Hackers_Exploiting_MinIO_Storage_System
LOW
+
—
—
- Intel Source:
- Security Joes
- Intel Name:
- Hackers_Exploiting_MinIO_Storage_System
- Date of Scan:
- 2023-09-05
- Impact:
- LOW
- Summary:
- Infected Microsoft SQL Server (MSSQL) databases were being used to deliver Cobalt Strike and ransomware payloads, according to Securonix Threat Lab research. Using MSSQL as a beachhead, the attackers deploy a variety of payloads, including remote-access Trojans (RATs) and a fresh Mimic ransomware variant named FreeWorld, after first infiltrating the target machine.
Cyberattack_by_APT28_Using_msedge_as_a_Bootloader
LOW
+
—
—
- Intel Name:
- Cyberattack_by_APT28_Using_msedge_as_a_Bootloader
- Date of Scan:
- 2023-09-05
- Impact:
- LOW
- Summary:
- Researchers from CERT-UA have observed a deliberate cyber attack against a crucial Ukrainian energy infrastructure site. An email message with a phony sender address and a link to an archive, like “photo.zip,” is being distributed to carry out the malicious scheme.
Okta_Warns_of_Social_Engineering_Attacks
LOW
+
—
—
- Intel Source:
- Okta
- Intel Name:
- Okta_Warns_of_Social_Engineering_Attacks
- Date of Scan:
- 2023-09-04
- Impact:
- LOW
- Summary:
- Recent weeks have seen an increase in social engineering attacks against IT service desk staff, according to several U.S.-based Okta customers. The caller’s tactic was to persuade the service desk staff to reset all multi-factor authentication (MFA) factors enrolled by highly privileged users.
Source:
https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
Following_the_Spread_of_Fileless_Malware_Through_Spam_Emails
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Following_the_Spread_of_Fileless_Malware_Through_Spam_Emails
- Date of Scan:
- 2023-09-04
- Impact:
- LOW
- Summary:
- A phishing campaign that spreads via spam emails and runs a PE file (EXE) without placing the file on the user’s computer has been uncovered by ASEC researchers. The malware strains AgentTesla, Remcos, and LimeRAT are finally executed by the malware attachment in the hta extension.
ZeroDay_Vulnerabilities_Detected_on_WinRAR
MEDIUM
+
—
—
- Intel Source:
- Seqrite
- Intel Name:
- ZeroDay_Vulnerabilities_Detected_on_WinRAR
- Date of Scan:
- 2023-09-04
- Impact:
- MEDIUM
- Summary:
- In the widely used WinRAR software, the zero-day vulnerabilities CVE-2023-38831 and CVE-2023-40477 have been discovered. The possibility of remote code execution presented by these vulnerabilities raises serious security concerns. With half a billion users globally, it is a well-liked compression tool that is essential to numerous digital processes.
Source:
https://www.seqrite.com/blog/threat-advisory-zero-day-vulnerabilities-detected-on-winrar/
FreeWorld_Ransomware_Attacks_on_MSSQL_Databases
MEDIUM
+
—
—
- Intel Source:
- Securonix Threat Labs
- Intel Name:
- FreeWorld_Ransomware_Attacks_on_MSSQL_Databases
- Date of Scan:
- 2023-09-04
- Impact:
- MEDIUM
- Summary:
- Infected Microsoft SQL Server (MSSQL) databases were being used to deliver Cobalt Strike and ransomware payloads, according to Securonix Threat Lab research. Using MSSQL as a beachhead, the attackers deploy a variety of payloads, including remote-access Trojans (RATs) and a fresh Mimic ransomware variant named FreeWorld, after first infiltrating the target machine.
A_new_campaign_of_novel_RAT
LOW
+
—
—
- Intel Source:
- Interlab
- Intel Name:
- A_new_campaign_of_novel_RAT
- Date of Scan:
- 2023-09-02
- Impact:
- LOW
- Summary:
- On 8/28/2023, Interlab got some a sample which was sent to a journalist with highly targeted content luring the recipient to open the document. After checking it, Interlab discovered that after initial compromise, the execution of an AutoIT script that was used to perform process injection using a process hollowing technique. The injected process contained a novel RAT, which was named “SuperBear” due to naming conventions in the code.
Analyses_on_new_open_source_infostealer
LOW
+
—
—
- Intel Source:
- Talos
- Intel Name:
- Analyses_on_new_open_source_infostealer
- Date of Scan:
- 2023-09-02
- Impact:
- LOW
- Summary:
- This week’s edition of the Threat Source newsletter. Talos is seeing more and more bad guys take advantage of the availability of tools that have been added to public malware sites, such as the infostealer “SaphireStealer” which was analyzed by Talos reserachers and shared in their blog.
Source:
https://blog.talosintelligence.com/new-open-source-infostealer-and-reflections-on-2023-so-far/
New_IDAT_Loader_executes_StealC_and_Lumma_Infostealers
LOW
+
—
—
- Intel Source:
- Rapid7
- Intel Name:
- New_IDAT_Loader_executes_StealC_and_Lumma_Infostealers
- Date of Scan:
- 2023-09-02
- Impact:
- LOW
- Summary:
- Recently, Rapid7 discoverd the Fake Browser Update tricking users into executing malicious binaries. While analyzing the dropped binaries, Rapid7 determined a new loader is utilized in order to execute infostealers on compromised systems including StealC and Lumma.
An_Open_Source_Info_Stealer_Named_SapphireStealer
LOW
+
—
—
- Intel Source:
- Talos
- Intel Name:
- An_Open_Source_Info_Stealer_Named_SapphireStealer
- Date of Scan:
- 2023-09-01
- Impact:
- LOW
- Summary:
- In December 2022, SapphireStealer was first published by the open-source community as an information stealing malware. Since then, it’s been observed across a number of public malware repositories with increasing frequency. The researchers have moderate confidence that multiple entities are using SapphireStealer. They have separately improved and modified the original code base, extending it to support additional data exfiltration mechanisms.
Source:
https://blog.talosintelligence.com/sapphirestealer-goes-open-source/
The_attacks_on_USPS_and_US_Citizens_for_data_theft
LOW
+
—
—
- Intel Source:
- Resecurity
- Intel Name:
- The_attacks_on_USPS_and_US_Citizens_for_data_theft
- Date of Scan:
- 2023-09-01
- Impact:
- LOW
- Summary:
- Resecurity has discovered a big-scale smishing campaign targeting the US Citizens. Similar scams have been noticed before targeting Fedex and UPS. The bad actors attributed to Chinese-speaking cybercriminals are leveraging a package tracking text scam sent via iMessage to collect personal (PII) and payment information from the victims with the goal of identity theft and credit card fraud. The cybercriminal group with associated campaign has been named “Smishing Triad” as it leverages smishing as the main attack vector and originates from China.
Source:
https://www.resecurity.com/blog/article/smishing-triad-targeted-usps-and-us-citizens-for-data-theft
Malicious_PDFs
LOW
+
—
—
- Intel Source:
- Trustwave
- Intel Name:
- Malicious_PDFs
- Date of Scan:
- 2023-09-01
- Impact:
- LOW
- Summary:
- Last couple months, Trustwave SpiderLabs analysts have noticed a spikein threat actors employing PDF documents to gain initial access through email-borne attacks. Though the use of PDF files as a malicious vector is not a novel approach, it has become more popular as threat actors continue to experiment with techniques to bypass conventional security controls.
A_detailed_analyses_of_Brute_Ratel_C4_payloads
LOW
+
—
—
- Intel Source:
- Cybergeeks
- Intel Name:
- A_detailed_analyses_of_Brute_Ratel_C4_payloads
- Date of Scan:
- 2023-09-01
- Impact:
- LOW
- Summary:
- Cyber Geeks did deep analyses of Brute Ratel C4 payloads. Brute Ratel C4 is a Red Team & Adversary simulation software that can be considered an alternative to Cobalt Strike.
Source:
https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads/
Decrypting_Key_Group_Ransomware
LOW
+
—
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Decrypting_Key_Group_Ransomware
- Date of Scan:
- 2023-09-01
- Impact:
- LOW
- Summary:
- EclecticIQ analysts discovered that Key Group ransomware can be classified as a low-sophisticated threat actor. The ransomware samples contained multiple cryptographic mistakes that enabled EclecticIQ to create a decryption tool for this specific ransomware version built in August 03,2023. Key Group or KEYGROUP777, is a Russian-speaking cybercrime actor focusing on financial gain by selling Personal Identifying Information (PII) or initial access to compromised devices and obtaining ransom money.
Exploitation_of_CVE_2023_38831
LOW
+
—
—
- Intel Source:
- CERT-UA
- Intel Name:
- Exploitation_of_CVE_2023_38831
- Date of Scan:
- 2023-09-01
- Impact:
- LOW
- Summary:
- The Ukrainian CERT-UA government computer emergency response team has noted a cyberattack by the UAC-0057 group. It was discovered that the “Zbirnyk_tez_Y_23.rar” file contained an exploit for the CVE-2023-38831 vulnerability. If this exploit is successful, it will cause the BAT file “16872_16_2023_03049.pdf.cmd” to be launched, which will cause the LNK file “16872_16_2023_03049.lnk” to launch, which will then use the mshta.
Taking_down_the_main_admin_of_phishing_as_a_service_16shop
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- Taking_down_the_main_admin_of_phishing_as_a_service_16shop
- Date of Scan:
- 2023-09-01
- Impact:
- LOW
- Summary:
- TrendMicro did analyses and investigations on phishing-as-a-service 16shop through the years. Plus was mentioned about he partnership between Trend Micro and Interpol in taking down the main administrators and servers of this massive phishing campaign.
Custom_Executable_Formats_From_Hidden_Bee_to_Rhadamanthys
LOW
+
—
—
- Intel Source:
- Checkpoint
- Intel Name:
- Custom_Executable_Formats_From_Hidden_Bee_to_Rhadamanthys
- Date of Scan:
- 2023-09-01
- Impact:
- LOW
- Summary:
- The design and implementation of Hidden Bee coin miner and Rhadamanthys stealer considerably overlap. Custom executable formats, the usage of comparable virtual filesystems, the use of LUA scripts, identical routes to some of the components, reused functions, similar use of steganography, and overall related architecture are just a few examples of the similarities that are readily obvious.
A_new_wave_of_Good_Day_ransomware_attacks
LOW
+
—
—
- Intel Source:
- Sentilone
- Intel Name:
- A_new_wave_of_Good_Day_ransomware_attacks
- Date of Scan:
- 2023-08-31
- Impact:
- LOW
- Summary:
- Sentilone reserachers shared in their blog several unique Good Day ransom notes and victim portals and shared their analysis of a sample associated with a URL leading to a known Cloak extortion site. Good Day ransomware, a variant within the ARCrypter family. This new wave of Good Day attacks feature individual TOR-based victim portals for each target.
The_attacks_on_Adobe_ColdFusion
LOW
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- The_attacks_on_Adobe_ColdFusion
- Date of Scan:
- 2023-08-31
- Impact:
- LOW
- Summary:
- Last month, Adobe took some counter measurementsto the exploitation of targeting pre-authentication remote code execution (RCE) vulnerabilities in their ColdFusion solution. FortiGuard Labs IPS telemetry data again detected numerous efforts to exploit the Adobe ColdFusion deserialization of untrusted data vulnerability, which creates a huge risk of arbitrary code execution. These attacks include probing, establishing reverse shells, and deploying malware for subsequent actions. Fortinet nalysts shared their detailed analysis of how this threat group exploits the Adobe ColdFusion vulnerability.
The_increased_threat_activity_against_Cisco_ASA_SSL_VPN_appliances
MEDIUM
+
—
—
- Intel Source:
- Rapid7
- Intel Name:
- The_increased_threat_activity_against_Cisco_ASA_SSL_VPN_appliances
- Date of Scan:
- 2023-08-31
- Impact:
- MEDIUM
- Summary:
- Rapid7’s managed detection and response team have discovered increased threat activity targeting Cisco ASA SSL VPN appliances (physical and virtual). In some cases, adversaries have created credential stuffing attacks that leveraged weak or default passwords; in others, the activity was observed appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or was not enforced for all users (i.e., via MFA bypass groups).
DGA_analysis_and_the_Gazavat_DMSniff_link
LOW
+
—
—
- Intel Source:
- Walmart Global Tech Blog
- Intel Name:
- DGA_analysis_and_the_Gazavat_DMSniff_link
- Date of Scan:
- 2023-08-31
- Impact:
- LOW
- Summary:
- Gazavat, a multi-functional backdoor that shares code with the POS malware DMSniff, is also known as Expiro, at least in part. It has been grouped alongside a few other malware versions throughout the years under the name Expiro, a file infector, by AV companies. This is a result of various malware families using the Carberp malware leak’s leaked code.
Source:
https://medium.com/walmartglobaltech/gazavat-expiro-dmsniff-connection-and-dga-analysis-8b965cc0221d
Examining_Andariel_Recent_Attacking_Activities
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Examining_Andariel_Recent_Attacking_Activities
- Date of Scan:
- 2023-08-31
- Impact:
- LOW
- Summary:
- Attacks thought to have been carried out by the Andariel group have been found by ASEC researchers. It is known that the Lazarus threat group or one of its affiliates is associated with the Andariel threat group, which typically targets Korean businesses and organizations. Since 2008, attacks on targets in Korea have been noted.
Earth_Estries_Targeting_Government_and_Technology_Sector
MEDIUM
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- Earth_Estries_Targeting_Government_and_Technology_Sector
- Date of Scan:
- 2023-08-30
- Impact:
- MEDIUM
- Summary:
- Researchers from TrendMicro have uncovered a fresh cyberespionage operation by the Earth Estries hacker collective. As Earth Estries targets governments and enterprises in the technology sector, they found parallels with the advanced persistent threat (APT) group FamousSparrow after analyzing the deployed tactics, methods, and procedures (TTPs).
RemcosRat_Malware_Peeled_Back
LOW
+
—
—
- Intel Source:
- McAfee
- Intel Name:
- RemcosRat_Malware_Peeled_Back
- Date of Scan:
- 2023-08-30
- Impact:
- LOW
- Summary:
- Researchers from McAfee have discovered a Remcos RAT operation that uses phishing emails to distribute malicious VBS scripts. A ZIP/RAR attachment was included in a phishing email. There is a highly obscured VBS file inside of this ZIP.
Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/peeling-back-the-layers-of-remcosrat-malware/
The_Rise_of_QR_Codes_in_Phishing
LOW
+
—
—
- Intel Source:
- Trustwave
- Intel Name:
- The_Rise_of_QR_Codes_in_Phishing
- Date of Scan:
- 2023-08-30
- Impact:
- LOW
- Summary:
- Threat actors are taking image phishing to the advance level by taking advantage of QR codes, a.k.a. ‘Qishing’, to hide their malicious URLs. The samples Tustwave analysts observed have been useing the technique are primarily disguised as Multifactor Authentication (MFA) notifications, which tricks their victims into scanning the QR code with their mobile phones to gain access. However, instead of going to the target’s desired location, the QR code leads them to the threat actor’s phishing page.
The_actions_against_the_Qakbot_botnet
MEDIUM
+
—
—
- Intel Source:
- Secureworks
- Intel Name:
- The_actions_against_the_Qakbot_botnet
- Date of Scan:
- 2023-08-30
- Impact:
- MEDIUM
- Summary:
- On August 29, 2023, U.S. law enforcement started a national operation for a that disruptionof the Qakbot botnet (also known as Qbot) and associated infrastructure. Secureworks Counter Threat Unit researchers have observed and monitored for a long time this botnet and detected the disruption activity on August 25. The initial access vector for these intrusions was a phishing email. Qakbot was one of the top malware threats, used by cybercriminals to deliver other malware such as Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. The botnet was lucrative for the GOLD LAGOON threat group, which has operated the Qakbot malware since 2007. The threat actors reportedly received approximately $58 million in ransom payments between October 2021 and April 2023.
Source:
https://www.secureworks.com/blog/qakbot-campaign-delivered-black-basta-ransomware
The_exploition_of_Kinsing_Malware
LOW
+
—
—
- Intel Source:
- Aquasec
- Intel Name:
- The_exploition_of_Kinsing_Malware
- Date of Scan:
- 2023-08-30
- Impact:
- LOW
- Summary:
- Aqua Nautilus observed a new malware campaign that exploits the Openfire vulnerability (CVE-2023-32315) which deploys Kinsing malware and a cryptominer. This vulnerability leads to a path traversal attack, which grants an unauthenticated user access to the Openfire setup environment. This then allows the threat actor to create a new admin user and upload malicious plugins. Eventually the attacker can gain full control over the server.
Source:
https://blog.aquasec.com/kinsing-malware-exploits-novel-openfire-vulnerability
Target_on_Citrix_NetScaler_systems_in_massive_attacks
MEDIUM
+
—
—
- Intel Source:
- Security Affairs
- Intel Name:
- Target_on_Citrix_NetScaler_systems_in_massive_attacks
- Date of Scan:
- 2023-08-29
- Impact:
- MEDIUM
- Summary:
- Sophos X-Ops has tracked an ongoing campaign, which is targeting Citrix NetScaler systems, conducted by threat actors linked to the FIN8 group. The hackers are exploiting the remote code execution, tracked as CVE-2023-3519, in a large-scale campaign. The flaw CVE-2023-3519 (CVSS score: 9.8) is a code injection that could result in unauthenticated remote code execution.
Source:
https://securityaffairs.com/150028/hacking/fin8-citrix-netscaler.html?amp=1
Hackers_Targeting_Unpatched_Citrix_and_NetScaler_Systems
LOW
+
—
—
- Intel Source:
- Sophos
- Intel Name:
- Hackers_Targeting_Unpatched_Citrix_and_NetScaler_Systems
- Date of Scan:
- 2023-08-29
- Impact:
- LOW
- Summary:
-
A campaign by threat actors to target unpatched Citrix and NetScaler systems that are online is being monitored by Sophos X-Ops at the moment. The data shows a considerable similarity between CVE-2023-3519-based attacks that deliver malware and webshells and earlier attempts that used a lot of the same TTPs.
IOC link: https://github.com/sophoslabs/IoCs/blob/master/2023-08-25%20Citrix%20CVE-2023-3519%20attacks.csv
Source:
https://infosec.exchange/@SophosXOps/110951651051968204
NPM_Package_Masquerading
LOW
+
—
—
- Intel Source:
- Phylum
- Intel Name:
- NPM_Package_Masquerading
- Date of Scan:
- 2023-08-29
- Impact:
- LOW
- Summary:
- On August 24th 2023,, Phylum’s detection system observed a suspicious package published to npm called “emails-helper.” After investigating it, it was determined that this package was part of an sophisticated attack involving Base64-encoded and encrypted binaries. The scheme delivers encryption keys from a DNS TXT record hosted on a remote server. Additionally, a hex-encoded URL is retrieved from this remote server and then passed to the spawned binaries. The outcome of it is the deployment of powerful penetration testing tools such as dnscat2, mettle, and Cobalt Strike Beacon.
Source:
https://blog.phylum.io/npm-emails-validator-package-malware/
Embedding_a_malicious_Word_file_into_a_PDF_file
LOW
+
—
—
- Intel Source:
- JPCERT
- Intel Name:
- Embedding_a_malicious_Word_file_into_a_PDF_file
- Date of Scan:
- 2023-08-29
- Impact:
- LOW
- Summary:
- JPCERT/CC has discovered a new technique was used in a July attack, which bypassed detection by embedding a malicious Word file into a PDF file. They described in their blog the technique “MalDoc in PDF” and explained the details of and countermeasures against it.
Source:
https://blogs.jpcert.or.jp/en/2023/08/maldocinpdf.html
DarkGate_Malware_Activity_Spikes
LOW
+
—
—
- Intel Source:
- Telekom Security
- Intel Name:
- DarkGate_Malware_Activity_Spikes
- Date of Scan:
- 2023-08-29
- Impact:
- LOW
- Summary:
- Telekom security researchers have identified that a new malspam campaign was observed deploying an off-the-shelf malware called DarkGate. The current spike in DarkGate malware activity is plausible given the fact that the developer of the malware has recently started to rent out the malware to a limited number of affiliates.
Source:
https://github.security.telekom.com/2023/08/darkgate-loader.html
An_increase_in_MacOS_malware_detections
LOW
+
—
—
- Intel Source:
- Ironnet
- Intel Name:
- An_increase_in_MacOS_malware_detections
- Date of Scan:
- 2023-08-28
- Impact:
- LOW
- Summary:
- IronNet has observed an increase in MacOS malware within IronDome’s Education sector over the past couple of weeks. Their analysts investigated into these incidents found these infections were originating from already-infected personal devices that were brought into education networks, with the majority of these occurring at higher education institutions.
Source:
https://www.ironnet.com/blog/back-to-school-reminder-keep-your-macs-clean
Emails_Containing_BAT_Files_in_BZIP_GZIP_and_RAR_Archives
MEDIUM
+
—
—
- Intel Source:
- CERT-UA
- Intel Name:
- Emails_Containing_BAT_Files_in_BZIP_GZIP_and_RAR_Archives
- Date of Scan:
- 2023-08-28
- Impact:
- MEDIUM
- Summary:
- The distribution of emails with attachments in the form of BZIP, GZIP, and RAR archives containing BAT files made with the aid of the ScrubCrypt cryptor (price – from USD 249), the launch of which will guarantee that the computer is affected by the malicious program AsyncRAT, has been observed by CERT-UA researchers.
In_Depth_Analysis_of_ADHUBLLKA_Ransomware_Family
LOW
+
—
—
- Intel Source:
- Netenrich
- Intel Name:
- In_Depth_Analysis_of_ADHUBLLKA_Ransomware_Family
- Date of Scan:
- 2023-08-28
- Impact:
- LOW
- Summary:
- Researchers at Netenrich examined the Adhubllka ransomware, which is targeting regular people and small businesses with ransoms ranging from $800 to $1,600 since at least January 2020.
Source:
https://netenrich.com/blog/discovering-the-adhubllka-ransomware-family
DreamBus_Botnet_comes_back
LOW
+
—
—
- Intel Source:
- Juniper
- Intel Name:
- DreamBus_Botnet_comes_back
- Date of Scan:
- 2023-08-28
- Impact:
- LOW
- Summary:
- Juniper Threat Labs reserachers has observed multiple attacks where threat actors used a vulnerability affecting RocketMQ servers (CVE-2023-33246) to infiltrate systems and install the malicious DreamBus bot, a malware strain last seen in 2021. This vulnerability opened the door for hackers to exploit the RocketMQ platform, leading to a series of attacks. Juniper analysts shared the details in their blog of the attacks and the bot.
IoT_Targeting_Malware_Expands_Threat_Landscape
LOW
+
—
—
- Intel Source:
- Akamai
- Intel Name:
- IoT_Targeting_Malware_Expands_Threat_Landscape
- Date of Scan:
- 2023-08-28
- Impact:
- LOW
- Summary:
- The Akamai Security Intelligence Response Team (SIRT) has identified a concerning evolution in the KmsdBot malware campaign. The newly discovered Kmsdx binary marks a significant update, now focusing on targeting Internet of Things (IoT) devices. This version of the malware incorporates telnet scanning capabilities and supports a wider range of CPU architectures, expanding its attack potential. The update underscores the ongoing threat posed by vulnerable IoT devices and reinforces the critical need for continuous security measures and updates. KmsdBot’s scope encompasses private gaming servers, cloud hosting providers, and specific government and educational sites, suggesting a persistent concern for IoT security in a rapidly evolving threat landscape.
Source:
https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot
Widespread_Ransomware_is_Caused_by_HTML_Smuggling
LOW
+
—
—
- Intel Source:
- DFIR Report
- Intel Name:
- Widespread_Ransomware_is_Caused_by_HTML_Smuggling
- Date of Scan:
- 2023-08-28
- Impact:
- LOW
- Summary:
- Researchers from the DFIR report have noted that the threat actor behind the Nokoyawa Ransomware only deployed the final ransomware 12 hours after the initial intrusion. In November 2022, this threat actor used HTML smuggling to send businesses a password-protected ZIP file. An ISO file that distributed IcedID, which then used Cobalt Strike and finally Nokoyawa ransomware, was contained in the password-protected ZIP file.
Source:
https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
Case_Studies_of_MS_SQL_Server_Proxyjacking
MEDIUM
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Case_Studies_of_MS_SQL_Server_Proxyjacking
- Date of Scan:
- 2023-08-28
- Impact:
- MEDIUM
- Summary:
- Poorly managed MS-SQL servers have been the subject of proxyjacking attacks, according to ASEC experts. One of the primary attack methods for Windows systems is to employ publicly accessible MS-SQL servers with easy-to-guess passwords. Threat actors frequently attempt to obtain access to poorly maintained MS-SQL servers via brute force or dictionary assaults. If successful, they infect the system with malware.
Recent_activity_of_Scattered_Spider_threat_group
MEDIUM
+
—
—
- Intel Source:
- Trellix
- Intel Name:
- Recent_activity_of_Scattered_Spider_threat_group
- Date of Scan:
- 2023-08-26
- Impact:
- MEDIUM
- Summary:
- Trellix researchers in their blog describe the details of the modus operandi of Scattered Spider; their recent events and tools leveraged by tthem, vulnerabilities exploited, and their impact. It also indicates that this group has started targeting other sectors, including critical infrastructure organizations. Scattered Spider is known for theft of sensitive data and leveraging trusted organizational infrastructure for follow-on attacks on downstream customers.
The_Constant_Threat_Posed_by_Remcos_RAT
LOW
+
—
—
- Intel Source:
- Cyfirma
- Intel Name:
- The_Constant_Threat_Posed_by_Remcos_RAT
- Date of Scan:
- 2023-08-25
- Impact:
- LOW
- Summary:
- Researchers from Cyfirma have examined an ongoing operation run by the Remcos Remote Access Trojan (RAT). The analysis reveals a highly developed threat ecosystem that makes use of a number of strategies, including malicious IP addresses, covert payloads, and complex functions that infect systems and acquire sensitive data.
Source:
https://www.cyfirma.com/outofband/the-persistent-danger-of-remcos-rat/
A_Chinese_threat_actor_group_Flax_Typhoon_access_Taiwanese_organizations
LOW
+
—
—
- Intel Source:
- Microsoft
- Intel Name:
- A_Chinese_threat_actor_group_Flax_Typhoon_access_Taiwanese_organizations
- Date of Scan:
- 2023-08-25
- Impact:
- LOW
- Summary:
- Microsoft has detected a pattern of malicious activity affecting organizations in Taiwan using techniques that could be easily reused in other operations everywhere else. Microsoft assignes this campaign to Flax Typhoon (overlaps with ETHEREAL PANDA), a nation-state actor based out of China. Flax Typhoon’s observed behavior tells the threat actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible.
The_Investigation_of_RedLine_Stealer_Spam_Campaign
LOW
+
—
—
- Intel Source:
- Eclecticiq
- Intel Name:
- The_Investigation_of_RedLine_Stealer_Spam_Campaign
- Date of Scan:
- 2023-08-25
- Impact:
- LOW
- Summary:
- EclecticIQ researchers have gathered samples from a RedLine stealer spam campaign that ran between April and August 2023. The campaign was successful by distributing command and control among recently created domains hosted on IP addresses with reliable traffic, and Redline developers provide minor iterations to previous variants.
Source:
https://blog.eclecticiq.com/redline-stealer-variants-demonstrate-a-low-barrier-to-entry-threat
Lazarus_Group_Exploits_ManageEngine_Flaw_to_Launch_QuiteRAT
HIGH
+
—
—
- Intel Source:
- Talos
- Intel Name:
- Lazarus_Group_Exploits_ManageEngine_Flaw_to_Launch_QuiteRAT
- Date of Scan:
- 2023-08-25
- Impact:
- HIGH
- Summary:
- Researchers from Cisco Talos have identified the Lazarus Group as a state-sponsored actor operating against European and American healthcare organizations and internet backbone infrastructure. This is the third known effort that this actor is responsible for in less than a year, and they have all utilized the same infrastructure.
Source:
https://blog.talosintelligence.com/lazarus-quiterat/
Smoke_Loader_Dropping_Geolocation_Malware_And_Flimsy_Recon_WiFi_Scanning_Software
LOW
+
—
—
- Intel Source:
- Secureworks
- Intel Name:
- Smoke_Loader_Dropping_Geolocation_Malware_And_Flimsy_Recon_WiFi_Scanning_Software
- Date of Scan:
- 2023-08-25
- Impact:
- LOW
- Summary:
- Researchers from Secureworks have seen the Smoke Loader botnet deliver a specific Wi-Fi scanning program to compromised systems. This trojan was given the name Whiffy Recon. With the help of adjacent Wi-Fi access points as a source of information, it triangulates the coordinates of the infected PCs using Google’s geolocation API.
Lazarus_Group_new_threat_CollectionRAT
HIGH
+
—
—
- Intel Source:
- Talos
- Intel Name:
- Lazarus_Group_new_threat_CollectionRAT
- Date of Scan:
- 2023-08-25
- Impact:
- HIGH
- Summary:
- Researchers from Cisco Talos have discovered another Lazarus Group’s new threat called “CollectionRAT”. CollectionRAT has standard remote access trojan (RAT) capabilities, including the ability to run arbitrary commands on an infected system. Cisco Talos analysts made analysis on it and came to the conclusion that CollectionRAT appears to be connected to Jupiter/EarlyRAT, another malware family Kaspersky recently wrote about and attributed to Andariel, a subgroup within the Lazarus Group umbrella of threat actors.
Source:
https://blog.talosintelligence.com/lazarus-collectionrat/
New_Info_Stealer_Family_Named_Agniane
LOW
+
—
—
- Intel Source:
- Zscaler
- Intel Name:
- New_Info_Stealer_Family_Named_Agniane
- Date of Scan:
- 2023-08-24
- Impact:
- LOW
- Summary:
- Agniane Stealer is a novel information stealer family discovered by Zscaler researchers. This malware takes credentials, system data, and session information from browsers, tokens, and file transfer tools. When Agniane Stealer acquires sensitive data, it passes it to command-and-control servers, where threat actors can act on the stolen information.
Source:
https://www.zscaler.com/blogs/security-research/agniane-stealer-dark-webs-crypto-threat
Evolution_of_Ransomware_Linux_and_ESXi_Focused_Threats
LOW
+
—
—
- Intel Source:
- Sentinelone
- Intel Name:
- Evolution_of_Ransomware_Linux_and_ESXi_Focused_Threats
- Date of Scan:
- 2023-08-24
- Impact:
- LOW
- Summary:
- SentinelOne researchers have observed that Ransomware tactics have evolved, with attackers now targeting Linux and VMWare ESXi platforms alongside Windows. This article explores recent ransomware families like MONTI Locker, Akira Ransomware, Trigona Linux Locker, and Abyss Locker. These threats exhibit cross-platform capabilities and strategic code reuse.
Raccoon_Stealer_Returns_with_New_Version
LOW
+
—
—
- Intel Source:
- SOC Radar
- Intel Name:
- Raccoon_Stealer_Returns_with_New_Version
- Date of Scan:
- 2023-08-24
- Impact:
- LOW
- Summary:
- SOC Radar researchers have discovered that the creators of the data-stealing malware Raccoon Stealer have ended their six-month online silence. They are currently encouraging potential hackers to use the updated 2.3.0 malware (2.3.0.1 since August 15, 2023) version.
Source:
https://socradar.io/raccoon-stealer-resurfaces-with-new-enhancements/
Technical_Analysis_of_XWorm_Malware
LOW
+
—
—
- Intel Source:
- Any.Run
- Intel Name:
- Technical_Analysis_of_XWorm_Malware
- Date of Scan:
- 2023-08-24
- Impact:
- LOW
- Summary:
- AnyRun researchers have seen the latest version of an XWorm sample — a widespread malicious program that is advertised for sale on underground forums.
Source:
https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/
New_Threat_Coverage_Akira_8Base_and_Rorschach
MEDIUM
+
—
—
- Intel Source:
- Safebreach
- Intel Name:
- New_Threat_Coverage_Akira_8Base_and_Rorschach
- Date of Scan:
- 2023-08-24
- Impact:
- MEDIUM
- Summary:
- Safebreach researchers have observed that the Hacker’s Playbook Threat Coverage round-up unveils added coverage for recently identified ransomware and malware variants, including Akira ransomware, 8Base ransomware, Rorschach (BabLock) ransomware, and others. SafeBreach customers can now simulate and assess their defenses against these evolving threats using the SafeBreach Hacker’s Playbook™.
Source:
https://www.safebreach.com/resources/akira-ransomware-8base-threat-coverage/
Evolving_Malvertising_Tactics_advanced_Cloaking_Strategies
LOW
+
—
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Evolving_Malvertising_Tactics_advanced_Cloaking_Strategies
- Date of Scan:
- 2023-08-24
- Impact:
- LOW
- Summary:
- Malvertising campaigns are evolving with the adoption of advanced cloaking techniques that hinder detection and response. This article explores a recent malvertising chain that employs intricate fingerprinting, using encoded JavaScript, to assess visitor legitimacy. This escalating cyber battle underscores the challenges faced by defenders in countering these deceptive tactics
AI_Hype_Abused_in_Malicious_Facebook_Ads
LOW
+
—
—
- Intel Source:
- Trendmicro
- Intel Name:
- AI_Hype_Abused_in_Malicious_Facebook_Ads
- Date of Scan:
- 2023-08-23
- Impact:
- LOW
- Summary:
- Trendmicro researchers have identified Cybercriminals are capitalizing on the excitement surrounding Artificial Intelligence (AI) advancements through deceptive Facebook ads. These ads promise AI-powered advantages but instead distribute a malicious browser add-on that aims to steal victims’ credentials. By exploiting AI enthusiasm, attackers are using URL shorteners and cloud storage to spread their harmful payload.
Dropping_AgentTesla_Exotic_Excel_Files
LOW
+
—
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Dropping_AgentTesla_Exotic_Excel_Files
- Date of Scan:
- 2023-08-23
- Impact:
- LOW
- Summary:
- SANS researchers discovered that attackers prefer to employ more unusual extensions to boost their chances of escaping simple and foolish mail gateway regulations. This time, the extension “.xlam” was used.It discovered multiple emails that sent.xlam files to potential victims.
Source:
https://isc.sans.edu/diary/More+Exotic+Excel+Files+Dropping+AgentTesla/30150/
Spacecolon_Deploy_Scarab_Ransomware_on_Vulnerable_Servers
LOW
+
—
—
- Intel Source:
- Welivesecurity
- Intel Name:
- Spacecolon_Deploy_Scarab_Ransomware_on_Vulnerable_Servers
- Date of Scan:
- 2023-08-23
- Impact:
- LOW
- Summary:
- ESET researchers examined the Spacecolon, a modest toolset used to distribute Scarab ransomware versions to victims all around the world. It is most likely introduced into victim organisations by its operators exploiting insecure web servers or brute-forcing RDP credentials.
Source:
https://www.welivesecurity.com/en/eset-research/scarabs-colon-izing-vulnerable-servers/
APT_Attack_Patterns_Targeting_Web_Services_of_Korean_Corporations
MEDIUM
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- APT_Attack_Patterns_Targeting_Web_Services_of_Korean_Corporations
- Date of Scan:
- 2023-08-22
- Impact:
- MEDIUM
- Summary:
- ASEC reserachers has discovered the APT attacks on Korean corporate web servers. The attackers exploit vulnerabilities to infiltrate and execute malicious actions. The report covers attack techniques such as privilege escalation, credential theft, and remote control using tools like Mimikatz, Potato, and NetCat. The attackers’ objectives appear to evolve from ad insertion to potentially deploying ransomware.
CraxsRAT_and_CypherRAT_Created_by_EVLF_DEV
LOW
+
—
—
- Intel Source:
- Cyfirma
- Intel Name:
- CraxsRAT_and_CypherRAT_Created_by_EVLF_DEV
- Date of Scan:
- 2023-08-22
- Impact:
- LOW
- Summary:
- The CYFIRMA research team has identified a new Malware-as-a-Service (MaaS) operator known as EVLF DEV. This threat actor is responsible for the development of CypherRAT and CraxsRAT, which have been purchased on a lifetime licence by over 100 different threat actors in the previous three years.
Source:
https://www.cyfirma.com/outofband/unmasking-evlf-dev-the-creator-of-cypherrat-and-craxsrat/
Chinese_APT_Targeting_Hong_Kong_in_Supply_Chain_Attack
LOW
+
—
—
- Intel Source:
- Symantec
- Intel Name:
- Chinese_APT_Targeting_Hong_Kong_in_Supply_Chain_Attack
- Date of Scan:
- 2023-08-22
- Impact:
- LOW
- Summary:
- Symantec researchers have identified that an emerging China-backed advanced persistent threat group targeted organizations in Hong Kong in a supply chain attack that leveraged legitimate software to deploy the PlugX/Korplug backdoor.
New_Variant_of_XLoader_macOS_Malware
LOW
+
—
—
- Intel Source:
- Sentinelone
- Intel Name:
- New_Variant_of_XLoader_macOS_Malware
- Date of Scan:
- 2023-08-22
- Impact:
- LOW
- Summary:
- SentinelOne researchers have observed that a new variant of an Apple macOS malware called XLoader has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called OfficeNote.
The_WoofLocker_Tech_Support_Campaign_is_Back
LOW
+
—
—
- Intel Source:
- Malwarebytes
- Intel Name:
- The_WoofLocker_Tech_Support_Campaign_is_Back
- Date of Scan:
- 2023-08-21
- Impact:
- LOW
- Summary:
- Malwarebytes researchers have discovered that the WoofLocker tech support scam scheme has returned. The tactics and procedures are fairly similar, but the infrastructure has been strengthened to withstand future takedown attempts.
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/08/wooflocker2
System_BCMalware_Activity
LOW
+
—
—
- Intel Source:
- ISC.SANS
- Intel Name:
- System_BCMalware_Activity
- Date of Scan:
- 2023-08-21
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed the captured request: /systembc/password.php. According to some references, this is likely the SystemBC Remote Access Trojan (RAT), all 4 IPs are part of the Digital Ocean ASN and only one has been reported as likely malicious.
Source:
https://isc.sans.edu/diary/SystemBC+Malware+Activity/30138/
Diving_Deep_into_Darkrace_Ransomware
LOW
+
—
—
- Intel Source:
- QuickHeal
- Intel Name:
- Diving_Deep_into_Darkrace_Ransomware
- Date of Scan:
- 2023-08-18
- Impact:
- LOW
- Summary:
- The incorporation of Lockbit’s strategies into DarkRace demonstrates how cybercriminals are utilizing tried-and-true techniques to strengthen their attacks and increase damage. Combining these strategies could increase infections, compromise data, and escalate ransom demands.
Source:
https://blogs.quickheal.com/darkrace-ransomware-a-deep-dive-into-its-techniques-and-impact/
Mallox_Ransomware_Targeting_Unprotected_Microsoft_SQL_Servers
MEDIUM
+
—
—
- Intel Source:
- QuickHeal
- Intel Name:
- Mallox_Ransomware_Targeting_Unprotected_Microsoft_SQL_Servers
- Date of Scan:
- 2023-08-18
- Impact:
- MEDIUM
- Summary:
- Researchers from QuickHeal have discovered that the Mallox (also known as TargetCompany) ransomware is presently using unprotected Microsoft SQL Servers as an attack vector to enter victims’ systems and spread itself.
