LockBit_3_0_aka_LockBit_Black
MEDIUM
+
—
- Intel Source:
- Multiple
- Intel Name:
- LockBit_3_0_aka_LockBit_Black
- Date of Scan:
- 2022-09-30
- Impact:
- MEDIUM
- Summary:
- Researchers have analyzed the LockBit and identified it is back with LockBit 3.0
Hackers_using_Quantum_Builder_to_deliver_Agent_Tesla_RAT
LOW
+
—
- Intel Source:
- Zscaler
- Intel Name:
- Hackers_using_Quantum_Builder_to_deliver_Agent_Tesla_RAT
- Date of Scan:
- 2022-09-30
- Impact:
- LOW
- Summary:
- Zscaler ThreatLabz researchers have observed a campaign that delivers Agent Tesla, a .NET-based keylogger and remote access trojan (RAT), using a builder named “Quantum Builder” sold on the dark web.
Polyglot_File_Delivering_IcedID
LOW
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- Polyglot_File_Delivering_IcedID
- Date of Scan:
- 2022-09-30
- Impact:
- LOW
- Summary:
- PaloAlto researchers have observed a polyglot Microsoft Compiled HTML Help file being employed in the infection process used by the information stealer IcedID.
New_Malware_Variants_Deliver_Fake_Cloudflare_DDoS_Captcha
LOW
+
—
- Intel Source:
- Sucuri
- Intel Name:
- New_Malware_Variants_Deliver_Fake_Cloudflare_DDoS_Captcha
- Date of Scan:
- 2022-09-30
- Impact:
- LOW
- Summary:
- Researchers from Sucuri have identified the user is prompted with a bogus Cloudflare DDoS protection screen, but in this new wave, they observed a fake CAPTCHA dialog masquerading as the popular Cloudflare service.
Finding_APTs_using_Unsigned_DLLs_Loader
MEDIUM
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- Finding_APTs_using_Unsigned_DLLs_Loader
- Date of Scan:
- 2022-09-30
- Impact:
- MEDIUM
- Summary:
- PaloAlto researchers have observed a method called "unsigned DLL loading" which is the technique to evade detection and execute more sophisticated attacks.
The_examination_of_Wiper_Malware_Part_3
LOW
+
—
- Intel Source:
- Crowdstrike
- Intel Name:
- The_examination_of_Wiper_Malware_Part_3
- Date of Scan:
- 2022-09-30
- Impact:
- LOW
- Summary:
- Researchers from CrowdStrike have covered various input/output controls (IOCTLs) in more detail and how they are used to achieve different goals — including acquiring information about infected machines and locking/unlocking disk volumes, among others.
A_new_Cobalt_Strike_payload_campaign
MEDIUM
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- A_new_Cobalt_Strike_payload_campaign
- Date of Scan:
- 2022-09-30
- Impact:
- MEDIUM
- Summary:
- Researchers from Cisco have discovered a campaign that is delivering Cobalt Strike beacons that could be used in later, follow-on attacks.
Detecting_and_Removing_Malicious_Software_Masquerading_as_Doenerium_Stealer
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Detecting_and_Removing_Malicious_Software_Masquerading_as_Doenerium_Stealer
- Date of Scan:
- 2022-09-30
- Impact:
- LOW
- Summary:
- A spear phishing email campaign targeting Office365 users hve observed by Cyble researchers. The same domain has also been onserved hosting several other malware variants, such as Doenerium stealer.
Void_Balaur_hack_for_hire_campaigns
MEDIUM
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- Void_Balaur_hack_for_hire_campaigns
- Date of Scan:
- 2022-09-29
- Impact:
- MEDIUM
- Summary:
- SentinelOne researchers have observed the cyber mercenary group known as Void Balaur continues to expand its hack-for-hire campaigns and targeting of a wide variety of individuals and organizations across the globe.
LockBit_3_0_Ransomware_Spreading_via_Word_Documents
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- LockBit_3_0_Ransomware_Spreading_via_Word_Documents
- Date of Scan:
- 2022-09-29
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that LockBit 3.0 ransomware distributed while disguised as job application emails in NSIS format is also being distributed in Word document format.
A_Trojan_Downloader_Named_NullMixer
LOW
+
—
- Intel Source:
- Securelist
- Intel Name:
- A_Trojan_Downloader_Named_NullMixer
- Date of Scan:
- 2022-09-28
- Impact:
- LOW
- Summary:
- Researchers from Securelist have identified a large proportion of the malware families dropped by NullMixer are classified as Trojan-Downloaders.
Mass_Emailing_campaign_delivering_Agent_Tesla_malware
LOW
+
—
- Intel Source:
- Securelist
- Intel Name:
- Mass_Emailing_campaign_delivering_Agent_Tesla_malware
- Date of Scan:
- 2022-09-28
- Impact:
- LOW
- Summary:
- Researchers from Securelist have discovered a spam campaign that delivers Agent Tesla malware. After analysis, the email messages were pretended as high-quality imitations of business inquiries by real companies.
A_new_variant_of_Graphite_Malware
MEDIUM
+
—
- Intel Source:
- Cluster25
- Intel Name:
- A_new_variant_of_Graphite_Malware
- Date of Scan:
- 2022-09-28
- Impact:
- MEDIUM
- Summary:
- Cluster25 researchers have analyzed a lure document used to implant a variant of Graphite malware, which is linked to the threat actor known as APT28.
Malicious_NPM_package_discovered_in_supply_chain_attack
MEDIUM
+
—
- Intel Source:
- ReversingLab
- Intel Name:
- Malicious_NPM_package_discovered_in_supply_chain_attack
- Date of Scan:
- 2022-09-28
- Impact:
- MEDIUM
- Summary:
- Researchers from ReversingLabs have identified the Material Tailwind library is being impersonated for an apparent supply chain attack targeting developers. The team spotted a look-alike NPM package circulating on repositories, intended to trick unwitting developers into using the package in place of the real library.
FARGO_Ransomware_Targeting_Vulnerable_Microsoft_SQL_Servers
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- FARGO_Ransomware_Targeting_Vulnerable_Microsoft_SQL_Servers
- Date of Scan:
- 2022-09-27
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered the distribution of FARGO ransomware that is targeting vulnerable MS-SQL servers. Along with GlobeImposter, FARGO is one of the prominent ransomware that targets vulnerable MS-SQL servers.
BumbleBee_Malware_Deploying_Cobalt_Strike_and_Meterpreter
LOW
+
—
- Intel Source:
- DFIR Report
- Intel Name:
- BumbleBee_Malware_Deploying_Cobalt_Strike_and_Meterpreter
- Date of Scan:
- 2022-09-27
- Impact:
- LOW
- Summary:
- Researchers from DFIR have identified threat actors using BumbleBee malware to deploy Cobalt Strike and Meterpreter. They used RDP and SMB to move around the network looking at backup systems and file shares before being evicted from the network.
Floxif_Malware_Family_Leveraging_Cookies
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Floxif_Malware_Family_Leveraging_Cookies
- Date of Scan:
- 2022-09-27
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed a recently disclosed vulnerability by Vectra that affects Microsoft Teams.
Phishing_Campaign_Targeting_GitHub_Accounts
LOW
+
—
- Intel Source:
- GitHub Blog
- Intel Name:
- Phishing_Campaign_Targeting_GitHub_Accounts
- Date of Scan:
- 2022-09-27
- Impact:
- LOW
- Summary:
- Researchers from GitHub security team have identified that the hackers are targeting GitHub users to steal credentials and two-factor authentication (2FA) codes by impersonating the CircleCI DevOps platform.
Noberus_Ransomware_Continues_to_Develop_its_TTPs
LOW
+
—
- Intel Source:
- Symantec
- Intel Name:
- Noberus_Ransomware_Continues_to_Develop_its_TTPs
- Date of Scan:
- 2022-09-26
- Impact:
- LOW
- Summary:
- Symantec researchers have identified that the Noberus (aka BlackCat, ALPHV) ransomware is using new tactics, tools, and procedures in recent months which making the threat more dangerous than ever.
New_Hacking_Group_Metador_Targeting_Telecommunications_ISPs_and_Universities
MEDIUM
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- New_Hacking_Group_Metador_Targeting_Telecommunications_ISPs_and_Universities
- Date of Scan:
- 2022-09-26
- Impact:
- MEDIUM
- Summary:
- Researchers from SentinelOne have discovered a new threat actor named Matador and targeting telecommunications, internet service providers, and universities in several countries in the Middle East and Africa.
Chinese_Hacker_Group_TA413_Evolves_Capabilities_to_Targeting_Tibetan
LOW
+
—
- Intel Source:
- Recorded Future
- Intel Name:
- Chinese_Hacker_Group_TA413_Evolves_Capabilities_to_Targeting_Tibetan
- Date of Scan:
- 2022-09-26
- Impact:
- LOW
- Summary:
- RecordedFuture researchers have observed the targeting of ethnic and religious minority communities by Chinese state-sponsored groups for surveillance and intelligence-gathering purposes.
Cybercriminals_target_Magento_vulnerability_in_new_wave_of_attacks
LOW
+
—
- Intel Source:
- Sansec
- Intel Name:
- Cybercriminals_target_Magento_vulnerability_in_new_wave_of_attacks
- Date of Scan:
- 2022-09-26
- Impact:
- LOW
- Summary:
- Researchers from Sansec have observed a surge in hacking attempts targeting CVE-2022-24086, a critical Magento 2 vulnerability allowing unauthenticated attackers to execute code on unpatched sites.
NFT_Malware_Gets_New_Evasion_Abilities
LOW
+
—
- Intel Source:
- Morphisec
- Intel Name:
- NFT_Malware_Gets_New_Evasion_Abilities
- Date of Scan:
- 2022-09-26
- Impact:
- LOW
- Summary:
- Researchers from Morphisec have tracked several waves of the NFT malware delivering the Remcos RAT. In June 2022 they found a shift in the crypter used to deliver the Remcos RAT. The Babadeda crypter has now been discarded for a newly staged downloader.
A_Technical_Analysis_of_Lockbit_3_0_Builder
LOW
+
—
- Intel Source:
- Cybergeeks
- Intel Name:
- A_Technical_Analysis_of_Lockbit_3_0_Builder
- Date of Scan:
- 2022-09-26
- Impact:
- LOW
- Summary:
- Researchers from Cybergeeks have analyzed LockBit 3.0 builder that was leaked online on 21st September 2022.
Cybercriminals_are_Increasingly_Using_Domain_Shadowing
MEDIUM
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- Cybercriminals_are_Increasingly_Using_Domain_Shadowing
- Date of Scan:
- 2022-09-23
- Impact:
- MEDIUM
- Summary:
- PaloAlto researchers have discovered that domain shadowing is more widespread than previously thought, discovering 12,197 cases between April and June 2022.
FODHelper_Delivering_Remcos_RAT
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- FODHelper_Delivering_Remcos_RAT
- Date of Scan:
- 2022-09-23
- Impact:
- LOW
- Summary:
- Researchers from SANS have identified a simple batch file that drops a Remcos RAT through an old UAC Bypass technique.
A_Deep_Analysis_of_Lazarus_Group_Rootkit_Attack_Using_BYOVD
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- A_Deep_Analysis_of_Lazarus_Group_Rootkit_Attack_Using_BYOVD
- Date of Scan:
- 2022-09-23
- Impact:
- LOW
- Summary:
- Researchers from ASEC have done a deep analysis of Lazarus Group Rootkit Attack using BYOVD. They are known to be hackers from North Korea, who have attacked various countries in America, Asia, and Europe.
SystemBC_Malware_Turns_Infected_Computers_into_SOCKS5_Proxies
LOW
+
—
- Intel Source:
- BitSight
- Intel Name:
- SystemBC_Malware_Turns_Infected_Computers_into_SOCKS5_Proxies
- Date of Scan:
- 2022-09-23
- Impact:
- LOW
- Summary:
- BitSight researchers have observed that SystemBC malware still turns infected computers into SOCKS5 proxy servers. Most bots cannot be reached from the internet, so this malware uses a backconnect architecture that allows clients to access proxy servers without having to interact directly with them.
Distribution_of_NetSupport_RAT_via_SocGholish
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Distribution_of_NetSupport_RAT_via_SocGholish
- Date of Scan:
- 2022-09-22
- Impact:
- LOW
- Summary:
- Researchers from Cyble have observed that hackers are using fake browser update (SocGholish) to deliver the NetSupport RAT.
Iranian_hackers_Conduct_Cyber_Operations_Against_the_Government_of_Albania
MEDIUM
+
—
- Intel Source:
- CISA
- Intel Name:
- Iranian_hackers_Conduct_Cyber_Operations_Against_the_Government_of_Albania
- Date of Scan:
- 2022-09-22
- Impact:
- MEDIUM
- Summary:
- Researchers from CISA have identified one of the Iranian threat groups behind the destructive attack on the Albanian government's network in July lurking inside its systems for roughly 14 months.
Hackers_Abusing_LinkedIn_Slink_to_Bypass_Secure_Email_Gateway
LOW
+
—
- Intel Source:
- Cofense
- Intel Name:
- Hackers_Abusing_LinkedIn_Slink_to_Bypass_Secure_Email_Gateway
- Date of Scan:
- 2022-09-22
- Impact:
- LOW
- Summary:
- Cofense researchers have observed a phishing campaign that abuses LinkedIn smart links. While exploiting a well-known postal brand is nothing out of the ordinary, these phishing emails continue to pass undetected by popular email gateways.
Diving_Deep_into_Crytox_Ransomware
LOW
+
—
- Intel Source:
- Zscaler
- Intel Name:
- Diving_Deep_into_Crytox_Ransomware
- Date of Scan:
- 2022-09-22
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have done technical analysis of Crytox Ransomware which is multi-stage ransomware with a weak key generation algorithm.
Active_Exploitation_of_Atlassian_Confluence_Vulnerability
LOW
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- Active_Exploitation_of_Atlassian_Confluence_Vulnerability
- Date of Scan:
- 2022-09-22
- Impact:
- LOW
- Summary:
- Researchers from Trendmicro have observed the active exploitation samples abusing the Atlassian Confluence vulnerability (CVE-2022-26134) in the wild for malicious cryptocurrency mining.
Magniber_Ransomware_file_extension_changed_from_jse_to_js
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Magniber_Ransomware_file_extension_changed_from_jse_to_js
- Date of Scan:
- 2022-09-21
- Impact:
- LOW
- Summary:
- Researchers from ASEC have analyzed the Magniber ransomware script and found that is still a javascript but its file extension changed from *.jse to *.js.
Zoom_Users_Targeted_by_Vidar_Stealer
MEDIUM
+
—
- Intel Source:
- Cyble
- Intel Name:
- Zoom_Users_Targeted_by_Vidar_Stealer
- Date of Scan:
- 2022-09-21
- Impact:
- MEDIUM
- Summary:
- The researchers from Cyble have observed numerous fake Zoom sites that look exactly like the real Zoom sites. The purpose of these sites is to distribute malware disguised as the legitimate Zoom application.
Konni_(RAT)_phishing_activity
LOW
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Konni_(RAT)_phishing_activity
- Date of Scan:
- 2022-09-21
- Impact:
- LOW
- Summary:
- Researchers at Fortinet recently caught a sophisticated phishing attempt deploying malware which they tied to APT 37 group's arsenal related to Konni and other RAT.
Attackers_Leveraging_Free_Online_Resources_for_Phishing_Campaigns
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Attackers_Leveraging_Free_Online_Resources_for_Phishing_Campaigns
- Date of Scan:
- 2022-09-21
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed phishing campaigns using free online resources.
Hackers_Leveraging_Browser_Extensions
LOW
+
—
- Intel Source:
- MalwareBytes
- Intel Name:
- Hackers_Leveraging_Browser_Extensions
- Date of Scan:
- 2022-09-21
- Impact:
- LOW
- Summary:
- Malwarebytes researchers have detected a browser extension named PUP.Optional.AdMax. They have claimed to be adblockers and do have some, limited, functionality.
Attackers_Abusing_Google_Tag_Manager_Payment_Card_E-Skimming
LOW
+
—
- Intel Source:
- Recorded Future
- Intel Name:
- Attackers_Abusing_Google_Tag_Manager_Payment_Card_E-Skimming
- Date of Scan:
- 2022-09-21
- Impact:
- LOW
- Summary:
- According to Recorded Future researchers, 569 e-commerce domains have been infected by Magecart e-skimmers that exfiltrate stolen payment card information to GTM-based e-skimmer domains.
Fake_Telegram_Site_Delivering_RAT
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Fake_Telegram_Site_Delivering_RAT
- Date of Scan:
- 2022-09-20
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs team identified a fake Telegram website masquerading as a legitimate website that downloads a malicious installer. This installer abuses the Windows Defender application to perform RAT operations.
The_Ragnar_Locker_ransomware_roundup_cover
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Ragnar_Locker_ransomware_roundup_cover
- Date of Scan:
- 2022-09-20
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs gathered data on ransomware variants of interest that have been gaining traction within the OSINT community and our datasets. The Ransomware Roundup report aimed the Ragnar Locker ransomware to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against this variant.
Microsoft_365_Phishing_Attacks_Targeting_US_Government_Agencies
MEDIUM
+
—
- Intel Source:
- Cofense
- Intel Name:
- Microsoft_365_Phishing_Attacks_Targeting_US_Government_Agencies
- Date of Scan:
- 2022-09-20
- Impact:
- MEDIUM
- Summary:
- Cofense researchers have identified an ongoing phishing campaign targeting U.S. government contractors. In these phishing emails, scammers ask for bids for lucrative government projects, leading users to cloned versions of legitimate government websites.
The_Growth_of_Chromeloader_Malware
LOW
+
—
- Intel Source:
- VMware
- Intel Name:
- The_Growth_of_Chromeloader_Malware
- Date of Scan:
- 2022-09-20
- Impact:
- LOW
- Summary:
- Researchers from VMware have analyzed Chromeloader malware and warned of an ongoing campaign, In the campaign, malicious browser extensions, malware based on node-WebKit, and ransomware are being distributed.
Multiple_Malwares_delivered_by_Excel_Document
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Multiple_Malwares_delivered_by_Excel_Document
- Date of Scan:
- 2022-09-20
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs recently caught captured an Excel document with an embedded malicious file in the wild. After some research on the file, Fortinet reserachers learned that it exploits a particular vulnerability —CVE-2017-11882—to execute malicious code which affecting Microoft Windows platforms and Windows users. Researchers picked the “lsbjqoyofgkmqbuleooykdekgopmtglvjl.exe” file (being saved as “C:\Users\{UserName}\AppData\Roaming\word.exe”) as an example to analyze. It is the latest Formbook sample in the malware sample logs.
Monster_RaaS_campaign_returned_as_a_new_variant
MEDIUM
+
—
- Intel Source:
- BlackBerry
- Intel Name:
- Monster_RaaS_campaign_returned_as_a_new_variant
- Date of Scan:
- 2022-09-20
- Impact:
- MEDIUM
- Summary:
- BlackBerry Research & Intelligence team examined all samples about Monster ransomware which is delivered as a 32-bit binary. A hidden user interface gives threat actors control of multiple features of the ransomware on a victim’s machine, including selective encryption, self-deletion, and control over services and processes. Monster is also highly configurable, so threat actors can set their own custom extension and personalized ransom note.
Preventing_ISO_Malware
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Preventing_ISO_Malware
- Date of Scan:
- 2022-09-19
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed Chromeloader malware. This malware is a malicious extension for your browser, redirecting it to ad sites and hijacking searches. But with the success of this technique recently, I would not be surprised if others will take notice and switch to using it for other things.
The_widespread_of_RedLine_stealer
LOW
+
—
- Intel Source:
- Securelist
- Intel Name:
- The_widespread_of_RedLine_stealer
- Date of Scan:
- 2022-09-19
- Impact:
- LOW
- Summary:
- Securelist's reserachers recently caught a suspicious activity which was a part of collection of malicious programs distributed in the form of a single installation file, self-extracting archive or other file with installer-type functionality.
The_details_of_a_Publicly_Available_Slam_Ransomware_Builder
LOW
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- The_details_of_a_Publicly_Available_Slam_Ransomware_Builder
- Date of Scan:
- 2022-09-19
- Impact:
- LOW
- Summary:
- SentinelOne analysts detailed out thoroughly about Slam Ransomware Builder and how free ransomware builders like Slam offer an easy route into cybercrime and yet present a credible threat to organizations and enterprises. Plus they provided a detailed list of indicators to help security teams detect and protect against Slam ransomware payloads.
TeamTNT_threat_actors_targeting_cloud_environments
LOW
+
—
- Intel Source:
- Aquasec
- Intel Name:
- TeamTNT_threat_actors_targeting_cloud_environments
- Date of Scan:
- 2022-09-19
- Impact:
- LOW
- Summary:
- Aquasec analysts observed and analyzed three different attacks on their honeypots past week. The scripts and malware that were used bear a striking resemblance to none other than the threat actor TeamTNT.
Russia-Nexus_UAC-0113_Emulating_Telecommunication_Providers_in_Ukraine
LOW
+
—
- Intel Source:
- Recorded Future
- Intel Name:
- Russia-Nexus_UAC-0113_Emulating_Telecommunication_Providers_in_Ukraine
- Date of Scan:
- 2022-09-19
- Impact:
- LOW
- Summary:
- Researchers at Insikt Group while monitoring UAC-0113 infrastructure, including the recurring use of dynamic DNS domains masquerading as telecommunication providers operating in Ukraine, which shows that the group's efforts to target entities in Ukraine remains ongoing. Domain masquerades can enable spearphishing campaigns or redirects that pose a threat to victim networks.
PreventingISOMalware
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- PreventingISOMalware
- Date of Scan:
- 2022-09-19
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed Chromeloader malware. This malware is a malicious extension for your browser, redirecting it to ad sites and hijacking searches. But with the success of this technique recently, I would not be surprised if others will take notice and switch to using it for other things.
BlackTech_Threat_Group_ExploitsF5_BIG-IP_Vulnerability
MEDIUM
+
—
- Intel Source:
- JPCERT
- Intel Name:
- BlackTech_Threat_Group_ExploitsF5_BIG-IP_Vulnerability
- Date of Scan:
- 2022-09-16
- Impact:
- MEDIUM
- Summary:
- The JPCERT have identified an attack activity exploiting the F5 BIG-IP vulnerability (CVE-2022-1388) against Japanese organizations. It has been confirmed by the targeted organizations that data in BIG-IP has been compromised.
PrivateLoader_the_most_widely_used_loader_in_2022
LOW
+
—
- Intel Source:
- Sekoia
- Intel Name:
- PrivateLoader_the_most_widely_used_loader_in_2022
- Date of Scan:
- 2022-09-16
- Impact:
- LOW
- Summary:
- PrivateLoader became one of the most widespread loaders used for a PPI service in 2022. SEKOIA analysts tracked PrivateLoader’s network infrastructure for several months and recently conducted an in-depth analysis of the malware. In parallel, we also monitored activities related to the ruzki PPI malware service.
Revived_Version_of_Raccoon_Stealer
LOW
+
—
- Intel Source:
- Cloudsek
- Intel Name:
- Revived_Version_of_Raccoon_Stealer
- Date of Scan:
- 2022-09-16
- Impact:
- LOW
- Summary:
- CloudSEK researchers analyzed a Raccoon malware sample and found it to be an updated version of Raccoon stealer. In underground forums, the developer of Raccoon stealer is very active, regularly updating the malware and posting about new feature builds.
Scammers_Abuse_Microsoft_Edge's_News_Feed_Ads
LOW
+
—
- Intel Source:
- MalwareBytes
- Intel Name:
- Scammers_Abuse_Microsoft_Edge's_News_Feed_Ads
- Date of Scan:
- 2022-09-16
- Impact:
- LOW
- Summary:
- Researchers from Malwarebytes have identified an ongoing malvertising campaign that is injecting ads in the Microsoft Edge News Feed to redirect potential victims to websites pushing tech support scams.
Russia_linked_Gamaredon_APT_Targeting_Ukraine_Using_InfoStealer_Malware
LOW
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Russia_linked_Gamaredon_APT_Targeting_Ukraine_Using_InfoStealer_Malware
- Date of Scan:
- 2022-09-16
- Impact:
- LOW
- Summary:
- Researchers at CiscoTalos have observed that Russian-linked Gamaredon has been targeting Ukrainian government, defense, and law enforcement agencies with a piece of a custom-made information stealer implant.
Hackers_Continue_to_Abuse_Google_Sites_and_Microsoft_Azure
LOW
+
—
- Intel Source:
- Netscope
- Intel Name:
- Hackers_Continue_to_Abuse_Google_Sites_and_Microsoft_Azure
- Date of Scan:
- 2022-09-16
- Impact:
- LOW
- Summary:
- Netskope researchers discovered a phishing campaign where attackers are abusing Google Sites and Microsoft Azure Web Apps to steal cryptocurrency wallets and accounts from Coinbase, MetaMask, Kraken, and Gemini.
Word_Maldoc_With_CustomXML_and_Renamed_VBAProject
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Word_Maldoc_With_CustomXML_and_Renamed_VBAProject
- Date of Scan:
- 2022-09-16
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed samples and found one of them is that the VBA project file (ole file) is named FIzzyWAbnj.bin instead of the usual VBAProject.bin.
Trojanized_Putty_through_Phishing
LOW
+
—
- Intel Source:
- Mandiant
- Intel Name:
- Trojanized_Putty_through_Phishing
- Date of Scan:
- 2022-09-16
- Impact:
- LOW
- Summary:
- Researchers from Mandiant identified a Trojanized Putty ISO payload being delivered through a fabricated job lure spear employed by the threat cluster tracked as UNC4034, suspected to be a part of "Operation Dream Job" campaigns.
Iranian_Cyber_Actors_Exploiting_Known_Vulnerabilities
MEDIUM
+
—
- Intel Source:
- CISA
- Intel Name:
- Iranian_Cyber_Actors_Exploiting_Known_Vulnerabilities
- Date of Scan:
- 2022-09-15
- Impact:
- MEDIUM
- Summary:
- Researchers from CISA have identified Iranian Islamic revolutionary guard corps-affiliated cyber actors exploiting vulnerabilities for data extortion and disk encryption for ransom operations.
Webworm_hackers_modify_old_malware_in_new_attacks
LOW
+
—
- Intel Source:
- Symantec
- Intel Name:
- Webworm_hackers_modify_old_malware_in_new_attacks
- Date of Scan:
- 2022-09-15
- Impact:
- LOW
- Summary:
- Researcher from Symantec have observed that the Chinese 'Webworm' hacking group is experimenting with customizing old malware in new attacks, likely to evade attribution and reduce operations costs.
Malicious_Word_Document_With_a_Frameset
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Malicious_Word_Document_With_a_Frameset
- Date of Scan:
- 2022-09-15
- Impact:
- LOW
- Summary:
- SANS researchers have discovered a malicious Word OOXML document (the new ".docx" format) that is a simple downloader. No malicious code is contained in this document, but merely a reference to a second stage which will be delivered when the document is opened.
Exploiting_Notepad++_Plugins_for_Evasion_and_Persistence
LOW
+
—
- Intel Source:
- Cybereason
- Intel Name:
- Exploiting_Notepad++_Plugins_for_Evasion_and_Persistence
- Date of Scan:
- 2022-09-15
- Impact:
- LOW
- Summary:
- Researchers from Cybereason have analyzed a specific technique that leverages Notepad++ plugins to persist and evade security mechanisms on a machine.
One_of_the_most_used_infostealer_Erbium
LOW
+
—
- Intel Source:
- Cluster25
- Intel Name:
- One_of_the_most_used_infostealer_Erbium
- Date of Scan:
- 2022-09-15
- Impact:
- LOW
- Summary:
- Cluster25' analysts observed that Erbium can become one of the most used infostealer by cyber criminals due to its wide range of capabilities and due to the growing demand for M-a-a-S.
Greek_Banking_Users_Targeted_in_Phishing_Campaign
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Greek_Banking_Users_Targeted_in_Phishing_Campaign
- Date of Scan:
- 2022-09-15
- Impact:
- LOW
- Summary:
- Researchers from Cyble discovered multiple URLs hosting pages pretending to be Greece's tax refund website. In order to transfer funds, users must confirm their current account number and the amount of their tax refund.
Japanese_Taxpayers_Targeted_in_Phishing_Campaign
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Japanese_Taxpayers_Targeted_in_Phishing_Campaign
- Date of Scan:
- 2022-09-15
- Impact:
- LOW
- Summary:
- Researchers from Cyble Research & Intelligence Labs discovered a new phishing campaign imitating the National Tax Agency, which targets Japanese users by tricking them into sharing sensitive information.
Hackers_Are_Using_Name_of_Queen_Elizabeth_II_in_Phishing_Attacks
LOW
+
—
- Intel Source:
- ProofPoint
- Intel Name:
- Hackers_Are_Using_Name_of_Queen_Elizabeth_II_in_Phishing_Attacks
- Date of Scan:
- 2022-09-15
- Impact:
- LOW
- Summary:
- Researchers at Proofpoint have identified threat actors exploiting the death of Queen Elizabeth II in phishing attacks to steal their targets' Microsoft accounts.
Hackers_Exploiting_Oracle_WebLogic_Server_Vulnerabilities
MEDIUM
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- Hackers_Exploiting_Oracle_WebLogic_Server_Vulnerabilities
- Date of Scan:
- 2022-09-14
- Impact:
- MEDIUM
- Summary:
- Trendmicro researchers have observed malicious actors exploiting both newly disclosed and older Oracle WebLogic Server vulnerabilities to deliver cryptocurrency-mining malware.
A_new_variant_of_Agent_Tesla
LOW
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- A_new_variant_of_Agent_Tesla
- Date of Scan:
- 2022-09-14
- Impact:
- LOW
- Summary:
- The Agent Tesla keylogger’s developers announced and posted on the Agent Tesla Discord server that people should switch over to a new keylogger OriginLogger, a powerful software like Agent Tesla. OriginLogger is an AT-based software and has all the features. OriginLogger is a variant of Agent Tesla. As such, the majority of tools and detections for Agent Tesla will still trigger on OriginLogger samples.
New_Linux_SideWalk_backdoor_Variant_used_by_SparklingGoblin_APT_Hackers
LOW
+
—
- Intel Source:
- WeliveSecurity
- Intel Name:
- New_Linux_SideWalk_backdoor_Variant_used_by_SparklingGoblin_APT_Hackers
- Date of Scan:
- 2022-09-14
- Impact:
- LOW
- Summary:
- ESET researchers have discovered a Linux variant of the SideWalk backdoor used by SparklingGoblin. This is a group of APTs that partially overlaps with APT41 and BARIUM in terms of its tactics, techniques, and procedures.
Easy_Process_Injection_within_Python
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Easy_Process_Injection_within_Python
- Date of Scan:
- 2022-09-14
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed malicious Python scripts. It can call any Microsoft API and perform process injection using the classic VirtualAlloc, CreateRemoteThreat, etc.
A_detailed_Analysis_of_Iranian_COBALT_MIRAGE_Threat_Group
LOW
+
—
- Intel Source:
- Secureworks
- Intel Name:
- A_detailed_Analysis_of_Iranian_COBALT_MIRAGE_Threat_Group
- Date of Scan:
- 2022-09-14
- Impact:
- LOW
- Summary:
- Researchers at Secureworks have analyzed ransomware incidents and uncovered details about Iranian COBALT MIRAGE operations. During this incident, COBALT MIRAGE exploited ProxyShell vulnerabilities (CVE-2021-34473, 2021-34523, and 2021-30207).
A_distribution_of_masking_phishing_websites
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- A_distribution_of_masking_phishing_websites
- Date of Scan:
- 2022-09-14
- Impact:
- LOW
- Summary:
- During the collecting of various malware strains the ASEC analysts caught one targeting Korean users, which was being distributed continuously to Korean email accounts only since August. This phishing website’s URL is not only distributed through email but is also exposed among the top search results of the Google search engine.
Ransomware_Campaigns_Linked_to_Iranian_Govt's_DEV_0270_Hackers
LOW
+
—
- Intel Source:
- Microsoft
- Intel Name:
- Ransomware_Campaigns_Linked_to_Iranian_Govt's_DEV_0270_Hackers
- Date of Scan:
- 2022-09-13
- Impact:
- LOW
- Summary:
- Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS.
Mitel_VoIP_Appliance_Vulnerability_Exploited_by_Lorenz_Ransomware_Group
LOW
+
—
- Intel Source:
- Arcticwolf
- Intel Name:
- Mitel_VoIP_Appliance_Vulnerability_Exploited_by_Lorenz_Ransomware_Group
- Date of Scan:
- 2022-09-13
- Impact:
- LOW
- Summary:
- The Lorenz ransomware group was seen exploiting a critical-severity vulnerability in Mitel MiVoice VoIP appliance for initial access into a victim’s network, Arctic Wolf cybersecurity firm researchers reported.
New_Espionage_Activity_Targeting_Asian_Governments
LOW
+
—
- Intel Source:
- Symantec
- Intel Name:
- New_Espionage_Activity_Targeting_Asian_Governments
- Date of Scan:
- 2022-09-13
- Impact:
- LOW
- Summary:
- Researchers from Symantec have identified a campaign that targets government and state-owned organizations in several Asian countries, including the offices of multiple prime ministers or heads of government.
Iranian_Hackers_Targeting_Nuclear_Security_and_Genomic_Research
LOW
+
—
- Intel Source:
- ProofPoint
- Intel Name:
- Iranian_Hackers_Targeting_Nuclear_Security_and_Genomic_Research
- Date of Scan:
- 2022-09-13
- Impact:
- LOW
- Summary:
- Proofpoint researchers have discovered a cyberespionage campaign conducted by TA453 threat actors linked to Iran. It targeted individuals specializing in nuclear security, Middle Eastern affairs, and genome research. To target their victims, threat actors used at least two actor-controlled personas.
Phishing_Word_Documents_with_Suspicious_URL
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Phishing_Word_Documents_with_Suspicious_URL
- Date of Scan:
- 2022-09-12
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed a quarantined email that is marked as phishing by Defender with the Subject: Urgent Payment Issue.
A_new_form_of_delivery_of_the_Lampion_banking_trojan
LOW
+
—
- Intel Source:
- Cofense
- Intel Name:
- A_new_form_of_delivery_of_the_Lampion_banking_trojan
- Date of Scan:
- 2022-09-12
- Impact:
- LOW
- Summary:
- Threat actors have been spotted by PDC analyst using a new form of Lampion malware thru using of a VBS loader. Using the trusted cloud platform used for payments, WeTransfer, threat actors are attempting to gain the trust of users while taking advantage of the service provided by the popular site.
