known.
Source: https://inquest.net/blog/2022/07/27/green-stone
2022-08-01
Phishing_Attacks_Increase_Using_Decentralized_IPFS_Network
LOW
Intel Source:
SpiderLabs
Intel Name:
Phishing_Attacks_Increase_Using_Decentralized_IPFS_Network
Date of Scan:
2022-08-01
Impact:
LOW
Summary:
Researchers from SpiderLabs have identified that the decentralized file system 'IPFS' is becoming the new place for hosting phishing sites. They also identified no fewer than 3,000 emails containing IPFS phishing URLs as an attack vector in the last three months.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/ipfs-the-new-hotbed-of-phishing/
2022-08-01
Multiple_APT_Groups_Leveraging_Quasar_RAT
MEDIUM
Intel Source:
Qualys
Intel Name:
Multiple_APT_Groups_Leveraging_Quasar_RAT
Date of Scan:
2022-08-01
Impact:
MEDIUM
Summary:
Researchers from Qualys have analyzed the Quasar RAT which is widely leveraged by multiple threat actor groups targeting government and private organizations in Southeast Asia and other geographies.
Source: https://www.qualys.com/docs/whitepapers/qualys-wp-stealthy-quasar-evolving-to-lead-the-rat-race-v220727.pdf
2022-08-01
A new_malicious_campaign_LofyLife
LOW
Intel Source:
Securelist
Intel Name:
A new_malicious_campaign_LofyLife
Date of Scan:
2022-08-01
Impact:
LOW
Summary:
Kaspersky has discovered a new threat in the npm open-source package repository, "LofyLife", a malicious campaign to steal tokens and bank card data.
Source: https://securelist.com/lofylife-malicious-npm-packages/107014/
2022-08-01
Attackers_Leveraging_New_Phishing_Techniques
LOW
Intel Source:
Cofense
Intel Name:
Attackers_Leveraging_New_Phishing_Techniques
Date of Scan:
2022-08-01
Impact:
LOW
Summary:
Researchers from the Cofense Phishing Defense Center have observed a huge variety of phishing techniques. Some of these techniques are quite unique in how they get the end user to interact with the message.
Source: https://cofense.com/blog/countdown-timer-ransomware-themed-phishing-attack
2022-08-01
Diving_Deep_into_BPFDoor_Malware
LOW
Intel Source:
Qualys
Intel Name:
Diving_Deep_into_BPFDoor_Malware
Date of Scan:
2022-08-01
Impact:
LOW
Summary:
Qualys researchers published an analysis of BPFDoor, a stealthy Linux backdoor attributed to a nation-state actor, together with a simple script to detect it on Linux hosts.
Source: https://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor
2022-07-29
The_newly_discovered_Follina_exploit_used_by_attackers_again
MEDIUM
+
Intel Source:
ReversingLabs
Intel Name:
The_newly_discovered_Follina_exploit_used_by_attackers_again
Date of Scan:
2022-07-29
Impact:
MEDIUM
Summary:
ReversingLabs analyzed three malicious payloads circulating online that have been linked to the newly discovered Follina exploit in Microsoft's Support Diagnostic Tool (MSDT).
Source: https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks
2022-07-29
WebAssembly_frequently_used_for_cryptomining
LOW
+
Intel Source:
Sucuri
Intel Name:
WebAssembly_frequently_used_for_cryptomining
Date of Scan:
2022-07-29
Impact:
LOW
Summary:
Sucuri was recently contacted by a client who noticed that their computer slowed to a crawl every time they navigated to their own WordPress website. A cursory review of the site files revealed a snippet of code injected into one of the theme files, which loaded a WebAssembly-based cryptominer.
Source: https://blog.sucuri.net/2022/07/cryptominers-webassembly-in-website-malware.html
2022-07-29
An_Excel_Infection_Chain
LOW
+
Intel Source:
Inquest
Intel Name:
An_Excel_Infection_Chain
Date of Scan:
2022-07-29
Impact:
LOW
Summary:
InQuest researchers documented a convoluted infection chain in which the threat actor tempts the user into enabling content in Excel in order to run whatever payload is hidden inside.
Source: https://inquest.net/blog/2022/07/25/convoluted-infection-chain-using-excel
2022-07-29
Analysis_on_Symbiote_Malware
LOW
+
Intel Source:
Cybergeeks
Intel Name:
Analysis_on_Symbiote_Malware
Date of Scan:
2022-07-29
Impact:
LOW
Summary:
Cybergeeks published a case study on analyzing the Linux malware Symbiote, whose purpose is to steal credentials from SSH and SCP processes by hooking the libc read function.
Source: https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote/
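Hooking libc's read in another process's address space is most simply done by preloading a shared object, so the artefacts to look for are a populated /etc/ld.so.preload, an LD_PRELOAD variable in a process's environment, and a shared object mapped from an unusual directory. The check below is an added example, not code from the Cybergeeks write-up; the maps excerpt, preload file and environ blob are constructed, and the list of standard library directories is an assumption. A preload rootkit can hide these artefacts from any tool that uses the hooked libc, so run such a check from a statically linked binary or against a disk image.

```python
from pathlib import PurePosixPath

# Library directories a preloaded object is expected to live in (assumed list).
STANDARD_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")

# Constructed /proc/<pid>/maps excerpt for an sshd process, an /etc/ld.so.preload
# body and a /proc/<pid>/environ blob. Invented for the example, not artefacts
# from the Cybergeeks analysis.
SAMPLE_MAPS = """\
5594a6c00000-5594a6d2b000 r-xp 00000000 08:01 1311847 /usr/sbin/sshd
7f3a1c000000-7f3a1c1b5000 r-xp 00000000 08:01 1048643 /lib/x86_64-linux-gnu/libc.so.6
7f3a1c400000-7f3a1c40c000 r-xp 00000000 08:01 2621460 /usr/local/lib/libnss_sym.so
7f3a1c600000-7f3a1c603000 r-xp 00000000 08:01 2752519 /tmp/.x/libhook.so
7f3a1c800000-7f3a1c803000 r-xp 00000000 00:00 0 [vdso]
"""
SAMPLE_PRELOAD = "# system-wide preload\n/usr/local/lib/libnss_sym.so\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin:/bin\x00LD_PRELOAD=/tmp/.x/libhook.so\x00HOME=/root\x00"


def mapped_files(maps_text):
    """File-backed mappings in a /proc/<pid>/maps dump (sorted, deduplicated)."""
    paths = set()
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) == 6 and parts[5].startswith("/"):
            paths.add(parts[5])
    return sorted(paths)


def is_standard_lib(path):
    clean = path.replace(" (deleted)", "")
    return any(clean == d or clean.startswith(d + "/") for d in STANDARD_LIB_DIRS)


def suspicious_mappings(maps_text):
    """Shared objects mapped from outside the standard library dirs, or unlinked on disk."""
    out = []
    for path in mapped_files(maps_text):
        name = PurePosixPath(path.replace(" (deleted)", "")).name
        if ".so" in name and (path.endswith("(deleted)") or not is_standard_lib(path)):
            out.append(path)
    return out


def parse_ld_so_preload(text):
    """Entries in /etc/ld.so.preload; on a clean host the file is absent or empty."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def parse_environ(blob):
    """LD_PRELOAD entries from a NUL-separated /proc/<pid>/environ blob."""
    for item in blob.split(b"\x00"):
        if item.startswith(b"LD_PRELOAD="):
            value = item[len(b"LD_PRELOAD="):].decode(errors="replace")
            return [p for p in value.replace(":", " ").split() if p]
    return []


def audit(maps_text, preload_text, environ_blob):
    """Combine the three checks into (reason, path) findings."""
    findings = []
    findings += [("ld.so.preload entry", p) for p in parse_ld_so_preload(preload_text)]
    findings += [("LD_PRELOAD in environment", p) for p in parse_environ(environ_blob)]
    findings += [("shared object mapped outside standard library dirs", p)
                 for p in suspicious_mappings(maps_text)]
    return findings


def audit_live(pid):
    """Run audit() against the real /proc and /etc files for pid (needs root)."""
    def read(path, mode="r"):
        try:
            with open(path, mode) as fh:
                return fh.read()
        except OSError:
            return "" if mode == "r" else b""
    return audit(read(f"/proc/{pid}/maps"), read("/etc/ld.so.preload"),
                 read(f"/proc/{pid}/environ", "rb"))


if __name__ == "__main__":
    for reason, path in audit(SAMPLE_MAPS, SAMPLE_PRELOAD, SAMPLE_ENVIRON):
        print(f"{reason}: {path}")
```

Note that the preload entry in the sample lives under /usr/local/lib and would pass the directory check alone; the ld.so.preload file being non-empty is the finding there, which is why the three checks are combined rather than relying on path heuristics.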
2022-07-29
North_Korean_threat_actor_SharpTongue
LOW
+
Intel Source:
Volexity
Intel Name:
North_Korean_threat_actor_SharpTongue
Date of Scan:
2022-07-29
Impact:
LOW
Summary:
Volexity discovered a new mail-theft malware, SHARPEXT, believed to be used by the threat actor SharpTongue. This actor is believed to be North Korean in origin and is often publicly referred to as Kimsuky.
Source: https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/?s=09
2022-07-28
A_Korean_Web_Portal_Page_Daum_using_for_Spreading_Phishing_Emails
LOW
+
Intel Source:
ASEC
Intel Name:
A_Korean_Web_Portal_Page_Daum_using_for_Spreading_Phishing_Emails
Date of Scan:
2022-07-28
Impact:
LOW
Summary:
Researchers from ASEC have discovered phishing emails impersonating the Korean web portal Daum, with attachments that redirect the user to a phishing web page.
Source: https://asec.ahnlab.com/en/37270/
2022-07-28
KnotWeed_targets_UK_Austria_with_SubZero_malware
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
KnotWeed_targets_UK_Austria_with_SubZero_malware
Date of Scan:
2022-07-28
Impact:
MEDIUM
Summary:
MSTIC identified an Austria-based private-sector offensive actor, dubbed KNOTWEED, that has been targeting law firms, banks, and strategic consultancies in Austria, the United Kingdom, and Panama with SubZero malware.
Source: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
2022-07-28
Threat_Actors_leveraging_Microsoft_Applications_via_DLL_SideLoading
MEDIUM
+
Intel Source:
Cyble, SocInvestigations
Intel Name:
Threat_Actors_leveraging_Microsoft_Applications_via_DLL_SideLoading
Date of Scan:
2022-07-28
Impact:
MEDIUM
Summary:
Researchers from Cyble and SOCInvestigation have analyzed the DLL (Dynamic-Link Library) sideloading technique, in which threat actors deliver payloads through legitimate applications that load a malicious DLL placed alongside them under the name of a legitimate one.
Source: https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ https://www.socinvestigation.com/threat-actors-leveraging-microsoft-applications-via-dll-sideloading-detection-response/
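The telemetry that exposes sideloading is the image-load event: a legitimate executable loading an unsigned DLL from its own, user-writable directory, often under the name of a Windows system DLL. The heuristic below is an added example and not code from either post; the Sysmon Event ID 7 records are constructed, and both the trusted-root list and the list of commonly shadowed system DLL names are assumptions a team would tune to its own environment.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 7 (ImageLoad) records, reduced to the fields the
# check needs. These are invented samples, not data from the Cyble or
# SOCInvestigation posts.
SAMPLE_IMAGE_LOADS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\pkg\Updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\pkg\version.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\libcurl.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Users\bob\Downloads\tool\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\bob\Downloads\tool\tool.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\tool\dbghelp.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\bob\Downloads\tool\tool.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\tool\helper.dll",
     "Signed": "false", "Signature": ""},
]

# Directories where an unsigned DLL next to its loader is still ordinary (assumed).
TRUSTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")

# Illustrative names of system DLLs that sideloading chains commonly shadow (assumed list).
SYSTEM_DLL_NAMES = {"version.dll", "cryptbase.dll", "dbghelp.dll", "wtsapi32.dll",
                    "userenv.dll", "profapi.dll", "dwmapi.dll"}


def in_trusted_root(path):
    s = str(path).lower()
    return any(s.startswith(root.lower() + "\\") for root in TRUSTED_ROOTS)


def assess_image_load(event):
    """Return 'high', 'medium' or None for one ImageLoad record.

    high   : unsigned DLL loaded from the loader's own directory in a
             user-writable location, whose name shadows a system DLL
    medium : same placement, but the name does not match a known system DLL
    """
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    unsigned = event.get("Signed", "").lower() != "true"
    same_dir = str(exe.parent).lower() == str(dll.parent).lower()
    if not (unsigned and same_dir) or in_trusted_root(dll):
        return None
    return "high" if dll.name.lower() in SYSTEM_DLL_NAMES else "medium"


def find_sideloads(events):
    """Return (severity, loader, dll) for every record the heuristic flags."""
    hits = []
    for event in events:
        severity = assess_image_load(event)
        if severity:
            hits.append((severity, event["Image"], event["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for severity, loader, dll in find_sideloads(SAMPLE_IMAGE_LOADS):
        print(f"[{severity}] {loader} loaded {dll}")
```

The signed dbghelp.dll shipped next to a tool is deliberately left unflagged: vendors redistribute signed Microsoft DLLs legitimately, and the sideloading cases in these posts hinge on the DLL being the attacker's unsigned replacement.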
2022-07-28
Gootkit_Loaders_Updated_TTPs_of_Cobalt_Strike
LOW
+
Intel Source:
TrendMicro
Intel Name:
Gootkit_Loaders_Updated_TTPs_of_Cobalt_Strike
Date of Scan:
2022-07-28
Impact:
LOW
Summary:
Researchers from Trend Micro have identified new tactics of the Gootkit loader, which now uses fileless techniques to drop Cobalt Strike and other malicious payloads.
Source: https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html?&web_view=true
2022-07-27
UAC_0100_Group_leveraging_phishing_sites_to_target_Ukrainian_Banks
LOW
+
Intel Source:
CERT-UA
Intel Name:
UAC_0100_Group_leveraging_phishing_sites_to_target_Ukrainian_Banks
Date of Scan:
2022-07-27
Impact:
LOW
Summary:
CERT-UA has discovered an online fraud campaign using phishing sites themed as "aid from the Red Cross" and targeting customers of popular Ukrainian banks.
Source: https://cert.gov.ua/article/987552
2022-07-27
UAC_0041_Group_distributing_Formbook_and_Snake_Keylogger
LOW
+
Intel Source:
CERT-UA
Intel Name:
UAC_0041_Group_distributing_Formbook_and_Snake_Keylogger
Date of Scan:
2022-07-27
Impact:
LOW
Summary:
CERT-UA has analysed a phishing email with a malicious document attachment themed as a "final payment". The document contains an EXE file classified as the RelicRace .NET downloader, whose activation runs the payload (Formbook and Snake Keylogger).
Source: https://cert.gov.ua/article/955924
2022-07-27
Gootloader_expands_its_payload_to_deliver_IcedID_malware
LOW
+
Intel Source:
Esentire
Intel Name:
Gootloader_expands_its_payload_to_deliver_IcedID_malware
Date of Scan:
2022-07-27
Impact:
LOW
Summary:
eSentire's Threat Response Unit (TRU) has recently observed multiple Gootloader infections; one notable incident delivered an IcedID loader. The malware targets domain-joined machines. The infection starts with the user visiting a compromised website that lures them into downloading a ZIP file.
Source: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-gootloader-and-icedid
2022-07-27
Diving_Deep_into_Hive_Ransomware
MEDIUM
+
Intel Source:
Yoroi ZLab
Intel Name:
Diving_Deep_into_Hive_Ransomware
Date of Scan:
2022-07-27
Impact:
MEDIUM
Summary:
Researchers from Yoroi ZLab deep-dived into Hive ransomware, identifying it as one of the most sophisticated active threats. They continue to track the actor and observe modifications to its techniques in order to provide guidance.
Source: https://yoroi.company/research/on-the-footsteps-of-hive-ransomware/?&web_view=true
2022-07-27
Similarities_between_LockBit_3_0_and_BlackMatter_ransomware
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
Similarities_between_LockBit_3_0_and_BlackMatter_ransomware
Date of Scan:
2022-07-27
Impact:
MEDIUM
Summary:
Researchers from Trend Micro found similarities between the new version of LockBit (3.0) and BlackMatter ransomware. LockBit's extensive similarities to BlackMatter come from overlaps in the privilege escalation routines and in the harvesting routines used to resolve APIs.
Source: https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html
2022-07-27
Analysis_of_SSH_Honeypot_Data_with_PowerBI
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Analysis_of_SSH_Honeypot_Data_with_PowerBI
Date of Scan:
2022-07-27
Impact:
LOW
Summary:
The researcher from ISC SANS provides some analysis of SSH honeypot data after experimenting for a while with Microsoft PowerBI, parsing the honeypot data into comma-delimited (CSV) files for import.
Source: https://isc.sans.edu/diary.html?date=2022-07-23
2022-07-27
IcedID_malware_leveraging_Cobalt_Strike_and_Dark_VNC
LOW
+
Intel Source:
ISC.SANS
Intel Name:
IcedID_malware_leveraging_Cobalt_Strike_and_Dark_VNC
Date of Scan:
2022-07-27
Impact:
LOW
Summary:
The researcher from ISC SANS provides an analysis of IcedID malware activity that led to Dark VNC and Cobalt Strike.
Source: https://isc.sans.edu/diary/rss/28884
2022-07-27
UAC_0010_Group_leveraging_GammaLoad_PS1_v2_malware_to_target_Ukraine
LOW
+
Intel Source:
CERT-UA
Intel Name:
UAC_0010_Group_leveraging_GammaLoad_PS1_v2_malware_to_target_Ukraine
Date of Scan:
2022-07-27
Impact:
LOW
Summary:
CERT-UA has analysed a phishing email with a malicious document attachment related to the National Academy of Security of Ukraine. The document contains an HTM dropper which, when activated, creates a RAR archive and then an LNK file; running the LNK file leads to the download and execution of an HTA file.
Source: https://cert.gov.ua/article/971405
2022-07-27
IIS_extensions_persistently_used_as_Exchange_backdoors
LOW
+
Intel Source:
Microsoft
Intel Name:
IIS_extensions_persistently_used_as_Exchange_backdoors
Date of Scan:
2022-07-27
Impact:
LOW
Summary:
Microsoft reports that attackers increasingly use malicious Internet Information Services (IIS) web server extensions to backdoor unpatched Exchange servers, as these have lower detection rates than web shells.
Source: https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
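A malicious IIS extension is registered in IIS configuration like any other module, so an audit of applicationHost.config is a practical first check: a native module whose image lives outside the IIS and .NET directories, or a managed module whose assembly is not a Microsoft one, deserves a look. The script below is an added example, not code from the Microsoft post; the configuration excerpt is constructed, and the trusted directory list (including the Exchange install path) is an assumption to tune per host.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config excerpt (assumed; not from the Microsoft post).
# Two stock native modules, one native module dropped in a writable directory,
# one stock managed module and one managed module registered only under /owa.
SAMPLE_APPHOST = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="CacheUriModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="FinanceHttpModule" image="C:\inetpub\temp\FinanceHttpModule.dll" />
    </globalModules>
    <modules>
      <add name="CacheUriModule" />
      <add name="FinanceHttpModule" />
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
    </modules>
  </system.webServer>
  <location path="Default Web Site/owa">
    <system.webServer>
      <modules>
        <add name="OwaHelper" type="Owa.Helper, OwaHelper, Version=1.0.0.0" />
      </modules>
    </system.webServer>
  </location>
</configuration>
"""

# Native module image locations expected on an IIS/Exchange host (assumed list).
TRUSTED_NATIVE_DIRS = (
    r"%windir%\system32\inetsrv",
    r"%windir%\microsoft.net",
    r"c:\windows\system32\inetsrv",
    r"c:\program files\microsoft\exchange server",
)


def _child(elem, tag):
    """Direct child lookup by exact tag (avoids ElementPath for dotted tag names)."""
    return next((c for c in elem if c.tag == tag), None)


def _assembly_of(type_attr):
    """'Ns.Class, Assembly, Version=...' -> 'Assembly'; bare type names keep the namespace."""
    parts = [p.strip() for p in type_attr.split(",")]
    return parts[1] if len(parts) > 1 else parts[0]


def audit_iis_modules(config_xml):
    """Return (kind, scope, name, detail) for native modules loaded from outside
    the trusted directories and managed modules whose assembly is not a
    System.* / Microsoft.* one."""
    root = ET.fromstring(config_xml)
    findings = []
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            image = add.get("image", "").lower()
            if not any(image.startswith(d) for d in TRUSTED_NATIVE_DIRS):
                findings.append(("native", "global", add.get("name"), image))
    scopes = [("global", _child(root, "system.webServer"))]
    scopes += [(loc.get("path"), _child(loc, "system.webServer"))
               for loc in root.findall("location")]
    for scope, ws in scopes:
        mods = ws.find("modules") if ws is not None else None
        if mods is None:
            continue
        for add in mods.findall("add"):
            type_attr = add.get("type")
            if type_attr is None:      # native reference; covered by the globalModules check
                continue
            asm = _assembly_of(type_attr)
            if not asm.startswith(("System", "Microsoft")):
                findings.append(("managed", scope, add.get("name"), type_attr))
    return findings


if __name__ == "__main__":
    for kind, scope, name, detail in audit_iis_modules(SAMPLE_APPHOST):
        print(f"{kind:8} scope={scope!r} name={name} -> {detail}")
```

On a real server, read %windir%\System32\inetsrv\config\applicationHost.config and also the per-site web.config files, since a managed module can be registered there without touching the global file; the managed-assembly rule will also surface legitimate third-party modules, so treat its output as a review list rather than an alert.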
2022-07-26
New_tool_by_Charming_Kitten_and_its_OPSEC_errors
MEDIUM
+
Intel Source:
PWC
Intel Name:
New_tool_by_Charming_Kitten_and_its_OPSEC_errors
Date of Scan:
2022-07-26
Impact:
MEDIUM
Summary:
PwC researchers analyzed activity of the Yellow Garuda threat actor, aka Charming Kitten, and found that the group has developed new tools; the analysis also documents the group's operational security errors.
Source: https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/old-cat-new-tricks.html
2022-07-26
The_Source_Code_of_Luca_Stealer_Malware_Leaked
LOW
+
Intel Source:
Cyble
Intel Name:
The_Source_Code_of_Luca_Stealer_Malware_Leaked
Date of Scan:
2022-07-26
Impact:
LOW
Summary:
The Cyble Threat Hunting team recently discovered a previously unknown Rust-based stealer, known as Luca Stealer, whose source code was leaked for free on a popular cybercrime forum on July 3, 2022.
Source: https://blog.cyble.com/2022/07/25/luca-stealer-source-code-leaked-on-a-cybercrime-forum/
2022-07-26
Attacks_against_a_pair_of_vulnerabilities_in_Microsoft_SQL
LOW
+
Intel Source:
Sophos
Intel Name:
Attacks_against_a_pair_of_vulnerabilities_in_Microsoft_SQL
Date of Scan:
2022-07-26
Impact:
LOW
Summary:
Sophos Managed Threat Response (MTR) and Sophos Rapid Response have been investigating attacks against Microsoft SQL Server installations. Sophos observed the threat group targeting externally exposed, unpatched SQL servers, and during initial investigations saw them leveraging malware infrastructure impersonating a download site for KMSAuto, a utility used to bypass Windows license activation.
Source: https://news.sophos.com/en-us/2022/07/20/ooda-x-ops-takes-on-burgeoning-sql-server-attacks/
2022-07-26
A_New_CosmicStrand_UEFI_Firmware_Rootkit
LOW
+
Intel Source:
Securelist
Intel Name:
A_New_CosmicStrand_UEFI_Firmware_Rootkit
Date of Scan:
2022-07-26
Impact:
LOW
Summary:
Kaspersky researchers have found a sophisticated UEFI firmware rootkit, CosmicStrand, developed by an unknown Chinese-speaking threat actor. The rootkit is located in modified firmware images of Gigabyte or ASUS motherboards, all of which are related to designs using the H81 chipset.
Source: https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/
2022-07-25
Dot_PLAY_Ransomware
MEDIUM
+
Intel Source:
NoLogs NoBreach
Intel Name:
Dot_PLAY_Ransomware
Date of Scan:
2022-07-25
Impact:
MEDIUM
Summary:
A threat researcher identified a new ransomware variant, called .PLAY ransomware, during an IR engagement. Initial access was confirmed as exploitation of Fortigate firewall vulnerabilities over the Fortigate SSL-VPN; after initial access, the threat actors achieved privilege escalation and deployed the ransomware in less than 24 hours. No C2 traffic or tooling was detected; all actions were carried out over the VPN and through RDP.
Source: https://nologs-nobreach.com/2022/07/24/play-ransomware/
2022-07-25
Attackers_targeting_unpatched_Atlassian_Confluence_Servers
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Attackers_targeting_unpatched_Atlassian_Confluence_Servers
Date of Scan:
2022-07-25
Impact:
MEDIUM
Summary:
Researchers from ASEC have analyzed attacks targeting Confluence servers that have not been patched. The attackers exploit RCE vulnerabilities and, if successful, install a web shell or malware to gain control of the compromised system.
Source: https://asec.ahnlab.com/en/36820/
2022-07-25
Magniber_Ransomware_started_using_Windows_installer_package_file
LOW
+
Intel Source:
ASEC
Intel Name:
Magniber_Ransomware_started_using_Windows_installer_package_file
Date of Scan:
2022-07-25
Impact:
LOW
Summary:
Researchers from ASEC have identified that Magniber ransomware has started using a Windows installer package file (.msi) for its distribution instead of an Internet Explorer browser vulnerability.
Source: https://asec.ahnlab.com/en/37012/
2022-07-25
Candiru_Spyware_exploiting_Chrome_Zero_days_in_Middle_East
LOW
+
Intel Source:
Avast
Intel Name:
Candiru_Spyware_exploiting_Chrome_Zero_days_in_Middle_East
Date of Scan:
2022-07-25
Impact:
LOW
Summary:
Avast researchers discovered a zero-day vulnerability in Google Chrome, which has since been fixed. The vulnerability was weaponized by an Israeli spyware company (Candiru) and used in attacks targeting journalists in the Middle East.
Source: https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/
2022-07-25
Costa_Rican_Government_hacked_by_Conti_Ransomware
LOW
+
Intel Source:
AdvIntel
Intel Name:
Costa_Rican_Government_hacked_by_Conti_Ransomware
Date of Scan:
2022-07-25
Impact:
LOW
Summary:
AdvIntel researchers uncovered how Conti ransomware hacked and encrypted the Costa Rican government, tracing the Russian actors' steps from an initial foothold to the exfiltration of 672 GB of data on April 15.
Source: https://www.advintel.io/post/anatomy-of-attack-truth-behind-the-costa-rica-government-ransomware-5-day-intrusion
2022-07-25
North_Korean_linked_APT37_group_attack_with_Konni_RAT_malware
MEDIUM
+
Intel Source:
Securonix
Intel Name:
North_Korean_linked_APT37_group_attack_with_Konni_RAT_malware
Date of Scan:
2022-07-25
Impact:
MEDIUM
Summary:
Securonix Threat Labs is investigating a new attack campaign (STIFF#BIZON) against high-value targets that delivers Konni RAT and could be linked to the North Korean cyber-espionage group APT37.
Source: https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/
2022-07-25
Qakbot_continue_with_New_Techniques
LOW
+
Intel Source:
Cyble
Intel Name:
Qakbot_continue_with_New_Techniques
Date of Scan:
2022-07-25
Impact:
LOW
Summary:
Researchers from Cyble Research Labs came across a Twitter post in which a user shared new IOCs related to the well-known Qakbot malware, and analyzed its new playbook.
Source: https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/
2022-07-25
IcedID_malware_spreading_through_ISO_files
LOW
+
Intel Source:
ASEC
Intel Name:
IcedID_malware_spreading_through_ISO_files
Date of Scan:
2022-07-25
Impact:
LOW
Summary:
Researchers from ASEC have identified that the IcedID banking malware is being distributed via ISO files. They discovered two methods: the first relies on the Bumblebee malware, and the second uses script files and a cmd command.
Source: https://asec.ahnlab.com/en/37005/
2022-07-24
GoMet_2_0_backdoor_attacks_Ukraine
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
GoMet_2_0_backdoor_attacks_Ukraine
Date of Scan:
2022-07-24
Impact:
MEDIUM
Summary:
Cisco Talos has discovered a modified piece of malware targeting Ukraine and confirmed that it is a slightly modified version of the open-source GoMet backdoor.
Source: https://blog.talosintelligence.com/2022/07/attackers-target-ukraine-using-gomet.html
2022-07-24
A_malvertising_chain_abusing_Google_s_ad_network
LOW
+
Intel Source:
MalwareBytes
Intel Name:
A_malvertising_chain_abusing_Google_s_ad_network
Date of Scan:
2022-07-24
Impact:
LOW
Summary:
Malwarebytes researchers uncovered a malvertising chain abusing Google's ad network to redirect visitors to tech support scam infrastructure. Unsuspecting users searching for popular keywords click an advert, and their browser is hijacked with fake warnings urging them to call rogue "Microsoft" agents for support.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/07/google-ads-lead-to-major-malvertising-campaign/
2022-07-22
CNMF_Discloses_Malware_in_Ukraine
MEDIUM
+
Intel Source:
Mandiant
Intel Name:
CNMF_Discloses_Malware_in_Ukraine
Date of Scan:
2022-07-22
Impact:
MEDIUM
Summary:
Mandiant shared in their blog new malicious activity targeting Ukrainian entities during the ongoing conflict, highlighting operations by suspected UNC1151 and suspected UNC2589 that send phishing emails with malicious documents leading to malware infection chains.
Source: https://www.mandiant.com/resources/spear-phish-ukrainian-entities
2022-07-22
Lightning_Framework_A_new_Linux_centric_malware
MEDIUM
+
Intel Source:
Intezer
Intel Name:
Lightning_Framework_A_new_Linux_centric_malware
Date of Scan:
2022-07-22
Impact:
MEDIUM
Summary:
Researchers at Intezer have discovered a previously undetected, Swiss Army Knife-like Linux malware called Lightning Framework.
Source: https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/
2022-07-22
LockBit_3_0_updated_with_new_techniques
MEDIUM
+
Intel Source:
Sentinelone
Intel Name:
LockBit_3_0_updated_with_new_techniques
Date of Scan:
2022-07-22
Impact:
MEDIUM
Summary:
Researchers at SentinelLabs have documented new techniques and features of LockBit 3.0: its operators have updated the encryption routines and added several new anti-analysis and evasion features.
Source: https://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques/
2022-07-22
Magniber_Ransomware_changing_its_Injection_Method
LOW
+
Intel Source:
ASEC
Intel Name:
Magniber_Ransomware_changing_its_Injection_Method
Date of Scan:
2022-07-22
Impact:
LOW
Summary:
ASEC researchers, who constantly monitor Magniber ransomware, found that it recently changed its injection method and started distributing itself as a Windows installer package file (.msi) to Edge and Chrome browser users.
Source: https://asec.ahnlab.com/en/36475/
2022-07-22
TA4563_leverages_EvilNum_malware_to_target_European_financial_entities
MEDIUM
+
Intel Source:
ProofPoint
Intel Name:
TA4563_leverages_EvilNum_malware_to_target_European_financial_entities
Date of Scan:
2022-07-22
Impact:
MEDIUM
Summary:
Proofpoint researchers tracked a threat actor they named TA4563, which has been leveraging EvilNum malware to target European financial and investment entities.
Source: https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities
2022-07-21
SmokeLoader_malware_leveraging_Amadey_Bot
LOW
+
Intel Source:
ASEC
Intel Name:
SmokeLoader_malware_leveraging_Amadey_Bot
Date of Scan:
2022-07-21
Impact:
LOW
Summary:
ASEC researchers discovered that Amadey Bot is being installed by SmokeLoader. Amadey Bot is capable of stealing information and installing additional malware by receiving commands from the attacker, while SmokeLoader serves as a downloader used to install additional malware strains.
Source: https://asec.ahnlab.com/en/36634/
2022-07-21
A_new_variant_of_QakBot
LOW
+
Intel Source:
Fortinet
Intel Name:
A_new_variant_of_QakBot
Date of Scan:
2022-07-21
Impact:
LOW
Summary:
Fortinet's researchers observed a phishing email that is part of a campaign spreading a new variant of QakBot.
Source: https://www.fortinet.com/blog/threat-research/new-variant-of-qakbot-spread-by-phishing-emails?&web_view=true
2022-07-21
Redeemer_Ransomware_released_new_version_Redeemer_2_0
MEDIUM
+
Intel Source:
Cyble
Intel Name:
Redeemer_Ransomware_released_new_version_Redeemer_2_0
Date of Scan:
2022-07-21
Impact:
MEDIUM
Summary:
Researchers at Cyble have identified the latest version of Redeemer ransomware on dark web cybercrime forums. The author of Redeemer released the new version with updated features.
Source: https://blog.cyble.com/2022/07/20/redeemer-ransomware-back-action/?utm_content=215383953&utm_medium=social&utm_source=twitter&hss_channel=tw-1141929006603866117
2022-07-21
CloudMensis_spyware_targets_MacOS_systems
LOW
+
Intel Source:
WeLivesecurity
Intel Name:
CloudMensis_spyware_targets_MacOS_systems
Date of Scan:
2022-07-21
Impact:
LOW
Summary:
Researchers from ESET discovered a previously undetected macOS backdoor, tracked as CloudMensis, that targets macOS systems and exclusively uses public cloud storage services as C2.
Source: https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/ https://www.jamf.com/blog/cloudmensis-malware/
2022-07-21
Analysis_of_NukeSped_Malware
LOW
+
Intel Source:
Cyfirma
Intel Name:
Analysis_of_NukeSped_Malware
Date of Scan:
2022-07-21
Impact:
LOW
Summary:
Researchers at Cyfirma analyzed the NukeSped malware. The malware is associated with the North Korean APT group Lazarus, which is known to target the US, South Korea, Japan and Asia-Pacific countries.
Source: https://www.cyfirma.com/outofband/nukesped-rat-report/
2022-07-21
PyAutoGUI_lets_your_Python_scripts_control_the_mouse_and_keyboard
LOW
+
Intel Source:
ISC SANS
Intel Name:
PyAutoGUI_lets_your_Python_scripts_control_the_mouse_and_keyboard
Date of Scan:
2022-07-21
Impact:
LOW
Summary:
The ISC SANS researcher analyzed a malicious Python script that uses PyAutoGUI, a library that lets Python scripts control the mouse and keyboard, to automate interactions with other applications and behave like a Rubber Ducky.
Source: https://isc.sans.edu/diary/Malicious+Python+Script+Behaving+Like+a+Rubber+Ducky/28860
2022-07-21
Threat_actors_leveraging_AgentTesla_to_target_Ukraine_state_bodies
LOW
+
Intel Source:
Cert-UA
Intel Name:
Threat_actors_leveraging_AgentTesla_to_target_Ukraine_state_bodies
Date of Scan:
2022-07-21
Impact:
LOW
Summary:
CERT-UA discovered the file "Report_050722_4.ppt", which contains a thumbnail image mentioning the operational command "South". If the document is opened and the macro is activated, the macro creates the files "gksg023ig.lnk" and "sgegkseg23mjl.exe" and executes the LNK file using rundll32.exe, which in turn launches the EXE file.
Source: https://cert.gov.ua/article/861292
2022-07-21
Continued_cyber_activity_in_Eastern_Europe
MEDIUM
+
Intel Source:
Google blog
Intel Name:
Continued_cyber_activity_in_Eastern_Europe
Date of Scan:
2022-07-21
Impact:
MEDIUM
Summary:
Google's Threat Analysis Group (TAG) continues to closely monitor Russian APT activity outside of Ukraine. TAG has disrupted coordinated influence operations from several actors, including the Internet Research Agency and a Russian consulting firm, and reports on activity by the Turla, COLDRIVER and Ghostwriter/UNC1151 groups as well as exploitation of the Follina vulnerability.
Source: https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/
2022-07-20
WatchDog_Adds_Steganography_in_Cryptojacking_Operations
LOW
+
Intel Source:
Lacework
Intel Name:
WatchDog_Adds_Steganography_in_Cryptojacking_Operations
Date of Scan:
2022-07-20
Impact:
LOW
Summary:
Researchers from Lacework report that WatchDog's cryptojacking campaign has adopted a steganography technique for malware propagation and other objectives. The XMRig miner was disguised as an image and hosted on compromised cloud storage (Alibaba Object Storage Service).
Source: https://www.lacework.com/blog/how-watchdog-smuggles-malware-into-your-network-as-uninteresting-photos/
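A miner "disguised as an image" that a downloader later carves out still has to sit somewhere in the file, and the cheapest place is after the point where an image decoder stops reading. The checker below is an added example, not Lacework's code or a description of WatchDog's exact encoding: it assumes the payload is appended after a JPEG's EOI marker or a PNG's IEND chunk, builds a small valid PNG and a JPEG skeleton inline as constructed samples, and reports what the trailing bytes look like. Real steganography that hides data inside pixel values would not be caught this way.

```python
import struct
import zlib

JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Magic bytes worth reporting when found after the image ends (illustrative set).
PAYLOAD_MAGICS = {
    b"\x7fELF": "ELF executable",
    b"MZ": "PE executable",
    b"#!": "script with shebang",
    b"\x1f\x8b": "gzip data",
    b"PK\x03\x04": "zip archive",
}


def image_end_offset(data):
    """Offset just past the last byte a JPEG or PNG decoder will consume, or None.

    JPEG: first EOI marker (0xFFD9); entropy-coded data byte-stuffs 0xFF, so the
    marker cannot occur inside a scan, but an EXIF thumbnail carries its own EOI,
    which this simple check would stop at early.
    PNG: walks the chunk list (length, type, data, CRC) to the IEND chunk.
    """
    if data.startswith(JPEG_SOI):
        i = data.find(JPEG_EOI)
        return None if i < 0 else i + 2
    if data.startswith(PNG_SIG):
        pos = len(PNG_SIG)
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 12 + length          # 4 length + 4 type + data + 4 CRC
            if ctype == b"IEND":
                return pos
        return None
    return None


def find_smuggled_payload(data):
    """Report bytes trailing the image and what their magic suggests they are."""
    end = image_end_offset(data)
    if end is None:
        return {"image": False}
    trailer = data[end:]
    stripped = trailer.lstrip(b"\x00\r\n ")
    kind = next((k for magic, k in PAYLOAD_MAGICS.items() if stripped.startswith(magic)), None)
    return {"image": True, "trailer_bytes": len(trailer), "payload": kind}


def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_tiny_png():
    """A valid 1x1 RGB PNG, built here so the example has a real image to test against."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)    # 1x1, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter byte + one red pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed samples: a clean PNG, the same PNG with a fake ELF header appended,
# and a minimal JPEG skeleton (SOI + APP0 + EOI) with a shell script appended.
CLEAN_PNG = make_tiny_png()
STEGO_PNG = CLEAN_PNG + b"\x7fELF\x02\x01\x01" + b"\x00" * 40
FAKE_JPEG = (JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + JPEG_EOI + b"#!/bin/sh\necho dropper\n")


def scan_file(path):
    """Run the check on a file from disk (for use against downloaded 'images')."""
    with open(path, "rb") as fh:
        return find_smuggled_payload(fh.read())


if __name__ == "__main__":
    for label, blob in (("clean.png", CLEAN_PNG), ("photo.png", STEGO_PNG), ("photo.jpg", FAKE_JPEG)):
        print(label, find_smuggled_payload(blob))
```

A non-zero trailer is itself the signal; the magic lookup only labels it. Legitimate files sometimes carry a few padding bytes or an XMP trailer, so a threshold on trailer size plus the magic check keeps false positives manageable when sweeping a bucket of downloaded images.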
2022-07-20
Industrial_Espionage_Operation_explained
MEDIUM
+
Intel Source:
BitDefender
Intel Name:
Industrial_Espionage_Operation_explained
Date of Scan:
2022-07-20
Impact:
MEDIUM
Summary:
Researchers from Bitdefender analyzed an incident that was an industrial espionage operation. In this attack the attacker compromised a "patient zero" computer and used it to establish a secondary access avenue through a web shell planted on the company's Exchange server.
Source: https://www.bitdefender.com/blog/labs/under-siege-for-months-the-anatomy-of-an-industrial-espionage-operation/ https://www.bitdefender.com/files/News/CaseStudies/study/421/Bitdefender-PR-Whitepaper-IndEs-creat6269-en-EN.pdf
2022-07-20
Open_Document_malware_targets_Latin_American_Hotels
LOW
+
Intel Source:
HP Wolf Security
Intel Name:
Open_Document_malware_targets_Latin_American_Hotels
Date of Scan:
2022-07-20
Impact:
LOW
Summary:
Researchers from HP Wolf Security analyzed a stealthy malware campaign which uses OpenDocument text (.odt) files to distribute malware. The campaign targets the hotel industry in Latin America.
Source: https://threatresearch.ext.hp.com/stealthy-opendocument-malware-targets-latin-american-hotels/?web_view=true
2022-07-20
8220_Gang_Massively_Expands_Cloud_Botnet
MEDIUM
+
Intel Source:
Sentinelone
Intel Name:
8220_Gang_Massively_Expands_Cloud_Botnet
Date of Scan:
2022-07-20
Impact:
MEDIUM
Summary:
Over the last month, a crimeware group best known as 8220 Gang has expanded its botnet to roughly 30,000 hosts globally through the use of Linux and common cloud application vulnerabilities and poorly secured configurations.
Source: https://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/
2022-07-19
A_continued_exploitation_of_Log4Shell_in_VMware_Horizon_Systems
MEDIUM
+
Intel Source:
CISA
Intel Name:
A_continued_exploitation_of_Log4Shell_in_VMware_Horizon_Systems
Date of Scan:
2022-07-19
Impact:
MEDIUM
Summary:
CISA has updated the Cybersecurity Advisory AA22-174A: Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon, originally released June 23, 2022. The advisory now includes updated IOCs provided in Malware Analysis Report (MAR)-10382580-2.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-174a
2022-07-19
APT29_Group_leveraging_Online_Storage_Services
MEDIUM
+
Intel Source:
Palo Alto
Intel Name:
APT29_Group_leveraging_Online_Storage_Services
Date of Scan:
2022-07-19
Impact:
MEDIUM
Summary:
Palo Alto Unit 42 researchers observed the Russian SVR-linked APT29 (Cloaked Ursa) using Google Drive and Dropbox to evade detection. APT29 has adopted this new tactic in recent campaigns targeting Western diplomatic missions and foreign embassies worldwide.
Source: https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/
2022-07-19
Attackers_leveraging_tools_to_generate_LNK_Files_to_deliver_payload
LOW
+
Intel Source:
Resecurity
Intel Name:
Attackers_leveraging_tools_to_generate_LNK_Files_to_deliver_payload
Date of Scan:
2022-07-19
Impact:
LOW
Summary:
Threat hunters from Resecurity have detected popular tools used by cybercriminals: attackers are actively leveraging tools that let them generate malicious shortcut files (.LNK files) for payload delivery.
Source: https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise?&web_view=true
2022-07-19
Pegasus_Spyware_Used_Against_Thailand_s_Pro_Democracy_Movement
LOW
+
Intel Source:
Citizen Lab
Intel Name:
Pegasus_Spyware_Used_Against_Thailand_s_Pro_Democracy_Movement
Date of Scan:
2022-07-19
Impact:
LOW
Summary:
Citizen Lab discovered an extensive espionage campaign using Pegasus spyware against Thai pro-democracy protesters and activists calling for reforms to the monarchy.
Source: https://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/
2022-07-19
Lazarus_Forged_Analysis_Report_on_Ecommerce_Component_Attack_Activities
MEDIUM
+
Intel Source:
Weixin
Intel Name:
Lazarus_Forged_Analysis_Report_on_Ecommerce_Component_Attack_Activities
Date of Scan:
2022-07-19
Impact:
MEDIUM
Summary:
The APT-C-26 (Lazarus) group had a clear purpose in this attack: it continued its activity by disguising its tooling as an Alibaba-related e-commerce component. The payload component is related to the NukeSped family.
Source: https://mp.weixin.qq.com/s/USitU4jAg9y2XkQxbwcAPQ
2022-07-18
Elastix_VoIP_systems_hacked_in_massive_campaign
LOW
+
Intel Source:
Palo Alto
Intel Name:
Elastix_VoIP_systems_hacked_in_massive_campaign
Date of Scan:
2022-07-18
Impact:
LOW
Summary:
Recently, Palo Alto Unit 42 observed another operation targeting the Elastix system used in Digium phones. The attacker implants a web shell to exfiltrate data by downloading and executing additional payloads inside the target's Digium phone software (a FreePBX module written in PHP).
Source: https://unit42.paloaltonetworks.com/digium-phones-web-shell/
2022-07-18
Phishing_campaign_involving_Emotet
LOW
+
Intel Source:
Cyfirma
Intel Name:
Phishing_campaign_involving_Emotet
Date of Scan:
2022-07-18
Impact:
LOW
Summary:
Cyfirma researchers noticed multiple phishing campaigns involving Emotet, which is dropped through an Excel 4.0 macro (.xls) file attachment.
Source: https://media-exp2.licdn.com/dms/document/C561FAQFQ1G-qDcfWog/feedshare-document-pdf-analyzed/0/1658115611369?e=1658966400&v=beta&t=CrzicOViop8aDfMYLyTPjPGNhnX18D5OEvX1tTKP-sI
2022-07-16
The_Maha_grass_group_attack_activity_against_Pakistan
LOW
+
Intel Source:
Qianxin Blog
Intel Name:
The_Maha_grass_group_attack_activity_against_Pakistan
Date of Scan:
2022-07-16
Impact:
LOW
Summary:
Recently, the Red Raindrop team of the Qi'anxin Threat Intelligence Center observed several attack samples of the Patchwork (Maha Grass) group in daily threat hunting. In this attack, the attacker uses a malicious RTF file exploiting a vulnerability to carry out a spear-phishing attack with documents of Pakistani government agencies as bait.
Source: https://ti.qianxin.com/blog/articles/analysis-of-the-attack-activities-of-patchwork-using-the-documents-of-relevant-government-agencies-in-pakistan-as-bait/
2022-07-16
The_Newly_Emerged_BlueSky_Ransomware
MEDIUM
+
Intel Source:
Cloudsek
Intel Name:
The_Newly_Emerged_BlueSky_Ransomware
Date of Scan:
2022-07-16
Impact:
MEDIUM
Summary:
CloudSEK discovered a financially motivated ransomware group, dubbed BlueSky, speculated to be connected to the Conti ransomware group.
Source: https://cloudsek.com/threatintelligence/tracking-the-operators-of-the-newly-emerged-bluesky-ransomware/
2022-07-16
Sudden_Increase_In_Attacks_On_Modern_WPBakery_Page_Builder_Addons_Vulnerability
LOW
+
Intel Source:
Wordfence
Intel Name:
Sudden_Increase_In_Attacks_On_Modern_WPBakery_Page_Builder_Addons_Vulnerability
Date of Scan:
2022-07-16
Impact:
LOW
Summary:
The Wordfence Threat Intelligence team has observed a spike in attack attempts targeting the Kaswara Modern WPBakery Page Builder Addons plugin. This ongoing campaign aims to exploit an arbitrary file upload vulnerability, tracked as CVE-2021-24284, which was previously disclosed and remains unpatched in the now-closed plugin.
Source: https://www.wordfence.com/blog/2022/07/attacks-on-modern-wpbakery-page-builder-addons-vulnerability/
2022-07-15
Indian_APT_group_Confucius_targets_Pakistan_government_and_military_institutions
LOW
+
Intel Source:
Antiy Group
Intel Name:
Indian_APT_group_Confucius_targets_Pakistan_government_and_military_institutions
Date of Scan:
2022-07-15
Impact:
LOW
Summary:
Antiy Group researchers published their findings on the Indian APT Confucius campaigns targeting Pakistani government and military institutions.
Source: https://mp.weixin.qq.com/s/n6XQAGtNEXfPZXp1mlwDTQ
2022-07-15
UAC_0100_group_leveraging_Online_Fraud_to_target_Ukraine
LOW
+
Intel Source:
CERT-UA
Intel Name:
UAC_0100_group_leveraging_Online_Fraud_to_target_Ukraine
Date of Scan:
2022-07-15
Impact:
LOW
Summary:
CERT-UA has discovered fraudulent Facebook pages containing links to a "Unified Compensation Center for the Return of Unpaid Funds". The fraudulent pages prompt users to provide personal information and make payments, harvesting their payment card information.
Source: https://cert.gov.ua/article/761668
2022-07-15
ApolloRat_Malware_compiled_using_Nuitka
LOW
+
Intel Source:
Cyble
Intel Name:
ApolloRat_Malware_compiled_using_Nuitka
Date of Scan:
2022-07-15
Impact:
LOW
Summary:
Cyble's research team has discovered a new RAT dubbed ApolloRAT. It is written in Python and uses Discord as its command and control (C&C) server.
Source: https://blog.cyble.com/2022/07/14/apollorat-evasive-malware-compiled-using-nuitka/
2022-07-15
New_campaign_ongoing_by_Transparent_Tribe_APT_group
LOW
+
Intel Source:
Cisco Talos
Intel Name:
New_campaign_ongoing_by_Transparent_Tribe_APT_group
Date of Scan:
2022-07-15
Impact:
LOW
Summary:
Researchers at Cisco Talos have discovered a malicious campaign targeting students of universities and colleges in India. The findings also suggest that the APT is actively expanding its network of victims to include civilian users.
Source: https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html
2022-07-15
Everest_Ransomware_new_TTPs_and_relation_to_Black_Byte
MEDIUM
+
Intel Source:
NCC Group
Intel Name:
Everest_Ransomware_new_TTPs_and_relation_to_Black_Byte
Date of Scan:
2022-07-15
Impact:
MEDIUM
Summary:
Researchers at NCC Group analysed an Everest ransomware sample and assess with medium confidence that Everest ransomware is related to BlackByte. They also documented new TTPs employed by the Everest ransomware group.
Source: https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/
2022-07-15
North_Korean_threat_actors_uses_H0lyGh0st_ransomware
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
North_Korean_threat_actors_uses_H0lyGh0st_ransomware
Date of Scan:
2022-07-15
Impact:
MEDIUM
Summary:
Microsoft Threat Intelligence Center tracked a threat group, DEV-0530, that is using H0lyGh0st ransomware to target small and midsize businesses.
Source: https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/
2022-07-07
NorthKorean_Threat_actors_uses_Maui_Ransomware
MEDIUM
+
Intel Source:
CISA
Intel Name:
NorthKorean_Threat_actors_uses_Maui_Ransomware
Date of Scan:
2022-07-07
Impact:
MEDIUM
Summary:
A joint CSA has been released by the FBI, CISA and DOT about Maui ransomware being used by North Korean threat actors to target the Healthcare and Public Health Sector.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-187a
2022-07-07
Threat_Actors_abusing_Red_teaming_tools
MEDIUM
+
Intel Source:
Palo Alto
Intel Name:
Threat_Actors_abusing_Red_teaming_tools
Date of Scan:
2022-07-07
Impact:
MEDIUM
Summary:
Palo Alto Unit 42 recently hunted for and discovered new samples that match known advanced persistent threat (APT) patterns and tactics. When evaluated, these samples raised obvious detection concerns. The sample contained a malicious payload associated with Brute Ratel C4 (BRc4), the newest red-teaming and adversarial attack simulation tool to hit the market.
Source: https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/
2022-07-07
NoMercy_Stealer_Rapidly_Evolving_Into_Clipper_Malware
LOW
+
Intel Source:
Cyble
Intel Name:
NoMercy_Stealer_Rapidly_Evolving_Into_Clipper_Malware
Date of Scan:
2022-07-07
Impact:
LOW
Summary:
During routine threat hunting, Cyble researchers discovered a new stealer named “NoMercy”. The investigation indicated that the stealer is a very crude and simple information stealer in its initial stages, and that the threat actors (TAs) behind it are actively modifying the stealer and adding capabilities.
Source: https://blog.cyble.com/2022/07/07/nomercy-stealer-adding-new-features/
2022-07-07
A_cryptomining_campaign_targets_Linux_servers
LOW
+
Intel Source:
Security Affairs
Intel Name:
A_cryptomining_campaign_targets_Linux_servers
Date of Scan:
2022-07-07
Impact:
LOW
Summary:
Microsoft Security Intelligence experts are warning of a long-running campaign conducted by a cloud threat actor group, tracked as 8220, that is now targeting Linux servers to install crypto miners.
Source: https://securityaffairs.co/wordpress/132777/cyber-crime/8220-cryptomining-campaign.html https://blog.aquasec.com/8220-gang-confluence-vulnerability-cve-2022-26134
2022-07-07
Orbit_Malware_targeting_Linux_goes_undetected
LOW
+
Intel Source:
Intezer
Intel Name:
Orbit_Malware_targeting_Linux_goes_undetected
Date of Scan:
2022-07-07
Impact:
LOW
Summary:
Intezer researchers provided technical analysis of a new and fully undetected malware dubbed “Orbit” that is targeting Linux systems. This malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands.
Source: https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/
2022-07-07
Phishing_tax_scam_at_Canada
LOW
+
Intel Source:
Welivesecurity
Intel Name:
Phishing_tax_scam_at_Canada
Date of Scan:
2022-07-07
Impact:
LOW
Summary:
Phishing scammers pose as the Canadian tax agency ahead of Canada Day.
Source: https://www.welivesecurity.com/2022/07/01/phishing-scam-posing-canadian-tax-agency-canada-day/
2022-07-06
Malicious_NPM_Packages_Stealing_Data
LOW
+
Intel Source:
ReversingLabs
Intel Name:
Malicious_NPM_Packages_Stealing_Data
Date of Scan:
2022-07-06
Impact:
LOW
Summary:
ReversingLabs researchers uncovered malicious npm packages stealing data, as evidence of a widespread software supply chain attack.
Source: https://blog.reversinglabs.com/blog/iconburst-npm-software-supply-chain-attack-grabs-data-from-apps-websites
2022-07-06
Cobalt_Strike_and_Meterpreter
LOW
+
Intel Source:
ASEC
Intel Name:
Cobalt_Strike_and_Meterpreter
Date of Scan:
2022-07-06
Impact:
LOW
Summary:
Researchers from ASEC analyzed an attack case that installs Cobalt Strike and Meterpreter on vulnerable MS-SQL servers to gain control. The attacker then installs AnyDesk to control the infected system in a remote desktop environment.
Source: https://asec.ahnlab.com/en/36159/
2022-07-06
Bitter_APT_targets_Bangladesh
LOW
+
Intel Source:
SecuInfra
Intel Name:
Bitter_APT_targets_Bangladesh
Date of Scan:
2022-07-06
Impact:
LOW
Summary:
Researchers from SecuInfra analyzed an attack by the Bitter APT group, which has targeted military organizations in Bangladesh.
Source: https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/
2022-07-06
Diving_deep_into_BumbleBee_Loader_updated_IOCs
MEDIUM
+
Intel Source:
Securonix
Intel Name:
Diving_deep_into_BumbleBee_Loader_updated_IOCs
Date of Scan:
2022-07-06
Impact:
MEDIUM
Summary:
The Securonix Threat Labs Threat Research Team has analysed a sample of BumbleBee; it appears to follow a similar delivery mechanism, which can be used to detect the loader's initial foothold. Currently, AV detection of the BumbleBee loader is very weak as vendors work to update their signatures and heuristic detections, and the main DLL payload of this loader was very much capable of evading EDR detection at the time of publication.
Source: https://www.securonix.com/blog/securonix-threat-labs-initial-coverage-advisory-analysis-and-detection-of-bumblebee-loader-using-securonix/
2022-07-06
The_new_Hive_variant
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
The_new_Hive_variant
Date of Scan:
2022-07-06
Impact:
MEDIUM
Summary:
Microsoft Threat Intelligence Center discovered the new variant while analyzing detected Hive ransomware techniques for dropping .key files.
Source: https://www.microsoft.com/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/
2022-07-06
DarkComet_RAT_returned_with_new_TTPs
LOW
+
Intel Source:
SocInvestigations
Intel Name:
DarkComet_RAT_returned_with_new_TTPs
Date of Scan:
2022-07-06
Impact:
LOW
Summary:
Researchers from SocInvestigation documented the new TTPs of DarkComet RAT along with detection and response guidance. DarkComet is generally spread via phishing campaigns.
Source: https://www.socinvestigation.com/darkcomet-rat-returns-with-new-ttps-detection-response/
2022-07-05
Vsingle_Malware_used_by_Lazarus_Group
MEDIUM
+
Intel Source:
JPCERT
Intel Name:
Vsingle_Malware_used_by_Lazarus_Group
Date of Scan:
2022-07-05
Impact:
MEDIUM
Summary:
Researchers from JPCERT detailed the VSingle malware used by the Lazarus group, which has been updated to retrieve C2 server information from GitHub.
Source: https://blogs.jpcert.or.jp/en/2022/07/vsingle.html
2022-07-05
Xloader_Malware_returns_with_new_infection_technique
MEDIUM
+
Intel Source:
Cyble
Intel Name:
Xloader_Malware_returns_with_new_infection_technique
Date of Scan:
2022-07-05
Impact:
MEDIUM
Summary:
Researchers at Cyble have analysed an infection chain of the Xloader malware. The malware uses multiple file types such as PDF, XLSX, and RTF for its initial infection and execution. It is also designed to drop three modules in memory and execute the final payload using the process hollowing technique.
Source: https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/
2022-07-04
MedusaLocker_Ransomware
MEDIUM
+
Intel Source:
CISA
Intel Name:
MedusaLocker_Ransomware
Date of Scan:
2022-07-04
Impact:
MEDIUM
Summary:
In a joint advisory supporting the #StopRansomware campaign, CISA, the FBI, Treasury and FinCEN provide information on MedusaLocker ransomware. Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks.
Source: https://www.cisa.gov/uscert/sites/default/files/publications/AA22-181A_stopransomware_medusalocker.pdf
2022-07-04
SessionManager_IIS_backdoor
MEDIUM
+
Intel Source:
SecureList
Intel Name:
SessionManager_IIS_backdoor
Date of Scan:
2022-07-04
Impact:
MEDIUM
Summary:
Researchers at SecureList have been investigating an IIS backdoor called SessionManager since early 2022. SessionManager has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East, starting from at least March 2021.
Source: https://securelist.com/the-sessionmanager-iis-backdoor/106868/
2022-07-04
YTStealer_Malware
LOW
+
Intel Source:
Intezer
Intel Name:
YTStealer_Malware
Date of Scan:
2022-07-04
Impact:
LOW
Summary:
YTStealer is malware that aims to steal YouTube authentication cookies. As a stealer, it behaves like many other stealers.
Source: https://www.intezer.com/blog/research/ytstealer-malware-youtube-cookies/
2022-07-04
GlowSand_Campaign
LOW
+
Intel Source:
Inquest
Intel Name:
GlowSand_Campaign
Date of Scan:
2022-07-04
Impact:
LOW
Summary:
Researchers at InQuest have analysed a multistage malicious document masquerading as a Ukrainian military payroll document. The document was obfuscated and geofenced to only infect systems in Ukraine.
Source: https://inquest.net/blog/2022/06/27/glowsand
2022-07-01
PennyWise_Infostealer_leveraging_YouTube_to_infect_users
LOW
+
Intel Source:
Cyble
Intel Name:
PennyWise_Infostealer_leveraging_YouTube_to_infect_users
Date of Scan:
2022-07-01
Impact:
LOW
Summary:
During routine threat hunting, Cyble researchers discovered a new stealer named “PennyWise”. The stealer appears to have been developed recently. The investigation indicated that the stealer is an emerging threat, and the researchers witnessed multiple samples of this stealer active in the wild.
Source: https://blog.cyble.com/2022/06/30/infostealer/
2022-07-01
Countering_hack_for_hire_attacker_groups
LOW
+
Intel Source:
Google blog
Intel Name:
Countering_hack_for_hire_attacker_groups
Date of Scan:
2022-07-01
Impact:
LOW
Summary:
Google's Threat Analysis Group (TAG) disclosed on Thursday that it blocked as many as 36 malicious domains operated by hack-for-hire groups from India, Russia, and the U.A.E. Hack-for-hire groups have been seen targeting human rights and political activists, journalists, and other high-risk users around the world, putting their privacy, safety and security at risk.
Source: https://blog.google/threat-analysis-group/countering-hack-for-hire-groups/
2022-06-30
New_ZuoRAT_malware_targets_SOHO_router
LOW
+
Intel Source:
Lumen blog
Intel Name:
New_ZuoRAT_malware_targets_SOHO_router
Date of Scan:
2022-06-30
Impact:
LOW
Summary:
Black Lotus Labs, the threat intelligence arm of Lumen Technologies, has identified and is tracking a new and sophisticated multistage remote access trojan (RAT) that leverages infected SOHO routers to target predominantly North American and European networks of interest. This trojan grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold.
Source: https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/ https://github.com/blacklotuslabs/IOCs/blob/main/ZuoRAT_IoCs.txt
2022-06-30
Raccoon_Stealer_v2
LOW
+
Intel Source:
Sekoia
Intel Name:
Raccoon_Stealer_v2
Date of Scan:
2022-06-30
Impact:
LOW
Summary:
Researchers observed this week that cyber criminals are using a new and improved version of the prolific Raccoon Stealer malware, barely three months after its authors announced they were quitting.
Source: https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
2022-06-30
Emotet_still_abusing_Microsoft_Office_Macros
MEDIUM
+
Intel Source:
NetSkope
Intel Name:
Emotet_still_abusing_Microsoft_Office_Macros
Date of Scan:
2022-06-30
Impact:
MEDIUM
Summary:
Researchers at Netskope Threat Labs have analysed a campaign in which Emotet is still being executed using malicious Microsoft Office documents. Despite the protection Microsoft released in 2022 to prevent the execution of Excel 4.0 (XLM) macros, this attack is still feasible against users running outdated versions of Office.
Source: https://www.netskope.com/blog/emotet-still-abusing-microsoft-office-macros https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/Emotet/2022-06-24
2022-06-30
Black_Basta_Ransomware_gang_added_Qakbot_and_PrintNightmare_Exploit_to_their_Arsenal
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
Black_Basta_Ransomware_gang_added_Qakbot_and_PrintNightmare_Exploit_to_their_Arsenal
Date of Scan:
2022-06-30
Impact:
MEDIUM
Summary:
Researchers at Trend Micro identified that the Black Basta ransomware group used the banking trojan QakBot as a means of entry and lateral movement, and took advantage of the PrintNightmare vulnerability to perform privileged file operations.
Source: https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html
2022-06-29
Ukraine_targeted_by_Dark_Crystal_RAT_or_DCRat
LOW
+
Intel Source:
Fortinet
Intel Name:
Ukraine_targeted_by_Dark_Crystal_RAT_or_DCRat
Date of Scan:
2022-06-29
Impact:
LOW
Summary:
Researchers at FortiGuard Labs came across another file that was likely used in the attack campaign described by CERT-UA, judging by the date of its submission to VirusTotal and the submission location being Ukraine. The new file, however, is in Excel (xlsx) format and contains malicious macros, instead of the docx format exploiting CVE-2022-30190 (Follina).
Source: https://www.fortinet.com/blog/threat-research/ukraine-targeted-by-dark-crystal-rat
2022-06-29
AstraLocker_2.0_Ransomware_distributed_from_Microsoft_Word_files
MEDIUM
+
Intel Source:
ReversingLabs
Intel Name:
AstraLocker_2.0_Ransomware_distributed_from_Microsoft_Word_files
Date of Scan:
2022-06-29
Impact:
MEDIUM
Summary:
Researchers at ReversingLabs have discovered a new version of the AstraLocker ransomware (AstraLocker 2.0) that is being distributed directly from Microsoft Office files used as bait in phishing attacks.
Source: https://blog.reversinglabs.com/blog/smash-and-grab-astralocker-2-pushes-ransomware-direct-from-office-docs
2022-06-28
ShadowPad_backdoor_and_MS_Exchange_bug_leveraged_to_attack_ICS
LOW
+
Intel Source:
Kaspersky ICS CERT
Intel Name:
ShadowPad_backdoor_and_MS_Exchange_bug_leveraged_to_attack_ICS
Date of Scan:
2022-06-28
Impact:
LOW
Summary:
Researchers at Kaspersky ICS CERT have spotted a threat actor targeting organizations in the industrial, telecommunications, logistics and transport sectors in Pakistan, Afghanistan and Malaysia, exploiting a Microsoft Exchange server vulnerability (CVE-2021-26855) and downloading the ShadowPad backdoor.
Source: https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/
2022-06-28
Evilnum_APT_returns_with_new_Threat_and_TTPs
MEDIUM
+
Intel Source:
Zscaler
Intel Name:
Evilnum_APT_returns_with_new_Threat_and_TTPs
Date of Scan:
2022-06-28
Impact:
MEDIUM
Summary:
Researchers from Zscaler have been tracking the Evilnum APT group since the start of 2022 and this time observed a new target list and TTPs. The main distribution vector used by this threat group was Windows shortcut files (LNK) sent inside malicious archive files (ZIP) as attachments in spear phishing emails to the victims.
Source: https://www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets
2022-06-28
Software_Cracks_Distributing_Recordbreaker_Stealer
LOW
+
Intel Source:
ASEC
Intel Name:
Software_Cracks_Distributing_Recordbreaker_Stealer
Date of Scan:
2022-06-28
Impact:
LOW
Summary:
ASEC Research Team has analysed
Source: https://asec.ahnlab.com/en/35981/
2022-06-27
Socgholish_initiated_through_Cobalt_Strike_payloads
LOW
+
Intel Source:
Esentire
Intel Name:
Socgholish_initiated_through_Cobalt_Strike_payloads
Date of Scan:
2022-06-27
Impact:
LOW
Summary:
eSentire observed that drive-by threats such as SocGholish, Gootkit Loader and Solarmarker are on the rise. Both SocGholish and Gootkit Loader have been linked to follow-on attacks initiated through Cobalt Strike payloads.
Source: https://www.esentire.com/blog/socgholish-to-cobalt-strike-in-10-minutes
2022-06-27
Python_malicious_script_executing_a_keylogger
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Python_malicious_script_executing_a_keylogger
Date of Scan:
2022-06-27
Impact:
LOW
Summary:
A researcher from ISC.SANS discovered a Python script with some interesting features that can be used to conduct social engineering attacks.
Source: https://isc.sans.edu/forums/diary/Python+abusing+The+Windows+GUI/28780/
2022-06-27
DarkCrystal_RAT_malware_attacking_Ukraining_telecom_operators
LOW
+
Intel Source:
CERT-UA
Intel Name:
DarkCrystal_RAT_malware_attacking_Ukraining_telecom_operators
Date of Scan:
2022-06-27
Impact:
LOW
Summary:
CERT-UA received information about a DarkCrystal RAT attack aimed at operators and telecommunications providers in Ukraine. It was distributed by e-mails with the subject "Free primary legal aid" and the attachment "Algorithm of actions of members of the family of a missing serviceman LegalAid.rar".
Source: https://cert.gov.ua/article/405538
2022-06-25
BlackBastaRansomware
MEDIUM
+
Intel Source:
Cybereason
Intel Name:
BlackBastaRansomware
Date of Scan:
2022-06-25
Impact:
MEDIUM
Summary:
Researchers from Cybereason analyzed a BlackBasta ransomware attack and provided key details about its growth since inception.
Source: https://www.cybereason.com/blog/cybereason-vs.-black-basta-ransomware
2022-06-24
Conti_ArmAttack_Campaign
MEDIUM
+
Intel Source:
Group-IB
Intel Name:
Conti_ArmAttack_Campaign
Date of Scan:
2022-06-24
Impact:
MEDIUM
Summary:
Group-IB researchers documented a new Conti ransomware campaign dubbed ARMattack. In this campaign the group compromised more than 40 companies, and it took them 3 days to do so.
Source: https://www.group-ib.com/media/conti-armada-report/
2022-06-24
BRONZ_STARLIGHT_Ransomware_Operations_levearge_HUI_Loader
MEDIUM
+
Intel Source:
SecureWorks
Intel Name:
BRONZ_STARLIGHT_Ransomware_Operations_levearge_HUI_Loader
Date of Scan:
2022-06-24
Impact:
MEDIUM
Summary:
Researchers at Secureworks CTU have observed a China-linked state-sponsored hacking group named Bronze Starlight deploying various ransomware families to hide the true intent of its attacks.
Source: https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader
2022-06-24
CALISTO_Russian_Threat_Actor_continues_its_credential_harvesting_campaign
MEDIUM
+
Intel Source:
Sekoia
Intel Name:
CALISTO_Russian_Threat_Actor_continues_its_credential_harvesting_campaign
Date of Scan:
2022-06-24
Impact:
MEDIUM
Summary:
The Sekoia Threat & Detection Research Team followed up on Google TAG's findings on the Russian threat actor CALISTO and identified a phishing campaign in which CALISTO uses Evilginx on its VPS to capture victims’ credentials. This well-known open source tool creates an SSL reverse proxy between the victim and a legitimate website to capture web credentials and 2FA tokens.
Source: https://blog.sekoia.io/calisto-continues-its-credential-harvesting-campaign/
2022-06-24
New_malware_associated_with_Iranian_SiameseKitten_Group_or_Lyceum
MEDIUM
+
Intel Source:
ClearSky
Intel Name:
New_malware_associated_with_Iranian_SiameseKitten_Group_or_Lyceum
Date of Scan:
2022-06-24
Impact:
MEDIUM
Summary:
Researchers at ClearSky Security have discovered new malware linked to the Lyceum group. The malware is downloaded from a domain registered on June 6th, and it communicates with a previously unknown command and control server whose IP address is adjacent to that of the domain.
Source: https://www.clearskysec.com/wp-content/uploads/2022/06/Lyceum-suicide-drone-23.6.pdf
2022-06-24
LockBit_Ransomware_being_distributed_using_Copyright_related_Emails
MEDIUM
+
Intel Source:
ASEC
Intel Name:
LockBit_Ransomware_being_distributed_using_Copyright_related_Emails
Date of Scan:
2022-06-24
Impact:
MEDIUM
Summary:
The ASEC research team has discovered the distribution of LockBit ransomware via phishing e-mails disguised as copyright claims. The phishing e-mail carries a compressed file as an attachment, which contains another compressed file inside.
Source: https://asec.ahnlab.com/en/35822/
2022-06-24
Log4Shell_exploits_still_being_used_to_hack_VMware_servers
MEDIUM
+
Intel Source:
CISA
Intel Name:
Log4Shell_exploits_still_being_used_to_hack_VMware_servers
Date of Scan:
2022-06-24
Impact:
MEDIUM
Summary:
CISA warned today that threat actors, including state-backed hacking groups, are still targeting VMware Horizon and Unified Access Gateway (UAG) servers using the Log4Shell (CVE-2021-44228) remote code execution vulnerability.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-174a https://www.bleepingcomputer.com/news/security/cisa-log4shell-exploits-still-being-used-to-hack-vmware-servers/
2022-06-23
Chinese_Threat_actors_targets_Russian_Government_Agencies
LOW
+
Intel Source:
CERT-UA
Intel Name:
Chinese_Threat_actors_targets_Russian_Government_Agencies
Date of Scan:
2022-06-23
Impact:
LOW
Summary:
CERT-UA researchers discovered malicious files which have been used to exploit vulnerabilities in MS Office. This attack has been linked to Chinese threat actors.
Source: https://cert.gov.ua/article/375404
2022-06-23
AA_distribution_Qakbot_with_DarkVNC_and_Cobalt Strike
MEDIUM
+
Intel Source:
Palo Alto
Intel Name:
AA_distribution_Qakbot_with_DarkVNC_and_Cobalt Strike
Date of Scan:
2022-06-23
Impact:
MEDIUM
Summary:
Securonix Threat Intelligence unit has identified a new wave of QBOT infections further delivering DarkVNC and Cobalt Strike.
Source: https://twitter.com/Unit42_Intel/status/1539700018558427140 https://github.com/pan-unit42/tweets/blob/master/2022-06-21-IOCs-for-AA-distribution-Qakbot-with-DarkVNC-and-Cobalt-Strike.txt
2022-06-23
Keona_Clipper_Leverages_Telegram_For_Anonymity
LOW
+
Intel Source:
Cyble
Intel Name:
Keona_Clipper_Leverages_Telegram_For_Anonymity
Date of Scan:
2022-06-23
Impact:
LOW
Summary:
Cyble researchers found a post advertising a new clipper malware, namely “Keona Clipper.” Keona Clipper is wrapped in a Telegram bot to give its operator stealth and anonymity. Additionally, the malware disguises itself as a system file and sends victim details to a Telegram bot.
Source: https://blog.cyble.com/2022/06/22/keona-clipper-leverages-telegram-for-anonymity/
2022-06-22
RIG_Exploit_campaign_rapidly_modified_Raccoon_malware_with_Dridex
LOW
+
Intel Source:
BitDefender
Intel Name:
RIG_Exploit_campaign_rapidly_modified_Raccoon_malware_with_Dridex
Date of Scan:
2022-06-22
Impact:
LOW
Summary:
Bitdefender researchers discovered that a RIG Exploit Kit campaign has rapidly adapted by replacing Raccoon malware with Dridex to make the most of the ongoing campaign.
Source: https://www.bitdefender.com/blog/labs/rig-exploit-kit-swaps-dead-raccoon-with-dridex/ https://www.bitdefender.com/files/News/CaseStudies/study/417/Bitdefender-PR-Whitepaper-Raccoon-creat6205-en-EN.pdf
2022-06-22
Rise_of_LNK_Malware
MEDIUM
+
Intel Source:
McAfee
Intel Name:
Rise_of_LNK_Malware
Date of Scan:
2022-06-22
Impact:
MEDIUM
Summary:
Researchers at McAfee Labs have identified three campaigns in which attackers abuse Windows shortcut (LNK) files, making them extremely dangerous to ordinary users. LNK files are being used to deliver malware such as Emotet, Qakbot, and IcedID.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/
2022-06-22
Malicious_PowerShell_attack_in_Cryptocurrency_Browser_Extensions
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Malicious_PowerShell_attack_in_Cryptocurrency_Browser_Extensions
Date of Scan:
2022-06-22
Impact:
LOW
Summary:
Researchers from SANS found a malicious PowerShell script targeting cryptocurrency browser apps or extensions.
Source: https://isc.sans.edu/diary/rss/28772
2022-06-22
Tropic_Trooper_APT_new_TTPs
MEDIUM
+
Intel Source:
Checkpoint
Intel Name:
Tropic_Trooper_APT_new_TTPs
Date of Scan:
2022-06-22
Impact:
MEDIUM
Summary:
Check Point researchers shared findings on the infection chain of a group/activity cluster with ties to Tropic Trooper, which includes a previously undescribed loader (dubbed “Nimbda”) written in the Nim language.
Source: https://research.checkpoint.com/2022/chinese-actor-takes-aim-armed-with-nim-language-and-bizarro-aes/
2022-06-22
China_Linked_ToddyCat_APT_Pioneers_Novel_Spyware
MEDIUM
+
Intel Source:
Kaspersky
Intel Name:
China_Linked_ToddyCat_APT_Pioneers_Novel_Spyware
Date of Scan:
2022-06-22
Impact:
MEDIUM
Summary:
Researchers from Kaspersky found that an APT group dubbed ToddyCat has been targeting Microsoft Exchange servers throughout Asia and Europe for more than a year. They also found a previously unknown passive backdoor they named Samurai and a new trojan dubbed Ninja Trojan.
Source: https://securelist.com/toddycat/106799/
2022-06-22
MuddyWater’s_new_campagin_targetting_Middle_East
MEDIUM
+
Intel Source:
Lab52
Intel Name:
MuddyWater’s_new_campagin_targetting_Middle_East
Date of Scan:
2022-06-22
Impact:
MEDIUM
Summary:
The MuddyWater threat group, allegedly sponsored by the Iranian government and linked to the Iranian Revolutionary Guard, has maintained a “long-term” infection campaign targeting Middle East countries. Researchers from Lab52 found recent samples and discovered that the attackers might modify the malware's functionality at a later stage, based on information obtained from the infected host, or at least use it to download and drop the next infection stage.
Source: https://lab52.io/blog/muddywaters-light-first-stager-targetting-middle-east/
2022-06-22
Quantum Software Possibly Linked to Lazarus APT group
LOW
+
Intel Source:
Cyble
Intel Name:
Quantum Software Possibly Linked to Lazarus APT group
Date of Scan:
2022-06-22
Impact:
LOW
Summary:
Researchers from Cyble came across a post by a threat actor on a deep web forum advertising Quantum Software, an LNK file based builder, which has possible links to the Lazarus APT group.
Source: https://blog.cyble.com/2022/06/22/quantum-software-lnk-file-based-builders-growing-in-popularity/
2022-06-21
Avos_Ransomware_adds_new_Arsenal
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
Avos_Ransomware_adds_new_Arsenal
Date of Scan:
2022-06-21
Impact:
MEDIUM
Summary:
Researchers from Cisco Talos found a month-long AvosLocker ransomware campaign in which the threat actors leveraged Cobalt Strike, Sliver and multiple commercial network scanners.
Source: https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html
2022-06-21
Cybercriminals_levearging_Azure_Front_Door_service_in_Phishing_attacks
LOW
+
Intel Source:
Resecurity
Intel Name:
Cybercriminals_levearging_Azure_Front_Door_service_in_Phishing_attacks
Date of Scan:
2022-06-21
Impact:
LOW
Summary:
Researchers at Resecurity have identified a phishing campaign delivered via Microsoft's Azure Front Door (AFD) service. This attack allows the bad actors to trick users and spread phishing content to intercept credentials for business applications and e-mail accounts.
Source: https://resecurity.com/blog/article/cybercriminals-use-azure-front-door-in-phishing-attacks
2022-06-21
APT28_levarging_CredoMap_Malware_to-target_Ukraine
LOW
+
Intel Source:
CERT-UA
Intel Name:
APT28_levarging_CredoMap_Malware_to-target_Ukraine
Date of Scan:
2022-06-21
Impact:
LOW
Summary:
CERT-UA has analysed a phishing email containing a malicious document themed around nuclear terrorism. Opening it leads to downloading an HTML file and executing JavaScript code (CVE-2022-30190), which further downloads and launches the CredoMap malware.
Source: https://cert.gov.ua/article/341128
2022-06-21
UAC_0098_targeting_Ukraine_Critical_Infrastructure_facilities
LOW
+
Intel Source:
CERT-UA
Intel Name:
UAC_0098_targeting_Ukraine_Critical_Infrastructure_facilities
Date of Scan:
2022-06-21
Impact:
LOW
Summary:
CERT-UA has analysed a phishing email containing malicious attached documents which open an HTML file and execute JavaScript code (CVE-2022-30190), which further downloads and runs the Cobalt Strike Beacon malware.
Source: https://cert.gov.ua/article/339662
2022-06-20
Voicemail_themed_Phishing_attacks_targeting_industries_in_US
MEDIUM
+
Intel Source:
Zscaler
Intel Name:
Voicemail_themed_Phishing_attacks_targeting_industries_in_US
Date of Scan:
2022-06-20
Impact:
MEDIUM
Summary:
Researchers from Zscaler ThreatLabz have identified and are monitoring the activities of a threat actor which targets users in various US-based organizations with malicious voicemail-notification-themed emails in an attempt to steal their Office 365 and Outlook credentials.
Source: https://www.zscaler.com/blogs/security-research/resurgence-voicemail-themed-phishing-attacks-targeting-key-industry
2022-06-20
Client_side_Magecart_attacks_still_around_but_more_covert
MEDIUM
+
Intel Source:
Malwarebytes
Intel Name:
Client_side_Magecart_attacks_still_around_but_more_covert
Date of Scan:
2022-06-20
Impact:
MEDIUM
Summary:
Malwarebytes researchers report that Magecart client-side attacks are still around, although some changes have taken place in the threat landscape, including newly reported domains linked to an ‘anti-VM’ skimmer. One thing is known: if the Magecart threat actors decided to switch their operations exclusively server-side, the majority of companies would lose visibility overnight.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/06/client-side-magecart-attacks-still-around-but-more-covert/
2022-06-20
BlackGuard_Infostealer
LOW
+
Intel Source:
CyberInt
Intel Name:
BlackGuard_Infostealer
Date of Scan:
2022-06-20
Impact:
LOW
Summary:
Researchers at CyberInt discovered campaigns abusing gaming forums and Discord channels to distribute BlackGuard, along with a new data exfiltration technique using Telegram.
Source: https://cyberint.com/blog/research/blackguard-stealer/
2022-06-17
Malspam_pushes_Matanbuchus_malware
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Malspam_pushes_Matanbuchus_malware
Date of Scan:
2022-06-17
Impact:
LOW
Summary:
Researchers from SANS found a malicious campaign pushing Matanbuchus malware which leads to Cobalt Strike.
Source: https://isc.sans.edu/diary/rss/28752
2022-06-17
New_Version_of_Raccon_Stealer
LOW
+
Intel Source:
S2W INC
Intel Name:
New_Version_of_Raccon_Stealer
Date of Scan:
2022-06-17
Impact:
LOW
Summary:
Researchers from S2W Inc shared details about the new version of Raccoon Stealer and its operator, who made an announcement on the dark web forum “Exploit” stating that, after three and a half months of being temporarily suspended, V2 of the stealer is operational.
Source: https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d
2022-06-17
Cerber2021_Ransomware_Back_In_Action
MEDIUM
+
Intel Source:
Cyble
Intel Name:
Cerber2021_Ransomware_Back_In_Action
Date of Scan:
2022-06-17
Impact:
MEDIUM
Summary:
Cyble Research Labs has analysed a sample of Cerber2021 ransomware, which suggests that threat actors exploit recently patched/unpatched Atlassian vulnerabilities to deliver the ransomware.
Source: https://blog.cyble.com/2022/06/17/cerber2021-ransomware-back-in-action/ https://otx.alienvault.com/indicator/domain/pigetrzlperjreyr3fbytm27bljaq4eungv3gdq2tohnoyfrqu4bx5qd.onion
2022-06-17
Malicious_HWP_Files_distributed_through_PC_messengers
LOW
+
Intel Source:
ASEC
Intel Name:
Malicious_HWP_Files_distributed_through_PC_messengers
Date of Scan:
2022-06-17
Impact:
LOW
Summary:
The ASEC Research team has discovered the active distribution of APT files that exploit a feature of HWP files and have been targeting South Korean users for a long time.
Source: https://asec.ahnlab.com/en/35405/
2022-06-17
CopperStealer_Malware_infecting_via_websites_hosting_fake_software
MEDIUM
+
Intel Source:
Trendmicro
Intel Name:
CopperStealer_Malware_infecting_via_websites_hosting_fake_software
Date of Scan:
2022-06-17
Impact:
MEDIUM
Summary:
Trend Micro noticed a new version of CopperStealer. The infection vector starts with a website offering fake cracks, and the attack proceeds in two stages: a cryptor and a dropper.
Source: https://www.trendmicro.com/de_de/research/22/f/websites-hosting-fake-cracks-spread-updated-copperstealer.html https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/f/websites-hosting-fake-cracks-spread-updated-copperstealer-malware/IOCs-websites-hosting-fake-cracks-spread-updated-copperstealer.txt
2022-06-17
New_IceLoader_malware_3_0
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
New_IceLoader_malware_3_0
Date of Scan:
2022-06-17
Impact:
MEDIUM
Summary:
While hunting for new malware families written in the Nim programming language, FortiGuard Labs discovered a loader malware with the strings “ICE_X” and “v3.0”. A loader is a type of malware that is intended for downloading and executing additional payloads provided by a threat actor to further their malicious objectives.
Source: https://www.fortinet.com/blog/threat-research/new-icexloader-3-0-developers-warm-up-to-nim
2022-06-16
QBot_returns_with_new_TTPs
LOW
+
Intel Source:
SocInvestigations
Intel Name:
QBot_returns_with_new_TTPs
Date of Scan:
2022-06-16
Impact:
LOW
Summary:
Socinvestigation detection and response analysts detected the banking trojan QBot coming back with new TTPs: distribution via XLSB and via XLTM files.
Source: https://www.socinvestigation.com/qbot-returns-returns-with-new-ttps-detection-response/
2022-06-16
New_Redline_InfoStealer_campaign
LOW
+
Intel Source:
Qualys
Intel Name:
New_Redline_InfoStealer_campaign
Date of Scan:
2022-06-16
Impact:
LOW
Summary:
Qualys researchers found a new Redline InfoStealer campaign which spreads via fake cracked software hosted on Discord’s content delivery network.
Source: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/15/new-qualys-research-report-inside-a-redline-infostealer-campaign https://www.qualys.com/docs/whitepapers/qualys-wp-fake-cracked-software-caught-peddling-redline-stealers-v220606.pdf
2022-06-16
Houdini_RAT_leveraging_JavaScript_Dropper
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Houdini_RAT_leveraging_JavaScript_Dropper
Date of Scan:
2022-06-16
Impact:
LOW
Summary:
The Houdini RAT is leveraging a phishing email with a ZIP archive that contains a JavaScript file called “New-Order.js”.
Source: https://isc.sans.edu/diary/rss/28746
2022-06-16
Confluence_exploits_leveraged_to_drop_ransomware_payloads
MEDIUM
+
Intel Source:
Sophos
Intel Name:
Confluence_exploits_leveraged_to_drop_ransomware_payloads
Date of Scan:
2022-06-16
Impact:
MEDIUM
Summary:
Researchers at Sophos Labs have identified attackers leveraging Confluence exploits against vulnerable Windows servers, dropping Cerber ransomware, pushing down Cobalt Strike shellcode, and running PowerShell commands.
Source: https://news.sophos.com/en-us/2022/06/16/confluence-exploits-used-to-drop-ransomware-on-vulnerable-servers/ https://github.com/sophoslabs/IoCs/blob/master/CVE-2022-26134_attacks.csv
2022-06-16
Monkeypox_phishing_outbreak
LOW
+
Intel Source:
Cofense
Intel Name:
Monkeypox_phishing_outbreak
Date of Scan:
2022-06-16
Impact:
LOW
Summary:
Cofense's Phishing Defence Center has seen attempts to deceive enterprise staff with a series of monkeypox themed phishing emails. As this rare infection spreads around the globe and gains media attention, attackers are likely to continue tweaking their tactics.
Source: https://cofense.com/blog/monkeypox-phishing-outbreak-becomes-latest-lure
2022-06-16
Zero_Day_Sophos_Firewall_Exploitation_and_an_Insidious_Breach_by_DriftingCloud_threat_actor
MEDIUM
+
Intel Source:
Volexity
Intel Name:
Zero_Day_Sophos_Firewall_Exploitation_and_an_Insidious_Breach_by_DriftingCloud_threat_actor
Date of Scan:
2022-06-16
Impact:
MEDIUM
Summary:
Volexity observed an attack involving a backdoored Sophos Firewall. This particular attack leveraged a zero-day exploit to compromise the customer's firewall. The attacker was also observed implementing an interesting webshell backdoor, creating a secondary form of persistence, and ultimately launching attacks against the customer's staff. These attacks aimed to further breach cloud-hosted web servers hosting the organization's public-facing websites.
Source: https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/ https://github.com/volexity/threat-intel/blob/main/2022/2022-06-15%20DriftingCloud%20-%20Zero-Day%20Sophos%20Firewall%20Exploitation%20and%20an%20Insidious%20Breach/indicators/indicators.csv
2022-06-15
Saitama_backdoor_using_DNS_tunneling
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Saitama_backdoor_using_DNS_tunneling
Date of Scan:
2022-06-15
Impact:
LOW
Summary:
Researchers identified that the Saitama backdoor was used in a phishing e-mail targeting a government official from Jordan’s foreign ministry, in an attack attributed to the Iranian group APT34.
Source: https://isc.sans.edu/forums/diary/Translating+Saitamas+DNS+tunneling+messages/28738/ https://morphuslabs.com/translating-saitamas-dns-tunneling-messages-877e3a3ed1d6
2022-06-15
Old Telerik vulnerability exploitation delivering cryptominer and CobaltStrike infections
LOW
+
Intel Source:
Sophos
Intel Name:
Old Telerik vulnerability exploitation delivering cryptominer and CobaltStrike infections
Date of Scan:
2022-06-15
Impact:
LOW
Summary:
Researchers from Sophos discovered an unknown threat actor exploiting a three-year-old vulnerability (CVE-2019-18935) in the Telerik UI web application framework to take control of web servers, writing Cobalt Strike beacons in the form of a DLL payload to disk, then using the beacon to execute encoded PowerShell commands which downloaded more malware.
Source: https://news.sophos.com/en-us/2022/06/15/telerik-ui-exploitation-leads-to-cryptominer-cobalt-strike-infections/
2022-06-15
Potential_attack_vector_using_Follina_Vulnerability
MEDIUM
+
Intel Source:
Qualys
Intel Name:
Potential_attack_vector_using_Follina_Vulnerability
Date of Scan:
2022-06-15
Impact:
MEDIUM
Summary:
Qualys researchers have examined a potential attack vector as well as the technical details of the Follina vulnerability.
Source: https://blog.qualys.com/product-tech/2022/06/14/detect-the-follina-msdt-vulnerability-cve-2022-30190-with-qualys-multi-vector-edr-context-xdr
2022-06-15
Panchan_Botnet_targeting_Linux_servers
MEDIUM
+
Intel Source:
Akamai
Intel Name:
Panchan_Botnet_targeting_Linux_servers
Date of Scan:
2022-06-15
Impact:
MEDIUM
Summary:
Researchers at Akamai have discovered Panchan, a new peer-to-peer botnet and SSH worm that has been actively breaching Linux servers. Panchan is written in Golang and utilizes its built-in concurrency features to maximize spreadability and execute malware modules.
Source: https://www.akamai.com/blog/security/new-p2p-botnet-panchan
2022-06-15
Hydra_Android_Distributed_Via_Play_Store
LOW
+
Intel Source:
Cyble
Intel Name:
Hydra_Android_Distributed_Via_Play_Store
Date of Scan:
2022-06-15
Impact:
LOW
Summary:
During a routine threat hunting exercise, Cyble Research Labs came across a Twitter post in which a researcher mentioned an Android malware variant published on the Play Store. The variant in question acts as a Hostile Downloader and downloads the Hydra Banking Trojan.
Source: https://blog.cyble.com/2022/06/13/hydra-android-malware-distributed-via-play-store/ https://twitter.com/AndroidInSecure/status/1534175436187500548
2022-06-14
The_IP2Scam_tech_support_campaign_scammers
LOW
+
Intel Source:
Malwarebytes
Intel Name:
The_IP2Scam_tech_support_campaign_scammers
Date of Scan:
2022-06-14
Impact:
LOW
Summary:
Malwarebytes breaks down what it calls the IP2Scam tech support scheme by going back in time to track previously used infrastructure.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/06/taking-down-the-ip2scam-tech-support-campaign/ https://github.com/MBThreatIntel/TSS/blob/master/digital_ocean_IP2Scam.csv
2022-06-14
ChromeLoader_adware_halted_from_broadcasting_by_Jamf_Protect
MEDIUM
+
Intel Source:
Jamf
Intel Name:
ChromeLoader_adware_halted_from_broadcasting_by_Jamf_Protect
Date of Scan:
2022-06-14
Impact:
MEDIUM
Summary:
CrowdStrike researchers tracked an adware campaign that injects ads into Chrome and Safari browsers on macOS. Victims are tricked into opening a DMG file and running a shell script which masquerades as a legitimate installer application.
Source: https://www.jamf.com/blog/chromeloader-adware/
2022-06-14
PureCrypter_dropping_RATs_and_InfoStealer
LOW
+
Intel Source:
Zscaler
Intel Name:
PureCrypter_dropping_RATs_and_InfoStealer
Date of Scan:
2022-06-14
Impact:
LOW
Summary:
Zscaler researchers documented the workings of a fully-featured malware loader dubbed PureCrypter that is being purchased by cyber criminals to deliver remote access trojans (RATs) and information stealers.
Source: https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter
2022-06-14
Purple_Fox_malware_analysis
LOW
+
Intel Source:
Esentire
Intel Name:
Purple_Fox_malware_analysis
Date of Scan:
2022-06-14
Impact:
LOW
Summary:
eSentire’s Threat Response Unit (TRU) team recently observed multiple Purple Fox infections. The malware targets vulnerable versions of Internet Explorer (IE). The infection starts with the execution of a malicious script via mshta.exe, a utility that runs Microsoft HTML Applications (HTA) files.
Source: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-purple-fox
2022-06-14
How_SeaFlower_installs_backdoors_in_iOS_Android_web3_wallets
MEDIUM
+
Intel Source:
Confiant
Intel Name:
How_SeaFlower_installs_backdoors_in_iOS_Android_web3_wallets
Date of Scan:
2022-06-14
Impact:
MEDIUM
Summary:
Confiant believes SeaFlower is the most technically sophisticated threat targeting web3 users, right after the infamous Lazarus Group.
Source: https://blog.confiant.com/how-seaflower-%E8%97%8F%E6%B5%B7%E8%8A%B1-installs-backdoors-in-ios-android-web3-wallets-to-steal-your-seed-phrase-d25f0ccdffce
2022-06-14
New_Linux_Rootkit_Syslogk
LOW
+
Intel Source:
Avast
Intel Name:
New_Linux_Rootkit_Syslogk
Date of Scan:
2022-06-14
Impact:
LOW
Summary:
Researchers from Avast spotted a new Linux rootkit, dubbed ‘Syslogk,’ that uses specially crafted “magic packets” to activate a dormant backdoor on the device.
Source: https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/
2022-06-14
Iranian_phishing_campaign_linked_to_Phosphorous_APT_group
LOW
+
Intel Source:
Checkpoint
Intel Name:
Iranian_phishing_campaign_linked_to_Phosphorous_APT_group
Date of Scan:
2022-06-14
Impact:
LOW
Source: https://research.checkpoint.com/2022/check-point-research-exposes-an-iranian-phishing-campaign-targeting-former-israeli-foreign-minister-former-us-ambassador-idf-general-and-defense-industry-executives/
2022-06-13
Chinese_APT_GALLIUM_levarges_PingPull_RAT_in_Cyberespionage_Campaigns
MEDIUM
+
Intel Source:
Palo Alto
Intel Name:
Chinese_APT_GALLIUM_levarges_PingPull_RAT_in_Cyberespionage_Campaigns
Date of Scan:
2022-06-13
Impact:
MEDIUM
Summary:
Unit 42 recently identified a new, difficult-to-detect remote access trojan named PingPull being used by GALLIUM, an advanced persistent threat (APT) group.
Source: https://unit42.paloaltonetworks.com/pingpull-gallium/
2022-06-13
HelloXD_ransomware_and_links_with_x4k_threat_actor
LOW
+
Intel Source:
Palo Alto
Intel Name:
HelloXD_ransomware_and_links_with_x4k_threat_actor
Date of Scan:
2022-06-13
Impact:
LOW
Summary:
Researchers from Palo Alto noticed increased activity of Hello XD ransomware, whose operators are now deploying an upgraded sample featuring stronger encryption.
Source: https://unit42.paloaltonetworks.com/helloxd-ransomware/
2022-06-13
UAC_0113_Sandworm_Group_targeting_media_organisations_in_Ukraine
LOW
+
Intel Source:
CERT-UA
Intel Name:
UAC_0113_Sandworm_Group_targeting_media_organisations_in_Ukraine
Date of Scan:
2022-06-13
Impact:
LOW
Summary:
CERT-UA has analysed a phishing email targeting Ukrainian media organizations with the subject "LIST of links to interactive maps" and an attached document of the same name. The malicious document delivers the CrescentImp malware. CERT-UA has attributed this activity with medium confidence to UAC-0113, which is associated with the Sandworm Group.
Source: https://cert.gov.ua/article/160530
2022-06-13
Crypto_Miners_Leveraging_Atlassian_Zero_Day_Vulnerability
MEDIUM
+
Intel Source:
Checkpoint
Intel Name:
Crypto_Miners_Leveraging_Atlassian_Zero_Day_Vulnerability
Date of Scan:
2022-06-13
Impact:
MEDIUM
Summary:
Checkpoint researchers have found that an unauthenticated attacker can use this Atlassian zero-day vulnerability to execute arbitrary code on the target server by placing a malicious payload in the URI.
Source: https://blog.checkpoint.com/2022/06/09/crypto-miners-leveraging-atlassian-zero-day-vulnerability/
2022-06-10
Symbiote_malware_detected_in_Linux
LOW
+
Intel Source:
BlackBerry
Intel Name:
Symbiote_malware_detected_in_Linux
Date of Scan:
2022-06-10
Impact:
LOW
Summary:
Researchers have identified the Symbiote Linux malware, whose impact is to harvest credentials and provide remote access for the threat actor.
Source: https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat
2022-06-10
Credit_card_skimmer_evades_Virtual_Machines
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Credit_card_skimmer_evades_Virtual_Machines
Date of Scan:
2022-06-10
Impact:
LOW
Summary:
In this blog post, Malwarebytes Labs shows how a Magecart threat actor distributing a digital skimmer is avoiding researchers and possibly sandboxes by ensuring users are running genuine computers and not virtual ones.
Source: https://blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimmer-evades-virtual-machines/
2022-06-10
Lyceum_NET_DNS_Backdoor
MEDIUM
+
Intel Source:
ZScaler
Intel Name:
Lyceum_NET_DNS_Backdoor
Date of Scan:
2022-06-10
Impact:
MEDIUM
Summary:
The Iranian Lyceum APT hacking group uses a new .NET-based DNS backdoor to conduct attacks on companies in the energy and telecommunication sectors.
Source: https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor
2022-06-09
Malvertising_campaign_leads_to_fake_Firefox_update
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Malvertising_campaign_leads_to_fake_Firefox_update
Date of Scan:
2022-06-09
Impact:
LOW
Summary:
Researchers from Malwarebytes came across a malvertising campaign leading to a fake Firefox update.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/06/makemoney-malvertising-campaign-adds-fake-update-template/
2022-06-09
State_Backed_Hackers_Exploit_Microsoft _Follina'_Bug_to_Target_Entities_in_Europe_and_U.S
MEDIUM
+
Intel Source:
The Hacker News
Intel Name:
State_Backed_Hackers_Exploit_Microsoft _Follina'_Bug_to_Target_Entities_in_Europe_and_U.S
Date of Scan:
2022-06-09
Impact:
MEDIUM
Summary:
A suspected state-aligned threat actor has been attributed to a new set of attacks exploiting the Microsoft Office "Follina" vulnerability to target government entities in Europe and the U.S.
Source: https://thehackernews.com/2022/06/state-backed-hackers-exploit-microsoft.html
2022-06-09
Kinsing_&_Dark_IoT_botnet_among_threats_targeting_CVE_2022_26134
MEDIUM
+
Intel Source:
Lacework blog
Intel Name:
Kinsing_&_Dark_IoT_botnet_among_threats_targeting_CVE_2022_26134
Date of Scan:
2022-06-09
Impact:
MEDIUM
Summary:
Details regarding the recent Confluence OGNL (CVE-2022-26134) exploit were released to the public on June 3rd 2022 with Lacework seeing multiple attacks in the wild from both uncategorized and named threats. As of yesterday Lacework have observed active exploitation by known Cloud threat malware families such as Kinsing, “Hezb”, and the Dark.IoT botnet and provides a current inventory of top threats seen exploiting this latest Confluence vulnerability.
Source: https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/
2022-06-09
TA570_exploiting_Follina_to_deliver_Qbot_Malware
MEDIUM
+
Intel Source:
ISC.SANS HelpNet Security
Intel Name:
TA570_exploiting_Follina_to_deliver_Qbot_Malware
Date of Scan:
2022-06-09
Impact:
MEDIUM
Summary:
Researchers at ISC.SANS and HelpNet Security have identified that malicious DLL files used for Qakbot infections contain a tag indicating their specific distribution channel. This wave of malicious spam ultimately provided two separate methods of Qakbot infection. The first method is one also used by other threat actors, where a disk image contains a Windows shortcut that runs a malicious hidden DLL. The second method is a Word docx file using a CVE-2022-30190 (Follina) exploit.
Source: https://isc.sans.edu/diary/rss/28728 https://www.helpnetsecurity.com/2022/06/08/qbot-follina-exploit/
2022-06-09
Aoqin_Dragon_Chinese_linked_APT_spying_for_10 years
MEDIUM
+
Intel Source:
SentinelOne
Intel Name:
Aoqin_Dragon_Chinese_linked_APT_spying_for_10 years
Date of Scan:
2022-06-09
Impact:
MEDIUM
Summary:
SentinelLabs has uncovered a cluster of activity primarily targeting organizations in Southeast Asia and Australia. The threat actor’s primary focus is espionage, with targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. This activity is tracked as ‘Aoqin Dragon’. Attacks attributable to Aoqin Dragon typically drop one of two backdoors, Mongall and a modified version of the open source Heyoka project.
Source: https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/
2022-06-08
Fake_cracked_software_spreading_Crypto_Stealing_malware
LOW
+
Intel Source:
Avast
Intel Name:
Fake_cracked_software_spreading_Crypto_Stealing_malware
Date of Scan:
2022-06-08
Impact:
LOW
Summary:
Users who download cracked software risk sensitive personal data being stolen by hackers.
Source: https://blog.avast.com/fakecrack-campaign
2022-06-08
Operation_Tejas
LOW
+
Intel Source:
Qi Anxin Threat Intelligence Center
Intel Name:
Operation_Tejas
Date of Scan:
2022-06-08
Impact:
LOW
Summary:
Qi Anxin Threat Intelligence Center published the article "Operation Magichm: A Brief Talk on the Manlinghua Organization's CHM File Delivery and Follow-up Operations" in 2021. In addition to the new attack methods and samples used in the latest attack in April, the Center also provides an overview of the recent phishing activities of Maya Elephant (APT-Q-41) and the basics of Diamondback (APT-Q-39) this year.
Source: https://mp-weixin-qq-com.translate.goog/s/8j_rHA7gdMxY1_X8alj8Zg?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en
2022-06-08
Spam_Campaign_targeting_victims_with_SVCReady_Malware
MEDIUM
+
Intel Source:
HP Wolf Security
Intel Name:
Spam_Campaign_targeting_victims_with_SVCReady_Malware
Date of Scan:
2022-06-08
Impact:
MEDIUM
Summary:
Researchers at HP Wolf Security have identified new malicious spam campaigns spreading a previously unknown malware family called 'SVCReady'. The malware is notable for the unusual way it is delivered to target PCs, using shellcode hidden in the properties of Microsoft Office documents.
Source: https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
2022-06-08
Black_Basta_Ransomware_leverage_QBot_for_lateral_movement
MEDIUM
+
Intel Source:
NCC Group
Intel Name:
Black_Basta_Ransomware_leverage_QBot_for_lateral_movement
Date of Scan:
2022-06-08
Impact:
MEDIUM
Summary:
Researchers at NCC Group spotted a new partnership between the Black Basta ransomware group and the QBot malware operation.
Source: https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/
2022-06-08
Bumblebee_Loader_on_the_rise
MEDIUM
+
Intel Source:
Cyble blog
Intel Name:
Bumblebee_Loader_on_the_rise
Date of Scan:
2022-06-08
Impact:
MEDIUM
Summary:
In March 2022, a new malware named “Bumblebee” was discovered and reportedly distributed via spam campaigns. Researchers identified that Bumblebee is a replacement for the BazarLoader malware, which has delivered Conti ransomware in the past. Bumblebee acts as a downloader and delivers known attack frameworks and open-source tools such as Cobalt Strike, shellcode, Sliver and Meterpreter. It also downloads other types of malware such as ransomware and trojans. Cyble intelligence indicates that incidents of Bumblebee infection are on the rise.
Source: https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/
2022-06-08
Cuba_Ransomware_Group_new_variant
LOW
+
Intel Source:
Trend Micro
Intel Name:
Cuba_Ransomware_Group_new_variant
Date of Scan:
2022-06-08
Impact:
LOW
Summary:
Researchers at Trend Micro identified a new Cuba ransomware variant; the malware authors seem to be pushing updates to the current binary.
Source: https://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html
2022-06-07
Popping_Eagle_Malware
MEDIUM
+
Intel Source:
Palo Alto
Intel Name:
Popping_Eagle_Malware
Date of Scan:
2022-06-07
Impact:
MEDIUM
Summary:
Researchers at Palo Alto have identified a previously unknown piece of malware dubbed Popping Eagle, whose activity includes performing a specially crafted DLL hijacking attack. Researchers also observed the attacker following up the DLL hijacking with several network scans and lateral movement steps.
Source: https://unit42.paloaltonetworks.com/popping-eagle-malware/
2022-06-07
Black_Basta_Ransomware_targeting_ESXi_servers
MEDIUM
+
Intel Source:
NCC Group
Intel Name:
Black_Basta_Ransomware_targeting_ESXi_servers
Date of Scan:
2022-06-07
Impact:
MEDIUM
Summary:
Black Basta is the latest ransomware gang to add support for encrypting VMware ESXi virtual machines (VMs) running on enterprise Linux servers.
Source: https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/
2022-06-07
WatchDog_Evolves_With_a_New_Multi-Stage_Cryptojacking_Attack
MEDIUM
+
Intel Source:
Cadosecurity
Intel Name:
WatchDog_Evolves_With_a_New_Multi-Stage_Cryptojacking_Attack
Date of Scan:
2022-06-07
Impact:
MEDIUM
Summary:
Cado Labs’ honeypot infrastructure was recently compromised by a complex, multi-stage cryptojacking attack.
Source: https://www.cadosecurity.com/tales-from-the-honeypot-watchdog-evolves-with-a-new-multi-stage-cryptojacking-attack/
2022-06-07
Exploitation_of_ManageEngine_SupportCenter_Plus
LOW
+
Intel Source:
DFIR Report
Intel Name:
Exploitation_of_ManageEngine_SupportCenter_Plus
Date of Scan:
2022-06-07
Impact:
LOW
Summary:
The DFIR Report observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor discovered files on the server and dumped credentials using a web shell, moved laterally to key servers using Plink and RDP, and exfiltrated sensitive information using the web shell and RDP.
Source: https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
2022-06-07
Mindware_Ransomware
MEDIUM
+
Intel Source:
SentinelOne
Intel Name:
Mindware_Ransomware
Date of Scan:
2022-06-07
Impact:
MEDIUM
Summary:
Researchers at SentinelOne have analysed Mindware ransomware and its similarities with SFile ransomware, and provided technical indicators.
Source: https://www.sentinelone.com/blog/from-the-front-lines-another-rebrand-mindware-and-sfile-ransomware-technical-breakdown/
2022-06-07
Spam_Email_Contains_BitRat_Malware
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Spam_Email_Contains_BitRat_Malware
Date of Scan:
2022-06-07
Impact:
LOW
Summary:
Researchers at ISC.SANS have analysed a zipped email attachment containing a very large ISO/EXE file; after the file was executed in a sandbox, it started communicating with a BitRAT C2 site.
Source: https://isc.sans.edu/diary/rss/28712
2022-06-06
YourCyanide_Ransomware_Propagates_With_PasteBin_Discord_Microsoft_Links
LOW
+
Intel Source:
Trend Micro
Intel Name:
YourCyanide_Ransomware_Propagates_With_PasteBin_Discord_Microsoft_Links
Date of Scan:
2022-06-06
Impact:
LOW
Summary:
The Trend Micro Threat Hunting team recently analyzed a series of CMD-based ransomware variants with a number of capabilities, such as stealing user information, bypassing remote desktop connections, and propagating through email and physical drives.
Source: https://www.trendmicro.com/en_us/research/22/f/yourcyanide-a-cmd-based-ransomware.html
2022-06-06
Travel_Themed_attacks_surges_by_multiple_RATs
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Travel_Themed_attacks_surges_by_multiple_RATs
Date of Scan:
2022-06-06
Impact:
MEDIUM
Summary:
Researchers from Fortinet have noted multiple RAT campaigns using travel-themed lures to target victims seeking travel. The RATs involved include AsyncRAT, NetWire RAT and Quasar RAT.
Source: https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers
2022-06-06
WinDealer_malware_shows_extremely_sophisticated_network_abilities
LOW
+
Intel Source:
SecureList
Intel Name:
WinDealer_malware_shows_extremely_sophisticated_network_abilities
Date of Scan:
2022-06-06
Impact:
LOW
Summary:
Researchers have discovered that the malware known as WinDealer, spread by Chinese-speaking Advanced Persistent Threat (APT) actor LuoYu, has the ability to perform intrusions through a man-on-the-side attack.
Source: https://securelist.com/windealer-dealing-on-the-side/105946/
2022-06-06
Clipminer_Botnet
LOW
+
Intel Source:
Symantec
Intel Name:
Clipminer_Botnet
Date of Scan:
2022-06-06
Impact:
LOW
Summary:
Threat analysts have discovered a large operation of a new cryptocurrency mining malware called Clipminer that brought its operators at least $1.7 million from transaction hijacking.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clipminer-bitcoin-mining-hijacking
2022-06-06
Jasmin_ransomware_tool_rebranded_as_GoodWill_ransomware
MEDIUM
+
Intel Source:
NetSkope
Intel Name:
Jasmin_ransomware_tool_rebranded_as_GoodWill_ransomware
Date of Scan:
2022-06-06
Impact:
MEDIUM
Summary:
Researchers at Netskope Threat Labs have analysed a few GoodWill ransomware samples and found that this threat is 100% based on an open-source ransomware named Jasmin, a red team tool that can be used to simulate real ransomware attacks.
Source: https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/Jasmin%20Ransomware/IOCs
2022-06-06
DeadBolt_Ransomware
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
DeadBolt_Ransomware
Date of Scan:
2022-06-06
Impact:
MEDIUM
Summary:
The DeadBolt ransomware kicked off 2022 with a slew of attacks that targeted internet-facing Network-Attached Storage (NAS) devices.
Source: https://www.trendmicro.com/en_us/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html
2022-06-05
Massive_NDSW_NDSX_Malware_Campaign
MEDIUM
+
Intel Source:
Sucuri
Intel Name:
Massive_NDSW_NDSX_Malware_Campaign
Date of Scan:
2022-06-05
Impact:
MEDIUM
Summary:
Researchers at Sucuri have been tracking a campaign since February 2019 which they call the ndsw/ndsx malware campaign. The malware consists of several layers: the first prominently features the ndsw variable within JavaScript injections, and the second leverages the ndsx variable in the payload.
Source: https://blog.sucuri.net/2022/06/analysis-massive-ndsw-ndsx-malware-campaign.html
2022-06-03
POLONIUM_targeting_Israeli_organizations
LOW
+
Intel Source:
Microsoft
Intel Name:
POLONIUM_targeting_Israeli_organizations
Date of Scan:
2022-06-03
Impact:
LOW
Summary:
POLONIUM has targeted, and may have compromised, more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon over the past three months.
Source: https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/
2022-06-03
Zero_Day_Exploitation_of_Atlassian_Confluence
HIGH
+
Intel Source:
Volexity
Intel Name:
Zero_Day_Exploitation_of_Atlassian_Confluence
Date of Scan:
2022-06-03
Impact:
HIGH
Summary:
Hackers are actively exploiting a new Atlassian Confluence zero-day vulnerability tracked as CVE-2022-26134 to install web shells, with no fix available at this time.
Source: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ https://github.com/volexity/threat-intel/blob/main/2022/2022-06-02%20Active%20Exploitation%20Of%20Confluence%200-day/indicators/indicators.csv https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
2022-06-03
UNC2165_Shifts_to_LOCKBIT_to_Evade_Sanctions
MEDIUM
+
Intel Source:
Mandiant
Intel Name:
UNC2165_Shifts_to_LOCKBIT_to_Evade_Sanctions
Date of Scan:
2022-06-03
Impact:
MEDIUM
Summary:
Mandiant has investigated multiple LOCKBIT ransomware intrusions attributed to UNC2165, a financially motivated threat cluster that shares numerous overlaps with the threat group publicly reported as "Evil Corp".
Source: https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
2022-06-03
Cobalt_Strike_Beacon_and_other_vulnerabilities_leveraged_to_target_Ukraine_government_bodies
LOW
+
Intel Source:
CERT-UA
Intel Name:
Cobalt_Strike_Beacon_and_other_vulnerabilities_leveraged_to_target_Ukraine_government_bodies
Date of Scan:
2022-06-03
Impact:
LOW
Summary:
CERT-UA has analysed a phishing email targeting Ukrainian government bodies. It carries a file named "changes in wages with accruals.docx" that contains a link to an external HTML object; when that object is fetched it exploits CVE-2021-40444 and CVE-2022-30190, and the chain ends with a Cobalt Strike Beacon being deployed on the system.
Source: https://cert.gov.ua/article/40559
2022-06-03
AsyncRAT_targeting_Colombian_Organisations
LOW
+
Intel Source:
Jstnk
Intel Name:
AsyncRAT_targeting_Colombian_Organisations
Date of Scan:
2022-06-03
Impact:
LOW
Summary:
Researcher Jose Luis Sánchez Martínez has analysed AsyncRAT campaigns targeting Colombia, noting several modifications in the actors' TTPs.
Source: https://jstnk9.github.io/jstnk9/research/AsyncRAT-Analysis/#summary
2022-06-02
Follina_zero-day_vulnerability_in_Microsoft_Office_getting_exploited
HIGH
+
Intel Source:
ISC.SANS Cisco Talos Recorded Future Fortinet
Intel Name:
Follina_zero-day_vulnerability_in_Microsoft_Office_getting_exploited
Date of Scan:
2022-06-02
Impact:
HIGH
Summary:
A recently discovered zero-day vulnerability, CVE-2022-30190, in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. Also known as "Follina", it is triggered when MSDT is invoked through its URL protocol handler from a calling application such as Microsoft Word, or via an RTF file. The vulnerability has been widely exploited in the wild, and some of the activity has been attributed to Chinese threat actors.
Source: https://isc.sans.edu/forums/diary/First+Exploitation+of+Follina+Seen+in+the+Wild/28698/ https://blog.talosintelligence.com/2022/06/msdt-follina-coverage.html https://github.com/rl0hani/Multiple-Chinese-State-sponsored-Activity-Groups-likely-exploiting-MSDT-Follina-0-Day https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day
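The CERT-UA entry above (2022-06-03) and this one describe the same document-side mechanism: a .docx whose relationship part points an OLE object at an external HTML resource, which then hands control to MSDT through the ms-msdt: URL handler. The following Python is an added triage example, not code from any of the cited reports. It assumes only the standard OOXML package layout; the external URL and the HTML snippet it checks are constructed stand-ins for attacker-controlled content.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# The ms-msdt: URL scheme is the MSDT protocol handler abused by CVE-2022-30190.
MSDT_URL_RE = re.compile(r"ms-msdt:[^\"'<>]*", re.IGNORECASE)


def scan_docx(data: bytes):
    """Flag relationship parts in an OOXML document that point an OLE object at an external target.

    Returns a list of (part name, relationship id, target) tuples. A benign document keeps
    its embedded objects inside the package (TargetMode omitted or "Internal").
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for name in archive.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(archive.read(name))
            for rel in root.iter(f"{{{PKG_RELS_NS}}}Relationship"):
                rel_type = rel.get("Type", "")
                external = rel.get("TargetMode", "Internal") == "External"
                if external and rel_type == OFFICE_REL_BASE + "oleObject":
                    findings.append((name, rel.get("Id"), rel.get("Target")))
    return findings


def find_msdt_urls(text: str):
    """Return every ms-msdt: URL in fetched HTML (or any text) that would hand control to MSDT."""
    return MSDT_URL_RE.findall(text)


def build_sample_docx(external_ole_target=None) -> bytes:
    """Build a minimal, constructed .docx in memory; optionally add an external OLE relationship."""
    rels = [
        f'<Relationship Id="rId1" Type="{OFFICE_REL_BASE}styles" Target="styles.xml"/>'
    ]
    if external_ole_target is not None:
        rels.append(
            f'<Relationship Id="rId9" Type="{OFFICE_REL_BASE}oleObject" '
            f'Target="{external_ole_target}" TargetMode="External"/>'
        )
    rels_xml = ('<?xml version="1.0" encoding="UTF-8"?>'
                f'<Relationships xmlns="{PKG_RELS_NS}">{"".join(rels)}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        archive.writestr("word/styles.xml", "<w:styles/>")
        archive.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed stand-ins: the external URL a maldoc would reference, and the kind of HTML
# such a URL would serve to invoke the MSDT handler (parameters are placeholders).
SAMPLE_TARGET = "http://maldoc-stage.example/payload.html"
SAMPLE_HTML = ('<html><script>window.location.href = '
               '"ms-msdt:/id PCWDiagnostic /skip force /param IT_RebrowseForFile=sample";'
               '</script></html>')

if __name__ == "__main__":
    print(scan_docx(build_sample_docx(SAMPLE_TARGET)))   # one external oleObject relationship
    print(scan_docx(build_sample_docx()))                # benign document: no findings
    print(find_msdt_urls(SAMPLE_HTML))
```

The external-target check does not depend on the URL scheme, so it also surfaces the external-object relationship used in CVE-2021-40444 style documents. It only covers the .docx path: an RTF that reaches MSDT through the Explorer preview pane carries no such relationship, and the ms-msdt: string lives in the fetched HTML rather than in the document, so never retrieve that target from a non-isolated analysis host. Microsoft's published workaround for CVE-2022-30190 was to unregister the ms-msdt: protocol handler, which removes the sink that `find_msdt_urls` is looking for.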
2022-06-02
Yashma_Ransomware_Report_CYFIRMA
MEDIUM
+
Intel Source:
Cyfirma
Intel Name:
Yashma_Ransomware_Report_CYFIRMA
Date of Scan:
2022-06-02
Impact:
MEDIUM
Summary:
Yashma is a new ransomware seen in the wild since May 2022. This ransomware is the rebranded version of an earlier ransomware named Chaos.
Source: https://www.cyfirma.com/outofband/yashma-ransomware-report/
2022-06-02
NSIS_Installer_Malware_Included_with_Various_Malicious_Files
LOW
+
Intel Source:
ASEC
Intel Name:
NSIS_Installer_Malware_Included_with_Various_Malicious_Files
Date of Scan:
2022-06-02
Impact:
LOW
Summary:
The ASEC analysis team recently discovered attackers distributing multiple malicious files with NSIS installers.
Source: https://asec.ahnlab.com/en/34955/
2022-06-02
BITB_attack_impersonating_Indian_government_website
LOW
+
Intel Source:
Zscaler
Intel Name:
BITB_attack_impersonating_Indian_government_website
Date of Scan:
2022-06-02
Impact:
LOW
Summary:
Zscaler ThreatLabz recently observed a new Browser-in-the-Browser (BITB) attack that impersonates an Indian government website to deliver a sextortion demand, threatening to release sensitive information about victims if they refuse to pay.
Source: https://www.zscaler.com/blogs/security-research/browser-browser-sextortion-scam-makes-victims-pay-imitating-indian-gov
2022-06-01
Karakurt_Data_Extortion_Group
MEDIUM
+
Intel Source:
CISA
Intel Name:
Karakurt_Data_Extortion_Group
Date of Scan:
2022-06-01
Impact:
MEDIUM
Summary:
Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom. Known ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim.
Source: https://www.cisa.gov/uscert/sites/default/files/publications/AA22-152A_Karakurt_Data_Extortion_Group.pdf
2022-05-31
WSO2_Vulnerability_exploited_to_install_Linux_compatible_CobaltStrike_Beacons
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
WSO2_Vulnerability_exploited_to_install_Linux_compatible_CobaltStrike_Beacons
Date of Scan:
2022-05-31
Impact:
MEDIUM
Summary:
Researchers at Trend Micro have observed attackers exploiting the WSO2 vulnerability CVE-2022-29464 and then initiating outbound connections to a malicious Cobalt Strike callback destination and command and control (C&C) server IP address.
Source: https://www.trendmicro.com/en_us/research/22/e/patch-your-wso2-cve-2022-29464-exploited-to-install-linux-compatible-cobalt-strike-beacons-other-malware.html
2022-05-31
APTC53_or_Gamaredon_new_DDoS_Attack_mission
MEDIUM
+
Intel Source:
360 Threat Intelligence Center
Intel Name:
APTC53_or_Gamaredon_new_DDoS_Attack_mission
Date of Scan:
2022-05-31
Impact:
MEDIUM
Summary:
360 Security Brain has detected more frequent network attacks related to the APT-C-53/Gamaredon group. The group has begun distributing the open-source DDoS trojan LOIC to carry out DDoS attacks.
Source: https://mp.weixin.qq.com/s/gJFSlpIlbaI11lcClNN_Xw
2022-05-31
EnemyBot_targeting_Content_Management_System_servers_and_Android_devices
MEDIUM
+
Intel Source:
AT&T Alien Labs
Intel Name:
EnemyBot_targeting_Content_Management_System_servers_and_Android_devices
Date of Scan:
2022-05-31
Impact:
MEDIUM
Summary:
Researchers at AT&T Alien Labs have identified that EnemyBot is expanding its capabilities, exploiting vulnerabilities disclosed in 2022, and now targets IoT devices, web servers, Android devices and content management system (CMS) servers.
Source: https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers
2022-05-31
XLoader_Botnet_new_C&C_Infrastructure
MEDIUM
+
Intel Source:
Checkpoint
Intel Name:
XLoader_Botnet_new_C&C_Infrastructure
Date of Scan:
2022-05-31
Impact:
MEDIUM
Summary:
Researchers at Check Point Research have identified the real C&C servers hidden among the thousands of legitimate domains used by the XLoader botnet.
Source: https://research.checkpoint.com/2022/xloader-botnet-find-me-if-you-can/
2022-05-31
CVE_2022_30190_Microsoft_Support_Diagnostic_Tool_(MSDT)_RCE_Vulnerability
MEDIUM
+
Intel Source:
Cyble
Intel Name:
CVE_2022_30190_Microsoft_Support_Diagnostic_Tool_(MSDT)_RCE_Vulnerability
Date of Scan:
2022-05-31
Impact:
MEDIUM
Summary:
Microsoft recently discussed a new zero-day vulnerability (CVE-2022-30190) in the Microsoft Support Diagnostic Tool (MSDT) that allows attackers to execute arbitrary code by exploiting it.
Source: https://blog.cyble.com/2022/05/31/new-zero-day-exploit-spotted-in-the-wild/
2022-05-30
XXL_Malware_distributed_through_Email
LOW
+
Intel Source:
ASEC
Intel Name:
XXL_Malware_distributed_through_Email
Date of Scan:
2022-05-30
Impact:
LOW
Summary:
XXL Malware distributed through Email
Source: https://asec.ahnlab.com/en/34756/
2022-05-30
Phishing_campaign_delivering_AveMariaRAT_BitRAT_PandoraHVNC_Part_II
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Phishing_campaign_delivering_AveMariaRAT_BitRAT_PandoraHVNC_Part_II
Date of Scan:
2022-05-30
Impact:
MEDIUM
Summary:
Researchers at Fortinet's FortiGuard Labs have shared part two of their analysis of a phishing campaign delivering three fileless malware families onto a victim's device. Once executed, the malware is able to steal sensitive information from that device. The campaign mainly affects Microsoft Windows users.
Source: https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware-part-two
2022-05-28
Magniber_ransomware_targeting_Windows11_users
MEDIUM
+
Intel Source:
360 Total Security
Intel Name:
Magniber_ransomware_targeting_Windows11_users
Date of Scan:
2022-05-28
Impact:
MEDIUM
Summary:
Researchers at 360 Total Security have detected a new attack on Windows 11 users in which Magniber ransomware, disguised as a Windows 10 upgrade package, is being spread widely.
Source: https://blog.360totalsecurity.com/en/win11-users-beware-magniber-ransomware-has-been-upgraded-again-aiming-at-win11/?web_view=true
2022-05-27
Grandoreiro_Banking_Malware
MEDIUM
+
Intel Source:
Trustwave
Intel Name:
Grandoreiro_Banking_Malware
Date of Scan:
2022-05-27
Impact:
MEDIUM
Summary:
Researchers from Trustwave SpiderLabs have identified a Grandoreiro malware campaign targeting bank users in Brazil, Spain and Mexico. The campaign exploits the tax season in the target countries by sending out tax-themed phishing emails.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/grandoreiro-banking-malware-resurfaces-for-tax-season/
2022-05-27
GoodWill_Ransomware
MEDIUM
+
Intel Source:
CloudSEK
Intel Name:
GoodWill_Ransomware
Date of Scan:
2022-05-27
Impact:
MEDIUM
Summary:
Researchers at CloudSEK have analysed the activity of the GoodWill ransomware group, which forces victims to donate to the poor and provide financial assistance to patients in need.
Source: https://cloudsek.com/threatintelligence/goodwill-ransomware-forces-victims-to-donate-to-the-poor-and-provides-financial-assistance-to-patients-in-need/
2022-05-27
Analysis_of_Black_Basta_Ransomware
MEDIUM
+
Intel Source:
IBM Security X-Force
Intel Name:
Analysis_of_Black_Basta_Ransomware
Date of Scan:
2022-05-27
Impact:
MEDIUM
Summary:
Researchers from IBM documented a technical analysis of Black Basta ransomware and provided IoCs. Black Basta first appeared in April 2022.
Source: https://securityintelligence.com/posts/black-basta-ransomware-group-besting-network/
2022-05-27
Tandem_Espionage_Campaign
LOW
+
Intel Source:
Inquest
Intel Name:
Tandem_Espionage_Campaign
Date of Scan:
2022-05-27
Impact:
LOW
Summary:
Researcher Dmitry Melikov at Inquest has discovered an interesting campaign distributing malicious documents that uses a download chain as well as legitimate payload hosting services.
Source: https://inquest.net/blog/2022/05/25/tandem-espionage
2022-05-26
Mirai_malware_variants_doubled_for_Intel_powered_Linux_systems
MEDIUM
+
Intel Source:
CrowdStrike
Intel Name:
Mirai_malware_variants_doubled_for_Intel_powered_Linux_systems
Date of Scan:
2022-05-26
Impact:
MEDIUM
Summary:
CrowdStrike research found that Mirai malware variants compiled for Intel-powered Linux systems more than doubled (up 101%) in Q1 2022 compared to Q1 2021.
Source: https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips/
2022-05-26
Threat_actors_using_Browser_automation_framework
LOW
+
Intel Source:
TeamCymru
Intel Name:
Threat_actors_using_Browser_automation_framework
Date of Scan:
2022-05-26
Impact:
LOW
Summary:
Researchers from Team Cymru have flagged a free-to-use browser automation framework that is increasingly being used by threat actors as part of their attack campaigns.
Source: https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/
2022-05-26
Deep_Analysis_on_new_version_of_Mars_Stealer_Malware
LOW
+
Intel Source:
XJunior
Intel Name:
Deep_Analysis_on_new_version_of_Mars_Stealer_Malware
Date of Scan:
2022-05-26
Impact:
LOW
Summary:
Security researcher Mohamed Ashraf has analysed a new version (v8) of the Mars Stealer malware, identifying anti-analysis techniques, a different encryption algorithm, a new anti-debug technique, and the external DLLs now being bundled in a single zip file.
Source: https://x-junior.github.io/malware%20analysis/MarsStealer/#iocs
2022-05-26
SocGholish_Campaigns_and_Initial_Access_Kit
MEDIUM
+
Intel Source:
WalMart
Intel Name:
SocGholish_Campaigns_and_Initial_Access_Kit
Date of Scan:
2022-05-26
Impact:
MEDIUM
Summary:
Researchers from Walmart found that SocGholish has been one of the most prominent initial access vectors for threat actors and has also partnered with Evil Corp.
Source: https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee
2022-05-26
TURLA_new_phishing_based_reconnaissance_campaign
LOW
+
Intel Source:
Sekoia
Intel Name:
TURLA_new_phishing_based_reconnaissance_campaign
Date of Scan:
2022-05-26
Impact:
LOW
Summary:
The Sekoia Threat & Detection Team has exposed a reconnaissance and espionage campaign by the Turla intrusion set against the Baltic Defence College, the Austrian Economic Chamber (which has a role in government decision-making such as economic sanctions) and NATO's eLearning platform JDAL, pointing to Russian intelligence interest in the defence sector in Eastern Europe.
Source: https://blog.sekoia.io/turla-new-phishing-campaign-eastern-europe/
2022-05-25
New_variant_of_Nokoyawa_Ransomware
Medium
+
Intel Source:
Fortinet
Intel Name:
New_variant_of_Nokoyawa_Ransomware
Date of Scan:
2022-05-25
Impact:
Medium
Summary:
Researchers at Fortinet have discovered that Nokoyawa ransomware is a new variant of the Nemty ransomware and that it continues to evolve.
Source: https://www.fortinet.com/blog/threat-research/nokoyawa-variant-catching-up
2022-05-25
Yashma_Latest_version_of_Chaos_Ransomware
Medium
+
Intel Source:
BlackBerry
Intel Name:
Yashma_Latest_version_of_Chaos_Ransomware
Date of Scan:
2022-05-25
Impact:
Medium
Summary:
The BlackBerry Research and Intelligence Team has detailed the latest version of the Chaos ransomware line, dubbed Yashma. Although the Chaos ransomware builder has only been in the wild for about a year, Yashma claims to be the sixth version (v6.0) of the malware.
Source: https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree
2022-05-25
Spoofed_Purchase_Order_drops_GuLoader_Malware
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Spoofed_Purchase_Order_drops_GuLoader_Malware
Date of Scan:
2022-05-25
Impact:
MEDIUM
Summary:
Researchers at Fortinet have analysed a phishing email purporting to be a purchase order from an oil provider in Saudi Arabia. The partial PDF image displayed in the body of the email was actually a link to a cloud-hosted ISO file containing a GuLoader executable.
Source: https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader
2022-05-25
Web_Skimmers_mimicking_Google_Analytics_and_Meta_Pixel_Code
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
Web_Skimmers_mimicking_Google_Analytics_and_Meta_Pixel_Code
Date of Scan:
2022-05-25
Impact:
MEDIUM
Summary:
Threat actors behind web skimming campaigns are leveraging malicious JavaScript code that mimics Google Analytics and Meta Pixel scripts in an attempt to sidestep detection.
Source: https://www.microsoft.com/security/blog/2022/05/23/beneath-the-surface-uncovering-the-shift-in-web-skimming/#ioc
2022-05-25
Threat_Actor_leverage_Fake_Proof_Of_Concept_to_deliver_CobaltStrike
LOW
+
Intel Source:
Cyble
Intel Name:
Threat_Actor_leverage_Fake_Proof_Of_Concept_to_deliver_CobaltStrike
Date of Scan:
2022-05-25
Impact:
LOW
Summary:
A threat actor targeted security researchers with fake Windows proof-of-concept exploits that infected devices with the Cobalt Strike backdoor.
Source: https://blog.cyble.com/2022/05/20/malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon/
2022-05-25
Unknown_APT_group_targeted_Russia_repeatedly
Low
+
Intel Source:
Malwarebytes
Intel Name:
Unknown_APT_group_targeted_Russia_repeatedly
Date of Scan:
2022-05-25
Impact:
Low
Summary:
Researchers from the Malwarebytes Threat Intelligence Team discovered campaigns by an unknown threat actor targeting Russia. The APT group has launched at least four campaigns since late February.
Source: https://blog.malwarebytes.com/malwarebytes-news/2022/05/unknown-apt-group-has-targeted-russia-repeatedly-since-ukraine-invasion/
2022-05-24
PDF_delivering_Snake_Keylogger_Malware
Medium
+
Intel Source:
HP Wolf Security
Intel Name:
PDF_delivering_Snake_Keylogger_Malware
Date of Scan:
2022-05-24
Impact:
Medium
Summary:
HP Wolf Security Researchers have discovered a recent malware distribution campaign using PDF attachments to smuggle malicious Word documents that infect users with malware.
Source: https://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead/#
2022-05-24
Twisted_Panda_Espionage_Operation
Medium
+
Intel Source:
Checkpoint
Intel Name:
Twisted_Panda_Espionage_Operation
Date of Scan:
2022-05-24
Impact:
Medium
Summary:
The Check Point Research team has detailed a targeted campaign that uses sanctions-related lures to attack Russian defense institutes belonging to the Rostec Corporation. The investigation shows that this campaign is part of a larger Chinese espionage operation against Russia-related entities that has been ongoing for several months.
Source: https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/
2022-05-24
New_pymafka_malicious_package_drops_CobaltStrike_on_macOS_Windows_Linux
Low
+
Intel Source:
Sonatype
Intel Name:
New_pymafka_malicious_package_drops_CobaltStrike_on_macOS_Windows_Linux
Date of Scan:
2022-05-24
Impact:
Low
Summary:
Sonatype's automated malware detection bots discovered a malicious Python package, 'pymafka', in the PyPI registry. The package typosquats PyKafka, a popular, programmer-friendly Apache Kafka client for Python, and drops Cobalt Strike on Windows, macOS and Linux.
Source: https://blog.sonatype.com/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux
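Because the report's point is the one-letter distance between pymafka and PyKafka, this added Python example (not Sonatype's tooling) flags requested package names that sit within a couple of edits of a known dependency without being that dependency. The allow-list and the requirements file are constructed; names are compared after PEP 503 normalization so that kafka_python, Kafka-Python and kafka.python all collapse to the same key.

```python
import re

# Constructed allow-list of packages a project is known to depend on (stand-in for a
# real inventory or an internal mirror's catalogue).
KNOWN_PACKAGES = {"pykafka", "kafka-python", "requests", "numpy", "urllib3"}


def normalize(name: str) -> str:
    """PEP 503 normalization: case-insensitive, with runs of '-', '_' and '.' treated as one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent characters."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)   # adjacent transposition
        prev2, prev1 = prev1, cur
    return prev1[len(b)]


def parse_requirements(text: str):
    """Extract bare package names from requirements.txt-style lines (specifiers and comments dropped)."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):      # skip blanks and pip options such as -r / --index-url
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            names.append(match.group(0))
    return names


def typosquat_candidates(requested, known=KNOWN_PACKAGES, max_distance=2):
    """Return (requested name, closest known name, distance) for every requested name that is
    not on the allow-list but lies within max_distance edits of a name that is."""
    known_norm = {normalize(k): k for k in known}
    results = []
    for name in requested:
        n = normalize(name)
        if n in known_norm:          # exact (normalized) match: a real dependency, not a squat
            continue
        best = None
        for kn, original in known_norm.items():
            d = damerau_levenshtein(n, kn)
            if d <= max_distance and (best is None or d < best[1]):
                best = (original, d)
        if best is not None:
            results.append((name, best[0], best[1]))
    return results


# Constructed requirements file: the first line is the typosquat named in the report.
SAMPLE_REQUIREMENTS = """pymafka==0.1.3   # looks like pykafka
requests>=2.28
Numpy
totally-unrelated-thing
"""

if __name__ == "__main__":
    for hit in typosquat_candidates(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"{hit[0]!r} is {hit[2]} edit(s) from known package {hit[1]!r}")
```

A threshold of two edits on short names produces false positives (plenty of legitimate four- and five-letter packages are one edit apart), so the output is a review queue rather than a block list. Pair it with pinned versions and hash checking (`pip install --require-hashes`) so that a typo in a requirements file cannot silently resolve to a different artifact.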
2022-05-24
Hackers_utilize_SwissTransfer_to_deploy_Phishing_Scam
Low
+
Intel Source:
Cofense
Intel Name:
Hackers_utilize_SwissTransfer_to_deploy_Phishing_Scam
Date of Scan:
2022-05-24
Impact:
Low
Summary:
The Cofense Phishing Defense Center recently noticed a number of emails using the SwissTransfer service to phish recipients successfully. File sharing services such as WeTransfer, Microsoft OneDrive and Dropbox are an established attack vector, used to spread files containing anything from scams to malware that leads to ransomware.
Source: https://cofense.com/blog/hackers-utilize-swisstransfer-to-deploy-phishing-scam
2022-05-23
XorDdos_targeting_Linux_devices
Medium
+
Intel Source:
Microsoft
Intel Name:
XorDdos_targeting_Linux_devices
Date of Scan:
2022-05-23
Impact:
Medium
Summary:
Microsoft researchers saw a 254% increase in activity of XorDDoS, a stealthy, modular malware used to compromise Linux devices and build a DDoS botnet.
Source: https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/
2022-05-23
Emotet getting distributed through Link Files
Low
+
Intel Source:
ASEC
Intel Name:
Emotet getting distributed through Link Files
Date of Scan:
2022-05-23
Impact:
Low
Summary:
ASEC researchers recently discovered Emotet being distributed through various file types, including link (.lnk) files.
Source: https://asec.ahnlab.com/en/34556/
2022-05-23
Vidar_Malware_distributed_through_fake_Windows11_downloads
Low
+
Intel Source:
Zscaler
Intel Name:
Vidar_Malware_distributed_through_fake_Windows11_downloads
Date of Scan:
2022-05-23
Impact:
Low
Summary:
Researchers from Zscaler came across fraudulent domains masquerading as Microsoft's Windows 11 download portal that attempt to trick users into running trojanized installers, infecting their systems with the Vidar information stealer.
Source: https://www.zscaler.com/blogs/security-research/vidar-distributed-through-backdoored-windows-11-downloads-and-abusing
2022-05-23
Supply_Chain_Attack_targets_GitLab_CI_Pipelines
Medium
+
Intel Source:
SentinelOne
Intel Name:
Supply_Chain_Attack_targets_GitLab_CI_Pipelines
Date of Scan:
2022-05-23
Impact:
Medium
Summary:
Researchers from SentinelLabs identified a software supply chain attack targeting Rust developers with malware aimed directly at infecting GitLab Continuous Integration (CI) pipelines. The campaign has been dubbed CrateDepression.
Source: https://www.sentinelone.com/labs/cratedepression-rust-supply-chain-attack-infects-cloud-ci-pipelines-with-go-malware/
2022-05-20
Chinese_Threat_group_Space_Pirates_targets_Russian_Aerospace_Firms
Medium
+
Intel Source:
PtSecurity
Intel Name:
Chinese_Threat_group_Space_Pirates_targets_Russian_Aerospace_Firms
Date of Scan:
2022-05-20
Impact:
Medium
Summary:
Analysts at Positive Technologies came across a previously unknown Chinese hacking group, which they dubbed 'Space Pirates', that targets enterprises in the Russian aerospace industry with phishing emails to install novel malware on their systems.
Source: https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/space-pirates-tools-and-connections/#id5-2
2022-05-20
BumbleBee_Malware_getting_delivered_via_TransferXL_Urls
Low
+
Intel Source:
ISC.SANS
Intel Name:
BumbleBee_Malware_getting_delivered_via_TransferXL_Urls
Date of Scan:
2022-05-20
Impact:
Low
Summary:
Researchers at ISC.SANS were able to link Bumblebee malware to the EXOTIC LILY threat actor after observing active TransferXL URLs delivering ISO files that carry Bumblebee.
Source: https://isc.sans.edu/diary/rss/28664
2022-05-20
All_about_ITG23_Crypters
Medium
+
Intel Source:
Security Intelligence
Intel Name:
All_about_ITG23_Crypters
Date of Scan:
2022-05-20
Impact:
Medium
Summary:
IBM X-Force researchers analyzed thirteen crypters that have all been used with malware built or operated by ITG23 internal teams or third-party distributors — including Trickbot, BazarLoader, Conti, and Colibri.
Source: https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/
2022-05-20
Threat_Actors_exploiting_VMware_vulnerability
Medium
+
Intel Source:
CISA
Intel Name:
Threat_Actors_exploiting_VMware_vulnerability
Date of Scan:
2022-05-20
Impact:
Medium
Summary:
CISA released an advisory to warn organizations about threat actors exploiting unpatched VMware vulnerabilities. These vulnerabilities affect certain versions of VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-138b
2022-05-20
Latest_APT_C_24_SideWinder_Rattlesnake_attack_activity
Medium
+
Intel Source:
WeiXin
Intel Name:
Latest_APT_C_24_SideWinder_Rattlesnake_attack_activity
Date of Scan:
2022-05-20
Impact:
Medium
Summary:
Researchers from 360 Threat Intelligence Center came across attack activity by APT-C-24/SideWinder in which the threat actor has adopted new TTPs.
Source: https://mp-weixin-qq-com.translate.goog/s/qsGxZIiTsuI7o-_XmiHLHg?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en
2022-05-20
Lazarus_Group_Exploiting_Log4Shell_Vulnerability
Medium
+
Intel Source:
Asec
Intel Name:
Lazarus_Group_Exploiting_Log4Shell_Vulnerability
Date of Scan:
2022-05-20
Impact:
Medium
Summary:
Researchers from ASEC discovered the Lazarus group distributing NukeSped by exploiting the Log4Shell vulnerability on VMware Horizon servers that had not received the security patch.
Source: https://asec.ahnlab.com/en/34461/
2022-05-19
Emotet_The_journey
Medium
+
Intel Source:
Palo Alto
Intel Name:
Emotet_The_journey
Date of Scan:
2022-05-19
Impact:
Medium
Summary:
Researchers from Palo Alto Networks documented the background of Emotet and its activity from November 2021 through January 2022.
Source: https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/
2022-05-19
Threat Actors targets US Business Online Checkout Page
Medium
+
Intel Source:
IC3
Intel Name:
Threat Actors targets US Business Online Checkout Page
Date of Scan:
2022-05-19
Impact:
Medium
Summary:
The FBI's Internet Crime Complaint Center (IC3) published a notice on threat actors targeting the online checkout page of a US business; see the linked PDF for details.
Source: https://www.ic3.gov/Media/News/2022/220516.pdf
2022-05-19
VMware_Bugs_Abused_to_Deliver_Mirai
Medium
+
Intel Source:
Barracuda
Intel Name:
VMware_Bugs_Abused_to_Deliver_Mirai
Date of Scan:
2022-05-19
Impact:
Medium
Summary:
Researchers from Barracuda observed attempts to exploit the recent VMware vulnerabilities CVE-2022-22954 and CVE-2022-22960, with Mirai being delivered through the exploitation.
Source: https://blog.barracuda.com/2022/05/17/threat-spotlight-attempts-to-exploit-new-vmware-vulnerabilities/
2022-05-18
Operation RestyLink targeting Japanese Firms
Medium
+
Intel Source:
NTT Security
Intel Name:
Operation RestyLink targeting Japanese Firms
Date of Scan:
2022-05-18
Impact:
Medium
Summary:
Researchers from NTT Security observed an APT campaign targeting Japanese companies starting in mid-April 2022. The initial attack vector in this campaign was spear-phishing email.
Source: https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies
2022-05-18
Wizard_Spider_Group_In_Depth_Analysis
Medium
+
Intel Source:
Prodaft
Intel Name:
Wizard_Spider_Group_In_Depth_Analysis
Date of Scan:
2022-05-18
Impact:
Medium
Summary:
Researchers from PRODAFT published the results of an investigation into Wizard Spider, believed to be, or to be associated with, the Grim Spider and Lunar Spider hacking groups.
Source: https://www.prodaft.com/resource/detail/ws-wizard-spider-group-depth-analysis
2022-05-18
Chaos_Ransomware_stands_with_Russia
Medium
+
Intel Source:
Fortinet
Intel Name:
Chaos_Ransomware_stands_with_Russia
Date of Scan:
2022-05-18
Impact:
Medium
Summary:
FortiGuard Labs came across a variant of the Chaos ransomware that appears to side with Russia; this variant leverages the Russia-Ukraine conflict as a lure.
Source: https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia
2022-05-18
Uncovering_Kingminer_Botnet_Attack
Low
+
Intel Source:
Trend Micro
Intel Name:
Uncovering_Kingminer_Botnet_Attack
Date of Scan:
2022-05-18
Impact:
Low
Summary:
Researchers from Trend Micro detail the TTPs of the Kingminer botnet. In 2020 threat actors deployed Kingminer against SQL servers for cryptocurrency mining.
Source: https://www.trendmicro.com/en_us/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
2022-05-18
RansomEXX_and_its_TTPs
Medium
+
Intel Source:
Trend Micro
Intel Name:
RansomEXX_and_its_TTPs
Date of Scan:
2022-05-18
Impact:
Medium
Summary:
Researchers from Trend Micro shed light on the tactics and techniques of the RansomEXX ransomware variant, which has been active since 2020.
Source: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx
2022-05-18
X_Cart_Skimmer_with_DOM_based_Obfuscation
Low
+
Intel Source:
Sucuri
Intel Name:
X_Cart_Skimmer_with_DOM_based_Obfuscation
Date of Scan:
2022-05-18
Impact:
Low
Summary:
A security researcher from Sucuri worked on an infected X-Cart website and found two interesting credit card stealers there: one skimmer located server-side, the other client-side.
Source: https://blog.sucuri.net/2022/05/x-cart-skimmer-with-dom-based-obfuscation.html
2022-05-17
Malicious_HTML_Help_File_Delivering_Agent_Tesla
Low
+
Intel Source:
Palo Alto
Intel Name:
Malicious_HTML_Help_File_Delivering_Agent_Tesla
Date of Scan:
2022-05-17
Impact:
Low
Summary:
Unit 42 researchers observed an attack utilizing malicious compiled HTML help files for the initial delivery. The method was used to deliver Agent Tesla.
Source: https://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent-tesla/
2022-05-17
UpdateAgent_Returns_with_New_macOS_Malware_Dropper
Low
+
Intel Source:
Jamf
Intel Name:
UpdateAgent_Returns_with_New_macOS_Malware_Dropper
Date of Scan:
2022-05-17
Impact:
Low
Summary:
Researchers from Jamf Threat Labs came across a new variant of the macOS malware tracked as UpdateAgent. The malware relies on the AWS infrastructure to host its various payloads and perform its infection status updates to the server.
Source: https://www.jamf.com/blog/updateagent-adapts-again/
2022-05-17
Custom_PowerShell_RAT_targets_Germans
Low
+
Intel Source:
MalwareBytes
Intel Name:
Custom_PowerShell_RAT_targets_Germans
Date of Scan:
2022-05-17
Impact:
Low
Summary:
Researchers from Malwarebytes came across a new campaign that plays on current concerns by luring Germans with a promise of updates on the threat situation in Ukraine, and then infects victims with a custom PowerShell RAT.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/05/custom-powershell-rat-targets-germans-seeking-information-about-the-ukraine-crisis/
2022-05-17
UN_social_program_themed_online_fraud
Medium
+
Intel Source:
CERT-UA
Intel Name:
UN_social_program_themed_online_fraud
Date of Scan:
2022-05-17
Impact:
Medium
Summary:
CERT-UA recently responded to the discovery of a fraudulent Facebook page that mimics the TV channel "TSN".
Source: https://cert.gov.ua/article/40240
2022-05-17
Analysis_of_the_HUI_Loader
Low
+
Intel Source:
JPCERT
Intel Name:
Analysis_of_the_HUI_Loader
Date of Scan:
2022-05-17
Impact:
Low
Summary:
JPCERT researchers shared their analysis of HUI Loader, which has been used by multiple attack groups since around 2015, including APT10.
Source: https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html
2022-05-17
Onyx_Ransomware
Low
+
Intel Source:
Cyfirma
Intel Name:
Onyx_Ransomware
Date of Scan:
2022-05-17
Impact:
Low
Summary:
Researchers from Cyfirma analyzed samples of a new ransomware called Onyx, first seen in April 2022. It encrypts files and appends the .ampkcz extension to their filenames.
Source: https://www.cyfirma.com/outofband/onyx-ransomware-report/
2022-05-16
Telegram_used_to_spread_Eternity_Malware
Low
+
Intel Source:
Cyble
Intel Name:
Telegram_used_to_spread_Eternity_Malware
Date of Scan:
2022-05-16
Impact:
Low
Summary:
Researchers from Cyble came across a new malware-as-a-service offering, dubbed the Eternity Project by the threat actors behind it, which lets cybercriminals target victims with a customized threat assembled from individual modules.
Source: https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/
2022-05-16
From_0_Day_to_Mirai
High
+
Intel Source:
ISC.SANS
Intel Name:
From_0_Day_to_Mirai
Date of Scan:
2022-05-16
Impact:
High
Summary:
Researchers at ISC.SANS found attacks exploiting the recent high-severity vulnerability in F5 products and were able to attribute the attacks to Mirai.
Source: https://isc.sans.edu/diary/rss/28644
2022-05-16
APT29_Abusing_Legitimate_Software_For_Targeted_Operations_In_Europe
Medium
+
Intel Source:
Cluster25
Intel Name:
APT29_Abusing_Legitimate_Software_For_Targeted_Operations_In_Europe
Date of Scan:
2022-05-16
Impact:
Medium
Summary:
Cluster25 researchers analyzed several spear-phishing campaigns linked to APT29 that involve the use of a side-loaded DLL through signed software (such as the Adobe suite) and legitimate web services (such as Dropbox) as a communication vector for Command and Control (C&C).
Source: https://cluster25.io/2022/05/13/cozy-smuggled-into-the-box/
2022-05-16
KurayStealer_Malware
Low
+
Intel Source:
Uptycs
Intel Name:
KurayStealer_Malware
Date of Scan:
2022-05-16
Impact:
Low
Summary:
Researchers at Uptycs came across a new malware builder dubbed KurayStealer that has password-stealing and screenshot capabilities. The malware harvests passwords and screenshots and sends them to the attackers’ Discord channel via webhooks.
Source: https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks
2022-05-16
Novel IceApple Post-Exploitation Framework
Low
+
Intel Source:
CrowdStrike
Intel Name:
Novel IceApple Post-Exploitation Framework
Date of Scan:
2022-05-16
Impact:
Low
Summary:
Researchers from CrowdStrike found a new post-exploitation threat being deployed on Microsoft Exchange servers. The threat has been dubbed IceApple.
Source: https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework.pdf
2022-05-16
Quantum_Locker_Ransomware
Medium
+
Intel Source:
Cybereason
Intel Name:
Quantum_Locker_Ransomware
Date of Scan:
2022-05-16
Impact:
Medium
Summary:
Researchers at Cybereason analyzed Quantum Locker ransomware and demonstrated its detection and prevention. The initial infection method used by the operators is the infamous malware called IcedID.
Source: https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware
2022-05-13
APT34_targets_Jordan_Government_using_new_Saitama_backdoor
Medium
+
Intel Source:
MalwareBytes
Intel Name:
APT34_targets_Jordan_Government_using_new_Saitama_backdoor
Date of Scan:
2022-05-13
Impact:
Medium
Summary:
Researchers at Malwarebytes discovered a malicious email targeting a government official at Jordan’s foreign ministry; the suspicious message was identified on April 26. It contained a malicious Excel document that delivered Saitama, a new hacking tool used to provide a backdoor into systems. Malwarebytes attributed the email to a threat group commonly known as APT34.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/
2022-05-13
RedLine_Stealer_Campaign_spread_via_Github_hosted_payload
Medium
+
Intel Source:
NetSkope
Intel Name:
RedLine_Stealer_Campaign_spread_via_Github_hosted_payload
Date of Scan:
2022-05-13
Impact:
Medium
Summary:
Researchers at Netskope Threat Labs have discovered a new RedLine Stealer campaign spread on YouTube, using a fake bot to buy Mystery Box NFTs from Binance. The video description leads the victim to download the fake bot, which is hosted on GitHub.
Source: https://www.netskope.com/blog/redline-stealer-campaign-using-binance-mystery-box-videos-to-spread-github-hosted-payload
2022-05-13
Iranian_threat_actor_COBALT_MIRAGE_conducting_Ransomware_operations_in_US
Medium
+
Intel Source:
SecureWorks
Intel Name:
Iranian_threat_actor_COBALT_MIRAGE_conducting_Ransomware_operations_in_US
Date of Scan:
2022-05-13
Impact:
Medium
Summary:
SecureWorks Counter Threat Unit has analysed REvil ransomware samples indicating that GOLD SOUTHFIELD has resumed operations. The identification of multiple samples containing different modifications and the lack of an official new version indicate that REvil is under active development.
Source: https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us
2022-05-13
Phishing_campaign_delivering_AveMariaRAT_BitRAT_PandoraHVNC
Low
+
Intel Source:
Fortinet
Intel Name:
Phishing_campaign_delivering_AveMariaRAT_BitRAT_PandoraHVNC
Date of Scan:
2022-05-13
Impact:
Low
Summary:
Researchers at Fortinet's FortiGuard Labs have analysed a phishing campaign that was delivering three fileless malware samples onto a victim’s device. Once executed, the malware is able to steal sensitive information from that device. It mainly affects Microsoft Windows users.
Source: https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware
2022-05-13
UAC_0010_Armageddon_leveraging_GammaLoad_PS1_v2_malware
Medium
+
Intel Source:
CERT-UA
Intel Name:
UAC_0010_Armageddon_leveraging_GammaLoad_PS1_v2_malware
Date of Scan:
2022-05-13
Impact:
Medium
Summary:
CERT-UA has analysed a phishing campaign with the subject "On revenge in Kherson!" and an attachment named "Plan Kherson.htm". The campaign uses the malicious program GammaLoad.PS1_v2 and is attributed to the group UAC-0010 (Armageddon).
Source: https://cert.gov.ua/article/40240
2022-05-12
Bitter APT expands its target list
Medium
+
Intel Source:
Cisco Talos
Intel Name:
Bitter APT expands its target list
Date of Scan:
2022-05-12
Impact:
Medium
Summary:
An espionage-focused threat actor (Bitter APT) known for targeting China, Pakistan, and Saudi Arabia has included Bangladeshi government organizations as part of an ongoing campaign.
Source: https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html
2022-05-12
Nerbian_RAT_targeting_firms_in_Italy_Spain_and_UK
Low
+
Intel Source:
Proofpoint
Intel Name:
Nerbian_RAT_targeting_firms_in_Italy_Spain_and_UK
Date of Scan:
2022-05-12
Impact:
Low
Summary:
Proofpoint researchers found that a previously undocumented remote access trojan (RAT) called Nerbian RAT, written in the Go programming language, has been spotted disproportionately targeting entities in Italy, Spain, and the U.K.
Source: https://www.proofpoint.com/us/blog/threat-insight/nerbian-rat-using-covid-19-themes-features-sophisticated-evasion-techniques
2022-05-12
Malicious_NPM_Packages_targets_German_Companies
Low
+
Intel Source:
JFrog
Intel Name:
Malicious_NPM_Packages_targets_German_Companies
Date of Scan:
2022-05-12
Impact:
Low
Summary:
Researchers from JFrog have discovered a number of malicious packages in the NPM registry specifically targeting a number of prominent companies based in Germany to carry out supply chain attacks.
Source: https://jfrog.com/blog/npm-supply-chain-attack-targets-german-based-companies/
2022-05-12
TA578_distributing_Bumblebee_malware
Medium
+
Intel Source:
ISC.SANS
Intel Name:
TA578_distributing_Bumblebee_malware
Date of Scan:
2022-05-12
Impact:
Medium
Summary:
Researchers at ISC.SANS have analysed a campaign in which the threat actor TA578 leverages thread-hijacked emails to push ISO files for Bumblebee malware. These thread-hijacked emails have links to storage.googleapis.com URLs similar to those used in the Contact Forms campaign.
Source: https://isc.sans.edu/diary/rss/28636
2022-05-12
Critical_F5_BIG_IP_Vulnerability_New_IoCs
High
+
Intel Source:
Palo Alto
Intel Name:
Critical_F5_BIG_IP_Vulnerability_New_IoCs
Date of Scan:
2022-05-12
Impact:
High
Summary:
Researchers from PaloAlto have also released a few indicators of compromise and their view on the critical F5 BIG-IP vulnerability.
Source: https://unit42.paloaltonetworks.com/cve-2022-1388/
2022-05-11
New_Wave_of_Ursnif_Malware
High
+
Intel Source:
Qualys
Intel Name:
New_Wave_of_Ursnif_Malware
Date of Scan:
2022-05-11
Impact:
High
Summary:
Researchers at Qualys have discovered and analysed a few phishing emails in which a macro-embedded XLS attachment or a zip attachment containing an HTA file initiated the infection chain. Researchers attributed this targeted attack to the Ursnif malware, one of the most widespread banking trojans.
Source: https://blog.qualys.com/vulnerabilities-threat-research/2022/05/08/ursnif-malware-banks-on-news-events-for-phishing-attacks
2022-05-11
Different_elements_of_Cobalt_Strike
Medium
+
Intel Source:
Palo Alto
Intel Name:
Different_elements_of_Cobalt_Strike
Date of Scan:
2022-05-11
Impact:
Medium
Summary:
Palo Alto Unit42 researchers have analysed the Cobalt Strike tool, gone through its encoding algorithm, described the definitions of and differences between the encoding types used in the Cobalt Strike framework, and covered some malicious attacks seen in the wild.
Source: https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/#Indicators-of-Compromise
2022-05-11
REvil_returns_reemergening_GOLD_SOUTHFIELD
High
+
Intel Source:
SecureWorks
Intel Name:
REvil_returns_reemergening_GOLD_SOUTHFIELD
Date of Scan:
2022-05-11
Impact:
High
Summary:
SecureWorks Counter Threat Unit has analysed REvil ransomware samples indicating that GOLD SOUTHFIELD has resumed operations. The identification of multiple samples containing different modifications and the lack of an official new version indicate that REvil is under active development.
Source: https://www.secureworks.com/blog/revil-development-adds-confidence-about-gold-southfield-reemergence
2022-05-11
German_Automakers_targeted_by_InfoStealer_campaign
Low
+
Intel Source:
checkpoint
Intel Name:
German_Automakers_targeted_by_InfoStealer_campaign
Date of Scan:
2022-05-11
Impact:
Low
Summary:
Checkpoint researchers discovered a years-long phishing campaign that has targeted German companies in the automotive industry, attempting to infect their systems with password-stealing malware.
Source: https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/
2022-05-11
Examining_BlackBasta_ransomware
Medium
+
Intel Source:
Trend Micro
Intel Name:
Examining_BlackBasta_ransomware
Date of Scan:
2022-05-11
Impact:
Medium
Summary:
TrendMicro researchers have examined the whole infection routine of Black Basta ransomware and its infection tactics.
Source: https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html
2022-04-19
Recent Emotet Maldoc Outbreak
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Recent Emotet Maldoc Outbreak
Date of Scan:
2022-04-19
Impact:
MEDIUM
Summary:
Researchers at Fortinet have identified that a recent Emotet outbreak is being spread through a variety of malicious Microsoft Office files, or maldocs, attached to phishing emails. Once a victim opens the attached document, a VBA macro or Excel 4.0 macro is used to execute malicious code that downloads and runs the Emotet malware.
Source: https://www.fortinet.com/blog/threat-research/Trends-in-the-recent-emotet-maldoc-outbreak
2022-04-19
SunnyDay Ransomware
LOW
+
Intel Source:
Seguranca-Informatica
Intel Name:
SunnyDay Ransomware
Date of Scan:
2022-04-19
Impact:
LOW
Summary:
Segurança-Informatica published an analysis of a recent sample of SunnyDay ransomware. As a result of the work, some similarities with other ransomware samples such as Ever101, Medusa Locker, Curator and Payment45 were found. According to the analysis, “SunnyDay is a simple piece of ransomware based on the SALSA20 stream cipher”. SALSA20 is easy to recognize as it uses well-known constants in its internal cryptographic operations.
Source: https://seguranca-informatica.pt/analysis-of-the-sunnyday-ransomware/#.Yl0eXdtBxPY
2022-04-19
Lazarus Group Targets Chemical Sector
MEDIUM
+
Intel Source:
Symantec
Intel Name:
Lazarus Group Targets Chemical Sector
Date of Scan:
2022-04-19
Impact:
MEDIUM
Summary:
Researchers from Symantec have observed the Lazarus group conducting an espionage campaign targeting organizations operating within the chemical sector. This campaign has been dubbed Operation Dream Job.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical
2022-04-19
Coordinated disruption of Zloader operation
LOW
+
Intel Source:
Microsoft/ESET
Intel Name:
Coordinated disruption of Zloader operation
Date of Scan:
2022-04-19
Impact:
LOW
Summary:
Microsoft's Digital Crimes Unit (DCU) has taken technical action against ZLoader and disrupted its operations. ZLoader is run by a global internet-based organized crime gang operating malware as a service that is designed to steal and extort money.
Source: https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/ https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/
2022-04-18
CVE_2022_24527_Seeder_Queries_14042022
MEDIUM
+
Intel Source:
STR
Intel Name:
CVE_2022_24527_Seeder_Queries_14042022
Date of Scan:
2022-04-18
Impact:
MEDIUM
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-04-18
XSS Vulnerability in Zimbra leveraged to target Ukraine Government
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
XSS Vulnerability in Zimbra leveraged to target Ukraine Government
Date of Scan:
2022-04-18
Impact:
MEDIUM
Summary:
CERT-UA has detected threat actors targeting Ukrainian government agencies with new attacks exploiting a Zimbra XSS vulnerability (CVE-2018-6882). CERT-UA has attributed this campaign to UAC-0097, a currently unknown actor.
Source: https://cert.gov.ua/article/39606 https://docs.google.com/spreadsheets/d/1Y987F976R9j4ztw2IyDzazzfpGL2bL00kCYFAeeo2tE/edit#gid=0
2022-04-18
CVE_2022_22954_Seeder_Queries_14042022
MEDIUM
+
Intel Source:
STR
Intel Name:
CVE_2022_22954_Seeder_Queries_14042022
Date of Scan:
2022-04-18
Impact:
MEDIUM
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-04-18
Indepth analysis of PYSA Ransomware Group
MEDIUM
+
Intel Source:
Prodaft
Intel Name:
Indepth analysis of PYSA Ransomware Group
Date of Scan:
2022-04-18
Impact:
MEDIUM
Summary:
Researchers at PRODAFT have identified and gained visibility into PYSA's ransomware infrastructure and analyzed their findings to gain insight into how the criminal operation works.
Source: https://www.prodaft.com/resource/detail/pysa-ransomware-group-depth-analysis
2022-04-18
New File extensions added to BlackCat ransomware's arsenal
MEDIUM
+
Intel Source:
SecureList
Intel Name:
New File extensions added to BlackCat ransomware's arsenal
Date of Scan:
2022-04-18
Impact:
MEDIUM
Summary:
Researchers at SecureList have analysed the BlackCat ransomware group's activities since its inception. They also compare BlackCat's TTPs with those of the BlackMatter group, such as a custom exfiltration tool called 'Fendr' that had previously been used exclusively in BlackMatter ransomware activity.
Source: https://securelist.com/a-bad-luck-blackcat/106254/
2022-04-18
Emotet Modules and Recent Attacks
MEDIUM
+
Intel Source:
SecureList
Intel Name:
Emotet Modules and Recent Attacks
Date of Scan:
2022-04-18
Impact:
MEDIUM
Summary:
Researchers from Kaspersky were able to retrieve 10 of the 16 modules used by Emotet for credential/password/account/e-mail stealing and spamming. Statistics on recent Emotet attacks were also shared.
Source: https://securelist.com/emotet-modules-and-recent-attacks/106290/
2022-04-18
BumbleBee Malware campaign
LOW
+
Intel Source:
Cynet
Intel Name:
BumbleBee Malware campaign
Date of Scan:
2022-04-18
Impact:
LOW
Summary:
Researchers from Cynet Security found a new campaign which, instead of using malicious Office documents, uses malicious ISO image files to lure victims into executing the BumbleBee malware.
Source: https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/
2022-04-18
New Fodcha DDoS botnet
MEDIUM
+
Intel Source:
netlab360
Intel Name:
New Fodcha DDoS botnet
Date of Scan:
2022-04-18
Impact:
MEDIUM
Summary:
Researchers at Qihoo 360's Network Security Research Lab have discovered a new DDoS botnet called 'Fodcha'. The botnet spread to over 62,000 devices between March 29 and April 10. Based on the unique IP addresses linked to the botnet, researchers are tracking a 10,000-strong Fodcha army of bots using Chinese IP addresses every day.
Source: https://blog.netlab.360.com/fodcha-a-new-ddos-botnet/
2022-04-14
Malware Campaigns Targeting African Banking Sector
MEDIUM
+
Intel Source:
HP Wolf Security
Intel Name:
Malware Campaigns Targeting African Banking Sector
Date of Scan:
2022-04-14
Impact:
MEDIUM
Summary:
Researchers from HP Wolf Security have been tracking the campaign since early 2022, when an employee of an unnamed West African bank received an email purporting to be from a recruiter at another African bank with information about job opportunities. This cybercrime campaign targeting the African banking sector leverages phishing emails and HTML smuggling techniques to deploy malware.
Source: https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/
2022-04-14
Enemybot leveraged by Keksec group
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Enemybot leveraged by Keksec group
Date of Scan:
2022-04-14
Impact:
MEDIUM
Summary:
Researchers at FortiGuard Labs have identified a new DDoS botnet called “Enemybot” and attributed it to a threat group called 'Keksec' that specializes in cryptomining and DDoS attacks. This botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code.
Source: https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet
2022-04-14
OldGremlin Gang resumes attack with new methods
MEDIUM
+
Intel Source:
Group-IB
Intel Name:
OldGremlin Gang resumes attack with new methods
Date of Scan:
2022-04-14
Impact:
MEDIUM
Summary:
Group-IB has uncovered new attack tools and methods used by the OldGremlin ransomware group. The group was first identified by Group-IB researchers in spring 2020; over the past two years OldGremlin has conducted 13 malicious email campaigns. Researchers also discovered two variants of the TinyFluff malware: an earlier one that is more complex, and a newer simplified version that copies the script and the Node.js interpreter from its storage location.
Source: https://blog.group-ib.com/oldgremlin_comeback
2022-04-14
Virus/XLS Xanpei Infecting Excel Files
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Virus/XLS Xanpei Infecting Excel Files
Date of Scan:
2022-04-14
Impact:
MEDIUM
Summary:
The ASEC research team has identified the continuous distribution of malware strains that spread the infection when an Excel file is opened. Upon opening the infected Excel file, a file containing the virus's VBA code is dropped into the Excel startup path. Whenever any Excel file is subsequently opened, the malicious file dropped in the Excel startup path is automatically executed to infect it with the virus and perform additional malicious behaviors.
Source: https://asec.ahnlab.com/en/33630/
2022-04-14
ZingoStealer by Haskers Group
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
ZingoStealer by Haskers Group
Date of Scan:
2022-04-14
Impact:
MEDIUM
Summary:
Researchers at Cisco Talos have identified a new information stealer called 'ZingoStealer' that has been released for free by a threat actor known as 'Haskers Gang'. This information stealer, first introduced to the wild in March 2022, is currently undergoing active development, and multiple releases of new versions have been observed recently.
Source: https://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/760/original/zingostealer-blog-iocs.txt?1649940925
2022-04-14
Critical Remote Code Execution Vulnerability in Windows RPC Runtime
HIGH
+
Intel Source:
Microsoft
Intel Name:
Critical Remote Code Execution Vulnerability in Windows RPC Runtime
Date of Scan:
2022-04-14
Impact:
HIGH
Summary:
Microsoft’s April 2022 Patch Tuesday introduced patches for more than a hundred new vulnerabilities in various components. Three critical vulnerabilities were found and patched in the Windows RPC (Remote Procedure Call) runtime: CVE-2022-24492, CVE-2022-24528 and CVE-2022-26809. By exploiting these vulnerabilities, a remote unauthenticated attacker can execute code on the vulnerable machine with the privileges of the RPC service, which depends on the process hosting the RPC runtime.
Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809 https://www.securonix.com/blog/cve-2022-26809-remote-procedure-call-runtime-remote-code-execution-vulnerability-and-coverage/
2022-04-14
IcedID malware targeting Ukraine state bodies
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
IcedID malware targeting Ukraine state bodies
Date of Scan:
2022-04-14
Impact:
MEDIUM
Summary:
CERT-UA has issued a new heads-up that warns of an ongoing cyber-attack leveraging the infamous IcedID malware, designed to compromise Ukrainian state bodies. The detected malware, also known as BankBot or BokBot, is a banking Trojan primarily designed to target financial data and steal banking credentials.
Source: https://cert.gov.ua/article/39609 https://docs.google.com/spreadsheets/d/1QTwDDOO8JBpZbNyOnNvMm7VcZDQS0Y3CjYsMLrTKN7c/edit#gid=0
2022-04-12
EvilNominatus Ransomware
LOW
+
Intel Source:
ClearSky
Intel Name:
EvilNominatus Ransomware
Date of Scan:
2022-04-12
Impact:
LOW
Summary:
Researchers at ClearSky have detected a malicious BAT file that was uploaded to VirusTotal from Iran. This file executes a ransomware associated with EvilNominatus, which was initially exposed at the end of 2021. Researchers believe that the ransomware’s developer is a young Iranian who bragged about its development on Twitter.
Source: https://www.clearskysec.com/wp-content/uploads/2022/04/EvilNominatus_Ransomware_7.4.22.pdf
2022-04-12
Tarrask - HAFNIUM APT defense evasion malware
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
Tarrask - HAFNIUM APT defense evasion malware
Date of Scan:
2022-04-12
Impact:
MEDIUM
Summary:
Microsoft Threat Intelligence Center has tracked the Chinese-backed Hafnium hacking group and linked it to a new piece of malware used to maintain persistence in compromised Windows environments. MSTIC has dubbed the defense evasion malware 'Tarrask' and characterized it as a tool that creates 'hidden' scheduled tasks on the system.
Source: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
2022-04-12
NetSupport RAT_Seeder_Queries_08/04/2022
MEDIUM
+
Intel Source:
STR
Intel Name:
NetSupport RAT_Seeder_Queries_08/04/2022
Date of Scan:
2022-04-12
Impact:
MEDIUM
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-04-12
SystemBC Malware
MEDIUM
+
Intel Source:
ASEC
Intel Name:
SystemBC Malware
Date of Scan:
2022-04-12
Impact:
MEDIUM
Summary:
The ASEC research team has identified a proxy malware called SystemBC that has been used by various attackers for the last few years. While it has recently been distributed through SmokeLoader or Emotet, this malware has steadily been used in various ransomware attacks in the past.
Source: https://asec.ahnlab.com/en/33600/
2022-04-12
MoqHao Malware targeting European countries
LOW
+
Intel Source:
TeamCymru
Intel Name:
MoqHao Malware targeting European countries
Date of Scan:
2022-04-12
Impact:
LOW
Summary:
Researchers at TeamCymru have examined the current target base of the Roaming Mantis group, which is leveraging MoqHao malware to target European countries. MoqHao is generally used to target Android users, often via smishing as the initial attack vector.
Source: https://team-cymru.com/blog/2022/04/07/moqhao-part-2-continued-european-expansion/
2022-04-12
Bahamut group recent attacks
MEDIUM
+
Intel Source:
360 Beacon Lab
Intel Name:
Bahamut group recent attacks
Date of Scan:
2022-04-12
Impact:
MEDIUM
Summary:
Researchers at 360 Beacon Lab have identified suspected mobile-device attack activity by the Bahamut group. Bahamut is an advanced threat group targeting the Middle East and South Asia. The group mainly uses phishing websites, fake news websites and social networking sites to attack.
Source: https://mp.weixin.qq.com/s/YAAybJBAvxqrQWYDg31BBw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=zh-CN
2022-04-12
New version of SolarMarker Malware
MEDIUM
+
Intel Source:
Palo Alto
Intel Name:
New version of SolarMarker Malware
Date of Scan:
2022-04-12
Impact:
MEDIUM
Summary:
A new version of SolarMarker, a malware family known for its infostealing and backdoor capabilities, has been identified by Palo Alto Networks and is believed to be active as of April 2022. This malware has been prevalent since September 2020, targeting U.S. organizations; part of its infrastructure is still active as of 2022, in addition to new infrastructure that attackers have recently deployed.
Source: https://unit42.paloaltonetworks.com/solarmarker-malware/
2022-04-12
Fake COVID-19 forms targeting companies
MEDIUM
+
Intel Source:
Cofense
Intel Name:
Fake COVID-19 forms targeting companies
Date of Scan:
2022-04-12
Impact:
MEDIUM
Summary:
Cofense Phishing Defense Center has analysed a phishing campaign in which threat actors impersonate companies to send out fake COVID-19 forms. The CPDC team saw a phishing email masquerading as a general office-wide email claiming that someone in the building has been infected with COVID-19 and asking recipients to review the company policy.
Source: https://cofense.com/blog/covid-19-phish-targeting-companies
2022-04-12
Sandworm Group (UAC-0082) targeting Ukraine energy facilities using INDUSTROYER2 and CADDYWIPER
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
Sandworm Group (UAC-0082) targeting Ukraine energy facilities using INDUSTROYER2 and CADDYWIPER
Date of Scan:
2022-04-12
Impact:
MEDIUM
Summary:
CERT-UA has taken urgent measures to respond to an information security incident related to a targeted attack on Ukraine's energy facility.
Source: https://cert.gov.ua/article/39518 https://docs.google.com/spreadsheets/d/1T2NyaCKfjszODa0hRu4xZFpnPe8yWP607aNHb7iB_ec/edit#gid=0
2022-04-11
DPRK-Nexus threat actor spear-phishing campaign
LOW
+
Intel Source:
Cluster25
Intel Name:
DPRK-Nexus threat actor spear-phishing campaign
Date of Scan:
2022-04-11
Impact:
LOW
Summary:
Researchers at Cluster25 have identified recent activity, starting in the early days of April 2022, from a DPRK-nexus threat actor using spear-phishing emails containing Korean-language malicious documents with different lures to compromise its victims.
Source: https://cluster25.io/2022/04/11/dprk-nexus-adversary-new-kitty-phishing/
2022-04-11
Mirai Botnet exploiting Spring4Shell Vulnerability
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
Mirai Botnet exploiting Spring4Shell Vulnerability
Date of Scan:
2022-04-11
Impact:
MEDIUM
Summary:
Trend Micro Research has confirmed earlier reports that the new Spring4Shell vulnerability is being exploited by the Mirai botnet. The Mirai sample is downloaded to the ‘/tmp’ folder and executed after its permissions are changed with ‘chmod’ to make it executable.
Source: https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html
2022-04-11
Multiple cyber espionage operations disrupted
MEDIUM
+
Intel Source:
Facebook
Intel Name:
Multiple cyber espionage operations disrupted
Date of Scan:
2022-04-11
Impact:
MEDIUM
Summary:
Meta has shared their Adversarial Threat report, in which they provide a broader view into the cyber threats Facebook observes in Iran, Azerbaijan, Ukraine, Russia, South America and the Philippines.
Source: https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf
2022-04-11
FFDroider Stealer Targeting Social Media Platforms
LOW
+
Intel Source:
Zscaler
Intel Name:
FFDroider Stealer Targeting Social Media Platforms
Date of Scan:
2022-04-11
Impact:
LOW
Summary:
Researchers from Zscaler have discovered many new types of stealer malware across different attack campaigns, including a novel Windows-based malware, dubbed FFDroider after the registry key it creates, which is designed to send stolen credentials and cookies to a C&C server.
Source: https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users
2022-04-11
Denonia Malware specifically targeting AWS Lambda
MEDIUM
+
Intel Source:
Cado security
Intel Name:
Denonia Malware specifically targeting AWS Lambda
Date of Scan:
2022-04-11
Impact:
MEDIUM
Summary:
Researchers from Cado Security published their findings on a new malware variant called 'Denonia' that targets AWS Lambda. After further investigation the researchers found that the sample was a 64-bit ELF executable. The malware also relies on third-party GitHub-hosted libraries, including ones for writing Lambda functions and retrieving data from Lambda invoke requests.
Source: https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/
2022-04-08
Operation Bearded Barbie
MEDIUM
+
Intel Source:
Cybereason
Intel Name:
Operation Bearded Barbie
Date of Scan:
2022-04-08
Impact:
MEDIUM
Summary:
Researchers from Cybereason discovered a new APT-C-23 campaign targeting a group of high-profile Israeli targets working for sensitive defense, law enforcement and emergency services organizations. The investigation revealed that APT-C-23 has effectively upgraded its malware arsenal with new tools dubbed Barb(ie) Downloader and BarbWire Backdoor.
Source: https://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials#iocs
2022-04-08
Parrot TDS takes over compromised websites
MEDIUM
+
Intel Source:
Avast
Intel Name:
Parrot TDS takes over compromised websites
Date of Scan:
2022-04-08
Impact:
MEDIUM
Summary:
Avast researchers have published a report stating that a new traffic direction system (TDS) called Parrot has been spotted leveraging tens of thousands of compromised websites to launch further malicious campaigns. The TDS has infected various web servers hosting more than 16,500 websites, including adult content sites, personal websites, university sites and local government sites.
Source: https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/
2022-04-08
Remcos RAT phishing campaign
LOW
+
Intel Source:
Fortinet
Intel Name:
Remcos RAT phishing campaign
Date of Scan:
2022-04-08
Impact:
LOW
Summary:
Researchers from FortiGuard Labs share their analysis of the Remcos RAT, delivered by a phishing campaign and used by malicious actors to control victims’ devices.
Source: https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing
2022-04-08
Chinese APT targets Indian Power Grid
MEDIUM
+
Intel Source:
Recorded Future
Intel Name:
Chinese APT targets Indian Power Grid
Date of Scan:
2022-04-08
Impact:
MEDIUM
Summary:
Researchers from Recorded Future found continued targeting of the Indian power grid by a Chinese state-sponsored activity group, likely intended to enable information gathering about critical infrastructure systems.
Source: https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf
2022-04-08
UAC-0010 group/Armageddon targeting Ukraine government
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
UAC-0010 group/Armageddon targeting Ukraine government
Date of Scan:
2022-04-08
Impact:
MEDIUM
Summary:
Ukraine’s Computer Emergency Response Team (CERT-UA) revealed on Monday a string of phishing emails that they’ve linked to a Russian state-sponsored actor called Armageddon. The attacks baited Ukrainian and Latvian government officials with information concerning the war between Ukraine and Russia.
Source: https://cert.gov.ua/article/39138 https://therecord.media/ukrainian-cert-details-russia-linked-phishing-attacks-targeting-government-officials/
2022-04-08
UAC-0010 group/Armageddon targeting European Union institutions
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
UAC-0010 group/Armageddon targeting European Union institutions
Date of Scan:
2022-04-08
Impact:
MEDIUM
Summary:
Ukraine’s Computer Emergency Response Team (CERT-UA) revealed on Monday a string of phishing emails that they’ve linked to a Russian state-sponsored actor called Armageddon. The attacks baited Ukrainian and Latvian government officials with information concerning the war between Ukraine and Russia.
Source: https://cert.gov.ua/article/39086 https://www.bleepingcomputer.com/news/security/ukraine-russian-armageddon-phishing-targets-eu-govt-agencies/
2022-04-07
Scammers are Exploiting Ukraine Donations
LOW
Intel Source:
McAfee
Intel Name:
Scammers are Exploiting Ukraine Donations
Date of Scan:
2022-04-07
Impact:
LOW
Summary:
McAfee researchers have identified malicious sites and emails used by attackers to lure internet users into a cryptocurrency donation scam.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/scammers-are-exploiting-ukraine-donations/
2022-04-07
Evolution of FIN7 group
MEDIUM
Intel Source:
Mandiant
Intel Name:
Evolution of FIN7 group
Date of Scan:
2022-04-07
Impact:
MEDIUM
Summary:
Mandiant published their research on the evolution of FIN7 from both historical and recent intrusions and describes the process of merging eight previously suspected UNC groups into FIN7. The researchers also highlighted notable shifts in FIN7 activity over time, including their use of novel malware, incorporation of new initial access vectors, and shifts in monetization strategies.
Source: https://www.mandiant.com/resources/evolution-of-fin7
2022-04-07
Cicada/APT10 new espionage campaign
MEDIUM
Intel Source:
Symantec
Intel Name:
Cicada/APT10 new espionage campaign
Date of Scan:
2022-04-07
Impact:
MEDIUM
Summary:
Researchers at Symantec have discovered an espionage campaign by the Chinese APT group APT10/Cicada. Victims identified in this campaign include government, legal, religious and non-governmental organizations (NGOs) in multiple countries around the world, including in Europe, Asia and North America.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks
2022-04-07
New AsyncRAT campaign features 3LOSH crypter
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
New AsyncRAT campaign features 3LOSH crypter
Date of Scan:
2022-04-07
Impact:
MEDIUM
Summary:
Cisco Talos Intelligence Group discovered that ongoing malware distribution campaigns are using ISO disk images to deliver AsyncRAT and other commodity malware to victims. They found that these campaigns appear to be linked to a new version of the 3LOSH crypter.
Source: https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html
2022-04-07
CaddyWiper Malware- New Analysis
MEDIUM
Intel Source:
Morphisec
Intel Name:
CaddyWiper Malware- New Analysis
Date of Scan:
2022-04-07
Impact:
MEDIUM
Summary:
Researchers from Morphisec share a new analysis of the CaddyWiper malware, which has surfaced as the fourth destructive wiper attacking Ukrainian infrastructure. CaddyWiper destroys user data and partition information from attached drives and has been spotted on several dozen systems in a limited number of organizations.
Source: https://blog.morphisec.com/caddywiper-analysis-new-malware-attacking-ukraine
2022-04-07
Windows MetaStealer Malware
MEDIUM
Intel Source:
ISC.SANS
Intel Name:
Windows MetaStealer Malware
Date of Scan:
2022-04-07
Impact:
MEDIUM
Summary:
Researchers at SANS have analysed 16 samples of Excel files submitted to VirusTotal on 30-03-2022; these Excel files are distributed as email attachments. Post-infection traffic triggers signatures for Win32/MetaStealer related activity.
Source: https://isc.sans.edu/diary/rss/28522
2022-04-07
Colibri Loader campaign delivering the Vidar Stealer
LOW
Intel Source:
Malwarebytes
Intel Name:
Colibri Loader campaign delivering the Vidar Stealer
Date of Scan:
2022-04-07
Impact:
LOW
Summary:
Researchers from Malwarebytes recently uncovered a new Colibri Loader campaign delivering the Vidar Stealer as its final payload; the loader uses a clever persistence technique that combines Task Scheduler and PowerShell.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
2022-04-07
BLISTER & SocGholish loaders delivering LockBit Ransomware
MEDIUM
Intel Source:
Trend Micro
Intel Name:
BLISTER & SocGholish loaders delivering LockBit Ransomware
Date of Scan:
2022-04-07
Impact:
MEDIUM
Summary:
Researchers from Trend Micro recently discovered that BLISTER and SocGholish, two loaders known for their evasion tactics, were involved in a campaign used to deliver LockBit ransomware.
Source: https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html
2022-04-07
Malicious Word Documents Using MS Media Player
LOW
Intel Source:
ASEC
Intel Name:
Malicious Word Documents Using MS Media Player
Date of Scan:
2022-04-07
Impact:
LOW
Summary:
ASEC researchers have analysed a malicious Word file that is also being distributed with text impersonating AhnLab. The Word file downloads another Word file containing a malicious VBA macro via an external URL and runs it. The downloaded Word file uses the Windows Media Player() function instead of AutoOpen() to automatically run the VBA macro.
Source: https://asec.ahnlab.com/en/33477/
2022-04-06
New UAC-0056 Group activity
MEDIUM
Intel Source:
Malwarebytes
Intel Name:
New UAC-0056 Group activity
Date of Scan:
2022-04-06
Impact:
MEDIUM
Summary:
Researchers from Intezer Labs shared that UAC-0056 (TA471, SaintBear, UNC2589) has been launching targeted spear-phishing campaigns using spoofed Ukrainian government email addresses to deliver the Elephant malware framework, written in Go.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/ https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/
2022-04-06
Stolen Image Evidence Campaign
MEDIUM
Intel Source:
DFIR Report
Intel Name:
Stolen Image Evidence Campaign
Date of Scan:
2022-04-06
Impact:
MEDIUM
Summary:
Researchers at The DFIR Report have identified a single Conti ransomware deployment from December that appears to be part of a larger campaign. The attack utilized IcedID, a well-known banking trojan, which was delivered via the 'Stolen Images Evidence' email campaign.
Source: https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
2022-04-06
Mirai campaign updated its arsenal of exploits
MEDIUM
Intel Source:
Fortinet
Intel Name:
Mirai campaign updated its arsenal of exploits
Date of Scan:
2022-04-06
Impact:
MEDIUM
Summary:
Researchers at Fortinet Labs have identified that the Beastmode Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Five new exploits were added within a month, with three targeting various models of TOTOLINK routers.
Source: https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign
2022-04-06
Lazarus Group New Campaign
LOW
Intel Source:
SecureList
Intel Name:
Lazarus Group New Campaign
Date of Scan:
2022-04-06
Impact:
LOW
Summary:
Researchers at SecureList have discovered that a trojanized DeFi application was used by the Lazarus Group to deliver a backdoor. The application contains a legitimate program called DeFi Wallet, which saves and manages a cryptocurrency wallet, but also implants a malicious file when executed.
Source: https://securelist.com/lazarus-trojanized-defi-app/106195/
2022-04-06
New RAT campaign leverages Tax Season
LOW
Intel Source:
Cofense
Intel Name:
New RAT campaign leverages Tax Season
Date of Scan:
2022-04-06
Impact:
LOW
Summary:
The Cofense Phishing Defense Center team has discovered a tactic that spoofs the U.S. Internal Revenue Service (IRS) to download malware onto user systems. This campaign leverages NetSupport Manager, a troubleshooting and screen control program, as a malicious remote access trojan (RAT) that the threat actor employs to remotely enter user systems.
Source: https://cofense.com/blog/rat-campaign-looks-to-take-advantage-of-the-tax-season
2022-04-05
VajraEleph (APT-Q-43) group New campaign
LOW
Intel Source:
Qianxin
Intel Name:
VajraEleph (APT-Q-43) group New campaign
Date of Scan:
2022-04-05
Impact:
LOW
Summary:
The mobile security team of the Qianxin Technology HK Co. Limited Virus Response Center identified that the VajraEleph (APT-Q-43) group has been carrying out targeted military espionage activities against the Pakistani military.
Source: https://mp.weixin.qq.com/s/B0ElRhbqLzs-wGQh79fTww
2022-04-05
Remcos RAT Phishing Campaign
MEDIUM
Intel Source:
Morphisec
Intel Name:
Remcos RAT Phishing Campaign
Date of Scan:
2022-04-05
Impact:
MEDIUM
Summary:
Morphisec Labs has detected a new wave of Remcos RAT infections being spread through phishing emails masquerading as payment remittances sent from financial institutions.
Source: https://blog.morphisec.com/remcos-trojan-analyzing-attack-chain
2022-04-04
New PlugX variant used by Chinese APT group
MEDIUM
Intel Source:
Trellix
Intel Name:
New PlugX variant used by Chinese APT group
Date of Scan:
2022-04-04
Impact:
MEDIUM
Summary:
Researchers at Trellix have discovered a new variant of the PlugX malware named 'Talisman'. The new variant follows the usual execution process of abusing a signed, benign binary that loads a modified DLL to execute shellcode. The shellcode decrypts the PlugX malware, which then serves as a backdoor with plug-in capabilities.
Source: https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html
2022-04-04
State sponsored groups leveraging RU-UA conflict
MEDIUM
Intel Source:
Checkpoint
Intel Name:
State sponsored groups leveraging RU-UA conflict
Date of Scan:
2022-04-04
Impact:
MEDIUM
Summary:
Researchers from Check Point provide an overview of several campaigns by different APT groups that use the ongoing Russia-Ukraine war to increase the efficiency of their campaigns. They also discuss the victimology of these campaigns and the tactics used, and provide technical analysis of the observed malicious payloads and malware specially crafted for this cyber-espionage.
Source: https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/
2022-04-04
BlackGuard - new infostealer malware
MEDIUM
Intel Source:
Zscaler
Intel Name:
BlackGuard - new infostealer malware
Date of Scan:
2022-04-04
Impact:
MEDIUM
Summary:
The Zscaler ThreatLabz team came across BlackGuard, a sophisticated stealer currently advertised as malware-as-a-service for a monthly price of $200. Researchers share their analysis of the techniques the BlackGuard stealer uses to steal information and evade detection through obfuscation, as well as its anti-debugging techniques.
Source: https://www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking
2022-04-04
AcidRain wiper malware targets Viasat KA-SAT modems
MEDIUM
Intel Source:
SentinelOne
Intel Name:
AcidRain wiper malware targets Viasat KA-SAT modems
Date of Scan:
2022-04-04
Impact:
MEDIUM
Summary:
SentinelLabs researchers have analysed a new wiper, AcidRain, which has been targeting Viasat KA-SAT modems in Europe. This wiper is ELF MIPS malware designed to wipe modems and routers.
Source: https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/
2022-04-04
Mars InfoStealer new operation
MEDIUM
Intel Source:
Morphisec
Intel Name:
Mars InfoStealer new operation
Date of Scan:
2022-04-04
Impact:
MEDIUM
Summary:
The Morphisec Labs team has analysed a campaign in which the actor distributed Mars Stealer via cloned websites offering well-known software. The Morphisec team attributed this actor to a Russian national based on the screenshots and keyboard details from the extracted system.txt.
Source: https://blog.morphisec.com/threat-research-mars-stealer
2022-04-04
North Korea related files distributed via malicious VB Scripts
LOW
Intel Source:
ASEC
Intel Name:
North Korea related files distributed via malicious VB Scripts
Date of Scan:
2022-04-04
Impact:
LOW
Summary:
ASEC researchers have analysed phishing emails related to North Korea that carry a compressed file as an attachment. The email text, which refers to writing a resume, induces the recipient to execute the attached file. A malicious VBS script file exists inside the compressed file.
Source: https://asec.ahnlab.com/ko/33141/
2022-04-04
Hive Ransomware leveraging IPfuscation Technique
MEDIUM
Intel Source:
SentinelOne
Intel Name:
Hive Ransomware leveraging IPfuscation Technique
Date of Scan:
2022-04-04
Impact:
MEDIUM
Summary:
Researchers at SentinelOne have discovered a new obfuscation technique used by the Hive ransomware gang, which involves IPv4 addresses and a series of conversions that eventually lead to downloading a Cobalt Strike beacon.
Source: https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/
2022-04-01
Deep Panda APT group exploiting Log4shell
MEDIUM
Intel Source:
Fortinet
Intel Name:
Deep Panda APT group exploiting Log4shell
Date of Scan:
2022-04-01
Impact:
MEDIUM
Summary:
FortiGuard Labs detected an opportunistic campaign by the Chinese nation-state "Deep Panda" APT group exploiting the Log4Shell vulnerability in VMware Horizon servers belonging to the financial, academic, cosmetics and travel industries.
Source: https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits
2022-04-01
Spring4Shell Vulnerability
HIGH
Intel Source:
Securonix
Intel Name:
Spring4Shell Vulnerability
Date of Scan:
2022-04-01
Impact:
HIGH
Summary:
The Securonix Threat Research team has identified a currently unpatched zero-day vulnerability in Spring Core, a widely used Java-based platform with cross-platform support. Early details claim that the bug would allow full remote code execution (RCE) on affected systems.
Source: https://www.securonix.com/blog/detection-and-analysis-of-spring4shell/
2022-04-01
Spoofed Invoice delivering IcedID Trojan
MEDIUM
Intel Source:
Fortinet
Intel Name:
Spoofed Invoice delivering IcedID Trojan
Date of Scan:
2022-04-01
Impact:
MEDIUM
Summary:
FortiGuard Labs encountered a spear-phishing campaign targeting a fuel company in Kyiv, Ukraine. The email contains an attached zip file, which in turn contains an invoice file claiming to be from another fuel company. The IcedID trojan is dropped via main.dll in the Windows registry.
Source: https://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id
2022-03-31
Multiple APT groups targeting Eastern Europe
MEDIUM
Intel Source:
Google
Intel Name:
Multiple APT groups targeting Eastern Europe
Date of Scan:
2022-03-31
Impact:
MEDIUM
Summary:
Google TAG researchers have tracked 3 APT groups targeting government and military organisations in Ukraine, Kazakhstan and Mongolia, as well as NATO forces in Eastern Europe. All 3 APT groups are conducting phishing campaigns against these targets.
Source: https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/
2022-03-31
Transparent Tribe targets Indian government and military
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
Transparent Tribe targets Indian government and military
Date of Scan:
2022-03-31
Impact:
MEDIUM
Summary:
Cisco Talos researchers have identified a new campaign by Transparent Tribe targeting Indian government and military bodies. The threat actor is leveraging CrimsonRAT to infect the victims.
Source: https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html
2022-03-31
Verblecon - A New Malware Loader
LOW
Intel Source:
Symantec
Intel Name:
Verblecon - A New Malware Loader
Date of Scan:
2022-03-31
Impact:
LOW
Summary:
Symantec researchers have identified malware named Trojan.Verblecon, which is being leveraged in attacks whose end goal appears to be installing cryptocurrency miners on infected machines. However, the capabilities of this malware indicate that it could be highly dangerous if leveraged in ransomware or espionage campaigns.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord
2022-03-31
Chromium Based Browser Vulnerability
MEDIUM
Intel Source:
Google
Intel Name:
Chromium Based Browser Vulnerability
Date of Scan:
2022-03-31
Impact:
MEDIUM
Summary:
Google is urging users on Windows, macOS and Linux to update Chrome builds to version 99.0.4844.84 following the discovery of a vulnerability for which an exploit exists in the wild.
Source: https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html
2022-03-30
Emotet New IoC and New Pattern
MEDIUM
Intel Source:
Cisco
Intel Name:
Emotet New IoC and New Pattern
Date of Scan:
2022-03-30
Impact:
MEDIUM
Summary:
Cisco conducted research to find new Emotet IOCs and URL patterns related to the new wave of Emotet activity since its re-emergence in November 2021. Cisco researchers summarize the Emotet (Geodo/Heodo) malware threat, its lifecycle and typical detectable patterns.
Source: https://blogs.cisco.com/security/emotet-is-back
2022-03-30
Kimsuky distributing VB Script disguised as PDF Files
LOW
Intel Source:
ASEC
Intel Name:
Kimsuky distributing VB Script disguised as PDF Files
Date of Scan:
2022-03-30
Impact:
LOW
Summary:
ASEC researchers have identified APT attacks by a group called Kimsuky using VB Script disguised as PDF files. Upon running the script file with the VBS extension, the malware opens the innocuous PDF file embedded internally, to trick the user into thinking they opened a harmless document file, and uses a malicious DLL file to leak information.
Source: https://asec.ahnlab.com/en/33032/
2022-03-30
BitRAT malware disguised as Office Installer
LOW
Intel Source:
ASEC
Intel Name:
BitRAT malware disguised as Office Installer
Date of Scan:
2022-03-30
Impact:
LOW
Summary:
ASEC researchers have analysed a BitRAT malware sample that is being distributed as an Office installer alongside other files. The malware is being actively distributed via file-sharing websites such as Korean webhards.
Source: https://asec.ahnlab.com/en/33024/
2022-03-29
New Conversation Hijacking Campaign Delivering IcedID
MEDIUM
Intel Source:
Intezer
Intel Name:
New Conversation Hijacking Campaign Delivering IcedID
Date of Scan:
2022-03-29
Impact:
MEDIUM
Summary:
Researchers from Intezer provide a technical analysis of a new campaign that initiates attacks with a phishing email using conversation hijacking to deliver the IcedID malware.
Source: https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/
2022-03-29
Purple Fox using New variant of FatalRAT
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Purple Fox using New variant of FatalRAT
Date of Scan:
2022-03-29
Impact:
MEDIUM
Summary:
Trend Micro Research has been tracking a threat actor named 'Purple Fox' and its activities. Researchers identified Purple Fox's new arrival vector and the early access loaders they believe are associated with the intrusion set behind this botnet. The operators are updating their arsenal with new malware, including a variant of the remote access trojan FatalRAT that they seem to be continuously upgrading.
Source: https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html
2022-03-28
Conti Ransomware new update
MEDIUM
Intel Source:
Zscaler
Intel Name:
Conti Ransomware new update
Date of Scan:
2022-03-28
Impact:
MEDIUM
Summary:
Researchers at Zscaler ThreatLabz have been following the Conti ransomware group and, as part of their global ransomware tracking efforts, identified an updated version of Conti ransomware that includes improved file encryption, introduces techniques to better evade security software, and streamlines the ransom payment process.
Source: https://www.zscaler.com/blogs/security-research/conti-ransomware-attacks-persist-updated-version-despite-leaks
2022-03-28
Muhstik Gang targets Redis Servers
MEDIUM
Intel Source:
Juniper
Intel Name:
Muhstik Gang targets Redis Servers
Date of Scan:
2022-03-28
Impact:
MEDIUM
Summary:
Researchers at Juniper Threat Labs have revealed an attack that targets Redis servers using a recently disclosed vulnerability, CVE-2022-0543. This vulnerability exists in some Redis Debian packages. The payload used is a variant of the Muhstik bot, which can be used to launch DDoS attacks.
Source: https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers
2022-03-25
JSSLoader RAT delivered through XLL Files
LOW
Intel Source:
Morphisec
Intel Name:
JSSLoader RAT delivered through XLL Files
Date of Scan:
2022-03-25
Impact:
LOW
Summary:
Morphisec Labs has discovered a new variant of the JSSLoader RAT. JSSLoader is a small but very capable .NET remote access trojan (RAT). Its capabilities include data exfiltration, persistence, auto-updating, additional payload delivery and more. Moreover, attackers are now using .XLL files to deliver an obfuscated version of JSSLoader.
Source: https://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files
2022-03-25
Operation Dragon Castling
LOW
Intel Source:
Avast
Intel Name:
Operation Dragon Castling
Date of Scan:
2022-03-25
Impact:
LOW
Summary:
Researchers from Avast found an APT campaign dubbed Operation Dragon Castling, which has been targeting betting companies in Southeast Asian countries. The campaign has similarities with several old malware samples used by an unspecified Chinese-speaking APT group.
Source: https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies/
2022-03-25
Chinese APT Scarab targets Ukraine
MEDIUM
Intel Source:
SentinelOne
Intel Name:
Chinese APT Scarab targets Ukraine
Date of Scan:
2022-03-25
Impact:
MEDIUM
Summary:
Researchers at SentinelLabs have further analysed alert #4244, released by the Ukrainian CERT on 22nd March 2022, which describes the malicious activity of the UAC-0026 threat group. The Sentinel team has confirmed the attribution of UAC-0026 to the Chinese APT group called Scarab.
Source: https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/
2022-03-25
Tax Season and Refugee war scams delivering Emotet
MEDIUM
Intel Source:
Fortinet
Intel Name:
Tax Season and Refugee war scams delivering Emotet
Date of Scan:
2022-03-25
Impact:
MEDIUM
Summary:
The FortiGuard Labs research team has analysed emails related to tax season and the Ukrainian conflict. The phishing emails are attributed to the infamous 'Emotet' malware, which affects the Windows platform; compromised machines come under the control of the threat actor, leading to theft of personally identifiable information (PII), credential theft, monetary loss, etc.
Source: https://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams
2022-03-24
Crypto Phishing
LOW
Intel Source:
Confiant
Intel Name:
Crypto Phishing
Date of Scan:
2022-03-24
Impact:
LOW
Summary:
Researchers at Confiant have looked at several chains that start with an ad and end in cryptocurrency theft, usually via phishing.
Source: https://blog.confiant.com/a-whirlwind-tour-of-crypto-phishing-8628da0a9e38
2022-03-24
Operation DreamJob and AppleJeus
MEDIUM
Intel Source:
Google
Intel Name:
Operation DreamJob and AppleJeus
Date of Scan:
2022-03-24
Impact:
MEDIUM
Summary:
Researchers from Google discovered two new North Korean-backed threat actors exploiting a remote code execution vulnerability in Chrome, CVE-2022-0609. These groups' activity has been publicly tracked as Operation Dream Job and Operation AppleJeus. These campaigns have been targeting U.S.-based organizations.
Source: https://blog.google/threat-analysis-group/countering-threats-north-korea/
2022-03-24
Password stealer disguised as private Fortnite server
LOW
Intel Source:
Avast
Intel Name:
Password stealer disguised as private Fortnite server
Date of Scan:
2022-03-24
Impact:
LOW
Summary:
Researchers at Avast have identified password-stealing malware disguised as a private Fortnite server where users can meet for a private match and use skins for free. The malware is being heavily propagated on the communications platform Discord.
Source: https://blog.avast.com/password-stealer-disguised-as-fortnite-server-spreading-on-discord
2022-03-24
Arid Viper using Arid Gopher malware
MEDIUM
Intel Source:
deepinstinct
Intel Name:
Arid Viper using Arid Gopher malware
Date of Scan:
2022-03-24
Impact:
MEDIUM
Summary:
Researchers from Deep Instinct's Threat Research team discovered a never-before-seen Micropsia malware variant, dubbed Arid Gopher, which is attributed to Arid Viper.
Source: https://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant
2022-03-24
Midas Ransomware - A Thanos Ransomware variant
LOW
Intel Source:
Zscaler
Intel Name:
Midas Ransomware - A Thanos Ransomware variant
Date of Scan:
2022-03-24
Impact:
LOW
Summary:
Researchers at Zscaler have analysed variants of the Thanos ransomware and identified a shift in its tactics in 2021. Thanos ransomware was first identified in Feb 2020 as a RaaS on the dark web. In 2021 the Thanos source code was leaked, after which many variants have been identified by researchers. One of the latest variants is Midas.
Source: https://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants
2022-03-24
Vidar Malware hidden in Microsoft Help file
MEDIUM
Intel Source:
Trustwave
Intel Name:
Vidar Malware hidden in Microsoft Help file
Date of Scan:
2022-03-24
Impact:
MEDIUM
Summary:
Trustwave SpiderLabs researchers have detected a Vidar malware phishing campaign that abuses Microsoft HTML Help files. Vidar is Windows spyware and an information stealer available for purchase by cybercriminals. Vidar can harvest OS and user data, online service and cryptocurrency account credentials, and credit card information.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vidar-malware-launcher-concealed-in-help-file/
2022-03-24
Conti Ransomware Affiliate Exposed
MEDIUM
Intel Source:
eSentire
Intel Name:
Conti Ransomware Affiliate Exposed
Date of Scan:
2022-03-24
Impact:
MEDIUM
Summary:
Researchers at eSentire have been tracking the movements of the Conti gang for over two years and are now publishing a new set of indicators currently in use by a Conti affiliate. The researchers' analysis also focuses on the infrastructure used by the gang.
Source: https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire
2022-03-24
New variants of Arkei Stealer
LOW
Intel Source:
ISC.SANS
Intel Name:
New variants of Arkei Stealer
Date of Scan:
2022-03-24
Impact:
LOW
Summary:
Researchers at the SANS InfoSec Diary blog have analysed the Vidar, Oski and Mars stealer variants of the Arkei Stealer malware. They also found that legitimate DLL files, hosted on the same C2 server, have been used by the Vidar, Oski and Mars variants.
Source: https://isc.sans.edu/diary.html?date=2022-03-23
2022-03-24
Meris and TrickBot joined Hands
MEDIUM
Intel Source:
Avast
Intel Name:
Meris and TrickBot joined Hands
Date of Scan:
2022-03-24
Impact:
MEDIUM
Summary:
According to Avast researchers, the Meris backdoor and TrickBot have joined hands. The botnet is known to exploit a known vulnerability in the Winbox component of MikroTik routers (CVE-2018-14847), enabling attackers to gain unauthenticated remote administrative access to any affected device.
Source: https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/
2022-03-23
Mustang Panda deploying new Hodur Malware
MEDIUM
Intel Source:
WeLiveSecurity
Intel Name:
Mustang Panda deploying new Hodur Malware
Date of Scan:
2022-03-23
Impact:
MEDIUM
Summary:
Researchers from ESET have discovered a new cyber-espionage campaign in which the China-linked APT group Mustang Panda was deploying the Hodur malware. The victims are from East and Southeast Asia.
Source: https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/
2022-03-23
DoubleZero Destructive Malware targets Ukrainian firms
MEDIUM
Intel Source:
CERT-UA
Intel Name:
DoubleZero Destructive Malware targets Ukrainian firms
Date of Scan:
2022-03-23
Impact:
MEDIUM
Summary:
On March 17, CERT-UA found a destructive malware dubbed DoubleZero targeting Ukrainian firms. The malware erases files and destroys certain registry branches on the infected machine.
Source: https://cert.gov.ua/article/38088 https://socprime.com/blog/doublezero-destructive-malware-used-in-cyber-attacks-at-ukrainian-companies-cert-ua-alert/
2022-03-23
Clipper malware disguised as AvD Crypto Stealer
LOW
Intel Source:
Cyble
Intel Name:
Clipper malware disguised as AvD Crypto Stealer
Date of Scan:
2022-03-23
Impact:
LOW
Summary:
Researchers at Cyble have discovered a new malware dubbed 'AvD Crypto Stealer', but it does not function as a crypto stealer. Instead, it is a disguised variant of well-known clipper malware with the capability to read and edit any text copied by the victim.
Source: https://blog.cyble.com/2022/03/22/hunters-become-the-hunted/
2022-03-23
Document-borne APT attack targeting Carbon emissions companies
LOW
Intel Source:
ASEC
Intel Name:
Document-borne APT attack targeting Carbon emissions companies
Date of Scan:
2022-03-23
Impact:
LOW
Summary:
The ASEC team has analysed a malicious Word document titled '**** Carbon Credit Institution.doc', which the user downloaded through a web browser. The team identified the malicious document from logs collected by their Smart Defense tool. The malicious document comes with macro code, and it is likely that its internal macro code runs wscript.exe.
Source: https://asec.ahnlab.com/en/32822/
2022-03-23
Vermin (UAC-0020) targets Ukraine Govt using Spectr malware
MEDIUM
Intel Source:
CERT-UA
Intel Name:
Vermin (UAC-0020) targets Ukraine Govt using Spectr malware
Date of Scan:
2022-03-23
Impact:
MEDIUM
Summary:
On March 17, CERT-UA found an active spear-phishing campaign delivering the SPECTR malware. The campaign was initiated by Vermin, aka UAC-0020, who are associated with the Luhansk People's Republic (LPR).
Source: https://cert.gov.ua/article/37815 https://socprime.com/blog/vermin-uac-0020-hacking-collective-hits-ukrainian-government-and-military-with-spectr-malware/
2022-03-23
Phishing Campaign using QR code targets Ukraine
MEDIUM
Intel Source:
CERT-UA
Intel Name:
Phishing Campaign using QR code targets Ukraine
Date of Scan:
2022-03-23
Impact:
MEDIUM
Summary:
CERT-UA discovered the distribution of e-mails that mimic messages from UKR.NET and contain a QR code encoding a URL created with one of the URL-shortener services; the activity was attributed with low confidence to APT28.
Source: https://cert.gov.ua/article/37788
2022-03-23
ClipBanker Malware disguised as Malware Creation Tool
LOW
Intel Source:
ASEC
Intel Name:
ClipBanker Malware disguised as Malware Creation Tool
Date of Scan:
2022-03-23
Impact:
LOW
Summary:
The ASEC team has identified ClipBanker malware disguised as a malware creation tool. ClipBanker monitors the clipboard of the infected system, and if the user copies a string that is a coin wallet address, the malware changes it to the address designated by the attacker.
Source: https://asec.ahnlab.com/en/32825/
2022-03-23
UAC-0026 targets Ukraine by HeaderTIP malware
MEDIUM
Intel Source:
CERT-UA
Intel Name:
UAC-0026 targets Ukraine by HeaderTIP malware
Date of Scan:
2022-03-23
Impact:
MEDIUM
Summary:
CERT-UA identified yet another nefarious malware, dubbed HeaderTip, which is leveraged to drop additional DLL files onto the infected host; it has been targeting the infrastructure of Ukrainian state bodies and organizations across the country.
Source: https://cert.gov.ua/article/38097