Source:
https://blogs.quickheal.com/mallox-ransomware-strikes-unsecured-mssql-servers/
NoCry_and_Trash_Panda_Ransomware
LOW
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- NoCry_and_Trash_Panda_Ransomware
- Date of Scan:
- 2023-08-18
- Impact:
- LOW
- Summary:
- Researchers from Fortinet looked into Trash Panda and a fresh, tiny NoCry ransomware strain. Windows-based malware called Trash Panda was initially discovered in the first few days of August. On infected computers, it encrypts files, changes the desktop background, and drops a ransom note with political statements. The Windows platform ransomware known as NoCry was first identified in April 2021. The creators of the NoCry ransomware produce variations that are then offered for sale on the group’s Telegram channel.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-trash-panda-and-nocry-variant
New_Tool_Deployed_by_Cuba_Ransomware
MEDIUM
+
—
—
- Intel Source:
- Blackberry
- Intel Name:
- New_Tool_Deployed_by_Cuba_Ransomware
- Date of Scan:
- 2023-08-18
- Impact:
- MEDIUM
- Summary:
- BlackBerry researchers have discovered and documented new tools used by the Cuba ransomware threat group. It is currently in the fourth year of its operation and shows no sign of slowing down. In the first half of 2023 alone, the operators behind Cuba ransomware were the perpetrators of several high-profile attacks across disparate industries.
HiatusRAT_Returns_To_Action_After_A_Short_Break
LOW
+
—
—
- Intel Source:
- Lumen
- Intel Name:
- HiatusRAT_Returns_To_Action_After_A_Short_Break
- Date of Scan:
- 2023-08-18
- Impact:
- LOW
- Summary:
- Lumen researchers have continued to track threat actor resulting in new malware samples and infrastructure associated with the HiatusRAT cluster. In the latest campaign, they observed a shift in reconnaissance and targeting activity.
StealC_Delivering_via_Deceptive_Google_Sheets
MEDIUM
+
—
—
- Intel Source:
- eSentire
- Intel Name:
- StealC_Delivering_via_Deceptive_Google_Sheets
- Date of Scan:
- 2023-08-18
- Impact:
- MEDIUM
- Summary:
- Researchers at Esentire have discovered that a malicious advertisement that the user saw while trying to download Google Sheets was the infection’s point of origin. This advertisement sent the visitor to a malicious website that contained a downloader for the malware StealC infostealer.
Source:
https://www.esentire.com/blog/stealc-delivered-via-deceptive-google-sheets
From_a_Zalando_Phishing_to_a_RAT
LOW
+
—
—
- Intel Source:
- ISC.SANS
- Intel Name:
- From_a_Zalando_Phishing_to_a_RAT
- Date of Scan:
- 2023-08-18
- Impact:
- LOW
- Summary:
- ISC.SANS researchers have seen a bunch of phishing emails targeting Zalando customers.
Source:
https://isc.sans.edu/diary/From+a+Zalando+Phishing+to+a+RAT/30136/
Gozi_Malware_Launches_Another_Attack
LOW
+
—
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- Gozi_Malware_Launches_Another_Attack
- Date of Scan:
- 2023-08-17
- Impact:
- LOW
- Summary:
- Researchers at IBM Security Intelligence have noticed that the Gozi malware has returned and is now focusing on cryptocurrency platforms, banks, and other financial institutions.
Source:
https://securityintelligence.com/posts/gozi-strikes-again-targeting-banks-cryptocurrency-and-more/
Malicious_Campaign_Targeting_GitLab
LOW
+
—
—
- Intel Source:
- Sysdig
- Intel Name:
- Malicious_Campaign_Targeting_GitLab
- Date of Scan:
- 2023-08-17
- Impact:
- LOW
- Summary:
- The Sysdig Threat Research Team have discovered a new, financially motivated operation, dubbed LABRAT. This operation set itself apart from others due to the attacker’s emphasis on stealth and defense evasion in their attacks.
Source:
https://sysdig.com/blog/labrat-cryptojacking-proxyjacking-campaign/
Massive_phishing_campaign_targets_energy_sector
MEDIUM
+
—
—
- Intel Source:
- Security Affairs
- Intel Name:
- Massive_phishing_campaign_targets_energy_sector
- Date of Scan:
- 2023-08-17
- Impact:
- MEDIUM
- Summary:
- Starting this May 2023, researchers from Cofense have observed a massive phishing campaign using QR codes in attacks to steal the Microsoft credentials of users from multiple industries. One of the organizations targeted by hackers is a notable energy company in the US.
Source:
https://securityaffairs.com/149567/hacking/phishing-campaign-qr-codes.html?amp=1
A_new_phishing_campaign_targeting_Zimbra_users
LOW
+
—
—
- Intel Source:
- Welivesecurity
- Intel Name:
- A_new_phishing_campaign_targeting_Zimbra_users
- Date of Scan:
- 2023-08-17
- Impact:
- LOW
- Summary:
- ESET researchers have uncovered a mass-spreading phishing campaign, aimed at collecting Zimbra account users’ credentials, active since at least April 2023 and still ongoing. Zimbra Collaboration is an open-core collaborative software platform, a popular alternative to enterprise email solutions. The campaign is mass-spreading; its targets are a variety of small and medium businesses and governmental entities. According to ESET telemetry, the greatest number of targets are located in Poland, followed by Ecuador and Italy. To date, we have not attributed this campaign to any known threat actors.
Source:
https://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/
Hakuna_Matata_ransomware
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Hakuna_Matata_ransomware
- Date of Scan:
- 2023-08-16
- Impact:
- LOW
- Summary:
- Recently, ASEC reserachers has discovered the Hakuna Matata ransomware is used to attack Korean companies. Hakuna Matata is a recent ransomware and it was first time identified in July, 2023 on Twitter. Later this month, a post of a threat actor using Hakuna Matata on the dark web was shared on Twitter as well. Also to be mentined by researchers that the ransomware strains uploaded on VirusTotal, the file uploaded on July 2nd, 2023 is confirmed to be the first case.
Raccoon_Stealer_Malware_Returns
LOW
+
—
—
- Intel Source:
- Cyberint
- Intel Name:
- Raccoon_Stealer_Malware_Returns
- Date of Scan:
- 2023-08-16
- Impact:
- LOW
- Summary:
- Cyberint researchers have seen that the developers of Raccoon Stealer information-stealing malware have ended their 6-month hiatus from hacker forums to promote a new 2.3.0 version of the malware to cyber criminals. It is one of the most well-known and widely used information-stealing malware families, having been around since 2019, sold via a subscription model for $200/month to threat actors.
Source:
https://cyberint.com/blog/financial-services/raccoon-stealer/
The_rise_of_LLM_engines_WormGPT_and_FraudGPT
LOW
+
—
—
- Intel Source:
- Trustwave
- Intel Name:
- The_rise_of_LLM_engines_WormGPT_and_FraudGPT
- Date of Scan:
- 2023-08-16
- Impact:
- LOW
- Summary:
- Trustwave researchers discussed in their blog two such LLM engines that were up for sale available on underground forums, WormGPT and FraudGPT. If criminals would get their own ChatGPT-like tool, the implications for cybersecurity, social engineering, and overall digital safety could be so damagimg. This prospect highlights the importance of staying vigilant in our efforts to secure, and responsibly develop, artificial intelligence technology in order to mitigate potential risks and safeguard against misuse.
Source:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/wormgpt-and-fraudgpt-the-rise-of-malicious-llms/
https://netenrich.com/blog/fraudgpt-the-villain-avatar-of-chatgpt
QwixxRAT_aka_Telegram_RAT
LOW
+
—
—
- Intel Source:
- Uptycs
- Intel Name:
- QwixxRAT_aka_Telegram_RAT
- Date of Scan:
- 2023-08-16
- Impact:
- LOW
- Summary:
- The Uptycs researchers discovered QwixxRAT (aka Telegram RAT) in early August 2023. The threat actor is widely distributing their malicious tool through Telegram and Discord platforms. Once installed on the victim’s Windows platform machines, the RAT stealthily collects sensitive data, which is then sent to the attacker’s Telegram bot, providing them with unauthorized access to the victim’s sensitive information.
Source:
https://www.uptycs.com/blog/remote-access-trojan-qwixx-telegram
Phishing_Campaign_Steals_Cloud_Credentials
MEDIUM
+
—
—
- Intel Source:
- Netscope
- Intel Name:
- Phishing_Campaign_Steals_Cloud_Credentials
- Date of Scan:
- 2023-08-16
- Impact:
- MEDIUM
- Summary:
- Last couple months Netskope Threat Labs analysts has been monitoring a staggering 61-fold increase in traffic to phishing pages hosted in Cloudflare R2. The most of the phishing campaigns target Microsoft login credentials, although there are some pages targeting Adobe, Dropbox, and other cloud apps. The attacks have been targeting victims mainly in North America and Asia, across different segments, led by the technology, financial services, and banking sectors.
Amadey_Bot_leveraged_by_LummaC_Stealer_to_Deploy_SectopRAT
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Amadey_Bot_leveraged_by_LummaC_Stealer_to_Deploy_SectopRAT
- Date of Scan:
- 2023-08-16
- Impact:
- LOW
- Summary:
- Cyble reserachers has recently come across a novel approach for spreading SectopRAT. This technique entails delivering the SectopRAT payload by utilizing the Amadey bot malware, which is retrieved from the LummaC stealer.
Source:
https://cyble.com/blog/lummac-stealer-leveraging-amadey-bot-to-deploy-sectoprat/
The_Shadow_Nexus_of_Malware_and_Proxy_Application
MEDIUM
+
—
—
- Intel Source:
- AT&T
- Intel Name:
- The_Shadow_Nexus_of_Malware_and_Proxy_Application
- Date of Scan:
- 2023-08-16
- Impact:
- MEDIUM
- Summary:
- Researchers from AT&T Alien Labs found a significant campaign of attacks distributing a proxy server application on Windows computers. Additionally, a proxy service provider was found, whose proxy requests are forwarded through hacked systems that have been turned into residential exit nodes by malware invasion.
The_malware_campaigns_use_a_variety_of_programming_languages
LOW
+
—
—
- Intel Source:
- HP ThreatResearch
- Intel Name:
- The_malware_campaigns_use_a_variety_of_programming_languages
- Date of Scan:
- 2023-08-15
- Impact:
- LOW
- Summary:
- Last couple months, HP ThreatResrearch team have noticed a surge of finance-themed malicious spam campaigns spreading malware through batch scripts (.bat). The campaigns use a wide variety of programming languages to achieve different objectives within the infection chain – from batch scripts, PowerShell, Go, shellcode to .NET.
Source:
https://threatresearch.ext.hp.com/do-you-speak-multiple-languages-malware-does/
Continues_OSS_Supply_Chain_Attacks_Hidden_in_the_Python_Package
LOW
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- Continues_OSS_Supply_Chain_Attacks_Hidden_in_the_Python_Package
- Date of Scan:
- 2023-08-15
- Impact:
- LOW
- Summary:
- Python Package Index (PyPI) packages have become a common thing for threat actors to post malware that unsuspecting victims possible download. The FortiGuard Labs analysts has been monitoring that activity attack vector for some time and posted the update of the zero-day attacks they have discovered. Recently, they discovered several new zero-day PyPI attacks using this AI engine assistant.
Source:
https://www.fortinet.com/blog/threat-research/continued-oss-supply-chain-attacks-hidden-in-pypi
NetSupportRAT_exploring_new_techniques
LOW
+
—
—
- Intel Source:
- Trellix
- Intel Name:
- NetSupportRAT_exploring_new_techniques
- Date of Scan:
- 2023-08-15
- Impact:
- LOW
- Summary:
- Trellix researchers observed a new campaign using fake Chrome browser updates to trick victims to install a remote administration software tool called NetSupport Manager. The threat actors take advantage of this software to steal information and take control of victim computers. The detected campaign has similarity with previously reported SocGholish campaign, which was run by a suspected Russian threat actor.
Stealthy_Malicious_MSI_Loader
LOW
+
—
—
- Intel Source:
- Cyfirma
- Intel Name:
- Stealthy_Malicious_MSI_Loader
- Date of Scan:
- 2023-08-15
- Impact:
- LOW
- Summary:
- The Cyfirma reserachers has observed a disguised Stealthy MSI Loader being advertised in dark web forums by Russian threat actor, showcasing it has a potential ability to evade detection by both Virus Total scan and Windows Defender. Additionally, through the researchers’s investigation, it was established a link between this MSI Loader and the BatLoader campaign observed in March 2023, highlighting potential coordination between these threats.
New_Magento_Campaign_Discovered_called_Xurum
LOW
+
—
—
- Intel Source:
- Akamai
- Intel Name:
- New_Magento_Campaign_Discovered_called_Xurum
- Date of Scan:
- 2023-08-14
- Impact:
- LOW
- Summary:
- Over the past few months, Akamai has been closely monitoring a focused campaign that specifically targets a relatively small number of Magento deployments. They dubbed the campaign Xurum to reference the domain name of the C2 server utilized by the attacker.
Source:
https://www.akamai.com/blog/security-research/new-sophisticated-magento-campaign-xurum-webshell#:~:text=Akamai%20researchers%20have%20discovered%20an%20ongoing%20server-side%20template
of%20the%20attacker%E2%80%99s%20command%20and%20control%20%28C2%29%20server.
Unraveling_a_New_Threat_Targeting_LATAM_FinTech_Users
MEDIUM
+
—
—
- Intel Source:
- Zscaler
- Intel Name:
- Unraveling_a_New_Threat_Targeting_LATAM_FinTech_Users
- Date of Scan:
- 2023-08-14
- Impact:
- MEDIUM
- Summary:
- JanelaRAT, a newly discovered cyber threat, has been unveiled by Zscaler ThreatLabz. Primarily focused on the Latin American (LATAM) financial sector, this sophisticated malware employs advanced techniques including DLL side-loading and dynamic command and control infrastructure. With capabilities ranging from evasive maneuvers to self-defense mechanisms, the threat aims to compromise sensitive financial data. The malware’s origins are suggested by Portuguese strings in its code and a Portuguese-speaking developer, highlighting its targeted region and intentions.
Monti_Ransomware_Group_Resumes_Attacks_with_New_Linux_Variant
MEDIUM
+
—
—
- Intel Source:
- Trendmicro
- Intel Name:
- Monti_Ransomware_Group_Resumes_Attacks_with_New_Linux_Variant
- Date of Scan:
- 2023-08-14
- Impact:
- MEDIUM
- Summary:
- Trend Micro researchers observe the Monti ransomware group, resembling Conti, resumes attacks on legal and government sectors with a fresh Linux variant. Unlike previous versions, this variant modifies encryption methods, uses an infection marker, and alters system files.
Phishing_Attack_Targeting_Government_Agencies
MEDIUM
+
—
—
- Intel Source:
- CERT UA
- Intel Name:
- Phishing_Attack_Targeting_Government_Agencies
- Date of Scan:
- 2023-08-14
- Impact:
- MEDIUM
- Summary:
- CERT-UA has identified a phishing attack on government agencies involving fraudulent emails from CERT-UA urging password change through a malicious link. The attackers imitate Roundcube’s interface and use a deceptive subdomain
Updates_on_SEASPY_and_WHIRLPOOL_Backdoors
MEDIUM
+
—
—
- Intel Source:
- CISA
- Intel Name:
- Updates_on_SEASPY_and_WHIRLPOOL_Backdoors
- Date of Scan:
- 2023-08-14
- Impact:
- MEDIUM
- Summary:
- The US Department of Homeland Security (CISA) has published a report on Barracuda email servers that were compromised by cyber-thieves in the summer of 2016 and the following year. CISA obtained four malware samples – including SEASPY and WHIRLPOOL backdoors. The device was compromised by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG).
Source:
https://www.cisa.gov/news-events/analysis-reports/ar23-221a
The_surge_in_malware_cases_linked_to_a_Gootloader_payload_delivery
LOW
+
—
—
- Intel Source:
- Sucuri
- Intel Name:
- The_surge_in_malware_cases_linked_to_a_Gootloader_payload_delivery
- Date of Scan:
- 2023-08-12
- Impact:
- LOW
- Summary:
- This month, Sucuri analysts traced a noticeable surge in malwares linked to a malicious payload delivery system known as Gootloader. The group behind this malware is believed to operate a malware-as-a-service operation, exclusively providing a malware delivery service for other threat actors. In their blog, Sucuri is dicussing why Gootloader is so effective, and go into the details of inner workings and shed light on the tactics employed by the operators behind it.
The_SugarCRM_CVE_2023_22952_zero_day_vulnerability
MEDIUM
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- The_SugarCRM_CVE_2023_22952_zero_day_vulnerability
- Date of Scan:
- 2023-08-12
- Impact:
- MEDIUM
- Summary:
- A zero-day vulnerability in the SugarCRM customer relationship management platform was used by threat actors to gain access to customers’ AWS accounts, according to a report from Palo Alto Networks Unit 42.
Source:
https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/
A_new_cybercriminals_service_called_Dark_Utilities
MEDIUM
+
—
—
- Intel Source:
- SOCRadar
- Intel Name:
- A_new_cybercriminals_service_called_Dark_Utilities
- Date of Scan:
- 2023-08-12
- Impact:
- MEDIUM
- Summary:
- In their blog, Cisco Talos shared that they observed malware samples using Dark Utilities service in the wild to establish C2 communications channels and remote access capabilities on infected systems. They discovered malware targeted Windows and Linux systems leveraging Dark Utilities
Source:
https://socradar.io/dark-utilities-platform-provides-c2-server-for-threat-actors/
Attackers_Using_Freezers_And_SYK_Crypter_to_Distribute_Malware
LOW
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- Attackers_Using_Freezers_And_SYK_Crypter_to_Distribute_Malware
- Date of Scan:
- 2023-08-11
- Impact:
- LOW
- Summary:
- Researchers from FortiGuard have discovered a brand-new Rust-written injector that can introduce XWorm and shellcode into a victim’s environment. Additionally, an investigation by researchers showed a sharp rise in injector activity in May 2023. To avoid antivirus detection, shellcode can be encrypted using AES, RC4, or LZMA, and it can be Base64-encoded.
Source:
https://www.fortinet.com/blog/threat-research/malware-distributed-via-freezers-and-syk-crypter
Unknown_Actor_Using_DroxiDat_and_Cobalt_Strike
LOW
+
—
—
- Intel Source:
- Securelist
- Intel Name:
- Unknown_Actor_Using_DroxiDat_and_Cobalt_Strike
- Date of Scan:
- 2023-08-11
- Impact:
- LOW
- Summary:
- Securelist researchers have seen a new SystemBC variant deployed to a critical infrastructure target. This time, the proxy-capable backdoor was deployed alongside Cobalt Strike beacons in a South African nation’s critical infrastructure.
Source:
https://securelist.com/focus-on-droxidat-systembc/110302/
MoustachedBouncer_cyberespionage_activity_against_diplomats
LOW
+
—
—
- Intel Source:
- WeliveSecurity
- Intel Name:
- MoustachedBouncer_cyberespionage_activity_against_diplomats
- Date of Scan:
- 2023-08-11
- Impact:
- LOW
- Summary:
- MoustachedBouncer is a cyberespionage group discovered by ESET Research since 2014. Thousands of IPs have been seen by AT&T Alien Labs to act as proxy exit nodes in a way that resembles corrupted AdLoad systems. This activity might be a sign that tens of thousands of Mac computers have been taken over and used as proxy exit nodes. Over the past year, at least 150 samples have been seen in the wild. Welinesecurity reserachers believe that MoustachedBouncer uses a lawful interception system (such as SORM) to conduct its AitM operations.
Common_TTPs_of_attacks_against_industrial_organizations
LOW
+
—
—
- Intel Source:
- Kaspersky
- Intel Name:
- Common_TTPs_of_attacks_against_industrial_organizations
- Date of Scan:
- 2023-08-11
- Impact:
- LOW
- Summary:
- Kaspersky ICS Cert analysts identified over 15 implants and their variants planted by the threat actor(s) in various combinations. The attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems. Analysts have medium to high confidence that a threat actor called APT31, also known as Judgment Panda and Zirconium, is behind the activities described in their report.
The_Most_Recent_STRRAT_Version_Contains_Dual_Obfuscation_Layers
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- The_Most_Recent_STRRAT_Version_Contains_Dual_Obfuscation_Layers
- Date of Scan:
- 2023-08-11
- Impact:
- LOW
- Summary:
- The Cyble Research and Intelligence Labs have discovered a fresh method of infection that is used to spread STRRAT. This novel approach entails disseminating STRRAT version 1.6, which makes use of two string obfuscation strategies.
Source:
https://cyble.com/blog/strrats-latest-version-incorporates-dual-obfuscation-layers/
Changes_in_CHM_Malware_Distribution
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Changes_in_CHM_Malware_Distribution
- Date of Scan:
- 2023-08-11
- Impact:
- LOW
- Summary:
- ASEC has previously published a CHM malware type coping Korean financial institutes and insurance companies. Recently, the execution method of this malware type has been changing every week. ASEC post will cover how the changed execution processes of the CHM malware are recorded in AhnLab’s EDR products.
Hybrid_malware_leveraging_various_internet_protocols
LOW
+
—
—
- Intel Source:
- Sucuri
- Intel Name:
- Hybrid_malware_leveraging_various_internet_protocols
- Date of Scan:
- 2023-08-11
- Impact:
- LOW
- Summary:
- Sucuri analysts discover periodically an unique hybrid malware leveraging various internet protocols. During a recent investigation, the analysts found an interesting piece of JavaScript malware that indirectly uses the DNS protocol to obtain redirect URLs.
In_Depth_Analysis_of_LOLKEK_Payloads
LOW
+
—
—
- Intel Source:
- Sentinelone
- Intel Name:
- In_Depth_Analysis_of_LOLKEK_Payloads
- Date of Scan:
- 2023-08-11
- Impact:
- LOW
- Summary:
- Researchers from SentinelLabs have examined LOLKEK Payload sample sets. Small to medium-sized enterprises (SMBs) and individual users are typically the main objectives.
Zero_Day_Exploit_Case_Study_CVE_2023_36874
MEDIUM
+
—
—
- Intel Source:
- CrowdStrike
- Intel Name:
- Zero_Day_Exploit_Case_Study_CVE_2023_36874
- Date of Scan:
- 2023-08-11
- Impact:
- MEDIUM
- Summary:
- In July 2023, the CrowdStrike Falcon team observed an unknown exploit with unknown vulnerability affecting the Windows Error Reporting (WER) component. Crowdstrike team put their findings to their report about this new vulnerability to Microsoft. Microsoft assigned the identifier CVE-2023-36874 to the vulnerability.
Source:
https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
Campaign_Against_NATO_Aligned_Foreign_Ministries
MEDIUM
+
—
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Campaign_Against_NATO_Aligned_Foreign_Ministries
- Date of Scan:
- 2023-08-11
- Impact:
- MEDIUM
- Summary:
- Two PDF documents have been spotted, and EclecticIQ researchers believe with high confidence that they are a part of a continuous campaign aimed at NATO member countries’ foreign ministries. The PDF files contained two fake diplomatic invitations that appeared to be coming from the German embassy.
Attackers_Using_EvilProxy_Phishing_Kit
HIGH
+
—
—
- Intel Source:
- Proofpoint
- Intel Name:
- Attackers_Using_EvilProxy_Phishing_Kit
- Date of Scan:
- 2023-08-10
- Impact:
- HIGH
- Summary:
- Threat actors have been using the phishing toolkit EvilProxy to take control of cloud-based Microsoft 365 accounts belonging to executives at prominent companies.Researchers said the attacks exhibited both the prevalence of pre-packaged phishing-as-a-service toolkits, as well as the increased bypassing of multi-factor authentication to gain access to accounts.
AdLoad_Turns_Mac_Systems_into_Proxy_Exit_Nodes
LOW
+
—
—
- Intel Source:
- AT&T
- Intel Name:
- AdLoad_Turns_Mac_Systems_into_Proxy_Exit_Nodes
- Date of Scan:
- 2023-08-10
- Impact:
- LOW
- Summary:
- Thousands of IPs have been seen by AT&T Alien Labs to act as proxy exit nodes in a way that resembles corrupted AdLoad systems. This activity might be a sign that tens of thousands of Mac computers have been taken over and used as proxy exit nodes. Over the past year, at least 150 samples have been seen in the wild.
Source:
https://cybersecurity.att.com/blogs/labs-research/mac-systems-turned-into-proxy-exit-nodes-by-adload
Tax_Invoices_and_Shipping_Statements_Posing_as_GuLoader_Malware
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Tax_Invoices_and_Shipping_Statements_Posing_as_GuLoader_Malware
- Date of Scan:
- 2023-08-10
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered instances in which GuLoader was sent as an attachment in emails that were falsely labeled as shipping bills and tax invoices. A RAR (Roshal Archive packed) packed file included the freshly discovered GuLoader variation. GuLoader eventually downloads well-known malware strains including Remcos, AgentTesla, and Vidar when it is run by a user.
Magniber_Ransomware_Injection
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Magniber_Ransomware_Injection
- Date of Scan:
- 2023-08-10
- Impact:
- LOW
- Summary:
- High numbers of the Magniber ransomware are routinely disseminated. It has been disseminated through the Internet Explorer vulnerability for the past few years, however when the browser’s support ended, the vulnerability is no longer being exploited. Recently, the ransomware has started spreading through Chrome and Edge browsers using filenames impersonating Windows security update packages (such as ERROR.Center.Security.msi). Currently, Magniber injects the ransomware into an active process, causing damage by encrypting the user’s files.
Kubernetes_Exposed
LOW
+
—
—
- Intel Source:
- Aquasec
- Intel Name:
- Kubernetes_Exposed
- Date of Scan:
- 2023-08-09
- Impact:
- LOW
- Summary:
- The potential catastrophe of having Kubernetes (k8s) cluster hijacked is could be a disaster magnified a million times over. Aquasec researchers investigated and uncovered Kubernetes clusters belonging to more than 350 organizations, open-source projects, and individuals, openly accessible and largely unprotected. At least 60% of them were breached and had an active campaign that deployed malware and backdoors.
Source:
https://blog.aquasec.com/kubernetes-exposed-one-yaml-away-from-disaster
The_AgentTesla_malware_attack
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- The_AgentTesla_malware_attack
- Date of Scan:
- 2023-08-09
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs (CRIL) has recently observed an AgentTesla malware attack that employs a well-developed process with multiple stages. The campaign is designed to trick unsuspecting users into opening Tax related documents and accompanying control panel files (CPL).
Source:
https://cyble.com/blog/agenttesla-malware-targets-users-with-malicious-control-panel-file/
New_InfoStealer_Named_Statc_Stealer
LOW
+
—
—
- Intel Source:
- Zscalar
- Intel Name:
- New_InfoStealer_Named_Statc_Stealer
- Date of Scan:
- 2023-08-09
- Impact:
- LOW
- Summary:
- Zscaler ThreatLabz researchers have discovered a new information stealer family called Statc Stealer. It is a sophisticated malware that infects devices powered by Windows, gains access to computer systems, and steals sensitive information.
Source:
https://www.zscaler.com/blogs/security-research/statc-stealer-decoding-elusive-malware-threat
Malicious_Python_Package_Campaign_Targets_Developers_through_PyPI
MEDIUM
+
—
—
- Intel Source:
- ReversingLabs
- Intel Name:
- Malicious_Python_Package_Campaign_Targets_Developers_through_PyPI
- Date of Scan:
- 2023-08-09
- Impact:
- MEDIUM
- Summary:
- Researchers from ReversingLabs identified persistent campaign leverages malicious Python packages on PyPI to deceive developers. Attackers mimic popular open-source tools, embedding hidden malicious code. They create matching GitHub repositories for credibility and employ dynamic command and control URLs
Uncovering_Tech_Scammers_involved_in_different_ransomware_attacks
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Uncovering_Tech_Scammers_involved_in_different_ransomware_attacks
- Date of Scan:
- 2023-08-09
- Impact:
- LOW
- Summary:
- Cyble researchers recently observed a new Tech Scam campaign. It seemed it has involved scammers setting up a non-existent antivirus solution site to deceive users into paying for non-existent services. During analysis, researchers discovered various ransomware variants leveraged by tech scammers to propagate their fraudulent schemes.
Source:
https://cyble.com/blog/utilization-of-leaked-ransomware-builders-in-tech-related-scams/
The_Malware_distribution_as_Coin_exchange
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- The_Malware_distribution_as_Coin_exchange
- Date of Scan:
- 2023-08-09
- Impact:
- LOW
- Summary:
- ASEC lab response Center has recently discovered a new malware disguised with coin exchange and investment-related topics. The malware is pretended in the form of an executable and a Word file.It is suspected that it was created by the Kimsuky group.
The_malware_installation_as_normal_file_of_a_Korean_Development_Company
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- The_malware_installation_as_normal_file_of_a_Korean_Development_Company
- Date of Scan:
- 2023-08-09
- Impact:
- LOW
- Summary:
- AhnLab has previously mentioned about the malware that is generated by the installation file of a Korean program development company. When malware is distributed alongside an installation file, users will struggle to notice that malware is being executed concurrently.
Investigating_the_Big_Head_Ransomware
LOW
+
—
—
- Intel Source:
- SOC Radar
- Intel Name:
- Investigating_the_Big_Head_Ransomware
- Date of Scan:
- 2023-08-08
- Impact:
- LOW
- Summary:
- After first appearing in May 2023, Big Head Ransomware is a relatively new actor in the cyber threat environment. This malicious program is made up of several different varieties, each with its own features and powers. Little is known about the threat actor who is responsible for the Big Head Ransomware. The actor has been seen interacting with victims on Telegram and through emails.
Source:
https://socradar.io/dark-web-profile-big-head-ransomware/
An_Overview_of_Qakbot_Infrastructure
LOW
+
—
—
- Intel Source:
- Team-Cymru
- Intel Name:
- An_Overview_of_Qakbot_Infrastructure
- Date of Scan:
- 2023-08-08
- Impact:
- LOW
- Summary:
- Team-Cymru researchers have provided an update on the high-level analysis of QakBot infrastructure, this represents an ongoing piece of research, their analysis of QakBot is fluid with various hypotheses being identified and tested. As and when they uncover new insights into QakBot campaigns they will seek to provide further written updates.
Source:
https://www.team-cymru.com/post/visualizing-qakbot-infrastructure-part-ii-uncharted-territory
TargetCompany_Ransomware_Abusing_FUD_Obfuscator_Packers
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- TargetCompany_Ransomware_Abusing_FUD_Obfuscator_Packers
- Date of Scan:
- 2023-08-07
- Impact:
- LOW
- Summary:
- In order to persistently deploy its initial stage, the most recent version of the TargetCompany ransomware first exploits weak SQL servers. The code tries many approaches to try persistence, such as switching the URLs or relevant routes, until it successfully locates a location to run the Remcos RAT.
DoDo_and_Proton_Ransomware_targeting_windows_users
MEDIUM
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- DoDo_and_Proton_Ransomware_targeting_windows_users
- Date of Scan:
- 2023-08-07
- Impact:
- MEDIUM
- Summary:
- Researchers from Fortinet have discovered the Ransomware Roundup report highlights the emerging threats of DoDo and Proton ransomware variants, both specifically designed to target Microsoft Windows users. DoDo ransomware, a derivative of Chaos ransomware, disguises itself as an educational application called “Mercurial Grabber” to steal information and encrypt victims’ files. Its recent variants demand ransom for file decryption and data non-disclosure. Meanwhile, Proton ransomware encrypts files on Windows systems, demanding a ransom for file recovery.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-dodo-and-proton
Water_minyades_batloader_malware
MEDIUM
+
—
—
- Intel Source:
- Trend Micro
- Intel Name:
- Water_minyades_batloader_malware
- Date of Scan:
- 2023-08-07
- Impact:
- MEDIUM
- Summary:
- Trend Micro researchers observe the Water Minyades Batloader malware has evolved with Pyarmor Pro obfuscation, making manual de-obfuscation difficult. Using large MSI files, it initiates a sophisticated kill chain, fingerprinting victim networks and delivering second-stage payloads for stealthy attacks.
Source:
https://www.trendmicro.com/en_us/research/23/h/batloader-campaigns-use-pyarmor-pro-for-evasion.html
New_Threat_Actor_Leveraging_Customized_Yashma_Ransomware
LOW
+
—
—
- Intel Source:
- Talos
- Intel Name:
- New_Threat_Actor_Leveraging_Customized_Yashma_Ransomware
- Date of Scan:
- 2023-08-07
- Impact:
- LOW
- Summary:
- Researchers from Cisco Talos have identified an unknown threat actor, who appears to be of Vietnamese descent, who has been operating ransomware since at least June 4, 2023. This continuing attack makes use of a Yashma ransomware version that mimics WannaCry traits and is expected to target several locations. The ransom note is sent using an unusual method by the threat actor. They execute an embedded batch file to download the ransom note from the actor-controlled GitHub repository rather than inserting the ransom note strings in the malware.
Source:
https://blog.talosintelligence.com/new-threat-actor-using-yashma-ransomware/
North_Korea_icompromised_Russian_Missile_Engineering_Company
MEDIUM
+
—
—
- Intel Source:
- Sentilone
- Intel Name:
- North_Korea_icompromised_Russian_Missile_Engineering_Company
- Date of Scan:
- 2023-08-07
- Impact:
- MEDIUM
- Summary:
- SentinelLabs identified an intrusion into the Russian defense industrial base, specifically a missile engineering organization NPO Mashinostroyeniya. Our analysis attributes the email server compromise to the ScarCruft threat actor. We also identify the separate use of a Lazarus Group backdoor for compromise of their internal network.
MerlinAgent_cyber_attacks_against_Ukraine
LOW
+
—
—
- Intel Source:
- CERT UA
- Intel Name:
- MerlinAgent_cyber_attacks_against_Ukraine
- Date of Scan:
- 2023-08-07
- Impact:
- LOW
- Summary:
- Ukraine’s CERT-UA is warning of malicious emails posing as official communications. The emails contain harmful attachments, leading to the execution of dangerous scripts and the deployment of the malicious “ctlhost.exe” associated with the MerlinAgent program
NPM_highly_targeted_attacks
LOW
+
—
—
- Intel Source:
- Security Affairs
- Intel Name:
- NPM_highly_targeted_attacks
- Date of Scan:
- 2023-08-07
- Impact:
- LOW
- Summary:
- Security Affairs researchers discovered a new set of malicious packages on the npm package manager that can exfiltrate sensitive developer data.
Source:
https://securityaffairs.com/149165/hacking/npm-highly-targeted-attacks.html
The_Cyber_Campaign_by_Space_Pirates_in_Russia_and_Serbia
MEDIUM
+
—
—
- Intel Source:
- PT Security
- Intel Name:
- The_Cyber_Campaign_by_Space_Pirates_in_Russia_and_Serbia
- Date of Scan:
- 2023-08-05
- Impact:
- MEDIUM
- Summary:
- Using unique strategies and acquiring new cyber weapons, the threat actor known as Space Pirates has been connected to attacks on at least 16 organizations in Serbia and Russia over the past year. Governmental organizations, educational institutions, private security firms, aerospace makers, agricultural producers, defense, energy, and healthcare companies are among the targets.
Remcos_Malware_Analysis
LOW
+
—
—
- Intel Source:
- Any.Run
- Intel Name:
- Remcos_Malware_Analysis
- Date of Scan:
- 2023-08-04
- Impact:
- LOW
- Summary:
- Any.Run malware hunting service recorded a video for Remcos RAT execution and analysis. Remcos is a remote access trojan – a malware used to take remote control over infected PCs. This trojan is created and sold to clients by a “business” called Breaking Security. Remcos trojan can be delivered in different forms. Based on RAT’s analysis, it can be spread as an executable file with the name that should convince users to open it, or it pretends to bne a Microsoft Word file that exploits vulnerabilities.
From_Small_LNK_to_Large_Malicious_BAT_File_With_Zero_VT_Score
LOW
+
—
—
- Intel Source:
- ISC.SANS
- Intel Name:
- From_Small_LNK_to_Large_Malicious_BAT_File_With_Zero_VT_Score
- Date of Scan:
- 2023-08-04
- Impact:
- LOW
- Summary:
- ISC.SANS researchers have seen my spam trap caught an e-mail with LNK attachment, the e-mail message was the usual malspam fare trying to appear as a purchase order sent to the recipient.
Source:
https://isc.sans.edu/diary/From+small+LNK+to+large+malicious+BAT+file+with+zero+VT+score/30094/
Redline_Malware_Analysis
LOW
+
—
—
- Intel Source:
- Any Run
- Intel Name:
- Redline_Malware_Analysis
- Date of Scan:
- 2023-08-04
- Impact:
- LOW
- Summary:
- ANY.RUN researchers did the analysis and watched the RedLine malware actions in an interactive sandbox simulation. RedLine Stealer or RedLine is malware that can collect users’ confidential information and deliver other malicious programs.
Botnet_Fenix_new_botnet
LOW
+
—
—
- Intel Source:
- MetaBase Q
- Intel Name:
- Botnet_Fenix_new_botnet
- Date of Scan:
- 2023-08-04
- Impact:
- LOW
- Summary:
- The Threat Intel team at Metabase Q has discovered a local group that created a new botnet called as “Fenix,” which specifically targets users accessing government services, particularly tax-paying individuals in Mexico and Chile. The attackers redirect victims to fraudulent websites that mimic the official portals These fake websites prompt users to download a supposed security tool, claiming it will enhance their portal navigation safety
The_Play_ransomware_activity
MEDIUM
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_Play_ransomware_activity
- Date of Scan:
- 2023-08-04
- Impact:
- MEDIUM
- Summary:
- TrendMicro have observed the Play ransomware group amplified their activity with a number of new tools and exploits, including the vulnerabilities ProxyNotShell, OWASSRF, and a Microsoft Exchange Server Remote Code Execution. More recently, it’s also begun to use new tools like Grixba, a custom network scanner and infostealer, and the open-source VSS management tool AlphaVSS.
Source:
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play
Emotet_DarkGate_and_LokiBot_new_analyses
MEDIUM
+
—
—
- Intel Source:
- Securelist
- Intel Name:
- Emotet_DarkGate_and_LokiBot_new_analyses
- Date of Scan:
- 2023-08-04
- Impact:
- MEDIUM
- Summary:
- Securelist researchers found new Emotet samples, a new loader dubbed “DarkGate”, and a new LokiBot infostealer campaign. They described all three in private reports, from which this post contains an excerpt.
Source:
https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/
The_Attack_Method_of_Rhysida_Ransomware
LOW
+
—
—
- Intel Source:
- SOC Radar
- Intel Name:
- The_Attack_Method_of_Rhysida_Ransomware
- Date of Scan:
- 2023-08-04
- Impact:
- LOW
- Summary:
- The Rhysida Ransomware Group has become a serious threat in the online environment. In a short period of time, Rhysida posed a significant concern to businesses all across the world with its powerful encryption capabilities and double extortion tactics. The group’s emphasis on attacking military and governmental institutions, as seen in their assault on the Chilean Army, emphasizes how serious their actions may be.