Diving_Deep_into_Emotet_Malware
LOW
+
—
- Intel Source:
- DFIR Report
- Intel Name:
- Diving_Deep_into_Emotet_Malware
- Date of Scan:
- 2022-09-12
- Impact:
- LOW
- Summary:
- Researchers from DFIR have done a deep analysis of Emotet Malware
Lazarus_Hackers_Targeting_Energy_Providers_Around_the_World
MEDIUM
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Lazarus_Hackers_Targeting_Energy_Providers_Around_the_World
- Date of Scan:
- 2022-09-09
- Impact:
- MEDIUM
- Summary:
- A CiscoTalos study discovered that North Korea-linked Lazarus Group targeted energy providers around the world from February through July 2022, including U.S., Canadian, and Japanese companies.
Ransomware_Developers_Leveraging_Intermittent_Encryption_to_Avoid_Detection
LOW
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- Ransomware_Developers_Leveraging_Intermittent_Encryption_to_Avoid_Detection
- Date of Scan:
- 2022-09-09
- Impact:
- LOW
- Summary:
- SentinelOne researchers have observed that ransomware developers use intermittent encryption to evade detection. As a result of this encryption method, ransomware operators are able to evade detection systems and encrypt victims' files more quickly.
Bronze_President_Group_Targeting_Government_Officials
LOW
+
—
- Intel Source:
- Secureworks
- Intel Name:
- Bronze_President_Group_Targeting_Government_Officials
- Date of Scan:
- 2022-09-09
- Impact:
- LOW
- Summary:
- Researchers from Secureworks have identified a PlugX malware campaign targeting computers belonging to government officials of several countries in Europe, the Middle East, and South America.
A_Deep_Investigation_of_Albanian_Government_Cyberattacks
LOW
+
—
- Intel Source:
- Microsoft
- Intel Name:
- A_Deep_Investigation_of_Albanian_Government_Cyberattacks
- Date of Scan:
- 2022-09-09
- Impact:
- LOW
- Summary:
- Microsoft researchers investigated Albanian government cyberattacks which disrupt public services and government websites. Besides the destructive cyberattack, MSTIC reports that an Iranian state-sponsored actor released sensitive information that had already been exfiltrated.
Collecting_Credentials_Through_Third-Party_Software
LOW
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- Collecting_Credentials_Through_Third-Party_Software
- Date of Scan:
- 2022-09-09
- Impact:
- LOW
- Summary:
- PaloAlto researchers explored some common third-party software scenarios related to credential gathering, examining how passwords are stored, retrieved, and monitored based on real-world attack scenarios.
An_Unusual_Case_of_Monti_Ransomware
LOW
+
—
- Intel Source:
- BlackBerry
- Intel Name:
- An_Unusual_Case_of_Monti_Ransomware
- Date of Scan:
- 2022-09-08
- Impact:
- LOW
- Summary:
- The BlackBerry Incident Response team have investigated an attack by a previously unknown group, calling itself "MONTI," which encrypted nearly 20 user hosts as well as a multi-host VMware ESXi cluster that brought down over 20 servers.
Conti_Cybercrime_Hackers_Targeting_Ukraine
LOW
+
—
- Intel Source:
- Google blog
- Intel Name:
- Conti_Cybercrime_Hackers_Targeting_Ukraine
- Date of Scan:
- 2022-09-08
- Impact:
- LOW
- Summary:
- Researchers from Google Threat Analysis Group have identified some former Conti ransomware gang members are now part of a threat group tracked as UAC-0098, which is targeting Ukrainian organizations and European non-governmental organizations.
Moobot_Botnet_Targeting_Unpatched_D-Link_Routers
LOW
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- Moobot_Botnet_Targeting_Unpatched_D-Link_Routers
- Date of Scan:
- 2022-09-08
- Impact:
- LOW
- Summary:
- Researchers from PaloAlto have discovered attacks leveraging several vulnerabilities in D-Link routers and the vulnerabilities exploited include CVE-2015-2051, CVE-2018-6530, CVE-2022-26258, and CVE-2022-28958.
A_new_remote_access_trojan_MagicRAT
LOW
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- A_new_remote_access_trojan_MagicRAT
- Date of Scan:
- 2022-09-08
- Impact:
- LOW
- Summary:
- Researchers at Cisco Talos have observed a new Remote Access Trojan from the Lazarus APT group being exploited in the wild for arbitrary command execution.
Vice_Society_Ransomware_Targeting_Education_Sector
LOW
+
—
- Intel Source:
- CISA
- Intel Name:
- Vice_Society_Ransomware_Targeting_Education_Sector
- Date of Scan:
- 2022-09-08
- Impact:
- LOW
- Summary:
- The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks and they provided the network defenders with Vice Society IOCs and TTPs observed by the FBI in attacks for September 2022.
A_Deep_Examination_of_PlugX_RAT_Loader
LOW
+
—
- Intel Source:
- Cybereason
- Intel Name:
- A_Deep_Examination_of_PlugX_RAT_Loader
- Date of Scan:
- 2022-09-08
- Impact:
- LOW
- Summary:
- Cybereason researchers have investigated PlugX malware, a Remote Access Tool/Trojan (RAT) often used by Asian APT groups like APT27. With its many malicious "plugins," the malware has backdoor capabilities that allow it to take complete control over the environment.
Zero-Day_Vulnerability_Exploited_in_BackupBuddy_Plugin
LOW
+
—
- Intel Source:
- Wordsfence
- Intel Name:
- Zero-Day_Vulnerability_Exploited_in_BackupBuddy_Plugin
- Date of Scan:
- 2022-09-08
- Impact:
- LOW
- Summary:
- Wordfence's Threat Intelligence team have discovered a zero-day vulnerability being actively exploited in BackupBuddy. It is a WordPress plugin with approximately 140,000 installations. The vulnerability allows unauthenticated users to download sensitive information from the affected site.
Bumblebee_Malware_Back_With_New_Technique
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Bumblebee_Malware_Back_With_New_Technique
- Date of Scan:
- 2022-09-08
- Impact:
- LOW
- Summary:
- Researchers from Cyble have came across a Twitter post wherein a researcher mentioned an interesting infection chain of the Bumblebee loader malware being distributed via spam campaigns.
In-depth_exploration_of_APT42
LOW
+
—
- Intel Source:
- Mandiant
- Intel Name:
- In-depth_exploration_of_APT42
- Date of Scan:
- 2022-09-08
- Impact:
- LOW
- Summary:
- Mandiant researchers have conducted a deep analysis of APT42 and published a report. This report examines APT42's recent and historical activities, its tactics, techniques, and procedures, targeting patterns, and historical connections to APT35.
Worok_Hackers_Targeting_Asian_Companies_and_Governments
LOW
+
—
- Intel Source:
- WeliveSecurity
- Intel Name:
- Worok_Hackers_Targeting_Asian_Companies_and_Governments
- Date of Scan:
- 2022-09-07
- Impact:
- LOW
- Summary:
- The new cyberespionage group Worok have discovered by WeLiveSecuruty reserachers which targeted attacks that used undocumented tools against various high-profile companies and local governments mostly in Asia.
Diving_Deep_into_TA505_Group
LOW
+
—
- Intel Source:
- PRODAFT
- Intel Name:
- Diving_Deep_into_TA505_Group
- Date of Scan:
- 2022-09-07
- Impact:
- LOW
- Summary:
- Researchers from PRODAFT Threat Intelligence team have done in-depth analysis of TA505 Group. Also, identified the group’s control panel and used it to glean insight into how the organization works.
Cyber_Attackers_Leveraging_Red_Teaming_Tools
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Cyber_Attackers_Leveraging_Red_Teaming_Tools
- Date of Scan:
- 2022-09-07
- Impact:
- LOW
- Summary:
- Cyble Researchers have discovered threat actors actively using PowerShell Empire to spread multiple infections and also employ these tools to perform highly stealthy and dangerous attacks against their targets.
The_Ares_Banking_Trojan_Updated_with_Domain_Generation_Algorithm
LOW
+
—
- Intel Source:
- Zscaler
- Intel Name:
- The_Ares_Banking_Trojan_Updated_with_Domain_Generation_Algorithm
- Date of Scan:
- 2022-09-07
- Impact:
- LOW
- Summary:
- In an update to the Ares banking trojan, researchers at Zscaler ThreatLabz observed a domain generation algorithm (DGA) that resembles Qakbot's. Threat actors attempt to maximize the life of an infection, which provides them with the opportunity to monetize compromised systems through wire fraud and ransomware attacks.
DangerousSavanna_Malicious_Campaign_Targeting_Financial_Institutions
LOW
+
—
- Intel Source:
- Checkpoint
- Intel Name:
- DangerousSavanna_Malicious_Campaign_Targeting_Financial_Institutions
- Date of Scan:
- 2022-09-06
- Impact:
- LOW
- Summary:
- Researchers from Checkpoint have analysied a malicious campaign called DangerousSavanna which has been targeting multiple major financial service groups in French-speaking Africa for the last two years.
Shikitega_Malware_Targeting_Linux
MEDIUM
+
—
- Intel Source:
- AT&T
- Intel Name:
- Shikitega_Malware_Targeting_Linux
- Date of Scan:
- 2022-09-06
- Impact:
- MEDIUM
- Summary:
- Researchers from AT&T Alien Labs have discovered a new malware named Shikitega targeting endpoints and IoT devices that are running Linux operating systems.
A_Detailed_Analysis_of_Mythic_C2_Framework
LOW
+
—
- Intel Source:
- TeamCymru
- Intel Name:
- A_Detailed_Analysis_of_Mythic_C2_Framework
- Date of Scan:
- 2022-09-06
- Impact:
- LOW
- Summary:
- Researchers from TeamCymru have done detailed examinations of Mythic C2 Framework. It is a free-to-use, open-source tool, written in Python and provides cross-platform payload creation options for Linux, MacOS, and Windows.
NoName057(16)_Hacker_Group_Targeting_Ukraine_Supporters_with_DDoS_Attack
LOW
+
—
- Intel Source:
- Avast
- Intel Name:
- NoName057(16)_Hacker_Group_Targeting_Ukraine_Supporters_with_DDoS_Attack
- Date of Scan:
- 2022-09-06
- Impact:
- LOW
- Summary:
- Researchers from Avast Threat Lab have identified a Pro-Russian Group named NoName057(16) that is performing DDoS attacks on websites belonging to governments, news agencies, armies, suppliers, telecommunications companies, transportation authorities, financial institutions, and more in Ukraine and neighboring countries supporting Ukraine, like Ukraine itself, Estonia, Lithuania, Norway, and Poland
Play_Ransomware_Following_the_Tactics_of_Hive_and_Nokoyawa_Ransomware
LOW
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- Play_Ransomware_Following_the_Tactics_of_Hive_and_Nokoyawa_Ransomware
- Date of Scan:
- 2022-09-06
- Impact:
- LOW
- Summary:
- Trendmicro researchers have investigated Play ransomware and found It uses many tactics that follow the playbook of both Hive and Nokoyawa ransomware, including similarities in the file names and file paths of their respective tools and payloads.
A_New_CodeRAT_is_Being_Exposed
LOW
+
—
- Intel Source:
- SafeBreach
- Intel Name:
- A_New_CodeRAT_is_Being_Exposed
- Date of Scan:
- 2022-09-05
- Impact:
- LOW
- Summary:
- SafeBreach Labs researchers have discovered a new targeted attack and uncovered New Remote Access Trojan. It is targeting Farsi-speaking code developers using a Microsoft Dynamic Data Exchange (DDE) exploit.
HWP_File_Exploit_OLE_Objects_and_Flash_Vulnerabilities
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- HWP_File_Exploit_OLE_Objects_and_Flash_Vulnerabilities
- Date of Scan:
- 2022-09-05
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified a malicious HWP file that exploits OLE objects and flash vulnerabilities. The identified HWP file includes OLE objects, and the corresponding files are generated in the %TEMP% folder when the HWP file is opened.
BumbleBee_is_Refactored_Version_of_Bookworm_Backdoor
LOW
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- BumbleBee_is_Refactored_Version_of_Bookworm_Backdoor
- Date of Scan:
- 2022-09-05
- Impact:
- LOW
- Summary:
- Researchers from Trendmicro analyzed a backdoor with a unique modular architecture and named it BumbleBee due to a string embedded in it. The features of BumbleBee and Bookworm are similar, so BumbleBee is likely to be a refactored version of the latter and target Asian local governments.
EvilProxy_PhaaS_with_MFA_Bypass_Rising_in_DarkWeb
LOW
+
—
- Intel Source:
- Resecurity
- Intel Name:
- EvilProxy_PhaaS_with_MFA_Bypass_Rising_in_DarkWeb
- Date of Scan:
- 2022-09-05
- Impact:
- LOW
- Summary:
- Researchers from Resecurity have identified a new Phishing-as-a-Service (PhaaS) called EvilProxy advertised in the Dark Web. The threat actors are using Reverse Proxy and Cookie Injection methods to bypass 2FA authentication.
The_Evidence_of_Connection_between_Raspberry_Robin_malware_and_Dridex
LOW
+
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- The_Evidence_of_Connection_between_Raspberry_Robin_malware_and_Dridex
- Date of Scan:
- 2022-09-02
- Impact:
- LOW
- Summary:
- Researchers from IBM have identified functional similarities between a malicious component used in the Raspberry Robin infection chain and a Dridex malware loader, further strengthening the operators' connections to the Russia-based Evil Corp group.
Diving_Deep_into_BianLian_Ransomware
MEDIUM
+
—
- Intel Source:
- Redacted
- Intel Name:
- Diving_Deep_into_BianLian_Ransomware
- Date of Scan:
- 2022-09-02
- Impact:
- MEDIUM
- Summary:
- Researchers from Redacted have observed the BianLian threat actor tripling their known command and control (C2) infrastructure in the month of August, suggesting a possible increase in the actor’s operational tempo.
Ransomware_targating_Microsoft_and_VMware_ESXiservers
LOW
+
—
- Intel Source:
- CSIRT
- Intel Name:
- Ransomware_targating_Microsoft_and_VMware_ESXiservers
- Date of Scan:
- 2022-09-02
- Impact:
- LOW
- Summary:
- CSIRT have reported an incident that affected a government service. The incident corresponds to ransomware that affected Microsoft and VMware ESXi servers in the corporate networks of the institution.
ELF_Based_Ransomware_targating_Linux_system
LOW
+
—
- Intel Source:
- Uptycs
- Intel Name:
- ELF_Based_Ransomware_targating_Linux_system
- Date of Scan:
- 2022-09-02
- Impact:
- LOW
- Summary:
- Researchers from Uptycs have observed an Executable and Linkable Format (ELF) ransomware which encrypts the files inside Linux systems based on the given folder path and they dropped a README note.
A_Detailed_Analysis_of_Redeemer_Ransomware
LOW
+
—
- Intel Source:
- Cloudsek
- Intel Name:
- A_Detailed_Analysis_of_Redeemer_Ransomware
- Date of Scan:
- 2022-09-02
- Impact:
- LOW
- Summary:
- Researchers from CloudSEK have deeply analyzed Redeemer Ransomware. It was initially identified in June 2021, and since then, four public versions (1.0, 1.5, 1.7, and 2.0) have been released.
Prynt_Stealer_Malware_Secret_Backdoor_Exposed
LOW
+
—
- Intel Source:
- Zscaler
- Intel Name:
- Prynt_Stealer_Malware_Secret_Backdoor_Exposed
- Date of Scan:
- 2022-09-02
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have uncovered the Prynt Stealer builder, attributed with WorldWind, and DarkEye has a secret backdoor in the code that ends up in every derivative copy and variant of these malware families.
Snake_Keylogger_Returns_with_New_Malspam_Campaign
LOW
+
—
- Intel Source:
- BitDefender
- Intel Name:
- Snake_Keylogger_Returns_with_New_Malspam_Campaign
- Date of Scan:
- 2022-09-02
- Impact:
- LOW
- Summary:
- According to BitDefender researchers, the IP addresses used in the attack originated from Vietnam, while the campaign's main targets were based in the USA. To lure victims into opening ZIP archives, attackers use the profile of one of Qatar's largest IT and cloud service providers. It contains an executable called CPMPANY PROFILE.exe.
A_new_wild_version_of_ChromeLoader
LOW
+
—
- Intel Source:
- Cyber Geeks
- Intel Name:
- A_new_wild_version_of_ChromeLoader
- Date of Scan:
- 2022-09-01
- Impact:
- LOW
- Summary:
- Cybergeeks analyzed a new version of ChromeLoader (also known as Choziosi Loader)last couple weeks weeks and it appears that this campaign that has become widespread and has spawned multiple versions, making atomic indicators ineffective for detections.
Malicious_MS_Word_Files_Targeting_North_Korea
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Malicious_MS_Word_Files_Targeting_North_Korea
- Date of Scan:
- 2022-09-01
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered the continuous distribution of malicious Word files targeting specific individuals related to national defense and North Korea. Most of the confirmed Word files had filenames that included the names of individuals related to North Korea.
RAT_Tool_Distributed_on_Github_as_Solution_File
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- RAT_Tool_Distributed_on_Github_as_Solution_File
- Date of Scan:
- 2022-09-01
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered a RAT Tool disguised as a solution file (*.sln) on GitHub. To avoid detection, the malware disguised itself as a solution file. Upon execution, it injects into normal Windows programs, such as AppLaunch.exe, RegAsm.exe, and InstallUtil.exe, to run a RAT.
Hackers_Leveraging_Fast_Reverse_Proxy_tool_to_Attack_Korean_Companies
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Hackers_Leveraging_Fast_Reverse_Proxy_tool_to_Attack_Korean_Companies
- Date of Scan:
- 2022-09-01
- Impact:
- LOW
- Summary:
- ASEC researchers have identified hackers scanning and attacking externally accessible corporate PCs such as IIS web servers or MS Exchange servers. Afterward, they use Webshell to access a part of the system and abuse Potato or Exploit tools that support privilege escalation, thereby obtaining system privileges.
Ragnar_Locker_Ransomware_Targeting_Energy_Sector
LOW
+
—
- Intel Source:
- Cybereason
- Intel Name:
- Ragnar_Locker_Ransomware_Targeting_Energy_Sector
- Date of Scan:
- 2022-09-01
- Impact:
- LOW
- Summary:
- Researchers from Cybereason have investigated the Ragnar Locker malware family, a ransomware and a ransomware operator which has recently claimed to have breached DESFA, a Greek pipeline company.
Diving_Deep_into_Industrial_Espionage_Operation
LOW
+
—
- Intel Source:
- BitDefender
- Intel Name:
- Diving_Deep_into_Industrial_Espionage_Operation
- Date of Scan:
- 2022-09-01
- Impact:
- LOW
- Summary:
- BitDefender researchers have analyzed corporate espionage in depth. As it is one of the common misconceptions that espionage is affecting only large corporations or government entities, but it is more common than expected.
The_cash_payments_online_fraud
LOW
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- The_cash_payments_online_fraud
- Date of Scan:
- 2022-09-01
- Impact:
- LOW
- Summary:
- CERT-UA observed an increase in the number of scam pages in the Facebook social network. The content of these pages refers to the topic of monetary compensation, the eHelp platform, financial assistance from various organizations and partners.
MagecartJavaScriptSkimmerStealingPaymentInformation
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- MagecartJavaScriptSkimmerStealingPaymentInformation
- Date of Scan:
- 2022-09-01
- Impact:
- LOW
- Summary:
- Researchers from Cyble Intelligence Labs have identified that JavaScript skimmer created by the Magecart threat group has been stealing payment information from the Magento e-commerce website.
The_AgentTesla_malware_increased_distribution
LOW
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- The_AgentTesla_malware_increased_distribution
- Date of Scan:
- 2022-09-01
- Impact:
- LOW
- Summary:
- CERT-UA has tracked mass mailings of emails with the topic "Technisches Zeichnen" and attached to the e-mail is an IMG file containing a CHM file of the same name, opening which will execute JavaScript code.
VBScript_downloads_a_malicious_HWP_file
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- VBScript_downloads_a_malicious_HWP_file
- Date of Scan:
- 2022-09-01
- Impact:
- LOW
- Summary:
- Researchers from ASEC team have discovered a VBScript that downloads a malicious HWP file and the distribution path of malware is yet to be determined, but the VBScript is downloaded through curl.
Hackers_Using_ModernLoader_RAT_to_Infect_Systems_with_Stealers_and_Cryptominers
MEDIUM
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Hackers_Using_ModernLoader_RAT_to_Infect_Systems_with_Stealers_and_Cryptominers
- Date of Scan:
- 2022-09-01
- Impact:
- MEDIUM
- Summary:
- Researchers at Cisco Talos have observed three distinct campaigns between March and June 2022 that delivered a number of threats, including the ModernLoader bot, the RedLine information stealer, and cryptocurrency mining malware.
The_activation_of_PureCrypter_Loader_continues
MEDIUM
+
—
- Intel Source:
- Netlab 360
- Intel Name:
- The_activation_of_PureCrypter_Loader_continues
- Date of Scan:
- 2022-08-31
- Impact:
- MEDIUM
- Summary:
- Researchers from Netlab have identified that PureCrypter Loader is continued to be active this year, and spread over 10 other families including Formbook, SnakeKeylogger, AgentTesla, Redline, AsyncRAT, and more.
AsyncRAT_Leveraging_Fully_Undetected_Downloader
LOW
+
—
- Intel Source:
- Netskope
- Intel Name:
- AsyncRAT_Leveraging_Fully_Undetected_Downloader
- Date of Scan:
- 2022-08-30
- Impact:
- LOW
- Summary:
- Researchers from Netskope have analysied the complete infection flow of AsyncRAT, from the FUD BAT downloader spotted by the MalwareHunterTeam to the last payload. Although no AV vendor is detecting the file, it contains many detections via Sigma and IDS rules, as well as by sandboxes used by VirusTotal.
TA423_threat_group_targeting_countries_in_South_China_Sea
MEDIUM
+
—
- Intel Source:
- ProofPoint
- Intel Name:
- TA423_threat_group_targeting_countries_in_South_China_Sea
- Date of Scan:
- 2022-08-30
- Impact:
- MEDIUM
- Summary:
- Researchers from Proofpoint and Pwc threat intelligence team have identified a phishing campaign, running for over a year and currently ongoing, and targeting countries in the South China Sea, as well as further intrusions in Australia, Europe, and the United States.
New_Golang_Attack_Campaign_GO#WEBBFUSCATOR_Leverages_Office_Macros
MEDIUM
+
—
- Intel Source:
- Securonix
- Intel Name:
- New_Golang_Attack_Campaign_GO#WEBBFUSCATOR_Leverages_Office_Macros
- Date of Scan:
- 2022-08-30
- Impact:
- MEDIUM
- Summary:
- Securonix Threat Labs Threat Research Team has analysed recently a unique sample of a persistent Golang-based attack campaign tracked by Securonix as GO#WEBBFUSCATOR who infects the target system with the malware.
Crypto_miners_updated_with_latest_techniques
LOW
+
—
- Intel Source:
- AT&T
- Intel Name:
- Crypto_miners_updated_with_latest_techniques
- Date of Scan:
- 2022-08-30
- Impact:
- LOW
- Summary:
- Researchers from AT&T Alien Labs have provided an overview of an ongoing crypto mining campaign that caught our eye due to the big number of loaders that have shown up during the month of June, as well as how staged the execution is for a simple malware like a miner.
Mini_Stealer_Builder_and_Panel_For_Free
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Mini_Stealer_Builder_and_Panel_For_Free
- Date of Scan:
- 2022-08-30
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs have discovered a post on a cybercrime forum where a Threat Actor released MiniStealer’s builder and panel for free, and they claim that the stealer can target operating systems such as Windows 7, 10, and 11.
A_Crypto_Miner_Malware_Campaign_Named_Nitrokod
LOW
+
—
- Intel Source:
- Checkpoint
- Intel Name:
- A_Crypto_Miner_Malware_Campaign_Named_Nitrokod
- Date of Scan:
- 2022-08-29
- Impact:
- LOW
- Summary:
- Researchers from Checkpoint have detected a cryptomining campaign, called Nitrokod, which potentially infected thousands of machines worldwide. It is created by a Turkish speaking entity and the campaign dropped malware from free software available on popular websites such as Softpedia and uptodown.
TeamTNT_Group_Targeting_Cloud_Instances_and_Containerized_Environments
LOW
+
—
- Intel Source:
- Cloudsek
- Intel Name:
- TeamTNT_Group_Targeting_Cloud_Instances_and_Containerized_Environments
- Date of Scan:
- 2022-08-29
- Impact:
- LOW
- Summary:
- CloudSEK researchers have identified the known threat actor TeamTNT has been targeting cloud instances and containerized environments on systems around the world for at least two years.
Remcos_RAT_updated_with_New_TTPs
LOW
+
—
- Intel Source:
- SocInvestigations
- Intel Name:
- Remcos_RAT_updated_with_New_TTPs
- Date of Scan:
- 2022-08-29
- Impact:
- LOW
- Summary:
- Researchers from SOCInvestigation have identified new TTPs of Remcos RAT. It is a dangerous trojan available to attackers for a relatively low price and it comes equipped with enough robust features to allow attackers to set up their own effective botnets.
The_emerging_of_BlueSky_ransomware
LOW
+
—
- Intel Source:
- Sentilone
- Intel Name:
- The_emerging_of_BlueSky_ransomware
- Date of Scan:
- 2022-08-29
- Impact:
- LOW
- Summary:
- The researchers paid close attention again to BlueSky late June 2022. SentinelOne observed this ransomware has being spread via trojanized downloads from questionable websites as well as in phishing emails.
First_Known_Phishing_Attack_Against_PyPI_Users
LOW
+
—
- Intel Source:
- CheckMarx
- Intel Name:
- First_Known_Phishing_Attack_Against_PyPI_Users
- Date of Scan:
- 2022-08-29
- Impact:
- LOW
- Summary:
- Researchers from CheckMarx have identified an ongoing phishing campaign that aims to steal developer credentials and inject malicious updates to the packages in the repository, and It is the first known phishing attack against Python Package Index, PyPI.
Spear-phishing_and_AiTM_Used_to_Hack_MS_Office_365_Accounts
LOW
+
—
- Intel Source:
- Mitiga
- Intel Name:
- Spear-phishing_and_AiTM_Used_to_Hack_MS_Office_365_Accounts
- Date of Scan:
- 2022-08-29
- Impact:
- LOW
- Summary:
- Mitiga Research Team have identified a sophisticated, advanced business email compromise (BEC) campaign, directly targeting relevant executives of organizations using Office 365.
New_Agenda_Ransomware_Customized_for_Each_Victim
LOW
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- New_Agenda_Ransomware_Customized_for_Each_Victim
- Date of Scan:
- 2022-08-26
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have discovered a new ransomware that is written in the Go programming language and targeting healthcare and education enterprises in Asia and Africa. This ransomware is called Agenda and is customized per victim.
A_deployment_of_32-bits_or_64-bits_malware
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- A_deployment_of_32-bits_or_64-bits_malware
- Date of Scan:
- 2022-08-26
- Impact:
- LOW
- Summary:
- The reseracher did some experiment by dowloading some samples from MalwareBazaar and got a report of some interesting stats based on YARA rules.
A_Dot_Net_Based_Moisha_Ransomware
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- A_Dot_Net_Based_Moisha_Ransomware
- Date of Scan:
- 2022-08-26
- Impact:
- LOW
- Summary:
- Researchers from Cyble have come across a Twitter post about a new ransomware variant named Moisha. A .Net-based ransomware, Moisha was first identified in mid-August 2022, and the name of the TA is PT_MOISHA team.
A_Deep_Analysis_of_Karakurt_Ransomware
LOW
+
—
- Intel Source:
- HC3
- Intel Name:
- A_Deep_Analysis_of_Karakurt_Ransomware
- Date of Scan:
- 2022-08-26
- Impact:
- LOW
- Summary:
- Researchers from HC3 have analyzed Karakurt Threat Profile deeply and identified four attacks affecting the US Healthcare and Public Health Sector since June 2022. The observed attacks have affected an assisted living facility, a dental firm, a healthcare provider, and a hospital.
Iran_Based_Threat_Actor_MERCURY_Leveraging_Exploitation_of_Log4j_2_Vulnerabilities
MEDIUM
+
—
- Intel Source:
- Microsoft
- Intel Name:
- Iran_Based_Threat_Actor_MERCURY_Leveraging_Exploitation_of_Log4j_2_Vulnerabilities
- Date of Scan:
- 2022-08-26
- Impact:
- MEDIUM
- Summary:
- Microsoft Threat Intelligence and 365 Defender Research team have detected Iran-based threat actor MERCURY leveraging exploitation of Log4j 2 vulnerabilities in SysAid applications against organizations all located in Israel.
BleachGap_ransomware_reappeared
LOW
+
—
- Intel Source:
- Labs K7 Security
- Intel Name:
- BleachGap_ransomware_reappeared
- Date of Scan:
- 2022-08-26
- Impact:
- LOW
- Summary:
- Researchers from Labs K7 Security have analyzed the BleachGap ransomware and found that threat actors are modifying the attack techniques of this malware for a possible major attack that might be planned in the future.
Ransomware_Actors_Leveraging_Genshin_Impact_Driver
MEDIUM
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- Ransomware_Actors_Leveraging_Genshin_Impact_Driver
- Date of Scan:
- 2022-08-25
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers investigated the mhyprot2.sys and found a vulnerability of an anti-cheat driver for the popular role-playing game Genshin Impact. The driver is currently being abused by a ransomware actor to kill antivirus processes and services for mass-deploying ransomware.
AgentTesla_is_Back_With_a_New_Campaign
LOW
+
—
- Intel Source:
- Avast
- Intel Name:
- AgentTesla_is_Back_With_a_New_Campaign
- Date of Scan:
- 2022-08-25
- Impact:
- LOW
- Summary:
- Threat researchers from Avast have identified a new malicious campaign and it is threatening businesses around the world. The campaign is targeting users in Spain, Portugal, Romania, and multiple countries in South America.
Multiple_Known_Malware_Findings_from_the_BlackHat_NOC
LOW
+
—
- Intel Source:
- IronNet
- Intel Name:
- Multiple_Known_Malware_Findings_from_the_BlackHat_NOC
- Date of Scan:
- 2022-08-25
- Impact:
- LOW
- Summary:
- IroNet Hunters uncovered several active malware infections on the Black Hat network, including Shlayer malware, North Korean-attributed SHARPEXT malware, and NetSupport RAT malware.
Kimsukys_hackers_using_C2_operations_with_GoldDragon_malware
LOW
+
—
- Intel Source:
- Securelist
- Intel Name:
- Kimsukys_hackers_using_C2_operations_with_GoldDragon_malware
- Date of Scan:
- 2022-08-25
- Impact:
- LOW
- Summary:
- Researchers from Securelist have identified the Kimsuky threat group continuously evolves its malware infection schemes and adopts novel techniques to hinder analysis. It is one of the most prolific and active threat actors on the Korean Peninsula, operates several clusters and GoldDragon malware is one of the most frequently used.
A_0ktapus_Phishing_Campaign
LOW
+
—
- Intel Source:
- Group-IB
- Intel Name:
- A_0ktapus_Phishing_Campaign
- Date of Scan:
- 2022-08-25
- Impact:
- LOW
- Summary:
- Researchers from Group-IB Threat Intelligence Team have detected 169 unique domains involved in the 0ktapus phishing campaign. While analyzing the phishing sites, they found an image that is legitimately used by sites leveraging Okta authentication, being used by the phishing kit.
The_Deep_examination_of_Wiper_Malware
LOW
+
—
- Intel Source:
- Crowdstrike
- Intel Name:
- The_Deep_examination_of_Wiper_Malware
- Date of Scan:
- 2022-08-25
- Impact:
- LOW
- Summary:
- Researchers from CrowdStrikes Research Team have identified how threat actors use legitimate third-party drivers to bypass the visibility and detection capabilities of security mechanisms and solutions.
Threat_Actors_Leveraging_Compromised_Microsoft_Dynamics_365_Voice_Account_for_Phishing_Attack
LOW
+
—
- Intel Source:
- Cofense
- Intel Name:
- Threat_Actors_Leveraging_Compromised_Microsoft_Dynamics_365_Voice_Account_for_Phishing_Attack
- Date of Scan:
- 2022-08-25
- Impact:
- LOW
- Summary:
- Researchers from Cofense have identified a widespread campaign where threat actors use a compromised Dynamics 365 Customer Voice business account and a link posing as a survey to steal Microsoft 365 credentials.
Diving_Deep_into_Qbot_Malware
LOW
+
—
- Intel Source:
- Trellix
- Intel Name:
- Diving_Deep_into_Qbot_Malware
- Date of Scan:
- 2022-08-25
- Impact:
- LOW
- Summary:
- Researchers from the Trellix SecOps team have observed an uptick in the Qbot malware infections in recent months. It is an active threat for over 14 years and continues to evolve, adopting new infection vectors to evade detection mechanisms.
The_active_exploitation_of_multiple_vulnerabilities_and_Exposures_against_Zimbra_Collaboration_Suite
LOW
+
—
- Intel Source:
- CISA
- Intel Name:
- The_active_exploitation_of_multiple_vulnerabilities_and_Exposures_against_Zimbra_Collaboration_Suite
- Date of Scan:
- 2022-08-24
- Impact:
- LOW
- Summary:
- CISA and MS-ISAC researchers have identified cyber threat actors targeting unpatched Zimbra Collaboration Suite instances in both government and private sector networks.
PiratedSoftwareDownloadSitesDeliveringInfoStealerMalware
LOW
+
—
- Intel Source:
- Zscaler
- Intel Name:
- PiratedSoftwareDownloadSitesDeliveringInfoStealerMalware
- Date of Scan:
- 2022-08-24
- Impact:
- LOW
- Summary:
- Researchers from Zscaler Threat Labs have discovered multiple ongoing threat campaigns distributing info-stealer malware by targeting victims trying to download pirated software applications.
BitRAT_and_XMRig_CoinMiner_Leveraging_Windows_License_Verification_Tool
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- BitRAT_and_XMRig_CoinMiner_Leveraging_Windows_License_Verification_Tool
- Date of Scan:
- 2022-08-24
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered the distribution of BitRAT and XMRig CoinMiner disguised as a Windows license verification tool.