Source:
https://socradar.io/threat-profile-rhysida-ransomware/
The_Back_to_School_Scams
LOW
+
—
—
- Intel Source:
- McAfee
- Intel Name:
- The_Back_to_School_Scams
- Date of Scan:
- 2023-08-04
- Impact:
- LOW
- Summary:
- McAfee Labs analysts has discovered the following PDFs targeting back-to-school trends. Their article warns the parents on what to educate their children on and how not to fall victim to such fraud. McAfee Labs encountered a PDF file campaign featuring a fake CAPTCHA on its first page, to verify human interaction.
Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-season-of-back-to-school-scams/
New_Rilide_Stealer_Version
LOW
+
—
—
- Intel Source:
- Trustwave
- Intel Name:
- New_Rilide_Stealer_Version
- Date of Scan:
- 2023-08-04
- Impact:
- LOW
- Summary:
- Securelist researchers found new Emotet samples, a new loader dubbed “DarkGate”, and a new LokiBot infostealer campaign. They described all three in private reports, from which this post contains an excerpt.
Hackers_Sent_Phishing_Emails_Masquerading_as_Microsoft_Teams_Chats
MEDIUM
+
—
—
- Intel Source:
- Microsoft
- Intel Name:
- Hackers_Sent_Phishing_Emails_Masquerading_as_Microsoft_Teams_Chats
- Date of Scan:
- 2023-08-03
- Impact:
- MEDIUM
- Summary:
- In “highly targeted social engineering attacks,” hackers within the Russian military utilized Microsoft Teams discussions as phishing baits. The IT giant announced on Wednesday that it has discovered a campaign by the well-known Russian hacker collective Midnight Blizzard, also known as NOBELIUM, Cozy Bear, or APT29. According to U.S. and U.K. law enforcement organizations, the group is a component of the Russian Federation’s Foreign Intelligence Service.
Russian_APT_BlueCharlie_Swaps_Infrastructure_to_Evade_Detection
LOW
+
—
—
- Intel Source:
- Recorded Future
- Intel Name:
- Russian_APT_BlueCharlie_Swaps_Infrastructure_to_Evade_Detection
- Date of Scan:
- 2023-08-03
- Impact:
- LOW
- Summary:
- Researchers from Recorded Future have identified the latest campaign from BlueCharlie, the group completely switched up its infrastructure, creating nearly 100 new domains from which to perform credential harvesting and follow-on espionage attacks.
Source:
https://go.recordedfuture.com/hubfs/reports/cta-2023-0802.pdf
Illicit_Brand_Impersonation
LOW
+
—
—
- Intel Source:
- Sentilone
- Intel Name:
- Illicit_Brand_Impersonation
- Date of Scan:
- 2023-08-03
- Impact:
- LOW
- Summary:
- Santilone researchers continually observe brands being impersonated for illicit use, including credential phishing and malware delivery. In their blog they shared examples of opportunistic and targeted threat actors impersonating trusted brands and they can make use of new tooling for the purposes of hunting and tracking them moving forward.
Source:
https://www.sentinelone.com/blog/illicit-brand-impersonation-a-threat-hunting-approach/
Linux_Systems_Are_Affected_by_Reptile_Malware
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Linux_Systems_Are_Affected_by_Reptile_Malware
- Date of Scan:
- 2023-08-03
- Impact:
- LOW
- Summary:
- ASEC has recently observed Reptile, an open-source Linux rootkit with powerful concealment features and Port Knocking capabilities. It examines real-world attacks, including those targeting Korean companies, and draws parallels to the Mélofée malware.
Sliver_C2_malware_being_distributed
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Sliver_C2_malware_being_distributed
- Date of Scan:
- 2023-08-03
- Impact:
- LOW
- Summary:
- ASEC has recently observed similar malware from the past SparkRAT being distributed while being pretending as setup files for Korean VPN service providers and marketing program producers. Contrary the past cases where SparkRAT was used, Sliver C2 was used in the recent attacks and techniques to avoid detection were employed.
Attackers_Exploiting_Ivanti_EPMM_Vulnerabilities
MEDIUM
+
—
—
- Intel Source:
- CISA
- Intel Name:
- Attackers_Exploiting_Ivanti_EPMM_Vulnerabilities
- Date of Scan:
- 2023-08-02
- Impact:
- MEDIUM
- Summary:
- In response to the active exploitation of CVE-2023-35078 and CVE-2023-35081, the Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have released a joint cybersecurity advisory. From at least April 2023 to July 2023, advanced persistent threat actors used CVE-2023-35078 as a zero-day exploit to collect data from a number of Norwegian enterprises as well as to access and compromise the network of a Norwegian government agency.
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-213a
Ransomware_Command_and_Control_Providers_report
LOW
+
—
—
- Intel Source:
- Halcyon
- Intel Name:
- Ransomware_Command_and_Control_Providers_report
- Date of Scan:
- 2023-08-02
- Impact:
- LOW
- Summary:
- The Halcyon researchers shared their research that observed new techniques used to unmask yet another Ransomware Economy player that is speed up ransomware attacks and state-sponsored APT operations like Command-and-Control Providers (C2P) who sell services to threat actors while assuming a legal business profile. In their report, titled Cloudzy with a Chance of Ransomware, Halcyon showed a unique method for identifying C2P entities that can be used to forecast the pioneer to major ransomware campaigns and other advanced attacks. Halcyon also identifies two new, previously undisclosed ransomware affiliates Halcyon named them as Ghost Clown and Space Kook that currently deploy BlackBasta and Royal, respectively.
New_P2Pinfect_Malware_Campaign_Against_Redis_Servers_Detailed
LOW
+
—
—
- Intel Source:
- Cado Security
- Intel Name:
- New_P2Pinfect_Malware_Campaign_Against_Redis_Servers_Detailed
- Date of Scan:
- 2023-08-02
- Impact:
- LOW
- Summary:
- Researchers from Cado Security Labs have just discovered a brand-new malware campaign that targets Redis data store deployments that are open to the general public. The malware, which was created in Rust and given the name “P2Pinfect” by the creators, functions as a botnet agent. An embedded Portable Executable (PE) and an additional ELF executable are both included in the sample that researchers analyzed, indicating cross-platform compatibility between Windows and Linux.
New_Variant_of_SkidMap_Targeting_Redis
LOW
+
—
—
- Intel Source:
- Trustwave
- Intel Name:
- New_Variant_of_SkidMap_Targeting_Redis
- Date of Scan:
- 2023-08-02
- Impact:
- LOW
- Summary:
- Researchers from Trustwave examined the most recent logs from a honeypot in central Europe and discovered an intriguing entry that appeared again less than two weeks later. Only open Redis instances are targeted by SkidMap (also known as “NO AUTH”). They haven’t noticed brute-force attacks coming from the precise IP where the initial attack started.
NodeStealer_2_0_The_Python_Version
LOW
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- NodeStealer_2_0_The_Python_Version
- Date of Scan:
- 2023-08-02
- Impact:
- LOW
- Summary:
- Unit 42 researchers have recently discovered a previously unreported phishing campaign that distributed an infostealer equipped to fully take over Facebook business accounts. Facebook business accounts were targeted with a phishing lure offering tools such as spreadsheet templates for busines
Source:
https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/
The_Cunning_XWorms_Multi_Staged_Attack
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- The_Cunning_XWorms_Multi_Staged_Attack
- Date of Scan:
- 2023-08-01
- Impact:
- LOW
- Summary:
- The XWorm malware uses a new multistage approach to deliver its payload utilizing LOLBins, according to an analysis by Cyble researchers.
Source:
https://cyble.com/blog/sneaky-xworm-uses-multistaged-attack/
WikiLoader_Favors_Complex_Evasion
LOW
+
—
—
- Intel Source:
- Proofpoint
- Intel Name:
- WikiLoader_Favors_Complex_Evasion
- Date of Scan:
- 2023-08-01
- Impact:
- LOW
- Summary:
- WikiLoader is a new piece of malware that Proofpoint researchers have discovered. It was originally discovered in December 2022 being delivered by TA544, an attacker who frequently targets Italian enterprises with Ursnif malware. They also noticed numerous succeeding initiatives, the majority of which had Italian groups as their target.
Source:
https://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion
The_IcedID_BackConnect_Protocol_Internals
LOW
+
—
—
- Intel Source:
- Team-Cymru
- Intel Name:
- The_IcedID_BackConnect_Protocol_Internals
- Date of Scan:
- 2023-08-01
- Impact:
- LOW
- Summary:
- Researchers from Team-Cymru have updated their investigation and monitoring of the infrastructure linked to IcedID’s BackConnect protocol.
Source:
https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol-part-2
The_Unknown_Risks_of_Dot_Zip_Domains
LOW
+
—
—
- Intel Source:
- Avast
- Intel Name:
- The_Unknown_Risks_of_Dot_Zip_Domains
- Date of Scan:
- 2023-08-01
- Impact:
- LOW
- Summary:
- Cybercriminals have begun using.zip domains to trick people into thinking they are downloadable files rather than URLs, according to Avast researchers. According to research, one-third of the top 30.zip domains blacklisted by threat detection engines misuse the names of well-known IT firms like Microsoft, Google, Amazon, and Paypal to deceive users into thinking they are files from reputable businesses.
Source:
https://decoded.avast.io/matejkrcma/unpacking-the-threats-within-the-hidden-dangers-of-zip-domains/
URLs_That_Deliver_Ransomware
LOW
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- URLs_That_Deliver_Ransomware
- Date of Scan:
- 2023-08-01
- Impact:
- LOW
- Summary:
- Researchers from Palo Alto have seen that threat actors are increasingly using URLs to deliver ransomware as they look for new ways to get their inventions past victims’ defenses. Additionally, they are utilizing more dynamic behaviors to spread their malware. Threat actors frequently switch hostnames, paths, filenames, or a combination of all three to disperse ransomware, in addition to following the tried-and-true method of deploying polymorphic variants of their ransomware.
Source:
https://unit42.paloaltonetworks.com/url-delivered-ransomware/#post-129339-_cfw3vjr99swz
v2_SUBMARINE_Backdoor
MEDIUM
+
—
—
- Intel Source:
- CISA
- Intel Name:
- v2_SUBMARINE_Backdoor
- Date of Scan:
- 2023-07-31
- Impact:
- MEDIUM
- Summary:
- The US Department of Homeland Security (CISA) has released a report on a new type of backdoor malware, which could be used by hackers to gain access to a network of secure email addresses. CISA obtained seven malware samples related to a novel backdoor CISA has named SUBMARINE. The malware was used by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting certain versions 5.1.3.001 – 9.2.0.006 of Barracuda Email Security Gateway (ESG).
Source:
https://www.cisa.gov/news-events/analysis-reports/ar23-209a
Threat_Actors_Abusing_the_Ad_Network
MEDIUM
+
—
—
- Intel Source:
- Bitdefender
- Intel Name:
- Threat_Actors_Abusing_the_Ad_Network
- Date of Scan:
- 2023-07-31
- Impact:
- MEDIUM
- Summary:
- A threat actor with previous roots in cybercrime has shifted its initial access techniques to search engine advertisements to hijack searches for business applications such as AnyDesk, WinSCP, Cisco AnyConnect, Slack, TreeSize and potentially more. Bitdefender research showed that the actor(s) has successfully used this type of attack since late May 2023. Based on their threat insights, attackers seem to exclusively focus on North America. Until now, we have identified six target organizations in the US and one in Canada.
Fruity_Trojan_Downloaders_Infect_Windows_Systems_in_Multiple_Stages
LOW
+
—
—
- Intel Source:
- Dr. Web
- Intel Name:
- Fruity_Trojan_Downloaders_Infect_Windows_Systems_in_Multiple_Stages
- Date of Scan:
- 2023-07-31
- Impact:
- LOW
- Summary:
- Dr.Web researchers have observed that threat actors are creating fake websites hosting trojanized software installers to trick unsuspecting users into downloading a downloader malware called Fruity with the goal of installing remote trojans tools like Remcos RAT.
CISA_Analyses_Report_v1_Exploit_Payload_Backdoor
MEDIUM
+
—
—
- Intel Source:
- CISA
- Intel Name:
- CISA_Analyses_Report_v1_Exploit_Payload_Backdoor
- Date of Scan:
- 2023-07-31
- Impact:
- MEDIUM
- Summary:
- CISA obtained 14 malware samples comprised of Barracuda exploit payloads and reverse shell backdoors. The malware was used by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG). The payload triggers a command injection (exploiting CVE-2023-2868), leading to dropping and execution of reverse shells on the ESG appliance. The reverse shells establish backdoor communications via OpenSSL with threat actor command and control (C2) servers. The actors delivered this payload to the victim via a phishing email with a malicious .tar attachment.
Source:
https://www.cisa.gov/news-events/analysis-reports/ar23-209c
STARK_MULE_Targeting_Koreans_With_US_Military_Themed_Document_Lures
MEDIUM
+
—
—
- Intel Source:
- Securonix Threat Labs
- Intel Name:
- STARK_MULE_Targeting_Koreans_With_US_Military_Themed_Document_Lures
- Date of Scan:
- 2023-07-31
- Impact:
- MEDIUM
- Summary:
- Securonix researchers have detected an ongoing cyber assault campaign that is targeting Korean-speaking people by using document lures with American military themes to fool them into launching malware on compromised systems.
SEASPY_Backdoor
MEDIUM
+
—
—
- Intel Source:
- CISA
- Intel Name:
- SEASPY_Backdoor
- Date of Scan:
- 2023-07-31
- Impact:
- MEDIUM
- Summary:
- CISA obtained two SEASPY malware samples. The malware was used by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG). SEASPY is a persistent and passive backdoor that masquerades as a legitimate Barracuda service “BarracudaMailService” that allows the threat actors to execute arbitrary commands on the ESG appliance.
Source:
https://www.cisa.gov/news-events/analysis-reports/ar23-209b
Behavioral_detection_tips_for_the_RomCom_campaign
MEDIUM
+
—
—
- Intel Source:
- Blackberry
- Intel Name:
- Behavioral_detection_tips_for_the_RomCom_campaign
- Date of Scan:
- 2023-07-28
- Impact:
- MEDIUM
- Summary:
- This article provides a technical analysis of the RomCom threat group, which is targeting politicians in Ukraine and U.S.-based healthcare organizations. It outlines process activity, IoCs, and Sigma rules to detect malicious behavior, such as the execution of a file from the Temp folder with a specific command line, and the use of COM objects to establish system persistence.
Source:
https://blogs.blackberry.com/en/2023/07/decoding-romcom-behaviors-and-opportunities-for-detection
BlueBravo_Attacks_European_Diplomatic_Entities
MEDIUM
+
—
—
- Intel Source:
- Recorded Future
- Intel Name:
- BlueBravo_Attacks_European_Diplomatic_Entities
- Date of Scan:
- 2023-07-28
- Impact:
- MEDIUM
- Summary:
- In order to deliver a new backdoor named GraphicalProton, the Russian nation-state actor known as BlueBravo has been detected targeting diplomatic institutions around Eastern Europe. This illustrates the threat’s ongoing evolution. The use of lawful internet services (LIS) for command-and-control (C2) obfuscation is a defining feature of the phishing campaign.
Source:
https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf
A_New_Malicious_Campaign_Distributing_IT_Tools
LOW
+
—
—
- Intel Source:
- Sophos
- Intel Name:
- A_New_Malicious_Campaign_Distributing_IT_Tools
- Date of Scan:
- 2023-07-28
- Impact:
- LOW
- Summary:
- Researchers from Sophos have discovered a new malvertising campaign that targets users looking for IT tools like AnyDesk, Cisco AnyConnect VPN, and WinSCP by using ads on Google Search and Bing. This campaign attempts to trick users into downloading trojanized installers in order to access corporate networks and possibly launch future ransomware attacks.
Source:
https://news.sophos.com/en-us/2023/07/26/into-the-tank-with-nitrogen/
The_discover_of_apps_targeting_Iranian_bank_customers
LOW
+
—
—
- Intel Source:
- Sophos
- Intel Name:
- The_discover_of_apps_targeting_Iranian_bank_customers
- Date of Scan:
- 2023-07-28
- Impact:
- LOW
- Summary:
- Sophos X-Ops researchers discovered malicious apps targeting Iranian banks, which collect internet banking login credentials and credit card details, and have capabilities such as hiding icons and intercepting SMS messages. The threat actors used Firebase as a C2 mechanism and leveraged legitimate domains for C2 servers. The malware also searches for other banking, payment, and cryptocurrency apps, and the certificate used to sign the malicious apps was previously used by an IT consulting and development firm in Malaysia. The malicious apps request permissions to read SMS messages and urge users to grant them.
Source:
https://news.sophos.com/en-us/2023/07/27/uncovering-an-iranian-mobile-malware-campaign/
Jade_Sleet_Storm_0954_Social_Engineering_Campaign
LOW
+
—
—
- Intel Source:
- GitHub Blog
- Intel Name:
- Jade_Sleet_Storm_0954_Social_Engineering_Campaign
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- GitHub has observed a Jade Sleet social engineering campaign which targets employees of technology firms, those who are connected to the blockchain, cryptocurrency, online gambling, and cybersecurity sectors. Jade Sleet (Storm-0954) is an activity group originally from North Korea and specializes in targeting cryptocurrency-related organizations. They utilize a range of tactics lke the development of applications that look like legitimate cryptocurrency apps, to spread their attacks. Jade Sleet has used the multi-platform targeted malware framework (MATA) and Electron frameworks to create implants for both Microsoft Windows and Mac-based systems.
Attack_Tactics_Against_Industrial_Organizations
LOW
+
—
—
- Intel Source:
- ICS CERT
- Intel Name:
- Attack_Tactics_Against_Industrial_Organizations
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- Researchers from Kaspersky ICS CERT have looked at a number of assaults on commercial targets in Eastern Europe. The attackers’ goal in the attacks was to create an ongoing conduit for data exfiltration, including data from air-gapped systems. Based on the commonalities between these operations and other efforts that have been previously studied (such as ExCone and DexCone), including the use of FourteenHi variants, particular TTPs, and the scale of the attack.
Diving_Deep_into_Mallox_Ransomware
MEDIUM
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- Diving_Deep_into_Mallox_Ransomware
- Date of Scan:
- 2023-07-27
- Impact:
- MEDIUM
- Summary:
- Unit 42 researchers have observed an uptick of Mallox ransomware activities with an increase of almost 174% compared to the previous year exploiting MS-SQL servers to distribute the ransomware. Mallox (aka TargetCompany, FARGO and Tohnichi) is a ransomware strain that targets Microsoft Windows systems. It has been active since June 2021, and is notable for exploiting unsecured MS-SQL servers as a penetration vector to compromise victims’ networks.
Source:
https://unit42.paloaltonetworks.com/mallox-ransomware/
The_Investigation_of_Cloud_Compute_Resource_Abuse
LOW
+
—
—
- Intel Source:
- Microsoft
- Intel Name:
- The_Investigation_of_Cloud_Compute_Resource_Abuse
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- Microsoft researchers have observed an attack that is targeting organizations that incurred more than $300,000 in computing fees due to cryptojacking attacks
Hackers_Targeting_Developers_via_Trojanized_MS_Visual_Studio
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Hackers_Targeting_Developers_via_Trojanized_MS_Visual_Studio
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- Cyble researchers have uncovered a deceitful installer masquerading as an authentic Microsoft Visual Studio installer delivering a Cookie Stealer. This stealer is specifically designed to infiltrate and extract sensitive information stored in browser cookies, allowing attackers to compromise user accounts and invade privacy.
Source:
https://blog.cyble.com/2023/07/25/threat-actor-targeting-developers-via-trojanized-ms-visual-studio/
Exploiting_of_the_search_ms_URI_Protocol_Handler
LOW
+
—
—
- Intel Source:
- Trellix
- Intel Name:
- Exploiting_of_the_search_ms_URI_Protocol_Handler
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- This article discusses the use of malicious payloads, such as AsyncRAT and Remcos RAT, by attackers to gain remote control over an infected system. It also covers the use of the “search” / “search-ms” URI protocol handler to launch attacks using a variety of file types, and how to disable this protocol handler. Additionally, it provides configuration information for AsyncRAT, including two IP addresses, six ports, a default botnet, a version number, and various settings.
Source:
https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
PurpleFox_Loader_Distributing_via_MS_SQL_Server
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- PurpleFox_Loader_Distributing_via_MS_SQL_Server
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the PurpleFox malware being installed on poorly managed MS-SQL servers. PurpleFox is a Loader that downloads additional malware and is known to mainly install CoinMiners.
In_depth_Campaign_Analysis_of_QakBot
LOW
+
—
—
- Intel Source:
- Zscaler
- Intel Name:
- In_depth_Campaign_Analysis_of_QakBot
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have conducted in-depth investigations to uncover the various attack chains employed by Qakbot. In this research, they delve into the depths of Qakbot, conducting a comprehensive technical analysis to understand its behavior, attack vectors, and distribution methods.
Casbaneiro_Infection_Chain_is_Back
LOW
+
—
—
- Intel Source:
- Sygnia
- Intel Name:
- Casbaneiro_Infection_Chain_is_Back
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- Sygnia researchers have observed that threat actors behind the Casbaneiro campaign are still active to this day, with some changes over the years in their attack chain, C2 infrastructure, and TTPs. The threat actors are still making effective use of spear-phishing attack to initiate their infection chain, and still appear to be focused on Latin American targets.
Source:
https://blog.sygnia.co/breaking-down-casbaneiro-infection-chain-part2
The_Analysis_of_Amadey_Threat
LOW
+
—
—
- Intel Source:
- Splunk
- Intel Name:
- The_Analysis_of_Amadey_Threat
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- The Amadey Trojan Stealer, an active and prominent malware, first emerged on the cybersecurity landscape in 2018 and has maintained a persistent botnet infrastructure ever since. Several campaigns have used this malware.
Source:
https://www.splunk.com/en_us/blog/security/amadey-threat-analysis-and-detections.html
Lazarus_Threat_Group_Attacking_Windows_Servers
MEDIUM
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Lazarus_Threat_Group_Attacking_Windows_Servers
- Date of Scan:
- 2023-07-27
- Impact:
- MEDIUM
- Summary:
- ASEC researchers have discovered that Lazarus, a threat group deemed to be nationally funded, is attacking Windows Internet Information Service (IIS) web servers and using them as distribution points for their malware.
A_Deceptive_and_Evolving_Malware_Tool
LOW
+
—
—
- Intel Source:
- Cyfirma
- Intel Name:
- A_Deceptive_and_Evolving_Malware_Tool
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- Cyfirma has identified a new threat in the cybersecurity landscape – Attacker-Crypter. This powerful tool allows cybercriminals to encrypt, obfuscate, and manipulate malicious code, evading detection by security tools and antivirus software. The freely available tool offers various features to enhance malware capabilities, including process injection, debugger evasion, and network communication.
Tomcat_attacked_by_Mirai_Malware_and_beyond
LOW
+
—
—
- Intel Source:
- Aquasec
- Intel Name:
- Tomcat_attacked_by_Mirai_Malware_and_beyond
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- This article discusses the misconfiguration of Apache Tomcat, the impact of the malware ‘l4sd4sx64’, and the prevalence of Apache Tomcat in cloud, big data, and website development. It also provides an analysis of the attacks against Tomcat server honeypots over a two-year period, including the detection of a web shell hidden in a WAR file, the execution of a shell script, and the execution of the Mirai malware.
Source:
https://blog.aquasec.com/tomcat-under-attack-investigating-the-mirai-malware
The_Deep_Investigation_of_JumpCloud_System_Breach
MEDIUM
+
—
—
- Intel Source:
- Mandiant
- Intel Name:
- The_Deep_Investigation_of_JumpCloud_System_Breach
- Date of Scan:
- 2023-07-27
- Impact:
- MEDIUM
- Summary:
- Mandiant researchers have investigated the JumpCloud system breach and its impact on customers. Mandiant attributed these intrusions to UNC4899, a Democratic People’s Republic of Korea (DPRK)-nexus actor, with a history of targeting companies within the cryptocurrency vertical.
Source:
https://www.mandiant.com/resources/blog/north-korea-supply-chain
Targeted_Open_Source_Software_Supply_Chain_Attacks_on_Banking_Sector
LOW
+
—
—
- Intel Source:
- Checkmarx
- Intel Name:
- Targeted_Open_Source_Software_Supply_Chain_Attacks_on_Banking_Sector
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- The banking sector is facing targeted open-source software supply chain attacks. Malicious actors exploit vulnerabilities in open-source packages, utilizing advanced techniques and deceptive tactics. Traditional controls fall short, necessitating proactive security measures throughout the Software Development Lifecycle (SDLC). Collaboration is key to strengthen defenses against these evolving threats. Checkmarx’s Supply Chain Intelligence offers protection and ongoing tracking.
Source:
https://checkmarx.com/blog/first-known-targeted-oss-supply-chain-attacks-against-the-banking-sector/
Cl0p_Ransomware_Financially_Motivated_Menace_Exploiting_Critical_Vulnerabilities
MEDIUM
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- Cl0p_Ransomware_Financially_Motivated_Menace_Exploiting_Critical_Vulnerabilities
- Date of Scan:
- 2023-07-27
- Impact:
- MEDIUM
- Summary:
- Cl0p ransomware, operated by the FIN11 threat group, has been a persistent and financially motivated menace since early 2019. This malicious software targets organizations in North America and Europe, encrypting files and exfiltrating sensitive data. Recent attacks have exploited critical vulnerabilities in software, including the MOVEit Transfer SQL injection flaw. The ransom group demands payment in exchange for file decryption and to prevent the public exposure of stolen information
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-cl0p
Scammers_Targeting_Universities_With_Bioscience_Lures
LOW
+
—
—
- Intel Source:
- Proofpoint
- Intel Name:
- Scammers_Targeting_Universities_With_Bioscience_Lures
- Date of Scan:
- 2023-07-26
- Impact:
- LOW
- Summary:
- Researchers from Proofpoint have seen a campaign that targets university students in North America in late May 2023 using a variety of email lures with job-related themes. The emails claimed to be from several different organizations, the bulk of which were involved in the biosciences, healthcare, and biotechnology, as well as a few other unrelated ones. The operation went on until June 2023.
Zyxel_Vulnerability_Targeted_by_DDoS_Botnets
MEDIUM
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- Zyxel_Vulnerability_Targeted_by_DDoS_Botnets
- Date of Scan:
- 2023-07-26
- Impact:
- MEDIUM
- Summary:
- Researchers from FortiGuard have discovered the spread of many DDoS botnets that are taking use of the Zyxel vulnerability (CVE-2023-28771). It is possible for an unauthorized attacker to execute arbitrary code by sending a specially designed packet to the targeted device, which is how this vulnerability is defined by a command injection bug impacting several firewall models.
Source:
https://www.fortinet.com/blog/threat-research/ddos-botnets-target-zyxel-vulnerability-cve-2023-28771
The_Rusty_peer_to_Peer_self_Replicating_worm_Called_P2PInfect
LOW
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- The_Rusty_peer_to_Peer_self_Replicating_worm_Called_P2PInfect
- Date of Scan:
- 2023-07-26
- Impact:
- LOW
- Summary:
- Cloud researchers at Unit 42 have found a fresh peer-to-peer (P2P) worm that they named P2PInfect. This worm is capable of cross-platform infections and is written in the highly scalable and cloud-friendly programming language Rust. It targets Redis, a well-known open-source database application that is frequently utilized in cloud environments.
Source:
https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/
Hackers_Behind_Big_Head_and_Poop69_Ransomware_Are_DEV0970_Storm_0970
LOW
+
—
—
- Intel Source:
- Cyfirma
- Intel Name:
- Hackers_Behind_Big_Head_and_Poop69_Ransomware_Are_DEV0970_Storm_0970
- Date of Scan:
- 2023-07-26
- Impact:
- LOW
- Summary:
- CYFIRMA research team have observed Poop69 ransomware appearing in the wild, and shortly after that, another ransomware named BIG HEAD emerged, thought to originate from the same threat actor, which has become popular recently due to its fake Windows update method.
The_Dangers_of_Downloading_Illegal_Software_and_the_Hidden_AutoHotkey_Script
MEDIUM
+
—
—
- Intel Source:
- Avast
- Intel Name:
- The_Dangers_of_Downloading_Illegal_Software_and_the_Hidden_AutoHotkey_Script
- Date of Scan:
- 2023-07-26
- Impact:
- MEDIUM
- Summary:
- In a recent rise in malware activity, malicious AutoHotkey scripts that started the HotRat virus on victims’ PCs were bundled with illicit software, according to Avast researchers. This malware spreads via open repositories, with URLs being shared on social media and online discussion boards.
Spearphishing_Campaign_Targeting_Zimbra_Webmail_Portals_of_Government_Organizations
MEDIUM
+
—
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Spearphishing_Campaign_Targeting_Zimbra_Webmail_Portals_of_Government_Organizations
- Date of Scan:
- 2023-07-26
- Impact:
- MEDIUM
- Summary:
- Researchers at EclecticIQ have discovered a spearphishing effort that uses vulnerable Zimbra and Roundcube email servers to target governmental institutions. The effort began in January 2023 and has primarily targeted Ukrainian government organizations, however it has also targeted Spain, Indonesia, and France.
JumpCloud_Intrusion_linked_to_North_Korean_APT_Activity
MEDIUM
+
—
—
- Intel Source:
- Sentilone
- Intel Name:
- JumpCloud_Intrusion_linked_to_North_Korean_APT_Activity
- Date of Scan:
- 2023-07-26
- Impact:
- MEDIUM
- Summary:
- Sentilone shared the details after investigation and attributed this attack to an unnamed “sophisticated nation-state sponsored threat actor”. Additionally, there are updated IOCs released and researchers associated the cluster of threat activity to a North Korean state sponsored APT. The IOCs are linked to a wide variety of activity that Sentilone attributes to DPRK, overall centric to the supply chain targeting approach seen in previous campaigns.
Cybercriminals_Using_Ads_to_Spread_IcedID_and_Infostealers
MEDIUM
+
—
—
- Intel Source:
- HP Labs
- Intel Name:
- Cybercriminals_Using_Ads_to_Spread_IcedID_and_Infostealers
- Date of Scan:
- 2023-07-25
- Impact:
- MEDIUM
- Summary:
- Researchers from HP Labs have observed two major malware campaigns delivering Vidar Stealer and IcedID, both of which use malvertising and imitate well-known software. Also, seen other families distributed using this method, including BatLoader and Rhadamanthys Stealer, indicating the growing popularity of this delivery mechanism among threat actors.
Source:
https://threatresearch.ext.hp.com/adverts-mimicking-popular-software-leads-to-malware/?web_view=true
DangerousPasswords_Python_and_Nodejs_Malware_Across_Platforms
LOW
+
—
—
- Intel Source:
- JPCERT/CC
- Intel Name:
- DangerousPasswords_Python_and_Nodejs_Malware_Across_Platforms
- Date of Scan:
- 2023-07-25
- Impact:
- LOW
- Summary:
- JPCERT/CC has shared about DangerousPassword, a targeted attack group, is targeting developers of cryptocurrency exchange businesses on Windows, macOS, and Linux environments. They use Python and Node.js malware to infect systems. The malware downloads and executes MSI files (Windows) and Python files (macOS, Linux) from external sources, communicating with a C2 server every minute.
Source:
https://blogs.jpcert.or.jp/en/2023/07/dangerouspassword_dev.html
Turla_Attacks_Using_CAPIBAR_and_KAZUAR_Malware
MEDIUM
+
—
—
- Intel Source:
- CERT-UA
- Intel Name:
- Turla_Attacks_Using_CAPIBAR_and_KAZUAR_Malware
- Date of Scan:
- 2023-07-25
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have discovered that in addition to the use of XSLT (Extensible Stylesheet Language Transformations) and COM-hijacking, the specificity of CAPIBAR is the presence of a server part, which is typically installed on infected MS Exchange servers in the form of a MOF (Managed Object Format) file using the Desired State Configuration (DCS) PowerShell tool, effectively converting a legitimate server into a malware control center.
Outlook_Vulnerability_and_Clever_Attacker_Tactics
LOW
+
—
—
- Intel Source:
- Securilist
- Intel Name:
- Outlook_Vulnerability_and_Clever_Attacker_Tactics
- Date of Scan:
- 2023-07-25
- Impact:
- LOW
- Summary:
- Securilist shared retheir analyses CVE-2023-23397 vulnerability in Microsoft Outlook for Windows allowed attackers to leak Net-NTLMv2 hashes by sending malicious objects. Samples exploiting this flaw targeted various entities from March 2022 to March 2023. Attackers used compromised ISP routers for hosting fake SMB servers.
Source:
https://securelist.com/analysis-of-attack-samples-exploiting-cve-2023-23397/110202/
New_Campaign_Distributing_NetSupport_RAT_Through_Fake_Browser_Updates
LOW
+
—
—
- Intel Source:
- Malwarebytes
- Intel Name:
- New_Campaign_Distributing_NetSupport_RAT_Through_Fake_Browser_Updates
- Date of Scan:
- 2023-07-25
- Impact:
- LOW
- Summary:
- Researchers from Malwarebytes have observed a new campaign called FakeSG is distributing the NetSupport RAT through hacked WordPress websites. It uses fake browser update templates to deceive users. The payload is delivered via Internet shortcuts or zipped downloads.
Threat_Actors_Embrace_ZIP_Domains_in_Deceptive_Attacks
LOW
+
—
—
- Intel Source:
- Fotinet
- Intel Name:
- Threat_Actors_Embrace_ZIP_Domains_in_Deceptive_Attacks
- Date of Scan:
- 2023-07-25
- Impact:
- LOW
- Summary:
- FortiGate researchers have observed new ‘.ZIP’ Top-Level Domain (TLD) to launch sophisticated phishing attacks. These domains can trick users into thinking they are downloading files when they’re actually visiting malicious websites.
Source:
https://www.fortinet.com/blog/industry-trends/threat-actors-add-zip-domains-to-phishing-arsenals
BundleBot_A_Stealthy_Threat_Abusing_Self_Contained_Dotnet_Format
MEDIUM
+
—
—
- Intel Source:
- Checkpoint
- Intel Name:
- BundleBot_A_Stealthy_Threat_Abusing_Self_Contained_Dotnet_Format
- Date of Scan:
- 2023-07-25
- Impact:
- MEDIUM
- Summary:
- Check Point Research (CPR) conducted an analysis of a new malware strain called BundleBot, which is spreading covertly. BundleBot uses the dotnet bundle (single-file), self-contained format, making static detection challenging. The malware is commonly distributed via Facebook Ads and compromised accounts, masquerading as legitimate program utilities, AI tools, and games.
Source:
https://research.checkpoint.com/2023/byos-bundle-your-own-stealer/
Agile_Approach_to_Mass_Cloud_Credential_Harvesting_and_Crypto_Mining_Sprints_Ahead
LOW
+
—
—
- Intel Source:
- Permiso
- Intel Name:
- Agile_Approach_to_Mass_Cloud_Credential_Harvesting_and_Crypto_Mining_Sprints_Ahead
- Date of Scan:
- 2023-07-24
- Impact:
- LOW
- Summary:
- Researchers from Permiso have observed Attackers are using an agile approach for mass cloud credential harvesting and crypto mining. They developed and deployed incremental iterations of their malware, targeting multiple cloud services. The campaign includes multi-cloud support, possible German-speaking actors, and hosting on Nice VPS.
Modified_Sardonic_Backdoor_by_FIN8_Group
LOW
+
—
—
- Intel Source:
- Symantec
- Intel Name:
- Modified_Sardonic_Backdoor_by_FIN8_Group
- Date of Scan:
- 2023-07-24
- Impact:
- LOW
- Summary:
- Symantec researchers have found evidence of the financially motivated threat actor known as FIN8 employing a “revamped” variation of the Sardonic backdoor to spread the BlackCat ransomware.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/Syssphinx-FIN8-backdoor
NullRAT_InfoStealer_Targeting_PyPI_Package_for_Windows
LOW
+
—
—
- Intel Source:
- Sonatype
- Intel Name:
- NullRAT_InfoStealer_Targeting_PyPI_Package_for_Windows
- Date of Scan:
- 2023-07-24
- Impact:
- LOW
- Summary:
- Sonatype’s automated malware detection systems discovered sonatype-2023-2950, a malicious PyPI package with the name “feur,” which has since been taken down.
The_Use_of_HTML_Attachments_in_Phishing_Campaigns_Has_Increased
LOW
+
—
—
- Intel Source:
- Cofense
- Intel Name:
- The_Use_of_HTML_Attachments_in_Phishing_Campaigns_Has_Increased
- Date of Scan:
- 2023-07-24
- Impact:
- LOW
- Summary:
- Researchers from Cofense have observed developments in the phishing and email security scene. The use of HTML attachments in dangerous phishing attempts has increased significantly, by 168% and 450%, respectively, compared to both Q1 and Q2 of the preceding two years.
Source:
https://cofense.com/blog/html-attachments-used-in-malicious-phishing-campaigns/
Exploiting_Several_Adobe_ColdFusion_Vulnerabilities_Actively
LOW
+
—
—
- Intel Source:
- Rapid7
- Intel Name:
- Exploiting_Several_Adobe_ColdFusion_Vulnerabilities_Actively
- Date of Scan:
- 2023-07-24
- Impact:
- LOW
- Summary:
- Researchers from Rapid7 have discovered that criminals are actively taking advantage of two ColdFusion flaws to circumvent authentication, remotely execute commands, and install webshells on vulnerable servers. Threat actors are combining exploits for the critical remote code execution vulnerability CVE-2023-38203 and the access control bypass vulnerability CVE-2023-29298.
The_deeper_details_of_Storm_0558_techniques_for_unauthorized_access
LOW
+
—
—
- Intel Source:
- Microsoft
- Intel Name:
- The_deeper_details_of_Storm_0558_techniques_for_unauthorized_access
- Date of Scan:
- 2023-07-23
- Impact:
- LOW
- Summary:
- Earlier this month, Microsoft shared detailed information about a malicious campaign by a threat actor Storm-0558 that targeted customer email. Microsoft continued their investigation into this incident and deployed defense in depth to harden all systems involved, additionally they are providing their deeper analysis of the observed actor techniques for obtaining unauthorized access to email data, tools, and unique infrastructure characteristics.
AWS_Amplify_Hosted_Phishing_Campaigns
LOW
+
—
—
- Intel Source:
- Netscope
- Intel Name:
- AWS_Amplify_Hosted_Phishing_Campaigns
- Date of Scan:
- 2023-07-23
- Impact:
- LOW
- Summary:
- Last couple months, Netskope Threat Labs researchers observed an increase in traffic to phishing pages hosted in AWS Amplify. These attacks have been targeting victims across different segments, led by the technology and finance verticals.
Source:
https://www.netskope.com/de/blog/aws-amplify-hosted-phishing-campaigns-abusing-telegram-static-forms
JumpCloud_had_a_breach_by_state_backed_APT_hacking_group
MEDIUM
+
—
—
- Intel Source:
- Bleeding Computer, Jumpcloud
- Intel Name:
- JumpCloud_had_a_breach_by_state_backed_APT_hacking_group
- Date of Scan:
- 2023-07-23
- Impact:
- MEDIUM
- Summary:
- US-based enterprise software firm JumpCloud says a state-backed hacking group breached its systems almost one month ago as part of a highly targeted attack focused on a limited set of customers. The company discovered the incident on June 27, one week after the attackers breached its systems via a spear-phishing attack. On July 5, JumpCloud discovered “unusual activity in the commands framework for a small set of customers” while investigating the attack and analyzing logs for signs of malicious activity.
Source:
https://www.bleepingcomputer.com/news/security/jumpcloud-discloses-breach-by-state-backed-apt-hacking-group/
https://jumpcloud.com/support/july-2023-iocs
A_complex_phishing_operation_Manipulated_Caiman
LOW
+
—
—
- Intel Source:
- Perception Point
- Intel Name:
- A_complex_phishing_operation_Manipulated_Caiman
- Date of Scan:
- 2023-07-22
- Impact:
- LOW
- Summary:
- Perception Point investigated for a complex phishing operation that cwas called “Manipulated Caiman”. The threat actor, Manipulated Caiman, based on one of the files analyzed, containing the words “Loader Manipulado” in the pdb path. Seems like attacker’s origin is likely Latin America. Manipulated Caiman employs spear phishing with malicious attachments to deliver malware, such as URSA, SMTP bruteforce client, malicious extension installer, net info checker, and spammer client.
The_delivery_of_BlotchyQuasar_malware
MEDIUM
+
—
—
- Intel Source:
- Security Intelligence
- Intel Name:
- The_delivery_of_BlotchyQuasar_malware
- Date of Scan:
- 2023-07-22
- Impact:
- MEDIUM
- Summary:
- IBM Security X-Force discovered some phishing emails leading to packed executable files delivering malware called BlotchyQuasar, likely developed by a group X-Force tracks as Hive0129. BlotchyQuasar is hardcoded to collect credentials from multiple Latin American-based banking applications and websites used within public and private environments.
The_Delivery_of_Sorillus_RAT
LOW
+
—
—
- Intel Source:
- eSentire
- Intel Name:
- The_Delivery_of_Sorillus_RAT
- Date of Scan:
- 2023-07-21
- Impact:
- LOW
- Summary:
- Esentire researchers have identified Sorillus RAT, and a phishing page delivering using HTML smuggled files and links using Google’s Firebase Hosting service.
Source:
https://www.esentire.com/blog/google-firebase-hosting-abused-to-deliver-sorillus-rat-phishing-page
A_High_Evasive_Blank_Grabber_Returns
LOW
+
—
—
- Intel Source:
- Cyfirma
- Intel Name:
- A_High_Evasive_Blank_Grabber_Returns
- Date of Scan:
- 2023-07-20
- Impact:
- LOW
- Summary:
- CYFIRMA researchers have identified an infostealer builder known as ‘Blank Grabber’. It is released in 2022, however, since then, it has been frequently updated with 85 contributions to the project in the last one month alone. The infostealer targets Windows operating systems and possesses a wide range of capabilities aimed at stealing sensitive information from unsuspecting users.
Source:
https://www.cyfirma.com/outofband/blank-grabber-returns-with-high-evasiveness/
Diving_Deep_into_Rancoz_Ransomware
LOW
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- Diving_Deep_into_Rancoz_Ransomware
- Date of Scan:
- 2023-07-20
- Impact:
- LOW
- Summary:
- FortiGate researchers have observed that a few months back the Rancoz ransomware first came to the public’s attention. However, it’s important to raise awareness of this ransomware variant, as the most recent victim on their data leak site on TOR dates back just a few weeks to mid-June.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-rancoz
The_Analysis_of_HKLEAKS_Campaign
LOW
+
—
—
- Intel Source:
- Citizenlab
- Intel Name:
- The_Analysis_of_HKLEAKS_Campaign
- Date of Scan:
- 2023-07-20
- Impact:
- LOW
- Summary:
- Researchers from Citizen Lab have conducted a forensic analysis of the entire identifiable digital footprint of the HKLEAKS campaign. In August 2019, at the height of the Anti-Extradition Bill protests that rocked Hong Kong, a series of websites branded “HKLEAKS” began surfacing on the web. Claiming to be run by anonymous citizens, they systematically exposed (“dotted”) the personal identifiable information of protesters, journalists, and other individuals perceived as affiliated with the protest movement.
M365_Phishing_Email_Analysis
LOW
+
—
—
- Intel Source:
- Vadesecure
- Intel Name:
- M365_Phishing_Email_Analysis
- Date of Scan:
- 2023-07-20
- Impact:
- LOW
- Summary:
- Vade’s researchers have detected a new Microsoft 365 phishing attack and analyzed an email containing a malicious HTML attachment.
Source:
https://www.vadesecure.com/en/blog/m365-phishing-email-analysis-eevilcorp
WordPress_Plugin_ULTIMATE_MEMBER_Is_Vulnerable
LOW
+
—
—
- Intel Source:
- CERT-HR
- Intel Name:
- WordPress_Plugin_ULTIMATE_MEMBER_Is_Vulnerable
- Date of Scan:
- 2023-07-19
- Impact:
- LOW
- Summary:
- CERT-HR researchers have observed that ‘Ultimate Member’ is a plugin that allows registration and management of communities on WordPress sites. The critical vulnerability (CVE-2023-3460) has been rated 9.8. All versions of the plugin, which has more than 200,000 active installations, are vulnerable.
Enterprise_Applications_Honeypot_revealed_some_findings
LOW
+
—
—
- Intel Source:
- Trustwave
- Intel Name:
- Enterprise_Applications_Honeypot_revealed_some_findings
- Date of Scan:
- 2023-07-19
- Impact:
- LOW
- Summary:
- Trustwave researchers have established a honeypot sensors network across six countries: Russia, Ukraine, Poland, UK, China, and the United States. Also, they present the most intriguing findings from the research into exposing vulnerable enterprise applications, such as Fortra GoAnywhere MFT, Microsoft Exchange, Fortinet FortiNAC, Atlassian BitBucket, and F5 Big-IP.s
Fake_PoC_for_Linux_Kernel_Vulnerability_on_GitHub
LOW
+
—
—
- Intel Source:
- Uptycs
- Intel Name:
- Fake_PoC_for_Linux_Kernel_Vulnerability_on_GitHub
- Date of Scan:
- 2023-07-19
- Impact:
- LOW
- Summary:
- Cybersecurity researchers continue to be under the radar of malicious actors, a proof-of-concept (PoC) has been discovered on GitHub, concealing a backdoor with a “crafty” persistence method.
Source:
https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware
The_activities_of_the_UAC_0010_group_as_of_July_2023
LOW
+
—
—
- Intel Source:
- CERT-UA
- Intel Name:
- The_activities_of_the_UAC_0010_group_as_of_July_2023
- Date of Scan:
- 2023-07-19
- Impact:
- LOW
- Summary:
- The continuous accumulation and analysis of data on cyber incidents allows us to conclude that one of the most persistent cyber threats is UAC-0010 (Armageddon), the activities of which are carried out by former “officers” of the State Security Service of Crimea, who in 2014 betrayed their military oath and began to serve the FSB of Russia. The main task of the group is cyberespionage against the security and defense forces of Ukraine. At the same time, we know at least one case of destructive activity at an information infrastructure facility.
DomainNetworks_Mail_Scam
LOW
+
—
—
- Intel Source:
- KrebsonSecurity
- Intel Name:
- DomainNetworks_Mail_Scam
- Date of Scan:
- 2023-07-19
- Impact:
- LOW
- Summary:
- Researchers from KrebsonSecurity have identified domainNetworks is a fraudulent company behind a snail mail scam targeting domain owners. Its true operators remain unidentified, despite connections to thedomainsvault.com and UBSagency. These scams trick organizations into paying for unnecessary services.
Malicious_extensions_in_Chrome_Web_Store
LOW
+
—
—
- Intel Source:
- Kaspersky, Palant
- Intel Name:
- Malicious_extensions_in_Chrome_Web_Store
- Date of Scan:
- 2023-07-19
- Impact:
- LOW
- Summary:
- The subpage of the Kaspersky official blog discusses the discovery of malicious extensions in the Chrome Web Store with a total of 87 million downloads. The most popular extension, “Autoskip for Youtube,” had nine million downloads. Users are advised to check and uninstall any malicious extensions as they can access user data.
Source:
https://www.kaspersky.com/blog/dangerous-chrome-extensions-87-million/48562/
https://palant.info/2023/05/31/more-malicious-extensions-in-chrome-web-store/
New_Invitation_From_APT29_to_Use_CCleaner
LOW
+
—
—
- Intel Source:
- Lab52
- Intel Name:
- New_Invitation_From_APT29_to_Use_CCleaner
- Date of Scan:
- 2023-07-19
- Impact:
- LOW
- Summary:
- Researchers from Lab52 have seen a phishing effort that appears to be the Norwegian embassy inviting people to a party. The format of this particular “invitation” is in .svg. When the file is opened, a script is run that mounts and downloads an ISO file that contains the subsequent infection stage. The .svg file serves as an HTML smuggler in this manner, infecting the target and causing them to skip the subsequent stage.
Source:
https://lab52.io/blog/2344-2/
Old_Blackmoon_Trojan_NEW_Monetization_Approach
LOW
+
—
—
- Intel Source:
- Rapid7
- Intel Name:
- Old_Blackmoon_Trojan_NEW_Monetization_Approach
- Date of Scan:
- 2023-07-18
- Impact:
- LOW
- Summary:
-
Rapid7 has discovered a new campaign using the Blackmoon trojan targeting businesses in the USA and Canada.
This campaign focuses on implementing evasion and persistence techniques, such as disabling Windows Defender.
The trojan uses various persistence techniques, process injection, and exploits for remote services.
It disables security tools, hijacks resources, and communicates with a Command and Control server using web protocols.
The webpage includes file names, MD5 hashes, email addresses, a reference to a C&C server, and a link to a related article on monitor persistence.
Source:
https://www.rapid7.com/blog/post/2023/07/13/old-blackmoon-trojan-new-monetization-approach/
SCARLETEEL_2
LOW
+
—
—
- Intel Source:
- Sysdig
- Intel Name:
- SCARLETEEL_2
- Date of Scan:
- 2023-07-18
- Impact:
- LOW
- Summary:
- Sysdig observed the their most recent activities of new version of SCARLTEEL 2.0. The analysts saw a similar strategy to previously reported of compromise AWS accounts through exploiting vulnerable compute services, gain persistence, and attempt to make money using cryptominers. Had we not thwarted their attack, our conservative estimate is that their mining would have cost over $4,000 per day until stopped. By knowing the details of SCARLETEEL previously, it was discovered they are not only after cryptomining, but stealing intellectual property as well. In their recent attack, the actor discovered and exploited a customer mistake in an AWS policy which allowed them to escalate privileges to AdministratorAccess and gain control over the account, enabling them to then do with it what they wanted. We also watched them target Kubernetes in order to significantly scale their attack.
A_variant_of_a_common_malware_injection
LOW
+
—
—
- Intel Source:
- Sucuri
- Intel Name:
- A_variant_of_a_common_malware_injection
- Date of Scan:
- 2023-07-18
- Impact:
- LOW
- Summary:
- A recent investigation found malware injecting obfuscated JavaScript into legitimate files, redirecting website traffic to a parked domain for ad monetization. The injected script creates an invisible iframe from the parked domain, generating ad revenue and potentially redirecting visitors to questionable sites.
Source:
https://blog.sucuri.net/2023/07/malicious-injection-redirects-traffic-to-parked-domain.html
Microsoft_ZeroDay_Vulnerability_Exploited_by_Attackers
HIGH
+
—
—
- Intel Source:
- Symantec, Cyble
- Intel Name:
- Microsoft_ZeroDay_Vulnerability_Exploited_by_Attackers
- Date of Scan:
- 2023-07-18
- Impact:
- HIGH
- Summary:
-
Attackers are making use of a zero-day vulnerability (CVE-2023-36884) that affects Microsoft Windows and Office products. The exploit has so far been applied in extremely targeted attacks against businesses in the European and North American government and defense industries.
Link: https://blog.cyble.com/2023/07/12/microsoft-zero-day-vulnerability-cve-2023-36884-being-actively-exploited/
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-zeroday-exploit
RedCurl_Hackers_Return_to_Spy_on_Major_Russian_Banks
MEDIUM
+
—
—
- Intel Source:
- FACCT
- Intel Name:
- RedCurl_Hackers_Return_to_Spy_on_Major_Russian_Banks
- Date of Scan:
- 2023-07-18
- Impact:
- MEDIUM
- Summary:
- According to FACCT, the Russian-speaking Red Curl organization has attacked businesses in the UK, Germany, Canada, Norway, Ukraine, and Australia at least 34 times. Twenty of the attacks—more than half—took place in Russia. Construction, financial, consultancy, retail, banking, insurance, and legal enterprises were among the victims of cyber espionage.
Source:
https://www.facct.ru/blog/redcurl-2023/?utm_source=twitter&utm_campaign=redcurl-23&utm_medium=social
Massive_Targeted_Exploit_Campaign_Against_WooCommerce_Payments
LOW
+
—
—
- Intel Source:
- Wordfence
- Intel Name:
- Massive_Targeted_Exploit_Campaign_Against_WooCommerce_Payments
- Date of Scan:
- 2023-07-18
- Impact:
- LOW
- Summary:
- Wordfence researchers have identified there is an ongoing exploit campaign targeting a vulnerability in the WooCommerce Payments plugin. Attackers can gain administrative privileges on vulnerable websites. Wordfence provides protection against this vulnerability
Malicious_Campaigns_Targeting_Civilian_Military_and_Governmental_Organisations
MEDIUM
+
—
—
- Intel Source:
- Talos
- Intel Name:
- Malicious_Campaigns_Targeting_Civilian_Military_and_Governmental_Organisations
- Date of Scan:
- 2023-07-17
- Impact:
- MEDIUM
- Summary:
- Researchers from Talos have identified a threat actor who has been running various campaigns in Poland and Ukraine against civilian users, military groups, and governmental institutions. They determined that these actions are most likely carried out with the intent to steal data and gain ongoing remote access.
Source:
https://blog.talosintelligence.com/malicious-campaigns-target-entities-in-ukraine-poland/
Microsoft_Office_Vulnerabilities_and_Macros_Used_by_LokiBot_Campaign
MEDIUM
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- Microsoft_Office_Vulnerabilities_and_Macros_Used_by_LokiBot_Campaign
- Date of Scan:
- 2023-07-17
- Impact:
- MEDIUM
- Summary:
- Several malicious Microsoft Office documents created to take advantage of known vulnerabilities have been found by FortiGate researchers. Remote code execution flaws include CVE-2021-40444 and CVE-2022-30190 specifically. By taking advantage of these flaws, the attackers were able to insert malicious macros into Microsoft documents that, when used, installed the LokiBot malware on the victim’s computer
Credential_Stealer_Expands_to_Azure_GCP_from_AWS
LOW
+
—
—
- Intel Source:
- Sentinelone
- Intel Name:
- Credential_Stealer_Expands_to_Azure_GCP_from_AWS
- Date of Scan:
- 2023-07-17
- Impact:
- LOW
- Summary:
- This ad shows the development of an experienced cloud actor who is knowledgeable about a variety of technologies. The actor apparently underwent a great deal of trial and error, as evidenced by decisions like feeding the curl binary to systems that do not already have it. Additionally, the actor has enhanced the tool’s data layout to promote more autonomous engagement, displaying a certain amount of maturity and proficiency.
Beware_of_Cloaked_Ursa_Phishing_Scam
LOW
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- Beware_of_Cloaked_Ursa_Phishing_Scam
- Date of Scan:
- 2023-07-17
- Impact:
- LOW
- Summary:
- Unit 42 researchers have observed instances of Cloaked Ursa using lures focusing on the diplomats themselves more than the countries they represent. Also, identified Cloaked Ursa targeting diplomatic missions within Ukraine by leveraging something that all recently placed diplomats need – a vehicle.
Source:
https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
Exploring_AVrecon_Underground_Routers
LOW
+
—
—
- Intel Source:
- Lumen
- Intel Name:
- Exploring_AVrecon_Underground_Routers
- Date of Scan:
- 2023-07-16
- Impact:
- LOW
- Summary:
- Another multi-year scheme involving infected routers all around the world is discovered by Lumen Black Lotus Labs. Small-office/home-office (SOHO) routers are infected as part of a sophisticated operation that uses the Linux-based Remote Access Trojan (RAT) known as “AVrecon.”
Source:
https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/
Introducing_TeamTNT_New_Cloud_Campaign
LOW
+
—
—
- Intel Source:
- Aquasec
- Intel Name:
- Introducing_TeamTNT_New_Cloud_Campaign
- Date of Scan:
- 2023-07-16
- Impact:
- LOW
- Summary:
- AquaSec researchers have uncovered an emerging campaign that is targeting exposed Docker APIs and JupyterLab instances. Upon further investigation of the infrastructure, found evidence of a broader campaign orchestrated by TeamTNT.
Source:
https://blog.aquasec.com/teamtnt-reemerged-with-new-aggressive-cloud-campaign
Attackers_Leveraging_OneNote_to_Deliver_Malware
LOW
+
—
—
- Intel Source:
- AT&T
- Intel Name:
- Attackers_Leveraging_OneNote_to_Deliver_Malware
- Date of Scan:
- 2023-07-16
- Impact:
- LOW
- Summary:
- Malware distributed using phishing emails with a OneNote attachment has increased from December 22nd, 2022. The end user would open the OneNote attachment, as they do with most phishing emails, but OneNote does not support macros like Microsoft Word or Excel do. Threat actors have historically used this method to launch programs that install malware.
Hackers_Modify_TeamViewer_Installer_to_Deliver_njRAT
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Hackers_Modify_TeamViewer_Installer_to_Deliver_njRAT
- Date of Scan:
- 2023-07-15
- Impact:
- LOW
- Summary:
- Researchers from Cyble have discovered a noteworthy occurrence involving the false use of a TeamViewer program file. A popular software program called TeamViewer enables remote control, desktop sharing, online meetings, file transfers, and group collaboration across numerous devices.
Source:
https://blog.cyble.com/2023/07/13/trojanized-application-preying-on-teamviewer-users/
A_New_Sophisticated_Toolkit_For_Vishing_Called_Letscall
LOW
+
—
—
- Intel Source:
- ThreatFabric
- Intel Name:
- A_New_Sophisticated_Toolkit_For_Vishing_Called_Letscall
- Date of Scan:
- 2023-07-15
- Impact:
- LOW
- Summary:
- Researchers from Threat Fabric have identified a new sophisticated Vishing toolset called Letscall which currently targeting individuals from South Korea.
Source:
https://www.threatfabric.com/blogs/letscall-new-sophisticated-vishing-toolset
Stealing_Secrets_With_Infected_USB_Drives
LOW
+
—
—
- Intel Source:
- Mandiant
- Intel Name:
- Stealing_Secrets_With_Infected_USB_Drives
- Date of Scan:
- 2023-07-14
- Impact:
- LOW
- Summary:
- Mandiant researchers have observed a threefold increase in the number of attacks using infected USB drives to steal secrets. The campaign named ‘Sogu,’ attributed to a Chinese espionage threat group ‘TEMP.HEX,’ and another named ‘Snowydrive,’ attributed to UNC4698, which targets oil and gas firms in Asia.
Source:
https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
SmokeLoader_Distribution_via_Email
MEDIUM
+
—
—
- Intel Source:
- CERT-UA
- Intel Name:
- SmokeLoader_Distribution_via_Email
- Date of Scan:
- 2023-07-14
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have identified a mass mailing of electronic messages with the subject “Invoice” and an attachment in the form of the file “Act_Zvirky_ta_rah.fakt_vid_12_07_2023.zip” containing the VBS file “invoice_from_12_07_2023_to_payment .vbs “, the opening of which will ensure that the SmokeLoader malware is downloaded and launched.
BPFDoor_Backdoor_Variants_Abusing_BPF_Filters
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- BPFDoor_Backdoor_Variants_Abusing_BPF_Filters
- Date of Scan:
- 2023-07-14
- Impact:
- LOW
- Summary:
- BPFDoor has since become more difficult to detect due to the improved usage of Berkeley Packet Filter (BPF), a technology that allows programs to attach network filters to an open socket that’s being used by the threat actors behind BPFDoor to bypass firewalls’ inbound traffic rules and similar network protection solutions in Linux and Solaris operating systems (OS).
Malicious_Extension
LOW
+
—
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Malicious_Extension
- Date of Scan:
- 2023-07-14
- Impact:
- LOW
- Summary:
- The specific information on this subpage includes a password-protected RAR archive with the passwords 888 or 999. An MSI file has been analyzed, and it is mentioned that Malwarebytes EDR and MDR can remove ransomware remnants and prevent reinfection. There is also a free trial available for Malwarebytes’ cybersecurity services
Kimsuky_Threat_Group_Using_Chrome_Remote_Desktop
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Kimsuky_Threat_Group_Using_Chrome_Remote_Desktop
- Date of Scan:
- 2023-07-14
- Impact:
- LOW
- Summary:
- Remote Desktop by the Kimsuky threat group, supported by North Korea, for their attacks. The group utilizes their own AppleSeed malware, as well as other remote control tools like Meterpreter and VNC, to gain control over infected systems. The Kimsuky group mainly distributes malware through spear phishing emails containing HWP and MS Office document files or CHM files. They also use Infostealer to gather sensitive information.
Business_Email_Compromise_hunting_details
LOW
+
—
—
- Intel Source:
- Huntress
- Intel Name:
- Business_Email_Compromise_hunting_details
- Date of Scan:
- 2023-07-13
- Impact:
- LOW
- Summary:
- The subpage specifically discusses threat hunting for business email compromise (BEC) using user agents on Microsoft 365. The author shares their approach and examples of suspicious user agents.vThey emphasize the importance of baseline user behavior, detection technology, The subpage also includes information on terms of use, privacy policy, legalities, and cookie policy of Huntress, with an option to sign up for blog updates.and prevention measures like multi-factor authentication.
Source:
https://www.huntress.com/blog/threat-hunting-for-business-email-compromise-through-user-agents
The_cloud_workloads_targeted_by_Python_based_fileless_malware
LOW
+
—
—
- Intel Source:
- Wiz
- Intel Name:
- The_cloud_workloads_targeted_by_Python_based_fileless_malware
- Date of Scan:
- 2023-07-13
- Impact:
- LOW
- Summary:
- This subpage discusses the PyLoose fileless malware that targets cloud workloads. It provides information on the attack flow, including initial access, Python script drop, fileless execution, and in-memory XMRig execution. It mentions the attacker’s Monero wallet address and provides details about the PyLoose loader’s associated files and hash values. The subpage also references other articles and promotes the Wiz platform for cloud security.
Source:
https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads
RedDriver_targets_Chinese_speakers_and_internet_cafes
LOW
+
—
—
- Intel Source:
- Talos
- Intel Name:
- RedDriver_targets_Chinese_speakers_and_internet_cafes
- Date of Scan:
- 2023-07-13
- Impact:
- LOW
- Summary:
- The specific information on this subpage describes an undocumented browser hijacker called RedDriver. It explains that RedDriver targets Chinese speakers and internet cafes, and uses the Windows Filtering Platform to intercept browser traffic. It bypasses driver signature enforcement policies and utilizes stolen certificates. The authors of RedDriver are skilled in driver development and have deep knowledge of the Windows operating system. The subpage also includes a list of domains associated with RedDriver and provides various software and support resources offered by Talos.
Source:
https://blog.talosintelligence.com/undocumented-reddriver/
The_suspicion_of_targeting_Ukraine_s_NATO_Membership_Talks_by_RomCom_Threat_Actor
MEDIUM
+
—
—
- Intel Source:
- Blackberry
- Intel Name:
- The_suspicion_of_targeting_Ukraine_s_NATO_Membership_Talks_by_RomCom_Threat_Actor
- Date of Scan:
- 2023-07-12
- Impact:
- MEDIUM
- Summary:
- In the bebinning of this month, the BlackBerry Threat researchers found two malicious documents came from an IP address in Hungary, sent as bate to an organization supporting Ukraine abroad, and a document targeting upcoming NATO Summit guests. Blackberry analysis assume to conclude that the threat actor known as RomCom who is behind this operation. Based on our internal network data analysis, and the full set of cyber tools were collected, was believed the threat actor behind this campaign ran their first drills on June 22, and also a few days before the command-and-control (C2) mentioned in their report was registered and went live.
Source:
https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
Deceptive_PoC_poses_hidden_backdoor
LOW
+
—
—
- Intel Source:
- Uptycs
- Intel Name:
- Deceptive_PoC_poses_hidden_backdoor
- Date of Scan:
- 2023-07-12
- Impact:
- LOW
- Summary:
- Uptycs reserachers discovered Backdoor disguised as innocuous learning tool targets Linux systems. Ensure removal of unauthorized SSH keys, delete kworker file, remove kworker path from bashrc file, and check /tmp/.iCE-unix.pid for potential threats. Exercise caution when testing PoCs and utilize isolated environments for protection.
Source:
https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware
StormP_0978_phishing_campaign_uncovered_by_Microsoft
LOW
+
—
—
- Intel Source:
- Microsoft
- Intel Name:
- StormP_0978_phishing_campaign_uncovered_by_Microsoft
- Date of Scan:
- 2023-07-12
- Impact:
- LOW
- Summary:
- Microsoft identifies Storm-0978 targeting defense and government entities in Europe and North America. Exploiting CVE-2023-36884, they employ phishing campaigns and distribute the RomCom backdoor. Storm-0978 conducts opportunistic ransomware and espionage-related operations
Rootkit_acts_as_a_universal_loader
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- Rootkit_acts_as_a_universal_loader
- Date of Scan:
- 2023-07-11
- Impact:
- LOW
- Summary:
- TrendMicro researchers observed New signed rootkit discovered originating from China targets the gaming sector. The rootkit acts as a universal loader and communicates with a command-and-control infrastructure. It has passed through the Windows Hardware Quality Labs process and obtained a valid signature. Reported to Microsoft’s Security Response Center.
Analysis_of_New_MultiStage_Attack_Targeting_LATAM_Region
LOW
+
—
—
- Intel Source:
- Zscalar
- Intel Name:
- Analysis_of_New_MultiStage_Attack_Targeting_LATAM_Region
- Date of Scan:
- 2023-07-11
- Impact:
- LOW
- Summary:
- Zscaler researchers have uncovered a concerning development, a new targeted attack campaign striking businesses in the Latin American (LATAM) region. This sophisticated campaign employs a trojan that follows a multi-staged infection chain, utilizing specially crafted modules throughout each stage.
Distribution_of_malicious_batch_file
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Distribution_of_malicious_batch_file
- Date of Scan:
- 2023-07-11
- Impact:
- LOW
- Summary:
- AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of malware in the form of a batch file (*.bat). This malware is designed to download various scripts based on the anti-malware process, including AhnLab products, installed in the user’s environment. Based on the function names used by the malware and the downloaded URL parameters, it is suspected to have been distributed by the Kimsuky group
Rekoobe_Backdoor_targeting_Linux_systems_in_Korea
MEDIUM
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Rekoobe_Backdoor_targeting_Linux_systems_in_Korea
- Date of Scan:
- 2023-07-11
- Impact:
- MEDIUM
- Summary:
- AhnLab Security Emergency Response Center (ASEC) has been receiving reports of the Rekoobe malware from tenants in Korea for several years, and will hereby share its brief analysis. Additionally, the Rekoobe variants will be categorized along with a summary of the ones used to target Korean companies.
Unknown_Actor_Targeting_Chinese_Users_With_APT29_TTP
LOW
+
—
—
- Intel Source:
- Lab52
- Intel Name:
- Unknown_Actor_Targeting_Chinese_Users_With_APT29_TTP
- Date of Scan:
- 2023-07-10
- Impact:
- LOW
- Summary:
- Lab52 researchers have identified a different maldoc samples of a potential malicious campaign. The maldoc seems to be a campaign against Chinese speaking users as the content of the maldoc is written in Chinese. The infection chain is similar to the threat actor APT29, however it has been identified significant differences related to the typical APT29’s infection chain that makes consider that it does not seem to be this threat actor.
Source:
https://lab52.io/blog/beyond-appearances-unknown-actor-using-apt29s-ttp-against-chinese-users/
A_BlackByte_ransomware_deep_analyses
LOW
+
—
—
- Intel Source:
- Microsoft
- Intel Name:
- A_BlackByte_ransomware_deep_analyses
- Date of Scan:
- 2023-07-10
- Impact:
- LOW
- Summary:
- Microsoft Incident Response team observed threat actor went through the full attack chain, from initial access to impact in less than five days, causing a huge impact on the business disruption for the victim organization. Their findings dicovered that within those five days, the threat actor employed a range of tools and techniques, culminating in the deployment of BlackByte 2.0 ransomware, to achieve their objectives.
The_malvertising_USPS_campaign
LOW
+
—
—
- Intel Source:
- Malwarebytes
- Intel Name:
- The_malvertising_USPS_campaign
- Date of Scan:
- 2023-07-10
- Impact:
- LOW
- Summary:
- Malwarebytes researechers observed a recent phishing attack that was targeting both mobile and Desktop users looking up to track their packages via the United States Postal Service website.
Ukrainian_Public_Entities_Are_Targeted_by_UAC_0057
MEDIUM
+
—
—
- Intel Source:
- CERT-UA
- Intel Name:
- Ukrainian_Public_Entities_Are_Targeted_by_UAC_0057
- Date of Scan:
- 2023-07-10
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have identified a new targeted cyber attack by the UAC-0057 group against Ukrainian public officials leveraging XLS files that contain a malicious macro spreading PicassoLoader malware. The malicious loader is capable of dropping another malicious strain dubbed njRAT to spread the infection further.
Phishing_Attacks_by_APT28_Group
LOW
+
—
—
- Intel Source:
- CERT-UA
- Intel Name:
- Phishing_Attacks_by_APT28_Group
- Date of Scan:
- 2023-07-10
- Impact:
- LOW
- Summary:
- CERT-UA researchers have discovered HTML files that imitate the web interface of mail services and implement the technical possibility of exfiltrating authentication data entered by the victim using HTTP POST requests. At the same time, the transfer of stolen data is carried out using previously compromised Ubiquiti devices (EdgeOS)
Deep_details_of_Big_Head_Ransomware_s_Variants
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- Deep_details_of_Big_Head_Ransomware_s_Variants
- Date of Scan:
- 2023-07-10
- Impact:
- LOW
- Summary:
- Deeper analyses and updates IOCs
The_distribution_of_NetSupport_RAT
LOW
+
—
—
- Intel Source:
- ASEC, Ciberdefensa
- Intel Name:
- The_distribution_of_NetSupport_RAT
- Date of Scan:
- 2023-07-10
- Impact:
- LOW
- Summary:
- ASEC lab reserachers discovered NetSupport RAT being distributed via a spear phishing email that has recently been in circulation. Their analyses showed the whole provess flow from its distribution via phishing emails and its detection.
Source:
https://ciberdefensa.cat/archivos/16021
https://asec.ahnlab.com/en/55146/
Increasing_TrueBot_Malware_Attacks
MEDIUM
+
—
—
- Intel Source:
- CISA
- Intel Name:
- Increasing_TrueBot_Malware_Attacks
- Date of Scan:
- 2023-07-09
- Impact:
- MEDIUM
- Summary:
- CISA researchers have warned about the emergence of new variants of the TrueBot malware. These variants specifically target organizations in the United States and Canada, aiming to extract sensitive data from compromised networks.
Analysis_of_TA453s_Foray_into_LNKs_and_Mac_Malware
LOW
+
—
—
- Intel Source:
- Proofpoint
- Intel Name:
- Analysis_of_TA453s_Foray_into_LNKs_and_Mac_Malware
- Date of Scan:
- 2023-07-08
- Impact:
- LOW
- Summary:
- Proofpoint researchers have observed that TA453 continues to adapt its malware arsenal, deploying novel file types and targeting new operating systems, specifically sending Mac malware to one of its recent targets.
Ransomware_Lists_Victim_Host_Information_in_Ransom_Note
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Ransomware_Lists_Victim_Host_Information_in_Ransom_Note
- Date of Scan:
- 2023-07-08
- Impact:
- LOW
- Summary:
- Cyble researchers have identified a new ransomware strain named “Underground team ransomware,” The ransom note of the Underground Team ransomware introduces novel elements that distinguish it from typical ransom notes. In addition to guaranteeing a fair and confidential deal within a short timeframe, the group offers more than just a decryptor.
Source:
https://blog.cyble.com/2023/07/05/underground-team-ransomware-demands-nearly-3-million/
ARCrypter_ransomware_activity
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- ARCrypter_ransomware_activity
- Date of Scan:
- 2023-07-08
- Impact:
- LOW
- Summary:
- ARCrypter ransomware, also known as ChileLocker, got attention since last August 2022 with their attack in Chile. Soon, researchers discovered that this ransomware started targeting organizations worldwide. It has been observed that ARCrypter ransomware targets both Windows and Linux operating systems.This year, researchers reported the existanse of a new Linux variant of ARCrypter, developed using the GO programming language and also an updated version of the ARCrypt Windows executable. The TA discovered the new techniques of TA to interact with their victims. In comparasing with the older variant of ARCrypt ransomware, the researcgers identified the following: The ransom note of each binary was pointing to a mirror site and the TA created dedicated chat sites hosted on Tor for each victim.
Malicious_NPM_Packages_Fuel_Supply_Chain_and_Phishing_Attacks
LOW
+
—
—
- Intel Source:
- ReversingLabs
- Intel Name:
- Malicious_NPM_Packages_Fuel_Supply_Chain_and_Phishing_Attacks
- Date of Scan:
- 2023-07-07
- Impact:
- LOW
- Summary:
- ReversingLabs researchers have discovered more than a dozen malicious packages published to the npm open-source repository that appear to target application end users while also supporting email phishing campaigns targeting Microsoft 365 users.
Hackers_From_China_Targeting_Europe_in_SmugX_Campaign
MEDIUM
+
—
—
- Intel Source:
- Checkpoint
- Intel Name:
- Hackers_From_China_Targeting_Europe_in_SmugX_Campaign
- Date of Scan:
- 2023-07-07
- Impact:
- MEDIUM
- Summary:
- Checkpoint researchers have identified a campaign where a Chinese threat actor targeting government entities in Europe, with a focus on foreign and domestic policy entities.
Source:
https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
The_Details_of_Infection_of_Gootloader_Led_to_Credential_Access
LOW
+
—
—
- Intel Source:
- Reliaquest
- Intel Name:
- The_Details_of_Infection_of_Gootloader_Led_to_Credential_Access
- Date of Scan:
- 2023-07-07
- Impact:
- LOW
- Summary:
- The ReliaQuest researchers have responded to an incident involving credential access and exfiltration that was traced back to the JavaScript-based initial access malware “Gootloader.”
Source:
https://www.reliaquest.com/blog/gootloader-infection-credential-access/
Diving_Deep_into_Emotet_Malware_Family
LOW
+
—
—
- Intel Source:
- Welivesecurity
- Intel Name:
- Diving_Deep_into_Emotet_Malware_Family
- Date of Scan:
- 2023-07-07
- Impact:
- LOW
- Summary:
- Emotet is a malware family active since 2014, operated by a cybercrime group known as Mealybug or TA542. It is launched multiple spam campaigns since it re-appeared after its takedown. Also, Mealybug created multiple new modules and multiple times updated and improved all existing modules.
Source:
https://www.welivesecurity.com/2023/07/06/whats-up-with-emotet/
Analysis_of_Silentbobs_Cloud_Attack
MEDIUM
+
—
—
- Intel Source:
- Aquasec
- Intel Name:
- Analysis_of_Silentbobs_Cloud_Attack
- Date of Scan:
- 2023-07-07
- Impact:
- MEDIUM
- Summary:
- Aqua Nautilus researchers have identified an infrastructure of a potentially massive campaign against cloud-native environments. It is in early stages of testing and deployment, and is mainly consistent of an aggressive cloud worm, designed to deploy on exposed JupyterLab and Docker APIs in order to deploy Tsunami malware, cloud credentials hijack, resource hijack and further infestation of the worm.
Source:
https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack
NoName_057_16_DDoSia_Project_Gets_an_Upgrade
LOW
+
—
—
- Intel Source:
- Sekoia
- Intel Name:
- NoName_057_16_DDoSia_Project_Gets_an_Upgrade
- Date of Scan:
- 2023-07-06
- Impact:
- LOW
- Summary:
- Researchers from Sekoia have analyzed an updated variant of the DDoSia attack tool that was developed and used by the pro-Russia collective NoName(057)16.
Source:
https://blog.sekoia.io/following-noname05716-ddosia-projects-targets/
Multiple_New_Clipper_Malware_Variants
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Multiple_New_Clipper_Malware_Variants
- Date of Scan:
- 2023-07-06
- Impact:
- LOW
- Summary:
- Cyble researchers discovered several Clipper malware variants, including Laplas Clipper, IBAN Clipper, Keona Clipper, and many others in the past. Recently, they observed several variants of Clipper malware and saw a significant number of samples related to these variants being submitted to VirusTotal. The Clipper malware operates by cunningly hijacking cryptocurrency transactions, stealthily replacing the victim’s wallet address with that of the Threat Actors’ (TAs) wallet address. Suppose an unsuspecting user tries to pay from their cryptocurrency account, and the transaction has been diverted to an entirely different recipient (the account of the TAs instead of the intended recipient). This alarming turn of events can lead to significant financial losses and potential devastation for the victim.
Source:
https://blog.cyble.com/2023/06/30/multiple-new-clipper-malware-variants-discovered-in-the-wild/
White_Snake_stealer_threat
LOW
+
—
—
- Intel Source:
- Quickheal
- Intel Name:
- White_Snake_stealer_threat
- Date of Scan:
- 2023-07-06
- Impact:
- LOW
- Summary:
- Quick heal researchers provided the technical aspects of the updated White snake stealer version 1.6, to provide insights into its behaviour and shed light on its latest capabilities.
Attackers_Targeting_North_Atlantic_Treaty_Organization
MEDIUM
+
—
—
- Intel Source:
- CERT-UA
- Intel Name:
- Attackers_Targeting_North_Atlantic_Treaty_Organization
- Date of Scan:
- 2023-07-06
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have discovered the website, which copies the English version of the web resource of the international non-governmental organization “World Congress of Ukrainians” legitimate page.
New_Variant_of_North_Korea_linked_RUSTBUCKET_macOS_Malware
LOW
+
—
—
- Intel Source:
- Elastic
- Intel Name:
- New_Variant_of_North_Korea_linked_RUSTBUCKET_macOS_Malware
- Date of Scan:
- 2023-07-06
- Impact:
- LOW
- Summary:
- Researchers from the Elastic Security Labs have spotted a new variant of the RustBucket Apple macOS malware. It allows operators to download and execute various payloads.
Source:
https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket
Neo_Nets_eCrime_campaign_targeted_financial_institutions
LOW
+
—
—
- Intel Source:
- Sentinelone
- Intel Name:
- Neo_Nets_eCrime_campaign_targeted_financial_institutions
- Date of Scan:
- 2023-07-06
- Impact:
- LOW
- Summary:
- SentinelLabs has been tracking Neo_Net conducted an eCrime campaign targeting clients of financial institutions, primarily in Spain and Chile. Using SMS phishing messages and fake banking pages, Neo_Net stole over 350,000 EUR and compromised personal information of thousands of victims. The campaign involved renting out infrastructure, selling victim data, and offering a Smishing-as-a-Service platform.