Pirated_Software_Download_Sites_Delivering_InfoStealer_Malware
LOW
+
—
- Intel Source:
- Zscaler
- Intel Name:
- Pirated_Software_Download_Sites_Delivering_InfoStealer_Malware
- Date of Scan:
- 2022-08-24
- Impact:
- LOW
- Summary:
- Researchers from Zscaler Threat Labs have discovered multiple ongoing threat campaigns distributing info-stealer malware by targeting victims trying to download pirated software applications.
AsyncRAT_Being_Distributed_in_Fileless_Form
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- AsyncRAT_Being_Distributed_in_Fileless_Form
- Date of Scan:
- 2022-08-24
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered malicious AsyncRAT codes that are being distributed in fileless form. It is executed in fileless form through multiple script files and is thought to be distributed as a compressed file attachment in emails.
Iranian_hackers_Leveraging_New_Tool_to_Steal_Email_From_Victims
LOW
+
—
- Intel Source:
- Google blog
- Intel Name:
- Iranian_hackers_Leveraging_New_Tool_to_Steal_Email_From_Victims
- Date of Scan:
- 2022-08-23
- Impact:
- LOW
- Summary:
- Researchers from Google Threat Analysis Group have observed New Iranian APT data extraction tool called HYPERSCRAPE. It is written in .NET for Windows PCs and is designed to run on the attacker's machine.
XCSSET_Malware_updated_with_latest_version
LOW
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- XCSSET_Malware_updated_with_latest_version
- Date of Scan:
- 2022-08-23
- Impact:
- LOW
- Summary:
- Researchers from SentinelOne have reviewed the changes made to the latest versions of XCSSET malware and reveal some of the contexts in which these threat actors operate.
MalspamusedbyattackerstodeliverAgentTeslaRAT
LOW
+
—
- Intel Source:
- MalwareBytes
- Intel Name:
- MalspamusedbyattackerstodeliverAgentTeslaRAT
- Date of Scan:
- 2022-08-23
- Impact:
- LOW
- Summary:
- Malwarebytes Threat Intelligence researchers have identified spam emails containing images and CHM files. Upon clicking, It's calling PowerShell commands and started executing AgentTesla through RegAsm.exe.
Trends_in_Ukrainian_Domain_attacks
LOW
+
—
- Intel Source:
- Wordsfence
- Intel Name:
- Trends_in_Ukrainian_Domain_attacks
- Date of Scan:
- 2022-08-23
- Impact:
- LOW
- Summary:
- Researchers from Wordfence have identified 16 attack types that triggered more than 85 different firewall rules across protected websites with Ukrainian top-level domains.
IBAN_clipper_malware_targeting_Windows_operating_systems
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- IBAN_clipper_malware_targeting_Windows_operating_systems
- Date of Scan:
- 2022-08-23
- Impact:
- LOW
- Summary:
- Researchers from Cyble Labs have highlighted an International Bank Account Number (IBAN) Clipper Malware after identifying a Threat Actor on a cybercrime forum offering monthly subscription-based services of clipper malware targeting Windows operating systems.
Astaroth_Guildma_malware_pushed_by_malspam
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Astaroth_Guildma_malware_pushed_by_malspam
- Date of Scan:
- 2022-08-23
- Impact:
- LOW
- Summary:
- Researchers from SANS have observed an Astaroth (Guildma) malware infection generated from a malicious Boleto-themed email pretending to be from Grupo Solução & CIA. Boleto is a payment method used in Brazil, while Grupo Solução & CIA is Brazil-based company.
A_Detailed_Analysis_of_PivNoxy_and_Chinoxy_malware
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- A_Detailed_Analysis_of_PivNoxy_and_Chinoxy_malware
- Date of Scan:
- 2022-08-23
- Impact:
- MEDIUM
- Summary:
- Researchers from Fortinet have identified an attack against the telecommunication agency in South Asia that began with a simple email that initially appeared to be a standard malicious spam email message. However, the attached Word document was weaponized using a malicious tool, Royal Road, and is equipped with an exploit for an Equation Editor vulnerability (CVE-2018-0798).
A_malicious_use_of_Tox_protocol_for_coinminers
LOW
+
—
- Intel Source:
- Uptycs
- Intel Name:
- A_malicious_use_of_Tox_protocol_for_coinminers
- Date of Scan:
- 2022-08-23
- Impact:
- LOW
- Summary:
- Researchers from Uptycs have examined malware samples that do not do anything explicitly malicious, but they feel that it might be part of a coinminer campaign. Additionally, they are observing it for the first time where Tox protocol is used to run scripts onto the machine.
XWorm_RAT_with_Ransomware_and_HNVC_attack_capabilities
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- XWorm_RAT_with_Ransomware_and_HNVC_attack_capabilities
- Date of Scan:
- 2022-08-22
- Impact:
- LOW
- Summary:
- Researchers from Cyble labs have discovered a dark web post where a malware developer was advertising a powerful Windows RAT and its redirecting to the website of malware developer, where multiple malicious tools are being sold.
A_malicious_JavaScript_injection_affecting_WordPress_websites
LOW
+
—
- Intel Source:
- Sucuri
- Intel Name:
- A_malicious_JavaScript_injection_affecting_WordPress_websites
- Date of Scan:
- 2022-08-22
- Impact:
- LOW
- Summary:
- A recent spike in JavaScript injections targeting WordPress sites has resulted in fake DDoS prevent prompts which takes victims to download remote access trojan malware was observed and analyzed by Sucuri reserachers
FIN7_rewrite_JSSLoader_malware_with_expanded_capabilities
MEDIUM
+
—
- Intel Source:
- MalwareBytes
- Intel Name:
- FIN7_rewrite_JSSLoader_malware_with_expanded_capabilities
- Date of Scan:
- 2022-08-22
- Impact:
- MEDIUM
- Summary:
- Researchers at Malwarebytes has identified a malspamcampaign in late June that they attribute to the FIN7 APT group. FIN7 has rewritten JSSLoader malware with expanded capabilities as well as new functions that include data exfiltration.
SocGholish_JavaScript_Malware_Back_into_Action
LOW
+
—
- Intel Source:
- Sucuri
- Intel Name:
- SocGholish_JavaScript_Malware_Back_into_Action
- Date of Scan:
- 2022-08-22
- Impact:
- LOW
- Summary:
- Researchers from Sucuri have analysed the SocGholish JavaScript Malware and they are outlining the injections and URLs used in the website malware portion of the SocGholish attack outside of the NDSW/NDSX campaign.
New_BianLian_Ransomware_Targeting_Multiple_Industries
MEDIUM
+
—
- Intel Source:
- Cyble
- Intel Name:
- New_BianLian_Ransomware_Targeting_Multiple_Industries
- Date of Scan:
- 2022-08-22
- Impact:
- MEDIUM
- Summary:
- Researchers from Cyble have observed that malware written in the programming language “Go” has recently been popular among Threat Actors. Also, during their daily threat hunting exercise, they came across a Twitter post about a ransomware variant written in Go named BianLian.
Grandoreiro_Banking_Malware_Targeting_Spanish_and_Mexican_Organizations
LOW
+
—
- Intel Source:
- Zscaler
- Intel Name:
- Grandoreiro_Banking_Malware_Targeting_Spanish_and_Mexican_Organizations
- Date of Scan:
- 2022-08-22
- Impact:
- LOW
- Summary:
- Researchers from Zscaler ThreatLabs have observed a Grandoreiro banking malware campaign. In this campaign, the threat actors impersonate government officials from the Attorney General's Office of Mexico City and from the Public Ministry in the form of spear-phishing emails in order to lure victims to download and execute 'Grandoreiro,' a prolific banking trojan.
ATMZOW_JS_Sniffer_Campaign_Connected_to_Hancitor_Malware
MEDIUM
+
—
- Intel Source:
- Group-IB
- Intel Name:
- ATMZOW_JS_Sniffer_Campaign_Connected_to_Hancitor_Malware
- Date of Scan:
- 2022-08-21
- Impact:
- MEDIUM
- Summary:
- Researchers from Group-IB have identified the connection between ATMZOW JS sniffer campaign and Hancitor malware downloader were both operated by the same threat actor. They have collected information about ATMZOW’s recent activity and found ties with a phishing campaign targeting clients of a US bank based on the same JS obfuscation technique.
APT41_targeted13entitiesinU.S,_Taiwan,_India,_Vietnam_and_China
MEDIUM
+
—
- Intel Source:
- Group-IB
- Intel Name:
- APT41_targeted13entitiesinU.S,_Taiwan,_India,_Vietnam_and_China
- Date of Scan:
- 2022-08-21
- Impact:
- MEDIUM
- Summary:
- GroupIB has been monitoring APT41 activities since 2021 and generated report which documents about their target across 13 organizations geographically spanning across the U.S, Taiwan, India, Vietnam, and China.
TA558_Targets_Hospitality_and_Travel_firms
MEDIUM
+
—
- Intel Source:
- ProofPoint
- Intel Name:
- TA558_Targets_Hospitality_and_Travel_firms
- Date of Scan:
- 2022-08-20
- Impact:
- MEDIUM
- Summary:
- Researchers at ProofPoint has monitoring activities of threat actor TA558 since 2018, and in 2022 the actor has still targeting hospitality, travel and related industries based in Latin America, North America, and western Europe. Moreover currently TA558 has shifted tactics to URLs and container files to distribute malware.
Reemergence_of_Raccoon_Infostealer_Malware_with_New_TTPS
LOW
+
—
- Intel Source:
- SocInvestigations
- Intel Name:
- Reemergence_of_Raccoon_Infostealer_Malware_with_New_TTPS
- Date of Scan:
- 2022-08-19
- Impact:
- LOW
- Summary:
- SocInvestigation researchers found new TTPs of Raccoon Infostealer Malware. It is an info stealer type malware available as malware-as-a-service on underground forums and this is a robust stealer that allows the stealing of data such as passwords, cookies, and autofill data from browsers.
Diving_Deep_into_DarkTortilla_Malware
LOW
+
—
- Intel Source:
- Secureworks
- Intel Name:
- Diving_Deep_into_DarkTortilla_Malware
- Date of Scan:
- 2022-08-19
- Impact:
- LOW
- Summary:
- Researchers from Secureworks Counter Threat Unit have found long-term threat DarkTortilla crypter is still evolving. It usually delivers information stealers and remote access trojans (RATs) like AgentTesla, AsyncRat, NanoCore, and RedLine, though some samples have been seen delivering such targeted payloads as Cobalt Strike and Metasploit.
Malicious_PyPi_packages_turn_Discord_into_info_stealing_malware
LOW
+
—
- Intel Source:
- Securelist
- Intel Name:
- Malicious_PyPi_packages_turn_Discord_into_info_stealing_malware
- Date of Scan:
- 2022-08-19
- Impact:
- LOW
- Summary:
- Researchers from Kaspersky have analyzed two PyPi packages that contain info-stealing malware and also modify the Discord client as well. The stealers in those packages focus on collecting account credentials from cryptocurrency wallets, Steam, and Minecraft, while an injected script monitors for inputs like email addresses, passwords, and billing information.
Attackers_Leveraging_Bumblebee_Loader
LOW
+
—
- Intel Source:
- Cybereason
- Intel Name:
- Attackers_Leveraging_Bumblebee_Loader
- Date of Scan:
- 2022-08-19
- Impact:
- LOW
- Summary:
- Cybereason GSOC team have analyzed a case that involved a Bumblebee Loader infection and its operators conduct intensive reconnaissance activities and redirect the output of executed commands to files for exfiltration.
Lazarus_Group_Targeting_Job_Seekers_with-macOS_Malware
LOW
+
—
- Intel Source:
- ESET
- Intel Name:
- Lazarus_Group_Targeting_Job_Seekers_with-macOS_Malware
- Date of Scan:
- 2022-08-19
- Impact:
- LOW
- Summary:
- Slovak cybersecurity firm ESET have identified the North Korea-backed Lazarus Group targeting job seekers with malware capable of executing on Apple Macs with Intel and M1 chipsets.
Detailed_Analysis_of_Follina_Vulnerability
LOW
+
—
- Intel Source:
- VirusTotal
- Intel Name:
- Detailed_Analysis_of_Follina_Vulnerability
- Date of Scan:
- 2022-08-19
- Impact:
- LOW
- Summary:
- VirusTotal cyber threat hunting team deeply analyzed the Follina vulnerability and provided a high-level overview of all observed attacks with a focus on the ones that took place before the 0-day was publicly disclosed and practical recommendations on how to monitor and hunt Follina samples.
Newly_Active_Malicious_Scanner_IPs
LOW
+
—
- Intel Source:
- Securonix
- Intel Name:
- Newly_Active_Malicious_Scanner_IPs
- Date of Scan:
- 2022-08-19
- Impact:
- LOW
- Summary:
- Internal scan, No git required
Cyber_Weapons_Used_in_the_Ukraine_Russia_War
MEDIUM
+
—
- Intel Source:
- Trustwave
- Intel Name:
- Cyber_Weapons_Used_in_the_Ukraine_Russia_War
- Date of Scan:
- 2022-08-18
- Impact:
- MEDIUM
- Summary:
- Cyberattacks leveraging malware are an important part of modern hybrid war strategy While conventional warfare is conducted on the battlefield and limited by several factors, cyber warfare continues in cyber space, offering the chance to infiltrate and damage targets far behind the frontlines
Iranian_Threat_Actor_UNC3890_targets_Israeli_entities
MEDIUM
+
—
- Intel Source:
- Mandiant
- Intel Name:
- Iranian_Threat_Actor_UNC3890_targets_Israeli_entities
- Date of Scan:
- 2022-08-18
- Impact:
- MEDIUM
- Summary:
- Mandiant researchers found a cyber espionage campaign targeting Israeli entities and organizations of various sectors, including government, shipping, energy and healthcare via social engineering lures and a potential watering hole. The attack have been attributed to UNC3890.
A_new_variant_of_NJRAT
LOW
+
—
- Intel Source:
- Esentire
- Intel Name:
- A_new_variant_of_NJRAT
- Date of Scan:
- 2022-08-18
- Impact:
- LOW
- Summary:
- Esentire Cyber Threat Hunting team have discovered a new variant of NJRAT which is capable of logging keystrokes, viewing the victim’s camera, and remotely controlling the system.
Python_s_Top_Packages_attack
LOW
+
—
- Intel Source:
- CheckMarx
- Intel Name:
- Python_s_Top_Packages_attack
- Date of Scan:
- 2022-08-18
- Impact:
- LOW
- Summary:
- Researchers from Checkmarx security have detected a large-scale attack on the Python ecosystem with multi-stage persistent malware. A PyPi user account published a dozen malicious Typosquatting packages under the names of popular projects with slight permutation.
Diving_deep_into_RedAlphas_cyber_espionage_activity
LOW
+
—
- Intel Source:
- Recorded Future
- Intel Name:
- Diving_deep_into_RedAlphas_cyber_espionage_activity
- Date of Scan:
- 2022-08-17
- Impact:
- LOW
- Summary:
- Researchers from Recordedfuture have analyzed multiple campaigns conducted by the Chinese state-sponsored threat activity group RedAlpha. It is very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations.
Surge_in_attack_through_malicious_Browser_Extension
LOW
+
—
- Intel Source:
- Securelist
- Intel Name:
- Surge_in_attack_through_malicious_Browser_Extension
- Date of Scan:
- 2022-08-17
- Impact:
- LOW
- Summary:
- Securelist analysts documented their findings about multiple Browser Extensions which have been targeting atleast 1.31 million users. The most prevalent threat is a family of adware called WebSearch, which masquerade as PDF viewers.
Trend_Micro_Research_on_Cloud_based_Cryptocurrency_mining
MEDIUM
+
—
- Intel Source:
- Trend Micro
- Intel Name:
- Trend_Micro_Research_on_Cloud_based_Cryptocurrency_mining
- Date of Scan:
- 2022-08-17
- Impact:
- MEDIUM
- Summary:
- TrendMicro in their research document shared their concerns about the impact on organization who running cloud instances and that potential victims of malicious cryptocurrency mining could be from any country or sector, making cloud-based cryptocurrency-mining attacks a global concern for companies.
UAC_0010_Armageddon_leveraging_GammaLoad_and_GammaSteel_malwares
LOW
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC_0010_Armageddon_leveraging_GammaLoad_and_GammaSteel_malwares
- Date of Scan:
- 2022-08-16
- Impact:
- LOW
- Summary:
- CERT-UA has tracked an attack since the first half of 2022, where the distribution of HTM-droppers via email leads to delivery of GammaLoad.PS1 malware and later delivers GammaSteel.PS1.
Phishing_campaign_by_Russian_Threat_Actor_SEABORGIUM
MEDIUM
+
—
- Intel Source:
- Microsoft
- Intel Name:
- Phishing_campaign_by_Russian_Threat_Actor_SEABORGIUM
- Date of Scan:
- 2022-08-16
- Impact:
- MEDIUM
- Summary:
- MSTIC disrupted SEABORGIUM threat actor campaign which belongs to Russia. Its campaigns involve persistent phishing and credential theft campaigns leading to intrusions and data theft.
Russian_hackers_targeting_Ukraine_with_default_Word_template_hijacker
MEDIUM
+
—
- Intel Source:
- Symantec
- Intel Name:
- Russian_hackers_targeting_Ukraine_with_default_Word_template_hijacker
- Date of Scan:
- 2022-08-16
- Impact:
- MEDIUM
- Summary:
- Researchers from Symantec have observed campaigns that show phishing messages carrying a self-extracting 7-Zip archive that fetches an XML file from an “xsph.ru” subdomain associated with Gamaredon since May 2022.
Typhon_Stealer_being_spread_through_Phishing_sites
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Typhon_Stealer_being_spread_through_Phishing_sites
- Date of Scan:
- 2022-08-16
- Impact:
- LOW
- Summary:
- Cyble researchers analyzed a sample url which hosts a Windows executable payload. This Windows executable is a variant of Typhon stealer malware delivered via a crafted .lnk file.
PyPI_Package_Drops_Fileless_Cryptominer_to_Linux_Systems
LOW
+
—
- Intel Source:
- Sonatype
- Intel Name:
- PyPI_Package_Drops_Fileless_Cryptominer_to_Linux_Systems
- Date of Scan:
- 2022-08-16
- Impact:
- LOW
- Summary:
- Researchers from Sonatype have identified a 'secretslib' PyPI package that means 'secrets matching and verification made easy'. On a closer inspection though, the package covertly runs cryptominers on the Linux machine in-memory, a technique largely employed by fileless malware and crypters.
A_chat_application_MiMi_compromised_by_Iron_Tiger_malware
MEDIUM
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- A_chat_application_MiMi_compromised_by_Iron_Tiger_malware
- Date of Scan:
- 2022-08-15
- Impact:
- MEDIUM
- Summary:
- Researchers from TrendMcro discovered a server hosting the malicious samples who compromised chat application Mimi. This sample malware family a HyperBro used by Iron Tiger, an advanced persistent threat (APT) group that has been performing cyberespionage for almost a decade and now targeting Windows and Mac OS.
The_observation_of_Conti_Group_activity_used_by_Russian_threat_actors
MEDIUM
+
—
- Intel Source:
- Weixin
- Intel Name:
- The_observation_of_Conti_Group_activity_used_by_Russian_threat_actors
- Date of Scan:
- 2022-08-15
- Impact:
- MEDIUM
- Summary:
- Qi Anxin Threat Intelligence Center has been tracking on Russian-speaking threat actors and observed that Conti Group used Exchange vulnerabilities to target companies have a label "rich".
MikuBot_spies_on_Victims_using_hidden_VNC
MEDIUM
+
—
- Intel Source:
- Cyble
- Intel Name:
- MikuBot_spies_on_Victims_using_hidden_VNC
- Date of Scan:
- 2022-08-15
- Impact:
- MEDIUM
- Summary:
- Researchers at Cyble Research Labs has identified a new malware called 'MikuBot', which Threat Actor was advertising in cybercrime forums. The bot steals sensitive data and runs hiddden VNC sessions, that allow threat actors to remotely access the target's system.
A_new_deployment_of_CopperStealer_s_distributing_malware
MEDIUM
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- A_new_deployment_of_CopperStealer_s_distributing_malware
- Date of Scan:
- 2022-08-15
- Impact:
- MEDIUM
- Summary:
- TrendMicro shared their analyses with a public on the a new development of CopperStealer distributing malware by abusing browser stealer, adware browser extension, or remote desktop.
A_distribution_of_Monero_CoinMiner_by_Webhards
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- A_distribution_of_Monero_CoinMiner_by_Webhards
- Date of Scan:
- 2022-08-12
- Impact:
- LOW
- Summary:
- The ASEC analysis team has discovered that Monero CoinMiner, also known as XMRig, is being distributed via file-sharing websites such as Korean webhards and torrents.
Zeppelin_Ransomware
MEDIUM
+
—
- Intel Source:
- CISA
- Intel Name:
- Zeppelin_Ransomware
- Date of Scan:
- 2022-08-12
- Impact:
- MEDIUM
- Summary:
- Cyble researchers found an updated Onyx ransomware which is based on Chaos ransomware and that ransomware renamed its leak site from “ONYX NEWS” to “VSOP NEWS.”
A_new_upgrade_on_the_activity_of_APT_C_35_or_DoNot_Team
MEDIUM
+
—
- Intel Source:
- Morphisec
- Intel Name:
- A_new_upgrade_on_the_activity_of_APT_C_35_or_DoNot_Team
- Date of Scan:
- 2022-08-12
- Impact:
- MEDIUM
- Summary:
- Researchers at Morphisec Labs has monitored the activity of DoNot Team/APT-C-35, where the group updates a new module to its Windows framework.
Onyx_Ransomware_s_Recent_Operations
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Onyx_Ransomware_s_Recent_Operations
- Date of Scan:
- 2022-08-12
- Impact:
- LOW
- Summary:
- Cyble researchers found an updated Onyx ransomware which is based on Chaos ransomware and that ransomware renamed its leak site from “ONYX NEWS” to “VSOP NEWS.”
Tropical_Scorpius_deploys_ROMCOM_RAT_in_Cuba_Ransomware_operations
MEDIUM
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- Tropical_Scorpius_deploys_ROMCOM_RAT_in_Cuba_Ransomware_operations
- Date of Scan:
- 2022-08-11
- Impact:
- MEDIUM
- Summary:
- A threat actor Tropical Scorpius dubbed by PaloAlto researchers have changed their TTPs and is also said to be associated with Cuba ransomware operations.
DeathStalker's_VileRAT_continue_target_Foreign_and_Crypto_Exchanges
MEDIUM
+
—
- Intel Source:
- Securelist
- Intel Name:
- DeathStalker's_VileRAT_continue_target_Foreign_and_Crypto_Exchanges
- Date of Scan:
- 2022-08-11
- Impact:
- MEDIUM
- Summary:
- Securelist has shared that the threat actor known as DeathStalker has continued to target and disrupt foreign and cryptocurrency exchanges around the world throughout 2022 using the VileRAT malware. Since late 2021, the infection technique has changed a little bit, but the initial infection vector is still a malicious message is sent to targets via email. In July 2022, Securelist also noticed that the attackers leveraged chatbots that are embedded in targeted companies’ public websites to send malicious DOCX to their targets.
Emotet_re-introduction_SMB_spreader_module
LOW
+
—
- Intel Source:
- Bitsight
- Intel Name:
- Emotet_re-introduction_SMB_spreader_module
- Date of Scan:
- 2022-08-11
- Impact:
- LOW
- Summary:
- Researchers at Bitsight has observed the Emotet botnets version Epoch4 delivering a new module to the infected systems that turned out to be a credit card stealer targeting Google Chrome. Later, they found that Emotet version Epoch4 also re-introduced the SMB spreader module.
BlueSky_Ransomware_targets_Windows_hosts_and_utilizes_multithreading
MEDIUM
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- BlueSky_Ransomware_targets_Windows_hosts_and_utilizes_multithreading
- Date of Scan:
- 2022-08-11
- Impact:
- MEDIUM
- Summary:
- Researchers at Palo Alto has analysed code samples of BlueSky Ranswomware, which they found to be connected with Conti Ransomware Group. The multithreaded structure of BlueSky code similarities with Conti V3. Moreover, BlueSky also closely resembles algorithm for file encryption with Babuk Ransomware too.
AiTM_attack_targets_Gmail_Enterprise_users
MEDIUM
+
—
- Intel Source:
- Zscaler
- Intel Name:
- AiTM_attack_targets_Gmail_Enterprise_users
- Date of Scan:
- 2022-08-11
- Impact:
- MEDIUM
- Summary:
- Zscaler researchers followed upon their last findings about AiTM phishing campaign againts the Microsoft email services and found that same campaign has been targeting enterprise users of Gmail.
Raspberry_Robin_tries_to_remain_undetected
MEDIUM
+
—
- Intel Source:
- Cisco
- Intel Name:
- Raspberry_Robin_tries_to_remain_undetected
- Date of Scan:
- 2022-08-11
- Impact:
- MEDIUM
- Summary:
- Researchers at Cisco has analysed a distingushed pattern of msiexec.exe usage across different endpoints. As they drilled down to individual assets, they found traces of Raspberry Robin malware.
Yanluowang ransomware gang targets Cisco
MEDIUM
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Yanluowang ransomware gang targets Cisco
- Date of Scan:
- 2022-08-11
- Impact:
- MEDIUM
- Summary:
- Cisco Talos has analyzed a recent attack on Cisco by Yanluowang ransomware group which breached its corporate network in late May. The attackers could only harvest and steal non-sensitive data from a Box folder linked to a compromised employee's account.
LogoKit_returns_leveraging_Open_Redirect_Vulnerabilities
LOW
+
—
- Intel Source:
- Resecurity
- Intel Name:
- LogoKit_returns_leveraging_Open_Redirect_Vulnerabilities
- Date of Scan:
- 2022-08-10
- Impact:
- LOW
- Summary:
- Researchers at Resecurity has discovered that threat actors leveraging Open Redirect Vulnerabilities popular in online services and apps to bypass spam filters to ultimately deliver phishing content.
Korean_speaking_APT_deploys_DTrack_and_Maui_Ransomware
MEDIUM
+
—
- Intel Source:
- Securelist
- Intel Name:
- Korean_speaking_APT_deploys_DTrack_and_Maui_Ransomware
- Date of Scan:
- 2022-08-10
- Impact:
- MEDIUM
- Summary:
- Researchers from SecureList were able to attribute Maui ransomware attack to korean speaking APT group called Andriel. They also found out that before deploying the ransomware they deployed a variant of DTrack malware.
SmokeLoader_malware_drops_zgRAT_by_exploiting_old_flaws
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- SmokeLoader_malware_drops_zgRAT_by_exploiting_old_flaws
- Date of Scan:
- 2022-08-10
- Impact:
- MEDIUM
- Summary:
- Researchers at FortiGuard Labs has analysed a recent instance of SmokeLoader, where the malware exploiting five years old CVE-2017-0199 and CVE-2017-11882. This malware sample drops zgRAT, a rare payload compared to previously delivers by SmokeLoader.
IcedID_or_Bokbot_infection_led_to_Cobalt_Strike
MEDIUM
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- IcedID_or_Bokbot_infection_led_to_Cobalt_Strike
- Date of Scan:
- 2022-08-10
- Impact:
- MEDIUM
- Summary:
- Securonix Threat Labs has monitored OSINT sources and identified a new infection of IcedID delivering CobaltStrike.
BumbleBee_malware_found_its_way_to_Domain_Admin
MEDIUM
+
—
- Intel Source:
- DFIR Report
- Intel Name:
- BumbleBee_malware_found_its_way_to_Domain_Admin
- Date of Scan:
- 2022-08-09
- Impact:
- MEDIUM
- Summary:
- DFIR Report researchers analyzed an intrusion which involved BumbleBee as the initial access vector. The intrusion began with a password protected zipped ISO file.
Chinese_APT_group_targets_Asia_and_Eastern_Europe
MEDIUM
+
—
- Intel Source:
- Kaspersky
- Intel Name:
- Chinese_APT_group_targets_Asia_and_Eastern_Europe
- Date of Scan:
- 2022-08-09
- Impact:
- MEDIUM
- Summary:
- Kaspersky reseacrhers found series of attacks targeting organizations in Asia and Eastern Europe. These attacks have been attributed to Chinese APT group TA428.
Drilling_down_into_SharpEx_browser_extension_malware
LOW
+
—
- Intel Source:
- Walmart
- Intel Name:
- Drilling_down_into_SharpEx_browser_extension_malware
- Date of Scan:
- 2022-08-09
- Impact:
- LOW
- Summary:
- Walmart researchers further drilled down on analyzing a browser extension dubbed SharpExt used by north korean threat actor Kimsuky. The goal of the extension is to steal emails and attachments from the victims.
Orchard_Botnet_used_to_generate_malicious_domains
LOW
+
—
- Intel Source:
- Netlab 360
- Intel Name:
- Orchard_Botnet_used_to_generate_malicious_domains
- Date of Scan:
- 2022-08-09
- Impact:
- LOW
- Summary:
- Researchers from Qihoo 360's Netlab security team came across a new botnet named Orchard which was using Bitcoin creator Satoshi Nakamoto's account transaction information to generate malicious domain names to conceal its command-and-control (C2) infrastructure.
Four_CATAPULT_SPIDER_Challenges
LOW
+
—
- Intel Source:
- Crowdstrike
- Intel Name:
- Four_CATAPULT_SPIDER_Challenges
- Date of Scan:
- 2022-08-08
- Impact:
- LOW
- Summary:
- Crowdstrike has published a blog describing about intended approach to solvE the challenges of the eCrime track. The participants in the Adversary Quest analyzed new activity by CATAPULT SPIDER.
GwisinLocker_Ransomware_Targets_Linux_Based_Systems
LOW
+
—
- Intel Source:
- ReversingLabs
- Intel Name:
- GwisinLocker_Ransomware_Targets_Linux_Based_Systems
- Date of Scan:
- 2022-08-08
- Impact:
- LOW
- Summary:
- A new ransomware family called 'GwisinLocker' has emerged targeting South Korean healthcare, industrial, and pharmaceutical companies with Windows and Linux encryptors.
Two_cyber_espionage_operations_by_Bitter_APT_and_APT36
MEDIUM
+
—
- Intel Source:
- Meta
- Intel Name:
- Two_cyber_espionage_operations_by_Bitter_APT_and_APT36
- Date of Scan:
- 2022-08-08
- Impact:
- MEDIUM
- Summary:
- Researchers at Meta has published a Quarter Threat report where they took action on two cyber espionage operations in South Asia, both the operations was linked to Biter APT and APT36 respectively. Researchers has also shared new and notewrothy TTPs for both the actors.
APT31_targets_Russian_companies
MEDIUM
+
—
- Intel Source:
- PTSecurity
- Intel Name:
- APT31_targets_Russian_companies
- Date of Scan:
- 2022-08-08
- Impact:
- MEDIUM
- Summary:
- PT Expert Security Center analysts found an attack targeting Russian media and energy companies. These attacks have been attributed to APT31.
Bumblebee_malware_activity_distributed_through_Projector_Libra
MEDIUM
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- Bumblebee_malware_activity_distributed_through_Projector_Libra
- Date of Scan:
- 2022-08-05
- Impact:
- MEDIUM
- Summary:
- Researchers from PaloAlto have identified Bumblebee malware distributing through Projector Libra. It is a criminal group that uses file sharing services to distribute malware after direct email correspondence with a potential victim.
A_new_IoT_malware_family_called_RapperBot
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- A_new_IoT_malware_family_called_RapperBot
- Date of Scan:
- 2022-08-05
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs has identified a new family of IoT malware that uses code derived from the Mirai network to gain access to SSH servers and maintain persistence on a victim device after it is removed.
Threat_Actor_leverages_Confluence_Bug_to_Deploy_Ljl_Backdoor
MEDIUM
+
—
- Intel Source:
- Deepwatch
- Intel Name:
- Threat_Actor_leverages_Confluence_Bug_to_Deploy_Ljl_Backdoor
- Date of Scan:
- 2022-08-05
- Impact:
- MEDIUM
- Summary:
- A novel backdoor called Ljl discovered by Deepwatch Adversary Tactics and Intelligence Team. The evidence indicates that the threat actor executed malicious commands with a parent process of tomcat9.exe in Atlassian's Confluence directory," the company said. "After the initial compromise, the threat actor ran various commands to enumerate the local system, network, and Active Directory environment."
Malware_disguised_as_Legitimate_Software
LOW
+
—
- Intel Source:
- VirusTotal
- Intel Name:
- Malware_disguised_as_Legitimate_Software
- Date of Scan:
- 2022-08-04
- Impact:
- LOW
- Summary:
- Researchers from VirusTotal have analyzed malware samples and found 1,816 samples since January 2020 that masqueraded as legitimate software by packaging the malware in installers for other popular software such as Google Chrome, Malwarebytes, Zoom, Brave, Mozilla Firefox, and Proton VPN.
LOLI_Stealer_A_new_Golang_Based_InfoStealer
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- LOLI_Stealer_A_new_Golang_Based_InfoStealer
- Date of Scan:
- 2022-08-04
- Impact:
- LOW
- Summary:
- Cyble researchers came across a new golang based infostealer dubbed LOLI stealer. This stealer was being sold via Maas Model.
Malware_campaigns_leveraging_"Dark Utilities"_platform
LOW
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Malware_campaigns_leveraging_"Dark Utilities"_platform
- Date of Scan:
- 2022-08-04
- Impact:
- LOW
- Summary:
- Researchers at Cisco Talos has identified a C2-as-a-service (C2aaS) platform known as "Dark Utilities" offering a variety of services such as remote system access, DDoS capabilities and cryptocurrency mining. The payloads provided by the platform support Windows, Linux and Python-based implementations.
Russian_organizations_attacked_with_new_Woody_RAT_malware
LOW
+
—
- Intel Source:
- MalwareBytes
- Intel Name:
- Russian_organizations_attacked_with_new_Woody_RAT_malware
- Date of Scan:
- 2022-08-04
- Impact:
- LOW
- Summary:
- Researchers from Malwarebytes Threat Intelligence team have identified a new Remote Access Trojan called Woody Rat that allows them to control and steal information from compromised devices remotely.
A_distribution_of_malicious_Word_files_with_North_Korea_related_materials
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- A_distribution_of_malicious_Word_files_with_North_Korea_related_materials
- Date of Scan:
- 2022-08-04
- Impact:
- LOW
- Summary:
- The ASEC analysis team has discovered another distribution of malicious Word files with North Korea-related materials. The malicious Word files are distributed in various names most likely through the email and with a file related to a specific webinar and accesses C2 through mshta.