Source:
https://www.sentinelone.com/blog/neo_net-the-kingpin-of-spanish-ecrime/
Meduza_Stealer
LOW
+
—
—
- Intel Source:
- Uptycs
- Intel Name:
- Meduza_Stealer
- Date of Scan:
- 2023-07-05
- Impact:
- LOW
- Summary:
- Recently, while monitoring the Uptycs Threat Research team dscovered a menace named The Meduza Stealer. Created by an enigmatic actor known as ‘Meduza’, this malware has been specifically designed to target Windows users and organizations, currently targeting only ten specific countries. The Meduza Stealer has a purpose to perform data theft. It pilfers users’ browsing activities, extracting a wide array of browser-related data. From critical login credentials to the valuable record of browsing history and meticulously curated bookmarks, no digital artifact is safe. Even crypto wallet extensions, password managers, and 2FA extensions are vulnerable.
Source:
https://www.uptycs.com/blog/what-is-meduza-stealer-and-how-does-it-work
Decryption_tool_for_the_Akira_ransomware
LOW
+
—
—
- Intel Source:
- Avast
- Intel Name:
- Decryption_tool_for_the_Akira_ransomware
- Date of Scan:
- 2023-07-05
- Impact:
- LOW
- Summary:
- Researchers for Avast have developed a decryptor for the Akira ransomware and released it for public download. The Akira ransomware appeared in March 2023 and since then, the gang claims successful attacks on various organizations in the education, finance and real estate industries, amongst others.
Source:
https://decoded.avast.io/threatresearch/decrypted-akira-ransomware/
Hackers_Exploiting_Unpatched_WordPress_Plugin_Flaw
HIGH
+
—
—
- Intel Source:
- Wordfence
- Intel Name:
- Hackers_Exploiting_Unpatched_WordPress_Plugin_Flaw
- Date of Scan:
- 2023-07-05
- Impact:
- HIGH
- Summary:
- Wordfence researchers have identified the unpatched privilege escalation vulnerability being actively exploited in Ultimate Member, a WordPress plugin installed on over 200,000 sites. Also, discovered that this vulnerability is being actively exploited and it hasn’t been adequately patched in the latest version available, which is 2.6.6.
Malicious_QR_Codes_are_getting_to_employee_credentials
LOW
+
—
—
- Intel Source:
- Inky
- Intel Name:
- Malicious_QR_Codes_are_getting_to_employee_credentials
- Date of Scan:
- 2023-07-05
- Impact:
- LOW
- Summary:
- INKY recently discovered multitude of QR Code phish and shared their findings.
Th_connection_investigation_of_2_clients_in_2_threat_hunts
LOW
+
—
—
- Intel Source:
- Sophos
- Intel Name:
- Th_connection_investigation_of_2_clients_in_2_threat_hunts
- Date of Scan:
- 2023-07-05
- Impact:
- LOW
- Summary:
- Two clients, two threat hunts have been researched for any connection between them. Using Microsoft’s cloud-security API to parse piles of disparate data leads to captivation results.
Crysis_Threat_Actor_Using_RDP_to_Install_Venus_Ransomware
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Crysis_Threat_Actor_Using_RDP_to_Install_Venus_Ransomware
- Date of Scan:
- 2023-07-05
- Impact:
- LOW
- Summary:
- ASEC researchers have disclosed that the Crysis ransomware’s threat actor is also using the Venus ransomware in the attacks. Crysis and Venus are both major ransomware types known to target externally exposed remote desktop services.
New_C2_Framework_Leveraging_by_MuddyWater
LOW
+
—
—
- Intel Source:
- Deep Instinct
- Intel Name:
- New_C2_Framework_Leveraging_by_MuddyWater
- Date of Scan:
- 2023-07-04
- Impact:
- LOW
- Summary:
- Deep Instinct researchers have observed the Iranian state-sponsored group dubbed MuddyWater has been attributed to a previously unseen command-and-control (C2) framework called PhonyC2 that’s been put to use by the actor since 2021.
Malware_being_executed_using_DNS_TXT_records
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Malware_being_executed_using_DNS_TXT_records
- Date of Scan:
- 2023-07-04
- Impact:
- LOW
- Summary:
- The AhnLab Security Emergency response Center (ASEC) has discovered instances where malware is being executed using DNS TXT records. This method of malware execution is significant because it is not commonly utilized, making it challenging to detect and analyze.
Ransomware_Entrapped_in_WinSCP_by_Blackcat_Operators
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- Ransomware_Entrapped_in_WinSCP_by_Blackcat_Operators
- Date of Scan:
- 2023-07-04
- Impact:
- LOW
- Summary:
- TrendMicro researchers have identified malicious actors using malvertising to distribute malware via cloned webpages of legitimate organizations. The distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer.
Updated_GuLoader_loader
LOW
+
—
—
- Intel Source:
- ISC. SANS
- Intel Name:
- Updated_GuLoader_loader
- Date of Scan:
- 2023-07-03
- Impact:
- LOW
- Summary:
- This blog post on the SANS Internet Storm Center website details an infection chain for the Remcos RAT malware. It explains how the infection began with a malicious email containing a zip archive, which resulted in the download of a password-protected zip file. Inside this zip file, there was a decoy audio file and a malicious Windows shortcut. The Windows shortcut triggered the execution of a VBS file with a PowerShell script, leading to further infection on the host. The post also provides indicators of compromise (IOCs) including email headers and file hashes.
Malware_Disguised_as_HWP_Document_File_Kimsuky
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Malware_Disguised_as_HWP_Document_File_Kimsuky
- Date of Scan:
- 2023-07-03
- Impact:
- LOW
- Summary:
- AhnLab Security Emergency response Center (ASEC) has discovered that the Kimsuky threat group is distributing malware disguised as HWP document files. The malware is a compressed file containing a readme.txt file and an executable file with an HWP document file extension. Running the executable file decodes a PowerShell command and saves it as update.vbs in the %APPDATA% folder. The update.vbs file conducts malicious activities, including the leakage of user credentials.
HMRC_Self_Assessment_Phish_Outsmart_SEGs
LOW
+
—
—
- Intel Source:
- Cofense
- Intel Name:
- HMRC_Self_Assessment_Phish_Outsmart_SEGs
- Date of Scan:
- 2023-07-03
- Impact:
- LOW
- Summary:
- During the busy self-assessment season in the UK, threat actors take advantage of the heightened online activity to deceive unsuspecting individuals into revealing their sensitive information on fraudulent HM Revenue & Customs (HMRC) self-assessment websites. Phishing Defense Center (PDC) has noted this wave of attacks across various sectors and regrettably, these phishing emails often evade popular secure email gateways (SEGs) that are meant to provide protection for users. The phishing emails begin by pressuring users to immediately update their self-assessment online profile. This is a common tactic employed by threat actors to generate a deceptive perception of urgency and legitimacy.
GuLoader_Campaign_Targets_Law_Firms_in_the_US
LOW
+
—
—
- Intel Source:
- Morphisec
- Intel Name:
- GuLoader_Campaign_Targets_Law_Firms_in_the_US
- Date of Scan:
- 2023-07-03
- Impact:
- LOW
- Summary:
- the GuLoader campaign from infecting systems was discussed that the campaign’s targeting of specific industries and highlights the use of legitimate hosting services for distributing malware. The main focus is on the delivery of the Remcos RAT through GuLoader and how Morphisec’s AMTD technology can protect systems from these attacks.
Source:
https://blog.morphisec.com/guloader-campaign-targets-law-firms-in-the-us
Charming_Kitten_updates_backdoor_called_POWERSTAR
MEDIUM
+
—
—
- Intel Source:
- volexity
- Intel Name:
- Charming_Kitten_updates_backdoor_called_POWERSTAR
- Date of Scan:
- 2023-07-02
- Impact:
- MEDIUM
- Summary:
- Volexity reserachers very often sees one threat actor that using techniques is Charming Kitten, who is assumed to be operating out of Iran. Charming Kitten is primarily concerned with collecting intelligence by compromising account credentials and, the email of individuals they successfully spear phishing. The new version of POWERSTAR backddor was analyzed by the Volexity team and led the to the discovery that Charming Kitten has been spreading their malware alongside their spear-phishing techniques.
ASEC_Weekly_Phishing_Email_Threats_analyses_June11_17_2023
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Email_Threats_analyses_June11_17_2023
- Date of Scan:
- 2023-07-02
- Impact:
- LOW
- Summary:
- The ASEC analysis team keeps monitoring phishing email threats with their system and honeypot. This article explains the distribution of phishing emails during the week from June 11th to June 17th, 2023 and provide statistical information on each type.
Detecting_Popular_Cobalt_Strike_Malleable_C2_Profile_Techniques
LOW
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- Detecting_Popular_Cobalt_Strike_Malleable_C2_Profile_Techniques
- Date of Scan:
- 2023-07-02
- Impact:
- LOW
- Summary:
- Overall, Unit 42 researchers have discovered two Cobalt Strike Team Server instances hosted online. They have also found new malleable C2 profiles that are not publicly available, which attackers use to avoid detection and exploit Cobalt Strike. They have also found new malleable C2 profiles that are not publicly available, which attackers use to avoid detection and exploit Cobalt Strike. The operators of these Team Server instances hide their C2 infrastructure using popular services and public cloud infrastructure providers. Additionally, the researchers have provided guidance for Palo Alto Networks customers on how to receive protection and mitigation against Cobalt Strike Beacon and other related Cobalt Strike tools.
Source:
https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2/
8Base_Ransomware
LOW
+
—
—
- Intel Source:
- vmware
- Intel Name:
- 8Base_Ransomware
- Date of Scan:
- 2023-07-02
- Impact:
- LOW
- Summary:
- The 8Base ransomware group has remained relatively unknown despite the massive spike in activity in Summer of 2023. The subpage provides information about an HTTP 403 error, but does not offer any further details.
Source:
https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html
The_exposion_of_active_adversary_JokerSpy
LOW
+
—
—
- Intel Source:
- Sentilone
- Intel Name:
- The_exposion_of_active_adversary_JokerSpy
- Date of Scan:
- 2023-07-01
- Impact:
- LOW
- Summary:
- The researchers at BitDefender and Elastic have discovered an active adversary starting a novel spyware, cross-platform backdoors and an open-source reconnaissance tool to compromise organizations with macOS devices in their cortege. So far there are not a lot of known victims at this time, the analysis suggest that the threat actors have likely targeted other organizations. Sentilone reserachers shared their key components and indicators used in the campaign to help raise awareness and aid security teams and threat hunters.
Manic_Menagerie_2_0_threat_actor
MEDIUM
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- Manic_Menagerie_2_0_threat_actor
- Date of Scan:
- 2023-07-01
- Impact:
- MEDIUM
- Summary:
- Unit 42 researchers discovered an active campaign that aims several web hosting and IT providers in the United States and European Union from late 2020 to late 2022. Unit 42 assumes the activity associated with this campaign as CL-CRI-0021 and believes it stems from the same threat actor responsible for the previous campaign known as Manic Menagerie.
Source:
https://unit42.paloaltonetworks.com/manic-menagerie-targets-web-hosting-and-it/
New_Fast_Developing_ThirdEye_Infostealer
LOW
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- New_Fast_Developing_ThirdEye_Infostealer
- Date of Scan:
- 2023-06-30
- Impact:
- LOW
- Summary:
- FortiGuard Labs recently discovered some files that look suspicious. Their investigation discovered that the files are malicious and revealed there is more to them than meets the eye: they are a previously unseen infostealer that was named “ThirdEye”. While this malware is not considered sophisticated, it’s targeting to steal various information from compromised machines that can be used as step for future attacks.
Malicious_Actors_deploy_phishing_pages_to_mobile_devices
LOW
+
—
—
- Intel Source:
- Cofense
- Intel Name:
- Malicious_Actors_deploy_phishing_pages_to_mobile_devices
- Date of Scan:
- 2023-06-30
- Impact:
- LOW
- Summary:
- The Cofense Phishing Defense Center analysts has discovered a spike in the number of malicious emails utilizing this attack vector. In order to bypass traditional file and text detection software, QR codes provide threat actors with a different tactic to encode malicious URLs.
ASEC_Weekly_Malware_Analysis_June_5_June_11th_2023
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_Analysis_June_5_June_11th_2023
- Date of Scan:
- 2023-06-29
- Impact:
- LOW
- Summary:
- The ASEC analysis team keeps monitoring a weekly malware collection samples for June 5-11th, 2023. They used their automatic analysis system RAPIT to categorize and respond to known malware.The top malwares for this week are Amadey, Lokibot, Guloader, AgentTesla and Formbook.
Linux_Users_at_Risk_From_Akira_Ransomware
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Linux_Users_at_Risk_From_Akira_Ransomware
- Date of Scan:
- 2023-06-28
- Impact:
- LOW
- Summary:
- Cyble researchers have recently shared crucial details about the activities of a newly identified ransomware group known as “Akira.” This group is actively targeting numerous organizations, compromising their sensitive data. It is worth noting that Akira ransomware has expanded its operations to include the Linux platform.
Source:
https://blog.cyble.com/2023/06/28/akira-ransomware-extends-reach-to-linux-platform/
PDF_Based_Attacks_Are_Becoming_More_Common
LOW
+
—
—
- Intel Source:
- Avanan
- Intel Name:
- PDF_Based_Attacks_Are_Becoming_More_Common
- Date of Scan:
- 2023-06-28
- Impact:
- LOW
- Summary:
- Researchers from Avanan have deep-dived into PDF-based attacks and identified that the malicious PDF file masquerades as a legitimate ‘DocuSign’ document, luring unsuspecting users to a fraudulent webpage where they are asked to enter their login credentials, including the recipient’s email address.
Source:
https://www.avanan.com/blog/pdf-based-attacks-on-the-rise-heres-how-deep-learning-can-prevent-them
The_details_of_the_Saltwater_Backdoor_used_in_Barracuda_vulnerability
MEDIUM
+
—
—
- Intel Source:
- Cybergeeks
- Intel Name:
- The_details_of_the_Saltwater_Backdoor_used_in_Barracuda_vulnerability
- Date of Scan:
- 2023-06-27
- Impact:
- MEDIUM
- Summary:
- SALTWATER is a backdoor that exploiting the Barracuda 0-day vulnerability CVE-2023-2868. It is a module for the Barracuda SMTP daemon called bsmtpd. The malware hooked the recv, send, and close functions using an open-source hooking library called funchook. The following functionalities are implemented: execute arbitrary commands, download and upload files, proxy functionality, and tunneling functionality.
SMS_Phishers_hacked_sensitive_data_from_UPS_Tracking_Tool
LOW
+
—
—
- Intel Source:
- Krebson Security
- Intel Name:
- SMS_Phishers_hacked_sensitive_data_from_UPS_Tracking_Tool
- Date of Scan:
- 2023-06-27
- Impact:
- LOW
- Summary:
- The United Parcel Service (UPS) says fraudsters have been harvesting phone numbers and other information from its online shipment tracking tool in Canada to send highly targeted SMS phishing (a.k.a. “smishing”) messages that spoofed UPS and other top brands.
The_Black_Basta_ransomware_cover_of_roundup
MEDIUM
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Black_Basta_ransomware_cover_of_roundup
- Date of Scan:
- 2023-06-27
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs analysts analyzed data on ransomware variants that have been gaining intrest within their datasets and the OSINT community. Their Ransomware Roundup report shares with readers the brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-black-basta
The_details_of_Wagner_Groups_Cyber_campaign
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- The_details_of_Wagner_Groups_Cyber_campaign
- Date of Scan:
- 2023-06-27
- Impact:
- LOW
- Summary:
- Cyble researchers investigated a new ransomware called Wagner. This ransomware is possible a variant of Chaos ransomware. The reserachers analyzed that the ransom note insists users to join the PMC Wagner. It was discovered that the ransomware sample was initially submitted on VirusTotal from Russia. Because the ransom note is written in Russian, it assumes that the ransomware may primarily target victims within Russia. The Wagner ransomware is a 32-bit binary targeting the Windows operating system.
Source:
https://blog.cyble.com/2023/06/27/unveiling-wagner-groups-cyber-recruitment/
The_Examination_of_Trickbot_and_Conti_Crypters
LOW
+
—
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- The_Examination_of_Trickbot_and_Conti_Crypters
- Date of Scan:
- 2023-06-27
- Impact:
- LOW
- Summary:
- IBM Security X-Force researchers have deep-dived into the crypters used by the Trickbot/Conti syndicate.
Source:
https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/
Email_Spam_using_Modiloader_Attachments
LOW
+
—
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Email_Spam_using_Modiloader_Attachments
- Date of Scan:
- 2023-06-26
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed 2 emails attachment in quarantine that had different text with the same attachment.
Source:
https://isc.sans.edu/diary/Email+Spam+with+Attachment+Modiloader/29978/
Word_Document_with_Online_Template_Attached
LOW
+
—
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Word_Document_with_Online_Template_Attached
- Date of Scan:
- 2023-06-26
- Impact:
- LOW
- Summary:
- Researchers from SANS has been found behaving like a dropper. It uses a remote Word template and makes an HTTP request to an external website.
Source:
https://isc.sans.edu/diary/Word+Document+with+an+Online+Attached+Template/29976/
Qakbot_Distributing_Tag_via_Obama_Series
LOW
+
—
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Qakbot_Distributing_Tag_via_Obama_Series
- Date of Scan:
- 2023-06-24
- Impact:
- LOW
- Summary:
- Qakbot using the Obama-series distribution tag has been active this week on Tuesday 2023-06-20 (obama269), Wednesday 2023-06-21 (obama270), and Thursday 2023-06-22 (obama271).
Source:
https://isc.sans.edu/diary/Qakbot+Qbot+activity+obama271+distribution+tag/29968/
Powerful_JavaScript_Dropper_PindOS_Spreading_Bumblebee_and_IcedID_Malware
MEDIUM
+
—
—
- Intel Source:
- Deep Instinct
- Intel Name:
- Powerful_JavaScript_Dropper_PindOS_Spreading_Bumblebee_and_IcedID_Malware
- Date of Scan:
- 2023-06-24
- Impact:
- MEDIUM
- Summary:
- Deep Instinct researchers have observed a new strain of JavaScript dropper which is delivering next-stage payloads like Bumblebee and IcedID.
Source:
https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid
An_Overview_of_Trigona_Ransomware_Various_Versions
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- An_Overview_of_Trigona_Ransomware_Various_Versions
- Date of Scan:
- 2023-06-23
- Impact:
- LOW
- Summary:
- The Trigona ransomware is a relatively new ransomware family that began activities around late October 2022 — although samples of it existed as early as June 2022. Since then, Trigona’s operators have remained highly active, and in fact, have been continuously updating their ransomware binaries.
Source:
https://www.trendmicro.com/en_us/research/23/f/an-overview-of-the-trigona-ransomware.html
Hackers_Using_USB_Driven_Self_Propagating_Malware_to_Attack_the_Camaro_Dragon
MEDIUM
+
—
—
- Intel Source:
- Checkpoint
- Intel Name:
- Hackers_Using_USB_Driven_Self_Propagating_Malware_to_Attack_the_Camaro_Dragon
- Date of Scan:
- 2023-06-23
- Impact:
- MEDIUM
- Summary:
- Checkpoint researchers have identified that the Chinese cyber espionage actor known as Camaro Dragonleveraging a new strain of self-propagating malware that spreads through compromised USB drives.
The_Service_in_question_rents_email_addresses
LOW
+
—
—
- Intel Source:
- Krebson Security
- Intel Name:
- The_Service_in_question_rents_email_addresses
- Date of Scan:
- 2023-06-23
- Impact:
- LOW
- Summary:
- The service in question from KrebosSecurity blog was kopeechka[.]store — is a kind of unidirectional email confirmation-as-a-service that lures you to “save your time and money for successfully registering multiple accounts.” That new service offers to help to save and cut costs associated with large-scale spam and account creation campaigns, by paying people to sell their email account credentials and letting customers temporarily rent access to a vast pool of established accounts at major providers.
RedEnergy_Stealer_as_a_Ransomware_Attacks
LOW
+
—
—
- Intel Source:
- Zscaler
- Intel Name:
- RedEnergy_Stealer_as_a_Ransomware_Attacks
- Date of Scan:
- 2023-06-23
- Impact:
- LOW
- Summary:
- Zscaler researchers have discovered a new malware variant, RedEnergy stealer that fits into the hybrid Stealer-as-a-Ransomware threat category. RedEnergy stealer uses a fake update campaign to target multiple industry verticals and possesses the ability to steal information from various browsers, enabling the exfiltration of sensitive data, while also incorporating different modules for carrying out ransomware activities.
New_Infection_Strategy_Implemented_by_Mallox_Ransomware
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- New_Infection_Strategy_Implemented_by_Mallox_Ransomware
- Date of Scan:
- 2023-06-23
- Impact:
- LOW
- Summary:
- Cyble researchers have observed a new variation of the Mallox ransomware that now appends the file extension .malox to the encrypted files, whereas previously, it used the .mallox extension. This ransomware binary is deployed using BatLoader, which is similar to the one reported – spreading RATs and Stealers.
Source:
https://blog.cyble.com/2023/06/22/mallox-ransomware-implements-new-infection-strategy/
Multiple_IoT_Exploits_Used_in_Latest_Mirai_Campaign
LOW
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- Multiple_IoT_Exploits_Used_in_Latest_Mirai_Campaign
- Date of Scan:
- 2023-06-23
- Impact:
- LOW
- Summary:
- Paloalto researchers have observed threat actors leveraging several IoT vulnerabilities to spread a variant of the Mirai botnet.
Source:
https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/
New_Infection_Strategy_of_Mallox_Ransomware
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- New_Infection_Strategy_of_Mallox_Ransomware
- Date of Scan:
- 2023-06-23
- Impact:
- LOW
- Summary:
- Two years ago, the new ransomware appeared known as “TargetCompany”. and got a lot of attention due to its unique method of appending the name of the targeted company as a file extension This ransomware variant was also noticed using a “.mallox” extension to encrypted files, linking it to its previous identification as “Mallox”. Last year, Cyble Research analysts also observed a significant spike in the Mallox ransomware samples. Cyble analysts discovered a new variation of the Mallox ransomware that now appends the file extension “.malox” to the encrypted files, whereas previously, it used the “.mallox” extension. This ransomware binary is deployed using BatLoader, which is similar to the one reported – spreading RATs and Stealers.
Source:
https://blog.cyble.com/2023/06/22/mallox-ransomware-implements-new-infection-strategy/
Cryptocurrency_Mining_Campaigns_Targeting_Linux_and_IoT_Devices
LOW
+
—
—
- Intel Source:
- Microsoft
- Intel Name:
- Cryptocurrency_Mining_Campaigns_Targeting_Linux_and_IoT_Devices
- Date of Scan:
- 2023-06-23
- Impact:
- LOW
- Summary:
- Microsoft researchers have identified that Internet-facing Linux systems and Internet of Things (IoT) devices are being targeted as part of a new campaign designed to illicitly mine cryptocurrency.
New_MULTI_STORM_Attack_Campaign_by_Python_Loader
MEDIUM
+
—
—
- Intel Source:
- Securonix Threat Labs
- Intel Name:
- New_MULTI_STORM_Attack_Campaign_by_Python_Loader
- Date of Scan:
- 2023-06-22
- Impact:
- MEDIUM
- Summary:
- An interesting phishing campaign was recently analyzed by the Securonix Threat Research Team. The attack kicks off when the user clicks on a heavily obfuscated JavaScript file contained in a password protected zip file. The attack chain ends with the victim machine infected with multiple unique RAT (remote access trojan) malware instances, such as Warzone RAT and Quasar RAT. Both are used for command and control during different stages of the infection chain.
Condi_DDoS_Botnet_Spreading_Through_TP_Link_Vulnerability
LOW
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- Condi_DDoS_Botnet_Spreading_Through_TP_Link_Vulnerability
- Date of Scan:
- 2023-06-22
- Impact:
- LOW
- Summary:
- Fortinet researchers have observed that a new DDoS-as-a-Service botnet called “Condi” emerged in May 2023, exploiting a vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to build an army of bots to conduct attacks.
Source:
https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389
The_Examination_of_Ransomware_With_BAT_File_Extension_Attacking_MS_SQL_Servers
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- The_Examination_of_Ransomware_With_BAT_File_Extension_Attacking_MS_SQL_Servers
- Date of Scan:
- 2023-06-22
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the Mallox ransomware with the BAT file extension distributing to poorly managed MS-SQL servers. Extensions of files distributed to poorly managed MS-SQL servers include not only EXE but also BAT, which is a fileless format. The files distributed with the BAT file extension that has been discovered so far are Remcos RAT and Mallox.
Evaluation_of_Threat_Group_Muddled_Libra
LOW
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- Evaluation_of_Threat_Group_Muddled_Libra
- Date of Scan:
- 2023-06-22
- Impact:
- LOW
- Summary:
- PaloAlto researchers have identified that a new threat group dubbed “Muddled Libra” is targeting large outsourcing firms with multi-layered, persistent attacks that start with smishing and end with data theft. The group is also using the infrastructure that it compromises in downstream attacks on victims’ customers.
RedEyes_Group_Wiretapping_Individuals
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- RedEyes_Group_Wiretapping_Individuals
- Date of Scan:
- 2023-06-22
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the redEyes (APT37) is a state-sponsored APT group targeting individuals. They recently used an Infostealer with wiretapping capabilities and a GoLang backdoor. Spear phishing emails were used for initial access, and Ably platform for command and control. Privilege escalation techniques were employed, and an Infostealer named FadeStealer stole data and wiretapped microphones.
Kimsuky_Distributing_CHM_Malware
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Kimsuky_Distributing_CHM_Malware
- Date of Scan:
- 2023-06-22
- Impact:
- LOW
- Summary:
- ASEC researchers have continuously tracked the Kimsuky group’s APT attacks. While the Kimsuky group often used document files for malware distribution, there have been many recent cases where CHM files were used in distribution. Also, unlike in the past when the document files contained North Korea-related topics, the group is now attempting to attack using a variety of subjects.
APT28_Group_Leveraging_Three_Roundcube_Exploits
LOW
+
—
—
- Intel Source:
- CERT-UA
- Intel Name:
- APT28_Group_Leveraging_Three_Roundcube_Exploits
- Date of Scan:
- 2023-06-22
- Impact:
- LOW
- Summary:
- CERT-UA researchers have discovered APT28 utilized three exploits targeting Roundcube (CVE-2020-35730, CVE-2021-44026, CVE-2020-12641) during a recent espionage campaign against a Ukrainian government organization. The attack involved malicious emails containing exploit code and JavaScript files for exfiltration
Chinese_Hacking_Group_Flea_Targeting_American_Ministries
MEDIUM
+
—
—
- Intel Source:
- Symantec
- Intel Name:
- Chinese_Hacking_Group_Flea_Targeting_American_Ministries
- Date of Scan:
- 2023-06-22
- Impact:
- MEDIUM
- Summary:
- Symantec researchers have identified that a Chinese state-sponsored actor named Flea targeting Foreign affairs ministries in the Americas as part of a recent campaign that spanned from late 2022 to early 2023.
Hackers_Running_an_Active_Cryptojacking_Campaign
LOW
+
—
—
- Intel Source:
- Bitdefender
- Intel Name:
- Hackers_Running_an_Active_Cryptojacking_Campaign
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- Bitdefender security researchers have discovered a threat group likely based in Romania that’s been active since at least 2020. They’ve been targeting Linux-based machines with weak SSH credentials, mainly to deploy Monero mining malware, but their toolbox allows for other kinds of attacks.
ASEC_Weekly_Phishing_Email_analysis_June_4_10_2023
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Email_analysis_June_4_10_2023
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- The ASEC analysis team keep monitoring phishing email threats with their automatic sample analysis system (RAPIT) and honeypot. Their post explained the samples of distribution of phishing emails during the week from June 4, 2023 to June 10th, 2023. They covered the cases of distribution of phishing emails during the week from June 4th, 2023 to June 10th, 2022 and provide statistical information on each type.
Disguised_malware_as_a_security_update_installer
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Disguised_malware_as_a_security_update_installer
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- AhnLab recently discovered the attack of a hacking group that is supported by a certain government. The discovered malware disguised itself as a security update installer and was developed using the Inno Setup software.
Aurora_Stealer_malware_analysis
LOW
+
—
—
- Intel Source:
- Esentire
- Intel Name:
- Aurora_Stealer_malware_analysis
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- The subpage discusses the Aurora Stealer malware targeting the manufacturing industry through fake downloads distributed via Google Ads. The malware gathers sensitive data, has a pricing plan, and is written in the Go Programming language. It also provides indicators of compromise and recommendations for protection against the malware.
Source:
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-aurora-stealer
Attackers_Abusing_Legitimate_Services_For_Credential_Theft
LOW
+
—
—
- Intel Source:
- Checkpoint
- Intel Name:
- Attackers_Abusing_Legitimate_Services_For_Credential_Theft
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- Check Point researchers have detected an ongoing phishing campaign that uses legitimate services for credential harvesting and data exfiltration in order to evade detection.
New_Ransomware_Variant_Big_Head
LOW
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- New_Ransomware_Variant_Big_Head
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- FortiGuard Labs have recently come across a new ransomware variant called Big Head, which came out in May 2023. Although there are at least three variants of Big Head ransomware, all are designed to encrypt files on victims’ machines to extort money, like other ransomware variants.
Source:
https://www.fortinet.com/blog/threat-research/fortiguard-labs-ransomware-roundup-big-head
New_Malware_Campaign_Targeting_LetsVPN_Users
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- New_Malware_Campaign_Targeting_LetsVPN_Users
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- Cyble researchers have discovered the existence of numerous counterfeit LetsVPN websites while conducting a routine threat-hunting exercise. These fraudulent sites share a common user interface and are deliberately designed to distribute malware, masquerading as the genuine LetsVPN application.
Source:
https://blog.cyble.com/2023/06/16/new-malware-campaign-targets-letsvpn-users/
The_Analysis_of_Resident_Campaign
LOW
+
—
—
- Intel Source:
- eSentire
- Intel Name:
- The_Analysis_of_Resident_Campaign
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- eSentire researchers have observed the resurgence of what we believe to be a malicious campaign targeting manufacturing, commercial, and healthcare organizations.
Source:
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
DcRAT_a_clone_of_AsyncRAT
LOW
+
—
—
- Intel Source:
- Esentire
- Intel Name:
- DcRAT_a_clone_of_AsyncRAT
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- In May 2023, eSentire identified DcRAT, a clone of AsyncRAT, at a consumer services customer. DcRAT is a remote access tool with info-stealing and ransomware capabilities. The malware is actively distributed using explicit lures for OnlyFans pages and other adult content.
The_Aesi_Return_with_Darth_Vidar
LOW
+
—
—
- Intel Source:
- Team Cymru
- Intel Name:
- The_Aesi_Return_with_Darth_Vidar
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- Researchers from Team-Cymru have observed that Vidar threat actors continue to rotate their backend IP infrastructure, favoring providers in Moldova and Russia.
Source:
https://www.team-cymru.com/post/darth-vidar-the-aesir-strike-back
The_Aesir_Return_with_Darth_Vidar
LOW
+
—
—
- Intel Source:
- Bitdefender
- Intel Name:
- The_Aesir_Return_with_Darth_Vidar
- Date of Scan:
- 2023-06-20
- Impact:
- LOW
- Summary:
- BitDefender researchers have identified the behaviors in a recent incident investigated by them, where a presumably custom malware tracked by researchers as Logutil backdoor was deployed. The operation was active for more than a year with the end goal of compromising credentials and data exfiltration.
Hackers_Targeting_Middle_Eastern_and_African_Governments_with_Advanced_Techniques
MEDIUM
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- Hackers_Targeting_Middle_Eastern_and_African_Governments_with_Advanced_Techniques
- Date of Scan:
- 2023-06-20
- Impact:
- MEDIUM
- Summary:
- PaloAlto researchers have identified that Governmental entities in the Middle East and Africa have been at the receiving end of sustained cyber-espionage attacks that leverage never-before-seen and rare credential theft and Exchange email exfiltration techniques.
RecordBreaker_Infostealer_Disguised_as_a_Dot_NET_Installer
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- RecordBreaker_Infostealer_Disguised_as_a_Dot_NET_Installer
- Date of Scan:
- 2023-06-20
- Impact:
- LOW
- Summary:
- ASEC researchers have observed that the encrypted malware file is downloaded from the threat actor’s server and executed. The malware in this instance is the RecordBreaker (Raccoon Stealer V2) Infostealer.
Malware_Delivering_Through_Dot_inf_File
LOW
+
—
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Malware_Delivering_Through_Dot_inf_File
- Date of Scan:
- 2023-06-20
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed the .inf files and observed that it is delivering malware.
Tsunami_DDoS_Malware_Distributing_to_Linux_SSH_Servers
MEDIUM
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Tsunami_DDoS_Malware_Distributing_to_Linux_SSH_Servers
- Date of Scan:
- 2023-06-20
- Impact:
- MEDIUM
- Summary:
- ASEC researchers have discovered an attack campaign that consists of the Tsunami DDoS Bot being installed on inadequately managed Linux SSH servers. Not only did the threat actor install Tsunami, but they also installed various other malware such as ShellBot, XMRig CoinMiner, and Log Cleaner.
RAT_Delivering_Through_VBS
LOW
+
—
—
- Intel Source:
- ISC.SANS
- Intel Name:
- RAT_Delivering_Through_VBS
- Date of Scan:
- 2023-06-19
- Impact:
- LOW
- Summary:
- Researchers from SANS have observed that RAT is delivering via VBS.
Cyberattacks_Against_Users_of_UKR_NET_Service
MEDIUM
+
—
—
- Intel Source:
- CERT-UA
- Intel Name:
- Cyberattacks_Against_Users_of_UKR_NET_Service
- Date of Scan:
- 2023-06-19
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have identified an e-mail was received from a participant of the information exchange with the subject “Suspicious activity observed @UKR.NET” and an attachment in the form of a PDF file “Security warning.pdf” sent, apparently, on behalf of UKR.NET technical support. The mentioned PDF document contains a link to a fraudulent web resource that imitates the web page of the postal service.
GhostWriter_Group_Targeting_State_Organization_of_Ukraine
MEDIUM
+
—
—
- Intel Source:
- CERT-UA
- Intel Name:
- GhostWriter_Group_Targeting_State_Organization_of_Ukraine
- Date of Scan:
- 2023-06-19
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have discovered the PPT document “daewdfq342r.ppt”, which contains a macro and a thumbnail image with the emblem of the National Defense University of Ukraine named after Ivan Chernyakhivskyi.
Formbook_From_Possible_ModiLoader
LOW
+
—
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Formbook_From_Possible_ModiLoader
- Date of Scan:
- 2023-06-19
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed the recent Formbook samples and came across an example that kicks off with an Excel file exploiting CVE-2017-11882 to use what seems like ModiLoader (also known as DBatLoader).
An_Evolving_Stealer_Called_Mystic
LOW
+
—
—
- Intel Source:
- Cyfirma
- Intel Name:
- An_Evolving_Stealer_Called_Mystic
- Date of Scan:
- 2023-06-18
- Impact:
- LOW
- Summary:
- CYFIRMA researchers’ team recently discovered an information stealer called Mystic Stealer being promoted in an underground forum, with the threat actor utilizing a Telegram channel for their operations.
Source:
https://www.cyfirma.com/outofband/mystic-stealer-evolving-stealth-malware/
MultiStage_Phishing_Attac_Targeted_Xneelo_Users
LOW
+
—
—
- Intel Source:
- Cofense
- Intel Name:
- MultiStage_Phishing_Attac_Targeted_Xneelo_Users
- Date of Scan:
- 2023-06-17
- Impact:
- LOW
- Summary:
- Cofense researchers have observed multi-stage phishing campaign targeting Xneelo customers was discovered, involving a fake KonsoleH login page to obtain login details, credit card information, and SMS 2FA codes.
Source:
https://cofense.com/blog/xneelo-users-targeted-in-a-multi-stage-phishing-attack/
Analazying_a_global_adversary_in_the_middle_campaign
LOW
+
—
—
- Intel Source:
- Sygnia
- Intel Name:
- Analazying_a_global_adversary_in_the_middle_campaign
- Date of Scan:
- 2023-06-17
- Impact:
- LOW
- Summary:
- In the begining of this year, Sygnia’s IR team was investigating and analyzing about a Business Email Compromise (BEC) attack against one of its clients.The threat actor gained initial access to one of the victim employees’ accounts and executed an ‘Adversary In The Middle’ attack to bypass Office365 authentication and gain persistent access to that account. After getting the access, the threat actor exfiltrated data from the compromised account and used his access to spread phishing attacks to other victim’s employees along with several external targeted organizations.
Source:
https://blog.sygnia.co/cracking-global-phishing-campaign-using-threat-intelligence-toolkit
Chinese_Hackers_Using_DNS_Over_HTTPS_For_Linux_Malware_Communication
LOW
+
—
—
- Intel Source:
- Stairwell
- Intel Name:
- Chinese_Hackers_Using_DNS_Over_HTTPS_For_Linux_Malware_Communication
- Date of Scan:
- 2023-06-17
- Impact:
- LOW
- Summary:
- Researchers from Stairwell have observed that the Chinese threat group ‘ChamelGang’ infecting Linux devices with a previously unknown implant named ‘ChamelDoH,’ allowing DNS-over-HTTPS communications with attackers’ servers.
Source:
https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/
Supply_Chain_Attackers_Exploiting_New_Technique
LOW
+
—
—
- Intel Source:
- Checkmarx
- Intel Name:
- Supply_Chain_Attackers_Exploiting_New_Technique
- Date of Scan:
- 2023-06-17
- Impact:
- LOW
- Summary:
- Checkmarx researchers have identified a new attack technique for hijacking S3 buckets by Supply Chain Attackers.
An_Emerging_Romanian_Threat_Actor_Named_Diicot
LOW
+
—
—
- Intel Source:
- CADO Security
- Intel Name:
- An_Emerging_Romanian_Threat_Actor_Named_Diicot
- Date of Scan:
- 2023-06-17
- Impact:
- LOW
- Summary:
- Cado security researchers have identified an interesting attack pattern that could be attributed to the threat actor Diicot (formerly, “Mexals”).
Source:
https://www.cadosecurity.com/tracking-diicot-an-emerging-romanian-threat-actor/
Long_Running_Shuckworm_Intrusions_Against_Ukrainian_Organizations
LOW
+
—
—
- Intel Source:
- Symantec
- Intel Name:
- Long_Running_Shuckworm_Intrusions_Against_Ukrainian_Organizations
- Date of Scan:
- 2023-06-17
- Impact:
- LOW
- Summary:
- Symantec researchers have identified that the Russian threat actor known as Shuckworm has continued its cyber assault spree against Ukrainian entities in a bid to steal sensitive information from compromised environments.
Netskope_DL_based_Inline_Phishing_Detection
LOW
+
—
—
- Intel Source:
- Netskope
- Intel Name:
- Netskope_DL_based_Inline_Phishing_Detection
- Date of Scan:
- 2023-06-16
- Impact:
- LOW
- Summary:
- Netskope Threat Labs have observed ChatGPT facilitates natural language processing and communication, while Netskope’s Inline Phishing Detection focuses on identifying and blocking phishing attacks in real-time.
A_New_ChromeLoader_Campaign_Named_Shampoo
MEDIUM
+
—
—
- Intel Source:
- HP Wolf Security
- Intel Name:
- A_New_ChromeLoader_Campaign_Named_Shampoo
- Date of Scan:
- 2023-06-16
- Impact:
- MEDIUM
- Summary:
- HP Wolf Security detects new malware campaign “Shampoo” utilizing malicious ChromeLoader extension. It steals sensitive information, injects ads, and poses challenges for removal.
Source:
https://threatresearch.ext.hp.com/shampoo-a-new-chromeloader-campaign/
Lazarus_group_exploiting_Korean_finance_security_solution_vulnerability
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Lazarus_group_exploiting_Korean_finance_security_solution_vulnerability
- Date of Scan:
- 2023-06-16
- Impact:
- LOW
- Summary:
- The ASEC team have observed Lazarus threat group exploiting new vulnerabilities in VestCert and TCO!Stream. Update software promptly to mitigate risks. Stay informed, strengthen security measures against advanced threats.
Phishing_Attacks_Using_HTML_Attachments
LOW
+
—
—
- Intel Source:
- Trellix
- Intel Name:
- Phishing_Attacks_Using_HTML_Attachments
- Date of Scan:
- 2023-06-16
- Impact:
- LOW
- Summary:
- Trellix researchers have identified a phishing attacks using HTML attachments are increasing rapidly, targeting global industries with obfuscation techniques and evasion methods, requiring heightened vigilance and strong email security measures.
Introducing_Cadet_Blizzard_as_a_Significant_New_Russian_Threat_Actor
MEDIUM
+
—
—
- Intel Source:
- Microsoft
- Intel Name:
- Introducing_Cadet_Blizzard_as_a_Significant_New_Russian_Threat_Actor
- Date of Scan:
- 2023-06-15
- Impact:
- MEDIUM
- Summary:
- Microsoft researchers have updated details about techniques of a threat actor formerly tracked as DEV-0586—a distinct Russian state-sponsored threat actor that has now been elevated to the name Cadet Blizzard.
The_risks_of_zip_and_mov_domains
LOW
+
—
—
- Intel Source:
- Netscope
- Intel Name:
- The_risks_of_zip_and_mov_domains
- Date of Scan:
- 2023-06-14
- Impact:
- LOW
- Summary:
- Sometime ago Google discovered and shared eight new top level domains. Two of them (.zip and .mov) have been a concern because they are similar to well known file extensions. Both .zip and .mov TLD are not new, as they have been available since 2014. The main threat was that anyone now can own a .zip or .mov domain and be taken advantage for social engineering at a cheap price. The threat with the .zip and .mov domains is that attackers will be able to craft URLs that appear to be delivering ZIP and MOV files, but instead will redirect victims to malicious websites.
Source:
https://www.netskope.com/blog/zip-and-mov-top-level-domain-abuse-one-month-after-being-made-public
A_Look_into_Earth_Preta_Hidden_Working
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- A_Look_into_Earth_Preta_Hidden_Working
- Date of Scan:
- 2023-06-14
- Impact:
- LOW
- Summary:
- TrendMicro researchers have discussed the more technical details of the most recent tools, techniques, and procedures (TTPs) leveraged by the Earth Preta APT group.
Analyzing_a_global_adversary_in_the_middle_campaign
LOW
+
—
—
- Intel Source:
- Sygnia
- Intel Name:
- Analyzing_a_global_adversary_in_the_middle_campaign
- Date of Scan:
- 2023-06-14
- Impact:
- LOW
- Summary:
- In the begining of this year, Sygnia’s IR team was investigating and analyzing about a Business Email Compromise (BEC) attack against one of its clients.The threat actor gained initial access to one of the victim employees’ accounts and executed an ‘Adversary In The Middle’ attack to bypass Office365 authentication and gain persistent access to that account. After getting the access, the threat actor exfiltrated data from the compromised account and used his access to spread phishing attacks to other victim’s employees along with several external targeted organizations.
Source:
https://blog.sygnia.co/cracking-global-phishing-campaign-using-threat-intelligence-toolkit
Pirated_Windows_10_ISOs_Install_Clipper_Malware
MEDIUM
+
—
—
- Intel Source:
- Dr.WEB
- Intel Name:
- Pirated_Windows_10_ISOs_Install_Clipper_Malware
- Date of Scan:
- 2023-06-14
- Impact:
- MEDIUM
- Summary:
- Dr.WEB researchers have identified that hackers are distributing Windows 10 using torrents that hide cryptocurrency hijackers in the EFI (Extensible Firmware Interface) partition to evade detection.
WannaCry_Imitator_targets_Russian_Gaming_Community
MEDIUM
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- WannaCry_Imitator_targets_Russian_Gaming_Community
- Date of Scan:
- 2023-06-14
- Impact:
- MEDIUM
- Summary:
- Cyble reserachers observed recently some phishing campaigns that use gaming sites as a distribution channel for various malware families. They discovered a phishing campaign targeting Russian-speaking gamers targeting to distribute ransomware. The fake website lets install a file that contains a legitimate game installer and ransomware. The ransomware has used the name “WannaCry 3.0” and utilizes the “wncry” file extension for encrypting files, although it is not a orogonal variant of the WannaCry ransomware. This ransomware is a modified version of an open-source Ransomware “Crypter”, developed for Windows and written purely in Python.
New_Golang_Based_Skuld_Malware
MEDIUM
+
—
—
- Intel Source:
- Trellix
- Intel Name:
- New_Golang_Based_Skuld_Malware
- Date of Scan:
- 2023-06-14
- Impact:
- MEDIUM
- Summary:
- Trellix researchers have identified a new Golang-based information stealer called Skuld that has compromised Windows systems across Europe, Southeast Asia, and the US.
Diving_Deep_into_Pikabot_Cyber_Threat
LOW
+
—
—
- Intel Source:
- Sophos
- Intel Name:
- Diving_Deep_into_Pikabot_Cyber_Threat
- Date of Scan:
- 2023-06-13
- Impact:
- LOW
- Summary:
- Sophos researchers have identified Pikabot malware, Pikabot is a modular malware trojan acting as a backdoor, allowing unauthorized remote access and executing diverse commands received from a command-and-control server. It has the potential for multi-staged attacks
Source:
https://news.sophos.com/en-us/2023/06/12/deep-dive-into-the-pikabot-cyber-threat/
Multistage_DoubleFinger_loads_GreetingGhoul_stealer
LOW
+
—
—
- Intel Source:
- Securelist
- Intel Name:
- Multistage_DoubleFinger_loads_GreetingGhoul_stealer
- Date of Scan:
- 2023-06-13
- Impact:
- LOW
- Summary:
- Securilist shared their analyses about the multi-stage DoubleFinger loader delivering a cryptocurrency stealer. DoubleFinger is deployed on the target machine, when the victim opens a malicious PIF attachment in an email message, ultimately executing the first of DoubleFinger’s loader stages.
Source:
https://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer/109982/
ASEC_Weekly_Phishing_Threats_analyses_May_28_June_3_20
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Threats_analyses_May_28_June_3_20
- Date of Scan:
- 2023-06-13
- Impact:
- LOW
- Summary:
- The ASEC analysis team keeps monitoring phishing email threats with their system and honeypot. This article explains the distribution of phishing emails during the week from May 28th to June 3rd, 2023 and provide statistical information on each type.
Hackers_Targeting_Vietnamese_Public_Companies_With_SPECTRALVIPER_Backdoor
LOW
+
—
—
- Intel Source:
- Elastic
- Intel Name:
- Hackers_Targeting_Vietnamese_Public_Companies_With_SPECTRALVIPER_Backdoor
- Date of Scan:
- 2023-06-12
- Impact:
- LOW
- Summary:
- Researchers from Elastic have identified an ongoing campaign that deploys a novel backdoor called SPECTRALVIPER which is targeting Vietnamese public companies. It is a heavily obfuscated, previously undisclosed, x64 backdoor that brings PE loading and injection, file upload and download, file and directory manipulation, and token impersonation capabilities.
Source:
https://www.elastic.co/security-labs/elastic-charms-spectralviper
Darkrace_Ransomware_Resembles_LockBit_Ransomware
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Darkrace_Ransomware_Resembles_LockBit_Ransomware
- Date of Scan:
- 2023-06-12
- Impact:
- LOW
- Summary:
- Cyble researchers have discovered a new ransomware named Darkrace which has similarities with Lockbit Ransomware. It is specifically targeting Windows operating systems and exhibits several similarities to the LockBit ransomware, including the deployment of batch files to terminate processes, the dropping of file icons, and the utilization of random encryption extensions.
Source:
https://blog.cyble.com/2023/06/08/unmasking-the-darkrace-ransomware-gang/
Malicious_PyPI_Packages
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Malicious_PyPI_Packages
- Date of Scan:
- 2023-06-12
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs analysts have been actively tracking malicious python packages and recently observed different infostealersr, one is dubbed as KEKW that was spreading through multiple malicious python packages, another one was the Creal Stealer, which is an open-source stealer that has been extensively utilized by threat actors. There was no evidence of it being propagated through Python packages. Cyble researches discovered several Python packages that were found to distribute the Creal Stealer. Another ones, The TIKCOCK GRABBER, The Hazard Token Grabber, the W4SP stealer, are type of Information Stealer malwares that focuse on extracting sensitive information from victims’ systems. Cyble’s analysis revealed that InfoStealers, a specific type of malware, was predominantly propagated through malicious Python packages. The presence of readily accessible code for information Stealers on platforms like GitHub has empowered multiple threat actors to leverage this particular strain of malware in their campaigns.
Source:
https://blog.cyble.com/2023/06/09/over-45-thousand-users-fell-victim-to-malicious-pypi-packages/
Undetected_PowerShell_Backdoor
LOW
+
—
—
- Intel Source:
- ISC. SANS
- Intel Name:
- Undetected_PowerShell_Backdoor
- Date of Scan:
- 2023-06-12
- Impact:
- LOW
- Summary:
- ISC. SANS researcher Xavier Mertens found a script that scored 0/59 on VT. He provided the details on his findings on it. The file was found with the name « Microsoft.PowerShell_profile.ps1 ». The attacker decided to select that name because this is a familiar name used by Microsoft to manage PowerShell profiles.
Satacom_malware_steals_cryptocurrency
LOW
+
—
—
- Intel Source:
- Securelist
- Intel Name:
- Satacom_malware_steals_cryptocurrency
- Date of Scan:
- 2023-06-12
- Impact:
- LOW
- Summary:
- Securilist shared retheir analyses about recent malware distribution campaign related to the Satacom downloader, also known as LegionLoader, is a renewed malware family that has been around since 2019. The main goal of this malware that is dropped by the Satacom downloader is to steal BTC from the victim’s account by performing web injections into targeted cryptocurrency websites. The malware tries to install an extension for Chromium-based web browsers, which later communicates with its C2 server, whose address is stored in the BTC transaction data.
Source:
https://securelist.com/satacom-delivers-cryptocurrency-stealing-browser-extension/109807/
Activity_of_DShield_Honeypot
LOW
+
—
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Activity_of_DShield_Honeypot
- Date of Scan:
- 2023-06-12
- Impact:
- LOW
- Summary:
- Researchers from SANS have reviewed the DShield honeypot stored the previous month. Also interesting is how the activity varies from week to week.
Source:
https://isc.sans.edu/diary/DShield+Honeypot+Activity+for+May+2023/29932/
A_SaaS_ransomware_attack_against_a_Sharepoint_365
LOW
+
—
—
- Intel Source:
- Obsidian
- Intel Name:
- A_SaaS_ransomware_attack_against_a_Sharepoint_365
- Date of Scan:
- 2023-06-12
- Impact:
- LOW
- Summary:
- Obsidian’s Threat Research team has observed a SaaS ransomware attack against a company’s Sharepoint Online (Microsoft 365) without using a compromised endpoint. Our team and product were leveraged post-compromise to determine the finer details of the attack.
Source:
https://www.obsidiansecurity.com/blog/saas-ransomware-observed-sharepoint-microsoft-365/
Truebot_Using_Cobalt_Strike_and_FlawedGrace
LOW
+
—
—
- Intel Source:
- DFIR Report
- Intel Name:
- Truebot_Using_Cobalt_Strike_and_FlawedGrace
- Date of Scan:
- 2023-06-12
- Impact:
- LOW
- Summary:
- The DFIR Report researchers have identified that Truebot is delivering through a Traffic Distribution System. This campaign, observed in May 2023, leveraged email for the initial delivery mechanism. After clicking through the link in an email, the victim would be redirected through a series of URLs before being presented with a file download at the final landing page.
Source:
https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/
RomCom_Group_Targeting_Politicians_in_Ukraine_and_US_Based_Healthcare
MEDIUM
+
—
—
- Intel Source:
- Blackberry
- Intel Name:
- RomCom_Group_Targeting_Politicians_in_Ukraine_and_US_Based_Healthcare
- Date of Scan:
- 2023-06-09
- Impact:
- MEDIUM
- Summary:
- Blackberry researchers have observed RomCom targeting politicians in Ukraine who are working closely with Western countries, and a U.S.-based healthcare company providing humanitarian aid to the refugees fleeing from Ukraine and receiving medical assistance in the U.S.
Source:
https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine
Caffeine_phishing_domains_and_patterns_still_active_despite_store_closure
LOW
+
—
—
- Intel Source:
- Cofense
- Intel Name:
- Caffeine_phishing_domains_and_patterns_still_active_despite_store_closure
- Date of Scan:
- 2023-06-09
- Impact:
- LOW
- Summary:
- Cofense researchers have observed an ongoing and evolving campaign of credential phishing activity has been detected, specifically targeting Microsoft Office 365 credentials. This campaign involves the distribution of fraudulent emails that aim to deceive recipients and trick them into divulging their Office 365 login credentials.
The_Details_About_Asylum_Ambuscade_Cybercrime_Group
LOW
+
—
—
- Intel Source:
- Welivesecurity
- Intel Name:
- The_Details_About_Asylum_Ambuscade_Cybercrime_Group
- Date of Scan:
- 2023-06-09
- Impact:
- LOW
- Summary:
- Researchers from Welivesecurity have analyzed the Asylum Ambuscade cybercrime group that has been performing cyberespionage operations on the side and provided details about the early 2022 espionage campaign and about multiple cybercrime campaigns in 2022 and 2023.
Source:
https://www.welivesecurity.com/2023/06/08/asylum-ambuscade-crimeware-or-cyberespionage/
North_African_Espionage_Attacks_Using_Stealth_Soldier_Backdoors
MEDIUM
+
—
—
- Intel Source:
- Checkpoint
- Intel Name:
- North_African_Espionage_Attacks_Using_Stealth_Soldier_Backdoors
- Date of Scan:
- 2023-06-09
- Impact:
- MEDIUM
- Summary:
- Check Point researchers have identified an ongoing operation against targets in North Africa involving a previously undisclosed multi-stage backdoor called Stealth Soldier. The malware Command and Control network is part of a larger set of infrastructure, used at least in part for spear-phishing campaigns against government entities.
GobRAT_malware_targeting_Linux_routers
MEDIUM
+
—
—
- Intel Source:
- JPCERT
- Intel Name:
- GobRAT_malware_targeting_Linux_routers
- Date of Scan:
- 2023-06-09
- Impact:
- MEDIUM
- Summary:
- JPCERT/CC has shared about attacks that infected routers in Japan with malware around February 2023. Their analyses blog gives the details of the attack confirmed by JPCERT/CC and GobRAT malware, which was used in the attack. Based on JPCERT analyses, the attack vector and target initially was a router whose WEBUI is open to the public, executes scripts possibly by using vulnerabilities, and finally infects the GobRAT
Dark_Pink_APT_Group_Return_With_5_Victims_in_New_Countries
LOW
+
—
—
- Intel Source:
- Group-IB
- Intel Name:
- Dark_Pink_APT_Group_Return_With_5_Victims_in_New_Countries
- Date of Scan:
- 2023-06-09
- Impact:
- LOW
- Summary:
- Group-IB researchers have identified new tools, exfiltration mechanisms, and victims in new industries, in countries that Dark Pink has never targeted before. It has continued to attack government, military, and non-profit organizations in the Asia-Pacific expanding its operations to Thailand and Brunei. Another victim, an educational sector organization, has also been identified in Belgium.
Hackers_Distributing_Malicious_Job_Application_Letters
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Hackers_Distributing_Malicious_Job_Application_Letters
- Date of Scan:
- 2023-06-08
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that malware disguised as a job application letter is continuously being distributed. This malware is equipped with a feature that checks for the presence of various antivirus processes.
Zero_Day_Flaw_in_Barracuda_Email_Security_Gateway_Appliances
MEDIUM
+
—
—
- Intel Source:
- Barracuda
- Intel Name:
- Zero_Day_Flaw_in_Barracuda_Email_Security_Gateway_Appliances
- Date of Scan:
- 2023-06-08
- Impact:
- MEDIUM
- Summary:
- Researchers from Barracuda have urged their customers who were impacted by a recently disclosed zero-day flaw in its Email Security Gateway (ESG) appliances to immediately replace them.
Source:
https://www.barracuda.com/company/legal/esg-vulnerability
The_Return_of_Vacation_Request_Phishing_Emails
LOW
+
—
—
- Intel Source:
- Cofense
- Intel Name:
- The_Return_of_Vacation_Request_Phishing_Emails
- Date of Scan:
- 2023-06-08
- Impact:
- LOW
- Summary:
- Cofense researchers have observed a phishing campaign where the threat actor sends an email to a user that claims to be from the ‘HR Department’ and provided the user with a link to submit their annual leave requests.
Source:
https://cofense.com/blog/summer-time-scams-the-return-of-vacation-request-phishing-emails/
Qakbot_Retool_Reinfect_Recycle
LOW
+
—
—
- Intel Source:
- Lumen
- Intel Name:
- Qakbot_Retool_Reinfect_Recycle
- Date of Scan:
- 2023-06-07
- Impact:
- LOW
- Summary:
- Lumen researchers observed recent Qakbot’s campaigns to see insights of their network structure, and gained key insights into the methods that support Qakbot’s reputation as an evasive and tenacious threat.
Source:
https://blog.lumen.com/qakbot-retool-reinfect-recycle/?utm_source=substack&utm_medium=email
The_Examination_of_TargetCompany_Ransomware
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_Examination_of_TargetCompany_Ransomware
- Date of Scan:
- 2023-06-07
- Impact:
- LOW
- Summary:
- TrendMicro researchers have identified that threat actors behind TargetCompany ransomware clarified that each major update of the ransomware entailed a change in the encryption algorithm and different decryptor characteristics. These are accompanied by a change in file name extensions, hence the evolution of names by which the ransomware group is known.
ITG10_Group_Targeting_South_Korean_Entities
LOW
+
—
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- ITG10_Group_Targeting_South_Korean_Entities
- Date of Scan:
- 2023-06-07
- Impact:
- LOW
- Summary:
- IBM Security researchers have uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware.
Source:
https://securityintelligence.com/posts/itg10-targeting-south-korean-entities/
North_Korean_TAG71_Group_Spoofs_Asian_and_US_Financial_Institutions
MEDIUM
+
—
—
- Intel Source:
- Recorded Future
- Intel Name:
- North_Korean_TAG71_Group_Spoofs_Asian_and_US_Financial_Institutions
- Date of Scan:
- 2023-06-07
- Impact:
- MEDIUM
- Summary:
- Recorded Future researchers have discovered malicious cyber threat activity spoofing several financial institutions and venture capital firms in Japan, Vietnam, and the United States. They refer to the group behind this activity as Threat Activity Group 71 (TAG-71). Also, identified 74 domains resolving to 5 IP addresses, as well as 6 malicious files, in the most recent cluster of activity from September 2022 to March 2023.
Source:
https://go.recordedfuture.com/hubfs/reports/cta-2023-0606.pdf
Hackers_Targeting_Korean_Users_via_Malicious_Document_Files
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Hackers_Targeting_Korean_Users_via_Malicious_Document_Files
- Date of Scan:
- 2023-06-07
- Impact:
- LOW
- Summary:
- Cyble researchers have discovered an ongoing campaign associated with the notorious ransomware group LockBit. It has once again embraced the approach of disseminating malware through malicious document files targeting Korean individuals. Notably, the group utilized the same template injection techniques to deliver their payload.
Source:
https://blog.cyble.com/2023/06/06/lockbit-ransomware-2-0-resurfaces/
New_Social_Engineering_Campaign_Aims_to_Steal_Credentials_and_Gather_Strategic_Intelligence
MEDIUM
+
—
—
- Intel Source:
- Sentinelone
- Intel Name:
- New_Social_Engineering_Campaign_Aims_to_Steal_Credentials_and_Gather_Strategic_Intelligence
- Date of Scan:
- 2023-06-06
- Impact:
- MEDIUM
- Summary:
- SentinelLabs researchers have tracked a social engineering campaign by the North Korean APT group Kimsuky targeting experts in North Korean affairs, part of a broader campaign discussed in a recent NSA advisory.
Cyberespionage_Against_Ukrainian_State_Bodies_and_Media
MEDIUM
+
—
—
- Intel Source:
- CERT-UA
- Intel Name:
- Cyberespionage_Against_Ukrainian_State_Bodies_and_Media
- Date of Scan:
- 2023-06-06
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have identified that files (.HTA, .EXE, .RAR, .LNK) are distributed by unknown persons using e-mail and instant messengers, the launch of which leads to damage to the victim’s computer by the LONEPAGE malicious program.
Hackers_Take_Over_Legitimate_Sites_to_Host_Credit_Card_Stealer_Scripts
LOW
+
—
—
- Intel Source:
- Akamai
- Intel Name:
- Hackers_Take_Over_Legitimate_Sites_to_Host_Credit_Card_Stealer_Scripts
- Date of Scan:
- 2023-06-06
- Impact:
- LOW
- Summary:
- Akamai researchers have observed a new Magecart credit card stealing campaign hijacks legitimate sites to act as “makeshift” command and control (C2) servers to inject and hide the skimmers on targeted eCommerce sites.
Source:
https://www.akamai.com/blog/security-research/new-magecart-hides-behind-legit-domains
MOVEit_Transfer_Critical_Vulnerability
LOW
+
—
—
- Intel Source:
- Huntress
- Intel Name:
- MOVEit_Transfer_Critical_Vulnerability
- Date of Scan:
- 2023-06-06
- Impact:
- LOW
- Summary:
- Researchers from Hunteers have investigated the exploitation of critical MOVEit transfer vulnerability CVE-2023-34362.
Source:
https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
Detection_and_Analysis_of_RedLine_Stealer
LOW
+
—
—
- Intel Source:
- Splunk
- Intel Name:
- Detection_and_Analysis_of_RedLine_Stealer
- Date of Scan:
- 2023-06-06
- Impact:
- LOW
- Summary:
- RedLine Stealer is a malware strain designed to steal sensitive information from compromised systems. It is typically distributed through phishing emails, social engineering tactics, and malicious URL links.
Diving_Deep_into_Red_Deer
LOW
+
—
—
- Intel Source:
- Perception Point
- Intel Name:
- Diving_Deep_into_Red_Deer
- Date of Scan:
- 2023-06-05
- Impact:
- LOW
- Summary:
- Researchers from Perception Point have deeply analyzed a malware campaign crafted specifically for the Israeli audience called Red Deer.
Source:
https://perception-point.io/blog/operation-red-deer/
Return_of_GuLoader_VBScript_Variant_with_PowerShell_Updates
LOW
+
—
—
- Intel Source:
- Esentire
- Intel Name:
- Return_of_GuLoader_VBScript_Variant_with_PowerShell_Updates
- Date of Scan:
- 2023-06-05
- Impact:
- LOW
- Summary:
- GuLoader is a sophisticated malware loader which has heavily abused tax-themed lures. TRU reported on ongoing GuLoader activity using tax-themed lures and decoy files TRU identified an updated VBScript GuLoader variant across multiple customers.
Source:
https://www.esentire.com/blog/guloader-vbscript-variant-returns-with-powershell-updates
Detection_of_Carbon_Black_TrueBot_Malware
LOW
+
—
—
- Intel Source:
- VMware
- Intel Name:
- Detection_of_Carbon_Black_TrueBot_Malware
- Date of Scan:
- 2023-06-05
- Impact:
- LOW
- Summary:
- VMware’s Carbon Black Managed Detection and Response (MDR) team began seeing a surge of TrueBot activity. TrueBot is under active development by Silence, with recent versions using a Netwrix vulnerability for delivery.
Source:
https://blogs.vmware.com/security/2023/06/carbon-blacks-truebot-detection.html
Analysis_of_XeGroups_Attack_Techniques_Detected
LOW
+
—
—
- Intel Source:
- Menlo Security
- Intel Name:
- Analysis_of_XeGroups_Attack_Techniques_Detected
- Date of Scan:
- 2023-06-05
- Impact:
- LOW
- Summary:
- XeGroup’s tactics, techniques, and procedures have been detailed in a report by Volexity, which suggests that the group may be associated with other cybercriminal organizations and may have links to state-sponsored hacking groups.
Chinese_Hackers_Using_Modified_Cobalt_Strike_Variant_to_Attack_Taiwanese_Critical_Infrastructure
LOW
+
—
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Chinese_Hackers_Using_Modified_Cobalt_Strike_Variant_to_Attack_Taiwanese_Critical_Infrastructure
- Date of Scan:
- 2023-06-05
- Impact:
- LOW
- Summary:
- EclecticIQ researchers have identified a malicious web server very likely operated by a Chinese threat actor used to target Taiwanese government entities, including critical infrastructure
The_Camaro_Dragon_Strikes_with_a_New_TinyNote_Backdoor
LOW
+
—
—
- Intel Source:
- Checkpoint
- Intel Name:
- The_Camaro_Dragon_Strikes_with_a_New_TinyNote_Backdoor
- Date of Scan:
- 2023-06-03
- Impact:
- LOW
- Summary:
- Checkpoint researchers have observed that a Chinese nation-stage group known as Camaro Dragon has been linked to yet another backdoor that’s designed to meet its intelligence-gathering goals.
Source:
https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/
Lancefly_APT_Targets_Governments_Aviation_and_Organizations_with_Custom_Backdoors
LOW
+
—
—
- Intel Source:
- Symantec
- Intel Name:
- Lancefly_APT_Targets_Governments_Aviation_and_Organizations_with_Custom_Backdoors
- Date of Scan:
- 2023-06-03
- Impact:
- LOW
- Summary:
- Researchers from Symantec have identified that Lancefly APT goup has been using custom backdoors for several years to target organizations in South and Southeast Asia.
Who_and_What_Threatens_the_World_Column_exe_malware
LOW
+
—
—
- Intel Source:
- ReversingLabs
- Intel Name:
- Who_and_What_Threatens_the_World_Column_exe_malware
- Date of Scan:
- 2023-06-02
- Impact:
- LOW
- Summary:
- The ReversingLabs research team has identified a novel attack on PyPI using compiled Python code to evade detection possibly the first attack to take advantage of PYC file direct execution.
New_unidentified_botnet_campaign_Horabot
LOW
+
—
—
- Intel Source:
- Talos
- Intel Name:
- New_unidentified_botnet_campaign_Horabot
- Date of Scan:
- 2023-06-02
- Impact:
- LOW
- Summary:
- Cisco Talos researchers have identified that unidentified botnet program Talos is calling “Horabot,” which delivers a known banking trojan and spam tool onto victim machines in a campaign.
Source:
https://blog.talosintelligence.com/new-horabot-targets-americas/
Previously_unknown_malware_attacked_IOS_devices
LOW
+
—
—
- Intel Source:
- Securelist
- Intel Name:
- Previously_unknown_malware_attacked_IOS_devices
- Date of Scan:
- 2023-06-02
- Impact:
- LOW
- Summary:
- During of monitoring the network traffic of Securelist corporate Wi-Fi network, the researchers observed suspicious activity that originated from several iOS-based phones. Beucase it was impossible to inspect modern iOS devices from the inside, the researchers created offline backups of the devices in question, inspected them using the Mobile Verification Toolkit’s mvt-ios and discovered traces of compromise. The called this campaign “Operation Triangulation”.
Source:
https://securelist.com/operation-triangulation/109842/
Operation_CMDStealer
LOW
+
—
—
- Intel Source:
- Blackberry
- Intel Name:
- Operation_CMDStealer
- Date of Scan:
- 2023-06-02
- Impact:
- LOW
- Summary:
- BlackBerry researchers have identified an unknown financially motivated threat actor, very likely from Brazil, is targeting Spanish- and Portuguese-speaking victims, with the goal of stealing online banking access. The victims are primarily in Portugal, Mexico, and Peru. This threat actor employs tactics such as LOLBaS (Living Off the Land Binaries and Scripts), along with CMD-based scripts to carry out its malicious activities.
Source:
https://blogs.blackberry.com/en/2023/05/cmdstealer-targets-portugal-peru-and-mexico
Operation_Magalenha
LOW
+
—
—
- Intel Source:
- Sentinelone
- Intel Name:
- Operation_Magalenha
- Date of Scan:
- 2023-06-02
- Impact:
- LOW
- Summary:
- SentinelLabs has been tracking a campaign over the rst quarter of 2023 targeting users of Portuguese nancial institutions, including government, government-backed, and private institutions.
SharpPanda_APT_Campaign_Expands
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- SharpPanda_APT_Campaign_Expands
- Date of Scan:
- 2023-06-02
- Impact:
- LOW
- Summary:
- Cyble reserachers observed an ongoing campaign by SharpPanda APT. Before, this APT group has a history of targeting government officials, particularly in Southeast Asian countries. This latest campaign specifically targets high-level government officials from G20 nations.
Source:
https://blog.cyble.com/2023/06/01/sharppanda-apt-campaign-expands-its-arsenal-targeting-g20-nations/
Distribution_of_Malware_Disguised_as_Hancom_Office_Document_File_Detected
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Distribution_of_Malware_Disguised_as_Hancom_Office_Document_File_Detected
- Date of Scan:
- 2023-06-01
- Impact:
- LOW
- Summary:
- AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of malware disguised as Hancom Office document files. The malware that is being distributed is named “Who and What Threatens the World (Column).exe” and is designed to deceive users by using an icon that is similar to that of Hancom Office.
The_attacks_against_Apache_NiFi
LOW
+
—
—
- Intel Source:
- ISC. SANS
- Intel Name:
- The_attacks_against_Apache_NiFi
- Date of Scan:
- 2023-06-01
- Impact:
- LOW
- Summary:
- On May 19th, Johannes Ullrich, ISC SANS analyst noted a rapid increase in requests like: Attacks Against Apache NiFi. Apache NiFi describes itself as “an easy-to-use, powerful, and reliable system to process and distribute data. For sure one actor is actively scanning the Internet for unprotected instances of Apache NiFi. That threat actor will add processors in Apache NiFi to either istall a crypto coin miner and then to perform lateral movement by searching the server for SSH credentials.
A_new_Quasar_variant_SeroXen_RAT
LOW
+
—
—
- Intel Source:
- AT&T
- Intel Name:
- A_new_Quasar_variant_SeroXen_RAT
- Date of Scan:
- 2023-06-01
- Impact:
- LOW
- Summary:
- AT&T Alien Labs researchers reviewed recent malicious samples, a new Quasar variant which was observed by Alien Labs in the wild -SeroXen. This new RAT is a modified branch of the open-source version, adding some modifications features to the original RAT.
Source:
https://cybersecurity.att.com/blogs/labs-research/seroxen-rat-for-sale
The_deeper_techniques_of_sLoad_Ramnit_and_drIBAN
LOW
+
—
—
- Intel Source:
- Cleafy
- Intel Name:
- The_deeper_techniques_of_sLoad_Ramnit_and_drIBAN
- Date of Scan:
- 2023-06-01
- Impact:
- LOW
- Summary:
- Cleafy analysts shared in their blog the deeper techniques that that made them connect sLoad, Ramnit, and drIBAN malwares. The analysts provided some Ramnit characteristics and the techniques used to perform the MiTB attack and deliver its injection kit.
Source:
https://www.cleafy.com/cleafy-labs/uncovering-driban-fraud-operations-chapter-2
The_connections_between_BlackSuit_and_Royal_ransomware
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_connections_between_BlackSuit_and_Royal_ransomware
- Date of Scan:
- 2023-06-01
- Impact:
- LOW
- Summary:
- Researchers from Trendmicro analyzed BlackSuit ransomware and how it compares to Royal Ransomware. Several researchers on Twitter discovered a new ransomware family called BlackSuit that targeted both Windows and Linux users. Some Twitter posts also mentioned connections between BlackSuit and Royal, which triggered Trendmicro reserchers interest. Trendmicro researchers shared in their blog the analyses of a Windows 32-bit sample of the ransomware from Twitter.
Gigabyte_App_Center_Backdoor_risk
LOW
+
—
—
- Intel Source:
- Eclypsium
- Intel Name:
- Gigabyte_App_Center_Backdoor_risk
- Date of Scan:
- 2023-06-01
- Impact:
- LOW
- Summary:
- Recently, the Eclypsium platform observed some suspicious backdoor behavior inside of Gigabyte systems. Their detectors detected new previously-unknown supply chain threats, where legitimate third-party technology products or updates have been compromised. The Eclypsium analysis discovered that firmware in Gigabyte systems is dropping and executing a Windows native executable file during the system startup process, and this executable one then downloads and executes additional payloads insecurely. It uses the same techniques as other OEM backdoor-like features like Computrace backdoor (a.k.a. LoJack DoubleAgent) abused by threat actors and even firmware implants such as Sednit LoJax, MosaicRegressor, Vector-EDK.
Source:
https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/
AceCryptor_cruptor_operation
LOW
+
—
—
- Intel Source:
- WeliveSecurity
- Intel Name:
- AceCryptor_cruptor_operation
- Date of Scan:
- 2023-05-31
- Impact:
- LOW
- Summary:
- ESET researchers shared details about a widespreaded cryptor, operating as a cryptor-as-a-service used by tens of malware families.
Source:
https://www.welivesecurity.com/2023/05/25/shedding-light-acecryptor-operation/
DocuSign_email_opens_to_script_based_infection
LOW
+
—
—
- Intel Source:
- ISC. SANS
- Intel Name:
- DocuSign_email_opens_to_script_based_infection
- Date of Scan:
- 2023-05-31
- Impact:
- LOW
- Summary:
- SomeTwitter user @0xToxin has discovered malicious emails imitating DocuSign with HTML attachments recently.
CryptoClippy_actively_expanding_its_capabilities
LOW
+
—
—
- Intel Source:
- Intezer
- Intel Name:
- CryptoClippy_actively_expanding_its_capabilities
- Date of Scan:
- 2023-05-31
- Impact:
- LOW
- Summary:
- Intezer analysts shared the details of the indication that the threat actors behind CryptoClippy are actively expanding its capabilities, now targeting a broader range of payment services commonly used in Brazil.
Source:
https://intezer.com/blog/research/cryptoclippy-evolves-to-pilfer-more-financial-data/
ChatGPT_safisticated_Phishing_Scam
LOW
+
—
—
- Intel Source:
- Inky
- Intel Name:
- ChatGPT_safisticated_Phishing_Scam
- Date of Scan:
- 2023-05-31
- Impact:
- LOW
- Summary:
- The Inky reserachers observed that cybercriminals have begun impersonating the brand in a sophisticated personalized phishing campaign ChatGPT whose impersonation fuels a Clever Phishing Scam.
Source:
https://www.inky.com/en/blog/fresh-phish-chatgpt-impersonation-fuels-a-clever-phishing-scam
Ducktail_Malware_targets_a_high_profile_accounts
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Ducktail_Malware_targets_a_high_profile_accounts
- Date of Scan:
- 2023-05-30
- Impact:
- LOW
- Summary:
- Recently Cyble researchers recently discovered Ducktail malware that targets specifically Marketing and HR professionals. The malware is designed to extract browser cookies and take advantage of social media sessions to steal sensitive information from the victim’s Social Media account. The malware operation purpose is to gain control of Social Media Business accounts with adequate access privileges. TAs then use their acquired access to conduct advertisements for their financial gain.
Chinese_APT_Group_BRONZE_SILHOUETTE_Targeting_US_Government_and_Defense_Organizations
MEDIUM
+
—
—
- Intel Source:
- NSA / Secureworks
- Intel Name:
- Chinese_APT_Group_BRONZE_SILHOUETTE_Targeting_US_Government_and_Defense_Organizations
- Date of Scan:
- 2023-05-30
- Impact:
- MEDIUM
- Summary:
- SecureWorks researchers have discovered a cluster of activity of interest associated with a People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon. Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide.
The_Invicta_Stealer_Spreading
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- The_Invicta_Stealer_Spreading
- Date of Scan:
- 2023-05-30
- Impact:
- LOW
- Summary:
- Cyble researcher Lab team discovered a new stealer called Invicta Stealer. The developer who is in charge of this malware is heavy involved on social media platforms, utilizing them to promote their information stealer and its lethal capabilities.
Source:
https://blog.cyble.com/2023/05/25/invicta-stealer-spreading-through-phony-godaddy-refund-invoices/
Obsidian_ORB_Ransomware_Demanding_Payment_With_Gift_Cards
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Obsidian_ORB_Ransomware_Demanding_Payment_With_Gift_Cards
- Date of Scan:
- 2023-05-30
- Impact:
- LOW
- Summary:
- Cyble researchers have come across a new and unique ransomware strain named Obsidian ORB. Extensive analysis has revealed compelling evidence that suggests a significant correlation between Obsidian ORB Ransomware and the underlying source code of the notorious Chaos ransomware.
Source:
https://blog.cyble.com/2023/05/25/obsidian-orb-ransomware-demands-gift-cards-as-payment/
Hackers_Targeting_Users_of_Portuguese_Financial_Institutions
MEDIUM
+
—
—
- Intel Source:
- Sentinelone
- Intel Name:
- Hackers_Targeting_Users_of_Portuguese_Financial_Institutions
- Date of Scan:
- 2023-05-29
- Impact:
- MEDIUM
- Summary:
- SentinelOne researchers have observed a campaign targeting users of Portuguese financial institutions conducted by a Brazilian threat group. The attackers can steal credentials and exfiltrate users’ data and personal information, which can be leveraged for malicious activities beyond financial gain.
Legion_Malware_Targeting_SSH_Servers_and_AWS_Credentials
LOW
+
—
—
- Intel Source:
- CADO Security
- Intel Name:
- Legion_Malware_Targeting_SSH_Servers_and_AWS_Credentials
- Date of Scan:
- 2023-05-29
- Impact:
- LOW
- Summary:
- CADO security researchers have identified an updated version of the commodity malware called Legion comes with expanded features to compromise SSH servers and Amazon Web Services (AWS) credentials associated with DynamoDB and CloudWatch.
Source:
https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/
Phishing_Delivering_via_Encrypted_Messages
MEDIUM
+
—
—
- Intel Source:
- Trustwave
- Intel Name:
- Phishing_Delivering_via_Encrypted_Messages
- Date of Scan:
- 2023-05-28
- Impact:
- MEDIUM
- Summary:
- Trustwave researchers have observed phishing attacks that use a combination of compromised Microsoft 365 accounts and .rpmsg encrypted emails to deliver the phishing message.
Ongoing_Kimsuky_Campaign_Utilizing_Custom_Reconnaissance_Toolkit
MEDIUM
+
—
—
- Intel Source:
- Sentilone
- Intel Name:
- Ongoing_Kimsuky_Campaign_Utilizing_Custom_Reconnaissance_Toolkit
- Date of Scan:
- 2023-05-27
- Impact:
- MEDIUM
- Summary:
- SentinelLabs have tracking a targeted campaign against information services, as well as organizations supporting human rights activists and defectors in relation to North Korea. The campaign focuses on file reconnaissance, and exfiltrating system and hardware information, laying the groundwork for subsequent precision attacks.