IcedID_leveraging_PrivateLoader
LOW
+
—
- Intel Source:
- Walmart
- Intel Name:
- IcedID_leveraging_PrivateLoader
- Date of Scan:
- 2022-08-04
- Impact:
- LOW
- Summary:
- Researcchers from Walmart have analysed PrivateLoader is continue to function as an effective loading service and recently leveraging the use of SmokeLoader for their loads.
New_campaign_by_Iranian_Threat_Actor
MEDIUM
+
—
- Intel Source:
- Mandiant
- Intel Name:
- New_campaign_by_Iranian_Threat_Actor
- Date of Scan:
- 2022-08-04
- Impact:
- MEDIUM
- Summary:
- Researchers from Mandiant identified politically motivated disruptive attack against Albanian government organizations. Usage of ROADSWEEP ransomware and CHIMNEYSWEEP backdoor was also noted by the researchers.
Deep_Analysis_of_Bumblebee_Malware
LOW
+
—
- Intel Source:
- Cloudsek
- Intel Name:
- Deep_Analysis_of_Bumblebee_Malware
- Date of Scan:
- 2022-08-04
- Impact:
- LOW
- Summary:
- Researchers from CloadSEK did a deep analysis of the Bumblebee malware loader where the adversaries push ISO files through compromised email chains, known as thread hijacked emails, to deploy the Bumblebee loader.
Robin_Banks_PhaaS_Targeting_Citibank_Customers
LOW
+
—
- Intel Source:
- Iornnet
- Intel Name:
- Robin_Banks_PhaaS_Targeting_Citibank_Customers
- Date of Scan:
- 2022-08-03
- Impact:
- LOW
- Summary:
- Researchers from IronNet have identified Phishing-as-a-Service platform Robin Banks selling ready to use phishing kits to cybercriminals. The kits are used to obtain financial details of victims living in the U.S, the U.K, Canada, and Australia.
Manjusaka_Offensive_Framework
MEDIUM
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Manjusaka_Offensive_Framework
- Date of Scan:
- 2022-08-02
- Impact:
- MEDIUM
- Summary:
- Researchers at Cisco Talos has discovered a new attack framework called Manjusaka. This framework is advertised as reproduction of Cobalt Strike framework. Moreover, implants for the malware are written in Rust language for Windows and Linux.
Analysis_on_Industrial_Spy_Ransomware
MEDIUM
+
—
- Intel Source:
- Zscaler
- Intel Name:
- Analysis_on_Industrial_Spy_Ransomware
- Date of Scan:
- 2022-08-02
- Impact:
- MEDIUM
- Summary:
- Zscaler published their technical analyses on the Industrial Spy ransomware group that emerged in April 2022 that started by ransoming stolen data and more recently has combined these attacks with ransomware.The threat group exfiltrates and sells data on their dark web marketplace, but does not always encrypt a victim’s files. Also they utilizes a combination of RSA and 3DES to encrypt files.
Mars_Stealer_distributing_via_fake_wallet_site
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Mars_Stealer_distributing_via_fake_wallet_site
- Date of Scan:
- 2022-08-02
- Impact:
- LOW
- Summary:
- Cyble Research Labs due to their research, discovered Mars stealer and the threat actors behind Mars stealer are adopting sophisticated phishing attacks to distribute Mars Stealer and gather user credentials, system information, and other sensitive data.
A_Deep_Dive_Analysis_of_RedLine_Stealer_Malware
LOW
+
—
- Intel Source:
- Security Scorecard
- Intel Name:
- A_Deep_Dive_Analysis_of_RedLine_Stealer_Malware
- Date of Scan:
- 2022-08-02
- Impact:
- LOW
- Summary:
- Researchers have recently done an in-depth investigation on RedLine Stealer which is distributing cracked games, applications, and services.
Emotet_Downloader_Leveraging_Regsvr32_tool
LOW
+
—
- Intel Source:
- EclecticIQ
- Intel Name:
- Emotet_Downloader_Leveraging_Regsvr32_tool
- Date of Scan:
- 2022-08-02
- Impact:
- LOW
- Summary:
- Researchers from EclecticIQ have observed Emotet downloader distributing via the Regsvr32 tool for execution.
LockBit_Ransomware_Leveraging_Windows Defender_to_load_Cobalt_Strike_Payload
MEDIUM
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- LockBit_Ransomware_Leveraging_Windows Defender_to_load_Cobalt_Strike_Payload
- Date of Scan:
- 2022-08-02
- Impact:
- MEDIUM
- Summary:
- Researchers from SentinelOne have recently investigated the LockBit Ransomware and found that threat actor is abusing the Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.
An_updated_variant_of_SolidBit_ransomware_new_targets
LOW
+
—
- Intel Source:
- Trendmicro
- Intel Name:
- An_updated_variant_of_SolidBit_ransomware_new_targets
- Date of Scan:
- 2022-08-02
- Impact:
- LOW
- Summary:
- Threndmicro published the technical analysis of a new SolidBit variant that is a threat to different applications to lure gamers and social media users. SolidBit has been suspected of being a LockBit ransomware copycat. Also, this ransomware group appears to be planning to expand its operations through these fraudulent apps and its recruitment of ransomware-as-a-service affiliates.
An_increasing_number_of_phishing_emails_containing_IPFS_URLs
LOW
+
—
- Intel Source:
- Trustwave
- Intel Name:
- An_increasing_number_of_phishing_emails_containing_IPFS_URLs
- Date of Scan:
- 2022-08-01
- Impact:
- LOW
- Summary:
- Trustwave noticed an increasing number of phishing emails containing IPFS URLs as their payload. Also they have observed more than 3,000 emails containing phishing URLs that have utilized IPFS for the past 90 days and it is evident that IPFS is increasingly becoming a popular platform for phishing websites.
Green_Stone_sample_attributed_to_Iran
LOW
+
—
- Intel Source:
- Inquest
- Intel Name:
- Green_Stone_sample_attributed_to_Iran
- Date of Scan:
- 2022-08-01
- Impact:
- LOW
- Summary:
- Inquest discovered a maliciuos sample that was uploaded from Iran. The document is a contract for the supply of services to an energy company from southern Iran «Tavangoostar Niro va Gashtavar Jonob». The document also contains a link to this energy company. www.tavangyl.com. Analysts named it Green Stone since this family of malicious documents containing executable files was not previously known.
Phishing_Attacks_Increase_Using_Decentralized_IPFS_Network
LOW
+
—
- Intel Source:
- SpiderLabs
- Intel Name:
- Phishing_Attacks_Increase_Using_Decentralized_IPFS_Network
- Date of Scan:
- 2022-08-01
- Impact:
- LOW
- Summary:
- Researchers from SpiderLab have identified that the decentralized file system solution 'IPFS' is becoming the new place for hosting phishing sites. Also, they identified no less than 3,000 emails containing IPFS phishing URLs as an attack vector in the last three months.
Multiple_APT_Groups_Leveraging_Quasar_RAT
MEDIUM
+
—
- Intel Source:
- Qualys
- Intel Name:
- Multiple_APT_Groups_Leveraging_Quasar_RAT
- Date of Scan:
- 2022-08-01
- Impact:
- MEDIUM
- Summary:
- Researchers from Qualys have analyzed the Quasar RAT which is widely leveraged by multiple threat actor groups targeting government and private organizations in Southeast Asia and other geographies.
A new_malicious_campaign_LofyLife
LOW
+
—
- Intel Source:
- Securelist
- Intel Name:
- A new_malicious_campaign_LofyLife
- Date of Scan:
- 2022-08-01
- Impact:
- LOW
- Summary:
- The Kaspersky has discovered a new threat in the open-source software repository “LofyLife” - a malicious campaign to steal tokens and bank card data.
Attackers_Leveraging_New_Phishing_Techniques
LOW
+
—
- Intel Source:
- Cofense
- Intel Name:
- Attackers_Leveraging_New_Phishing_Techniques
- Date of Scan:
- 2022-08-01
- Impact:
- LOW
- Summary:
- Researchers from the Phishing Defense Center of Cofense have observed a huge variety of phishing techniques. In this, some of the techniques are quite unique in methods of getting the end user to interact with the message.
Diving_Deep_into_BPFDoor_Malware
LOW
+
—
- Intel Source:
- Qualys
- Intel Name:
- Diving_Deep_into_BPFDoor_Malware
- Date of Scan:
- 2022-08-01
- Impact:
- LOW
- Summary:
- Researchers from the Phishing Defense Center of Cofense have observed a huge variety of phishing techniques. In this, some of the techniques are quite unique in methods of getting the end user to interact with the message.
The_new_discovered_Follina_exploit_used by_attackers_again
MEDIUM
+
—
- Intel Source:
- ReversingLabs
- Intel Name:
- The_new_discovered_Follina_exploit_used by_attackers_again
- Date of Scan:
- 2022-07-29
- Impact:
- MEDIUM
- Summary:
- ReversingLabs analyzed three malicious payloads circulating online that have been linked to use of the newly discovered Follina exploit in Microsoft’s Support Diagnostic Tool (MSDT).
WebAssembly_frequently_used_for_cryptomining
LOW
+
—
- Intel Source:
- Sucuri
- Intel Name:
- WebAssembly_frequently_used_for_cryptomining
- Date of Scan:
- 2022-07-29
- Impact:
- LOW
- Summary:
- Sucuri recently contacted by a their client who noticed that their computer slowed down to a crawl every time they navigated to their own WordPress website. A cursory review of their site files revealed the following snippet of code injected into one of their theme files.
An_Excel_Infection_Chain
LOW
+
—
- Intel Source:
- Inquest
- Intel Name:
- An_Excel_Infection_Chain
- Date of Scan:
- 2022-07-29
- Impact:
- LOW
- Summary:
- Inquest researcher discovered that th threat actor make user tempt trying to enable content in Excel in order to run whatever surprise they have hidden inside.
Analysis_on_Symbiote_Malware
LOW
+
—
- Intel Source:
- Cybergeeks
- Intel Name:
- Analysis_on_Symbiote_Malware
- Date of Scan:
- 2022-07-29
- Impact:
- LOW
- Summary:
- The malware’s purpose is to steal credentials from the SSH and SCP processes by hooking the libc read function.
North_Korean_threat_actor_SharpTongue
LOW
+
—
- Intel Source:
- Volexity
- Intel Name:
- North_Korean_threat_actor_SharpTongue
- Date of Scan:
- 2022-07-29
- Impact:
- LOW
- Summary:
- Volexity discovered a new MAIL-THEFT malware "SHARPEXT" that believed has been used by a thret actor SharpTongue. This actor is believed to be North Korean in origin and is often publicly referred to under the name Kimsuky.
A_Korean_Web_Portal_Page_Daum_using_for_Spreading_Phishing_Emails
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- A_Korean_Web_Portal_Page_Daum_using_for_Spreading_Phishing_Emails
- Date of Scan:
- 2022-07-28
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered the distribution of phishing emails impersonating a Korean Web Portal Page (Daum) and attackers using attachments to redirect the user to a phishing webpage.
KnotWeed_targets_UK_Austria_with_SubZero_malware
MEDIUM
+
—
- Intel Source:
- Microsoft
- Intel Name:
- KnotWeed_targets_UK_Austria_with_SubZero_malware
- Date of Scan:
- 2022-07-28
- Impact:
- MEDIUM
- Summary:
- MSTIC identified a private threat actor who is Austria based and dubbed KnotWeed have been targeting law firms, banks, and strategic consultancies in Austria, the United Kingdom, and Panama with SubZero malware.
Threat_Actors_leveraging_Microsoft_Applications_via_DLL_SideLoading
MEDIUM
+
—
- Intel Source:
- Cyble, SocInvestigations
- Intel Name:
- Threat_Actors_leveraging_Microsoft_Applications_via_DLL_SideLoading
- Date of Scan:
- 2022-07-28
- Impact:
- MEDIUM
- Summary:
- Researchers from Cyble and SOCInvestigation have identified the DLL (Dynamic-Link Library) sideloading technique leveraged by Threat Actors to spread payloads to users using legitimate applications which load malicious DLL files that spoof legitimate ones.
Gootkit_Loaders_Updated_TTPs_of_Cobalt Strike
LOW
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- Gootkit_Loaders_Updated_TTPs_of_Cobalt Strike
- Date of Scan:
- 2022-07-28
- Impact:
- LOW
- Summary:
- Researchers from Trend Micro have identified the new tactics of Gootkit Loader. It is used for fileless techniques to drop Cobalt Strike and other malicious payloads.
UAC_0100_Group_leveraging_phishing_sites to_target_Ukrainian_Banks
LOW
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC_0100_Group_leveraging_phishing_sites to_target_Ukrainian_Banks
- Date of Scan:
- 2022-07-27
- Impact:
- LOW
- Summary:
- CERT-UA has discovered an online fraud using phishing sites with the subject line of "aid from the Red Cross" which is targeting popular Ukrainian banks.
UAC_0041_Group_distributing_Formbook_and_Snake_Keylogger
LOW
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC_0041_Group_distributing_Formbook_and_Snake_Keylogger
- Date of Scan:
- 2022-07-27
- Impact:
- LOW
- Summary:
- CERT-UA has analysed a phishing email which contains an attachment of malicious document related to Final payment. The document contains an EXE file classified as the RelicRace .NET downloader, the activation of which running of payload.
Gootloader_expands_its_payload_to_deliver_IcedID_malware
LOW
+
—
- Intel Source:
- Esentire
- Intel Name:
- Gootloader_expands_its_payload_to_deliver_IcedID_malware
- Date of Scan:
- 2022-07-27
- Impact:
- LOW
- Summary:
- eSentire’s Threat Response Unit (TRU) team has recently observed multiple Gootloader infections. One notable Gootloader incident delivered an IcedID loader. The malware targets domain joined machines. The infection starts with the user visiting the infected website with a lure to download a ZIP file.
Diving_Deep_into_Hive_Ransomware
MEDIUM
+
—
- Intel Source:
- Yoroi ZLab
- Intel Name:
- Diving_Deep_into_Hive_Ransomware
- Date of Scan:
- 2022-07-27
- Impact:
- MEDIUM
- Summary:
- Researchers from Yoroi ZLab deep dives into Hive Ransomware and identified it as a most sophisticated active threat. Also, they are tracking this infamous threat actor and observing any modification in its technique to provide a guideline.
Similarities_between_LockBit_3_0_and_BlackMatter_ransomware
MEDIUM
+
—
- Intel Source:
- Trend Micro
- Intel Name:
- Similarities_between_LockBit_3_0_and_BlackMatter_ransomware
- Date of Scan:
- 2022-07-27
- Impact:
- MEDIUM
- Summary:
- Researchers from TrendMicro found similarities between New version of LockBit and Blackmatter ransomware. LockBit's extensive similarities to BlackMatter come from overlaps in the privilege escalation and harvesting routines used to identify APIs.
Analysis_of_SSH_Honeypot_Data_with_PowerBI
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Analysis_of_SSH_Honeypot_Data_with_PowerBI
- Date of Scan:
- 2022-07-27
- Impact:
- LOW
- Summary:
- The reseracher from ISC Sans providing some analysis of SSH Honeypot Data experimenting for a while with Microsoft PowerBI (1) using honeypot data, parsing it into comma delimited (CSV).
IcedID_malware_leveraging_Cobalt_Strike_and_Dark_VNC
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- IcedID_malware_leveraging_Cobalt_Strike_and_Dark_VNC
- Date of Scan:
- 2022-07-27
- Impact:
- LOW
- Summary:
- The researcher from ISC SANS provides an analysis of IcedID malware which is using Dark VNC activity and Cobalt Strike.
UAC_0010_Group_leveraging_GammaLoad_PS1_v2_malware_to_target_Ukraine
LOW
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC_0010_Group_leveraging_GammaLoad_PS1_v2_malware_to_target_Ukraine
- Date of Scan:
- 2022-07-27
- Impact:
- LOW
- Summary:
- CERT-UA has analysed a phishing email which contains an attachment of malicious document related to National Academy of Security of Ukraine. The document contains an HTM dropper, the activation of which will lead to the creation of RAR archive file and further LNK file, running of LNK file lead to the download and execution of the HTA file.
IIS_extensions_persistently_used_as_Exchange_backdoors
LOW
+
—
- Intel Source:
- Microsoft
- Intel Name:
- IIS_extensions_persistently_used_as_Exchange_backdoors
- Date of Scan:
- 2022-07-27
- Impact:
- LOW
- Summary:
- Microsoft says attackers increasingly use malicious Internet Information Services (IIS) web server extensions to backdoor unpatched Exchange servers as they have lower detection rates compared to web shells.
New_tool_by_Charming_Kitten_and_its_OPSEC_errors
MEDIUM
+
—
- Intel Source:
- PWC
- Intel Name:
- New_tool_by_Charming_Kitten_and_its_OPSEC_errors
- Date of Scan:
- 2022-07-26
- Impact:
- MEDIUM
- Summary:
- PWC researchers analyzed activity of Yellow Garuda threat actor aka Charming Kitten and found that they have come up with new tools and also their operational security errors.
The_Source_Code_of_Luca_Stealer_Malware_Leaked
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- The_Source_Code_of_Luca_Stealer_Malware_Leaked
- Date of Scan:
- 2022-07-26
- Impact:
- LOW
- Summary:
- The Cyble Threat Hunting team recently discovered an unknown Rust-based stealer, which is known as Luca Stealer, and the source code of this stealer was leaked on a popular cybercrime forum for free on July 3, 2022.
The_Source_Code_of_Luca_Stealer_Malware_Leaked
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- The_Source_Code_of_Luca_Stealer_Malware_Leaked
- Date of Scan:
- 2022-07-26
- Impact:
- LOW
- Summary:
- The Cyble Threat Hunting team recently discovered an unknown Rust-based stealer, which is known as Luca Stealer, and the source code of this stealer was leaked on a popular cybercrime forum for free on July 3, 2022.
Attacks_against_a_pair_of_vulnerabilities_in_Microsoft_SQL
LOW
+
—
- Intel Source:
- Sophos
- Intel Name:
- Attacks_against_a_pair_of_vulnerabilities_in_Microsoft_SQL
- Date of Scan:
- 2022-07-26
- Impact:
- LOW
- Summary:
- Sophos Managed Threat Response (MTR) and Sophos Rapid Response had been investigating the attacks against Microsoft SQL Server installations. Sophos observed that threat group targeting externally exposed and unpatched SQL servers and during their initial investigations into this threat group, they saw them leveraging malware infrastructure impersonating a download site for KMSAuto, a non-malicious software utility used for evading Windows license key activations.
A_New_CosmicStrand_UEFI_Firmware_Rootkit
LOW
+
—
- Intel Source:
- Securelist
- Intel Name:
- A_New_CosmicStrand_UEFI_Firmware_Rootkit
- Date of Scan:
- 2022-07-26
- Impact:
- LOW
- Summary:
- A sophisticated UEFI firmware rootkit has been developed by an unknown Chinese-speaking threat actor, according to security firm Kaspersky. The rootkit is located in the firmware images of Gigabyte or ASUS motherboards, and Kaspersky noticed that all these images are related to designs using the H81 chipset.
Dot_PLAY_Ransomware
MEDIUM
+
—
- Intel Source:
- NoLogs NoBreach
- Intel Name:
- Dot_PLAY_Ransomware
- Date of Scan:
- 2022-07-25
- Impact:
- MEDIUM
- Summary:
- A Threat Researcher has identified new ransomware variant during an IR engagement, which is called as .PLAY ransomware. Researcher confirms the initial access was exploitation of Fortigate Firewall vulnerabilities over Fortigate SSL-VPN, after initial access threat actors achieved privilege escalation and ransomware deployment in less than 24 hours. Moreover, No C2 traffic or tooling was detected. All actions were carried out over the VPN and through RDP.
Attackers_targeting_unpatched_Atlassian_Confluence_Servers
MEDIUM
+
—
- Intel Source:
- ASEC
- Intel Name:
- Attackers_targeting_unpatched_Atlassian_Confluence_Servers
- Date of Scan:
- 2022-07-25
- Impact:
- MEDIUM
- Summary:
- Researchers from ASEC have analyzed that attackers are targeting vulnerable servers which are not patched. They are using RCE vulnerabilities and if successful, an attacker can install WebShell or malware to gain control of the infected system.
Magniber_Ransomware_started_using_Windows_installer_package_file
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Magniber_Ransomware_started_using_Windows_installer_package_file
- Date of Scan:
- 2022-07-25
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified Magniber Ransomware that started using a Windows installer package file (.msi) instead of IE browser vulnerability for its distribution.
Candiru_Spyware_exploiting_Chrome_Zero_days_in_Middle_East
LOW
+
—
- Intel Source:
- Avast
- Intel Name:
- Candiru_Spyware_exploiting_Chrome_Zero_days_in_Middle_East
- Date of Scan:
- 2022-07-25
- Impact:
- LOW
- Summary:
- Avast researchers discovered a zero-day vulnerability in Google Chrome but now its fixed. The vulnerability was weaponized by an Israeli spyware company and used in attacks targeting journalists in the Middle East.
Costa_Rican_Government_hacked_by_Conti_Ransomware
LOW
+
—
- Intel Source:
- AdvIntel
- Intel Name:
- Costa_Rican_Government_hacked_by_Conti_Ransomware
- Date of Scan:
- 2022-07-25
- Impact:
- LOW
- Summary:
- ADVIntel researchers uncovered how Conti ransomware hacked and encrypted the Costa Rican government. The Russian hacker steps from an initial foothold to exfiltrating 672GB of data on April 15.
North_Korean_linked_APT37_group_attack_with_Konni_RAT_malware
MEDIUM
+
—
- Intel Source:
- Securonix
- Intel Name:
- North_Korean_linked_APT37_group_attack_with_Konni_RAT_malware
- Date of Scan:
- 2022-07-25
- Impact:
- MEDIUM
- Summary:
- Securonix Threat Labs is investigating a new attack campaign exploiting high-value targets, including North Korea, which could be linked to a North Korean cyber-espionage group (APT37).
Qakbot_continue_with_New_Techniques
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Qakbot_continue_with_New_Techniques
- Date of Scan:
- 2022-07-25
- Impact:
- LOW
- Summary:
- Researchers from Cyble Lab came across Twitter post in which a user shared new IOCs related to the well known Qakbot malware.
IcedID_malware_sperading_through_ISO_files
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- IcedID_malware_sperading_through_ISO_files
- Date of Scan:
- 2022-07-25
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified that IcedID banking malware distributing with the help of ISO Files. They discovered two methods, the First is by the help of Bubblebee malware and the second is with script files and cmd command.
GoMet_2_0_backdoor_attacks_Ukraine
MEDIUM
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- GoMet_2_0_backdoor_attacks_Ukraine
- Date of Scan:
- 2022-07-24
- Impact:
- MEDIUM
- Summary:
- Cisco Talos has discovered a modified piece of malware targeting Ukraine and confirmed that the malware is a slightly modified version of the open-source backdoor named “GoMet2".
A_malvertising_chain_abusing_Google_s_ad_network
LOW
+
—
- Intel Source:
- MalwareBytes
- Intel Name:
- A_malvertising_chain_abusing_Google_s_ad_network
- Date of Scan:
- 2022-07-24
- Impact:
- LOW
- Summary:
- Malwarebytes researchers uncovered a malvertising chain abusing Google’s ad network to redirect visitors to an infrastructure of tech support scams. Unsuspecting users searching for popular keywords will click an advert and their browser will get hijacked with fake warnings urging them to call rogue Microsoft agents for support.
CNMF_Discloses_Malware_in_Ukraine
MEDIUM
+
—
- Intel Source:
- Mandiant
- Intel Name:
- CNMF_Discloses_Malware_in_Ukraine
- Date of Scan:
- 2022-07-22
- Impact:
- MEDIUM
- Summary:
- Mandiant shared in their blog a new malicious activity targeting Ukrainian entities during the ongoing conflict.They higlighted the operations of suspected UNC1151 and suspected UNC2589 by sending phishing with malicious documents leading to malware infection chains.
Lighting_Framework_A_new_Linux_centric_malware
MEDIUM
+
—
- Intel Source:
- Intezer
- Intel Name:
- Lighting_Framework_A_new_Linux_centric_malware
- Date of Scan:
- 2022-07-22
- Impact:
- MEDIUM
- Summary:
- Researchers at Intezers have detected a new undetected Swiss Army Knife-like Linux malware called Lightning Framework.
LockBit_3_0_updated_with_new_techniques
MEDIUM
+
—
- Intel Source:
- Sentinelone
- Intel Name:
- LockBit_3_0_updated_with_new_techniques
- Date of Scan:
- 2022-07-22
- Impact:
- MEDIUM
- Summary:
- Researchers at SentinelLab have detected the new techniques and features of LockBit 3.0. They are updating their encryption routines and adding several new features.
Magniber_Ransomware_changing_its_Injection_Method
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Magniber_Ransomware_changing_its_Injection_Method
- Date of Scan:
- 2022-07-22
- Impact:
- LOW
- Summary:
- ASEC researchers constantly monitoring Magniber ransomware and found recently it is changing injection methods and started distributing as a Windows installer package file (.msi) on Edge and Chrome browsers.
TA4563_leverages_EvilNum_malware_to_target_European_financial_entities
MEDIUM
+
—
- Intel Source:
- ProofPoint
- Intel Name:
- TA4563_leverages_EvilNum_malware_to_target_European_financial_entities
- Date of Scan:
- 2022-07-22
- Impact:
- MEDIUM
- Summary:
- ProofPoint researchers tracked threat actor which they named TA4563 have been leveraging EvilNum malware to target European financial and investment entities.
SmokeLoader_malware_leveraging_Amadey_Bot
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- SmokeLoader_malware_leveraging_Amadey_Bot
- Date of Scan:
- 2022-07-21
- Impact:
- LOW
- Summary:
- ASEC researchers discovered that Amadey Bot is being installed by SmokeLoader. Amadey Bot is capable of stealing information and installing additional malware by receiving commands from the attacker. Where SmokeLoader is used to install additional malware strains as a downloader.
A_new_variant_of_QakBot
LOW
+
—
- Intel Source:
- Fortinet
- Intel Name:
- A_new_variant_of_QakBot
- Date of Scan:
- 2022-07-21
- Impact:
- LOW
- Summary:
- Fortinet’s researchers observered a phishing email as part of a phishing campaign spreading a new variant of QakBot.
Redeemer_Ransomware_released_new_version_Redeemer_2_0
MEDIUM
+
—
- Intel Source:
- Cyble
- Intel Name:
- Redeemer_Ransomware_released_new_version_Redeemer_2_0
- Date of Scan:
- 2022-07-21
- Impact:
- MEDIUM
- Summary:
- Researchers at Cyble has identified the latest version of Redeemer ransomware on darkweb cybercrime forums. The author of Redeemer ransomware released new version with updated features.
CloudMensis_spyware_targets_MacOS_systems
LOW
+
—
- Intel Source:
- WeLivesecurity
- Intel Name:
- CloudMensis_spyware_targets_MacOS_systems
- Date of Scan:
- 2022-07-21
- Impact:
- LOW
- Summary:
- Researchers from ESET discovered a previously undetected macOS backdoor, tracked as CloudMensis, that targets macOS systems and exclusively uses public cloud storage services as C2.
Analysis_of_NukeSped_Malware
LOW
+
—
- Intel Source:
- Cyfirma
- Intel Name:
- Analysis_of_NukeSped_Malware
- Date of Scan:
- 2022-07-21
- Impact:
- LOW
- Summary:
- Researchers at Cyfirma analyzed NukeSped Malware. The malware is associated with North Korean #APT Group Lazarus which is known to target US, South Korea, Japan and Asia Pacific countries.
PyAutoGUI_lets_your_Python_scripts_control_the_mouse_and_keyboard
LOW
+
—
- Intel Source:
- ISC SANS
- Intel Name:
- PyAutoGUI_lets_your_Python_scripts_control_the_mouse_and_keyboard
- Date of Scan:
- 2022-07-21
- Impact:
- LOW
- Summary:
- PyAutoGUI lets malicious Python scripts control the mouse and keyboard to automate interactions with other applications
Threat_actors_leveraging_AgentTesla_to_target_Ukraine_state_bodies
LOW
+
—
- Intel Source:
- Cert-UA
- Intel Name:
- Threat_actors_leveraging_AgentTesla_to_target_Ukraine_state_bodies
- Date of Scan:
- 2022-07-21
- Impact:
- LOW
- Summary:
- CERT-UA discovered the file "Report_050722_4.ppt", which contains a thumbnail image that mentions the operational command "South". In the case of opening the document and activating the macro, the latter will ensure the creation of the files "gksg023ig.lnk" and "sgegkseg23mjl.exe", as well as the execution of the LNK file using rundll32.exe, which in turn will lead to the launch of the mentioned EXE file.
Continued_cyber_activity_in_Eastern_Europe
MEDIUM
+
—
- Intel Source:
- Google blog
- Intel Name:
- Continued_cyber_activity_in_Eastern_Europe
- Date of Scan:
- 2022-07-21
- Impact:
- MEDIUM
- Summary:
- Google’s Threat Analysis Group (TAG) continues to closely monitor Russian APT activity outside of Ukraine. TAG has disrupted coordinated influence operations from several actors including the Internet Research Agency and a Russian consulting firm, Turla, COLDRIVER, Ghostwriter/UNC1151 groups and The Follina vulnerability.
WatchDog_Adds_Steganography_in_Cryptojacking_Operations
LOW
+
—
- Intel Source:
- Lacework
- Intel Name:
- WatchDog_Adds_Steganography_in_Cryptojacking_Operations
- Date of Scan:
- 2022-07-20
- Impact:
- LOW
- Summary:
- Reserachers from Lacework reported about WatchDog’s cryptojacking campaign has adopted the unique steganography technique for malware propagation and other objectives. The XMRig miner was disguised as an image and hosted on compromised cloud storage (Alibaba Object Storage Service).
Industrial_Espionage_Operation_explained
MEDIUM
+
—
- Intel Source:
- BitDefender
- Intel Name:
- Industrial_Espionage_Operation_explained
- Date of Scan:
- 2022-07-20
- Impact:
- MEDIUM
- Summary:
- Researchers from BitDefender analyzed an incident which was an industrial Espionage operation. In this attack the attacker managed to compromise a Patient Zero computer and used it to establish a secondary access avenue through a web shell planted on the company’s Exchange Server.
Open_Document_malware_targets_Latin_American_Hotels
LOW
+
—
- Intel Source:
- HP Wolf Security
- Intel Name:
- Open_Document_malware_targets_Latin_American_Hotels
- Date of Scan:
- 2022-07-20
- Impact:
- LOW
- Summary:
- Researchers from HP Wolf Security analyzed a stealthy malware campaign which uses OpenDocument text (.odt) files to distribute malware. The campaign targets the hotel industry in Latin America.
8220_Gang_Massively_Expands_Cloud_Botnet
MEDIUM
+
—
- Intel Source:
- Sentinelone
- Intel Name:
- 8220_Gang_Massively_Expands_Cloud_Botnet
- Date of Scan:
- 2022-07-20
- Impact:
- MEDIUM
- Summary:
- Over the last month a crimeware group best known as 8220 Gang has expanded their botnet to roughly 30,000 hosts globally through the use of Linux and common cloud application vulnerabilities and poorly secured configurations.
A_continued_exploitation of Log4Shell in VMware Horizon Systems
MEDIUM
+
—
- Intel Source:
- CISA
- Intel Name:
- A_continued_exploitation of Log4Shell in VMware Horizon Systems
- Date of Scan:
- 2022-07-19
- Impact:
- MEDIUM
- Summary:
- CISA has updated the Cybersecurity Advisory AA22-174A: Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon, originally released June 23, 2022. The advisory now includes updated IOCs provided in Malware Analysis Report (MAR)-10382580-2.
APT29_Group_leveraging_Online_Storage_Services
MEDIUM
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- APT29_Group_leveraging_Online_Storage_Services
- Date of Scan:
- 2022-07-19
- Impact:
- MEDIUM
- Summary:
- PaloAlto researchers noticed that Russian SVR hackers using Google Drive and Dropbox to evade detection. APT29 has adopted this new tactic in recent campaigns targeting Western diplomatic missions and foreign embassies worldwide.
Attackers_leveraging_tools_to_generate_LNK_Files_to_deliver_payload
LOW
+
—
- Intel Source:
- Resecurity
- Intel Name:
- Attackers_leveraging_tools_to_generate_LNK_Files_to_deliver_payload
- Date of Scan:
- 2022-07-19
- Impact:
- LOW
- Summary:
- Threat Hunters from Resecurity have detected popular tools used by cybercriminals. Attackers are actively leveraging tools allowing them to generate malicious shortcut files (.LNK files) for payload delivery.
Pegasus_Spyware_Used_Against_Thailand_s_Pro_Democracy_Movement
LOW
+
—
- Intel Source:
- Citizen Lab
- Intel Name:
- Pegasus_Spyware_Used_Against_Thailand_s_Pro_Democracy_Movement
- Date of Scan:
- 2022-07-19
- Impact:
- LOW
- Summary:
- Citizen Lab discovered an extensive espionage campaign targeting Thai pro-democracy protesters, and activists calling for reforms to the monarchy
Lazarus_Forged_Analysis_Report_on_Ecommerce_Component_Attack_Activities
MEDIUM
+
—
- Intel Source:
- Weixin
- Intel Name:
- Lazarus_Forged_Analysis_Report_on_Ecommerce_Component_Attack_Activities
- Date of Scan:
- 2022-07-19
- Impact:
- MEDIUM
- Summary:
- The APT-C-26 (Lazarus) organization has a clear purpose of this attack. It continue the attack activity disguised itself as an Alibaba-related component to attack. The payload component is related to the NukeSped family.
Elastix_VoIP_systems_hacked_in_massive_campaign
LOW
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- Elastix_VoIP_systems_hacked_in_massive_campaign
- Date of Scan:
- 2022-07-18
- Impact:
- LOW
- Summary:
- Recently, Palo Alto Unit 42 observed another operation that targets the Elastix system used in Digium phones. The attacker implants a web shell to exfiltrate data by downloading and executing additional payloads inside the target's Digium phone software (a FreePBX module written in PHP)
Phishing_campaign_involving_Emotet
LOW
+
—
- Intel Source:
- Cyfirma
- Intel Name:
- Phishing_campaign_involving_Emotet
- Date of Scan:
- 2022-07-18
- Impact:
- LOW
- Summary:
- Cyfirma researchers noticed multiple phishing campaigns involving Emotet which is dropped through a n Excel 4.0 (.xls) file as attachment.
The_Maha_grass_group_attack_activity_against_Pakistan
LOW
+
—
- Intel Source:
- Qianxin Blog
- Intel Name:
- The_Maha_grass_group_attack_activity_against_Pakistan
- Date of Scan:
- 2022-07-16
- Impact:
- LOW
- Summary:
- Recenty the Red Raindrop team of Qi'anxin Threat Intelligence Center observed several attack samples of the organization in daily threat hunting. In this attack, the attacker uses a vulnerable RTF file to carry out a spear poking attack.
The_Newly_Emerged_BlueSky_Ransomware
MEDIUM
+
—
- Intel Source:
- Cloudsek
- Intel Name:
- The_Newly_Emerged_BlueSky_Ransomware
- Date of Scan:
- 2022-07-16
- Impact:
- MEDIUM
- Summary:
- CloudSEK discovered a financially motivated ransomware group, dubbed BlueSky, speculated to be connected to the Conti ransomware group.
Sudden_Increase_In_Attacks_On_Modern_WPBakery_Page_Builder_Addons_Vulnerability
LOW
+
—
- Intel Source:
- Wordsfence
- Intel Name:
- Sudden_Increase_In_Attacks_On_Modern_WPBakery_Page_Builder_Addons_Vulnerability
- Date of Scan:
- 2022-07-16
- Impact:
- LOW
- Summary:
- The Wordfence Threat Intelligence team has been observed a spike in the attack attempts targeting Kaswara Modern WPBakery Page Builder Addons. This ongoing campaign is aiming to take advantage of an arbitrary file upload vulnerability, tracked as CVE-2021-24284, which has been previously disclosed and has not been patched on the now closed plugin.
Indian_APT_group_Confucius_targets_Pakistan_government_and_military_institutions
LOW
+
—
- Intel Source:
- Antiy Group
- Intel Name:
- Indian_APT_group_Confucius_targets_Pakistan_government_and_military_institutions
- Date of Scan:
- 2022-07-15
- Impact:
- LOW
- Summary:
- Antity group researcher published their findings on Indian APT Confucius campaigns targeting the Pakistani government and military institutions.
UAC_0100_group_leveraging_Online_Fraud_to_target_Ukraine
LOW
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC_0100_group_leveraging_Online_Fraud_to_target_Ukraine
- Date of Scan:
- 2022-07-15
- Impact:
- LOW
- Summary:
- CERT-UA has discovered fraudulent pages on the Facebook containing links to "Unified Compensation Center for the Return of Unpaid Funds". The fraudulent pages suggesting users to provide personal information and make payments, which is harvesting payment card information.
ApolloRat_Malware_compiled_using_Nuitka
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- ApolloRat_Malware_compiled_using_Nuitka
- Date of Scan:
- 2022-07-15
- Impact:
- LOW
- Summary:
- Cyble Researcher team has discovered a new RAT dubbed ApolloRAT.it is written in Python and uses Discord as its Command and Control (C&C) Server.
New_campaign_ongoing_by_Transparent_Tribe_APT_group
LOW
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- New_campaign_ongoing_by_Transparent_Tribe_APT_group
- Date of Scan:
- 2022-07-15
- Impact:
- LOW
- Summary:
- Researchers at Cisco Talos has discovered a malicious campaign targeting students of universities and colleges in India. it is also suggests that the APT is actively expanding its network of victims to include civilian users.
Everest_Ransomware_new_TTPs_and_relation_to_Black_Byte
MEDIUM
+
—
- Intel Source:
- NCC Group
- Intel Name:
- Everest_Ransomware_new_TTPs_and_relation_to_Black_Byte
- Date of Scan:
- 2022-07-15
- Impact:
- MEDIUM
- Summary:
- Researchers at NCC Group analysed an Everest ransomware file, which they assess with medium confidence that Everest ransomware is related to Black-Byte. And documented new TTPs employed by the Everest Ransomware group.
North_Korean_threat_actors_uses_H0lyGh0st_ransomware
MEDIUM
+
—
- Intel Source:
- Microsoft
- Intel Name:
- North_Korean_threat_actors_uses_H0lyGh0st_ransomware
- Date of Scan:
- 2022-07-15
- Impact:
- MEDIUM
- Summary:
- Microsoft threat intelligence center tracked a threat group DEV-0530 who is using H0lyGh0st ransomware to target small and midsize businesses.
NorthKorean_Threat_actors_uses_Maui_Ransomware
MEDIUM
+
—
- Intel Source:
- CISA
- Intel Name:
- NorthKorean_Threat_actors_uses_Maui_Ransomware
- Date of Scan:
- 2022-07-07
- Impact:
- MEDIUM
- Summary:
- A joint CSA has been released by FBI,CISA and DOT about Maui ransomware being used by North Korean threat actors to target Healthcare and Public Health Sector.
Threat_Actors_abusing_Red_teaming_tools
MEDIUM
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- Threat_Actors_abusing_Red_teaming_tools
- Date of Scan:
- 2022-07-07
- Impact:
- MEDIUM
- Summary:
- Unit 42 PaloAlto recently hunted and discovered the new samples that match known advanced persistent threat (APT) patterns and tactics. These samples evaluated and raised an obvious detection concerns. The sample contained a malicious payload associated with Brute Ratel C4 (BRc4), the newest red-teaming and adversarial attack simulation tool to hit the market.
NoMercy_Stealer_Rapidly_Evolving_Into_Clipper_Malware
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- NoMercy_Stealer_Rapidly_Evolving_Into_Clipper_Malware
- Date of Scan:
- 2022-07-07
- Impact:
- LOW
- Summary:
- Threat Hunters by exercising discovered, a new stealer named “NoMercy”. The investigation indicated that the stealer is a very crude and simple information stealer in its initial stages and TAs behind this are actively modifying the stealer and adding additional capabilities.
A_cryptomining_campaign_targets_Linux_servers
LOW
+
—
- Intel Source:
- Security Affairs
- Intel Name:
- A_cryptomining_campaign_targets_Linux_servers
- Date of Scan:
- 2022-07-07
- Impact:
- LOW
- Summary:
- Microsoft Security Intelligence experts are warning of a long-running campaign conducted by a cloud threat actor group, tracked as 8220, that is now targeting Linux servers to install crypto miners.
Orbit_Malware_targeting_Linux_goes_undetected
LOW
+
—
- Intel Source:
- Intezer
- Intel Name:
- Orbit_Malware_targeting_Linux_goes_undetected
- Date of Scan:
- 2022-07-07
- Impact:
- LOW
- Summary:
- Intezer researchers provided technical analysis of a new and fully undetected malware dubbed “Orbit” that is targeting Linux systems. This malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands.
Phishing_tax_scam_at_Canada
LOW
+
—
- Intel Source:
- Welivesecurity
- Intel Name:
- Phishing_tax_scam_at_Canada
- Date of Scan:
- 2022-07-07
- Impact:
- LOW
- Summary:
- Phishing scammers pose as Canadian tax agency before Canada Day
Malicious_NPM_Packages_Stealing_Data
LOW
+
—
- Intel Source:
- ReversingLabs
- Intel Name:
- Malicious_NPM_Packages_Stealing_Data
- Date of Scan:
- 2022-07-06
- Impact:
- LOW
- Summary:
- ReversingLabs researchers uncover malicious NMP packages stealing data as an evidence of a widespread software supply chain attack.
Cobalt_Strike_and_Meterpreter
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Cobalt_Strike_and_Meterpreter
- Date of Scan:
- 2022-07-06
- Impact:
- LOW
- Summary:
- Reserachers from ASEC analyzed the attack case that installs Cobalt Strike and Meterpreter in vulnerable MS-SQL servers to gain control. The attacker then installs AnyDesk to control the infected system in a remote desktop environment.
Bitter_APT_targets_Bangladesh
LOW
+
—
- Intel Source:
- SecuInfra
- Intel Name:
- Bitter_APT_targets_Bangladesh
- Date of Scan:
- 2022-07-06
- Impact:
- LOW
- Summary:
- Researchers from Secuinfra analyzed a attack by Bitter APT group who has targeted military organizations of Bangladesh.
Diving_deep_into_BumbleBee_Loader_updated_IOCs
MEDIUM
+
—
- Intel Source:
- Securonix
- Intel Name:
- Diving_deep_into_BumbleBee_Loader_updated_IOCs
- Date of Scan:
- 2022-07-06
- Impact:
- MEDIUM
- Summary:
- Securonix Threat Labs Threat Research Team has analysed a sample of BumbleBee, it appear to follow a similar delivery mechanism which we can use to detect the initial foothold of the loader. Currently, AV detection of the BumbleBee loader is very weak as vendors work to update their signatures and heuristic detections. But the main DLL payload of this loader is very much capable of evading EDR detection at the time of publication.
The_new_Hive_variant
MEDIUM
+
—
- Intel Source:
- Microsoft
- Intel Name:
- The_new_Hive_variant
- Date of Scan:
- 2022-07-06
- Impact:
- MEDIUM
- Summary:
- Microsoft Threat Intelligence Center discovered the new variant while analyzing detected Hive ransomware techniques for dropping .key files
DarkComet_RAT_returned_with_new_TTPs
LOW
+
—
- Intel Source:
- SocInvestigations
- Intel Name:
- DarkComet_RAT_returned_with_new_TTPs
- Date of Scan:
- 2022-07-06
- Impact:
- LOW
- Summary:
- Researchers from SocInvestigation documented about the new TTPs of DarkComet RAT and also its detection and response. Generally the Darkcomet is spread via Phishing campaign
Vsingle_Malware_used_by_Lazarus_Group
MEDIUM
+
—
- Intel Source:
- JPCERT
- Intel Name:
- Vsingle_Malware_used_by_Lazarus_Group
- Date of Scan:
- 2022-07-05
- Impact:
- MEDIUM
- Summary:
- Researchers from JPCERT detailed about VSingle malware used by the Lazarus group, which has been updated to retrieve C2 servers information from GitHub.
Xloader_Malware_returns_with_new_infection_technique
MEDIUM
+
—
- Intel Source:
- Cyble
- Intel Name:
- Xloader_Malware_returns_with_new_infection_technique
- Date of Scan:
- 2022-07-05
- Impact:
- MEDIUM
- Summary:
- Researchers at Cyble has analysed an infection chain of Xloader malware. The malware uses multiple file types such as PDF, XLSX, and RTF for its initial infection and execution. It is also designed to drop three modules in memory and execute the final payload using the Process-Hollowing technique.
MedusaLocker_Ransomware
MEDIUM
+
—
- Intel Source:
- CISA
- Intel Name:
- MedusaLocker_Ransomware
- Date of Scan:
- 2022-07-04
- Impact:
- MEDIUM
- Summary:
- In a joint advisory by CISA, FBI, Treasury, FinCEN to support the #StopRansomware camapign, providing information on MedusaLocker ransomware. Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol(RDP) to access victims’ networks
SessionManager_IIS_backdoor
MEDIUM
+
—
- Intel Source:
- SecureList
- Intel Name:
- SessionManager_IIS_backdoor
- Date of Scan:
- 2022-07-04
- Impact:
- MEDIUM
- Summary:
- Researchers at SecureList were investigating IIS backdoor called SessionManager since early 2022. SessionManager has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East, starting from at least March 2021.
YTStealer_Malware
LOW
+
—
- Intel Source:
- Intezer
- Intel Name:
- YTStealer_Malware
- Date of Scan:
- 2022-07-04
- Impact:
- LOW
- Summary:
- YTStealer is a malware that aims to steal YouTube authentication cookies. As a stealing program, it acts like many other stealing programs.
GlowSand_Campaign
LOW
+
—
- Intel Source:
- Inquest
- Intel Name:
- GlowSand_Campaign
- Date of Scan:
- 2022-07-04
- Impact:
- LOW
- Summary:
- Researchers at Inquest has analysed Multistage malicious documnet masquerading as a Ukrainian military payroll document. The document was Obfuscated and geofenced to only infect UKraine systems.
PennyWise_Infostealer_leveraging_YouTube_to_infect_users
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- PennyWise_Infostealer_leveraging_YouTube_to_infect_users
- Date of Scan:
- 2022-07-01
- Impact:
- LOW
- Summary:
- Threat Hunters by exercising they discovered, a new stealer named “PennyWise”.The stealer appears to have been developed recently. The investigation indicated that the stealer is an emerging threat and the researchers witnessed multiple samples of this stealer active in the wild.
Countering_hack_for_hire_attacker_groups
LOW
+
—
- Intel Source:
- Google blog
- Intel Name:
- Countering_hack_for_hire_attacker_groups
- Date of Scan:
- 2022-07-01
- Impact:
- LOW
- Summary:
- Google's Threat Analysis Group (TAG) on Thursday released that they blocked as many as 36 malicious domains operated by hack-for-hire groups from India, Russia, and the U.A.E. It has been seen hack-for-hire groups target human rights and political activists, journalists, and other high-risk users around the world, putting their privacy, safety and security at risk.
New_ZuoRAT_malware_targets_SOHO_router
LOW
+
—
- Intel Source:
- Lumen blog
- Intel Name:
- New_ZuoRAT_malware_targets_SOHO_router
- Date of Scan:
- 2022-06-30
- Impact:
- LOW
- Summary:
- Black Lotus Labs, the threat intelligence arm of Lumen Technologies has identified and tracking the details of a new and sophisticated multistage remote access trojan (RAT) that leveraging infected SOHO routers to target predominantly North American and European networks of interest. This trojan grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold.
Raccoon_Stealer_v2
LOW
+
—
- Intel Source:
- Sekoia
- Intel Name:
- Raccoon_Stealer_v2
- Date of Scan:
- 2022-06-30
- Impact:
- LOW
- Summary:
- It was observed by reserachers this weekthey that cyber criminals using a new and improved version of the productive malware Raccoon Stealer that was barely three months after its authors announced they were quitting.
Emotet_still_abusing_Microsoft_Office_Macros
MEDIUM
+
—
- Intel Source:
- NetSkope
- Intel Name:
- Emotet_still_abusing_Microsoft_Office_Macros
- Date of Scan:
- 2022-06-30
- Impact:
- MEDIUM
- Summary:
- Researchers at Netskope Threat Labs has analysed campaign where Emotet is still being executed using malicious Mircosoft office documents. Despite the protection Microsoft released in 2022 to prevent the execution of Excel 4.0 (XLM) macros, this attack is still feasible against users who are using outdated versions of Office.
Black_Basta_Ransomware_gang_added_Qakbot_and_PrintNightmare_Exploit_to_their_Arsenal
MEDIUM
+
—
- Intel Source:
- Trend Micro
- Intel Name:
- Black_Basta_Ransomware_gang_added_Qakbot_and_PrintNightmare_Exploit_to_their_Arsenal
- Date of Scan:
- 2022-06-30
- Impact:
- MEDIUM
- Summary:
- Researchers at Trend Micro identified Black Basta ransomware ransomware group that used the banking trojan QakBot as a means of entry and movement and took advantage of the PrintNightmare vulnerability to perform privileged file operations.
Ukraine_targeted_by_Dark_Crystal_RAT_or_DCRat
LOW
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Ukraine_targeted_by_Dark_Crystal_RAT_or_DCRat
- Date of Scan:
- 2022-06-29
- Impact:
- LOW
- Summary:
- Researchers at FortiGuard Labs came across another file that was likely used in the attack campaign described by CERT-UA. However, the date of the file submission to VirusTotal, and the location of the submission being Ukraine. The new file however is in Excel (xlsx) format and contains malicious macros instead of the docx format and exploitation of CVE-2022-30190 (Follina).
AstraLocker_2.0_Ransomware_distributed_from_Microsoft_Word_files
MEDIUM
+
—
- Intel Source:
- ReversingLabs
- Intel Name:
- AstraLocker_2.0_Ransomware_distributed_from_Microsoft_Word_files
- Date of Scan:
- 2022-06-29
- Impact:
- MEDIUM
- Summary:
- Researchers at ReversingLabs has discovered a new version of the AstraLocker ransomware (AstraLocker 2.0) that was being distributed directly from Microsoft Office files used as bait in phishing attacks.
ShadowPad_backdoor_and_MS_Exchange_bug_leveraged_to_attack_ICS
LOW
+
—
- Intel Source:
- Kaspersky ICS CERT
- Intel Name:
- ShadowPad_backdoor_and_MS_Exchange_bug_leveraged_to_attack_ICS
- Date of Scan:
- 2022-06-28
- Impact:
- LOW
- Summary:
- Researchers at Kaspersky ICS CERT has spotted a threat actor targeting organizations in the industrial, telecommunications, logistics and transport sectors in Pakistan, Afghanistan and Malaysia respectively exploiting Microsoft Exchange server vulnerability (CVE-2021-26855) and downloading Shadow backdoor.
Evilnum_APT_returns_with_new_Threat_and_TTPs
MEDIUM
+
—
- Intel Source:
- Zscaler
- Intel Name:
- Evilnum_APT_returns_with_new_Threat_and_TTPs
- Date of Scan:
- 2022-06-28
- Impact:
- MEDIUM
- Summary:
- Researchers from Zscaler have been tracking Evilnum APT group since starting of 2022 and have seen this time with a newer target list and TTPs.The main distribution vector used by this threat group was Windows Shortcut files (LNK) sent inside malicious archive files (ZIP) as email attachments in spear phishing emails to the victims.
Software_Cracks_Distributing_Recordbreaker_Stealer
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Software_Cracks_Distributing_Recordbreaker_Stealer
- Date of Scan:
- 2022-06-28
- Impact:
- LOW
- Summary:
- ASEC Research Team has analysed
Socgholish_initiated_through_Cobalt_Strike_payloads
LOW
+
—
- Intel Source:
- Esentire
- Intel Name:
- Socgholish_initiated_through_Cobalt_Strike_payloads
- Date of Scan:
- 2022-06-27
- Impact:
- LOW
- Summary:
- ESentire had an observation of drive-by threats such as Socgholish, Gootkit Loader and Solarmarker are on the rise. Both Socgholish and Gootkit Loader have been linked to follow-on attacks initiated through Cobalt Strike payloads.
Python_malicious_script_executing_a_keylogger
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Python_malicious_script_executing_a_keylogger
- Date of Scan:
- 2022-06-27
- Impact:
- LOW
- Summary:
- Researcher from ISC.SANS disovered a Python script that has some interesting features that can conduct social engineering attacks
DarkCrystal_RAT_malware_attacking_Ukraining_telecom_operators
LOW
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- DarkCrystal_RAT_malware_attacking_Ukraining_telecom_operators
- Date of Scan:
- 2022-06-27
- Impact:
- LOW
- Summary:
- CERT-UA received information about Crystal RAT attack that is aimed at operators and telecommunications providers of Ukraine. It was distributed by e-mails with the topic "Free primary legal aid" and the attachment "Algorithm of actions of members of the family of a missing serviceman LegalAid.rar".
BlackBastaRansomware
MEDIUM
+
—
- Intel Source:
- Cybereason
- Intel Name:
- BlackBastaRansomware
- Date of Scan:
- 2022-06-25
- Impact:
- MEDIUM
- Summary:
- Researchers from Cybereason analyzed the attack of BlackBasta ransomware and provided key details anbout its growth since inception
Conti_ArmAttack_Campaign
MEDIUM
+
—
- Intel Source:
- Group-IB
- Intel Name:
- Conti_ArmAttack_Campaign
- Date of Scan:
- 2022-06-24
- Impact:
- MEDIUM
- Summary:
- GroupIB researchers documented about CONTI ransomware new campaign dubbed as ARMattack. In this campaign they compromised at least more than 40 companies and it took 3 days for them to to that.
BRONZ_STARLIGHT_Ransomware_Operations_levearge_HUI_Loader
MEDIUM
+
—
- Intel Source:
- SecureWorks
- Intel Name:
- BRONZ_STARLIGHT_Ransomware_Operations_levearge_HUI_Loader
- Date of Scan:
- 2022-06-24
- Impact:
- MEDIUM
- Summary:
- Researchers at Secureworks CTU has observed a China-linked state-sponsored hacking group named Bronze Starlight deploying various ransomware families to hide the true intent of its attacks.
CALISTO_Russian_Threat_Actor_continues_its_credential_harvesting_campaign
MEDIUM
+
—
- Intel Source:
- Sekoia
- Intel Name:
- CALISTO_Russian_Threat_Actor_continues_its_credential_harvesting_campaign
- Date of Scan:
- 2022-06-24
- Impact:
- MEDIUM
- Summary:
- Sekoia Threat & Detection Research Team has followed GoogleTAG team finding on russian threat actor CALISTO, and identified a phishing campaign where CALISTO uses Evilginx on its VPS to capture the victim’s credentials. This well known open source tool creates an SSL reverse proxy between the victim and a legitimate website to capture web credentials, 2FA tokens.
New_malware_associated_with_Iranian_SiameseKitten_Group_or_Lyceum
MEDIUM
+
—
- Intel Source:
- ClearSky
- Intel Name:
- New_malware_associated_with_Iranian_SiameseKitten_Group_or_Lyceum
- Date of Scan:
- 2022-06-24
- Impact:
- MEDIUM
- Summary:
- Researchers at ClearSky security has discovered a new malware linked with Lyceum group. The is downloaded from a domain registered on June 6th, and it communicates with a previously unknown command and control server whose IP address is adjacent to that of the domain.
LockBit_Ransomware_being_distributed_using_Copyright_related_Emails
MEDIUM
+
—
- Intel Source:
- ASEC
- Intel Name:
- LockBit_Ransomware_being_distributed_using_Copyright_related_Emails
- Date of Scan:
- 2022-06-24
- Impact:
- MEDIUM
- Summary:
- ASEC Research team has discovered the distribution of LockBit ransomware using phishing e-mail, and disguising itself as copyright claims e-mail. The phishing e-mail has a compressed file as an attachment that contains another compressed file inside.
Log4Shell_exploits_still_being_used_to_hack_VMware_servers
MEDIUM
+
—
- Intel Source:
- CISA
- Intel Name:
- Log4Shell_exploits_still_being_used_to_hack_VMware_servers
- Date of Scan:
- 2022-06-24
- Impact:
- MEDIUM
- Summary:
- CISA warned today that threat actors, including state-backed hacking groups, are still targeting VMware Horizon and Unified Access Gateway (UAG) servers using the Log4Shell (CVE-2021-44228) remote code execution vulnerability.
Chinese_Threat_actors_targets_Russian_Government_Agencies
LOW
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- Chinese_Threat_actors_targets_Russian_Government_Agencies
- Date of Scan:
- 2022-06-23
- Impact:
- LOW
- Summary:
- CERT UA researchers discovered malicious files which have been used to exploit vulnerabilities in MS Office. This attack has been linked to Chinese threat actors.
AA_distribution_Qakbot_with_DarkVNC_and_Cobalt Strike
MEDIUM
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- AA_distribution_Qakbot_with_DarkVNC_and_Cobalt Strike
- Date of Scan:
- 2022-06-23
- Impact:
- MEDIUM
- Summary:
- Securonix Threat Intelligence unit has identified a new wave of QBOT infection further delivering DarkVNC and Cobalt Strike.
Keona_Clipper_Leverages_Telegram_For_Anonymity
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Keona_Clipper_Leverages_Telegram_For_Anonymity
- Date of Scan:
- 2022-06-23
- Impact:
- LOW
- Summary:
- Cyble researchers found a post advertising a new clipper malware, namely “Keona Clipper.” The Keona clipper is unique and anonymous software wrapped in a Telegram bot with stealth and anonymity. Additionally, the malware disguises itself as a system file and sends victim details to a Telegram bot.
RIG_Exploit_campaign_rapidly_modified_Raccoon_malware_with_Dridex
LOW
+
—
- Intel Source:
- BitDefender
- Intel Name:
- RIG_Exploit_campaign_rapidly_modified_Raccoon_malware_with_Dridex
- Date of Scan:
- 2022-06-22
- Impact:
- LOW
- Summary:
- Bitdefender researchers discovered a new RIG Exploit Kit campaign have rapidly adapted by replacing Raccoon malware with Dridex to make the most of the ongoing campaign.
Rise_of_LNK_Malware
MEDIUM
+
—
- Intel Source:
- McAfee
- Intel Name:
- Rise_of_LNK_Malware
- Date of Scan:
- 2022-06-22
- Impact:
- MEDIUM
- Summary:
- Researchers at McAfee Labs has identified three campiagns, where attackers abusing the windows shortcut LNK files and made them to be extremely dangerous to the common users. LNK files are being used to deliver malware such as Emotet, Qakbot, and IcedID.
Malicious_PowerShell_attack_in_Cryptocurrency_Browser_Extensions
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Malicious_PowerShell_attack_in_Cryptocurrency_Browser_Extensions
- Date of Scan:
- 2022-06-22
- Impact:
- LOW
- Summary:
- Researchers from SANS found a malicious powerShell script targeting cryptocurrency browser apps or extensions.
Tropic_Trooper_APT_new_TTPs
MEDIUM
+
—
- Intel Source:
- Checkpoint
- Intel Name:
- Tropic_Trooper_APT_new_TTPs
- Date of Scan:
- 2022-06-22
- Impact:
- MEDIUM
- Summary:
- Check Point researchers shared findings of the infection chain which includes a previously undescribed loader (dubbed “Nimbda”) written in Nim language on a group / activity cluster with ties to Tropic Trooper:
China_Linked_ToddyCat_APT_Pioneers_Novel_Spyware
MEDIUM
+
—
- Intel Source:
- Kaspersky
- Intel Name:
- China_Linked_ToddyCat_APT_Pioneers_Novel_Spyware
- Date of Scan:
- 2022-06-22
- Impact:
- MEDIUM
- Summary:
- Researchers from Kaspersky found APT group dubbed ToddyCat has been targeting Microsoft Exchange servers throughout Asia and Europe for more than a year. Also, they found a previously unknown passive backdoor they named Samurai and new trojan malware dubbed Ninja Trojan.
MuddyWater’s_new_campagin_targetting_Middle_East
MEDIUM
+
—
- Intel Source:
- Lab52
- Intel Name:
- MuddyWater’s_new_campagin_targetting_Middle_East
- Date of Scan:
- 2022-06-22
- Impact:
- MEDIUM
- Summary:
- MuddyWater threat group, allegedly sponsored by the Iranian government and linked to the Iranian revolutionary guard, has mantained a “long-term” infection campaign targeting Middle East countries. Researchers from Lab52 found recent samples and discovered that attackers might modify its functionality in a later stage, based on the obtained information from the infected host or, at least, use it to download and drop the next infection stage.
Quantum Software Possibly Linked to Lazarus APT group
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Quantum Software Possibly Linked to Lazarus APT group
- Date of Scan:
- 2022-06-22
- Impact:
- LOW
- Summary:
- Researchers from Cyble came across a post from a threat actor on deep web forum advertising about Quantum Software a LNK file based builder and it has possible links with Lazarus APT group.
Avos_Ransomware_adds_new_Arsenal
MEDIUM
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Avos_Ransomware_adds_new_Arsenal
- Date of Scan:
- 2022-06-21
- Impact:
- MEDIUM
- Summary:
- Researchers from Cisco Talos found a month long AvosLocker ransomware campaign in which the threat actors have leveraged Cobalt Strike, Sliver and multiple commercial network scanners.
Cybercriminals_levearging_Azure_Front_Door_service_in_Phishing_attacks
LOW
+
—
- Intel Source:
- Resecurity
- Intel Name:
- Cybercriminals_levearging_Azure_Front_Door_service_in_Phishing_attacks
- Date of Scan:
- 2022-06-21
- Impact:
- LOW
- Summary:
- Researchers at Resecurity has identified a phishing campaign delivered via Azure Front Door (AFD) service by Microsoft. This attack allows the bad actors to trick users and spread phishing content to intercept credentials from business applications and e-mail accounts.
APT28_levarging_CredoMap_Malware_to-target_Ukraine
LOW
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- APT28_levarging_CredoMap_Malware_to-target_Ukraine
- Date of Scan:
- 2022-06-21
- Impact:
- LOW
- Summary:
- CERT-UA has analysed a phishing email which contains an attachment of malicious document related to Nuclear Terrorism, after opening to it will leads to downloading an HTML file and executing JavaScript code (CVE-2022-30190), it will further download and launch the CredoMap malware.
UAC_0098_targeting_Ukraine_Critical_Infrastructure_facilities
LOW
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC_0098_targeting_Ukraine_Critical_Infrastructure_facilities
- Date of Scan:
- 2022-06-21
- Impact:
- LOW
- Summary:
- CERT-UA has analysed an phishing email contains an attached malicious documents which open an HTML file and execute JavaScript code (CVE-2022-30190), it further download and run the malicious program Cobalt Strike Beacon.
Voicemail_themed_Phishing_attacks_targeting_industries_in_US
MEDIUM
+
—
- Intel Source:
- Zscaler
- Intel Name:
- Voicemail_themed_Phishing_attacks_targeting_industries_in_US
- Date of Scan:
- 2022-06-20
- Impact:
- MEDIUM
- Summary:
- Researchers from Zscalar ThreatLabz has identified and monitoring the activities of a threat actor which targets users in various US-based organizations with malicious voicemail-notification-themed emails in an attempt to steal their Office365 and Outlook credentials.
Client_side_Magecart_attacks_still_around_but_more_covert
MEDIUM
+
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Client_side_Magecart_attacks_still_around_but_more_covert
- Date of Scan:
- 2022-06-20
- Impact:
- MEDIUM
- Summary:
- Malwarebytes reseraches are saying that Magecart client-side attacks are still around and there are some changes took place in the threat landscape. Newly reported domains linked with ‘anti-VM’ skimmer. One thing known is that if the Magecart threat actors decided to switch their operations exclusively server-side then the majority of companies would lose visibility overnight.
BlackGuard_Infostealer
LOW
+
—
- Intel Source:
- CyberInt
- Intel Name:
- BlackGuard_Infostealer
- Date of Scan:
- 2022-06-20
- Impact:
- LOW
- Summary:
- Researchers at CyberInt discovered campaigns abusing gaming forums and Discord channels to distribute BlackGuard, along with a new data exfiltration technique using Telegram.
Malspam_pushes_Matanbuchus_malware
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Malspam_pushes_Matanbuchus_malware
- Date of Scan:
- 2022-06-17
- Impact:
- LOW
- Summary:
- Researchers from SANS found a malicious campaign pushing Matanbuchus malware which lead to Cobalt Strike.
New_Version_of_Raccon_Stealer
LOW
+
—
- Intel Source:
- S2W INC
- Intel Name:
- New_Version_of_Raccon_Stealer
- Date of Scan:
- 2022-06-17
- Impact:
- LOW
- Summary:
- Researchers from S2W Inc shared details around the new version of Raccoon Stealer and its operator who made announcement on the dark web forum “Exploit”, stating that after three and a half months of being temporarily suspended, V2 of the stealer is operational.
Cerber2021_Ransomware_Back_In_Action
MEDIUM
+
—
- Intel Source:
- Cyble
- Intel Name:
- Cerber2021_Ransomware_Back_In_Action
- Date of Scan:
- 2022-06-17
- Impact:
- MEDIUM
- Summary:
- Cyble Research Labs has analysed a smaple of Cerber2021 ransomware, which suggests that threat actors exploit recently patched/unpatched Atlasian vulnerabilities to deliver the ransomware.
Malicious_HWP_Files_distributed_through_PC_messengers
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Malicious_HWP_Files_distributed_through_PC_messengers
- Date of Scan:
- 2022-06-17
- Impact:
- LOW
- Summary:
- ASEC Research team has discovered the active distribution of APT files that are exploiting a feature of HWP files and targeting South-Korean users since long.
CopperStealer_Malware_infecting_via_websites_hosting_fake_software
MEDIUM
+
—
- Intel Source:
- Trendmicro
- Intel Name:
- CopperStealer_Malware_infecting_via_websites_hosting_fake_software
- Date of Scan:
- 2022-06-17
- Impact:
- MEDIUM
- Summary:
- Trendmicro noticed a new version of CopperStealer with the infection vector starts with a website offering fake cracks and 2 stages of the attack: cryptor and dropper.
New_IceLoader_malware_3_0
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- New_IceLoader_malware_3_0
- Date of Scan:
- 2022-06-17
- Impact:
- MEDIUM
- Summary:
- While hunting for new malware families written in the Nim programming language, FortiGuard Labs discovered a loader malware with the strings “ICE_X” and “v3.0”. A loader is a type of malware that is intended for downloading and executing additional payloads provided by a threat actor to further their malicious objectives.
QBot_returns_with_new_TTPs
LOW
+
—
- Intel Source:
- SocInvestigations
- Intel Name:
- QBot_returns_with_new_TTPs
- Date of Scan:
- 2022-06-16
- Impact:
- LOW
- Summary:
- Socinvestigation detection and response analysts detected a banking trojan malware QBOT coming back with new TTPS: distribution via XLSB, and via XLTM.
New_Redline_InfoStealer_campaign
LOW
+
—
- Intel Source:
- Qualys
- Intel Name:
- New_Redline_InfoStealer_campaign
- Date of Scan:
- 2022-06-16
- Impact:
- LOW
- Summary:
- Qualys researchers found a new Redline InfoStealer campaign which spreads via fake cracked software hosted on Discord’s content delivery network.
Houdini_RAT_leveraging_JavaScript_Dropper
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Houdini_RAT_leveraging_JavaScript_Dropper
- Date of Scan:
- 2022-06-16
- Impact:
- LOW
- Summary:
- Houdini leveraging a phishing email with a ZIP archive that contains a JavaScript file called “New-Order.js
Confluence_exploits_leveraged_to_drop_ransomware_payloads
MEDIUM
+
—
- Intel Source:
- Sophos
- Intel Name:
- Confluence_exploits_leveraged_to_drop_ransomware_payloads
- Date of Scan:
- 2022-06-16
- Impact:
- MEDIUM
- Summary:
- Researchers at Sophos Labs has identified attackers are leveraging Confluence exploits against Windows vulnerable servers and dropping Cerber Ransomware and also pushing down Cobalt Strike shellcode, running PowerShell commands.
Monkeypox_phishing_outbreak
LOW
+
—
- Intel Source:
- Cofense
- Intel Name:
- Monkeypox_phishing_outbreak
- Date of Scan:
- 2022-06-16
- Impact:
- LOW
- Summary:
- Cofense's Phishing Defence Center has seen attempts to deceive enterprise staff with a series of monkeypox themed phishing emails. As this rare infection spreads around the globe and gains media attention, attackers are likely to continue tweaking their tactics.