Source:
https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/
Resurgence_of_Vacation_Request_Phishing_Emails_in_Summer_Time_Scams
LOW
+
—
—
- Intel Source:
- Cofense
- Intel Name:
- Resurgence_of_Vacation_Request_Phishing_Emails_in_Summer_Time_Scams
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- Cofense researchers have observed a phishing campaign where the threat actor sent an email to a user that claimed to be from the HR Department’ and provided the user with a link to submit their annual leave requests.
Source:
https://cofense.com/blog/summer-time-scams-the-return-of-vacation-request-phishing-emails/
The_Technical_Examination_of_Pikabot
LOW
+
—
—
- Intel Source:
- Zscaler
- Intel Name:
- The_Technical_Examination_of_Pikabot
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have identified a new malware trojan named Pikabot which emerged in early 2023 that consists of two components a loader and a core module.
Source:
https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot
Link_Found_Between_Korean_VPN_Installations_and_MeshAgent_Infections
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Link_Found_Between_Korean_VPN_Installations_and_MeshAgent_Infections
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- AhnLab Security Emergency response Center (ASEC) has previously covered the case where SparkRAT was distributed contained within a Korean VPN’s installer in the post, “SparkRAT Being Distributed Within a Korean VPN Installer”[1]. This VPN was commonly installed by Chinese users who required better access to the Internet, and the problem was addressed after the blog post was uploaded.
Israeli_Logistics_Industry_attacked_by_hackers
LOW
+
—
—
- Intel Source:
- ClearSky
- Intel Name:
- Israeli_Logistics_Industry_attacked_by_hackers
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- ClearSky Cyber Security reserachers has discovered a watering hole attack on at least eight Israeli websites. The attack most likely was orchestrated by a nation-state actor from Iran, with some attribution to Tortoiseshell (also called TA456 or Imperial Kitten). The Infected sites collect preliminary user information through a script. W
COSMICENERGY_new_OT_Malware_related_to_Russia
MEDIUM
+
—
—
- Intel Source:
- Mandiant
- Intel Name:
- COSMICENERGY_new_OT_Malware_related_to_Russia
- Date of Scan:
- 2023-05-27
- Impact:
- MEDIUM
- Summary:
- Mandiant discovered a new operational technology (OT) / industrial control system (ICS) malware, which was recognized as COSMICENERGY, uploaded by threat actor in Russia. The malware is capable of to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia.
Source:
https://www.mandiant.com/resources/blog/cosmicenergy-ot-malware-russian-response
Volt_Typhoon_stealthy_activity
HIGH
+
—
—
- Intel Source:
- Microsoft, CISA
- Intel Name:
- Volt_Typhoon_stealthy_activity
- Date of Scan:
- 2023-05-27
- Impact:
- HIGH
- Summary:
- Microsoft has discovered sneaky and malicious activity that targets on credential access and network system discovery attacking critical infrastructure organizations in the United States. The attack is carried out by Volt Typhoon, a state-sponsored actor based in China that focuses on espionage and information stealing. Microsoft is sure that this Volt Typhoon campaign is targeting development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.
Israeli_Logistics_Industry_targeted_by_hackers
LOW
+
—
—
- Intel Source:
- ClearSky
- Intel Name:
- Israeli_Logistics_Industry_targeted_by_hackers
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- ClearSky Cyber Security reserachers has discovered a watering hole attack on at least eight Israeli websites. The attack most likely was orchestrated by a nation-state actor from Iran, with some attribution to Tortoiseshell (also called TA456 or Imperial Kitten). The Infected sites collect preliminary user information through a script.
Return_of_BlackByte_Ransomware_with_New_Technology_Version
LOW
+
—
—
- Intel Source:
- Cluster25
- Intel Name:
- Return_of_BlackByte_Ransomware_with_New_Technology_Version
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- Cluster25 Threat Intel Team have identified that BlackByte is a Ransomware-as-a-Service group that is known for the use of the homonymous malware that is constantly updated and spread in different variants. The team used the above function in a IDAPython script that allowed to retrieve all invocations to the functions responsible for the dynamic loading of the APIs in order to continue with the static analysis of the malware.
Source:
https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt
Agrius_threat_actor_attacks_against_Israel
MEDIUM
+
—
—
- Intel Source:
- Checkpoint
- Intel Name:
- Agrius_threat_actor_attacks_against_Israel
- Date of Scan:
- 2023-05-27
- Impact:
- MEDIUM
- Summary:
- A threat actor Agrius who is believed Iranian keep trying to attack against Israeli targets, hiding destructive impact of ransomware attacks.Recently the group deployed Moneybird, a new ransomware written in C++. Despite calling themselves as a new group name– Moneybird, this is yet another Agrius alias.
Over_200_Corporate_Victims_Hit_by_New_Ransomware_Wave
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Over_200_Corporate_Victims_Hit_by_New_Ransomware_Wave
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs (CRIL) discovered the increasing adoption of double extortion by ransomware groups is an alarming trend. We are witnessing a surge in ransomware attacks that not only encrypt valuable corporate data but also involve the threat of public exposure unless the attackers’ demands are fulfilled.
Source:
https://blog.cyble.com/2023/05/23/new-ransomware-wave-engulfs-over-200-corporate-victims/
Cyber_Crime_Forum_Offers_DDoS_As_A_Service_by_Russian_Hacktivists
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Cyber_Crime_Forum_Offers_DDoS_As_A_Service_by_Russian_Hacktivists
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs (CRIL) has made a significant discovery on a cybercrime forum – a newly identified malware strain called “MDBotnet.” Our analysis suggests that this malware is believed to originate from a Threat Actor (TA) linked to Russia.
Source:
https://blog.cyble.com/2023/05/23/new-mdbotnet-unleashes-ddos-attacks/
Raccoon_and_Vidar_Stealers_Spreading_Fake_Cracked_Software
MEDIUM
+
—
—
- Intel Source:
- Sekoia
- Intel Name:
- Raccoon_and_Vidar_Stealers_Spreading_Fake_Cracked_Software
- Date of Scan:
- 2023-05-26
- Impact:
- MEDIUM
- Summary:
- Sekoia researchers have identified the infection chain that is using about a hundred fake cracked software catalog websites that redirect to several links before downloading the payload hosted on file share platforms, such as GitHub.
Diving_Deep_into_GoldenJackal_APT_Group
LOW
+
—
—
- Intel Source:
- Securelist
- Intel Name:
- Diving_Deep_into_GoldenJackal_APT_Group
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- Securelist researchers have monitored the GoldenJackal APT Group since mid-2020 and have observed a constant level of activity that indicates a capable and stealthy actor. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo, and JackalScreenWatcher.
Source:
https://securelist.com/goldenjackal-apt-group/109677/
Distribution_of_DarkCloud_Infostealer_Through_Spam_Emails_Detected
LOW
+
—
—
- Intel Source:
- Checkpoint
- Intel Name:
- Distribution_of_DarkCloud_Infostealer_Through_Spam_Emails_Detected
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- Checkpoint researchers have identified that malware developers strive to create new threats that can bypass the defenses of antivirus products. “Packing” and “crypting” services are specifically designed to resist analysis. GuLoader is one of the most prominent services cybercriminals use to evade antivirus detection.
Source:
https://research.checkpoint.com/2023/cloud-based-malware-delivery-the-evolution-of-guloader/
StrelaStealer_Malware_Targeting_Spanish_Users
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- StrelaStealer_Malware_Targeting_Spanish_Users
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- ASEC researchers have observed that the StrelaStealer Infostealer is distributed to Spanish users. It was initially discovered around November 2022 and distributed as an attachment to spam emails.
Lazarus_Group_Targeting_Windows_IIS_Web_Servers
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Lazarus_Group_Targeting_Windows_IIS_Web_Servers
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that the Lazarus group is known to receive support on a national scale, carrying out attacks against Windows IIS web servers.
Espionage_Activity_UAC_0063
LOW
+
—
—
- Intel Source:
- CERT-UA
- Intel Name:
- Espionage_Activity_UAC_0063
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- CERT-UA researchers have observed that on 04/18/2023 and 04/20/2023, e-mails were sent to the department’s e-mail address from the official mailbox of the Embassy of Tajikistan in Ukraine (probably as a result of the latter being compromised), the first of which contained an attachment in the form of a document with a macro, and the second – reference to the same document.
Distribution_of_DarkCloud_Infostealer_Through_Spam_Emails
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Distribution_of_DarkCloud_Infostealer_Through_Spam_Emails
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the DarkCloud malware is distributed via spam email. It is an Infostealer that steals account credentials saved on infected systems, and the threat actor installed ClipBanker alongside DarkCloud.
Middle_East_Targeted_by_New_Kernel_Driver_Exploit
LOW
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- Middle_East_Targeted_by_New_Kernel_Driver_Exploit
- Date of Scan:
- 2023-05-24
- Impact:
- LOW
- Summary:
- Fortinet researchers have discovered suspicious executables that make use of open-source tools and frameworks. One of the things that we keep an eye out for is tools that use the Donut project. Donut is a position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters.
Source:
https://www.fortinet.com/blog/threat-research/wintapix-kernal-driver-middle-east-countries
BatLoader_Campaign_Impersonates_ChatGPT_and_Midjourney_to_Deliver_Redline_Stealer
LOW
+
—
—
- Intel Source:
- Esentire
- Intel Name:
- BatLoader_Campaign_Impersonates_ChatGPT_and_Midjourney_to_Deliver_Redline_Stealer
- Date of Scan:
- 2023-05-22
- Impact:
- LOW
- Summary:
- Esentire researchers have observed threat actors are using BatLoader in the form of MSIX Windows App Installer files to deliver the Redline Stealer.
Source:
https://www.esentire.com/blog/batloader-impersonates-midjourney-chatgpt-in-drive-by-cyberattacks
IcedID_Macro_Ends_in_Nokoyawa_Ransomware
LOW
+
—
—
- Intel Source:
- DFIR Report
- Intel Name:
- IcedID_Macro_Ends_in_Nokoyawa_Ransomware
- Date of Scan:
- 2023-05-22
- Impact:
- LOW
- Summary:
- Researchers from DFIR Report have identified an incident taking place during Q4 of 2022 consisting of threat actors targeting Italian organizations with Excel maldocs that deploy IcedID. The threat actors deploying such a campaign may hope to target organizations who have not updated their Microsoft Office deployments after the newly released patches to block macros on documents downloaded from the internet.
Source:
https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
New_Signed_Kernel_Driver_Deployed_BlackCat_Ransomware
MEDIUM
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- New_Signed_Kernel_Driver_Deployed_BlackCat_Ransomware
- Date of Scan:
- 2023-05-22
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have analyzed the BlackCat ransomware incident that occurred in February 2023, where they observed a new capability, mainly used for the defense evasion phase, that overlaps with the earlier malicious drivers disclosed by the three vendors.
Hackers_Targeting_Vulnerable_WordPress_Elementor_plugin_Versions
LOW
+
—
—
- Intel Source:
- Wordfence
- Intel Name:
- Hackers_Targeting_Vulnerable_WordPress_Elementor_plugin_Versions
- Date of Scan:
- 2023-05-22
- Impact:
- LOW
- Summary:
- Wordfence researchers have identified Several versions of the WordPress plugin Essential Addons for Elementor impacted by the now-addressed critical CVE-2023-32243 vulnerability are being actively scanned and targeted by threat actors following the release of proof-of-concept exploit.
Brute_Ratel_remains_rare_and_targeted
LOW
+
—
—
- Intel Source:
- Sophos
- Intel Name:
- Brute_Ratel_remains_rare_and_targeted
- Date of Scan:
- 2023-05-19
- Impact:
- LOW
- Summary:
- The commercial attack tool’s use by threat actors has faded after an initial flurry, while Cobalt Strike remains the go-to post-exploitation tool for many.
Source:
https://news.sophos.com/en-us/2023/05/18/the-phantom-menace-brute-ratel-remains-rare-and-targeted/
CapCut_s_Video_to_Deliver_Multiple_Stealers
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- CapCut_s_Video_to_Deliver_Multiple_Stealers
- Date of Scan:
- 2023-05-19
- Impact:
- LOW
- Summary:
- Cyble Researchers recently discovered a couple of phishing websites disguised as video editing software. These ffake sites lure users into downloading and executing various types of malware families such as stealers, RAT, etc. In these campaigns, Threat Actors targeted the CapCut video editing tool, a product of ByteDance, the same parent company that owns TikTok.
Source:
https://blog.cyble.com/2023/05/19/capcut-users-under-fire/
AndoryuBot_s_DDOS_wild_behavior
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- AndoryuBot_s_DDOS_wild_behavior
- Date of Scan:
- 2023-05-19
- Impact:
- LOW
- Summary:
- The Cyble group observed active exploitation of CVE-2023-25717 and deployment of AndoryuBot. This incident indicates that Threat Actors are actively looking for vulnerable Ruckus assets for exploitation purposes. AndoryuBot is a new Botnet malware sold on Telegram on a subscription basis. The deployment of such malware by TAs allows them to orchestrate large-scale DDoS attacks, which can overwhelm targeted servers and infrastructure by flooding them with a massive volume of traffic.
Source:
https://blog.cyble.com/2023/05/17/andoryubots-ddos-rampage/
Distributing_DarkCrystal_RAT_by_fake_Desktop_Authenticator_App
LOW
+
—
—
- Intel Source:
- Bushidotoken
- Intel Name:
- Distributing_DarkCrystal_RAT_by_fake_Desktop_Authenticator_App
- Date of Scan:
- 2023-05-19
- Impact:
- LOW
- Summary:
- The Bushitoken reseracher recently discovered an threat actor campaign that is using fake websites to distribute malware. It seems like this TTP to be on the rise. A suspected Russia-based threat actor tried to duplicate the website of a legitimate open-source desktop app called Steam Desktop Authenticator which is simply a convenient desktop version of the mobile authenticator app.
Source:
https://blog.bushidotoken.net/2023/05/fake-steam-desktop-authenticator-app.html
TurkoRat_found_hiding_in_the_npm_package
LOW
+
—
—
- Intel Source:
- Reversing Labs
- Intel Name:
- TurkoRat_found_hiding_in_the_npm_package
- Date of Scan:
- 2023-05-19
- Impact:
- LOW
- Summary:
- ReversingLabs researchers found two malicious packages that contained TurkoRat, an open source infostealer that lurked on npm for two months before being detected.
Source:
https://www.reversinglabs.com/blog/rats-found-hiding-in-the-npm-attic
The_attackers_used_email_security_providers_for_spreading_phishing_attacks
LOW
+
—
—
- Intel Source:
- Cofense
- Intel Name:
- The_attackers_used_email_security_providers_for_spreading_phishing_attacks
- Date of Scan:
- 2023-05-18
- Impact:
- LOW
- Summary:
- Threat actors more often send malicious URLs within HTML attachments, which makes it more challenging for Secure Email gateways (SEGs) to block them. The Phishing Defence Centre did their analyses on a phishing campaign impersonating email security provider to trap recipients into providing their user credentials via malicious HTML attachment.
BlackSuit_Ransomware_ragets_VMware_ESXi_servers
HIGH
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- BlackSuit_Ransomware_ragets_VMware_ESXi_servers
- Date of Scan:
- 2023-05-18
- Impact:
- HIGH
- Summary:
- Cyble researchers from Labs observed an increase in the number of ransomware groups such as Cylance and Royal ransomware. The widespread use of Linux makes it an appealing target for ransomware groups, as a single attack can potentially compromise numerous systems.
Source:
https://blog.cyble.com/2023/05/12/blacksuit-ransomware-strikes-windows-and-linux-users/
The_exploitation_of_critical_vulnerability_CVE_2023_32243
HIGH
+
—
—
- Intel Source:
- Wordfence
- Intel Name:
- The_exploitation_of_critical_vulnerability_CVE_2023_32243
- Date of Scan:
- 2023-05-18
- Impact:
- HIGH
- Summary:
- Recently, Essential Addons for Elementor, a WordPress plugin had a released a patch for a critical vulnerability which is capable for any unauthenticated user to reset arbitrary user passwords, including user accounts with administrative-level access. This vulnerability was discovered and responsibly disclosed by security researcher Rafie Muhammed.
The_analysis_of_QakBot_Infrastructure
MEDIUM
+
—
—
- Intel Source:
- Team Cymru
- Intel Name:
- The_analysis_of_QakBot_Infrastructure
- Date of Scan:
- 2023-05-18
- Impact:
- MEDIUM
- Summary:
- Team Cymru shared their research about their analysis of QakBot is full of various hypotheses being identified and tested. Their key findings are QakBot C2 servers are not separated by affiliate ID, QakBot C2 servers from older configurations continue to communicate with upstream C2 servers months after being used in campaigns and Identification of three upstream C2 servers located in Russia, two of which behave similarly based on network telemetry patterns and the geolocations of the bot C2s communicating with them.
Source:
https://www.team-cymru.com/post/visualizing-qakbot-infrastructure
The_Korean_VPN_installer_is_being_used_to_distribute_SparkRAT
MEDIUM
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- The_Korean_VPN_installer_is_being_used_to_distribute_SparkRAT
- Date of Scan:
- 2023-05-18
- Impact:
- MEDIUM
- Summary:
- AhnLab Security Emergency response Center (ASEC) has recently discovered SparkRAT being distributed within the installer of a certain VPN program. SparkRAT is a Remote Administration Tool (RAT) developed with GoLang. When installed on a user’s system, it can perform a variety of malicious behaviors, such as executing commands remotely, controlling files and processes, downloading additional payloads, and collecting information from the infected system like by taking screenshots.
Joint_Cybersecurity_Advisory_on_BianLian_Ransomware_Group
MEDIUM
+
—
—
- Intel Source:
- CISA
- Intel Name:
- Joint_Cybersecurity_Advisory_on_BianLian_Ransomware_Group
- Date of Scan:
- 2023-05-18
- Impact:
- MEDIUM
- Summary:
- The FBI, CISA and Australian Cyber Security Centre (ACSC) released the joint Cybersecurity Advisory to disseminate known BianLian ransomware and data extortion group IOCs and TTPs identified through FBI and ACSC investigations back in March 2023. BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development.
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a
Malicious_Python_Packages_via_Supply_Chain_Attacks
MEDIUM
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- Malicious_Python_Packages_via_Supply_Chain_Attacks
- Date of Scan:
- 2023-05-17
- Impact:
- MEDIUM
- Summary:
- The FortiGuard Labs team discovered over 30 new zero-day attacks in PyPI packages (Python Package Index). These were found between late March and late April by monitoring an open-source ecosystem.
The_Lancefly_APT_group_using_Merdoor_backdoor
MEDIUM
+
—
—
- Intel Source:
- Symantec
- Intel Name:
- The_Lancefly_APT_group_using_Merdoor_backdoor
- Date of Scan:
- 2023-05-17
- Impact:
- MEDIUM
- Summary:
- The Lancefly (APT) group is attacking and target organizations in South and Southeast Asiausing with a custom-written backdoor. Lancefly’s custom malware is named Merdoor, is a powerful backdoor that existed since 2018. The recent targets lately are based in South and Southeast Asia, attacking areas including government, aviation, education, and telecoms. Symantec researchers observed that activity also appeared to be highly targeted, with only a small number of machines infected.
Uncovering_RedStinger_new
MEDIUM
+
—
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Uncovering_RedStinger_new
- Date of Scan:
- 2023-05-17
- Impact:
- MEDIUM
- Summary:
- During the conflict between Russia and Ukraine began last year, there is a not only political conflict, there is no surprise that the cybersecurity landscape between these two countries has also been tense. The former reseracher from Malwarebytes Threat Intelligence Team discovered a new interesting bait that targeted the Eastern Ukraine region and reported that finding to the public and tracked this actor as Red Stinger. These findings remained private for a while, but Kaspersky recently shared information about the same actor (who it called Bad Magic).
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger
New_8220_Gang_Strategies
MEDIUM
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- New_8220_Gang_Strategies
- Date of Scan:
- 2023-05-17
- Impact:
- MEDIUM
- Summary:
- Reserachers documentedon the gang’s recent activities of 8220 Gang who has been active in recent months. Researchers shared in their article aboutk observed attack exploiting the Oracle WebLogic vulnerability CVE-2017-3506 captured by one of our honeypots. This vulnerability, with a CVSS score of 7.4, impacts the WLS Security Component of Oracle WebLogic, and when exploited can enable attackers to execute arbitrary commands through an HTTP request remotely with a specifically crafted XML document.
Source:
https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html
The_Water_Orthrus_s_New_Campaigns
MEDIUM
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_Water_Orthrus_s_New_Campaigns
- Date of Scan:
- 2023-05-17
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have been monitoring the activities of a threat actor named Water Orthrus, which spreaded CopperStealer malware via pay-per-install (PPI) networks. In March 2023, we observed two campaigns delivering new malware that we named CopperStealth and CopperPhish. Both malware have characteristics that are close to those of CopperStealer and are likely developed by the same author, leading the researchers believe that these campaigns are likely Water Orthrus’ new activities.
Ongoing_Phishing_Campaign_uses_Meme_Filled_Code_to_Drop_XWorm_Payloads
MEDIUM
+
—
—
- Intel Source:
- Securonix
- Intel Name:
- Ongoing_Phishing_Campaign_uses_Meme_Filled_Code_to_Drop_XWorm_Payloads
- Date of Scan:
- 2023-05-16
- Impact:
- MEDIUM
- Summary:
- Last couple months was observed an interesting and ongoing attack campaign which was identified and tracked by the Securonix Threat Research team. The attack campaign (tracked by Securonix as MEME#4CHAN) was leveraging rather unusual meme-filled PowerShell code, followed by a heavily obfuscated XWorm payload to infect its victims. Securonix dived into this campaign by taking an in-depth technical analysis.
Source:
https://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/
A_new_ransomware_variant_Rancoz
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- A_new_ransomware_variant_Rancoz
- Date of Scan:
- 2023-05-16
- Impact:
- LOW
- Summary:
- This month Cyble researchers onserved a ransomware variant called Rancoz, that was identified by a researcher @siri_urz. During the investigation, it has been observed that this ransomware is similar and overlaps with the Vice Society ransomware.
Source:
https://blog.cyble.com/2023/05/11/dissecting-rancoz-ransomware/
Eastern_European_APT_Cyber_Operations_Undetected_Since_2020
LOW
+
—
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Eastern_European_APT_Cyber_Operations_Undetected_Since_2020
- Date of Scan:
- 2023-05-16
- Impact:
- LOW
- Summary:
- Malwarebytes researchers have discovered a new interesting lure that targeted the Eastern Ukraine region and reported that finding to the public. Moreover, we started tracking the actor behind it, which we internally codenamed Red Stinger.
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger
LokiLocker_Ransomware_Distributed_in_Korea
MEDIUM
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- LokiLocker_Ransomware_Distributed_in_Korea
- Date of Scan:
- 2023-05-16
- Impact:
- MEDIUM
- Summary:
- AhnLab Security Emergency response Center(ASEC) has confirmed the distribution of the LokiLocker ransomware in Korea. This ransomware is almost identical to the BlackBit ransomware and their common traits
The_Aurora_stealer_via_Invalid_Printer_loader
LOW
+
—
—
- Intel Source:
- Malware Bytes
- Intel Name:
- The_Aurora_stealer_via_Invalid_Printer_loader
- Date of Scan:
- 2023-05-16
- Impact:
- LOW
- Summary:
- Malware Bytes Lab shared their discovery about this malicious campaing and its connections to other attacks. They discovered that a threat actor was using malicious ads to redirect users to what looks like a Windows security update. The scheme looked very legit ans very much resembled what you’d expect from Microsoft. That fake security update was using a newly identified loader that at the time of the campaign was oblivious to malware sandboxes and bypassed practically all antivirus engines. Malware Bytes Lab tool patched that loader and identified its actual payload as Aurora stealer.
Maori_Ransomware
MEDIUM
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- Maori_Ransomware
- Date of Scan:
- 2023-05-16
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs recently came across a new ransomware variant called Maori. Like other ransomware variants, it encrypts files on victims’ machines to extort money. Interestingly, this variant is designed to run on Linux architecture and is coded in Go, which is somewhat rare and increases the analysis difficulty
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-maori?&web_view=true
An_In_Depth_Look_at_Akira_Ransomware
MEDIUM
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- An_In_Depth_Look_at_Akira_Ransomware
- Date of Scan:
- 2023-05-16
- Impact:
- MEDIUM
- Summary:
- Cyble researchers have come across a Reddit post about a new ransomware variant named “Akira”, actively targeting numerous organizations and exposing their sensitive data. To increase the chances of payment from victims, Akira ransomware exfiltrates and encrypts their data using a double-extortion technique. The attackers then threaten to sell or leak the stolen data on the dark web if the ransom is not paid for decrypting the data.
Source:
https://blog.cyble.com/2023/05/10/unraveling-akira-ransomware/
A_new_undetected_variant_of_Linux_Backdoor_BPFDoor
MEDIUM
+
—
—
- Intel Source:
- Deep Instinct Blog
- Intel Name:
- A_new_undetected_variant_of_Linux_Backdoor_BPFDoor
- Date of Scan:
- 2023-05-15
- Impact:
- MEDIUM
- Summary:
- BPFdoor is a Linux-specific, low-profile, passive backdoor intended to maintain a persistent, long-term foothold in already-breached networks and environments and functions primarily to ensure an attacker can re-enter an infected system over an extended period of time, post-compromise.
Source:
https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
Exploitation_of_CVE_2023_27350
LOW
+
—
—
- Intel Source:
- CISA
- Intel Name:
- Exploitation_of_CVE_2023_27350
- Date of Scan:
- 2023-05-14
- Impact:
- LOW
- Summary:
- The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-27350. This vulnerability occurs in certain versions of PaperCut NG and PaperCut MF and enables an unauthenticated actor to execute malicious code remotely without credentials.
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a
Analysis_of_a_evasive_Shellcode
LOW
+
—
—
- Intel Source:
- Mcafee
- Intel Name:
- Analysis_of_a_evasive_Shellcode
- Date of Scan:
- 2023-05-14
- Impact:
- LOW
- Summary:
- McAfee researchers have observed a NSIS-based installers delivered via E-mail as malspam that use plugin libraries to execute the GU shellcode on the victim system
ASEC_Weekly_Statistics_May_1_7th_2023
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Statistics_May_1_7th_2023
- Date of Scan:
- 2023-05-13
- Impact:
- LOW
- Summary:
- ASEC lab researchers continiusly monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. Their post shares the cases of distribution of phishing emails during the week from April 9th, 2023 to April 15st, 2023 and provide statistical information on each type.
A_cybercriminal_group_attempted_an_extortion_scheme_against_Dragos
LOW
+
—
—
- Intel Source:
- Dragos
- Intel Name:
- A_cybercriminal_group_attempted_an_extortion_scheme_against_Dragos
- Date of Scan:
- 2023-05-13
- Impact:
- LOW
- Summary:
- Last week, an known hacker group tried and didn’t have a success at an extortion scheme against Dragos. Nothing was breached at Dragos systems, including anything related to the Dragos Platform. Dragos has shared what happened during a recent incident of failed extortion scheme against them – Dragos. The cybercriminal group attempted to compromise Drago’s information resources. The criminal group got access by compromising the personal email address of a new sales employee prior to their start date, and subsequently used their personal information to impersonate the Dragos employee and accomplish initial steps in the employee onboarding process.
Source:
https://www.dragos.com/blog/deconstructing-a-cybersecurity-event/
Threat_Actors_Build_ESXi_Lockers_Using_Leaked_Babuk_Code
MEDIUM
+
—
—
- Intel Source:
- Sentinelone
- Intel Name:
- Threat_Actors_Build_ESXi_Lockers_Using_Leaked_Babuk_Code
- Date of Scan:
- 2023-05-13
- Impact:
- MEDIUM
- Summary:
- SentinelLabs researchers have identified unexpected connections between ESXi ransomware families, exposing likely relationships between Babuk and more illustrious operations like Conti and REvil.
An_Expansion_of_RapperBot_DDoS_Botnet_into_Cryptojacking
LOW
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- An_Expansion_of_RapperBot_DDoS_Botnet_into_Cryptojacking
- Date of Scan:
- 2023-05-12
- Impact:
- LOW
- Summary:
- FortiGate researchers have analyzed new samples of the RapperBot campaign active since January 2023. The threat actors have started venturing into cryptojacking, specifically for Intel x64 machines. Initially, they deployed and executed a separate Monero cryptominer alongside the usual RapperBot binary. But in late January 2023, they combined both functionalities into a single bot.
Source:
https://www.fortinet.com/blog/threat-research/rapperbot-ddos-botnet-expands-into-cryptojacking
DownEx_Espionage_activity_in_Central_Asia
MEDIUM
+
—
—
- Intel Source:
- Bitdefender
- Intel Name:
- DownEx_Espionage_activity_in_Central_Asia
- Date of Scan:
- 2023-05-12
- Impact:
- MEDIUM
- Summary:
- Last year Bitdefender Labs reserchers observed an attack on foreign government institutions in Kazakhstan. During the analyses, it was disovered that this was a highly targeted attack to get an access to exfiltrate data. Bitdefender Labs reserchers did moitored for awhile it and the region for other similar attacks. Recently they detected another attack in Afghanistan and collected additional samples and observations.
CLR_SqlShell_malware_Attack_MS_SQL_Servers
MEDIUM
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- CLR_SqlShell_malware_Attack_MS_SQL_Servers
- Date of Scan:
- 2023-05-12
- Impact:
- MEDIUM
- Summary:
- ASEC analyzed the CLR SqlShell malware that is being used to target MS-SQL servers. Similar to WebShell, which can be installed on web servers, SqlShell is a malware strain that supports various features after being installed on an MS-SQL server, such as executing commands from threat actors and carrying out all sorts of malicious behavior.
The_Examination_of_Highly_Evasive_Shellcode_Based_Loader
LOW
+
—
—
- Intel Source:
- Mcafee
- Intel Name:
- The_Examination_of_Highly_Evasive_Shellcode_Based_Loader
- Date of Scan:
- 2023-05-12
- Impact:
- LOW
- Summary:
- McAfee researchers have deeply analyzed the GULoader campaigns and found, a rise in NSIS-based installers delivered via E-mail as malspam that use plugin libraries to execute the GU shellcode on the victim system.
Malspam_Campaign_Delivering_PowerDash
LOW
+
—
—
- Intel Source:
- Cert-PL
- Intel Name:
- Malspam_Campaign_Delivering_PowerDash
- Date of Scan:
- 2023-05-12
- Impact:
- LOW
- Summary:
- CERT-PL researchers have observed a malspam campaign delivering previously unseen PowerShell malware. They also dubbed this malware family as “PowerDash” because of the “/dash” path on C2 server, used as a gateway for bots.
Royal_Ransomware_Expands_to_Target_Linux_and_VMware_ESXi
MEDIUM
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- Royal_Ransomware_Expands_to_Target_Linux_and_VMware_ESXi
- Date of Scan:
- 2023-05-10
- Impact:
- MEDIUM
- Summary:
- PaloAlto researchers have observed that the Royal ransomware group has recently launched a variant of its encryptor malware built in the form of executable and linkable format (ELF) binary. Also, they started using the BatLoader dropper and SEO poisoning for initial access.
Source:
https://unit42.paloaltonetworks.com/royal-ransomware/
Taking_a_Closer_Look_at_Israel_Based_BEC_Attacks
HIGH
+
—
—
- Intel Source:
- Abnormal
- Intel Name:
- Taking_a_Closer_Look_at_Israel_Based_BEC_Attacks
- Date of Scan:
- 2023-05-10
- Impact:
- HIGH
- Summary:
- Researchers from Abnormal Security have discovered that an Israel-based threat group has conducted 350 BEC campaigns since February 2021, with email attacks targeting employees from 61 countries across six continents.
MitM_Phishing_Growing_and_Using_Real_Login_Process_to_Steal_Credentials
LOW
+
—
—
- Intel Source:
- Cofense
- Intel Name:
- MitM_Phishing_Growing_and_Using_Real_Login_Process_to_Steal_Credentials
- Date of Scan:
- 2023-05-10
- Impact:
- LOW
- Summary:
- Cofense researchers have observed Man-in-the-middle attacks are increasing rapidly and identified a 35% increase in volume reaching inboxes between Q1 2022 and Q1 2023, 94% of MitM credential phishing attacks reaching inboxes targeted O365 authentication, and 89% of campaigns used at least one URL redirect, and 55% used two or more.
Source:
https://cofense.com/blog/cofense-intelligence-strategic-analysis-2/
AndoryuBot_Targeting_Ruckus_Wireless_Admin_Remote_Code_Execution_Vulnerability
LOW
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- AndoryuBot_Targeting_Ruckus_Wireless_Admin_Remote_Code_Execution_Vulnerability
- Date of Scan:
- 2023-05-09
- Impact:
- LOW
- Summary:
- FortiGate researchers have observed a unique botnet based on the SOCKS protocol distributed through the Ruckus vulnerability (CVE-2023-25717). It contains DDoS attack modules for different protocols and communicates with its command-and-control server using SOCKS5 proxies.
SideWinder_Using_Server_Based_Polymorphism_Technique
LOW
+
—
—
- Intel Source:
- Blackberry
- Intel Name:
- SideWinder_Using_Server_Based_Polymorphism_Technique
- Date of Scan:
- 2023-05-09
- Impact:
- LOW
- Summary:
- BlackBerry researchers have observed that APT Group SideWinder is accused of deploying a backdoor in attacks directed against Pakistan government organizations as part of a campaign that commenced in late November 2022.
Source:
https://blogs.blackberry.com/en/2023/05/sidewinder-uses-server-side-polymorphism-to-target-pakistan
IRCTC_fake_apps
LOW
+
—
—
- Intel Source:
- Quickheal
- Intel Name:
- IRCTC_fake_apps
- Date of Scan:
- 2023-05-09
- Impact:
- LOW
- Summary:
- Quickheal analysts went through the recent advisory published by the Indian Railway Catering and Tourism Corporation (IRCTC), about the IRCTC fakeapps. The Fake IRCTC app pretends like it is real IRCTC app but is in reality a full-fledged spyware that spies on victims with ease.
Source:
https://blogs.quickheal.com/beware-fake-applications-are-disguised-as-legitimate-ones/
Microsoft_Phish_Redirects_Victims_to_Catering_Voice_Recording
LOW
+
—
—
- Intel Source:
- Cofense
- Intel Name:
- Microsoft_Phish_Redirects_Victims_to_Catering_Voice_Recording
- Date of Scan:
- 2023-05-09
- Impact:
- LOW
- Summary:
- Cofense researchers have observed credential phishing campaigns that use a novel deception technique, luring unsuspecting users into a false sense of security after they’ve given away their Microsoft login information.
RecordBreaker_Stealer_Distributed_by_YouTube_Accounts
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- RecordBreaker_Stealer_Distributed_by_YouTube_Accounts
- Date of Scan:
- 2023-05-08
- Impact:
- LOW
- Summary:
- ASEC analyzed and confirmed the distribution of RecordBreaker through a YouTube account and possibly hacked recently. RecordBreaker is a new Infostealer version of Raccoon Stealer. It tries to pretend itself as a software installer and similar to CryptBot, RedLine, and Vidar. AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of RecordBreaker through a YouTube account that is assumed to have been recently hacked.
New_MultiStage_Attack_and_Malware_Distribution_of_Amadey
LOW
+
—
—
- Intel Source:
- Mcafee
- Intel Name:
- New_MultiStage_Attack_and_Malware_Distribution_of_Amadey
- Date of Scan:
- 2023-05-08
- Impact:
- LOW
- Summary:
- McAfee Labs researchers have identified an increase in Wextract.exe samples, that drop a malware payload at multiple stages.
New_Web_Injection_Toolkit_DrIBAN_Targeting_Italian_Corporate_Banking_Clients
MEDIUM
+
—
—
- Intel Source:
- Cleafy
- Intel Name:
- New_Web_Injection_Toolkit_DrIBAN_Targeting_Italian_Corporate_Banking_Clients
- Date of Scan:
- 2023-05-08
- Impact:
- MEDIUM
- Summary:
- Researchers from Cleafy have observed that Italian corporate banking clients are the target of an ongoing financial fraud campaign that has been leveraging a new web-inject toolkit called drIBAN since at least 2019.
Source:
https://www.cleafy.com/cleafy-labs/uncovering-driban-fraud-operations-chapter1
SmokeLoader_and_RoarBAT_Malware_Attacks_Against_Ukraine
MEDIUM
+
—
—
- Intel Source:
- CERT-UA
- Intel Name:
- SmokeLoader_and_RoarBAT_Malware_Attacks_Against_Ukraine
- Date of Scan:
- 2023-05-08
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have identified an ongoing phishing campaign with invoice-themed lures being used to distribute the SmokeLoader malware in the form of a polyglot file.
SideCopy_Group_Delivering_Malware_via_Phishing_Emails
LOW
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- SideCopy_Group_Delivering_Malware_via_Phishing_Emails
- Date of Scan:
- 2023-05-08
- Impact:
- LOW
- Summary:
- FortiGate researchers have identified one file that referenced an Indian state military research organization and an in-development nuclear missile. The file is meant to deploy malware with characteristics matching the APT group SideCopy with activities dating back to at least 2019, this group has aligned its targeting with the goals and objectives of the Pakistani government.
Source:
https://www.fortinet.com/blog/threat-research/clean-rooms-nuclear-missiles-and-sidecopy
Phishing_Sites_Spreading_RAT_Called_DarkWatchMan
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Phishing_Sites_Spreading_RAT_Called_DarkWatchMan
- Date of Scan:
- 2023-05-08
- Impact:
- LOW
- Summary:
- Cyble researchers have identified a phishing website that imitated a renowned Russian website, CryptoPro CSP. TAs is using this website to distribute DarkWatchman malware.
Source:
https://blog.cyble.com/2023/05/05/sophisticated-darkwatchman-rat-spreads-through-phishing-sites/
US_Job_Services_Leaks_Customer_Data
LOW
+
—
—
- Intel Source:
- KrebsonSecurity
- Intel Name:
- US_Job_Services_Leaks_Customer_Data
- Date of Scan:
- 2023-05-08
- Impact:
- LOW
- Summary:
- Researchers from KrebsonSecurity have identified a huge tranche of full credit card records exposed online, and that at first glance the domain names involved appeared to be affiliated with the United States Postal Service.
An_Increase_in_SHTML_Phishing_Attacks
MEDIUM
+
—
—
- Intel Source:
- Mcafee
- Intel Name:
- An_Increase_in_SHTML_Phishing_Attacks
- Date of Scan:
- 2023-05-08
- Impact:
- MEDIUM
- Summary:
- McAfee researchers have observed a new wave of phishing attacks. In this wave, the attacker has been abusing server-parsed HTML (SHTML) files. The SHTML files are commonly associated with web servers redirecting users to malicious, credential-stealing websites or displaying phishing forms locally within the browser to harvest user-sensitive information.
Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shtml-phishing-attack-with-blurred-image/
The_Analysis_of_CrossLock_Ransomware
LOW
+
—
—
- Intel Source:
- Netscope
- Intel Name:
- The_Analysis_of_CrossLock_Ransomware
- Date of Scan:
- 2023-05-07
- Impact:
- LOW
- Summary:
- Netskope researchers have identified a new ransomware named CrossLock. It emerged in April 2023, targeting a large digital certifier company in Brazil. This ransomware was written in Go, which has also been adopted by other ransomware groups, including Hive, due to the cross-platform capabilities offered by the language.
Source:
https://www.netskope.com/blog/netskope-threat-coverage-crosslock-ransomware
New_KEKW_Malware_Variant_Detected_in_PyPI_Packages
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- New_KEKW_Malware_Variant_Detected_in_PyPI_Packages
- Date of Scan:
- 2023-05-07
- Impact:
- LOW
- Summary:
- Cyble researchers have uncovered multiple malicious Python .whl (Wheel) files that are found to be distributing a new malware named ‘KEKW’. KEKW malware can steal sensitive information from infected systems, as well as perform clipper activities which can lead to the hijacking of cryptocurrency transactions.
Source:
https://blog.cyble.com/2023/05/03/new-kekw-malware-variant-identified-in-pypi-package-distribution/
DLL_sideloading_Attacks_Gain_New_Air_With_a_Doubled_Dragon_Breath
LOW
+
—
—
- Intel Source:
- Sophos
- Intel Name:
- DLL_sideloading_Attacks_Gain_New_Air_With_a_Doubled_Dragon_Breath
- Date of Scan:
- 2023-05-07
- Impact:
- LOW
- Summary:
- Sophos researchers have spotted malicious DLL sideloading activity that builds on the classic sideloading scenario but adds complexity and layers to its execution.
Source:
https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/
Multiple_Malware_Targeting_Business_Users
LOW
+
—
—
- Intel Source:
- Meta
- Intel Name:
- Multiple_Malware_Targeting_Business_Users
- Date of Scan:
- 2023-05-07
- Impact:
- LOW
- Summary:
- Researchers from Meta have analyzed the persistent malware campaigns targeting businesses across the internet, including threat indicators to help raise the industry’s collective defenses across the internet.
Source:
https://engineering.fb.com/2023/05/03/security/malware-nodestealer-ducktail/
Mustang_Panda_New_Campaign_Against_Australia
LOW
+
—
—
- Intel Source:
- Lab52
- Intel Name:
- Mustang_Panda_New_Campaign_Against_Australia
- Date of Scan:
- 2023-05-07
- Impact:
- LOW
- Summary:
- Lab52 researchers have found a zip file named Biography of Senator the Hon Don Farrell.zip. Hon Don Farrell is the current Australian Secretary of State for Trade and Tourism, indicating a targeted campaign against Australia.
Source:
https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
The_Second_Variant_of_Atomic_Stealer_macOS_Malware
LOW
+
—
—
- Intel Source:
- Sentilone
- Intel Name:
- The_Second_Variant_of_Atomic_Stealer_macOS_Malware
- Date of Scan:
- 2023-05-06
- Impact:
- LOW
- Summary:
- The threat actor, however, has been busy looking for other ways to target macOS users with a different version of Atomic Stealer. In this post, we take a closer look at how Atomic Stealer works and describe a previously unreported second variant. We also provide a comprehensive list of indicators to aid threat hunters and security teams defending macOS endpoints.
Kimsuky_New_Global_Campaign
MEDIUM
+
—
—
- Intel Source:
- Sentilone
- Intel Name:
- Kimsuky_New_Global_Campaign
- Date of Scan:
- 2023-05-06
- Impact:
- MEDIUM
- Summary:
- SentinelLabs has observed ongoing attacks from Kimsuky, a North Korean state-sponsored APT that has a long history of targeting organizations across Asia, North America, and Europe. Ongoing campaigns use a new malware component called ReconShark, which is actively delivered to specifically attacked individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros. ReconShark operates as a reconnaissance tool with unique execution instructions and server communication methods. Recent activity has been linked to a broader set of skills are attributed to North Korea.
Source:
https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/
Infostealer_Embedded_in_a_Word_Document
LOW
+
—
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Infostealer_Embedded_in_a_Word_Document
- Date of Scan:
- 2023-05-06
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed a malicious document which is an embedded object.
Source:
https://isc.sans.edu/diary/Infostealer+Embedded+in+a+Word+Document/29810/
Raspberry_Robin_USB_malware_campaign
LOW
+
—
—
- Intel Source:
- Bushidotoken
- Intel Name:
- Raspberry_Robin_USB_malware_campaign
- Date of Scan:
- 2023-05-06
- Impact:
- LOW
- Summary:
- Bushidotoken blog shares the technical details about this malware and analyses how it runs, works, the commands it runs, the processes it uses, and in this case how C2 communications look like.
Source:
https://blog.bushidotoken.net/2023/05/raspberry-robin-global-usb-malware.html
BlackBit_Ransomware
MEDIUM
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- BlackBit_Ransomware
- Date of Scan:
- 2023-05-06
- Impact:
- MEDIUM
- Summary:
- AhnLab shared their analyses about BlackBit ransomware is being distributed in Korea. BlackBit Ransomware is a LokiLocker ransomware variant that based on the RaaS model. The source code of the BlackBit shows the ransomware is a copy of the LokiLocker with some new changes such as icons, name, color scheme. BlackBit ransomware is a sophisticated one with multipleseveral capabilities to establish persistence, defense evasion, and impair recovery.
Source:
https://blog.cyble.com/2023/05/03/blackbit-ransomware-a-threat-from-the-shadows-of-lokilocker/
Malware_IcedID_information_stealer_configuration_analyses
LOW
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- Malware_IcedID_information_stealer_configuration_analyses
- Date of Scan:
- 2023-05-05
- Impact:
- LOW
- Summary:
- Palo Alto researchers shared an example of an IcedID malware (information stealer) configuration, how it was obfuscated and how they extracted it. It was one IcedID binary and how its configurations are encrypted.
Source:
https://unit42.paloaltonetworks.com/teasing-secrets-malware-configuration-parsing/
Vidar_Infostealer_targeted_a_Polish_Healthcare_Industry
LOW
+
—
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Vidar_Infostealer_targeted_a_Polish_Healthcare_Industry
- Date of Scan:
- 2023-05-05
- Impact:
- LOW
- Summary:
- EclecticIQ researchers has observed a spearphishing email targeting the healthcare industry in Poland. The spoofed email looked like as real sent from a Polish government entity and contained a infectips Microsoft Excel XLL attachment that can download and execute Vidar Infostealer malware.
Destructive_cyberattack_UAC_0165_on_the_public_sector_of_Ukraine_using_RoarBat
MEDIUM
+
—
—
- Intel Source:
- CERT-UA
- Intel Name:
- Destructive_cyberattack_UAC_0165_on_the_public_sector_of_Ukraine_using_RoarBat
- Date of Scan:
- 2023-05-05
- Impact:
- MEDIUM
- Summary:
- Upon receiving information about interference in the information and communication system (ICS) of one of the state organizations of Ukraine, measures to investigate a cyber attack were initiated. It was found that the performance of electronic computing machines (server equipment, automated user workstations, data storage systems) was impaired as a result of the destructive influence carried out using the appropriate software.
The_Investigation_of_BRAINSTORM_and_RILIDE
LOW
+
—
—
- Intel Source:
- Mandiant
- Intel Name:
- The_Investigation_of_BRAINSTORM_and_RILIDE
- Date of Scan:
- 2023-05-04
- Impact:
- LOW
- Summary:
- Mandiant researchers have identified BRAINSTORM, a rust-based dropper, which ultimately led to RILIDE, a chromium-based extension first publicly reported by SpiderLabs. After careful investigation identified that the email and cryptocurrency theft ecosystem of RILIDE is larger than reported.
Source:
https://www.mandiant.com/resources/blog/lnk-between-browsers
Earth_Longzhi_is_Back_With_New_Technique
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- Earth_Longzhi_is_Back_With_New_Technique
- Date of Scan:
- 2023-05-04
- Impact:
- LOW
- Summary:
- TrendMicro researchers have discovered a new campaign by Earth Longzhi that is targeting organizations based in Taiwan, Thailand, the Philippines, and Fiji. The recent campaign follows months of dormancy, abuses a Windows Defender executable to perform DLL sideloading while also exploiting a vulnerable driver, zamguard64.sys, to disable security products installed on the hosts via a bring-your-own-vulnerable-driver (BYOVD) attack.
North_Korean_Group_ScarCruft_Deploying_RokRAT_Malware
LOW
+
—
—
- Intel Source:
- Checkpoint
- Intel Name:
- North_Korean_Group_ScarCruft_Deploying_RokRAT_Malware
- Date of Scan:
- 2023-05-04
- Impact:
- LOW
- Summary:
- Checkpoint researchers have identified that the North Korean threat actor known as ScarCruft started experimenting with oversized LNK files as a delivery route for RokRAT malware as early as July 2022, the same month Microsoft began blocking macros across Office documents by default.
Source:
https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/
Diving_Deep_into_BlackByte_Ransomware
LOW
+
—
—
- Intel Source:
- SocRadar
- Intel Name:
- Diving_Deep_into_BlackByte_Ransomware
- Date of Scan:
- 2023-05-03
- Impact:
- LOW
- Summary:
- Researchers from SOCRadar have analyzed the BlackByte ransomware. It is a Ransomware operation that began targeting corporate victims worldwide in July 2021. The first findings regarding the group emerged after victims sought help decrypting their files.
Source:
https://socradar.io/dark-web-profile-blackbyte-ransomware/
CoinMiner_Distributing_to_Linux_SSH_Servers
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- CoinMiner_Distributing_to_Linux_SSH_Servers
- Date of Scan:
- 2023-05-03
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered XMRig CoinMiner being installed on poorly managed Linux SSH servers. The attacks have been happening with a distinct pattern since 2022, they involve the usage of malware developed with Shell Script Compiler when installing the XMRig, as well as the creation of a backdoor SSH account.
Russian_APT_Hacked_Tajikistani_Carrier_to_Spy_on_Government_and_Public_Services
MEDIUM
+
—
—
- Intel Source:
- Prodaft
- Intel Name:
- Russian_APT_Hacked_Tajikistani_Carrier_to_Spy_on_Government_and_Public_Services
- Date of Scan:
- 2023-05-03
- Impact:
- MEDIUM
- Summary:
- Researchers from Prodaft have observed a Russian espionage group tracked as Nomadic Octopus spying on Tajikistan’s high-ranking government officials, public service infrastructures, and telecoms services, likely by infiltrating a mobile phone carrier.
Source:
https://www.prodaft.com/m/reports/PAPERBUG_TLPWHITE-1.pdf
Internet_Threats_Are_Impersonating_Common_Industries_via_Phishing_Attacks_Web_Skimmer_Analysis_and_Many_More
LOW
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- Internet_Threats_Are_Impersonating_Common_Industries_via_Phishing_Attacks_Web_Skimmer_Analysis_and_Many_More
- Date of Scan:
- 2023-05-03
- Impact:
- LOW
- Summary:
- PaloAlto researchers have observed the internet threat landscape and analyzed malicious URL distribution, geolocation, category analysis, and statistics describing attempted malware attacks. Also, this includes industry sectors being targeted for spoofing in phishing pages, as well as downloaded malware statistics, injected JavaScript malware analysis, and malicious DNS analysis.
Source:
https://unit42.paloaltonetworks.com/internet-threats-late-2022/
Malware_Families_Leveraging_AresLoader_for_Distribution
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Malware_Families_Leveraging_AresLoader_for_Distribution
- Date of Scan:
- 2023-05-03
- Impact:
- LOW
- Summary:
- Cyble researchers have observed a new loader called AresLoader that is used to spread several types of malware families. It is a loader malware written in the C programming language that first emerged in cybercrime forums and Telegram channels in 2022.
The_Unstoppable_Malverposting_Continues
LOW
+
—
—
- Intel Source:
- Guardio
- Intel Name:
- The_Unstoppable_Malverposting_Continues
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- In this post Gardio vresearchers shared the huge numbers of IOC detections of Malverposting, and also very detailed analyses of this one campaign using adult-rated click bates delivering sophisticated malware — making it even harder for detection, and too easy to mass propagate.
The_Overview_of_UNIZA_Ransomware
LOW
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Overview_of_UNIZA_Ransomware
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- Fortinet researchers have discovered a new ransomware variant called UNIZA. Like other ransomware variants. It uses the Command Prompt (cmd.exe) window to display its ransom message, and interestingly, it does not append the filename of the files it encrypts, making it more difficult to determine which files have been impacted.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-uniza-coverage
Ransomware_Family_Rapture_is_Similar_to_Paradise
MEDIUM
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- Ransomware_Family_Rapture_is_Similar_to_Paradise
- Date of Scan:
- 2023-05-01
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have observed a type of ransomware targeting its victims via a minimalistic approach with tools that leave only a minimal footprint behind. The findings revealed many of the preparations made by the perpetrators and how quickly they managed to carry out the ransomware attack.
New_LOBSHOT_Malware_Deploying_Via_Google_Ads
LOW
+
—
—
- Intel Source:
- Elastic
- Intel Name:
- New_LOBSHOT_Malware_Deploying_Via_Google_Ads
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- Researchers from Elastic Security Labs have observed one malware family called LOBSHOT. It continues to collect victims while remaining undetected. Also, the infrastructure belongs to TA505, the well-known cybercriminal group associated with Dridex, Locky, and Necurs campaigns.
Source:
https://www.elastic.co/security-labs/elastic-security-labs-discovers-lobshot-malware
Threat_Actors_Leveraging_SEO_Poisoning
LOW
+
—
—
- Intel Source:
- Trellix
- Intel Name:
- Threat_Actors_Leveraging_SEO_Poisoning
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- Trellix researchers have identified that hackers continue to innovate their techniques to infect victims, with SEO poisoning being one of the recent trends.
ASEC_Weekly_Malware_Statistics
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_Statistics
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 21st, 2022 (Monday) to November 27th (Sunday).
A_malicious_Mitiga_document
LOW
+
—
—
- Intel Source:
- Mitiga
- Intel Name:
- A_malicious_Mitiga_document
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- Last January, an attacker uploaded a malicious .docx file to Virus Total. He used several of Mitiga’s publicly available branding elements which included logo, fonts and colors, to lend credibility to the document.
Source:
https://www.mitiga.io/blog/mitiga-advisory-virus-total
ASEC_Weekly_Phishing_Email_analyses_April_9_15th_2023
LOW
+
—
—
- Intel Name:
- ASEC_Weekly_Phishing_Email_analyses_April_9_15th_2023
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- ASEC lab researchers continiusly monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. Their post shares the cases of distribution of phishing emails during the week from April 9th, 2023 to April 15st, 2023 and provide statistical information on each type.
An_Ongoing_Magecart_Campaign
LOW
+
—
—
- Intel Source:
- Malwarebytes
- Intel Name:
- An_Ongoing_Magecart_Campaign
- Date of Scan:
- 2023-04-30
- Impact:
- LOW
- Summary:
- Malwarebytes researchers have identified an ongoing Magecart campaign that is leveraging realistic-looking fake payment screens to capture sensitive data entered by unsuspecting users.
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/04/kritec-art
Hackers_From_APT28_Group_Distributing_Emails_With_Instructions_on_Updating_OS
MEDIUM
+
—
—
- Intel Source:
- CERT-UA
- Intel Name:
- Hackers_From_APT28_Group_Distributing_Emails_With_Instructions_on_Updating_OS
- Date of Scan:
- 2023-04-30
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have observed the distribution of emails with subject “Windows Update”, allegedly sent on behalf of system administrators of departments. At the same time, senders’ email addresses created on the @outlook.com public service can be formed using the real name and initials of the employee.
The_BellaCiao_Malware_of_Iran
MEDIUM
+
—
—
- Intel Source:
- Bitdefender
- Intel Name:
- The_BellaCiao_Malware_of_Iran
- Date of Scan:
- 2023-04-27
- Impact:
- MEDIUM
- Summary:
- BitDefender researchers have observed the modernization of Charming Kitten’s tactics, techniques, and procedures, including a new, previously unseen malware. This malware is tailored to suit individual targets and exhibits a higher level of complexity, evidenced by a unique communication approach with its command-and-control (C2) infrastructure.
Source:
https://businessinsights.bitdefender.com/unpacking-bellaciao-a-closer-look-at-irans-latest-malware
Raccoon_and_Vidar_Stealers_Spreading_Fake_Cracked_new
MEDIUM
+
—
—
- Intel Source:
- Sekoia
- Intel Name:
- Raccoon_and_Vidar_Stealers_Spreading_Fake_Cracked_new
- Date of Scan:
- 2023-04-27
- Impact:
- MEDIUM
- Summary:
- Sekoia researchers have identified the infection chain that is using about a hundred fake cracked software catalog websites that redirect to several links before downloading the payload hosted on file share platforms, such as GitHub.
The_Exploiting_of_Kubernetes_RBAC_by_attackers
LOW
+
—
—
- Intel Source:
- Aqua
- Intel Name:
- The_Exploiting_of_Kubernetes_RBAC_by_attackers
- Date of Scan:
- 2023-04-27
- Impact:
- LOW
- Summary:
- Aqua researchers have observed new evidence that attackers are exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) in the wild to create backdoors. The attackers also tried to lunch a DaemonSets to take control and seize resources of the K8s clusters they attack. Aqua analyses suspects that this campaign is actively targeting at least 60 clusters in the wild.
Source:
https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
RTM_Locker_Ransomware_as_a_Service_Now_Suits_Linux_Architecture
LOW
+
—
—
- Intel Source:
- Uptycs
- Intel Name:
- RTM_Locker_Ransomware_as_a_Service_Now_Suits_Linux_Architecture
- Date of Scan:
- 2023-04-27
- Impact:
- LOW
- Summary:
- Uptycs researchers have discovered a new ransomware binary attributed to the RTM group, a known ransomware-as-a-service (RaaS) provider. This is the first time the group has created a Linux binary. Its locker ransomware infects Linux, NAS, and ESXi hosts and appears to be inspired by Babuk ransomware’s leaked source code.
Source:
https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux
PingPull_Malware_is_Updated_by_Chinese_Alloy_Taurus
LOW
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- PingPull_Malware_is_Updated_by_Chinese_Alloy_Taurus
- Date of Scan:
- 2023-04-27
- Impact:
- LOW
- Summary:
- Unit 42 researchers have identified a new variant of PingPull malware used by Alloy Taurus actors designed to target Linux systems. While following the infrastructure leveraged by the actor for this PingPull variant, we also identified their use of another backdoor we track as Sword2033.
Hackers_Selling_New_Atomic_macOS_Stealer_on_Telegram
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- Hackers_Selling_New_Atomic_macOS_Stealer_on_Telegram
- Date of Scan:
- 2023-04-27
- Impact:
- LOW
- Summary:
- Cyble Researchers have discovered a Telegram channel advertising a new information-stealing malware called Atomic macOS Stealer (AMOS). The malware is specifically designed to target macOS and can steal sensitive information from the victim’s machine.
Source:
https://blog.cyble.com/2023/04/26/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/
TrafficStealer_Abusing_Open_Container_APIs
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- TrafficStealer_Abusing_Open_Container_APIs
- Date of Scan:
- 2023-04-27
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have discovered a different type of attack, a piece of software that leverages Docker containers to generate money through monetized traffic. Although the piece of software itself appears to be legitimate, it likely has compromised components that result in monitoring as a potentially unwanted application.
APT_Group_Panda_Delivering_Malware_via_Software_Updates
HIGH
+
—
—
- Intel Source:
- Welivesecurity
- Intel Name:
- APT_Group_Panda_Delivering_Malware_via_Software_Updates
- Date of Scan:
- 2023-04-27
- Impact:
- HIGH
- Summary:
- ESET researchers discovered a new campaign by the APT group known as Evasive Panda targeting an international NGO in China with malware delivered through updates of popular Chinese software.
PaperCut_actively_exploited_in_the_Wild
MEDIUM
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- PaperCut_actively_exploited_in_the_Wild
- Date of Scan:
- 2023-04-27
- Impact:
- MEDIUM
- Summary:
- Earlier this month, PaperCut shared a Security alert stating, they have an evidence that unpatched servers are being exploited in the wild. Russian Hacker Suspected Exploiting the PaperCut Vulnerability. The advisories provided by vendors shared insights into the two CVEs – CVE-2023-27350 (Severity: Critical) & CVE-2023-27351(Severity: High). Cyble researchers shared their details for the same in their post.
Source:
https://blog.cyble.com/2023/04/25/print-management-software-papercut-actively-exploited-in-the-wild/
RokRAT_Malware_Distributing_Through_LNK_Files
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- RokRAT_Malware_Distributing_Through_LNK_Files
- Date of Scan:
- 2023-04-26
- Impact:
- LOW
- Summary:
- ASEC researchers have observed that the RedEyes threat group (also known as APT37, ScarCruft), which distributed CHM Malware Disguised as Security Email from a Korean Financial Company last month, has also recently distributed the RokRAT malware through LNK files.
New_the_Mirai_botnet_exploit
MEDIUM
+
—
—
- Intel Source:
- Zero Day Initiative (ZDI)
- Intel Name:
- New_the_Mirai_botnet_exploit
- Date of Scan:
- 2023-04-26
- Impact:
- MEDIUM
- Summary:
- The Zero Day Initiative threat-hunting team discovered recently new exploit attempts in Eastern Europe showing that the Mirai botnet has updated its version to CVE-2023-1389, known as ZDI-CAN-19557/ZDI-23-451. This malicious activity in the TP-Link Archer AX21 Wi-Fi router was originally disclosed to ZDI during the Pwn2Own Toronto event, where it was used by Team Viettel in their LAN-side entry against the TP-Link device and by Qrious Security in their WAN-side entry.
Phishing_Attack_Increasing_in_Singapore_for_Tax_Portal
LOW
+
—
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Phishing_Attack_Increasing_in_Singapore_for_Tax_Portal
- Date of Scan:
- 2023-04-26
- Impact:
- LOW
- Summary:
- Researchers from SANS have identified an IRAS phishing website that looks legitimate, this website asks users to input their Singapore Personal Access (Singpass) credentials to access government and private services (such as banking) in Singapore.
Source:
https://isc.sans.edu/diary/Strolling+through+Cyberspace+and+Hunting+for+Phishing+Sites/29780/
Finding_Decoy_Dog_Toolkit_via_Anomalous_DNS_Traffic
LOW
+
—
—
- Intel Source:
- Infoblox
- Intel Name:
- Finding_Decoy_Dog_Toolkit_via_Anomalous_DNS_Traffic
- Date of Scan:
- 2023-04-26
- Impact:
- LOW
- Summary:
- Researchers from Infoblox have identified a new malware toolkit named Decoy Dog, that has been discovered that allows attackers to avoid standard detection techniques and target enterprises. It uses DNS query dribbling and strategic domain aging techniques to bypass security checks.
Tonto_Team_Using_Anti_Malware_Related_Files_for_DLL_Side_Loading
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Tonto_Team_Using_Anti_Malware_Related_Files_for_DLL_Side_Loading
- Date of Scan:
- 2023-04-26
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified the Tonto Team threat group is targeting mainly Asian countries and has been distributing Bisonal malware
The_Analysis_of_Tomiris_Group
LOW
+
—
—
- Intel Source:
- Securelist
- Intel Name:
- The_Analysis_of_Tomiris_Group
- Date of Scan:
- 2023-04-25
- Impact:
- LOW
- Summary:
- Securelist researchers have continued to track Tomiris as a separate threat actor over three new attack campaigns between 2021 and 2023 and it is targeting government and diplomatic entities in the CIS.
Source:
https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/
After_15_Years_release_Open_Source_Gh0st_RAT_still_Haunting_Inboxes
LOW
+
—
—
- Intel Source:
- Cofense
- Intel Name:
- After_15_Years_release_Open_Source_Gh0st_RAT_still_Haunting_Inboxes
- Date of Scan:
- 2023-04-25
- Impact:
- LOW
- Summary:
- Cofense Intelligence Unit discovered Gh0st RAT, old open-source RAT, that is targeting a healthcare organization. Gh0st RAT was created by a Chinese hacking group named C. The public release of Gh0st RAT source code made it easy for threat actors to manipulate victims. Their information-stealing capabilities: taking full control of the infected machine, recording keystrokes in real time with offline logging available, accessing live web cam feeds including microphone recording, downloading files remotely, remote shutdown and reboot, disabling user input
Source:
https://cofense.com/blog/open-source-gh0st-rat-still-haunting-inboxes-15-years-after-release/
New_Findings_of_Educated_Manticore
MEDIUM
+
—
—
- Intel Source:
- Checkpoint
- Intel Name:
- New_Findings_of_Educated_Manticore
- Date of Scan:
- 2023-04-25
- Impact:
- MEDIUM
- Summary:
- Researchers from Checkpoint have revealed new findings of an activity cluster closely related to Phosphorus. It presents a new and improved infection chain leading to the deployment of a new version of PowerLess. This implant is attributed to Phosphorus in the past, an Iran-affiliated threat group operating in the Middle East and North America.
Repurposing_Package_Name_on_PyPI_to_Push_Malware
LOW
+
—
—
- Intel Source:
- ReversingLabs
- Intel Name:
- Repurposing_Package_Name_on_PyPI_to_Push_Malware
- Date of Scan:
- 2023-04-25
- Impact:
- LOW
- Summary:
- Researchers from Reversing Labs have observed that a malicious package on the Python Package Index (PyPI) named termcolour, a three-stage downloader published in multiple versions.
Source:
https://www.reversinglabs.com/blog/package-names-repurposed-to-push-malware-on-pypi
Zero_Day_Vulnerabilities_in_PaperCut_Print_Management_Software
LOW
+
—
—
- Intel Source:
- Huntress
- Intel Name:
- Zero_Day_Vulnerabilities_in_PaperCut_Print_Management_Software
- Date of Scan:
- 2023-04-24
- Impact:
- LOW
- Summary:
- Researchers from Huntress have tracked the exploitation of zero-day vulnerabilities against PaperCut MF/NG which allow for unauthenticated remote code execution due to an authentication bypass.
Source:
https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
ViperSoftX_Encryption_Updates
LOW
+
—
—
- Intel Source:
- TrendMicro
- Intel Name:
- ViperSoftX_Encryption_Updates
- Date of Scan:
- 2023-04-24
- Impact:
- LOW
- Summary:
- TrendMicro researchers have observed cryptocurrency and information stealer ViperSoftX evading initial loader detection and making its lure more believable by making the initial package loader via cracks, keygens, activators, and packers non-malicious.
Source:
https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html
The_QakBot_Malware_Continues_to_Evolve
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- The_QakBot_Malware_Continues_to_Evolve
- Date of Scan:
- 2023-04-24
- Impact:
- LOW
- Summary:
- Cyble Research Intelligence Labs have observed that several malware families, such as AsyncRAT, QuasarRAT, DCRAT, etc., have been found using OneNote attachments as part of their tactics. In February 2023, the well-known malware, Qakbot, started using OneNote attachments in their spam campaigns.
Source:
https://blog.cyble.com/2023/04/21/qakbot-malware-continues-to-morph/
New_OCX_HARVESTER_Attack_Campaign_Using_Modernized_More_Eggs_Suite
MEDIUM
+
—
—
- Intel Source:
- Securonix Threat Labs
- Intel Name:
- New_OCX_HARVESTER_Attack_Campaign_Using_Modernized_More_Eggs_Suite
- Date of Scan:
- 2023-04-24
- Impact:
- MEDIUM
- Summary:
- Securonix Threat Labs researchers have observed a new attack campaign tracked as OCX#HARVESTER. Some of the malicious payloads leveraged as part of the attack campaign observed appear to be related to the More_eggs malicious payloads reported earlier.
X_Trader_Supply_Chain_Attack_Affecting_Critical_Infrastructure_Organizations_in_US_and_Europe
MEDIUM
+
—
—
- Intel Source:
- Symantec
- Intel Name:
- X_Trader_Supply_Chain_Attack_Affecting_Critical_Infrastructure_Organizations_in_US_and_Europe
- Date of Scan:
- 2023-04-24
- Impact:
- MEDIUM
- Summary:
- Researchers from Symantec have identified that North Korean-linked operations affected more organizations beyond 3CX, including two critical infrastructure organizations in the energy sector.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain
BlueNoroff_APT_Group_Targeting_macOS_With_RustBucket_Malware
LOW
+
—
—
- Intel Source:
- Jamf
- Intel Name:
- BlueNoroff_APT_Group_Targeting_macOS_With_RustBucket_Malware
- Date of Scan:
- 2023-04-24
- Impact:
- LOW
- Summary:
- Jamf Threat Labs have discovered a macOS malware family that communicates with command and control (C2) servers to download and execute various payloads. They track and protect against this malware family under the name ‘RustBucket’ and suspect it to be attributed to a North Korean, state-sponsored threat actor.
Source:
https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/
Lazarus_Hackers_Pushing_Linux_Malware_via_Fake_Job_Offers
MEDIUM
+
—
—
- Intel Source:
- Welivesecurity
- Intel Name:
- Lazarus_Hackers_Pushing_Linux_Malware_via_Fake_Job_Offers
- Date of Scan:
- 2023-04-22
- Impact:
- MEDIUM
- Summary:
- Researchers from Welivesecurity identified a new Lazarus campaign considered part of “Operation DreamJob” has been discovered targeting Linux users with malware for the first time.
Scams_Involving_ChatGPT_Are_on_the_Rise
LOW
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- Scams_Involving_ChatGPT_Are_on_the_Rise
- Date of Scan:
- 2023-04-22
- Impact:
- LOW
- Summary:
- Unit42 researchers have monitored the newly registered domains and squatting domains related to ChatGPT, as it is one of the fastest-growing consumer applications in history. The dark side of this popularity is that ChatGPT is also attracting the attention of scammers seeking to benefit from using wording and domain names that appear related to the site.
Source:
https://unit42.paloaltonetworks.com/chatgpt-scam-attacks-increasing/
Two_New_QakBot_C2_Servers_Detected
LOW
+
—
—
- Intel Source:
- Sophos
- Intel Name:
- Two_New_QakBot_C2_Servers_Detected
- Date of Scan:
- 2023-04-22
- Impact:
- LOW
- Summary:
- Sophos researchers have detected two new QakBot servers that have not yet been publicly identified. These servers are used by threat actors to manage and control QakBot infections, a banking trojan that has been active since 2008 and primarily targets financial institutions and their customers.
Source:
https://news.sophos.com/en-us/2023/04/20/new-qakbot-c2-servers-detected-with-sophos-ndr/
The_Examination_of_EvilExtractor_Tool
MEDIUM
+
—
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Examination_of_EvilExtractor_Tool
- Date of Scan:
- 2023-04-22
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs researchers have analyzed the EvilExtractor tool which is an attack tool designed to target Windows operating systems and extract data and files from endpoint devices. Also, observed this malware in a phishing email campaign on 30 March.
Source:
https://www.fortinet.com/blog/threat-research/evil-extractor-all-in-one-stealer
Distribution_of_the_BlackBit_ransomware
LOW
+
—
—
- Intel Source:
- ASEC
- Intel Name:
- Distribution_of_the_BlackBit_ransomware
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of the BlackBit ransomware disguised as svchost.exe during the team’s monitoring. According to the ASEC’s internal infrastructure, the BlackBit ransomware has been continuously distributed
New_Attack_Chain_Uncovered_From_Blind_Eagle_Cyber_Espionage_Group
LOW
+
—
—
- Intel Source:
- Threatmon
- Intel Name:
- New_Attack_Chain_Uncovered_From_Blind_Eagle_Cyber_Espionage_Group
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Researchers from Threatmon have observed that the cyber espionage actor tracked as Blind Eagle has been linked to a new multi-stage attack chain that leads to the deployment of the NjRAT remote access trojan on compromised systems.
Source:
https://threatmon.io/apt-blind-eagles-malware-arsenal-technical-analysis/
Bumblebee_Malware_Distributing_Via_Trojanized_Installer_Downloads
MEDIUM
+
—
—
- Intel Source:
- Secureworks
- Intel Name:
- Bumblebee_Malware_Distributing_Via_Trojanized_Installer_Downloads
- Date of Scan:
- 2023-04-21
- Impact:
- MEDIUM
- Summary:
- https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads
Source:
https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads
Daggerfly_APT_Group_Targeting_Telecoms_Company_in_Africa
LOW
+
—
—
- Intel Source:
- Symantec
- Intel Name:
- Daggerfly_APT_Group_Targeting_Telecoms_Company_in_Africa
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Researchers from Symantec have identified that Telecommunication services providers in Africa are the target of a new campaign orchestrated by a China-linked threat actor at least since November 2022.
Play_Ransomware_Group_Using_New_Custom_Data_Gathering_Tools
MEDIUM
+
—
—
- Intel Source:
- Symantec
- Intel Name:
- Play_Ransomware_Group_Using_New_Custom_Data_Gathering_Tools
- Date of Scan:
- 2023-04-21
- Impact:
- MEDIUM
- Summary:
- Symantec researchers have identified that the Play ransomware group is using two new, custom-developed tools that allow it to enumerate all users and computers on a compromised network, and copy files from the Volume Shadow Copy Service (VSS) that are normally locked by the operating system.
Russian_Hackers_Conducting_Phishing_Attacks_in_Ukraine
LOW
+
—
—
- Intel Source:
- Google Blog
- Intel Name:
- Russian_Hackers_Conducting_Phishing_Attacks_in_Ukraine
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Google Threat Analysis researchers have observed that Russian government-backed phishing campaigns targeted users in Ukraine the most, with the country accounting for over 60% of observed Russian targeting.
Source:
https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/
Hackers_Promptly_Adopting_Web3_IPFS_Technology
LOW
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- Hackers_Promptly_Adopting_Web3_IPFS_Technology
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- PaloAlto researchers have observed several types of cyberthreats using InterPlanetary File System (aka IPFS), including phishing, credential theft, command and control (C2) communications, and malicious payload distribution. Also, observed a significant jump in IPFS-related traffic at the beginning of 2022.
Source:
https://unit42.paloaltonetworks.com/ipfs-used-maliciously/
USB_Based_FlowCloud_Malware_Attacks
LOW
+
—
—
- Intel Source:
- NTT Security
- Intel Name:
- USB_Based_FlowCloud_Malware_Attacks
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Researchers from NTT security have observed several companies have been infected with FlowCloud. It is known as malware used by an attack group called TA410 and has been observed since around 2019.
Source:
https://insight-jp.nttsecurity.com/post/102id0t/usbflowcloud
EDR_Killer_AuKill_Exploiting_Process_Explorer_Drivers
MEDIUM
+
—
—
- Intel Source:
- Sophos
- Intel Name:
- EDR_Killer_AuKill_Exploiting_Process_Explorer_Drivers
- Date of Scan:
- 2023-04-21
- Impact:
- MEDIUM
- Summary:
- Sophos researchers have investigated multiple incidents where attackers attempted to disable EDR clients with a new defense evasion tool dubbed AuKill. The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.
Source:
https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/
Belarus_Linked_Hacking_Group_Targeting_Poland_With_New_Disinformation_Campaign
MEDIUM
+
—
—
- Intel Source:
- CSIRT-MON
- Intel Name:
- Belarus_Linked_Hacking_Group_Targeting_Poland_With_New_Disinformation_Campaign
- Date of Scan:
- 2023-04-21
- Impact:
- MEDIUM
- Summary:
- CSIRT-MON researchers have issued a warning Wednesday about a recent disinformation campaign that has been traced back to the Belarusian hacking group known as Ghostwriter.
Source:
https://csirt-mon.wp.mil.pl/pl/articles/6-aktualnosci/dezinformacja-o-rekrutacji-do-litpolukrbrig/
SideCopy_Attack_Chain_Deploying_AllaKore_RAT
LOW
+
—
—
- Intel Source:
- Team-Cymru
- Intel Name:
- SideCopy_Attack_Chain_Deploying_AllaKore_RAT
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Researchers from Team-Cymru have analyzed the SideCopy group and discovered the SideCopy attack chain used to deploy AllaKore RAT. It is an open-source remote access tool that has been modified for the purposes of SideCopy operations and is commonly observed in their intrusions.
Source:
https://www.team-cymru.com/post/allakore-d-the-sidecopy-train
Hackers_Using_Abandoned_WordPress_Plugins_to_Backdoor_Websites
LOW
+
—
—
- Intel Source:
- Sucuri
- Intel Name:
- Hackers_Using_Abandoned_WordPress_Plugins_to_Backdoor_Websites
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Sucuri researchers have identified that attackers are using Eval PHP, an outdated legitimate WordPress plugin, to compromise websites by injecting stealthy backdoors.
Source:
https://blog.sucuri.net/2023/04/massive-abuse-of-abandoned-evalphp-wordpress-plugin.html
Hackers_From_Pakistan_Using_Linux_Malware_Poseidon_to_Target_Indian_Government_Agencies
MEDIUM
+
—
—
- Intel Source:
- Uptycs
- Intel Name:
- Hackers_From_Pakistan_Using_Linux_Malware_Poseidon_to_Target_Indian_Government_Agencies
- Date of Scan:
- 2023-04-20
- Impact:
- MEDIUM
- Summary:
- Researchers from Uptycs have identified a Pakistan-based advanced persistent threat actor known as Transparent Tribe using a two-factor authentication (2FA) tool used by Indian government agencies as a ruse to deliver a new Linux backdoor called Poseidon.
Source:
https://www.uptycs.com/blog/cyber_espionage_in_india_decoding_apt_36_new_linux_malware
New_Strain_of_Ransomware_Named_CrossLock
LOW
+
—
—
- Intel Source:
- Cyble
- Intel Name:
- New_Strain_of_Ransomware_Named_CrossLock
- Date of Scan:
- 2023-04-20
- Impact:
- LOW
- Summary:
- Cyble researchers have discovered a new strain of ransomware called CrossLock, which is written in the programming language “Go”. It employs the double-extortion technique to increase the likelihood of payment from its victims and this technique involves encrypting the victim’s data as well as exfiltrating it from their system.
Phishing_Campaign_Targeting_EPOS_Net_Customers
LOW
+
—
—
- Intel Source:
- LOW
- Intel Name:
- Phishing_Campaign_Targeting_EPOS_Net_Customers
- Date of Scan:
- 2023-04-20
- Impact:
- LOW
- Summary:
- Cofense Phishing Defense Center have observed a sophisticated phishing campaign targeting EPOS Net customers, a large Japanese credit card company. The campaign is notable for its meticulously crafted emails and cloned website, as well as its use of official customer service numbers to establish an illusion of legitimacy.
Google_Ads_Abuse_and_Spear_Phishing_Campaigns_Impersonating_Spains_Tax_Agency
LOW
+
—
—
- Intel Source:
- Blackberry
- Intel Name:
- Google_Ads_Abuse_and_Spear_Phishing_Campaigns_Impersonating_Spains_Tax_Agency
- Date of Scan:
- 2023-04-20
- Impact:
- LOW
- Summary:
- Researchers from BlackBerry have observed two parallel malicious campaigns that use the same infrastructure but have different purposes. The first campaign is related to a malvertising Google Ads Platform and the second campaign is related to a massive spear-phishing campaign targeting large organizations based in Spain. The campaign impersonated Spain’s tax agency, with the goal of harvesting the email credentials of companies in Spain.