Zero_Day_Sophos_Firewall_Exploitation_and_an_Insidious_Breach_by_DriftingCloud_threat_actor
MEDIUM
+
—
- Intel Source:
- Volexity
- Intel Name:
- Zero_Day_Sophos_Firewall_Exploitation_and_an_Insidious_Breach_by_DriftingCloud_threat_actor
- Date of Scan:
- 2022-06-16
- Impact:
- MEDIUM
- Summary:
- Volexity observesed a backdoored Shophos Firewall attack. This particular attack leveraged a zero-day exploit to compromise the customer's firewall. Also it was observed the attacker implement an interesting webshell backdoor, create a secondary form of persistence, and ultimately launch attacks against the customer's staff. These attacks aimed to further breach cloud-hosted web servers hosting the organization's public-facing websites.
Saitama_backdoor_using_DNS_tunneling
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Saitama_backdoor_using_DNS_tunneling
- Date of Scan:
- 2022-06-15
- Impact:
- LOW
- Summary:
- Researchers identified Saitama backdoor was used in a phishing e-mail that targeted a government official from Jordan’s foreign ministry in an attack attributed to the Iranian group APT34.
Old Telerik vulnerability exploitation delivering cryptominer and CobaltStrike infections
LOW
+
—
- Intel Source:
- Sophos
- Intel Name:
- Old Telerik vulnerability exploitation delivering cryptominer and CobaltStrike infections
- Date of Scan:
- 2022-06-15
- Impact:
- LOW
- Summary:
- Researchers from Sophos discovered an exploitation of a three-year old vulnerability (CVE-2019-18935) in the Telerik UI web application framework to take control of web servers, installing Cobalt Strike beacons in the form of a DLL payload) to disk, then used the beacon to execute encoded PowerShell commands, which downloaded more malwares by an unknown threat actor.
Potential_attack_vector_using_Follina_Vulnerability
MEDIUM
+
—
- Intel Source:
- Qualys
- Intel Name:
- Potential_attack_vector_using_Follina_Vulnerability
- Date of Scan:
- 2022-06-15
- Impact:
- MEDIUM
- Summary:
- Qualys researchers has examined a potential attack vector as well as technical details of Follina vulnerability.
Old_Telerik_vulnerability_exploitation_delivering_cryptominer_and_CobaltStrike_infections
LOW
+
—
- Intel Source:
- Sophos
- Intel Name:
- Old_Telerik_vulnerability_exploitation_delivering_cryptominer_and_CobaltStrike_infections
- Date of Scan:
- 2022-06-15
- Impact:
- LOW
- Summary:
- Researchers from Sophos discovered an exploitation of a three-year old vulnerability (CVE-2019-18935) in the Telerik UI web application framework to take control of web servers, installing Cobalt Strike beacons in the form of a DLL payload) to disk, then used the beacon to execute encoded PowerShell commands, which downloaded more malwares by an unknown threat actor.
Panchan_Botnet_targeting_Linux_servers
MEDIUM
+
—
- Intel Source:
- Akamai
- Intel Name:
- Panchan_Botnet_targeting_Linux_servers
- Date of Scan:
- 2022-06-15
- Impact:
- MEDIUM
- Summary:
- Researchers at Akamai has discovered Panchan, a new peer-to-peer botnet and SSH worm and has been actively breaching Linux servers. Panchan is written in Golang, and utilizes its built-in concurrency features to maximize spreadability and execute malware modules.
Hydra_Android_Distributed_Via_Play_Store
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Hydra_Android_Distributed_Via_Play_Store
- Date of Scan:
- 2022-06-15
- Impact:
- LOW
- Summary:
- During the routine threat hunting exercise, Cyble Research Labs came across a Twitter Post wherein the researcher mentioned an Android malware variant published on the Play Store. The variant in question acts as a Hostile Downloader and downloads the Hydra Banking Trojan.
The_IP2Scam_tech_support_campaign_scammers
LOW
+
—
- Intel Source:
- Malwarebytes
- Intel Name:
- The_IP2Scam_tech_support_campaign_scammers
- Date of Scan:
- 2022-06-14
- Impact:
- LOW
- Summary:
- Malwarebytes break down what they call the IP2Scam tech support scheme, by going back in time to track previously used infrastructure
ChromeLoader_adware_halted_from_broadcasting_by_Jamf_Protect
MEDIUM
+
—
- Intel Source:
- Jamf
- Intel Name:
- ChromeLoader_adware_halted_from_broadcasting_by_Jamf_Protect
- Date of Scan:
- 2022-06-14
- Impact:
- MEDIUM
- Summary:
- CrowdStrike researchers tracked an adware campaign that injects ads into Chrome and Safari browsers on macOS. Victims are tricked into opening a DMG file and running a shell script which masquerades as a legitimate installer application.
PureCrypter_dropping_RATs_and_InfoStealer
LOW
+
—
- Intel Source:
- Zscaler
- Intel Name:
- PureCrypter_dropping_RATs_and_InfoStealer
- Date of Scan:
- 2022-06-14
- Impact:
- LOW
- Summary:
- Zscalers researchers documented workings of a fully-featured malware loader dubbed PureCrypter that's being purchased by cyber criminals to deliver remote access trojans (RATs) and information stealers.
Purple_Fox_malware_analysis
LOW
+
—
- Intel Source:
- Esentire
- Intel Name:
- Purple_Fox_malware_analysis
- Date of Scan:
- 2022-06-14
- Impact:
- LOW
- Summary:
- eSentire’s Threat Response Unit (TRU) team recently observed multiple Purple Fox infections. The malware targets vulnerable versions of Internet Explorer (IE). The infection starts with the execution of a malicious script via mshta.exe, a utility that runs Microsoft HTML Applications (HTA) files.
How_SeaFlower_installs_backdoors_in_iOS_Android_web3_wallets
MEDIUM
+
—
- Intel Source:
- Confiant
- Intel Name:
- How_SeaFlower_installs_backdoors_in_iOS_Android_web3_wallets
- Date of Scan:
- 2022-06-14
- Impact:
- MEDIUM
- Summary:
- Confiant believes SeaFlower is the most technically sophisticated threat targeting web3 users, right after the infamous Lazarus Group
New_Linux_Rootkit_Syslogk
LOW
+
—
- Intel Source:
- Avast
- Intel Name:
- New_Linux_Rootkit_Syslogk
- Date of Scan:
- 2022-06-14
- Impact:
- LOW
- Summary:
- Researchers from Avast spotted a new Linux rootkit, dubbed ‘Syslogk,’ that uses specially crafted “magic packets” to activate a dormant backdoor on the device.
Iranian_phishing_campaign_linked_to_Phosphorous_APT_group
LOW
+
—
- Intel Source:
- Checkpoint
- Intel Name:
- Iranian_phishing_campaign_linked_to_Phosphorous_APT_group
- Date of Scan:
- 2022-06-14
- Impact:
- LOW
Chinese_APT_GALLIUM_levarges_PingPull_RAT_in_Cyberespionage_Campaigns
MEDIUM
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- Chinese_APT_GALLIUM_levarges_PingPull_RAT_in_Cyberespionage_Campaigns
- Date of Scan:
- 2022-06-13
- Impact:
- MEDIUM
- Summary:
- Unit 42 recently identified a new, difficult-to-detect remote access trojan named PingPull being used by GALLIUM, an advanced persistent threat (APT) group.
HelloXD_ransomware_and_links_with_x4k_threat_actor
LOW
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- HelloXD_ransomware_and_links_with_x4k_threat_actor
- Date of Scan:
- 2022-06-13
- Impact:
- LOW
- Summary:
- Researchers from PaloAlto noticed in increased activity of Hello XD ransomware, whose operators are now deploying an upgraded sample featuring stronger encryption.
UAC_0113_Sandworm_Group_targeting_media_organisations_in_Ukraine
LOW
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC_0113_Sandworm_Group_targeting_media_organisations_in_Ukraine
- Date of Scan:
- 2022-06-13
- Impact:
- LOW
- Summary:
- CERT-UA has analysed an phishing email targeting media organizations of Ukraine which has the topic "LIST of links to interactive maps" and a document attached with same name. The malicious document is delivering malicious CrescentImp malware. CERT-UA has tracked this activity with medium confidence to UAC-0113, which is associated with the Sandworm Group.
Crypto_Miners_Leveraging_Atlassian_Zero_Day_Vulnerability
MEDIUM
+
—
- Intel Source:
- Checkpoint
- Intel Name:
- Crypto_Miners_Leveraging_Atlassian_Zero_Day_Vulnerability
- Date of Scan:
- 2022-06-13
- Impact:
- MEDIUM
- Summary:
- Checkpoint Labs has uncovered an unauthenticated attacker who can use this vulnerability to execute arbitrary code on the target server by placing a malicious payload in the URI.
Symbiote_malware_detected_in_Linux
LOW
+
—
- Intel Source:
- BlackBerry
- Intel Name:
- Symbiote_malware_detected_in_Linux
- Date of Scan:
- 2022-06-10
- Impact:
- LOW
- Summary:
- Researchers have identified the Symbiote malware with an impact to harvest credentials and providing remote access for the threat actor.
Credit_card_skimmer_evades_Virtual_Machines
LOW
+
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Credit_card_skimmer_evades_Virtual_Machines
- Date of Scan:
- 2022-06-10
- Impact:
- LOW
- Summary:
- In this blog post Malwarebyres Labs show how a Magecart threat actor distributing a digital skimmer is avoiding researchers and possibly sandboxes by ensuring users are running genuine computers and not virtual ones
Lyceum_NET_DNS_Backdoor
MEDIUM
+
—
- Intel Source:
- ZScaler
- Intel Name:
- Lyceum_NET_DNS_Backdoor
- Date of Scan:
- 2022-06-10
- Impact:
- MEDIUM
- Summary:
- The Iranian Lycaeum APT hacking group uses a new .NET-based DNS backdoor to conduct attacks on companies in the energy and telecommunication sectors
Malvertising_campaign_leads_to_fake_Firefox_update
LOW
+
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Malvertising_campaign_leads_to_fake_Firefox_update
- Date of Scan:
- 2022-06-09
- Impact:
- LOW
- Summary:
- Researchers from MalwareBytes came across a malvertising campaign leading to a fake Firefox update.
State_Backed_Hackers_Exploit_Microsoft _Follina'_Bug_to_Target_Entities_in_Europe_and_U.S
MEDIUM
+
—
- Intel Source:
- The Hacker News
- Intel Name:
- State_Backed_Hackers_Exploit_Microsoft _Follina'_Bug_to_Target_Entities_in_Europe_and_U.S
- Date of Scan:
- 2022-06-09
- Impact:
- MEDIUM
- Summary:
- A suspected state-aligned threat actor has been attributed to a new set of attacks exploiting the Microsoft Office "Follina" vulnerability to target government entities in Europe and the U.S.
Kinsing_&_Dark_IoT_botnet_among_threats_targeting_CVE_2022_26134
MEDIUM
+
—
- Intel Source:
- Lacework blog
- Intel Name:
- Kinsing_&_Dark_IoT_botnet_among_threats_targeting_CVE_2022_26134
- Date of Scan:
- 2022-06-09
- Impact:
- MEDIUM
- Summary:
- Details regarding the recent Confluence OGNL (CVE-2022-26134) exploit were released to the public on June 3rd 2022 with Lacework seeing multiple attacks in the wild from both uncategorized and named threats. As of yesterday Lacework have observed active exploitation by known Cloud threat malware families such as Kinsing, “Hezb”, and the Dark.IoT botnet and provides a current inventory of top threats seen exploiting this latest Confluence vulnerability.
TA570_exploiting_Follina_to_deliver_Qbot_Malware
MEDIUM
+
—
- Intel Source:
- ISC.SANS HelpNet Security
- Intel Name:
- TA570_exploiting_Follina_to_deliver_Qbot_Malware
- Date of Scan:
- 2022-06-09
- Impact:
- MEDIUM
- Summary:
- Researchers at ISC.SANS and HelpNet has identified a malicious DLL files used for Qakbot infections contain a tag indicating their specific distribution channel. This wave of malicious spam ultimately provided two separate methods of Qakbot infection. The first method is one also used by other threat actors, where a disk image contains a Windows shortcut that runs a malicious hidden DLL. The second method is a Word docx file using a CVE-2022-30190 (Follina) exploit.
Aoqin_Dragon_Chinese_linked_APT_spying_for_10 years
MEDIUM
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- Aoqin_Dragon_Chinese_linked_APT_spying_for_10 years
- Date of Scan:
- 2022-06-09
- Impact:
- MEDIUM
- Summary:
- SentinelLabs has uncovered a cluster of activity primarily targeting organizations in Southeast Asia and Australia. The threat actor’s primary focus is espionage and relates to targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. This activity ttracked as ‘Aoqin Dragon’. Attacks attributable to Aoqin Dragon typically drop one of two backdoors, Mongall and a modified version of the open source Heyoka project.
Fake_cracked_software_spreading_Crypto_Stealing_malware
LOW
+
—
- Intel Source:
- Avast
- Intel Name:
- Fake_cracked_software_spreading_Crypto_Stealing_malware
- Date of Scan:
- 2022-06-08
- Impact:
- LOW
- Summary:
- Users who download cracked software risk sensitive personal data being stolen by hackers.
Operation_Tejas
LOW
+
—
- Intel Source:
- Qi Anxin Threat Intelligence Center
- Intel Name:
- Operation_Tejas
- Date of Scan:
- 2022-06-08
- Impact:
- LOW
- Summary:
- Qi Anxin Threat Intelligence Center once published the article "Operation Magichm: A Brief Talk on the Manlinghua Organization's CHM File Delivery and Follow-up Operations" in 2021 . In addition to the new attack methods and samples used in the latest attack in April, this Intel Center also provides an overview of the recent phishing activities of the Maya Elephant (APT-Q-41) and the basics of the Diamondback (APT-Q-39) this year.
Spam_Campaign_targeting_victims_with_SVCReady_Malware
MEDIUM
+
—
- Intel Source:
- HP Wolf Security
- Intel Name:
- Spam_Campaign_targeting_victims_with_SVCReady_Malware
- Date of Scan:
- 2022-06-08
- Impact:
- MEDIUM
- Summary:
- Researchers at HP Wolf Security has identified new malicious spam campaigns spreading a previously unknown malware family called 'SVCReady'. The malware is notable for the unusual way it is delivered to target PCs using shellcode hidden in the properties of Microsoft Office documents.
Black_Basta_Ransomware_leverage_QBot_for_lateral_movement
MEDIUM
+
—
- Intel Source:
- NCC Group
- Intel Name:
- Black_Basta_Ransomware_leverage_QBot_for_lateral_movement
- Date of Scan:
- 2022-06-08
- Impact:
- MEDIUM
- Summary:
- Researchers at NCC Group spotted a new partnership between the Black Basta ransomware group and the QBot malware operation.
Bumblebee_Loader_on_the_rise
MEDIUM
+
—
- Intel Source:
- Cyble blog
- Intel Name:
- Bumblebee_Loader_on_the_rise
- Date of Scan:
- 2022-06-08
- Impact:
- MEDIUM
- Summary:
- In March 2022, a new malware named “Bumblebee” was discovered and reportedly distributed via spam campaigns. Researchers identified that Bumblebee is a replacement for BazarLoader malware, which has delivered Conti Ransomware in the past. Bumblebee acts as a downloader and delivers known attack frameworks and open-source tools such as Cobalt Strike, Shellcode, Sliver, Meterpreter. Plus downloads other types of malware such as ransomware, trojans, etc. Cyble intelligence indicates that the incidents of Bumblebee infection are on the rise.
Cuba_Ransomware_Group_new_variant
LOW
+
—
- Intel Source:
- Trend Micro
- Intel Name:
- Cuba_Ransomware_Group_new_variant
- Date of Scan:
- 2022-06-08
- Impact:
- LOW
- Summary:
- Researchers at Trend Micro identified that the malware authors seem to be pushing some updates to the current binary of a new variant.
Popping_Eagle_Malware
MEDIUM
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- Popping_Eagle_Malware
- Date of Scan:
- 2022-06-07
- Impact:
- MEDIUM
- Summary:
- Researchers at Palo Alto has identified an unknown piece of malware dubbed as Popping Eagle, its activity includes performing a specially crafted DLL hijacking attack. Researchers also observed the attacker following DLL hijacking by performing several network scans and lateral movement steps.
Black_Basta_Ransomware_targeting_ESXi_servers
MEDIUM
+
—
- Intel Source:
- NCC Group
- Intel Name:
- Black_Basta_Ransomware_targeting_ESXi_servers
- Date of Scan:
- 2022-06-07
- Impact:
- MEDIUM
- Summary:
- Black Basta is the latest ransomware gang to add support for encrypting VMware ESXi virtual machines (VMs) running on enterprise Linux servers.
WatchDog_Evolves_With_a_New_Multi-Stage_Cryptojacking_Attack
MEDIUM
+
—
- Intel Source:
- Cadosecurity
- Intel Name:
- WatchDog_Evolves_With_a_New_Multi-Stage_Cryptojacking_Attack
- Date of Scan:
- 2022-06-07
- Impact:
- MEDIUM
- Summary:
- Cado Labs’ honeypot infrastructure was recently compromised by a complex and multi-stage cryptojacking attack
Exploitation_of_ManageEngine_SupportCenter_Plus
LOW
+
—
- Intel Source:
- DFIR Report
- Intel Name:
- Exploitation_of_ManageEngine_SupportCenter_Plus
- Date of Scan:
- 2022-06-07
- Impact:
- LOW
- Summary:
- DFIR observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor, discovered files on the server and dumped credentials using a web shell, moved laterally to key servers using Plink and RDP and exfiltrated sensitive information using the web shell and RDP.
Mindware_Ransomware
MEDIUM
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- Mindware_Ransomware
- Date of Scan:
- 2022-06-07
- Impact:
- MEDIUM
- Summary:
- Researchers at SentinelOne has analysed Mindware Ransomware and its similarities with SFile Ransomware, and provided technical indicators.
Spam_Email_Contains_BitRat_Malware
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Spam_Email_Contains_BitRat_Malware
- Date of Scan:
- 2022-06-07
- Impact:
- LOW
- Summary:
- Researchers at ISC.SANS has analysed a Zipped Email attachment which contains a very large ISO/EXE file, after executing the file in sandbox. It started communicating with BitRat C2 site.
YourCyanide_Ransomware_Propagates_With_PasteBin_Discord_Microsoft_Links
LOW
+
—
- Intel Source:
- Trend Micro
- Intel Name:
- YourCyanide_Ransomware_Propagates_With_PasteBin_Discord_Microsoft_Links
- Date of Scan:
- 2022-06-06
- Impact:
- LOW
- Summary:
- The Trend Micro Threat Hunting team recently analyzed a series of CMD-based ransomware variants with a number capabilities such as stealing user information, bypassing remote desktop connections, and propagating through email and physical drives.
Travel_Themed_attacks_surges_by_multiple_RATs
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Travel_Themed_attacks_surges_by_multiple_RATs
- Date of Scan:
- 2022-06-06
- Impact:
- MEDIUM
- Summary:
- Multiple rat campaigns have been noted by researchers from Fortinet who are using travel themed lure to targets travel seekers victims. Those rats include Asyncrat, Netwire Rat, Quasar RAT.
WinDealer_malware_shows_extremely_sophisticated_network_abilities
LOW
+
—
- Intel Source:
- SecureList
- Intel Name:
- WinDealer_malware_shows_extremely_sophisticated_network_abilities
- Date of Scan:
- 2022-06-06
- Impact:
- LOW
- Summary:
- Researchers have discovered that the malware known as WinDealer, spread by Chinese-speaking Advanced Persistent Threat (APT) actor LuoYu, has the ability to perform intrusions through a man-on-the-side attack.
Clipminer_Botnet
LOW
+
—
- Intel Source:
- Symantec
- Intel Name:
- Clipminer_Botnet
- Date of Scan:
- 2022-06-06
- Impact:
- LOW
- Summary:
- Threat analysts have discovered a large operation of a new cryptocurrency mining malware called Clipminer that brought its operators at least $1.7 million from transaction hijacking.
Jasmin_ransomware_tool_rebranded_as_GoodWill_ransomware
MEDIUM
+
—
- Intel Source:
- NetSkope
- Intel Name:
- Jasmin_ransomware_tool_rebranded_as_GoodWill_ransomware
- Date of Scan:
- 2022-06-06
- Impact:
- MEDIUM
- Summary:
- Researchers at Netskope Threat Labs has analysed few GoodWill ransomware samples and found that this threat is 100% based on an open-source ransomware named Jasmin, which is a red team tool that can be used to simulate real ransomware attacks.
DeadBolt_Ransomware
MEDIUM
+
—
- Intel Source:
- Trend Micro
- Intel Name:
- DeadBolt_Ransomware
- Date of Scan:
- 2022-06-06
- Impact:
- MEDIUM
- Summary:
- The DeadBolt ransomware kicked off 2022 with a slew of attacks that targeted internet-facing Network-Attached Storage (NAS) devices.
Jasmin_ransomware_tool_rebranded_as_GoodWill_ransomware
MEDIUM
+
—
- Intel Source:
- NetSkope
- Intel Name:
- Jasmin_ransomware_tool_rebranded_as_GoodWill_ransomware
- Date of Scan:
- 2022-06-06
- Impact:
- MEDIUM
- Summary:
- Researchers at Netskope Threat Labs has analysed few GoodWill ransomware samples and found that this threat is 100% based on an open-source ransomware named Jasmin, which is a red team tool that can be used to simulate real ransomware attacks.
Massive_NDSW_NDSX_Malware_Campaign
MEDIUM
+
—
- Intel Source:
- Sucuri
- Intel Name:
- Massive_NDSW_NDSX_Malware_Campaign
- Date of Scan:
- 2022-06-05
- Impact:
- MEDIUM
- Summary:
- Researchers at Sucuri has been tracking a campaign since Feb 2019, which they name as ndsw/ndsx malware campaign. The malware consists of several layers: the first of which prominently features the ndsw variable within JavaScript injections, the second of which leverages the ndsx variable in the payload.
POLONIUM_targeting_Israeli_organizations
LOW
+
—
- Intel Source:
- Microsoft
- Intel Name:
- POLONIUM_targeting_Israeli_organizations
- Date of Scan:
- 2022-06-03
- Impact:
- LOW
- Summary:
- POLONIUM has targeted and may compromised more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon over the past three months.
Zero_Day_Exploitation_of_Atlassian_Confluence
HIGH
+
—
- Intel Source:
- Volexity
- Intel Name:
- Zero_Day_Exploitation_of_Atlassian_Confluence
- Date of Scan:
- 2022-06-03
- Impact:
- HIGH
- Summary:
- Hackers are actively exploiting a new Atlassian Confluence zero-day vulnerability tracked as CVE-2022-26134 to install web shells, with no fix available at this time.
UNC216_ Shifts_to_LOCKBIT_to_Evade_Sanctions
MEDIUM
+
—
- Intel Source:
- Mandiant
- Intel Name:
- UNC216_ Shifts_to_LOCKBIT_to_Evade_Sanctions
- Date of Scan:
- 2022-06-03
- Impact:
- MEDIUM
- Summary:
- Mandiant has investigated multiple LOCKBIT ransomware intrusions attributed to UNC2165, a financially motivated threat cluster that shares numerous overlaps with the threat group publicly reported as "Evil Corp.
Cobalt_Strike_Beacon_and_other_vulnerabilities_leveraged_to_target_Ukraine_government_bodies
LOW
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- Cobalt_Strike_Beacon_and_other_vulnerabilities_leveraged_to_target_Ukraine_government_bodies
- Date of Scan:
- 2022-06-03
- Impact:
- LOW
- Summary:
- CERT-UA has analysed an phishing email targeting Ukraine government bodies, it contains a file named "changes in wages with accruals.docx". The file contains a link to HTML external object, the execution of which, after exploiting vulnerabilities CVE-2021-40444 and CVE-2022-30190 and later damage the system with Cobalt Strike.
AsyncRAT_targeting_Colombian_Organisations
LOW
+
—
- Intel Source:
- Jstnk
- Intel Name:
- AsyncRAT_targeting_Colombian_Organisations
- Date of Scan:
- 2022-06-03
- Impact:
- LOW
- Summary:
- Researcher Jose Luis Sánchez Martínez have analysed campaigns related to AsyncRAT targeting Colombia, where there are some modifications in TTPs.
Follina_zero-day_vulnerability_in_Microsoft_Office_getting_exploited
HIGH
+
—
- Intel Source:
- ISC.SANS Cisco Talos Recorded Future Fortinet
- Intel Name:
- Follina_zero-day_vulnerability_in_Microsoft_Office_getting_exploited
- Date of Scan:
- 2022-06-02
- Impact:
- HIGH
- Summary:
- A recently discovered zero-day vulnerability CVE-2022-30190 in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. It is also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft Word or via an RTF file. The vulnerability has been widely exploited in the wild by threat actors and some of them have been attributed to Chinese threat actor.
Yashma_Ransomware_Report_CYFIRMA
MEDIUM
+
—
- Intel Source:
- Cyfirma
- Intel Name:
- Yashma_Ransomware_Report_CYFIRMA
- Date of Scan:
- 2022-06-02
- Impact:
- MEDIUM
- Summary:
- Yashma is a new ransomware seen in the wild since May 2022. This ransomware is the rebranded version of an earlier ransomware named Chaos.
NSIS_Installer_Malware_Included_with_Various_Malicious_Files
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- NSIS_Installer_Malware_Included_with_Various_Malicious_Files
- Date of Scan:
- 2022-06-02
- Impact:
- LOW
- Summary:
- The ASEC analysis team recently discovered attackers distributing multiple malicious files with NSIS installers.
BITB_attack_impersonating_Indian_government_website
LOW
+
—
- Intel Source:
- Zscaler
- Intel Name:
- BITB_attack_impersonating_Indian_government_website
- Date of Scan:
- 2022-06-02
- Impact:
- LOW
- Summary:
- Zscaler ThreatLabz team recently observed a new Browser-in-the Browser (BITB) attack impersonating an Indian government website to deliver a sextortion demand with the threat of releasing sensitive information about victims if they refuse to pay.
Karakurt_Data_Extortion_Group
MEDIUM
+
—
- Intel Source:
- CISA
- Intel Name:
- Karakurt_Data_Extortion_Group
- Date of Scan:
- 2022-06-01
- Impact:
- MEDIUM
- Summary:
- Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom. Known ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim.
WSO2_Vulnerability_exploited_to_install_Linux_compatible_CobaltStrike_Beacons
MEDIUM
+
—
- Intel Source:
- Trend Micro
- Intel Name:
- WSO2_Vulnerability_exploited_to_install_Linux_compatible_CobaltStrike_Beacons
- Date of Scan:
- 2022-05-31
- Impact:
- MEDIUM
- Summary:
- Researchers at TrendMicro has observed attackers are exploiting WSO2 vulnerability and intiating a outbound connection with malicious Cobalt Strike callback destination and command and control (C&C) server ipaddress.
APTC53_or_Gamaredon_new_DDoS_Attack_mission
MEDIUM
+
—
- Intel Source:
- 360 Threat Intelligence Center
- Intel Name:
- APTC53_or_Gamaredon_new_DDoS_Attack_mission
- Date of Scan:
- 2022-05-31
- Impact:
- MEDIUM
- Summary:
- 360 Security Brain has detected more frequent network attacks related to the APT-C-53/Gamaredon Group. The Group began to release the open source DDoS Trojan program " LOIC " to carry out DDoS attacks.
EnemyBot_targeting_Content_Management_System_servers_and_Android_devices
MEDIUM
+
—
- Intel Source:
- AT&T Alien Labs
- Intel Name:
- EnemyBot_targeting_Content_Management_System_servers_and_Android_devices
- Date of Scan:
- 2022-05-31
- Impact:
- MEDIUM
- Summary:
- Researchers at AT&T Alien Labs has identified that EnemyBot is expanding its capabilities, exploiting vulnerabilities of 2022, and now targeting IoT devices, web servers, Android devices and content management system (CMS) servers.
XLoader_Botnet_new_C&C_Infrastructure
MEDIUM
+
—
- Intel Source:
- Checkpoint
- Intel Name:
- XLoader_Botnet_new_C&C_Infrastructure
- Date of Scan:
- 2022-05-31
- Impact:
- MEDIUM
- Summary:
- Researchers at Checkpoint Research has identified the real C&C servers among thousands of legitimate domains used by Xloader Botnet.
CVE_2022_30190_Microsoft_Support_Diagnostic_Tool_(MSDT)_RCE_Vulnerability
MEDIUM
+
—
- Intel Source:
- Cyble
- Intel Name:
- CVE_2022_30190_Microsoft_Support_Diagnostic_Tool_(MSDT)_RCE_Vulnerability
- Date of Scan:
- 2022-05-31
- Impact:
- MEDIUM
- Summary:
- Recently, Microsoft discussed a new Zero-Day vulnerability (CVE-2022-30190) that affects Microsoft Support Diagnostic Tool (MSDT) and allows the attackers to execute arbitrary code by exploiting it.
XXL_Malware_distributed_through_Email
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- XXL_Malware_distributed_through_Email
- Date of Scan:
- 2022-05-30
- Impact:
- LOW
- Summary:
- XXL Malware distributed through Email
Phishing_campaign_delivering_AveMariaRAT_BitRAT_PandoraHVNC_Part_II
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Phishing_campaign_delivering_AveMariaRAT_BitRAT_PandoraHVNC_Part_II
- Date of Scan:
- 2022-05-30
- Impact:
- MEDIUM
- Summary:
- Researchers at Fortinet's FortiGaurd Labs has shared part-2 of the analysis where a phishing campaign delivering three fileless malware onto a victim’s device. Once executed, Malware are able to steal sensitive information from that device. It is majorly affecting Microsoft Windows platform users.
Magniber_ransomware_targeting_Windows11_users
MEDIUM
+
—
- Intel Source:
- 360 Total Security
- Intel Name:
- Magniber_ransomware_targeting_Windows11_users
- Date of Scan:
- 2022-05-28
- Impact:
- MEDIUM
- Summary:
- Researchers at 360 Total Security has detected a new attack on Windows11 users, where Magniber ransomware disguised as a Windows 10 upgrade patch package and spread widely.
Grandoreiro_Banking_Malware
MEDIUM
+
—
- Intel Source:
- Trustwave
- Intel Name:
- Grandoreiro_Banking_Malware
- Date of Scan:
- 2022-05-27
- Impact:
- MEDIUM
- Summary:
- Researchers from Trustwave SpiderLabs have identified Grandoreiro malware campaign targeting bank users from Brazil, Spain, and Mexico. The campaign exploits the tax season in target countries by sending out tax-themed phishing emails.
GoodWill_Ransomware
MEDIUM
+
—
- Intel Source:
- CloudSEK
- Intel Name:
- GoodWill_Ransomware
- Date of Scan:
- 2022-05-27
- Impact:
- MEDIUM
- Summary:
- Researchers at CloudSEK has analysed GoodWill ransomware group activity, which forces victims to donate to the poor and provides financial assistance to patients in need.
Analysis_of_Black_Basta_Ransomware
MEDIUM
+
—
- Intel Source:
- IBM Security X-Force
- Intel Name:
- Analysis_of_Black_Basta_Ransomware
- Date of Scan:
- 2022-05-27
- Impact:
- MEDIUM
- Summary:
- Researchers from IBM documented technical analysis of Black Basta ransomware and provided with IoC. Black Basta first appeared in April 2022.
Tandem_Espionage_Campaign
LOW
+
—
- Intel Source:
- Inquest
- Intel Name:
- Tandem_Espionage_Campaign
- Date of Scan:
- 2022-05-27
- Impact:
- LOW
- Summary:
- Researcher Dmitry Melikov at Inquest has discovered an interesting campaign distributing malicious documents. Which used the download chain as well as legitimate payload hosting services.
Mirai_malware_variants_doubled_for_Intel_powered_Linux_systems
MEDIUM
+
—
- Intel Source:
- CrowdStrike
- Intel Name:
- Mirai_malware_variants_doubled_for_Intel_powered_Linux_systems
- Date of Scan:
- 2022-05-26
- Impact:
- MEDIUM
- Summary:
- Crowdstrike research said, Mirai malware variants compiled for Intel-powered Linux systems double (101%) in Q1 2022 compared to Q1 2021.
Threat_actors_using_Browser_automation_framework
LOW
+
—
- Intel Source:
- TeamCymru
- Intel Name:
- Threat_actors_using_Browser_automation_framework
- Date of Scan:
- 2022-05-26
- Impact:
- LOW
- Summary:
- Researchers from Team Cymru have noticed and alerted about a free-to-use browser automation framework that's being increasingly used by threat actors as part of their attack campaigns.
Deep_Analysis_on_new_version_of_Mars_Stealer_Malware
LOW
+
—
- Intel Source:
- XJunior
- Intel Name:
- Deep_Analysis_on_new_version_of_Mars_Stealer_Malware
- Date of Scan:
- 2022-05-26
- Impact:
- LOW
- Summary:
- Security Researcher Mohamed Ashraf has analysed a new version (V8) of Mars Stealer Malware. Researchers has identified anti-analysis technique, diffrent encryption algoithm, new anti debug technique, external dlls are in one zip file
SocGholish_Campaigns_and_Initial_Access_Kit
MEDIUM
+
—
- Intel Source:
- WalMart
- Intel Name:
- SocGholish_Campaigns_and_Initial_Access_Kit
- Date of Scan:
- 2022-05-26
- Impact:
- MEDIUM
- Summary:
- Researchers from WalMart found that SocGholish have been one of the prominent Initial Access vector for threat actors and have also partnered with Evil Corp.
TURLA_new_phishing_based_reconnaissance_campaign
LOW
+
—
- Intel Source:
- Sekoia
- Intel Name:
- TURLA_new_phishing_based_reconnaissance_campaign
- Date of Scan:
- 2022-05-26
- Impact:
- LOW
- Summary:
- Sekoia Threat & Detection Team have exposed a reconnaissance and espionage campaign from the Turla intrusion set against the Baltic Defense College, the Austrian Economic Chamber which has a role in government decision-making such as economic sanctions and NATO’s eLearning platform JDAL pointing Russian Intelligence interest for defense sector in Eastern Europe.
Deep_Analysis_on_new_version_of_Mars_Stealer_Malware
LOW
+
—
- Intel Source:
- XJunior
- Intel Name:
- Deep_Analysis_on_new_version_of_Mars_Stealer_Malware
- Date of Scan:
- 2022-05-26
- Impact:
- LOW
- Summary:
- Security Researcher Mohamed Ashraf has analysed a new version (V8) of Mars Stealer Malware. Researchers has identified anti-analysis technique, diffrent encryption algoithm, new anti debug technique, external dlls are in one zip file
New_variant_of_Nokoyawa_Ransomware
Medium
+
—
- Intel Source:
- Fortinet
- Intel Name:
- New_variant_of_Nokoyawa_Ransomware
- Date of Scan:
- 2022-05-25
- Impact:
- Medium
- Summary:
- Researchers at Fortinet has discovered Nokoyawa Ransomware is a new variant of the Nemty ransomware that has been improving itself.
Yashma_Latest_version_of_Chaos_Ransomware
Medium
+
—
- Intel Source:
- BlackBerry
- Intel Name:
- Yashma_Latest_version_of_Chaos_Ransomware
- Date of Scan:
- 2022-05-25
- Impact:
- Medium
- Summary:
- BlackBerry research and intelligence team have discovered details of the latest version of the Chaos ransomware line, dubbed Yashma. Though Chaos ransomware builder has only been in the wild for a year Yashma claims to be the sixth version (v6.0) of this malware.
Spoofed_Purchase_Order_drops_GuLoader_Malware
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Spoofed_Purchase_Order_drops_GuLoader_Malware
- Date of Scan:
- 2022-05-25
- Impact:
- MEDIUM
- Summary:
- Researchers at Fortinet has analysed a phishing email purporting to be a purchase order by an oil provider in Saudi Arabia, the partial PDF file image displayed in the body of the email was actually a link to an ISO file hosted in the cloud that contained an executable for GuLoader.
Web_Skimmers_mimicking_Google_Analytics_and_Meta_Pixel_Code
MEDIUM
+
—
- Intel Source:
- Microsoft
- Intel Name:
- Web_Skimmers_mimicking_Google_Analytics_and_Meta_Pixel_Code
- Date of Scan:
- 2022-05-25
- Impact:
- MEDIUM
- Summary:
- Threat actors behind web skimming campaigns are leveraging malicious JavaScript code that mimics Google Analytics and Meta Pixel scripts in an attempt to sidestep detection.
Threat_Actor_leverage_Fake_Proof_Of_Concept_to_deliver_CobaltStrike
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Threat_Actor_leverage_Fake_Proof_Of_Concept_to_deliver_CobaltStrike
- Date of Scan:
- 2022-05-25
- Impact:
- LOW
- Summary:
- A threat actor targeted security researchers with fake Windows proof-of-concept exploits that infected devices with the Cobalt Strike backdoor.
Unknown_APT_group_targeted_Russia_repeatedly
Low
+
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Unknown_APT_group_targeted_Russia_repeatedly
- Date of Scan:
- 2022-05-25
- Impact:
- Low
- Summary:
- Researchers from MalwareBytes Threat Intelligence Team discovered campaigns by unknown threat actors targeting Russia. The APT group has launched at least four campaigns since late February.
PDF_delivering_Snake_Keylogger_Malware
Medium
+
—
- Intel Source:
- HP Wolf Security
- Intel Name:
- PDF_delivering_Snake_Keylogger_Malware
- Date of Scan:
- 2022-05-24
- Impact:
- Medium
- Summary:
- HP Wolf Security Researchers have discovered a recent malware distribution campaign using PDF attachments to smuggle malicious Word documents that infect users with malware.
Twisted_Panda_Espionage_Operation
Medium
+
—
- Intel Source:
- Checkpoint
- Intel Name:
- Twisted_Panda_Espionage_Operation
- Date of Scan:
- 2022-05-24
- Impact:
- Medium
- Summary:
- Check Point Research team have details a targeted campaign that has been using sanctions-related baits to attack Russian defense institutes, part of the Rostec Corporation. The investigation shows that this campaign is part of a larger Chinese espionage operation that has been ongoing against Russian-related entities for several months.
PDF_delivering_Snake_Keylogger_Malware
Medium
+
—
- Intel Source:
- HP Wolf Security
- Intel Name:
- PDF_delivering_Snake_Keylogger_Malware
- Date of Scan:
- 2022-05-24
- Impact:
- Medium
- Summary:
- HP Wolf Security Researchers have discovered a recent malware distribution campaign using PDF attachments to smuggle malicious Word documents that infect users with malware.
New_pymafka_malicious_package_drops_CobaltStrike_on_macOS_Windows_Linux
Low
+
—
- Intel Source:
- Sonatype
- Intel Name:
- New_pymafka_malicious_package_drops_CobaltStrike_on_macOS_Windows_Linux
- Date of Scan:
- 2022-05-24
- Impact:
- Low
- Summary:
- Sonatype's automated malware detection bots have discovered malicious Python package 'pymafka' in the PyPI registry. PyMafka drops Cobalt Strike on Windows, macOS . The package, 'pymafka' may sound identical to the popular PyKafka. The package appears to typosquat a legitimate popular library PyKafka, a programmer-friendly Apache Kafka client for Python.
Hackers_utilize_SwissTransfer_to_deploy_Phishing_Scam
Low
+
—
- Intel Source:
- Confense
- Intel Name:
- Hackers_utilize_SwissTransfer_to_deploy_Phishing_Scam
- Date of Scan:
- 2022-05-24
- Impact:
- Low
- Summary:
- Recently the Cofense Phishing Defence Center noticed a number of emails utilising the SwissTransfer service to achieve successful phishes against recipients. An attack vector is file sharing services such as WeTransfer, Microsoft OneDrive and Dropbox have been utilized to spread files containing anything from scams to malware leading to ransomware.
XorDdos_targeting_Linux_devices
Medium
+
—
- Intel Source:
- Microsoft
- Intel Name:
- XorDdos_targeting_Linux_devices
- Date of Scan:
- 2022-05-23
- Impact:
- Medium
- Summary:
- Microsoft researchers saw and 254% increase in activity of a stealthy and modular malware which is used to hack into Linux devices and build a DDoS botnet. The malware is called XorDDoS.
Emotet getting distributed through Link Files
Low
+
—
- Intel Source:
- ASEC
- Intel Name:
- Emotet getting distributed through Link Files
- Date of Scan:
- 2022-05-23
- Impact:
- Low
- Summary:
- ASEC researchers recently discovered Emotet getting distributed through various files including Link Files.
Vidar_Malware_distributed_through_fake_Windows11_downloads
Low
+
—
- Intel Source:
- Zscaler
- Intel Name:
- Vidar_Malware_distributed_through_fake_Windows11_downloads
- Date of Scan:
- 2022-05-23
- Impact:
- Low
- Summary:
- Researchers from Zscalers came across fraudulent domains masquerading as Microsoft's Windows 11 download portal which are attempting to trick users into deploying trojanized installation files to infect systems with the Vidar information stealer malware.
Supply_Chain_Attack_targets_GitLab_CI_Pipelines
Medium
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- Supply_Chain_Attack_targets_GitLab_CI_Pipelines
- Date of Scan:
- 2022-05-23
- Impact:
- Medium
- Summary:
- Researchers from SentinelLabs identified a software chain supply attack targeting Rust developers with malware aimed directly at infecting GitLab Continuous Integration (CI) pipelines. The campaign has been dubbed as CrateDepression.
Chinese_Threat_group_Space_Pirates_targets_Russian_Aerospace_Firms
Medium
+
—
- Intel Source:
- PtSecurity
- Intel Name:
- Chinese_Threat_group_Space_Pirates_targets_Russian_Aerospace_Firms
- Date of Scan:
- 2022-05-20
- Impact:
- Medium
- Summary:
- Analysts at Positive Technologies came across a previously unknown Chinese hacking group known as 'Space Pirates' targets enterprises in the Russian aerospace industry with phishing emails to install novel malware on their systems. They have dubbed the threat actor Space Pirates.
BumbleBee_Malware_getting_delivered_via_TransferXL_Urls
Low
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- BumbleBee_Malware_getting_delivered_via_TransferXL_Urls
- Date of Scan:
- 2022-05-20
- Impact:
- Low
- Summary:
- Researchers at ISC.SANS were able to relate Bumblebee malware with EXOTIC LILY threat actor, as they saw usage of active TransferXL URLs delivering ISO files for Bumblebee malware.
All_about_ITG23_Crypters
Medium
+
—
- Intel Source:
- Security Intelligence
- Intel Name:
- All_about_ITG23_Crypters
- Date of Scan:
- 2022-05-20
- Impact:
- Medium
- Summary:
- IBM X-Force researchers analyzed thirteen crypters that have all been used with malware built or operated by ITG23 internal teams or third-party distributors — including Trickbot, BazarLoader, Conti, and Colibri.
Threat_Actors_exploiting_VMware_vulnerability
Medium
+
—
- Intel Source:
- CISA
- Intel Name:
- Threat_Actors_exploiting_VMware_vulnerability
- Date of Scan:
- 2022-05-20
- Impact:
- Medium
- Summary:
- CISA released an advisory to warn organizations about threat actors exploiting unpatched VMware vulnerabilities. These vulnerabilities affect certain versions of VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
Latest_APT_C_24_SideWinder_Rattlesnake_attack_activity
Medium
+
—
- Intel Source:
- WeiXin
- Intel Name:
- Latest_APT_C_24_SideWinder_Rattlesnake_attack_activity
- Date of Scan:
- 2022-05-20
- Impact:
- Medium
- Summary:
- Researchers from 360 Threat Intelligence Center came across an attack activity launched by APT-C-24/Sidewinder in which the threat actor has come up with New TTP.
Lazarus_Group_Exploiting_Log4Shell_Vulnerability
Medium
+
—
- Intel Source:
- Asec
- Intel Name:
- Lazarus_Group_Exploiting_Log4Shell_Vulnerability
- Date of Scan:
- 2022-05-20
- Impact:
- Medium
- Summary:
- Researchers from ASEC discovered Lazarus group distributing NukeSped by exploiting Log4Shell vulnerability. The threat actor used the log4j vulnerability on VMware Horizon products that were not applied with the security patch.
Emotet_The_journey
Medium
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- Emotet_The_journey
- Date of Scan:
- 2022-05-19
- Impact:
- Medium
- Summary:
- Researchers from Palo Alto Networks documented the background on Emotet, its activity since november 2021 and ending with January 2022.
Threat Actors targets US Business Online Checkout Page
Medium
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- Threat Actors targets US Business Online Checkout Page
- Date of Scan:
- 2022-05-19
- Impact:
- Medium
- Summary:
- Researchers from Palo Alto Networks documented the background on Emotet, its activity since november 2021 and ending with January 2022.
VMware_Bugs_Abused_to_Deliver_Mirai
Medium
+
—
- Intel Source:
- Barracuda
- Intel Name:
- VMware_Bugs_Abused_to_Deliver_Mirai
- Date of Scan:
- 2022-05-19
- Impact:
- Medium
- Summary:
- Researchers from Barracuda discovered that attempts were made to exploit the recent vulnerabilities CVE-2022-22954 and CVE-2022-22960. Mirai was getting delivered by abusing the VMware Bug.
Operation RestyLink targeting Japenese Firms
Medium
+
—
- Intel Source:
- NTT Security
- Intel Name:
- Operation RestyLink targeting Japenese Firms
- Date of Scan:
- 2022-05-18
- Impact:
- Medium
- Summary:
- Researchers from NTT security observed APT campaign targeting Japanese companies starting from mid of April 2022. The initial attack vector in this campaign was spear phishing email.
Wizard_Spider_Group_In_Depth_Analysis
Medium
+
—
- Intel Source:
- Prodaft
- Intel Name:
- Wizard_Spider_Group_In_Depth_Analysis
- Date of Scan:
- 2022-05-18
- Impact:
- Medium
- Summary:
- Researchers from PRODAFT published the results of an investigation into Wizard Spider, believed to either be or be associated with the Grim Spider and Lunar Spider hacking groups.
Chaos_Ransomware_stands_with_Russia
Medium
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Chaos_Ransomware_stands_with_Russia
- Date of Scan:
- 2022-05-18
- Impact:
- Medium
- Summary:
- FortiGuard Labs came across a variant of the Chaos ransomware that appears to side with Russia. This variant of the ransomware have been leveraginhg Russia Ukraine conflict.
Uncovering_Kingminer_Botnet_Attack
Low
+
—
- Intel Source:
- Trend Micro
- Intel Name:
- Uncovering_Kingminer_Botnet_Attack
- Date of Scan:
- 2022-05-18
- Impact:
- Low
- Summary:
- Researchers from Trend Micro details about the TTPs of the Kinginer Botnet. In 2020 threat actors deployed Kingminer to target SQL servers for cryptocurrency mining.
RansomEXX_and_its_TTPs
Medium
+
—
- Intel Source:
- Trend Micro
- Intel Name:
- RansomEXX_and_its_TTPs
- Date of Scan:
- 2022-05-18
- Impact:
- Medium
- Summary:
- Researchers from TrendMicro sheds light on the Tactics and Techniques of ransomware variant called RansomEXX which have been active since 2020.
X_Cart_Skimmer_with_DOM_based_Obfuscation
Low
+
—
- Intel Source:
- Sucuri
- Intel Name:
- X_Cart_Skimmer_with_DOM_based_Obfuscation
- Date of Scan:
- 2022-05-18
- Impact:
- Low
- Summary:
- Security researcher from Sucuri worked on an infected X-Cart website and found two interesting credit card stealers there — one skimmer located server-side, the other client-side.
Malicious_HTML_Help_File_Delivering_Agent_Tesla
Low
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- Malicious_HTML_Help_File_Delivering_Agent_Tesla
- Date of Scan:
- 2022-05-17
- Impact:
- Low
- Summary:
- Unit 42 researchers observed an attack utilizing malicious compiled HTML help files for the initial delivery. The method was used to deliver Agent Tesla.
UpdateAgent_Returns_with_New_macOS_Malware_Dropper
Low
+
—
- Intel Source:
- Jamf
- Intel Name:
- UpdateAgent_Returns_with_New_macOS_Malware_Dropper
- Date of Scan:
- 2022-05-17
- Impact:
- Low
- Summary:
- Researchers from Jamf Threat Labs came across a new variant of the macOS malware tracked as UpdateAgent. The malware relies on the AWS infrastructure to host its various payloads and perform its infection status updates to the server.
Custom_PowerShell_RAT_targets_Germans
Low
+
—
- Intel Source:
- MalwareBytes
- Intel Name:
- Custom_PowerShell_RAT_targets_Germans
- Date of Scan:
- 2022-05-17
- Impact:
- Low
- Summary:
- Researchers from MalwareBytes came across a new campaign that plays on concerns by trying to lure Germans with a promise of updates on the current threat situation in Ukraine and later infecting the victims with RAT.
UN_social_program_themed_online_fraud
Medium
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- UN_social_program_themed_online_fraud
- Date of Scan:
- 2022-05-17
- Impact:
- Medium
- Summary:
- CERT-UA researchers recently responded to discovery of fraudulent page on facebook that mimics the resource of the TV channel "TSN".
Analysis_of_the_HUI_Loader
Low
+
—
- Intel Source:
- JPCERT
- Intel Name:
- Analysis_of_the_HUI_Loader
- Date of Scan:
- 2022-05-17
- Impact:
- Low
- Summary:
- JPCERT researchers shared their analysis of the HUI Loader which has been used by multiple attack groups since around 2015, also the malware have been used by APT10.
Onyx_Ransomware
Low
+
—
- Intel Source:
- Cyfirma
- Intel Name:
- Onyx_Ransomware
- Date of Scan:
- 2022-05-17
- Impact:
- Low
- Summary:
- Researchers from Cyfirma analyzed samples of a new ransomware called Onyx which was first seen in April 2022. This ransomware encrypts files and then modifies their filenames by appending the .ampkcz extension.
Telegram_used_to_spread_Eternity_Malware
Low
+
—
- Intel Source:
- Cyble
- Intel Name:
- Telegram_used_to_spread_Eternity_Malware
- Date of Scan:
- 2022-05-16
- Impact:
- Low
- Summary:
- Researchers from Cyble came across a new malware service, dubbed the Eternity Project by the threat actors behind it, allows cybercriminals to target potential victims with a customized threat offering based on individual modules.
From_0_Day_to_Mirai
High
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- From_0_Day_to_Mirai
- Date of Scan:
- 2022-05-16
- Impact:
- High
- Summary:
- Researchers at ISC.SANS found attacks exploiting the recent high severity vulnerability in F5 products and were able to attribute the attacks to Mirai.
APT29_Abusing_Legitimate_Software_For_Targeted_Operations_In_Europe
Medium
+
—
- Intel Source:
- Cluster25
- Intel Name:
- APT29_Abusing_Legitimate_Software_For_Targeted_Operations_In_Europe
- Date of Scan:
- 2022-05-16
- Impact:
- Medium
- Summary:
- Cluster25 researchers analyzed several spear-phishing campaigns linked to APT29 that involve the usage of a side-loaded DLL through signed software (like Adobe suite) and legitimate webservices (like Dropbox) as communication vector for Command and Control (C&C).
KurayStealer_Malware
Low
+
—
- Intel Source:
- Uptycs
- Intel Name:
- KurayStealer_Malware
- Date of Scan:
- 2022-05-16
- Impact:
- Low
- Summary:
- Researchers at Uptycs came across a new malware builder dubbed as KurayStealer that has password stealing and screenshot capabilities.The malware harvests the passwords and screenshots and sends them to the attackers’ Discord channel via webhooks.
Novel IceApple Post-Exploitation Framework
Low
+
—
- Intel Source:
- CrowdStrike
- Intel Name:
- Novel IceApple Post-Exploitation Framework
- Date of Scan:
- 2022-05-16
- Impact:
- Low
- Summary:
- Researchers from CrowdStrike found New ‘post-exploitation’ threat getting deployed on Microsoft Exchange servers. The threat has been dubbed as IceApple.
Quantum_Locker_Ransomware
Medium
+
—
- Intel Source:
- Cybereason
- Intel Name:
- Quantum_Locker_Ransomware
- Date of Scan:
- 2022-05-16
- Impact:
- Medium
- Summary:
- Researchers at Cybereason analyzed Quantum Locker ransomware and demonstrated its detection and prevention. The initial infection method used by the operators is infamous malware called IceID.
APT34_targets_Jordan_Government_using_new_Saitama_backdoor
Medium
+
—
- Intel Source:
- MalwareBytes
- Intel Name:
- APT34_targets_Jordan_Government_using_new_Saitama_backdoor
- Date of Scan:
- 2022-05-13
- Impact:
- Medium
- Summary:
- Researchers at Malwarebytes have discovered a malicious email targeting a government official at Jordan’s foreign ministry and researchers identified a suspicious message on April 26. It contained a malicious Excel document that delivered Saitama - a new hacking tool used to provide a backdoor into systems. Malwarebytes attributed the email to a threat group commonly known as APT34.
RedLine_Stealer_Campaign_spread_via_Github_hosted_payload
Medium
+
—
- Intel Source:
- NetSkope
- Intel Name:
- RedLine_Stealer_Campaign_spread_via_Github_hosted_payload
- Date of Scan:
- 2022-05-13
- Impact:
- Medium
- Summary:
- Researchers at NetSpoke Threat Labs has discovered a new RedLine Stealer campaign spread on YouTube, using a fake bot to buy Mystery Box NFT from Binance. The video description leads the victim to download the fake bot which is hosted on GitHub.
Iranian_threat_actor_COBALT_MIRAGE_conducting_Ransomware_operations_in_US
Medium
+
—
- Intel Source:
- SecureWorks
- Intel Name:
- Iranian_threat_actor_COBALT_MIRAGE_conducting_Ransomware_operations_in_US
- Date of Scan:
- 2022-05-13
- Impact:
- Medium
- Summary:
- SecureWorks Counter Threat Unit has analysed REvil ransomware samples and this has resumed operations of GOLD SOUTHFIELD. The identification of multiple samples containing different modifications and the lack of an official new version indicate that REvil is under active development.
Phishing_campaign_delivering_AveMariaRAT_BitRAT_PandoraHVNC
Low
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Phishing_campaign_delivering_AveMariaRAT_BitRAT_PandoraHVNC
- Date of Scan:
- 2022-05-13
- Impact:
- Low
- Summary:
- Researchers at Fortinet's FortiGaurd Labs has analysed a phishing campaign that was delivering three fileless malware onto a victim’s device. Once executed, Malware are able to steal sensitive information from that device. It is majorly affecting Microsoft Windows platform users.
UAC_0010_Armageddon_leveraging_GammaLoad_PS1_v2_malware
Medium
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC_0010_Armageddon_leveraging_GammaLoad_PS1_v2_malware
- Date of Scan:
- 2022-05-13
- Impact:
- Medium
- Summary:
- CERT-UA has analysed a phishing campaign with a subject as "On revenge in Kherson!" and containing an attachment in the form of a file "Plan Kherson.htm". The campaign is using a malicious program GammaLoad.PS1_v2 and attributed to a group called UAC-0010 (Armageddon).
Bitter APT expands its target list
Medium
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Bitter APT expands its target list
- Date of Scan:
- 2022-05-12
- Impact:
- Medium
- Summary:
- An espionage-focused threat actor(Bitter APT) known for targeting China, Pakistan, and Saudi Arabia has included Bangladeshi government organizations as part of an ongoing campaign.
Nerbian_RAT_targeting_firms_in_Italy_Spain_and_UK
Low
+
—
- Intel Source:
- Proofpoint
- Intel Name:
- Nerbian_RAT_targeting_firms_in_Italy_Spain_and_UK
- Date of Scan:
- 2022-05-12
- Impact:
- Low
- Summary:
- Proofpoint researchers found previously undocumented remote access trojan (RAT) called Nerbian RAT written in the Go programming language has been spotted disproportionately targeting entities in Italy, Spain, and the U.K.
Malicious_NPM_Packages_targets_German_Companies
Low
+
—
- Intel Source:
- JFrog
- Intel Name:
- Malicious_NPM_Packages_targets_German_Companies
- Date of Scan:
- 2022-05-12
- Impact:
- Low
- Summary:
- Researchers from Jfrog have discovered a number of malicious packages in the NPM registry specifically targeting a number of prominent companies based in Germany to carry out supply chain attacks.
TA578_distributing_Bumblebee_malware
Medium
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- TA578_distributing_Bumblebee_malware
- Date of Scan:
- 2022-05-12
- Impact:
- Medium
- Summary:
- Researchers at ISC.SANS has analysed a campaign where threat actor TA578 leveraging thread-hijacked emails to push ISO files for Bumblebee malware. These threat-hijacked emails either have links to storage.googleapis.com URLs similar to those used in the Contact Forms campaign.
Critical_F5_BIG_IP_Vulnerability_New_IoCs
High
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- Critical_F5_BIG_IP_Vulnerability_New_IoCs
- Date of Scan:
- 2022-05-12
- Impact:
- High
- Summary:
- Researchers from PaloAlto have also released few indicators of compromise and their view on Critical F5 BIG-IP Vulnerability.
New_Wave_of_Ursnif_Malware
High
+
—
- Intel Source:
- Qualys
- Intel Name:
- New_Wave_of_Ursnif_Malware
- Date of Scan:
- 2022-05-11
- Impact:
- High
- Summary:
- Researchers at Qualys has discovered and analysed few phishing emails with a macro embedded XLS attachment or a zip attachment containing an HTA file initiated the infection chain. This targeted attack researchers attributed to Ursnif malware which is one of the most widespread banking trojans.
Different_elements_of_Cobalt_Strike
Medium
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- Different_elements_of_Cobalt_Strike
- Date of Scan:
- 2022-05-11
- Impact:
- Medium
- Summary:
- Palo Alto Unit42 researchers has analysed Cobalt Strike tool and gone through the encoding algorithm, describe definitions and differences of encoding types used in the Cobalt Strike framework, and cover some malicious attacks seen in the wild.
REvil_returns_reemergening_GOLD_SOUTHFIELD
High
+
—
- Intel Source:
- SecureWorks
- Intel Name:
- REvil_returns_reemergening_GOLD_SOUTHFIELD
- Date of Scan:
- 2022-05-11
- Impact:
- High
- Summary:
- SecureWorks Counter Threat Unit has analysed REvil ransomware samples and this has resumed operations of GOLD SOUTHFIELD. The identification of multiple samples containing different modifications and the lack of an official new version indicate that REvil is under active development.
German_Automakers_targeted_by_InfoStealer_campaign
Low
+
—
- Intel Source:
- checkpoint
- Intel Name:
- German_Automakers_targeted_by_InfoStealer_campaign
- Date of Scan:
- 2022-05-11
- Impact:
- Low
- Summary:
- Checkpoint researchers discovered A years-long phishing campaign has targeted German companies in the automotive industry, attempting to infect their systems with password-stealing malware.
Examining_BlackBasta_ransomware
Medium
+
—
- Intel Source:
- Trend Micro
- Intel Name:
- Examining_BlackBasta_ransomware
- Date of Scan:
- 2022-05-11
- Impact:
- Medium
- Summary:
- TrendMicro researchers have examined the whole infection routine of Black Basta ransomware and its infection tactics.
Recent Emotet Maldoc Outbreak
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Recent Emotet Maldoc Outbreak
- Date of Scan:
- 2022-04-19
- Impact:
- MEDIUM
- Summary:
- Researchers at Fortinet has identified a recent Emotet outbreak is being spread through a variety of malicious Microsoft Office files or maldocs attached to phishing emails. Once a victim opens the attached document a VBA Macro or Excel 4.0 Macro is used to execute malicious code that downloads and runs the Emotet malware.
SunnyDay Ransomware
LOW
+
—
- Intel Source:
- Seguranca-Informatica
- Intel Name:
- SunnyDay Ransomware
- Date of Scan:
- 2022-04-19
- Impact:
- LOW
- Summary:
- Segurança-Informatica published an analysis of a recent sample of SunnyDay ransomware. As a result of the work some similarities between other ransomware samples such as Ever101 Medusa Locker Curator and Payment45 were found. According to the analysis “SunnyDay is a simple piece of ransomware based on the SALSA20 stream cipher”. SALSA20 is easy to recognize as it uses well-known values for its internal cryptographic operations.
Lazarus Group Targets Chemical Sector
MEDIUM
+
—
- Intel Source:
- Symantec
- Intel Name:
- Lazarus Group Targets Chemical Sector
- Date of Scan:
- 2022-04-19
- Impact:
- MEDIUM
- Summary:
- Researchers from Symantec have observed Lazarus group conducting an espionage campaign targeting organizations operating within the chemical sector. This campaign has been dubbed Operation Drem Job.
Coordinated disruption of Zloader operation
LOW
+
—
- Intel Source:
- Microsoft/ESET
- Intel Name:
- Coordinated disruption of Zloader operation
- Date of Scan:
- 2022-04-19
- Impact:
- LOW
- Summary:
- DCU unit from Microsoft have taken technical action against Zloader and have disrupted their operations.ZLoader is run by a global internet-based organized crime gang operating malware as a service that is designed to steal and extort money.
CVE_2022_24527_Seeder_Queries_14042022
MEDIUM
+
—
- Intel Source:
- STR
- Intel Name:
- CVE_2022_24527_Seeder_Queries_14042022
- Date of Scan:
- 2022-04-18
- Impact:
- MEDIUM
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
XSS Vulnerability in Zimbra leveraged to target Ukraine Government
MEDIUM
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- XSS Vulnerability in Zimbra leveraged to target Ukraine Government
- Date of Scan:
- 2022-04-18
- Impact:
- MEDIUM
- Summary:
- CERT-UA has detected threat actors are targeting Ukrainian government agencies with new attacks exploiting Zimbra XSS Vulnerability (CVE-2018-6882). CERT-UA has attributed this campaign to UAC-0097 a currently unknown actor.
CVE_2022_22954_Seeder_Queries_14042022
MEDIUM
+
—
- Intel Source:
- STR
- Intel Name:
- CVE_2022_22954_Seeder_Queries_14042022
- Date of Scan:
- 2022-04-18
- Impact:
- MEDIUM
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
Indepth analysis of PYSA Ransomware Group
MEDIUM
+
—
- Intel Source:
- Prodaft
- Intel Name:
- Indepth analysis of PYSA Ransomware Group
- Date of Scan:
- 2022-04-18
- Impact:
- MEDIUM
- Summary:
- Researchers at PRODAFT has identified and gained visibility into PYSA's ransomware infrastructure and analyzed its findings to gain insight into how the criminal operation works.
New File extensions added to BlackCat ransomware's arsenal
MEDIUM
+
—
- Intel Source:
- SecureList
- Intel Name:
- New File extensions added to BlackCat ransomware's arsenal
- Date of Scan:
- 2022-04-18
- Impact:
- MEDIUM
- Summary:
- Researchers at SecureList has analysed BlackCat Ransomware Group's activities since its inception. They are also comparing BlackCat TTPs with BlackMatter Group like a custom exflitration tool called 'Fendr' previously been used exclusively in BlackMatter ransomware activity.
Emotet Modules and Recent Attacks
MEDIUM
+
—
- Intel Source:
- SecureList
- Intel Name:
- Emotet Modules and Recent Attacks
- Date of Scan:
- 2022-04-18
- Impact:
- MEDIUM
- Summary:
- Researchers from Kaspersky were able to etrieve 10 of the 16 modules used by Emotet for Credential/Password/Account/E-mail stealing and spamming. Also the statistics on recent Emotet attacks were also shared.
BumbleBee Malware campaign
LOW
+
—
- Intel Source:
- Cynet
- Intel Name:
- BumbleBee Malware campaign
- Date of Scan:
- 2022-04-18
- Impact:
- LOW
- Summary:
- Researchers from Cynet Security found a new campaign which instead of using malicious office documents is using malicious ISO image files luring victims to execute the BumbleBee malware.
New Fodcha DDoS botnet
MEDIUM
+
—
- Intel Source:
- netlab360
- Intel Name:
- New Fodcha DDoS botnet
- Date of Scan:
- 2022-04-18
- Impact:
- MEDIUM
- Summary:
- Researchers at Qihoo 360's Network Security Research Lab has discovered a new DDoS botnet called 'Fodcha'. The Botnet has spread to over 62 000 devices between March 29 and April 10. The number of unique IP addresses linked to the botnet that researchers are tracking is10 000-strong Fodcha army of bots using Chinese IP addresses every day.
Malware Campaigns Targeting African Banking Sector
MEDIUM
+
—
- Intel Source:
- HP Wolf Security
- Intel Name:
- Malware Campaigns Targeting African Banking Sector
- Date of Scan:
- 2022-04-14
- Impact:
- MEDIUM
- Summary:
- Researchers from HP Wolf Security have been tracking the campaign since early 2022 an employee of an unnamed West African bank received an email purporting to be from a recruiter at another African bank with information about job opportunities. A cybercrime campaign targeting the African banking sector is leveraging phishing emails and HTML smuggling techniques to deploy malware.
Enemybot leveraged by Keksec group
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Enemybot leveraged by Keksec group
- Date of Scan:
- 2022-04-14
- Impact:
- MEDIUM
- Summary:
- Researchers at FortiGuard Labs have identified a new DDoS botnet called “Enemybot” and attributed it to a threat group called 'Keksec' that specializes in cryptomining and DDoS attacks. This botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code.
OldGremlin Gang resumes attack with new methods
MEDIUM
+
—
- Intel Source:
- Group-IB
- Intel Name:
- OldGremlin Gang resumes attack with new methods
- Date of Scan:
- 2022-04-14
- Impact:
- MEDIUM
- Summary:
- Group-IB has uncovered new attacks tools and methods used by OldGremlin Ransomware Group. In spring 2020 Group was first identified by Group-IB researchers over the past two years OldGremlin has conducted 13 malicious email campaigns. Researchers also discovered two variants of TinyFluff malware an earlier one that is more complex and a newer simplified version that copies the script and the Node.js interpreter from its storage location.
Virus/XLS Xanpei Infecting Excel Files
MEDIUM
+
—
- Intel Source:
- ASEC
- Intel Name:
- Virus/XLS Xanpei Infecting Excel Files
- Date of Scan:
- 2022-04-14
- Impact:
- MEDIUM
- Summary:
- ASEC Research team have identified a constant distribution of malware strains that spread the infection when Excel file is opened. Upon opening the infected Excel file the file containing virus VBA code is dropped to Excel startup path. And when any Excel file is opened the malicious file dropped in Excel startup path is automatically executed to infect with virus and perform additional malicious behaviors.
ZingoStealer by Haskers Group
MEDIUM
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- ZingoStealer by Haskers Group
- Date of Scan:
- 2022-04-14
- Impact:
- MEDIUM
- Summary:
- Researchers at Cisco Talos has identified a new information stealer called 'ZingoStealer' that has been released for free by a threat actor known as 'Haskers Gang.' This information stealer first introduced to the wild in March 2022 is currently undergoing active development and multiple releases of new versions have been observed recently.
Critical Remote Code Execution Vulnerability in Windows RPC Runtime
HIGH
+
—
- Intel Source:
- Microsoft
- Intel Name:
- Critical Remote Code Execution Vulnerability in Windows RPC Runtime
- Date of Scan:
- 2022-04-14
- Impact:
- HIGH
- Summary:
- Microsoft’s April 2022 Patch Tuesday introduced patches to more than a hundred new vulnerabilities in various components. Three critical vulnerabilities were found and patched in Windows RPC (Remote Procedure Call) runtime: CVE-2022-24492 CVE-2022-24528 and CVE-2022-26809. By exploiting these vulnerabilities a remote unauthenticated attacker can execute code on the vulnerable machine with the privileges of the RPC service which depends on the process hosting the RPC runtime.
IcedID malware targeting Ukraine state bodies
MEDIUM
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- IcedID malware targeting Ukraine state bodies
- Date of Scan:
- 2022-04-14
- Impact:
- MEDIUM
- Summary:
- CERT-UA has issued a new heads-up that warns of an ongoing cyber-attack leveraging the infamous IcedID malware designed to compromise Ukrainian state bodies. The detected malware also dubbed as BankBot or BokBot is a banking Trojan primarily designed to target financial data and steal banking credentials.
EvilNominatus Ransomware
LOW
+
—
- Intel Source:
- ClearSky
- Intel Name:
- EvilNominatus Ransomware
- Date of Scan:
- 2022-04-12
- Impact:
- LOW
- Summary:
- Researchers at ClearSky has detected a malicious BAT file that was uploaded to VirusTotal from Iran. This file executes a ransomware that was associated with the EvilNominatus ransomware initially exposed at the end of 2021. Researchers believe that the ransomware’s developer is a young Iranian who bragged about its development on Twitter.
Tarrask - HAFNIUM APT defense evasion malware
MEDIUM
+
—
- Intel Source:
- Microsoft
- Intel Name:
- Tarrask - HAFNIUM APT defense evasion malware
- Date of Scan:
- 2022-04-12
- Impact:
- MEDIUM
- Summary:
- Microsoft Threat Intelligence Center has tracked the Chinese-backed Hafnium hacking group and identified that the group has been linked to a piece of a new malware that's used to maintain persistence on compromised Windows environments. MSTIC has dubbed the defense evasion malware 'Tarrask ' characterized it as a tool that creates 'hidden' scheduled tasks on the system.
NetSupport RAT_Seeder_Queries_08/04/2022
MEDIUM
+
—
- Intel Source:
- STR
- Intel Name:
- NetSupport RAT_Seeder_Queries_08/04/2022
- Date of Scan:
- 2022-04-12
- Impact:
- MEDIUM
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
SystemBC Malware
MEDIUM
+
—
- Intel Source:
- ASEC
- Intel Name:
- SystemBC Malware
- Date of Scan:
- 2022-04-12
- Impact:
- MEDIUM
- Summary:
- ASEC Research team have identified a proxy malware called SystemBC that has been used by various attackers for the last few years. While it is recently distributed through SmokeLoader or Emotet this malware has steadily been used in various ransomware attacks in the past.
MoqHao Malware targeting European countries
LOW
+
—
- Intel Source:
- TeamCymru
- Intel Name:
- MoqHao Malware targeting European countries
- Date of Scan:
- 2022-04-12
- Impact:
- LOW
- Summary:
- Researchers at TeamCymru has examined the current target base of Roaming Mantis group where the group is levearging MoqHao malware to target European countries. MoqHao is generally used to target Android users often via an initial attack vector of smishing.
Bahamut group recent attacks
MEDIUM
+
—
- Intel Source:
- 360 Beacon Lab
- Intel Name:
- Bahamut group recent attacks
- Date of Scan:
- 2022-04-12
- Impact:
- MEDIUM
- Summary:
- Researcher at 360 Beacon Lab has identifed a suspected mobile terminal attack activity of Bahamut group. Bahamut is an advanced threat group targeting the Middle East and South Asia. Group mainly uses phishing websites fake news websites and social networking sites to attack.
New version of SolarMarker Malware
MEDIUM
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- New version of SolarMarker Malware
- Date of Scan:
- 2022-04-12
- Impact:
- MEDIUM
- Summary:
- A new version of SolarMarker a malware family known for its infostealing and backdoor capabilities has been identified by Palo Alto Networks and is believed to be active as of April 2022. This malware has been prevalent since September 2020 targeting U.S. organizations and part of the infrastructure is still active as of 2022 in addition to a new infrastructure that attackers have recently deployed.
Fake COVID-19 forms targeting companies
MEDIUM
+
—
- Intel Source:
- Cofense
- Intel Name:
- Fake COVID-19 forms targeting companies
- Date of Scan:
- 2022-04-12
- Impact:
- MEDIUM
- Summary:
- Cofense Phishing Defense Center has analysed a phishing campaign where threat actors impersonate companies to send out fake COVID-19 forms. CPDC team saw a phishing email masquerading as a general office wide email claiming someone in the building has been infected with COVID-19 and asking to review the company policy.
Sandworm Group (UAC-0082) targetiing Ukraine energy facilities using INDUSTROYER2 and CADDYWIPER
MEDIUM
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- Sandworm Group (UAC-0082) targetiing Ukraine energy facilities using INDUSTROYER2 and CADDYWIPER
- Date of Scan:
- 2022-04-12
- Impact:
- MEDIUM
- Summary:
- CERT-UA has taken urgent measures to respond to an information security incident related to a targeted attack on Ukraine's energy facility.
DPRK-Nexus threat actor spear-phishing campaign
LOW
+
—
- Intel Source:
- Cluster25
- Intel Name:
- DPRK-Nexus threat actor spear-phishing campaign
- Date of Scan:
- 2022-04-11
- Impact:
- LOW
- Summary:
- Researchers at Cluster25 has identified a recent activity that started in early days of April 2022 from a DPRK-nexus threat actor using spear-phishing emails containing korean-based malicious documents with different lures to compromise its victims.
Mirai Botnet exploiting Spring4Shell Vulnerability
MEDIUM
+
—
- Intel Source:
- Trend Micro
- Intel Name:
- Mirai Botnet exploiting Spring4Shell Vulnerability
- Date of Scan:
- 2022-04-11
- Impact:
- MEDIUM
- Summary:
- Trend Micro Research team has confirmed on some earlier reports that the new Spring4Shell vulnerability has been exploited by the Mirai Botnet. The Mirai sample is downloaded to the ‘/tmp’ folder and executed after permission change to make them executable using ‘chmod’.
Multiple cyber espionage operations disrupted
MEDIUM
+
—
- Intel Source:
- Intel Name:
- Multiple cyber espionage operations disrupted
- Date of Scan:
- 2022-04-11
- Impact:
- MEDIUM
- Summary:
- Meta has shared their Adversarial Threat report in which they provide a broader view into the cyber threats Facebook observes in Iran Azerbaijan Ukraine Russia South America and the Philippines.
FFDroider Stealer Targeting Social Media Platforms
LOW
+
—
- Intel Source:
- Zscaler
- Intel Name:
- FFDroider Stealer Targeting Social Media Platforms
- Date of Scan:
- 2022-04-11
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have discovered many new types of stealer malwares across different attack campaigns including a novel windows based malware creating a registry key dubbed FFDroider which is designed to send stolen credentials and cookies to C&C server.
Denonia Malware specifically targeting AWS Lambda
MEDIUM
+
—
- Intel Source:
- Cado security
- Intel Name:
- Denonia Malware specifically targeting AWS Lambda
- Date of Scan:
- 2022-04-11
- Impact:
- MEDIUM
- Summary:
- Researchers from Cado Security published their findings on a new malware called 'Denonia' variant that targets AWS Lambda. After further investigation the researchers found the sample was a 64-bit ELF executable. The malware also relies on third-party GitHub libraries including those for writing Lambda functions and retrieving data from Lambda invoke requests.
Operation Bearded Barbie
MEDIUM
+
—
- Intel Source:
- Cybereason
- Intel Name:
- Operation Bearded Barbie
- Date of Scan:
- 2022-04-08
- Impact:
- MEDIUM
- Summary:
- Researchers from Cyberreason discovered a new APT-C-23 campaign targeting a group of high-profile Israeli targets working for sensitive defense law enforcement and emergency services organizations. The investigation revealed that APT-C-23 has effectively upgraded its malware arsenal with new tools dubbed Barb(ie) Downloader and BarbWire Backdoor.
Parrot TDS takes over compromised websites
MEDIUM
+
—
- Intel Source:
- Avast
- Intel Name:
- Parrot TDS takes over compromised websites
- Date of Scan:
- 2022-04-08
- Impact:
- MEDIUM
- Summary:
- Avast researchers has published a report stating that a new traffic direction system (TDS) called Parrot has been spotted leveraging tens of thousands of compromised websites to launch further malicious campaigns. The TDS has infected various web servers hosting more than 16 500 websites ranging from adult content sites personal websites university sites and local government sites.
Remcos RAT phishing campaign
LOW
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Remcos RAT phishing campaign
- Date of Scan:
- 2022-04-08
- Impact:
- LOW
- Summary:
- Researchers from FortiGuard Labs share their analysis of the Remcos RAT being used by malicious actors to control victims’ devices delivered by a phishing campaign.
Chinese APT targets Indian Powegrid
MEDIUM
+
—
- Intel Source:
- Recorded Future
- Intel Name:
- Chinese APT targets Indian Powegrid
- Date of Scan:
- 2022-04-08
- Impact:
- MEDIUM
- Summary:
- Researchers from Recorded Future finds continued targeting of the Indian power grid by Chinese state-sponsored activity group - likely intended to enable information gathering surrounding critical infrastructure systems.
UAC-0010 group/Armageddon targeting Ukraine government
MEDIUM
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC-0010 group/Armageddon targeting Ukraine government
- Date of Scan:
- 2022-04-08
- Impact:
- MEDIUM
- Summary:
- Ukraine’s Computer Emergency Response Team (CERT-UA) revealed on Monday a string of phishing emails that they’ve linked to a Russian state-sponsored actor called Armageddon. The attacks baited Ukrainian and Latvian government officials with information concerning the war between Ukraine and Russia.
UAC-0010 group/Armageddon targeting European Union institutions
MEDIUM
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC-0010 group/Armageddon targeting European Union institutions
- Date of Scan:
- 2022-04-08
- Impact:
- MEDIUM
- Summary:
- Ukraine’s Computer Emergency Response Team (CERT-UA) revealed on Monday a string of phishing emails that they’ve linked to a Russian state-sponsored actor called Armageddon. The attacks baited Ukrainian and Latvian government officials with information concerning the war between Ukraine and Russia.
Scammers are Exploiting Ukraine Donations
LOW
+
—
- Intel Source:
- McAfee
- Intel Name:
- Scammers are Exploiting Ukraine Donations
- Date of Scan:
- 2022-04-07
- Impact:
- LOW
- Summary:
- McAfee Researchers has identified some malicious sites and emails used by attackers to lure netizens on cryptocurrency donation scam.
Evolution of FIN7 group
MEDIUM
+
—
- Intel Source:
- Mandiant
- Intel Name:
- Evolution of FIN7 group
- Date of Scan:
- 2022-04-07
- Impact:
- MEDIUM
- Summary:
- Mandiant published their research on the evolution of FIN7 from both historical and recent intrusions and describes the process of merging eight previously suspected UNC groups into FIN7. The researchers also highlighted notable shifts in FIN7 activity over time including their use of novel malware incorporation of new initial access vectors and shifts in monetization strategies.
Cicada/APT10 new espionage campaign
MEDIUM
+
—
- Intel Source:
- Symantec
- Intel Name:
- Cicada/APT10 new espionage campaign
- Date of Scan:
- 2022-04-07
- Impact:
- MEDIUM
- Summary:
- Researchers at Symantec has discovered an espionage campaign by Chinese APT group called APT10/Cicada. Victims identified in this campaign include government legal religious and non-governmental organizations (NGOs) in multiple countries around the world including in Europe Asia and North America.
New AsyncRAT campaign features 3LOSH crypter
MEDIUM
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- New AsyncRAT campaign features 3LOSH crypter
- Date of Scan:
- 2022-04-07
- Impact:
- MEDIUM
- Summary:
- Cisco Talos Intelligence Group discovered ongoing malware distribution campaigns are using ISO disk images to deliver AsyncRAT and other commodity malware to victims. They found that these campaigns appear to be linked to a new version of the 3LOSH crypter.
CaddyWiper Malware- New Analysis
MEDIUM
+
—
- Intel Source:
- Morphisec
- Intel Name:
- CaddyWiper Malware- New Analysis
- Date of Scan:
- 2022-04-07
- Impact:
- MEDIUM
- Summary:
- Researchers from Morphisec shares a new analysis on Caddywiper malware which has surfaced as the fourth destructive wiper attacking Ukrainian infrastructure. Caddywiper destroys user data partitions information from attached drives and has been spotted on several dozen systems in a limited number of organizations.
Windows MetaStealer Malware
MEDIUM
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Windows MetaStealer Malware
- Date of Scan:
- 2022-04-07
- Impact:
- MEDIUM
- Summary:
- Researchers at SANS has analysed 16 sampled of Excel files submitted to VirusTotal on 30-03-2022 these Excel files are distributed as Email attachments. Post-infection traffic triggers signatures for Win32/MetaStealer Related Activity.
Colibri Loader campaign delivering the Vidar Stealer
LOW
+
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Colibri Loader campaign delivering the Vidar Stealer
- Date of Scan:
- 2022-04-07
- Impact:
- LOW
- Summary:
- Researchers from MalwareBytes recently uncovered a new Colibri Loader campaign delivering the Vidar Stealer as final payload that uses a clever persistence technique that combines Task Scheduler and PowerShell.
BLISTER & SocGholish loaders delivering LockBit Ransomware
MEDIUM
+
—
- Intel Source:
- Trend Micro
- Intel Name:
- BLISTER & SocGholish loaders delivering LockBit Ransomware
- Date of Scan:
- 2022-04-07
- Impact:
- MEDIUM
- Summary:
- Researchers from TrendMicro made a recent discovery in which BLISTER and SocGholish which are loaders and are known for evasion tactics were involved in a campaign which were used to deliver LockBit ransomware.
Malicious Word Documents Using MS Media Player
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Malicious Word Documents Using MS Media Player
- Date of Scan:
- 2022-04-07
- Impact:
- LOW
- Summary:
- ASEC Researchers has analysed a malicious word file that is also being distributed with text that impersonates AhnLab. The Word files downloaded another Word file containing malicious VBA macro via the external URL and run it. The downloaded word file used the Windows Media Player() function instead of AutoOpen() to automatically run the VBA macro.
New UAC-0056 Group activity
MEDIUM
+
—
- Intel Source:
- Malwarebytes
- Intel Name:
- New UAC-0056 Group activity
- Date of Scan:
- 2022-04-06
- Impact:
- MEDIUM
- Summary:
- Researchers from Intezer Labs shared that UAC-0056 (TA471 SaintBear UNC2589) have been launching targeted spear phishing campaigns using spoofed Ukrainian governmental email addresses to deliver the Elephant malware framework written in Go.
Stolen Image Evidence Campaign
MEDIUM
+
—
- Intel Source:
- DFIR Report
- Intel Name:
- Stolen Image Evidence Campaign
- Date of Scan:
- 2022-04-06
- Impact:
- MEDIUM
- Summary:
- Researchers at DFIR Report has identified a single Conti ransomware deployment from December that appears to be part of a larger campaign. The attack utilized IcedID a well known banking trojan was delivered via the 'Stolen Images Evidence' email campaign.
Mirai campaign updated its arsenal of exploits
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Mirai campaign updated its arsenal of exploits
- Date of Scan:
- 2022-04-06
- Impact:
- MEDIUM
- Summary:
- Researchers at Fortinet Labs has identified that the Beastmode Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Five new exploits were added within a month with three targeting various models of TOTOLINK routers.
Lazarus Group New Campaign
LOW
+
—
- Intel Source:
- SecureList
- Intel Name:
- Lazarus Group New Campaign
- Date of Scan:
- 2022-04-06
- Impact:
- LOW
- Summary:
- Researchers at SecureList has discovered a Trojanized DeFi application was used to deliver backdoor by Lazarus Group. The DeFi application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet but also implants a malicious file when executed.
New Rat campaign leverages Tax Season
LOW
+
—
- Intel Source:
- Cofense
- Intel Name:
- New Rat campaign leverages Tax Season
- Date of Scan:
- 2022-04-06
- Impact:
- LOW
- Summary:
- Cofense Phishing Defense Center team has discovered a tatic that spoofs the U.S. Internal Revenue Service (IRS) to download malware onto user systems. This campaign leverages Netsupport Manager a troubleshooting and screen control program as a malicious remote access trojan (RAT) the threat actor employs to remotely enter user systems.
VajraEleph (APT-Q-43) group New campaign
LOW
+
—
- Intel Source:
- Qianxin
- Intel Name:
- VajraEleph (APT-Q-43) group New campaign
- Date of Scan:
- 2022-04-05
- Impact:
- LOW
- Summary:
- The mobile security team of Qianxin Technology HK Co. Limited Virus Response Center identified the VajraEleph (APT-Q-43) group has been carrying out targeted military espionage intelligence activities against the Pakistani military.
Remcos Rat Phishing Campaign
MEDIUM
+
—
- Intel Source:
- Morphisec
- Intel Name:
- Remcos Rat Phishing Campaign
- Date of Scan:
- 2022-04-05
- Impact:
- MEDIUM
- Summary:
- Morphisec Labs has detected a new wave of Remcos RAT infections being spread through phishing emails masquerading as payment remittances sent from financial institutions.
New PlugX variant used by Chinese APT group
MEDIUM
+
—
- Intel Source:
- Trellix
- Intel Name:
- New PlugX variant used by Chinese APT group
- Date of Scan:
- 2022-04-04
- Impact:
- MEDIUM
- Summary:
- Researchers at Trellix has discovered a new variant of PlugX malware named 'Talisman'. The new variant follows usual execution process by abusing a signed and benign binary which loads a modified DLL to execute shellcode. The shellcode is used to decrypt the PlugX malware which then serves as a backdoor with plug-in capabilities.
State sponsored groups leveraging RU-UA conflict
MEDIUM
+
—
- Intel Source:
- Checkpoint
- Intel Name:
- State sponsored groups leveraging RU-UA conflict
- Date of Scan:
- 2022-04-04
- Impact:
- MEDIUM
- Summary:
- Researchers from CheckPoint provides an overview of several campaigns by different APT groups using the ongoing Russia-Ukraine war to increase the efficiency of their campaigns. They also discuss the victimology of these campaigns; the tactics used and provides technical analysis of the observed malicious payloads and malware specially crafted for this cyber-espionage.
BlackGuard - new infostealer malware
MEDIUM
+
—
- Intel Source:
- Zscaler
- Intel Name:
- BlackGuard - new infostealer malware
- Date of Scan:
- 2022-04-04
- Impact:
- MEDIUM
- Summary:
- The Zscaler ThreatLabz team came across BlackGuard a sophisticated stealer currently being advertised as malware-as-a-service with a monthly price of $200. Researcher share their analysis of the techniques the Blackguard stealer uses to steal information and evade detection using obfuscation as well as techniques used for anti-debugging.
Acid Rain wiper malware targets Viasat KA-SAT modems
MEDIUM
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- Acid Rain wiper malware targets Viasat KA-SAT modems
- Date of Scan:
- 2022-04-04
- Impact:
- MEDIUM
- Summary:
- Sentinel Labs researchers a new modern wiper AcidRain which have beeb targeting Europe and on Viasat KA-SAT modems. This wiper is an ELF MIPS malware designed to wipe modems and routers.
Mars InfoStealer new operation
MEDIUM
+
—
- Intel Source:
- Morphisec
- Intel Name:
- Mars InfoStealer new operation
- Date of Scan:
- 2022-04-04
- Impact:
- MEDIUM
- Summary:
- Morphisec Labs team has analysed a campaign where the actor distributed Mars Stealer via cloned websites offering well-known software. Morphisec team has attributed this actor to a Russian national by looking at the screenshots and keyboard details from the extracted system.txt.
North Korea related files distributed via malicious VB Scripts
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- North Korea related files distributed via malicious VB Scripts
- Date of Scan:
- 2022-04-04
- Impact:
- LOW
- Summary:
- ASEC Researchers has analysed a phishing emails related to North Korea and a compressed file is attached. Referring to writing a resume induce execution of the attached file. A malicious VBS script file exists inside the compressed file.
Hive Ransomware leveraging IPfuscation Technique
MEDIUM
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- Hive Ransomware leveraging IPfuscation Technique
- Date of Scan:
- 2022-04-04
- Impact:
- MEDIUM
- Summary:
- Researchers at SentinelOne have discovered a new obfuscation technique used by the Hive ransomware gang which involves IPv4 addresses and a series of conversions that eventually lead to downloading a Cobalt Strike beacon.
Deep Panda APT group exploiting Log4shell
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Deep Panda APT group exploiting Log4shell
- Date of Scan:
- 2022-04-01
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs detected an opportunistic campaign by the Chinese nation-state “Deep Panda” APT group exploiting the Log4Shell vulnerability in VMware Horizon servers belonging to the financial academic cosmetics and travel industries.
Spring4Shell Vulnerability
HIGH
+
—
- Intel Source:
- Securonix
- Intel Name:
- Spring4Shell Vulnerability
- Date of Scan:
- 2022-04-01
- Impact:
- HIGH
- Summary:
- Securonix Threat Research team has identified a currently unpatched zero-day vulnerability in Spring Core a widely used Java-based platform with cross platform support. Early details claim that the bug would allow full remote code execution (RCE) to affected systems.
Spoofed Invoice delivering IcedID Trojan
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Spoofed Invoice delivering IcedID Trojan
- Date of Scan:
- 2022-04-01
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs encountered spearphishing campaign targeting a fuel company in Kyiv Ukraine. The email contains an attached zip file which also contains a invoice file claiming to be from another fuel company. IcedID trojan drop via main.dll in windows registry.
Multiple APT groups targeting Eastern Europe
MEDIUM
+
—
- Intel Source:
- Intel Name:
- Multiple APT groups targeting Eastern Europe
- Date of Scan:
- 2022-03-31
- Impact:
- MEDIUM
- Summary:
- Google TAG researchers has tracked 3 APT groups targeting government military organisations in Ukraine Kazakhstan Mongolia and NATO forces in Eastern Europe. All 3 APT groups conducting phishing campaigns to against the targets.
Transparent Tribe targets Indian government and military
MEDIUM
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Transparent Tribe targets Indian government and military
- Date of Scan:
- 2022-03-31
- Impact:
- MEDIUM
- Summary:
- Cisco Talos researchers has identified a new campaign by Transparent Tribe targeting Indian government and military bodies. The Threat actor is leveraging CrimsonRAT for infecting the victims.
Verblecon - A New Malware Loader
LOW
+
—
- Intel Source:
- Symantec
- Intel Name:
- Verblecon - A New Malware Loader
- Date of Scan:
- 2022-03-31
- Impact:
- LOW
- Summary:
- Symantec researchers has identifed a malware named Trojan.Verblecon which has being leveraged in attacks that appear to have installing cryptocurrency miners on infected machines as their end goals. However the capabilities of this malware indicate that it could be highly dangerous if leveraged in ransomware or espionage campaigns.
Chromium Based Browser Vulnerability
MEDIUM
+
—
- Intel Source:
- Intel Name:
- Chromium Based Browser Vulnerability
- Date of Scan:
- 2022-03-31
- Impact:
- MEDIUM
- Summary:
- Google is urging users on Windows macOS and Linux to update Chrome builds to version 99.0.4844.84 following the discovery of a vulnerability that has an exploit in the wild.
Emotet New IoC and New Pattern
MEDIUM
+
—
- Intel Source:
- Cisco
- Intel Name:
- Emotet New IoC and New Pattern
- Date of Scan:
- 2022-03-30
- Impact:
- MEDIUM
- Summary:
- Cisco conducted research to find new Emotet IOCs and URL patterns related to this new wave in Emotet activity since it’s re-emergence in November 2021. Cisco researchers summarizes the Emotet (Geodo/Heodo) malware threat it’s lifecycle and typical detectable patterns.
Kimsuky distributing VB Script disguised as PDF Files
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Kimsuky distributing VB Script disguised as PDF Files
- Date of Scan:
- 2022-03-30
- Impact:
- LOW
- Summary:
- ASEC Researchers has identified an APT attacks by a group called Kimsuky using VB Script disguised as PDF files. Upon running the script file with the VBS extension the malware runs the innocuous PDF file that exists internally to trick the user into thinking that they opened an innocuous document file and uses a malicious DLL file to leak information.
BitRAT malware disguised as office Installer
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- BitRAT malware disguised as office Installer
- Date of Scan:
- 2022-03-30
- Impact:
- LOW
- Summary:
- ASEC REsearchers has analysed a BitRAT malware sample which is being distributed as office installer with different files. The malware is being distributed actively via file-sharing websites such as Korean webhards.
New Conversation Hijacking Campaign Delivering IcedID
MEDIUM
+
—
- Intel Source:
- Intezer
- Intel Name:
- New Conversation Hijacking Campaign Delivering IcedID
- Date of Scan:
- 2022-03-29
- Impact:
- MEDIUM
- Summary:
- Researcher from Intezer provides a technical analysis of a new campaign which initiates attacks with a phishing email that uses conversation hijacking to deliver the IcedID malware.
Purple Fox using New variant of FatalRat
MEDIUM
+
—
- Intel Source:
- Trend Micro
- Intel Name:
- Purple Fox using New variant of FatalRat
- Date of Scan:
- 2022-03-29
- Impact:
- MEDIUM
- Summary:
- Trend Micro Research were tracking an threat actor named 'Purple Fox' and their activities. Researchers identified Purple Fox’s new arrival vector and the early access loaders we believe are associated with the intrusion set behind this botnet. The operators are updating their arsenal with new malware including a variant of the remote access trojan FatalRAT that they seem to be continuously upgrading.
Conti Ransomware new update
MEDIUM
+
—
- Intel Source:
- Zscaler
- Intel Name:
- Conti Ransomware new update
- Date of Scan:
- 2022-03-28
- Impact:
- MEDIUM
- Summary:
- Researchers at Zscaler ThreatLabz has been following Conti Ransomware group and identified an updated version of Conti ransomware as part of the global ransomware tracking efforts which includes improved file encryption introduced techniques to better evade security software and streamlined the ransom payment process.
Muhstik Gang targets Redis Servers
MEDIUM
+
—
- Intel Source:
- Juniper
- Intel Name:
- Muhstik Gang targets Redis Servers
- Date of Scan:
- 2022-03-28
- Impact:
- MEDIUM
- Summary:
- Researchers at Juniper Threat Labs has revealed an attack that targets Redis Servers using a recently disclosed vulnerability namely CVE-2022-0543. This vulnerability exists in some Redis Debian packages. The payload used is a variant of Muhstik bot that can be used to launch DDOS attacks.
JSSLoader RAT delivered through XLL Files
LOW
+
—
- Intel Source:
- Morphisec
- Intel Name:
- JSSLoader RAT delivered through XLL Files
- Date of Scan:
- 2022-03-25
- Impact:
- LOW
- Summary:
- Morphisec labs has discovered a new variant of JSSLoader RAT. JSSLoader is a small very capable .NET remote access trojan (RAT). Its capabilities include data exfiltration persistence auto-updating additional payload delivery and more. Moreover attacker are now using .XLL files to deliver and obfuscated version of JSSLoader.
Operation Dragon Castling
LOW
+
—
- Intel Source:
- Avast
- Intel Name:
- Operation Dragon Castling
- Date of Scan:
- 2022-03-25
- Impact:
- LOW
- Summary:
- Researchers from Avast found an APT campaign dubbed Operation Dragon Castling which has been targeting betting companies in Southeast Asian countries.The campaign has similarities with several old malware samples used by an unspecified Chinese-speaking APT group.
Chinese APT Scarab targets Ukraine
MEDIUM
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- Chinese APT Scarab targets Ukraine
- Date of Scan:
- 2022-03-25
- Impact:
- MEDIUM
- Summary:
- Researchers at Sentinel Labs has further analysed the alert #4244 released by Ukrainian CERT on 22nd March 2022 which states about the malicious activity of UAC-0026 threat group. Sentinel team has confirmed UAC-0026 attribution with Chinese APT group called Scarab.
Tax Season and Refugee war scams delivering Emotet
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Tax Season and Refugee war scams delivering Emotet
- Date of Scan:
- 2022-03-25
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs Research team has anlaysed emails related to tax season and the Ukrainian conflict. The Phishing emails are attributed to an unfamous malware called 'Emotet' are affecting Windows platform and compromised machines are under the control of the threat actor further stole personally identifiable information (PII) credential theft monetary loss etc.
Crypto Phishing
LOW
+
—
- Intel Source:
- Confiant
- Intel Name:
- Crypto Phishing
- Date of Scan:
- 2022-03-24
- Impact:
- LOW
- Summary:
- Researcher at Confiant has looked at several chains that start with an ad and end with cryptocurrency theft usually via phishing.
Operation DreamJob and AppleJeus
MEDIUM
+
—
- Intel Source:
- Intel Name:
- Operation DreamJob and AppleJeus
- Date of Scan:
- 2022-03-24
- Impact:
- MEDIUM
- Summary:
- Researchers from google discovered two new North Korean backed threat actors exploiting a remote code execution vulnerability in Chrome CVE-2022-0609.hese groups' activity has been publicly tracked as Operation Dream Job and Operation AppleJeus. These campaigns have been targeting U.S based organizations.
Password stealer disguised as private Fortnite server
LOW
+
—
- Intel Source:
- Avast
- Intel Name:
- Password stealer disguised as private Fortnite server
- Date of Scan:
- 2022-03-24
- Impact:
- LOW
- Summary:
- Researchers at Avast have identified a password stealer malware disguised as private Fortnite server where users can meet for a private match and use skins for free. The malware is being heavily propagated on communications platform Discord.
Arid Viper using Arid Gopher malware
MEDIUM
+
—
- Intel Source:
- deepinstinct
- Intel Name:
- Arid Viper using Arid Gopher malware
- Date of Scan:
- 2022-03-24
- Impact:
- MEDIUM
- Summary:
- Researchers from Deep Instinct's Threat Research team discovered a never before seen Micropsia malware dubbed Arid Gropher and is attributed to Arid Viper.
Midas Ransomware - A Thanos Ransomware variant
LOW
+
—
- Intel Source:
- Zscaler
- Intel Name:
- Midas Ransomware - A Thanos Ransomware variant
- Date of Scan:
- 2022-03-24
- Impact:
- LOW
- Summary:
- Researchers at Zscaler has analysed variants of Thanos ransomware and identified the shifting of tactics by the ransomware in 2021. Thanos ransomware was first identified in Feb 2020 as a RaaS on darkweb. In 2021 Thanos source code got leaked after that lot of variants has been identified by the researchers. One of the latest variant is Midas.
Vidar Malware hidden in Microsoft Help file
MEDIUM
+
—
- Intel Source:
- Trustwave
- Intel Name:
- Vidar Malware hidden in Microsoft Help file
- Date of Scan:
- 2022-03-24
- Impact:
- MEDIUM
- Summary:
- Trustwave Spider Labs researchers has detected a vidar malware based phishing campaign that abuses Microsoft HTML help files. Vidar is Windows spyware and an information stealer available for purchase by cybercriminals. Vidar can harvest OS & user data online service and cryptocurrency account credentials and credit card information.
Conti Ransomware Affiliate Exposed
MEDIUM
+
—
- Intel Source:
- eSentire
- Intel Name:
- Conti Ransomware Affiliate Exposed
- Date of Scan:
- 2022-03-24
- Impact:
- MEDIUM
- Summary:
- Researchers at eSentire has been tracking the movements of Conti gang for over two years and now publishing new set of indicators which are currently being used by Conti affiliate. Researchers analysis also focus on the infrastructre used by the gang.
New variants of Arkei Stealer
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- New variants of Arkei Stealer
- Date of Scan:
- 2022-03-24
- Impact:
- LOW
- Summary:
- Researchers at SANS InfoSec Diary blog has analysed Vidar Oski and Mars stealer variants of Arkei Stealer malware. Researchers also found legitimate DLL files has been used by Vidar Oski and Mars variants which are hosted on the same C2 server.
Meris and TrickBot joined Hands
MEDIUM
+
—
- Intel Source:
- Avast
- Intel Name:
- Meris and TrickBot joined Hands
- Date of Scan:
- 2022-03-24
- Impact:
- MEDIUM
- Summary:
- As per Avast researchers Meris backdoor and Trickbot have joined hands. The botnet is known to exploit a known vulnerability in the Winbox component of MikroTik routers (CVE-2018-14847) enabling the attackers to gain unauthenticated remote administrative access to any affected device.
Mustang Panda deploying new Hodur Malware
MEDIUM
+
—
- Intel Source:
- WeLiveSecurity
- Intel Name:
- Mustang Panda deploying new Hodur Malware
- Date of Scan:
- 2022-03-23
- Impact:
- MEDIUM
- Summary:
- A new cyber espionage campaign has been discovered by researchers from ESET in which APT group Mustang Panda who is China linked was deploying Hodur malware. The victims are from east and southeast Asia.
DoubleZero Destructive Malware targets Ukrainian firms
MEDIUM
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- DoubleZero Destructive Malware targets Ukrainian firms
- Date of Scan:
- 2022-03-23
- Impact:
- MEDIUM
- Summary:
- On March 17 CERT-UA found presence of a destructive malware dubbed as DoubleZero targeting Ukrainian firms. The malware erases files and destroys certain registry branches on the infected machine.
Clipper malware disguised as AvD Crypto Stealer
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Clipper malware disguised as AvD Crypto Stealer
- Date of Scan:
- 2022-03-23
- Impact:
- LOW
- Summary:
- Researchers at Cyble has discovered a new malware dubbed as 'AvD crypto stealer' but it is does not function as crypto stealer. However it disguised variant of well-known clipper malware and it has capability of read and edit any text copied by vicitm.
Document-borne APT attack targeting Carbon emissions companies
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Document-borne APT attack targeting Carbon emissions companies
- Date of Scan:
- 2022-03-23
- Impact:
- LOW
- Summary:
- ASEC Team has analysed a malicious word document titled '**** Carbon Credit Institution.doc' which user downloaded thorugh a web browser. The team identified the malicious document from the logs collected by their Smart Defense tool. The malicious document comes with macro code and it is likely that its internal macro code runs wscript.ex.
Vermin (UAC-0020) targets Ukraine Govt using Spectr malware
MEDIUM
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- Vermin (UAC-0020) targets Ukraine Govt using Spectr malware
- Date of Scan:
- 2022-03-23
- Impact:
- MEDIUM
- Summary:
- On March 17 CERT-UA found an active spear phishing campaign delivering SPECTR malware. The campaign was initiated by Vermin aks UAC-0020 who are associated with Luhansk People’s Republic (LPR).
Phishing Campaign using QR code targets Ukraine
MEDIUM
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- Phishing Campaign using QR code targets Ukraine
- Date of Scan:
- 2022-03-23
- Impact:
- MEDIUM
- Summary:
- CERT UA discovered the distribution of e-mails that mimic messages from UKR.NET and contain a QR code encoding a URL created using one of the URL-shortener services and it was attributed with low confidence to APT28.
ClipBanker Malware disguised as Malware Creation Tool
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- ClipBanker Malware disguised as Malware Creation Tool
- Date of Scan:
- 2022-03-23
- Impact:
- LOW
- Summary:
- ASEC Team has indentified a ClipBanker malware which disguised as malware creation tool. ClipBanker malware monitors the clipbooard of the infected system and if the malware copies a string for a coin wallet address then changes its to the address designated by the attacker.
UAC-0026 targets Ukraine by HeaderTIP malware
MEDIUM
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC-0026 targets Ukraine by HeaderTIP malware
- Date of Scan:
- 2022-03-23
- Impact:
- MEDIUM
- Summary:
- CERT UA identified yet another nefarious malware dubbed headerTip which leveraged to drop additional DLL files to the infected instance and this has been targeting the nfrastructure of Ukrainian state bodies and organizations across the country.