—
- Intel Source:
- NSA / Secureworks
- Intel Name:
- Chinese_APT_Group_BRONZE_SILHOUETTE_Targeting_US_Government_and_Defense_Organizations
- Date of Scan:
- 2023-05-30
- Impact:
- MEDIUM
- Summary:
- SecureWorks researchers have discovered a cluster of activity of interest associated with a People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon. Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide.
—
- Intel Source:
- Cyble
- Intel Name:
- Obsidian_ORB_Ransomware_Demanding_Payment_With_Gift_Cards
- Date of Scan:
- 2023-05-30
- Impact:
- LOW
- Summary:
- Cyble researchers have come across a new and unique ransomware strain named Obsidian ORB. Extensive analysis has revealed compelling evidence that suggests a significant correlation between Obsidian ORB Ransomware and the underlying source code of the notorious Chaos ransomware.
Source:
https://blog.cyble.com/2023/05/25/obsidian-orb-ransomware-demands-gift-cards-as-payment/
—
- Intel Source:
- Cyble
- Intel Name:
- Ducktail_Malware_targets_a_high_profile_accounts
- Date of Scan:
- 2023-05-30
- Impact:
- LOW
- Summary:
- Cyble researchers recently discovered Ducktail malware that specifically targets Marketing and HR professionals. The malware is designed to extract browser cookies and take advantage of social media sessions to steal sensitive information from the victim’s social media account. The purpose of the malware operation is to gain control of social media business accounts with adequate access privileges. TAs then use their acquired access to run advertisements for their own financial gain.
—
- Intel Source:
- Cyble
- Intel Name:
- The_Invicta_Stealer_Spreading
- Date of Scan:
- 2023-05-30
- Impact:
- LOW
- Summary:
- Cyble’s research lab team discovered a new stealer called Invicta Stealer. The developer in charge of this malware is heavily involved on social media platforms, using them to promote their information stealer and its lethal capabilities.
Source:
https://blog.cyble.com/2023/05/25/invicta-stealer-spreading-through-phony-godaddy-refund-invoices/
—
- Intel Source:
- CADO Security
- Intel Name:
- Legion_Malware_Targeting_SSH_Servers_and_AWS_Credentials
- Date of Scan:
- 2023-05-29
- Impact:
- LOW
- Summary:
- CADO Security researchers have identified an updated version of the commodity malware called Legion that comes with expanded features to compromise SSH servers and Amazon Web Services (AWS) credentials associated with DynamoDB and CloudWatch.
Source:
https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/
—
- Intel Source:
- Sentinelone
- Intel Name:
- Hackers_Targeting_Users_of_Portuguese_Financial_Institutions
- Date of Scan:
- 2023-05-29
- Impact:
- MEDIUM
- Summary:
- SentinelOne researchers have observed a campaign targeting users of Portuguese financial institutions conducted by a Brazilian threat group. The attackers can steal credentials and exfiltrate users’ data and personal information, which can be leveraged for malicious activities beyond financial gain.
—
- Intel Source:
- Trustwave
- Intel Name:
- Phishing_Delivering_via_Encrypted_Messages
- Date of Scan:
- 2023-05-28
- Impact:
- MEDIUM
- Summary:
- Trustwave researchers have observed phishing attacks that use a combination of compromised Microsoft 365 accounts and .rpmsg encrypted emails to deliver the phishing message.
—
- Intel Source:
- Zscaler
- Intel Name:
- The_Technical_Examination_of_Pikabot
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have identified a new trojan named Pikabot, which emerged in early 2023 and consists of two components: a loader and a core module.
Source:
https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot
—
- Intel Source:
- Cyble
- Intel Name:
- Over_200_Corporate_Victims_Hit_by_New_Ransomware_Wave
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs (CRIL) observed that the increasing adoption of double extortion by ransomware groups is an alarming trend. We are witnessing a surge in ransomware attacks that not only encrypt valuable corporate data but also involve the threat of public exposure unless the attackers’ demands are fulfilled.
Source:
https://blog.cyble.com/2023/05/23/new-ransomware-wave-engulfs-over-200-corporate-victims/
—
- Intel Source:
- SentinelOne
- Intel Name:
- Ongoing_Kimsuky_Campaign_Utilizing_Custom_Reconnaissance_Toolkit
- Date of Scan:
- 2023-05-27
- Impact:
- MEDIUM
- Summary:
- SentinelLabs has been tracking a targeted campaign against information services, as well as organizations supporting human rights activists and defectors in relation to North Korea. The campaign focuses on file reconnaissance and exfiltrating system and hardware information, laying the groundwork for subsequent precision attacks.
Source:
https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/
—
- Intel Source:
- Mandiant
- Intel Name:
- COSMICENERGY_new_OT_Malware_related_to_Russia
- Date of Scan:
- 2023-05-27
- Impact:
- MEDIUM
- Summary:
- Mandiant discovered a new operational technology (OT) / industrial control system (ICS) malware, recognized as COSMICENERGY, uploaded by a threat actor in Russia. The malware is capable of causing electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly used in electric transmission and distribution operations in Europe, the Middle East, and Asia.
Source:
https://www.mandiant.com/resources/blog/cosmicenergy-ot-malware-russian-response
—
- Intel Source:
- ClearSky
- Intel Name:
- Israeli_Logistics_Industry_targeted_by_hackers
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- ClearSky Cyber Security researchers have discovered a watering hole attack on at least eight Israeli websites. The attack was most likely orchestrated by a nation-state actor from Iran, with some attribution to Tortoiseshell (also called TA456 or Imperial Kitten). The infected sites collect preliminary user information through a script.
—
- Intel Source:
- Microsoft, CISA
- Intel Name:
- Volt_Typhoon_stealthy_activity
- Date of Scan:
- 2023-05-27
- Impact:
- HIGH
- Summary:
- Microsoft has discovered stealthy, malicious activity focused on credential access and network system discovery that targets critical infrastructure organizations in the United States. The attack is carried out by Volt Typhoon, a state-sponsored actor based in China that focuses on espionage and information stealing. Microsoft is confident that this Volt Typhoon campaign is pursuing the development of capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises.
—
- Intel Source:
- Cluster25
- Intel Name:
- Return_of_BlackByte_Ransomware_with_New_Technology_Version
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- The Cluster25 Threat Intel Team has identified that BlackByte is a Ransomware-as-a-Service group known for the use of the homonymous malware, which is constantly updated and spread in different variants. The team used the above function in an IDAPython script that allowed them to retrieve all invocations of the functions responsible for the dynamic loading of the APIs, in order to continue with the static analysis of the malware.
Source:
https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt
—
- Intel Source:
- Cofense
- Intel Name:
- Resurgence_of_Vacation_Request_Phishing_Emails_in_Summer_Time_Scams
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- Cofense researchers have observed a phishing campaign where the threat actor sent an email to a user that claimed to be from the HR Department and provided the user with a link to submit their annual leave requests.
Source:
https://cofense.com/blog/summer-time-scams-the-return-of-vacation-request-phishing-emails/
—
- Intel Source:
- Cyble
- Intel Name:
- Cyber_Crime_Forum_Offers_DDoS_As_A_Service_by_Russian_Hacktivists
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs (CRIL) has made a significant discovery on a cybercrime forum: a newly identified malware strain called “MDBotnet.” Our analysis suggests that this malware originates from a Threat Actor (TA) linked to Russia.
Source:
https://blog.cyble.com/2023/05/23/new-mdbotnet-unleashes-ddos-attacks/
—
- Intel Source:
- ASEC
- Intel Name:
- Link_Found_Between_Korean_VPN_Installations_and_MeshAgent_Infections
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- AhnLab Security Emergency response Center (ASEC) has previously covered the case where SparkRAT was distributed contained within a Korean VPN’s installer in the post, “SparkRAT Being Distributed Within a Korean VPN Installer”[1]. This VPN was commonly installed by Chinese users who required better access to the Internet, and the problem was addressed after the blog post was uploaded.
—
- Intel Source:
- Checkpoint
- Intel Name:
- Agrius_threat_actor_attacks_against_Israel
- Date of Scan:
- 2023-05-27
- Impact:
- MEDIUM
- Summary:
- Agrius, a threat actor believed to be Iranian, keeps attacking Israeli targets, concealing destructive impact behind ransomware attacks. Recently the group deployed Moneybird, a new ransomware written in C++. Despite presenting itself under a new group name, Moneybird, this is yet another Agrius alias.
—
- Intel Source:
- Securelist
- Intel Name:
- Diving_Deep_into_GoldenJackal_APT_Group
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- Securelist researchers have monitored the GoldenJackal APT Group since mid-2020 and have observed a constant level of activity that indicates a capable and stealthy actor. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo, and JackalScreenWatcher.
Source:
https://securelist.com/goldenjackal-apt-group/109677/
—
- Intel Source:
- ASEC
- Intel Name:
- Lazarus_Group_Targeting_Windows_IIS_Web_Servers
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- ASEC researchers have identified the Lazarus group, which is known to receive support on a national scale, carrying out attacks against Windows IIS web servers.
—
- Intel Source:
- ASEC
- Intel Name:
- StrelaStealer_Malware_Targeting_Spanish_Users
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- ASEC researchers have observed that the StrelaStealer infostealer is being distributed to Spanish users. It was initially discovered around November 2022 and is distributed as an attachment to spam emails.
—
- Intel Source:
- CERT-UA
- Intel Name:
- Espionage_Activity_UAC_0063
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- CERT-UA researchers have observed that on 04/18/2023 and 04/20/2023, e-mails were sent to the department’s e-mail address from the official mailbox of the Embassy of Tajikistan in Ukraine (probably as a result of the latter being compromised); the first contained an attachment in the form of a document with a macro, and the second a link to the same document.
—
- Intel Source:
- Sekoia
- Intel Name:
- Raccoon_and_Vidar_Stealers_Spreading_Fake_Cracked_Software
- Date of Scan:
- 2023-05-26
- Impact:
- MEDIUM
- Summary:
- Sekoia researchers have identified the infection chain that is using about a hundred fake cracked software catalog websites that redirect to several links before downloading the payload hosted on file share platforms, such as GitHub.
—
- Intel Source:
- Checkpoint
- Intel Name:
- Distribution_of_DarkCloud_Infostealer_Through_Spam_Emails_Detected
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- Checkpoint researchers have identified that malware developers strive to create new threats that can bypass the defenses of antivirus products. “Packing” and “crypting” services are specifically designed to resist analysis. GuLoader is one of the most prominent services cybercriminals use to evade antivirus detection.
Source:
https://research.checkpoint.com/2023/cloud-based-malware-delivery-the-evolution-of-guloader/
—
- Intel Source:
- ASEC
- Intel Name:
- Distribution_of_DarkCloud_Infostealer_Through_Spam_Emails
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered that the DarkCloud malware is being distributed via spam email. It is an infostealer that steals account credentials saved on infected systems, and the threat actor installed ClipBanker alongside DarkCloud.
—
- Intel Source:
- Fortinet
- Intel Name:
- Middle_East_Targeted_by_New_Kernel_Driver_Exploit
- Date of Scan:
- 2023-05-24
- Impact:
- LOW
- Summary:
- Fortinet researchers have discovered suspicious executables that make use of open-source tools and frameworks. One of the things that we keep an eye out for is tools that use the Donut project. Donut is a position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters.
Source:
https://www.fortinet.com/blog/threat-research/wintapix-kernal-driver-middle-east-countries
—
- Intel Source:
- TrendMicro
- Intel Name:
- New_Signed_Kernel_Driver_Deployed_BlackCat_Ransomware
- Date of Scan:
- 2023-05-22
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have analyzed the BlackCat ransomware incident that occurred in February 2023, where they observed a new capability, mainly used for the defense evasion phase, that overlaps with the earlier malicious drivers disclosed by the three vendors.
—
- Intel Source:
- Wordfence
- Intel Name:
- Hackers_Targeting_Vulnerable_WordPress_Elementor_plugin_Versions
- Date of Scan:
- 2023-05-22
- Impact:
- LOW
- Summary:
- Wordfence researchers have identified that several versions of the WordPress plugin Essential Addons for Elementor impacted by the now-addressed critical CVE-2023-32243 vulnerability are being actively scanned and targeted by threat actors following the release of a proof-of-concept exploit.
—
- Intel Source:
- Esentire
- Intel Name:
- BatLoader_Campaign_Impersonates_ChatGPT_and_Midjourney_to_Deliver_Redline_Stealer
- Date of Scan:
- 2023-05-22
- Impact:
- LOW
- Summary:
- eSentire researchers have observed threat actors using BatLoader in the form of MSIX Windows App Installer files to deliver the Redline Stealer.
Source:
https://www.esentire.com/blog/batloader-impersonates-midjourney-chatgpt-in-drive-by-cyberattacks
—
- Intel Source:
- DFIR Report
- Intel Name:
- IcedID_Macro_Ends_in_Nokoyawa_Ransomware
- Date of Scan:
- 2023-05-22
- Impact:
- LOW
- Summary:
- Researchers from The DFIR Report have identified an incident that took place during Q4 of 2022, consisting of threat actors targeting Italian organizations with Excel maldocs that deploy IcedID. The threat actors running such a campaign may hope to target organizations that have not updated their Microsoft Office deployments since the newly released patches that block macros on documents downloaded from the internet.
Source:
https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
—
- Intel Source:
- Cyble
- Intel Name:
- AndoryuBot_s_DDOS_wild_behavior
- Date of Scan:
- 2023-05-19
- Impact:
- LOW
- Summary:
- The Cyble group observed active exploitation of CVE-2023-25717 and deployment of AndoryuBot. This incident indicates that Threat Actors are actively looking for vulnerable Ruckus assets for exploitation purposes. AndoryuBot is a new Botnet malware sold on Telegram on a subscription basis. The deployment of such malware by TAs allows them to orchestrate large-scale DDoS attacks, which can overwhelm targeted servers and infrastructure by flooding them with a massive volume of traffic.
Source:
https://blog.cyble.com/2023/05/17/andoryubots-ddos-rampage/
—
- Intel Source:
- Sophos
- Intel Name:
- Brute_Ratel_remains_rare_and_targeted
- Date of Scan:
- 2023-05-19
- Impact:
- LOW
- Summary:
- The commercial attack tool’s use by threat actors has faded after an initial flurry, while Cobalt Strike remains the go-to post-exploitation tool for many.
Source:
https://news.sophos.com/en-us/2023/05/18/the-phantom-menace-brute-ratel-remains-rare-and-targeted/
—
- Intel Source:
- Bushidotoken
- Intel Name:
- Distributing_DarkCrystal_RAT_by_fake_Desktop_Authenticator_App
- Date of Scan:
- 2023-05-19
- Impact:
- LOW
- Summary:
- The BushidoToken researcher recently discovered a threat actor campaign that uses fake websites to distribute malware. This TTP seems to be on the rise. A suspected Russia-based threat actor tried to duplicate the website of a legitimate open-source desktop app called Steam Desktop Authenticator, which is simply a convenient desktop version of the mobile authenticator app.
Source:
https://blog.bushidotoken.net/2023/05/fake-steam-desktop-authenticator-app.html
—
- Intel Source:
- Reversing Labs
- Intel Name:
- TurkoRat_found_hiding_in_the_npm_package
- Date of Scan:
- 2023-05-19
- Impact:
- LOW
- Summary:
- ReversingLabs researchers found two malicious packages that contained TurkoRat, an open source infostealer that lurked on npm for two months before being detected.
Source:
https://www.reversinglabs.com/blog/rats-found-hiding-in-the-npm-attic
—
- Intel Source:
- Cyble
- Intel Name:
- CapCut_s_Video_to_Deliver_Multiple_Stealers
- Date of Scan:
- 2023-05-19
- Impact:
- LOW
- Summary:
- Cyble researchers recently discovered a couple of phishing websites disguised as video editing software. These fake sites lure users into downloading and executing various malware families such as stealers, RATs, etc. In these campaigns, Threat Actors targeted the CapCut video editing tool, a product of ByteDance, the same parent company that owns TikTok.
Source:
https://blog.cyble.com/2023/05/19/capcut-users-under-fire/
—
- Intel Source:
- Wordfence
- Intel Name:
- The_exploitation_of_critical_vulnerability_CVE_2023_32243
- Date of Scan:
- 2023-05-18
- Impact:
- HIGH
- Summary:
- Recently, Essential Addons for Elementor, a WordPress plugin, released a patch for a critical vulnerability that allows any unauthenticated user to reset arbitrary user passwords, including those of accounts with administrative-level access. This vulnerability was discovered and responsibly disclosed by security researcher Rafie Muhammed.
—
- Intel Source:
- Team Cymru
- Intel Name:
- The_analysis_of_QakBot_Infrastructure
- Date of Scan:
- 2023-05-18
- Impact:
- MEDIUM
- Summary:
- Team Cymru shared their analysis of QakBot, in which various hypotheses were identified and tested. Their key findings: QakBot C2 servers are not separated by affiliate ID; QakBot C2 servers from older configurations continue to communicate with upstream C2 servers months after being used in campaigns; and three upstream C2 servers were identified in Russia, two of which behave similarly based on network telemetry patterns and the geolocations of the bot C2s communicating with them.
Source:
https://www.team-cymru.com/post/visualizing-qakbot-infrastructure
—
- Intel Source:
- Cyble
- Intel Name:
- BlackSuit_Ransomware_ragets_VMware_ESXi_servers
- Date of Scan:
- 2023-05-18
- Impact:
- HIGH
- Summary:
- Researchers from Cyble’s labs observed an increase in the number of ransomware groups, such as Cylance and Royal ransomware, targeting Linux. The widespread use of Linux makes it an appealing target for ransomware groups, as a single attack can potentially compromise numerous systems.
Source:
https://blog.cyble.com/2023/05/12/blacksuit-ransomware-strikes-windows-and-linux-users/
—
- Intel Source:
- CISA
- Intel Name:
- Joint_Cybersecurity_Advisory_on_BianLian_Ransomware_Group
- Date of Scan:
- 2023-05-18
- Impact:
- MEDIUM
- Summary:
- The FBI, CISA and the Australian Cyber Security Centre (ACSC) released a joint Cybersecurity Advisory to disseminate known BianLian ransomware and data extortion group IOCs and TTPs identified through FBI and ACSC investigations as of March 2023. BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development.
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a
—
- Intel Source:
- ASEC
- Intel Name:
- The_Korean_VPN_installer_is_being_used_to_distribute_SparkRAT
- Date of Scan:
- 2023-05-18
- Impact:
- MEDIUM
- Summary:
- AhnLab Security Emergency response Center (ASEC) has recently discovered SparkRAT being distributed within the installer of a certain VPN program. SparkRAT is a Remote Administration Tool (RAT) developed in GoLang. When installed on a user’s system, it can perform a variety of malicious behaviors, such as executing commands remotely, controlling files and processes, downloading additional payloads, and collecting information from the infected system, for example by taking screenshots.
—
- Intel Source:
- Cofense
- Intel Name:
- The_attackers_used_email_security_providers_for_spreading_phishing_attacks
- Date of Scan:
- 2023-05-18
- Impact:
- LOW
- Summary:
- Threat actors increasingly send malicious URLs within HTML attachments, which makes it more challenging for Secure Email Gateways (SEGs) to block them. The Phishing Defense Center analyzed a phishing campaign impersonating an email security provider to trick recipients into providing their user credentials via a malicious HTML attachment.
—
- Intel Source:
- Fortinet
- Intel Name:
- Malicious_Python_Packages_via_Supply_Chain_Attacks
- Date of Scan:
- 2023-05-17
- Impact:
- MEDIUM
- Summary:
- The FortiGuard Labs team discovered over 30 new zero-day attacks in PyPI packages (Python Package Index). These were found between late March and late April by monitoring an open-source ecosystem.
—
- Intel Source:
- TrendMicro
- Intel Name:
- New_8220_Gang_Strategies
- Date of Scan:
- 2023-05-17
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers documented the recent activities of the 8220 Gang, which has been active in recent months. In their article they shared an observed attack exploiting the Oracle WebLogic vulnerability CVE-2017-3506, captured by one of their honeypots. This vulnerability, with a CVSS score of 7.4, impacts the WLS Security Component of Oracle WebLogic and, when exploited, can enable attackers to execute arbitrary commands remotely through an HTTP request with a specifically crafted XML document.
Source:
https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_Water_Orthrus_s_New_Campaigns
- Date of Scan:
- 2023-05-17
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have been monitoring the activities of a threat actor named Water Orthrus, which spread CopperStealer malware via pay-per-install (PPI) networks. In March 2023, we observed two campaigns delivering new malware that we named CopperStealth and CopperPhish. Both malware families have characteristics close to those of CopperStealer and are likely developed by the same author, leading the researchers to believe that these campaigns are likely Water Orthrus’ new activities.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Uncovering_RedStinger_new
- Date of Scan:
- 2023-05-17
- Impact:
- MEDIUM
- Summary:
- Since the conflict between Russia and Ukraine began last year, the confrontation has not only been political; it is no surprise that the cybersecurity landscape between the two countries has also been tense. A former researcher from the Malwarebytes Threat Intelligence Team discovered a new, interesting lure that targeted the Eastern Ukraine region, reported the finding to the public, and tracked this actor as Red Stinger. These findings remained private for a while, but Kaspersky recently shared information about the same actor (which it called Bad Magic).
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger
—
- Intel Source:
- Symantec
- Intel Name:
- The_Lancefly_APT_group_using_Merdoor_backdoor
- Date of Scan:
- 2023-05-17
- Impact:
- MEDIUM
- Summary:
- The Lancefly APT group is targeting organizations in South and Southeast Asia using a custom-written backdoor. Lancefly’s custom malware, named Merdoor, is a powerful backdoor that has existed since 2018. Its recent targets are based in South and Southeast Asia, in sectors including government, aviation, education, and telecoms. Symantec researchers observed that the activity also appeared to be highly targeted, with only a small number of machines infected.
—
- Intel Source:
- Fortinet
- Intel Name:
- Maori_Ransomware
- Date of Scan:
- 2023-05-16
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs recently came across a new ransomware variant called Maori. Like other ransomware variants, it encrypts files on victims’ machines to extort money. Interestingly, this variant is designed to run on Linux and is coded in Go, which is somewhat rare and increases the difficulty of analysis.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-maori?&web_view=true
—
- Intel Source:
- Securonix
- Intel Name:
- Ongoing_Phishing_Campaign_uses_Meme_Filled_Code_to_Drop_XWorm_Payloads
- Date of Scan:
- 2023-05-16
- Impact:
- MEDIUM
- Summary:
- Over the last couple of months, an interesting and ongoing attack campaign was identified and tracked by the Securonix Threat Research team. The campaign (tracked by Securonix as MEME#4CHAN) leveraged rather unusual meme-filled PowerShell code, followed by a heavily obfuscated XWorm payload, to infect its victims. Securonix dived into this campaign with an in-depth technical analysis.
Source:
https://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/
—
- Intel Source:
- Cyble
- Intel Name:
- A_new_ransomware_variant_Rancoz
- Date of Scan:
- 2023-05-16
- Impact:
- LOW
- Summary:
- This month Cyble researchers observed a ransomware variant called Rancoz, identified by researcher @siri_urz. During the investigation, it was observed that this ransomware is similar to and overlaps with the Vice Society ransomware.
Source:
https://blog.cyble.com/2023/05/11/dissecting-rancoz-ransomware/
—
- Intel Source:
- ASEC
- Intel Name:
- LokiLocker_Ransomware_Distributed_in_Korea
- Date of Scan:
- 2023-05-16
- Impact:
- MEDIUM
- Summary:
- AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of the LokiLocker ransomware in Korea. This ransomware is almost identical to the BlackBit ransomware and their common traits
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Eastern_European_APT_Cyber_Operations_Undetected_Since_2020
- Date of Scan:
- 2023-05-16
- Impact:
- LOW
- Summary:
- Malwarebytes researchers have discovered a new interesting lure that targeted the Eastern Ukraine region and reported that finding to the public. Moreover, we started tracking the actor behind it, which we internally codenamed Red Stinger.
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger
—
- Intel Source:
- Cyble
- Intel Name:
- An_In_Depth_Look_at_Akira_Ransomware
- Date of Scan:
- 2023-05-16
- Impact:
- MEDIUM
- Summary:
- Cyble researchers have come across a Reddit post about a new ransomware variant named “Akira”, actively targeting numerous organizations and exposing their sensitive data. To increase the chances of payment from victims, Akira ransomware exfiltrates and encrypts their data using a double-extortion technique. The attackers then threaten to sell or leak the stolen data on the dark web if the ransom is not paid for decrypting the data.
Source:
https://blog.cyble.com/2023/05/10/unraveling-akira-ransomware/
—
- Intel Source:
- Malwarebytes
- Intel Name:
- The_Aurora_stealer_via_Invalid_Printer_loader
- Date of Scan:
- 2023-05-16
- Impact:
- LOW
- Summary:
- Malwarebytes Labs shared their discovery of this malicious campaign and its connections to other attacks. They discovered that a threat actor was using malicious ads to redirect users to what looked like a Windows security update. The scheme looked very legitimate and closely resembled what you’d expect from Microsoft. That fake security update used a newly identified loader that, at the time of the campaign, was oblivious to malware sandboxes and bypassed practically all antivirus engines. Malwarebytes Labs patched that loader and identified its actual payload as the Aurora stealer.
—
- Intel Source:
- Deep Instinct Blog
- Intel Name:
- A_new_undetected_variant_of_Linux_Backdoor_BPFDoor
- Date of Scan:
- 2023-05-15
- Impact:
- MEDIUM
- Summary:
- BPFdoor is a Linux-specific, low-profile, passive backdoor intended to maintain a persistent, long-term foothold in already-breached networks and environments and functions primarily to ensure an attacker can re-enter an infected system over an extended period of time, post-compromise.
Source:
https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
—
- Intel Source:
- CISA
- Intel Name:
- Exploitation_of_CVE_2023_27350
- Date of Scan:
- 2023-05-14
- Impact:
- LOW
- Summary:
- The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-27350. This vulnerability occurs in certain versions of PaperCut NG and PaperCut MF and enables an unauthenticated actor to execute malicious code remotely without credentials.
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a
—
- Intel Source:
- Mcafee
- Intel Name:
- Analysis_of_a_evasive_Shellcode
- Date of Scan:
- 2023-05-14
- Impact:
- LOW
- Summary:
- McAfee researchers have observed NSIS-based installers delivered via e-mail as malspam that use plugin libraries to execute the GU shellcode on the victim system.
—
- Intel Source:
- Sentinelone
- Intel Name:
- Threat_Actors_Build_ESXi_Lockers_Using_Leaked_Babuk_Code
- Date of Scan:
- 2023-05-13
- Impact:
- MEDIUM
- Summary:
- SentinelLabs researchers have identified unexpected connections between ESXi ransomware families, exposing likely relationships between Babuk and more illustrious operations like Conti and REvil.
—
- Intel Source:
- Dragos
- Intel Name:
- A_cybercriminal_group_attempted_an_extortion_scheme_against_Dragos
- Date of Scan:
- 2023-05-13
- Impact:
- LOW
- Summary:
- Last week, a known hacker group attempted, and failed at, an extortion scheme against Dragos. No Dragos systems were breached, including anything related to the Dragos Platform. Dragos has shared what happened during this failed extortion attempt. The cybercriminal group attempted to compromise Dragos’s information resources. The criminal group got access by compromising the personal email address of a new sales employee prior to their start date, and subsequently used their personal information to impersonate the Dragos employee and accomplish initial steps in the employee onboarding process.
Source:
https://www.dragos.com/blog/deconstructing-a-cybersecurity-event/
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Statistics_May_1_7th_2023
- Date of Scan:
- 2023-05-13
- Impact:
- LOW
- Summary:
- ASEC lab researchers continuously monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. Their post shares the cases of distribution of phishing emails during the week from April 9th, 2023 to April 15th, 2023 and provides statistical information on each type.
—
- Intel Source:
- ASEC
- Intel Name:
- CLR_SqlShell_malware_Attack_MS_SQL_Servers
- Date of Scan:
- 2023-05-12
- Impact:
- MEDIUM
- Summary:
- ASEC analyzed the CLR SqlShell malware that is being used to target MS-SQL servers. Similar to WebShell, which can be installed on web servers, SqlShell is a malware strain that supports various features after being installed on an MS-SQL server, such as executing commands from threat actors and carrying out all sorts of malicious behavior.
—
- Intel Source:
- Mcafee
- Intel Name:
- The_Examination_of_Highly_Evasive_Shellcode_Based_Loader
- Date of Scan:
- 2023-05-12
- Impact:
- LOW
- Summary:
- McAfee researchers have deeply analyzed the GULoader campaigns and found a rise in NSIS-based installers delivered via e-mail as malspam that use plugin libraries to execute the GU shellcode on the victim system.
—
- Intel Source:
- Bitdefender
- Intel Name:
- DownEx_Espionage_activity_in_Central_Asia
- Date of Scan:
- 2023-05-12
- Impact:
- MEDIUM
- Summary:
- Last year, Bitdefender Labs researchers observed an attack on foreign government institutions in Kazakhstan. During the analysis, it was discovered that this was a highly targeted attack aimed at gaining access in order to exfiltrate data. Bitdefender Labs researchers monitored it and the region for a while for other similar attacks. Recently they detected another attack in Afghanistan and collected additional samples and observations.
—
- Intel Source:
- Fortinet
- Intel Name:
- An_Expansion_of_RapperBot_DDoS_Botnet_into_Cryptojacking
- Date of Scan:
- 2023-05-12
- Impact:
- LOW
- Summary:
- FortiGate researchers have analyzed new samples of the RapperBot campaign active since January 2023. The threat actors have started venturing into cryptojacking, specifically for Intel x64 machines. Initially, they deployed and executed a separate Monero cryptominer alongside the usual RapperBot binary. But in late January 2023, they combined both functionalities into a single bot.
Source:
https://www.fortinet.com/blog/threat-research/rapperbot-ddos-botnet-expands-into-cryptojacking
—
- Intel Source:
- Cert-PL
- Intel Name:
- Malspam_Campaign_Delivering_PowerDash
- Date of Scan:
- 2023-05-12
- Impact:
- LOW
- Summary:
- CERT-PL researchers have observed a malspam campaign delivering previously unseen PowerShell malware. They dubbed this malware family “PowerDash” because of the “/dash” path on the C2 server, used as a gateway for bots.
—
- Intel Source:
- Abnormal
- Intel Name:
- Taking_a_Closer_Look_at_Israel_Based_BEC_Attacks
- Date of Scan:
- 2023-05-10
- Impact:
- HIGH
- Summary:
- Researchers from Abnormal Security have discovered that an Israel-based threat group has conducted 350 BEC campaigns since February 2021, with email attacks targeting employees from 61 countries across six continents.
—
- Intel Source:
- Cofense
- Intel Name:
- MitM_Phishing_Growing_and_Using_Real_Login_Process_to_Steal_Credentials
- Date of Scan:
- 2023-05-10
- Impact:
- LOW
- Summary:
- Cofense researchers have observed that man-in-the-middle (MitM) credential phishing attacks are increasing rapidly: they identified a 35% increase in volume reaching inboxes between Q1 2022 and Q1 2023; 94% of MitM credential phishing attacks reaching inboxes targeted O365 authentication; and 89% of campaigns used at least one URL redirect, with 55% using two or more.
Source:
https://cofense.com/blog/cofense-intelligence-strategic-analysis-2/
—
- Intel Source:
- PaloAlto
- Intel Name:
- Royal_Ransomware_Expands_to_Target_Linux_and_VMware_ESXi
- Date of Scan:
- 2023-05-10
- Impact:
- MEDIUM
- Summary:
- PaloAlto researchers have observed that the Royal ransomware group has recently launched a variant of its encryptor malware built as an executable and linkable format (ELF) binary. They have also started using the BatLoader dropper and SEO poisoning for initial access.
Source:
https://unit42.paloaltonetworks.com/royal-ransomware/
—
- Intel Source:
- Blackberry
- Intel Name:
- SideWinder_Using_Server_Based_Polymorphism_Technique
- Date of Scan:
- 2023-05-09
- Impact:
- LOW
- Summary:
- BlackBerry researchers have observed that the APT group SideWinder is accused of deploying a backdoor in attacks directed against Pakistan government organizations as part of a campaign that commenced in late November 2022.
Source:
https://blogs.blackberry.com/en/2023/05/sidewinder-uses-server-side-polymorphism-to-target-pakistan
—
- Intel Source:
- Fortinet
- Intel Name:
- AndoryuBot_Targeting_Ruckus_Wireless_Admin_Remote_Code_Execution_Vulnerability
- Date of Scan:
- 2023-05-09
- Impact:
- LOW
- Summary:
- FortiGate researchers have observed a unique botnet based on the SOCKS protocol distributed through the Ruckus vulnerability (CVE-2023-25717). It contains DDoS attack modules for different protocols and communicates with its command-and-control server using SOCKS5 proxies.
—
- Intel Source:
- Quickheal
- Intel Name:
- IRCTC_fake_apps
- Date of Scan:
- 2023-05-09
- Impact:
- LOW
- Summary:
- Quickheal analysts reviewed the recent advisory published by the Indian Railway Catering and Tourism Corporation (IRCTC) about fake IRCTC apps. The fake IRCTC app pretends to be the real IRCTC app but is in reality full-fledged spyware that spies on victims with ease.
Source:
https://blogs.quickheal.com/beware-fake-applications-are-disguised-as-legitimate-ones/
—
- Intel Source:
- Cofense
- Intel Name:
- Microsoft_Phish_Redirects_Victims_to_Catering_Voice_Recording
- Date of Scan:
- 2023-05-09
- Impact:
- LOW
- Summary:
- Cofense researchers have observed credential phishing campaigns that use a novel deception technique, luring unsuspecting users into a false sense of security after they’ve given away their Microsoft login information.
—
- Intel Source:
- Cleafy
- Intel Name:
- New_Web_Injection_Toolkit_DrIBAN_Targeting_Italian_Corporate_Banking_Clients
- Date of Scan:
- 2023-05-08
- Impact:
- MEDIUM
- Summary:
- Researchers from Cleafy have observed that Italian corporate banking clients are the target of an ongoing financial fraud campaign that has been leveraging a new web-inject toolkit called drIBAN since at least 2019.
Source:
https://www.cleafy.com/cleafy-labs/uncovering-driban-fraud-operations-chapter1
—
- Intel Source:
- CERT-UA
- Intel Name:
- SmokeLoader_and_RoarBAT_Malware_Attacks_Against_Ukraine
- Date of Scan:
- 2023-05-08
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have identified an ongoing phishing campaign with invoice-themed lures being used to distribute the SmokeLoader malware in the form of a polyglot file.
—
- Intel Source:
- Mcafee
- Intel Name:
- New_MultiStage_Attack_and_Malware_Distribution_of_Amadey
- Date of Scan:
- 2023-05-08
- Impact:
- LOW
- Summary:
- McAfee Labs researchers have identified an increase in Wextract.exe samples that drop a malware payload in multiple stages.
—
- Intel Source:
- ASEC
- Intel Name:
- RecordBreaker_Stealer_Distributed_by_YouTube_Accounts
- Date of Scan:
- 2023-05-08
- Impact:
- LOW
- Summary:
- AhnLab Security Emergency response Center (ASEC) has analyzed and confirmed the distribution of RecordBreaker through a YouTube account that is assumed to have been recently hacked. RecordBreaker is a new infostealer version of Raccoon Stealer. It disguises itself as a software installer, similar to CryptBot, RedLine, and Vidar.
—
- Intel Source:
- Mcafee
- Intel Name:
- An_Increase_in_SHTML_Phishing_Attacks
- Date of Scan:
- 2023-05-08
- Impact:
- MEDIUM
- Summary:
- McAfee researchers have observed a new wave of phishing attacks. In this wave, the attacker has been abusing server-parsed HTML (SHTML) files. The SHTML files are commonly associated with web servers redirecting users to malicious, credential-stealing websites or displaying phishing forms locally within the browser to harvest user-sensitive information.
Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shtml-phishing-attack-with-blurred-image/
—
- Intel Source:
- Fortinet
- Intel Name:
- SideCopy_Group_Delivering_Malware_via_Phishing_Emails
- Date of Scan:
- 2023-05-08
- Impact:
- LOW
- Summary:
- FortiGate researchers have identified one file that referenced an Indian state military research organization and an in-development nuclear missile. The file is meant to deploy malware with characteristics matching the APT group SideCopy. With activities dating back to at least 2019, this group has aligned its targeting with the goals and objectives of the Pakistani government.
Source:
https://www.fortinet.com/blog/threat-research/clean-rooms-nuclear-missiles-and-sidecopy
—
- Intel Source:
- KrebsonSecurity
- Intel Name:
- US_Job_Services_Leaks_Customer_Data
- Date of Scan:
- 2023-05-08
- Impact:
- LOW
- Summary:
- Researchers from KrebsonSecurity have identified a huge tranche of full credit card records exposed online; at first glance, the domain names involved appeared to be affiliated with the United States Postal Service.
—
- Intel Source:
- Cyble
- Intel Name:
- Phishing_Sites_Spreading_RAT_Called_DarkWatchMan
- Date of Scan:
- 2023-05-08
- Impact:
- LOW
- Summary:
- Cyble researchers have identified a phishing website that imitates a renowned Russian website, CryptoPro CSP. TAs are using this website to distribute the DarkWatchman malware.
Source:
https://blog.cyble.com/2023/05/05/sophisticated-darkwatchman-rat-spreads-through-phishing-sites/
—
- Intel Source:
- Meta
- Intel Name:
- Multiple_Malware_Targeting_Business_Users
- Date of Scan:
- 2023-05-07
- Impact:
- LOW
- Summary:
- Researchers from Meta have analyzed the persistent malware campaigns targeting businesses across the internet, including threat indicators to help raise the industry’s collective defenses across the internet.
Source:
https://engineering.fb.com/2023/05/03/security/malware-nodestealer-ducktail/
—
- Intel Source:
- Cyble
- Intel Name:
- New_KEKW_Malware_Variant_Detected_in_PyPI_Packages
- Date of Scan:
- 2023-05-07
- Impact:
- LOW
- Summary:
- Cyble researchers have uncovered multiple malicious Python .whl (Wheel) files that are found to be distributing a new malware named ‘KEKW’. KEKW malware can steal sensitive information from infected systems, as well as perform clipper activities which can lead to the hijacking of cryptocurrency transactions.
Source:
https://blog.cyble.com/2023/05/03/new-kekw-malware-variant-identified-in-pypi-package-distribution/
—
- Intel Source:
- Lab52
- Intel Name:
- Mustang_Panda_New_Campaign_Against_Australia
- Date of Scan:
- 2023-05-07
- Impact:
- LOW
- Summary:
- Lab52 researchers have found a zip file named Biography of Senator the Hon Don Farrell.zip. Hon Don Farrell is the current Australian Secretary of State for Trade and Tourism, indicating a targeted campaign against Australia.
Source:
https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
—
- Intel Source:
- Netscope
- Intel Name:
- The_Analysis_of_CrossLock_Ransomware
- Date of Scan:
- 2023-05-07
- Impact:
- LOW
- Summary:
- Netskope researchers have identified a new ransomware named CrossLock. It emerged in April 2023, targeting a large digital certifier company in Brazil. This ransomware was written in Go, which has also been adopted by other ransomware groups, including Hive, due to the cross-platform capabilities offered by the language.
Source:
https://www.netskope.com/blog/netskope-threat-coverage-crosslock-ransomware
—
- Intel Source:
- Sophos
- Intel Name:
- DLL_sideloading_Attacks_Gain_New_Air_With_a_Doubled_Dragon_Breath
- Date of Scan:
- 2023-05-07
- Impact:
- LOW
- Summary:
- Sophos researchers have spotted malicious DLL sideloading activity that builds on the classic sideloading scenario but adds complexity and layers to its execution.
Source:
https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/
—
- Intel Source:
- Sentilone
- Intel Name:
- The_Second_Variant_of_Atomic_Stealer_macOS_Malware
- Date of Scan:
- 2023-05-06
- Impact:
- LOW
- Summary:
- The threat actor has been busy looking for other ways to target macOS users with a different version of Atomic Stealer. In this post, SentinelOne takes a closer look at how Atomic Stealer works and describes a previously unreported second variant. They also provide a comprehensive list of indicators to aid threat hunters and security teams defending macOS endpoints.
—
- Intel Source:
- Cyble
- Intel Name:
- BlackBit_Ransomware
- Date of Scan:
- 2023-05-06
- Impact:
- MEDIUM
- Summary:
- AhnLab shared their analysis of BlackBit ransomware being distributed in Korea. BlackBit ransomware is a LokiLocker ransomware variant based on the RaaS model. The source code of BlackBit shows the ransomware is a copy of LokiLocker with some changes such as icons, name, and color scheme. BlackBit ransomware is sophisticated, with several capabilities to establish persistence, evade defenses, and impair recovery.
Source:
https://blog.cyble.com/2023/05/03/blackbit-ransomware-a-threat-from-the-shadows-of-lokilocker/
—
- Intel Source:
- Bushidotoken
- Intel Name:
- Raspberry_Robin_USB_malware_campaign
- Date of Scan:
- 2023-05-06
- Impact:
- LOW
- Summary:
- The Bushidotoken blog shares technical details about this malware and analyses how it runs, the commands it executes, the processes it uses, and what its C2 communications look like.
Source:
https://blog.bushidotoken.net/2023/05/raspberry-robin-global-usb-malware.html
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Infostealer_Embedded_in_a_Word_Document
- Date of Scan:
- 2023-05-06
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed a malicious Word document with an embedded object.
Source:
https://isc.sans.edu/diary/Infostealer+Embedded+in+a+Word+Document/29810/
—
- Intel Source:
- Sentilone
- Intel Name:
- Kimsuky_New_Global_Campaign
- Date of Scan:
- 2023-05-06
- Impact:
- MEDIUM
- Summary:
- SentinelLabs has observed ongoing attacks from Kimsuky, a North Korean state-sponsored APT that has a long history of targeting organizations across Asia, North America, and Europe. Ongoing campaigns use a new malware component called ReconShark, which is actively delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros. ReconShark operates as a reconnaissance tool with unique execution instructions and server communication methods. Recent activity has been linked to a broader set of activities attributed to North Korea.
Source:
https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/
—
- Intel Source:
- PaloAlto
- Intel Name:
- Malware_IcedID_information_stealer_configuration_analyses
- Date of Scan:
- 2023-05-05
- Impact:
- LOW
- Summary:
- Palo Alto researchers shared an example of an IcedID (information stealer) malware configuration, how it was obfuscated, and how they extracted it, walking through one IcedID binary and how its configuration is encrypted.
Source:
https://unit42.paloaltonetworks.com/teasing-secrets-malware-configuration-parsing/
—
- Intel Source:
- CERT-UA
- Intel Name:
- Destructive_cyberattack_UAC_0165_on_the_public_sector_of_Ukraine_using_RoarBat
- Date of Scan:
- 2023-05-05
- Impact:
- MEDIUM
- Summary:
- Upon receiving information about interference in the information and communication system (ICS) of one of the state organizations of Ukraine, measures to investigate a cyber attack were initiated. It was found that the performance of electronic computing machines (server equipment, automated user workstations, data storage systems) was impaired as a result of the destructive influence carried out using the appropriate software.
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Vidar_Infostealer_targeted_a_Polish_Healthcare_Industry
- Date of Scan:
- 2023-05-05
- Impact:
- LOW
- Summary:
- EclecticIQ researchers have observed a spearphishing email targeting the healthcare industry in Poland. The spoofed email appeared to be sent from a Polish government entity and contained an infected Microsoft Excel XLL attachment that can download and execute the Vidar infostealer malware.
—
- Intel Source:
- Checkpoint
- Intel Name:
- North_Korean_Group_ScarCruft_Deploying_RokRAT_Malware
- Date of Scan:
- 2023-05-04
- Impact:
- LOW
- Summary:
- Checkpoint researchers have identified that the North Korean threat actor known as ScarCruft started experimenting with oversized LNK files as a delivery route for RokRAT malware as early as July 2022, the same month Microsoft began blocking macros across Office documents by default.
Source:
https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/
—
- Intel Source:
- Mandiant
- Intel Name:
- The_Investigation_of_BRAINSTORM_and_RILIDE
- Date of Scan:
- 2023-05-04
- Impact:
- LOW
- Summary:
- Mandiant researchers have identified BRAINSTORM, a Rust-based dropper, which ultimately led to RILIDE, a Chromium-based extension first publicly reported by SpiderLabs. Careful investigation identified that the email and cryptocurrency theft ecosystem of RILIDE is larger than previously reported.
Source:
https://www.mandiant.com/resources/blog/lnk-between-browsers
—
- Intel Source:
- TrendMicro
- Intel Name:
- Earth_Longzhi_is_Back_With_New_Technique
- Date of Scan:
- 2023-05-04
- Impact:
- LOW
- Summary:
- TrendMicro researchers have discovered a new campaign by Earth Longzhi that is targeting organizations based in Taiwan, Thailand, the Philippines, and Fiji. The recent campaign, which follows months of dormancy, abuses a Windows Defender executable to perform DLL sideloading while also exploiting a vulnerable driver, zamguard64.sys, to disable security products installed on the hosts via a bring-your-own-vulnerable-driver (BYOVD) attack.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Internet_Threats_Are_Impersonating_Common_Industries_via_Phishing_Attacks_Web_Skimmer_Analysis_and_Many_More
- Date of Scan:
- 2023-05-03
- Impact:
- LOW
- Summary:
- PaloAlto researchers have observed the internet threat landscape and analyzed malicious URL distribution, geolocation, category analysis, and statistics describing attempted malware attacks. Also, this includes industry sectors being targeted for spoofing in phishing pages, as well as downloaded malware statistics, injected JavaScript malware analysis, and malicious DNS analysis.
Source:
https://unit42.paloaltonetworks.com/internet-threats-late-2022/
—
- Intel Source:
- ASEC
- Intel Name:
- CoinMiner_Distributing_to_Linux_SSH_Servers
- Date of Scan:
- 2023-05-03
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered XMRig CoinMiner being installed on poorly managed Linux SSH servers. The attacks have been happening with a distinct pattern since 2022; they involve the use of malware developed with Shell Script Compiler when installing XMRig, as well as the creation of a backdoor SSH account.
—
- Intel Source:
- SocRadar
- Intel Name:
- Diving_Deep_into_BlackByte_Ransomware
- Date of Scan:
- 2023-05-03
- Impact:
- LOW
- Summary:
- Researchers from SOCRadar have analyzed the BlackByte ransomware. It is a ransomware operation that began targeting corporate victims worldwide in July 2021. The first findings regarding the group emerged after victims sought help decrypting their files.
Source:
https://socradar.io/dark-web-profile-blackbyte-ransomware/
—
- Intel Source:
- Prodaft
- Intel Name:
- Russian_APT_Hacked_Tajikistani_Carrier_to_Spy_on_Government_and_Public_Services
- Date of Scan:
- 2023-05-03
- Impact:
- MEDIUM
- Summary:
- Researchers from Prodaft have observed a Russian espionage group tracked as Nomadic Octopus spying on Tajikistan’s high-ranking government officials, public service infrastructures, and telecoms services, likely by infiltrating a mobile phone carrier.
Source:
https://www.prodaft.com/m/reports/PAPERBUG_TLPWHITE-1.pdf
—
- Intel Source:
- Cyble
- Intel Name:
- Malware_Families_Leveraging_AresLoader_for_Distribution
- Date of Scan:
- 2023-05-03
- Impact:
- LOW
- Summary:
- Cyble researchers have observed a new loader called AresLoader that is used to spread several types of malware families. It is a loader malware written in the C programming language that first emerged in cybercrime forums and Telegram channels in 2022.
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Overview_of_UNIZA_Ransomware
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- Fortinet researchers have discovered a new ransomware variant called UNIZA. Like other ransomware variants, it uses the Command Prompt (cmd.exe) window to display its ransom message; interestingly, it does not append an extension to the names of the files it encrypts, making it more difficult to determine which files have been impacted.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-uniza-coverage
—
- Intel Source:
- Guardio
- Intel Name:
- The_Unstoppable_Malverposting_Continues
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- In this post, Guardio researchers shared the huge number of IOC detections of malverposting, along with a very detailed analysis of one campaign using adult-rated clickbait to deliver sophisticated malware, making it even harder to detect and too easy to mass propagate.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Ransomware_Family_Rapture_is_Similar_to_Paradise
- Date of Scan:
- 2023-05-01
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have observed a type of ransomware targeting its victims via a minimalistic approach with tools that leave only a minimal footprint behind. The findings revealed many of the preparations made by the perpetrators and how quickly they managed to carry out the ransomware attack.
—
- Intel Source:
- Trellix
- Intel Name:
- Threat_Actors_Leveraging_SEO_Poisoning
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- Trellix researchers have identified that hackers continue to innovate their techniques to infect victims, with SEO poisoning being one of the recent trends.
—
- Intel Source:
- Mitiga
- Intel Name:
- A_malicious_Mitiga_document
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- Last January, an attacker uploaded a malicious .docx file to VirusTotal. He used several of Mitiga’s publicly available branding elements, including logo, fonts, and colors, to lend credibility to the document.
Source:
https://www.mitiga.io/blog/mitiga-advisory-virus-total
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Email_analyses_April_9_15th_2023
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- ASEC lab researchers continuously monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. Their post shares the cases of distribution of phishing emails during the week from April 9th, 2023 to April 15th, 2023 and provides statistical information on each type.
—
- Intel Source:
- Elastic
- Intel Name:
- New_LOBSHOT_Malware_Deploying_Via_Google_Ads
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- Researchers from Elastic Security Labs have observed a malware family called LOBSHOT. It continues to collect victims while remaining undetected. The infrastructure belongs to TA505, the well-known cybercriminal group associated with the Dridex, Locky, and Necurs campaigns.
Source:
https://www.elastic.co/security-labs/elastic-security-labs-discovers-lobshot-malware
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_Statistics
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 21st, 2022 (Monday) to November 27th (Sunday).
—
- Intel Source:
- Malwarebytes
- Intel Name:
- An_Ongoing_Magecart_Campaign
- Date of Scan:
- 2023-04-30
- Impact:
- LOW
- Summary:
- Malwarebytes researchers have identified an ongoing Magecart campaign that is leveraging realistic-looking fake payment screens to capture sensitive data entered by unsuspecting users.
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/04/kritec-art
—
- Intel Source:
- CERT-UA
- Intel Name:
- Hackers_From_APT28_Group_Distributing_Emails_With_Instructions_on_Updating_OS
- Date of Scan:
- 2023-04-30
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have observed the distribution of emails with the subject “Windows Update”, allegedly sent on behalf of departmental system administrators. At the same time, the senders’ email addresses, created on the @outlook.com public service, may be formed using the real name and initials of the employee.
—
- Intel Source:
- Uptycs
- Intel Name:
- RTM_Locker_Ransomware_as_a_Service_Now_Suits_Linux_Architecture
- Date of Scan:
- 2023-04-27
- Impact:
- LOW
- Summary:
- Uptycs researchers have discovered a new ransomware binary attributed to the RTM group, a known ransomware-as-a-service (RaaS) provider. This is the first time the group has created a Linux binary. Its locker ransomware infects Linux, NAS, and ESXi hosts and appears to be inspired by Babuk ransomware’s leaked source code.
Source:
https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux
—
- Intel Source:
- PaloAlto
- Intel Name:
- PingPull_Malware_is_Updated_by_Chinese_Alloy_Taurus
- Date of Scan:
- 2023-04-27
- Impact:
- LOW
- Summary:
- Unit 42 researchers have identified a new variant of PingPull malware used by Alloy Taurus actors designed to target Linux systems. While following the infrastructure leveraged by the actor for this PingPull variant, they also identified the actor's use of another backdoor they track as Sword2033.
—
- Intel Source:
- TrendMicro
- Intel Name:
- TrafficStealer_Abusing_Open_Container_APIs
- Date of Scan:
- 2023-04-27
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have discovered a different type of attack: a piece of software that leverages Docker containers to generate money through monetized traffic. Although the software itself appears to be legitimate, it likely has compromised components, which result in it being monitored as a potentially unwanted application.
—
- Intel Source:
- Bitdefender
- Intel Name:
- The_BellaCiao_Malware_of_Iran
- Date of Scan:
- 2023-04-27
- Impact:
- MEDIUM
- Summary:
- BitDefender researchers have observed the modernization of Charming Kitten’s tactics, techniques, and procedures, including a new, previously unseen malware. This malware is tailored to suit individual targets and exhibits a higher level of complexity, evidenced by a unique communication approach with its command-and-control (C2) infrastructure.
Source:
https://businessinsights.bitdefender.com/unpacking-bellaciao-a-closer-look-at-irans-latest-malware
—
- Intel Source:
- Cyble
- Intel Name:
- Hackers_Selling_New_Atomic_macOS_Stealer_on_Telegram
- Date of Scan:
- 2023-04-27
- Impact:
- LOW
- Summary:
- Cyble Researchers have discovered a Telegram channel advertising a new information-stealing malware called Atomic macOS Stealer (AMOS). The malware is specifically designed to target macOS and can steal sensitive information from the victim’s machine.
Source:
https://blog.cyble.com/2023/04/26/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/
—
- Intel Source:
- Aqua
- Intel Name:
- The_Exploiting_of_Kubernetes_RBAC_by_attackers
- Date of Scan:
- 2023-04-27
- Impact:
- LOW
- Summary:
- Aqua researchers have observed new evidence that attackers are exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) in the wild to create backdoors. The attackers also tried to launch DaemonSets to take control of and seize resources from the K8s clusters they attack. Aqua's analysis suggests that this campaign is actively targeting at least 60 clusters in the wild.
Source:
https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
—
- Intel Source:
- Welivesecurity
- Intel Name:
- APT_Group_Panda_Delivering_Malware_via_Software_Updates
- Date of Scan:
- 2023-04-27
- Impact:
- HIGH
- Summary:
- ESET researchers discovered a new campaign by the APT group known as Evasive Panda targeting an international NGO in China with malware delivered through updates of popular Chinese software.
—
- Intel Source:
- Cyble
- Intel Name:
- PaperCut_actively_exploited_in_the_Wild
- Date of Scan:
- 2023-04-27
- Impact:
- MEDIUM
- Summary:
- Earlier this month, PaperCut shared a security alert stating that they have evidence that unpatched servers are being exploited in the wild. Russian hackers are suspected of exploiting the PaperCut vulnerability. The advisories provided by vendors shared insights into the two CVEs, CVE-2023-27350 (severity: Critical) and CVE-2023-27351 (severity: High). Cyble researchers shared their details on these in their post.
Source:
https://blog.cyble.com/2023/04/25/print-management-software-papercut-actively-exploited-in-the-wild/
—
- Intel Source:
- Sekoia
- Intel Name:
- Raccoon_and_Vidar_Stealers_Spreading_Fake_Cracked_new
- Date of Scan:
- 2023-04-27
- Impact:
- MEDIUM
- Summary:
- Sekoia researchers have identified the infection chain that is using about a hundred fake cracked software catalog websites that redirect to several links before downloading the payload hosted on file share platforms, such as GitHub.
—
- Intel Source:
- ASEC
- Intel Name:
- Tonto_Team_Using_Anti_Malware_Related_Files_for_DLL_Side_Loading
- Date of Scan:
- 2023-04-26
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified that the Tonto Team threat group, which mainly targets Asian countries, has been distributing Bisonal malware.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Phishing_Attack_Increasing_in_Singapore_for_Tax_Portal
- Date of Scan:
- 2023-04-26
- Impact:
- LOW
- Summary:
- Researchers from SANS have identified an IRAS phishing website that looks legitimate; the website asks users to input their Singapore Personal Access (Singpass) credentials, which are used to access government and private services (such as banking) in Singapore.
Source:
https://isc.sans.edu/diary/Strolling+through+Cyberspace+and+Hunting+for+Phishing+Sites/29780/
—
- Intel Source:
- ASEC
- Intel Name:
- RokRAT_Malware_Distributing_Through_LNK_Files
- Date of Scan:
- 2023-04-26
- Impact:
- LOW
- Summary:
- ASEC researchers have observed that the RedEyes threat group (also known as APT37, ScarCruft), which distributed CHM Malware Disguised as Security Email from a Korean Financial Company last month, has also recently distributed the RokRAT malware through LNK files.
—
- Intel Source:
- Infoblox
- Intel Name:
- Finding_Decoy_Dog_Toolkit_via_Anomalous_DNS_Traffic
- Date of Scan:
- 2023-04-26
- Impact:
- LOW
- Summary:
- Researchers from Infoblox have identified a new malware toolkit named Decoy Dog that allows attackers to avoid standard detection techniques and target enterprises. It uses DNS query dribbling and strategic domain aging techniques to bypass security checks.
—
- Intel Source:
- Zero Day Initiative (ZDI)
- Intel Name:
- New_the_Mirai_botnet_exploit
- Date of Scan:
- 2023-04-26
- Impact:
- MEDIUM
- Summary:
- The Zero Day Initiative threat-hunting team recently discovered new exploit attempts in Eastern Europe showing that the Mirai botnet has been updated to exploit CVE-2023-1389, also known as ZDI-CAN-19557/ZDI-23-451. This vulnerability in the TP-Link Archer AX21 Wi-Fi router was originally disclosed to ZDI during the Pwn2Own Toronto event, where it was used by Team Viettel in their LAN-side entry against the TP-Link device and by Qrious Security in their WAN-side entry.
—
- Intel Source:
- Checkpoint
- Intel Name:
- New_Findings_of_Educated_Manticore
- Date of Scan:
- 2023-04-25
- Impact:
- MEDIUM
- Summary:
- Researchers from Checkpoint have revealed new findings on an activity cluster closely related to Phosphorus. It presents a new and improved infection chain leading to the deployment of a new version of PowerLess. This implant was previously attributed to Phosphorus, an Iran-affiliated threat group operating in the Middle East and North America.
—
- Intel Source:
- Securelist
- Intel Name:
- The_Analysis_of_Tomiris_Group
- Date of Scan:
- 2023-04-25
- Impact:
- LOW
- Summary:
- Securelist researchers have continued to track Tomiris as a separate threat actor over three new attack campaigns between 2021 and 2023 and it is targeting government and diplomatic entities in the CIS.
Source:
https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/
—
- Intel Source:
- ReversingLabs
- Intel Name:
- Repurposing_Package_Name_on_PyPI_to_Push_Malware
- Date of Scan:
- 2023-04-25
- Impact:
- LOW
- Summary:
- Researchers from ReversingLabs have observed a malicious package on the Python Package Index (PyPI) named termcolour, a three-stage downloader published in multiple versions.
Source:
https://www.reversinglabs.com/blog/package-names-repurposed-to-push-malware-on-pypi
—
- Intel Source:
- Cofense
- Intel Name:
- After_15_Years_release_Open_Source_Gh0st_RAT_still_Haunting_Inboxes
- Date of Scan:
- 2023-04-25
- Impact:
- LOW
- Summary:
- Cofense Intelligence Unit discovered Gh0st RAT, an old open-source RAT, targeting a healthcare organization. Gh0st RAT was created by a Chinese hacking group named C. The public release of the Gh0st RAT source code made it easy for threat actors to manipulate victims. Its information-stealing capabilities include taking full control of the infected machine, recording keystrokes in real time with offline logging available, accessing live webcam feeds including microphone recording, downloading files remotely, remote shutdown and reboot, and disabling user input.
Source:
https://cofense.com/blog/open-source-gh0st-rat-still-haunting-inboxes-15-years-after-release/
—
- Intel Source:
- Securonix Threat Labs
- Intel Name:
- New_OCX_HARVESTER_Attack_Campaign_Using_Modernized_More_Eggs_Suite
- Date of Scan:
- 2023-04-24
- Impact:
- MEDIUM
- Summary:
- Securonix Threat Labs researchers have observed a new attack campaign tracked as OCX#HARVESTER. Some of the malicious payloads leveraged as part of the attack campaign observed appear to be related to the More_eggs malicious payloads reported earlier.
—
- Intel Source:
- Huntress
- Intel Name:
- Zero_Day_Vulnerabilities_in_PaperCut_Print_Management_Software
- Date of Scan:
- 2023-04-24
- Impact:
- LOW
- Summary:
- Researchers from Huntress have tracked the exploitation of zero-day vulnerabilities against PaperCut MF/NG which allow for unauthenticated remote code execution due to an authentication bypass.
Source:
https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
—
- Intel Source:
- TrendMicro
- Intel Name:
- ViperSoftX_Encryption_Updates
- Date of Scan:
- 2023-04-24
- Impact:
- LOW
- Summary:
- TrendMicro researchers have observed cryptocurrency and information stealer ViperSoftX evading initial loader detection and making its lure more believable by making the initial package loader via cracks, keygens, activators, and packers non-malicious.
Source:
https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html
—
- Intel Source:
- Symantec
- Intel Name:
- X_Trader_Supply_Chain_Attack_Affecting_Critical_Infrastructure_Organizations_in_US_and_Europe
- Date of Scan:
- 2023-04-24
- Impact:
- MEDIUM
- Summary:
- Researchers from Symantec have identified that North Korean-linked operations affected more organizations beyond 3CX, including two critical infrastructure organizations in the energy sector.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain
—
- Intel Source:
- Cyble
- Intel Name:
- The_QakBot_Malware_Continues_to_Evolve
- Date of Scan:
- 2023-04-24
- Impact:
- LOW
- Summary:
- Cyble Research Intelligence Labs have observed that several malware families, such as AsyncRAT, QuasarRAT, DCRAT, etc., have been found using OneNote attachments as part of their tactics. In February 2023, the well-known malware, Qakbot, started using OneNote attachments in their spam campaigns.
Source:
https://blog.cyble.com/2023/04/21/qakbot-malware-continues-to-morph/
—
- Intel Source:
- Jamf
- Intel Name:
- BlueNoroff_APT_Group_Targeting_macOS_With_RustBucket_Malware
- Date of Scan:
- 2023-04-24
- Impact:
- LOW
- Summary:
- Jamf Threat Labs have discovered a macOS malware family that communicates with command and control (C2) servers to download and execute various payloads. They track and protect against this malware family under the name ‘RustBucket’ and suspect it to be attributed to a North Korean, state-sponsored threat actor.
Source:
https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/
—
- Intel Source:
- Sophos
- Intel Name:
- Two_New_QakBot_C2_Servers_Detected
- Date of Scan:
- 2023-04-22
- Impact:
- LOW
- Summary:
- Sophos researchers have detected two new QakBot servers that have not yet been publicly identified. These servers are used by threat actors to manage and control QakBot infections, a banking trojan that has been active since 2008 and primarily targets financial institutions and their customers.
Source:
https://news.sophos.com/en-us/2023/04/20/new-qakbot-c2-servers-detected-with-sophos-ndr/
—
- Intel Source:
- PaloAlto
- Intel Name:
- Scams_Involving_ChatGPT_Are_on_the_Rise
- Date of Scan:
- 2023-04-22
- Impact:
- LOW
- Summary:
- Unit42 researchers have monitored the newly registered domains and squatting domains related to ChatGPT, as it is one of the fastest-growing consumer applications in history. The dark side of this popularity is that ChatGPT is also attracting the attention of scammers seeking to benefit from using wording and domain names that appear related to the site.
Source:
https://unit42.paloaltonetworks.com/chatgpt-scam-attacks-increasing/
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Examination_of_EvilExtractor_Tool
- Date of Scan:
- 2023-04-22
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs researchers have analyzed the EvilExtractor tool, an attack tool designed to target Windows operating systems and extract data and files from endpoint devices. They also observed this malware in a phishing email campaign on 30 March.
Source:
https://www.fortinet.com/blog/threat-research/evil-extractor-all-in-one-stealer
—
- Intel Source:
- Welivesecurity
- Intel Name:
- Lazarus_Hackers_Pushing_Linux_Malware_via_Fake_Job_Offers
- Date of Scan:
- 2023-04-22
- Impact:
- MEDIUM
- Summary:
- Researchers from Welivesecurity identified a new Lazarus campaign, considered part of "Operation DreamJob", targeting Linux users with malware for the first time.
—
- Intel Source:
- Symantec
- Intel Name:
- Daggerfly_APT_Group_Targeting_Telecoms_Company_in_Africa
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Researchers from Symantec have identified that telecommunication service providers in Africa are the target of a new campaign orchestrated by a China-linked threat actor since at least November 2022.
—
- Intel Source:
- Sucuri
- Intel Name:
- Hackers_Using_Abandoned_WordPress_Plugins_to_Backdoor_Websites
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Sucuri researchers have identified that attackers are using Eval PHP, an outdated legitimate WordPress plugin, to compromise websites by injecting stealthy backdoors.
Source:
https://blog.sucuri.net/2023/04/massive-abuse-of-abandoned-evalphp-wordpress-plugin.html
—
- Intel Source:
- Sophos
- Intel Name:
- EDR_Killer_AuKill_Exploiting_Process_Explorer_Drivers
- Date of Scan:
- 2023-04-21
- Impact:
- MEDIUM
- Summary:
- Sophos researchers have investigated multiple incidents where attackers attempted to disable EDR clients with a new defense evasion tool dubbed AuKill. The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.
Source:
https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/
—
- Intel Source:
- Team-Cymru
- Intel Name:
- SideCopy_Attack_Chain_Deploying_AllaKore_RAT
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Researchers from Team-Cymru have analyzed the SideCopy group and discovered the SideCopy attack chain used to deploy AllaKore RAT. It is an open-source remote access tool that has been modified for the purposes of SideCopy operations and is commonly observed in their intrusions.
Source:
https://www.team-cymru.com/post/allakore-d-the-sidecopy-train
—
- Intel Source:
- Secureworks
- Intel Name:
- Bumblebee_Malware_Distributing_Via_Trojanized_Installer_Downloads
- Date of Scan:
- 2023-04-21
- Impact:
- MEDIUM
- Summary:
Source:
https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads
—
- Intel Source:
- ASEC
- Intel Name:
- Distribution_of_the_BlackBit_ransomware
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of the BlackBit ransomware disguised as svchost.exe during the team’s monitoring. According to ASEC’s internal infrastructure, the BlackBit ransomware has been continuously distributed
—
- Intel Source:
- Google Blog
- Intel Name:
- Russian_Hackers_Conducting_Phishing_Attacks_in_Ukraine
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Google Threat Analysis researchers have observed that Russian government-backed phishing campaigns targeted users in Ukraine the most, with the country accounting for over 60% of observed Russian targeting.
Source:
https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/
—
- Intel Source:
- CSIRT-MON
- Intel Name:
- Belarus_Linked_Hacking_Group_Targeting_Poland_With_New_Disinformation_Campaign
- Date of Scan:
- 2023-04-21
- Impact:
- MEDIUM
- Summary:
- CSIRT-MON researchers have issued a warning Wednesday about a recent disinformation campaign that has been traced back to the Belarusian hacking group known as Ghostwriter.
Source:
https://csirt-mon.wp.mil.pl/pl/articles/6-aktualnosci/dezinformacja-o-rekrutacji-do-litpolukrbrig/
—
- Intel Source:
- Symantec
- Intel Name:
- Play_Ransomware_Group_Using_New_Custom_Data_Gathering_Tools
- Date of Scan:
- 2023-04-21
- Impact:
- MEDIUM
- Summary:
- Symantec researchers have identified that the Play ransomware group is using two new, custom-developed tools that allow it to enumerate all users and computers on a compromised network, and copy files from the Volume Shadow Copy Service (VSS) that are normally locked by the operating system.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Hackers_Promptly_Adopting_Web3_IPFS_Technology
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- PaloAlto researchers have observed several types of cyberthreats using the InterPlanetary File System (IPFS), including phishing, credential theft, command and control (C2) communications, and malicious payload distribution. They also observed a significant jump in IPFS-related traffic at the beginning of 2022.
Source:
https://unit42.paloaltonetworks.com/ipfs-used-maliciously/
—
- Intel Source:
- NTT Security
- Intel Name:
- USB_Based_FlowCloud_Malware_Attacks
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Researchers from NTT Security have observed that several companies have been infected with FlowCloud, malware used by an attack group called TA410 that has been observed since around 2019.
Source:
https://insight-jp.nttsecurity.com/post/102id0t/usbflowcloud
—
- Intel Source:
- Threatmon
- Intel Name:
- New_Attack_Chain_Uncovered_From_Blind_Eagle_Cyber_Espionage_Group
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Researchers from Threatmon have observed that the cyber espionage actor tracked as Blind Eagle has been linked to a new multi-stage attack chain that leads to the deployment of the NjRAT remote access trojan on compromised systems.
Source:
https://threatmon.io/apt-blind-eagles-malware-arsenal-technical-analysis/
—
- Intel Source:
- Uptycs
- Intel Name:
- Hackers_From_Pakistan_Using_Linux_Malware_Poseidon_to_Target_Indian_Government_Agencies
- Date of Scan:
- 2023-04-20
- Impact:
- MEDIUM
- Summary:
- Researchers from Uptycs have identified a Pakistan-based advanced persistent threat actor known as Transparent Tribe using a two-factor authentication (2FA) tool used by Indian government agencies as a ruse to deliver a new Linux backdoor called Poseidon.
Source:
https://www.uptycs.com/blog/cyber_espionage_in_india_decoding_apt_36_new_linux_malware
—
- Intel Source:
- Cofense
- Intel Name:
- Phishing_Campaign_Targeting_EPOS_Net_Customers
- Date of Scan:
- 2023-04-20
- Impact:
- LOW
- Summary:
- Cofense Phishing Defense Center has observed a sophisticated phishing campaign targeting customers of EPOS Net, a large Japanese credit card company. The campaign is notable for its meticulously crafted emails and cloned website, as well as its use of official customer service numbers to establish an illusion of legitimacy.
—
- Intel Source:
- Blackberry
- Intel Name:
- Google_Ads_Abuse_and_Spear_Phishing_Campaigns_Impersonating_Spains_Tax_Agency
- Date of Scan:
- 2023-04-20
- Impact:
- LOW
- Summary:
- Researchers from BlackBerry have observed two parallel malicious campaigns that use the same infrastructure but have different purposes. The first campaign is related to a malvertising Google Ads Platform and the second campaign is related to a massive spear-phishing campaign targeting large organizations based in Spain. The campaign impersonated Spain’s tax agency, with the goal of harvesting the email credentials of companies in Spain.
—
- Intel Source:
- Cyble
- Intel Name:
- New_Strain_of_Ransomware_Named_CrossLock
- Date of Scan:
- 2023-04-20
- Impact:
- LOW
- Summary:
- Cyble researchers have discovered a new strain of ransomware called CrossLock, which is written in the programming language “Go”. It employs the double-extortion technique to increase the likelihood of payment from its victims and this technique involves encrypting the victim’s data as well as exfiltrating it from their system.
—
- Intel Source:
- Zscaler
- Intel Name:
- A_New_Backdoor_Called_Devopt
- Date of Scan:
- 2023-04-19
- Impact:
- LOW
- Summary:
- Zscaler ThreatLabz researchers have identified a new backdoor called ‘Devopt’. It utilizes hard-coded names for persistence and offers several functionalities, including keylogging, stealing browser credentials, clipper, and more. Multiple versions of the backdoor have surfaced in just the last few days, indicating that it is still in development.
Source:
https://www.zscaler.com/blogs/security-research/introducing-devopt-multifunctional-backdoor-arsenal
—
- Intel Source:
- Microsoft
- Intel Name:
- Attacking_High_Value_Targets_With_Mint_Sandstorm
- Date of Scan:
- 2023-04-19
- Impact:
- MEDIUM
- Summary:
- Microsoft researchers have observed a mature subgroup of Mint Sandstorm, an Iranian nation-state actor previously tracked as PHOSPHORUS, refining its tactics, techniques, and procedures (TTPs). Specifically, this subset has rapidly weaponized N-day vulnerabilities in common enterprise applications and conducted highly-targeted phishing campaigns to quickly and successfully access environments of interest.
—
- Intel Source:
- Morphisec
- Intel Name:
- The_Critical_Component_of_Aurora_Stealer_Attack_Delivery_Chain
- Date of Scan:
- 2023-04-19
- Impact:
- LOW
- Summary:
- Morphisec researchers have observed that the component that makes Aurora’s delivery stealthy and dangerous is a highly evasive loader named “in2al5d p3in4er.” It is compiled with Embarcadero RAD Studio and targets endpoint workstations using advanced anti-VM (virtual machine) techniques.
—
- Intel Source:
- Group-IB
- Intel Name:
- Hackers_From_Iran_Leveraging_SimpleHelp_Remote_Support_Software_for_Persistent_Access
- Date of Scan:
- 2023-04-18
- Impact:
- MEDIUM
- Summary:
- Researchers from Group-IB have identified that the Iranian threat actor known as MuddyWater is continuing its time-tested tradition of relying on legitimate remote administration tools to commandeer targeted systems.
Source:
https://www.group-ib.com/blog/muddywater-infrastructure/
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_Examination_of_BabLock_Ransomware
- Date of Scan:
- 2023-04-18
- Impact:
- LOW
- Summary:
- TrendMicro researchers have analyzed stealthy and expeditious ransomware called BabLock (aka Rorschach). It has recently been making waves due to its sophisticated and fast-moving attack chain that uses subtle yet effective techniques.
Source:
https://www.trendmicro.com/en_us/research/23/d/an-analysis-of-the-bablock-ransomware.html
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Gamaredon_Groups_Automated_Spear_Phishing_Campaigns_Revealed_by_Exposed_Web_Panel
- Date of Scan:
- 2023-04-18
- Impact:
- MEDIUM
- Summary:
- EclecticIQ researchers have identified a spear phishing campaign targeting Ukrainian government entities like the Foreign Intelligence Service of Ukraine (SZRU) and the Security Service of Ukraine (SSU), likely conducted by APT group Gamaredon.
—
- Intel Source:
- ASEC
- Intel Name:
- The_Activities_of_Tick_Group
- Date of Scan:
- 2023-04-18
- Impact:
- LOW
- Summary:
- Researchers from ASEC have continued to track the Tick group, which has been targeting government agencies, the military, and various industries in Korea and Japan for over a decade.
—
- Intel Source:
- Securelist
- Intel Name:
- QBot_Banker_Delivering_Via_Business_Correspondence
- Date of Scan:
- 2023-04-18
- Impact:
- LOW
- Summary:
- Securelist researchers have observed a significant increase in attacks that use banking Trojans of the QBot family. The malware is delivered through e-mails written in different languages, with variations in English, German, Italian, and French. The messages were based on real business letters the attackers had gained access to, which gave them the opportunity to join the correspondence thread with messages of their own.
Source:
https://securelist.com/qbot-banker-business-correspondence/109535/
—
- Intel Source:
- ASEC
- Intel Name:
- Trigona_Ransomware_Attacking_MS_SQL_Servers
- Date of Scan:
- 2023-04-18
- Impact:
- MEDIUM
- Summary:
- ASEC researchers have discovered that the Trigona ransomware is being installed on poorly managed MS-SQL servers; typical attacks include brute-force and dictionary attacks against systems where account credentials are poorly managed.
—
- Intel Source:
- ZScaler
- Intel Name:
- The_Analysis_of_Trigona_Ransomware
- Date of Scan:
- 2023-04-17
- Impact:
- LOW
- Summary:
- Zscaler researchers have analyzed the Trigona ransomware. It is written in the Delphi programming language and has been active since at least June 2022.
Source:
https://www.zscaler.com/blogs/security-research/technical-analysis-trigona-ransomware
—
- Intel Source:
- Fortinet
- Intel Name:
- An_Overview_of_Tax_Scammers
- Date of Scan:
- 2023-04-17
- Impact:
- MEDIUM
- Summary:
- Fortinet researchers have analyzed a few examples of malware that take advantage of tax season. Attackers make every attempt to scam taxpayers for financial gain and data exfiltration for future attacks.
Source:
https://www.fortinet.com/blog/threat-research/tax-scammers-at-large
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- Threat_Actors_From_Conti_and_FIN7_Collaborate_With_Domino_Backdoor
- Date of Scan:
- 2023-04-17
- Impact:
- MEDIUM
- Summary:
- Researchers from IBM Security have discovered a new malware family called Domino that was created by developers associated with the cybercriminal group that X-Force tracks as ITG14, also known as FIN7.
Source:
https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/
—
- Intel Source:
- Uptycs
- Intel Name:
- Zaraza_Bot_Credential_Stealer_Targeting_Browser_Passwords
- Date of Scan:
- 2023-04-17
- Impact:
- LOW
- Summary:
- Researchers from the Uptycs team have identified a new variant of credential-stealing malware, dubbed Zaraza bot, which uses Telegram as its command and control; "zaraza" is the Russian word for infection.
Source:
https://www.uptycs.com/blog/zaraza-bot-credential-password-stealer
—
- Intel Source:
- Malware Hunter
- Intel Name:
- LockBit_Encryptor_Targeting_macOS_System
- Date of Scan:
- 2023-04-17
- Impact:
- MEDIUM
- Summary:
- Researchers from Malware Hunter team have warned that the LockBit ransomware gang has developed encryptors to target macOS devices.
Source:
https://twitter.com/malwrhunterteam/status/1647384505550876675
—
- Intel Source:
- NTT Security
- Intel Name:
- Fraudulent_Campaign_Using_Fake_Google_Chrome_Error_to_Spread_Malware
- Date of Scan:
- 2023-04-17
- Impact:
- LOW
- Summary:
- Researchers from NTT Security have observed an attack campaign distributing malware from a web page disguised as a Google Chrome error message since around November 2022. It has been active since around February 2023, and the attacks have been confirmed across a very wide area, so close attention is required.
—
- Intel Source:
- Ciberdefensa
- Intel Name:
- Bitter_Group_CHM_malware_distribution
- Date of Scan:
- 2023-04-16
- Impact:
- LOW
- Summary:
- The Bitter group has been distributing CHM malware to certain Chinese organizations through compressed email attachments with filenames such as “Project Plan 2023.chm”. When executed, the CHM files display content related to Chinese and Russian organizations and activate a malicious script that executes additional malware.
—
- Intel Source:
- Yoroi
- Intel Name:
- Money_Ransomware
- Date of Scan:
- 2023-04-16
- Impact:
- LOW
- Summary:
- The article discusses the Money Ransomware group, which utilizes a double extortion model by encrypting data and exfiltrating sensitive information, threatening to publish the data unless a ransom is paid.
Source:
https://yoroi.company/research/money-ransomware-the-latest-double-extortion-group/?&web_view=true
—
- Intel Source:
- Trellix
- Intel Name:
- The_Activity_of_Emerging_Cybercriminal_Group_Named_Read_The_Manual_RTM_Locker
- Date of Scan:
- 2023-04-15
- Impact:
- LOW
- Summary:
- Researchers from Trellix have detailed the tactics, techniques, and procedures of an emerging cybercriminal gang called ‘Read The Manual’ (RTM) Locker. The group provides ransomware-as-a-service (RaaS) and supplies its malicious code to a network of affiliates under strict rules.
—
- Intel Source:
- Microsoft
- Intel Name:
- Threat_Actors_Try_to_Wreak_Havoc_on_Tax_Day
- Date of Scan:
- 2023-04-15
- Impact:
- MEDIUM
- Summary:
- Microsoft researchers have observed phishing attacks targeting accounting and tax return preparation firms to deliver the Remcos remote access trojan (RAT) and compromise target networks beginning in February of this year.
—
- Intel Source:
- Sophos
- Intel Name:
- Malware_Attacks_on_Tax_Firms
- Date of Scan:
- 2023-04-15
- Impact:
- LOW
- Summary:
- Sophos researchers have observed that a threat actor is targeting financial accounting firms and CPAs with an attack that combines social engineering with a novel exploit against Windows computers to deliver malware called GuLoader.
Source:
https://news.sophos.com/en-us/2023/04/13/tax-firms-targeted-by-precision-malware-attacks/
—
- Intel Source:
- Sentinelone
- Intel Name:
- APT36_Group_Targeting_Indian_Education_Sector
- Date of Scan:
- 2023-04-14
- Impact:
- MEDIUM
- Summary:
- Researchers from SentinelOne have identified a cluster of malicious Office documents that distribute Crimson RAT, used by the APT36 group (also known as Transparent Tribe) targeting the education sector.
—
- Intel Source:
- CERT-PL
- Intel Name:
- Russian_Hackers_Targeting_NATO_and_EU
- Date of Scan:
- 2023-04-14
- Impact:
- MEDIUM
- Summary:
- Researchers from the Military Counterintelligence Service and the CERT Polska team have observed a widespread espionage campaign linked to Russian intelligence services and targeting NATO and the EU.
Source:
https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services
—
- Intel Source:
- ASEC
- Intel Name:
- Bitter_Group_Distributing_CHM_Malware_to_Chinese_Organizations
- Date of Scan:
- 2023-04-14
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified multiple instances of the Bitter group distributing CHM malware to certain Chinese organizations. The files used in the recent attack are distributed as compressed email attachments. The compressed files contain a CHM file with varying filenames.
—
- Intel Source:
- CADO
- Intel Name:
- New_Legion_Hacktool_Stealing_Credentials_From_Misconfigured_Sites
- Date of Scan:
- 2023-04-14
- Impact:
- MEDIUM
- Summary:
- CADO Security researchers have identified a new Python-based credential harvester and SMTP hijacking tool named ‘Legion’ that is being sold on Telegram that targets online email services for phishing and spam attacks.
Source:
https://www.cadosecurity.com/legion-an-aws-credential-harvester-and-smtp-hijacker/
—
- Intel Source:
- Netskope
- Intel Name:
- DigitalOceans_Tech_Support_Scam_Shifts_to_StackPaths_CDN
- Date of Scan:
- 2023-04-13
- Impact:
- MEDIUM
- Summary:
- Netskope researchers have identified that attackers previously abusing DigitalOcean to host a tech support scam have expanded the operation, now abusing StackPath CDN to distribute the scam, and are likely to start abusing additional cloud services to deliver the scam in the near future.
Source:
https://www.netskope.com/pt/blog/tech-support-scam-pivots-from-digitalocean-to-stackpath-cdn
—
- Intel Source:
- Tehtris
- Intel Name:
- Color1337_Cryptojacking_Campaign_Targeting_Linux_Machines
- Date of Scan:
- 2023-04-13
- Impact:
- LOW
- Summary:
- Researchers from Tehtris have identified a cryptojacking campaign, believed to have originated from Romania, and targeting Linux machines. This campaign, dubbed Color1337, leverages a botnet to mine Monero and the botnet can propagate itself to other machines across the network.
Source:
https://tehtris.com/en/blog/linux-focus-on-a-cryptomining-attack-dubbed-color1337
—
- Intel Source:
- Esentire
- Intel Name:
- GuLoader_Targeting_the_Financial_Sector_Using_a_Taxthemed_Phishing_Lure
- Date of Scan:
- 2023-04-13
- Impact:
- MEDIUM
- Summary:
- Researchers from Esentire have observed GuLoader targeting the financial sector via the phishing email using a tax-themed lure. The phishing email contains a shared link to Adobe Acrobat, where the user can download the password-protected ZIP archive.
—
- Intel Source:
- Esentire
- Intel Name:
- Rise_in_Qakbot_Malware_Incidents
- Date of Scan:
- 2023-04-13
- Impact:
- LOW
- Summary:
- Researchers from Esentire have observed a significant increase in Qakbot incidents impacting various industries.
Source:
https://www.esentire.com/security-advisories/increase-in-observations-of-qakbot-malware
—
- Intel Source:
- ASEC
- Intel Name:
- Qakbot_Distributing_via_Email_Hijacking
- Date of Scan:
- 2023-04-13
- Impact:
- LOW
- Summary:
- ASEC Lab researchers have identified instances of Qakbot malware being distributed via malicious PDF files attached to forwarded or replied-to existing emails.
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_Analyses_April_03rd_April_09th_2023
- Date of Scan:
- 2023-04-13
- Impact:
- LOW
- Summary:
- ASEC researchers have analyzed the week's malware and found backdoors ranked top with 61.1%, followed by infostealers with 20.8%, downloaders with 16.9%, and ransomware with 1.1%.
—
- Intel Source:
- Securinfra
- Intel Name:
- Chinese_Hacking_Group_Targeting_European_Governments_and_Businesses
- Date of Scan:
- 2023-04-13
- Impact:
- HIGH
- Summary:
- Researchers from Securinfra have observed that Chinese APT groups are targeting European governments and businesses. Recently, European Union Agency for Cybersecurity (ENISA) and CERT-EU warned about malicious activities against EU governments and businesses attributed to Chinese Advanced Persistent Threat (APT) groups.
—
- Intel Source:
- Securelist
- Intel Name:
- Attacks_With_Nokoyawa_Ransomware_Using_ZeroDay_Vulnerabilities_in_Windows
- Date of Scan:
- 2023-04-12
- Impact:
- MEDIUM
- Summary:
- Securelist researchers have analyzed the CVE-2023-28252 zero-day vulnerability in Common Log File System (CLFS).
Source:
https://securelist.com/nokoyawa-ransomware-attacks-with-windows-zero-day/109483/
—
- Intel Source:
- Securelist
- Intel Name:
- The_Development_and_Refinement_of_DeathNote_Campaign_TTPs
- Date of Scan:
- 2023-04-12
- Impact:
- MEDIUM
- Summary:
- Researchers from Securelist have focused on an active cluster that is dubbed DeathNote because the malware responsible for downloading additional payloads is named Dn.dll or Dn64.dll. This threat is also known as Operation DreamJob or NukeSped.
Source:
https://securelist.com/the-lazarus-group-deathnote-campaign/109490/
—
- Intel Source:
- Sygnia
- Intel Name:
- The_Attack_Flow_of_RagnarLocker_Ransomware
- Date of Scan:
- 2023-04-12
- Impact:
- LOW
- Summary:
- Researchers from Sygnia have analyzed the attack flow of RagnarLocker ransomware. It is both the name of a ransomware strain and of a criminal group that develops and operates it. Their data leakage blog appeared in April 2020, but although they’re an experienced group, RagnarLocker never made it to the top 10 ransomware strains.
Source:
https://blog.sygnia.co/threat-actor-spotlight-ragnarlocker-ransomware
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Recent_Activity_of_IcedID
- Date of Scan:
- 2023-04-12
- Impact:
- LOW
- Summary:
- Researchers from SANS have observed that IcedID (Bokbot) is being distributed through thread-hijacked emails with PDF attachments. The PDF files contain links that redirect to Google Firebase Storage URLs hosting password-protected zip archives, and the password for the downloaded zip archive is shown in the PDF file.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- The_textwrap_wrap_function
- Date of Scan:
- 2023-04-12
- Impact:
- LOW
- Summary:
- Didier Stevens, Senior Handler and Microsoft MVP, discovered that the textwrap.wrap function he used in the diary entry “String Obfuscation: Character Pair Reversal” does not always group characters as he expected. He released an update of his python-per-line.py tool, including a Reverse function, along with some simple brute-forcing.
Source:
https://isc.sans.edu/diary/Extra+String+Obfuscation+Character+Pair+Reversal/29656
—
- Intel Source:
- Checkpoint
- Intel Name:
- The_discovery_of_three_vulnerabilities_in_the_Microsoft_Message_Queuing_service_MSMQ
- Date of Scan:
- 2023-04-12
- Impact:
- HIGH
- Summary:
- Check Point researchers recently observed three new vulnerabilities in the “Microsoft Message Queuing” service, known as MSMQ. These vulnerabilities were disclosed to Microsoft and patched in the April Patch Tuesday update. The most severe of these, dubbed QueueJumper by CPR (CVE-2023-21554), is a critical vulnerability that could allow unauthorized attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.
—
- Intel Source:
- NTT Security
- Intel Name:
- An_attack_campaign_distributing_malware_disguised_as_a_Google_Chrome
- Date of Scan:
- 2023-04-12
- Impact:
- LOW
- Summary:
- Since around November 2022, the NTT Security SOC has been observing an attack campaign distributing malware from a web page disguised as a Google Chrome error screen. It became active around February 2023, and malware downloads have been confirmed across a very wide range, so caution is necessary. The article provides an overview of the attack campaign and the malware.
Source:
https://insight-jp.nttsecurity.com/post/102ic6o/webgoogle-chrome
—
- Intel Source:
- JFrog
- Intel Name:
- Analyzing_Impala_Stealer
- Date of Scan:
- 2023-04-12
- Impact:
- LOW
- Summary:
- Researchers from JFrog provided a detailed analysis of a malicious payload named “Impala Stealer”, a custom crypto stealer used as the payload of the malicious NuGet packages campaign. The sophisticated campaign targeted .NET developers via malicious NuGet packages, which the JFrog Security team detected and reported as part of its regular work exposing supply chain attacks.
Source:
https://jfrog.com/blog/impala-stealer-malicious-nuget-package-payload/
—
- Intel Source:
- Fortinet
- Intel Name:
- Malicious_Document_From_Ukraines_Energoatom_Delivering_Havoc_Demon_Backdoor
- Date of Scan:
- 2023-04-12
- Impact:
- LOW
- Summary:
- FortiGuard Labs researchers have identified a malicious document spoofed to appear to come from Energoatom, the Ukrainian state-owned enterprise that operates the country’s nuclear power plants; it delivers the Havoc Demon backdoor.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- The_Analysis_of_Malicious_HTA_File
- Date of Scan:
- 2023-04-12
- Impact:
- LOW
- Summary:
- Researchers from SANS ISC have analyzed another malicious HTA file (part 2 of the analysis).
Source:
https://isc.sans.edu/diary/Another+Malicious+HTA+File+Analysis+Part+2/29676/
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Email_analyses_March_26_April_1_2023
- Date of Scan:
- 2023-04-11
- Impact:
- LOW
- Summary:
- ASEC lab researchers continuously monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypots. Their post shares the phishing email distribution cases observed during the week from March 26th, 2023 to April 1st, 2023 and provides statistics on each type.
—
- Intel Source:
- Securelist
- Intel Name:
- Gopuram_backdoor_deployed_through_3CX_supply_chain_attack
- Date of Scan:
- 2023-04-11
- Impact:
- MEDIUM
- Summary:
- On March 29, CrowdStrike published a report on a supply chain attack conducted via 3CXDesktopApp. Kaspersky (Securelist) analyzed the attack and shared its findings: it had seen only a few victims compromised with the Gopuram backdoor until infections began to increase in March 2023, and that increase turned out to be directly related to the 3CX supply chain attack.
Source:
https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/
—
- Intel Source:
- Trustwave
- Intel Name:
- A_new_strain_of_malware_Rilide_targets_Chromium_based_browsers
- Date of Scan:
- 2023-04-11
- Impact:
- LOW
- Summary:
- Trustwave SpiderLabs observed a new strain of malware, named Rilide, that targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. Rilide masquerades as a legitimate Google Drive extension and lets threat actors carry out a wide range of malicious activities, including monitoring browsing history, taking screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges.
—
- Intel Source:
- PaloAlto
- Intel Name:
- The_CryptoClippy_malware_campaign_targets_Portuguese_speakers
- Date of Scan:
- 2023-04-11
- Impact:
- LOW
- Summary:
- Unit 42 recently observed a malware campaign targeting Portuguese speakers that redirects cryptocurrency from legitimate users’ wallets to wallets controlled by the threat actors. The campaign uses a cryptocurrency clipper, malware that monitors the victim’s clipboard for signs that a cryptocurrency wallet address is being copied.
Source:
https://unit42.paloaltonetworks.com/crypto-clipper-targets-portuguese-speakers/
—
- Intel Source:
- Cyfirma
- Intel Name:
- The_Deep_Analysis_Report_on_SarinLocker_Ransomware
- Date of Scan:
- 2023-04-11
- Impact:
- LOW
- Summary:
- Cyfirma researchers have published a deep analysis of a new ransomware called SarinLocker. Its operators have started a ransomware affiliate program that provides attackers with the ransomware and affiliate software to manage victims.
Source:
https://www.cyfirma.com/outofband/sarinlocker-ransomware/
—
- Intel Source:
- Checkmarx
- Intel Name:
- Hackers_Flooding_NPM_With_Fake_Packages_Causing_DoS_Attack
- Date of Scan:
- 2023-04-11
- Impact:
- LOW
- Summary:
- Researchers from Checkmarx have identified that threat actors are flooding the npm open source package repository for Node.js with bogus packages, which briefly even resulted in a denial-of-service (DoS) condition.
—
- Intel Source:
- Sucuri
- Intel Name:
- WordPress_Infection_Campaign_Leveraging_Recently_Discovered_Theme_and_Plugin_Vulnerabilities
- Date of Scan:
- 2023-04-10
- Impact:
- LOW
- Summary:
- Researchers from Sucuri have tracked a massive WordPress infection campaign since 2017. They describe it as an ongoing, long-lasting, massive WordPress infection campaign that leverages all known and recently discovered theme and plugin vulnerabilities.
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Email_analyses_March_19_25th_2023
- Date of Scan:
- 2023-04-10
- Impact:
- LOW
- Summary:
- ASEC lab researchers continuously monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypots. Their post shares the phishing email distribution cases observed during the week from March 19th, 2023 to March 25th, 2023 and provides statistics on each type.
—
- Intel Source:
- Cyble
- Intel Name:
- New_Ransomware_Group_Named_Money_Message
- Date of Scan:
- 2023-04-10
- Impact:
- LOW
- Summary:
- Cyble researchers have discovered a new ransomware group named Money Message. It can encrypt network shares and targets both Windows and Linux operating systems.
Source:
https://blog.cyble.com/2023/04/06/demystifying-money-message-ransomware/
—
- Intel Source:
- Microsoft
- Intel Name:
- Ransomware_Based_Attacks_Carried_Out_by_Iranian_Hackers
- Date of Scan:
- 2023-04-10
- Impact:
- MEDIUM
- Summary:
- Microsoft researchers have observed the Iranian nation-state group known as MuddyWater carrying out destructive attacks on hybrid environments under the guise of a ransomware operation.
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_statistics_March_27_April_2_2023
- Date of Scan:
- 2023-04-06
- Impact:
- LOW
- Summary:
- ASEC lab researchers continuously monitor malware threats with the ASEC automatic sample analysis system (RAPIT) and honeypots. Their post lists weekly statistics collected from March 27th, 2023 (Monday) to April 2nd, 2023 (Sunday).
—
- Intel Source:
- ISC.SANS
- Intel Name:
- The_efile_com_analyses
- Date of Scan:
- 2023-04-06
- Impact:
- LOW
- Summary:
- Johannes B. Ullrich, Ph.D., Dean of Research at SANS.edu, analyzed the efile.com malware (dubbed “efail”), which served fake “Browser Update” prompts to some of the site’s users; he was able to retrieve some of the malware before it was removed. The attack uses two main executables. The first, “update.exe”, is a simple downloader that fetches and executes the second part. The second is a PHP script that communicates with the command-and-control server; its main function is to download and execute additional code as instructed. During installation, basic system information is sent to the attacker, and the backdoor is made persistent via scheduled/on-boot registry entries.
Source:
https://isc.sans.edu/diary/Analyzing+the+efilecom+Malware+efail/29712/#comments
—
- Intel Source:
- Trellix
- Intel Name:
- The_functions_of_Genesis_Market
- Date of Scan:
- 2023-04-06
- Impact:
- LOW
- Summary:
- Trellix was approached by law enforcement asking for assistance with the analysis of Genesis Market. Trellix has analyzed and explained the functions and operations of Genesis Market, provided an analysis of malware samples that law enforcement shared, and offered advice and guidance to (potential) victims.
—
- Intel Source:
- Trellix
- Intel Name:
- Royal_Ransom_analyses
- Date of Scan:
- 2023-04-06
- Impact:
- LOW
- Summary:
- The Trellix Advanced Cyber Services team (part of Trellix Professional Services) published an analysis of Royal ransomware based on updated incident-response data.
Source:
https://www.trellix.com/en-us/about/newsroom/stories/research/a-royal-analysis-of-royal-ransom.html
—
- Intel Source:
- Trustwave
- Intel Name:
- Emotet_Resumed_its_Spamming_Activities
- Date of Scan:
- 2023-04-06
- Impact:
- LOW
- Summary:
- Researchers from Trustwave SpiderLabs have seen Emotet switch to OneNote attachments, a tactic also adopted by other malware groups in recent months. The analysis is intended to help the cybersecurity community better understand the obfuscation and padding tricks Emotet is using.
—
- Intel Source:
- Fortinet
- Intel Name:
- New_Ransomware_Variants_Are_Dark_Power_and_PayME100USD
- Date of Scan:
- 2023-04-05
- Impact:
- LOW
- Summary:
- FortiGuard Labs researchers have identified two new ransomware families, Dark Power and PayMe100USD. Dark Power launched in early February 2023 and is a rare breed in that it is written in the Nim programming language. PayMe100USD, written in Python, was discovered in March 2023; it has basic functionality and performs ordinary ransomware activities.
Source:
https://www.fortinet.com/blog/threat-research/dark-power-and-payme100usd-ransomware?&web_view=true
—
- Intel Source:
- Talos
- Intel Name:
- Typhon_Reborn_Stealer_Malware_Back_with_Advanced_Evasion_Techniques
- Date of Scan:
- 2023-04-05
- Impact:
- LOW
- Summary:
- Talos researchers have observed that the threat actor behind the information-stealing malware known as Typhon Reborn has resurfaced with an updated version (V2) that packs in improved capabilities to evade detection and resist analysis.
Source:
https://blog.talosintelligence.com/typhon-reborn-v2-features-enhanced-anti-analysis/
—
- Intel Source:
- Mandiant
- Intel Name:
- ALPHV_Ransomware_Affiliate_Targeting_Vulnerable_Backup_Installations_to_Gain_Initial_Access
- Date of Scan:
- 2023-04-05
- Impact:
- MEDIUM
- Summary:
- Mandiant researchers have observed a new affiliate of the ALPHV (aka BlackCat) ransomware, tracked as UNC4466, targeting publicly exposed Veritas Backup Exec installations vulnerable to CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878 for initial access to victim environments.
Source:
https://www.mandiant.com/resources/blog/alphv-ransomware-backup
—
- Intel Source:
- Symantec
- Intel Name:
- An_Attack_Against_Palestinian_Targets_Using_New_Weapons
- Date of Scan:
- 2023-04-05
- Impact:
- LOW
- Summary:
- Researchers from Symantec have observed that the Mantis APT group (aka Arid Viper, Desert Falcon, APT-C-23), a threat actor believed to be operating out of the Palestinian territories, is continuing to mount attacks, deploying a refreshed toolset and going to great lengths to maintain a persistent presence on targeted networks.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks
—
- Intel Source:
- Sysdig
- Intel Name:
- Proxyjacking_Scheme_Exploits_Log4j_Bug_to_Profit_From_Victim_IP_Addresses
- Date of Scan:
- 2023-04-05
- Impact:
- LOW
- Summary:
- Researchers from Sysdig have detected a new attack, dubbed proxyjacking, that leveraged the Log4j vulnerability for initial access. The attacker then monetized the victims’ IP addresses by enrolling them in proxyware services.
Source:
https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
—
- Intel Source:
- Mandiant
- Intel Name:
- Chinese_Hacking_Group_RedGolf_Targeting_Windows_and_Linux_Systems
- Date of Scan:
- 2023-04-05
- Impact:
- MEDIUM
- Summary:
- Mandiant researchers have documented KEYPLUG, a custom Windows and Linux backdoor attributed to a Chinese state-sponsored threat activity group tracked as RedGolf; the linked report covers its deployment through Log4Shell exploitation of MobileIron.
Source:
https://www.mandiant.com/resources/blog/mobileiron-log4shell-exploitation
—
- Intel Source:
- Cyber War Zone
- Intel Name:
- Disney_Phishing_Scams
- Date of Scan:
- 2023-04-05
- Impact:
- LOW
- Summary:
- Researchers from Cyber War Zone have identified the latest Disney-related phishing scams in 2023 and provide tips to protect from falling victim to these scams.
Source:
https://cyberwarzone.com/beware-of-disney-phishing-scams-in-2023/?web_view=true
—
- Intel Source:
- Symantec
- Intel Name:
- Arid_Viper_Hacking_Group_Using_Upgraded_Malware
- Date of Scan:
- 2023-04-05
- Impact:
- LOW
- Summary:
- Researchers from Symantec have observed the threat actor known as Arid Viper using refreshed variants of its malware toolkit in attacks targeting Palestinian entities since September 2022.
—
- Intel Source:
- Checkpoint
- Intel Name:
- New_Ransomware_Rorschach_Targeting_US_Based_Company
- Date of Scan:
- 2023-04-05
- Impact:
- MEDIUM
- Summary:
- Check Point researchers have analyzed Rorschach, a new ransomware strain in the crimeware landscape. Its developers implemented new anti-analysis and defense evasion techniques to avoid detection and to make it more difficult for security software and researchers to analyze and mitigate its effects.
Source:
https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/
—
- Intel Source:
- Checkpoint
- Intel Name:
- Analyzing_Rhadamanthys_infostealer
- Date of Scan:
- 2023-04-04
- Impact:
- LOW
- Summary:
- Check Point researchers summarize the dark-web “buzz” surrounding Rhadamanthys, an advanced infostealer that debuted on the dark web in September 2022 to a warm reception from cybercriminals. Their insights confirm that, given how the malware is used, large organizations are also being subjected to incidental drive-by attacks that have a theoretical potential to escalate.
Source:
https://research.checkpoint.com/2023/rhadamanthys-the-everything-bagel-infostealer/
—
- Intel Source:
- Sucuri
- Intel Name:
- Vulnerability_in_WordPress_Elementor_Pro_Patched
- Date of Scan:
- 2023-04-04
- Impact:
- LOW
- Summary:
- Researchers from Sucuri have analyzed the WordPress Elementor Pro vulnerability that allows authenticated users to arbitrarily change wp_options values within the database via the AJAX action of Elementor Pro working in conjunction with WooCommerce.
Source:
https://blog.sucuri.net/2023/03/high-severity-vulnerability-in-wordpress-elementor-pro-patched.html
—
- Intel Source:
- Cyfirma
- Intel Name:
- New_European_APT_Group_Named_FusionCore
- Date of Scan:
- 2023-04-04
- Impact:
- LOW
- Summary:
- Cyfirma researchers have identified a new European threat actor group, FusionCore, that runs a malware-as-a-service offering alongside a hacker-for-hire operation. The group offers a wide variety of tools and services on its website, making it a one-stop shop for threat actors looking for cost-effective yet customizable malware.
Source:
https://www.cyfirma.com/outofband/the-rise-of-fusioncore-an-emerging-cybercrime-group-from-europe/
—
- Intel Source:
- MalwareHunter, ISC.SANS
- Intel Name:
- IRS_Authorized_Tax_Return_Filing_Software_Caught_Serving_JS_Malware
- Date of Scan:
- 2023-04-04
- Impact:
- LOW
- Summary:
- Researchers from MalwareHunter observed a malicious JavaScript file that had been present on the eFile[.]com website for weeks. eFile.com is an IRS-authorized e-file software provider used by many to file their tax returns, and it was caught serving JavaScript malware.
—
- Intel Source:
- ASEC
- Intel Name:
- The_distribution_of_Nevada_Ransomware_in_Korea
- Date of Scan:
- 2023-04-04
- Impact:
- LOW
- Summary:
- ASEC has identified new cases of the Nevada ransomware during internal monitoring. Its defining trait is the “.NEVADA” extension it appends to the files it encrypts. After encrypting directories, it creates ransom notes named “README.txt” in every directory; the notes contain a Tor browser link for ransom payment.
—
- Intel Source:
- Cyble
- Intel Name:
- The_Malware_Sample_Analysis_of_Cl0p_Ransomware
- Date of Scan:
- 2023-04-04
- Impact:
- LOW
- Summary:
- Cyble researchers have analyzed Cl0p ransomware samples; the sample examined is a GUI-subsystem executable compiled with Microsoft Visual C/C++.
Source:
https://blog.cyble.com/2023/04/03/cl0p-ransomware-active-threat-plaguing-businesses-worldwide/
—
- Intel Source:
- Fortinet
- Intel Name:
- New_Cylance_Ransomware_Targeting_Linux_and_Windows
- Date of Scan:
- 2023-04-03
- Impact:
- LOW
- Summary:
- FortiGate Labs researchers have identified two new ransomware named Dark Power and PayME100USD. Dark Power ransomware launched in early February 2023 and this is a rare ransomware breed in that it was written in the Nim programming language. PayMe100USD ransomware written in Python that was discovered in March 2023 and the malware has basic functionality and performs ordinary ransomware activities.
Source:
https://www.fortinet.com/blog/threat-research/dark-power-and-payme100usd-ransomware?&web_view=true
—
- Intel Source:
- DFIR Report
- Intel Name:
- MalSpam_Delivering_Malicious_ISO
- Date of Scan:
- 2023-04-03
- Impact:
- LOW
- Summary:
- The DFIR Report covers a late-September 2022 campaign in which IcedID, delivered through a malicious ISO attachment in malspam, led to an intrusion. The post-exploitation activity combined familiar and new techniques and tooling and ended in domain-wide ransomware.
Source:
https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/
—
- Intel Source:
- CERT-UA
- Intel Name:
- ICS_compromised_Due_to_Installation_of_Unlicensed_Microsoft_Office
- Date of Scan:
- 2023-04-03
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have identified unauthorized access to the information and communication system (ICS) of a utility company. The initial compromise of the computer took place on 19 January 2023 as a result of installing an unlicensed copy of Microsoft Office 2019.
—
- Intel Source:
- PaloAlto
- Intel Name:
- New_Variant_of_Xloader_Malware
- Date of Scan:
- 2023-04-03
- Impact:
- MEDIUM
- Summary:
- Researchers from Palo Alto Networks Unit 42 have discovered a new ransomware named Cylance that targets Windows and Linux systems.
Source:
https://twitter.com/Unit42_Intel/status/1641588431221342208
—
- Intel Source:
- ZScaler
- Intel Name:
- Money_Message_Ransomware_Targeting_Worldwide
- Date of Scan:
- 2023-04-03
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have identified a new ransomware gang named ‘Money Message’ that targets victims worldwide and demands million-dollar ransoms in exchange for a decryptor and for not leaking stolen data.
Source:
https://twitter.com/Threatlabz/status/1641113991824158720
—
- Intel Source:
- ASEC
- Intel Name:
- New_Infostealer_LummaC2_Distributing_Under_the_Mask_of_Illegal_Cracks
- Date of Scan:
- 2023-04-01
- Impact:
- LOW
- Summary:
- ASEC researchers have identified a new infostealer called LummaC2 that is being distributed disguised as illegal programs such as cracks and keygens.
—
- Intel Source:
- ASEC
- Intel Name:
- Analyzing_CHM_Malware_Using_EDR
- Date of Scan:
- 2023-04-01
- Impact:
- LOW
- Summary:
- ASEC researchers have identified an APT attack case that recently used a CHM (Compiled HTML Help) file. Because CHM files bundle HTML, threat actors can embed malicious script in the HTML, and that script executes through hh.exe, a default Windows application.
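As an added example (not ASEC's code), the two detections a practitioner would want for this technique: hh.exe launching a script host or LOLBin, and hh.exe opening a CHM from a user-writable location. The process events are constructed in Sysmon/EDR style; the child-process list and the path fragments are my assumptions and should be tuned to the environment (vendor help files legitimately open through hh.exe from Program Files).

```python
import ntpath
from dataclasses import dataclass

# Script hosts and LOLBins that hh.exe has no legitimate reason to launch (assumed list).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
# Lower-cased path fragments for locations a phished user's CHM would land in (assumed).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\", "\\programdata\\")


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 / EDR style), constructed here."""
    parent_image: str
    image: str
    command_line: str


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def detect_chm_abuse(events: list[ProcEvent]) -> list[tuple[str, str, str]]:
    """Return (rule, process, command line) for every event matching one of the two rules."""
    alerts = []
    for e in events:
        parent, child = _name(e.parent_image), _name(e.image)
        if parent == "hh.exe" and child in SUSPICIOUS_CHILDREN:
            alerts.append(("hh.exe spawned script host or LOLBin", child, e.command_line))
        if child == "hh.exe":
            cl = e.command_line.lower()
            if ".chm" in cl and any(frag in cl for frag in USER_WRITABLE):
                alerts.append(("hh.exe opened CHM from user-writable path", child, e.command_line))
    return alerts


# Constructed sample: a phished CHM opened from Downloads, then its script spawning cmd.exe,
# followed by two benign events that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\hh.exe",
              r'"C:\Windows\hh.exe" C:\Users\victim\Downloads\compensation_form.chm'),
    ProcEvent(r"C:\Windows\hh.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "placeholder command"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\hh.exe",
              r'"C:\Windows\hh.exe" "C:\Program Files\Vendor\help.chm"'),
    ProcEvent(r"C:\Windows\hh.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for alert in detect_chm_abuse(SAMPLE_EVENTS):
        print(alert)
```

The first rule is the high-confidence one; the second is noisier and is best used to enrich the first (which CHM was opened just before the child process appeared).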
—
- Intel Source:
- TrendMicro
- Intel Name:
- New_OpcJacker_Malware_Distributing_via_Fake_VPN_Malvertising
- Date of Scan:
- 2023-04-01
- Impact:
- LOW
- Summary:
- Trend Micro researchers have discovered a new malware, which they named OpcJacker, that has been distributed in the wild since the second half of 2022. Its main functions include keylogging, taking screenshots, stealing sensitive data from browsers, loading additional modules, and replacing cryptocurrency addresses in the clipboard for hijacking purposes.
—
- Intel Source:
- Quickheal
- Intel Name:
- The_Deep_Examination_of_Royal_Ransomware
- Date of Scan:
- 2023-04-01
- Impact:
- LOW
- Summary:
- QuickHeal researchers have deeply analyzed the Royal Ransomware. It was first observed in mid-2022 and it is a type of ransomware that encrypts all volumes including network shared drives.
Source:
https://blogs.quickheal.com/deep-dive-into-royal-ransomware/
—
- Intel Source:
- Splunk
- Intel Name:
- The_Detection_and_Defense_Technique_of_AsyncRAT
- Date of Scan:
- 2023-04-01
- Impact:
- LOW
- Summary:
- Splunk researchers have analyzed the AsyncRAT and provided the detection and defense technique. It is a popular malware commodity and tool and threat actors and adversaries use several interesting script loaders and spear phishing attachments to deliver AsyncRAT to targeted hosts or networks in different campaigns.
Source:
https://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html
—
- Intel Source:
- ASEC
- Intel Name:
- Emotet_Distributing_via_OneNote
- Date of Scan:
- 2023-04-01
- Impact:
- LOW
- Summary:
- Researchers from ASEC have observed Emotet being distributed via OneNote attachments. A spear-phishing email carries a OneNote file that prompts the reader to open an embedded attachment, which is a malicious script (JS) file.
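Both this entry and the Trustwave entry on Emotet's OneNote campaign above turn on a script hidden inside a OneNote attachment. As an added example (not ASEC's or Trustwave's code), the following carves every embedded file out of a .one file using the FileDataStoreObject delimiters documented in MS-ONESTORE (a header GUID, a little-endian 64-bit length, 12 reserved bytes, the data, then a footer GUID), so the script can be pulled out for analysis without opening the notebook. The sample .one blob is constructed here, and the script payload is an inert placeholder.

```python
import struct
import uuid

# MS-ONESTORE FileDataStoreObject delimiters; GUIDs are stored little-endian on disk.
GUID_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
GUID_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
HEADER_LEN = 16 + 8 + 4 + 8  # guidHeader, cbLength (uint64 LE), unused, reserved
# .one file-type GUID, used here only so the constructed sample starts like a real file.
ONE_FILE_GUID = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le

MAGIC = [(b"\x89PNG", "png"), (b"MZ", "pe"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip")]
SCRIPT_HINTS = [b"WScript", b"ActiveXObject", b"<script", b"<job", b"CreateObject"]


def carve_onenote(data: bytes) -> list[tuple[int, bytes, bool]]:
    """Return (offset, payload, footer_ok) for each embedded file object found."""
    found = []
    pos = data.find(GUID_HEADER)
    while pos != -1 and pos + HEADER_LEN <= len(data):
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + HEADER_LEN
        payload = data[start:start + length]
        footer_ok = data[start + length:start + length + 16] == GUID_FOOTER
        found.append((pos, payload, footer_ok))
        pos = data.find(GUID_HEADER, start + length)
    return found


def classify(payload: bytes) -> str:
    """Cheap triage: file magic first, then script keywords; anything else is 'unknown'."""
    for magic, kind in MAGIC:
        if payload.startswith(magic):
            return kind
    if any(hint in payload for hint in SCRIPT_HINTS):
        return "script"
    return "unknown"


def _file_object(payload: bytes) -> bytes:
    """Wrap a payload in the FileDataStoreObject framing (used to build the sample)."""
    return (GUID_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 4 + b"\x00" * 8
            + payload + GUID_FOOTER)


def build_sample() -> bytes:
    """Constructed .one-like blob: a decoy PNG object and a script object, with filler between."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
    js = b'var sh = new ActiveXObject("WScript.Shell"); // constructed placeholder, runs nothing\n'
    return (ONE_FILE_GUID + b"\x00" * 48 + _file_object(png) + b"\xff" * 32
            + _file_object(js) + b"\x00" * 16)


if __name__ == "__main__":
    for off, payload, ok in carve_onenote(build_sample()):
        print(f"offset={off} bytes={len(payload)} type={classify(payload)} footer_ok={ok}")
```

A missing footer marks a truncated or tampered object and is worth reporting rather than silently skipping; the padding tricks Trustwave describes show up as very large declared lengths wrapped around a small script.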
—
- Intel Source:
- Securonix Threat Labs
- Intel Name:
- New_TACTICAL_OCTOPUS_Attack_Campaign_Targeting_US_Entities
- Date of Scan:
- 2023-03-31
- Impact:
- MEDIUM
- Summary:
- Securonix Threat Labs researchers have observed that threat actors are ramping up tax-related phishing scams to US-based victims to infect systems with stealthy malware.
—
- Intel Source:
- Proofpoint
- Intel Name:
- New_APT_Group_TA473_Exploiting_Zimbra_Vulnerability
- Date of Scan:
- 2023-03-31
- Impact:
- MEDIUM
- Summary:
- Researchers from Proofpoint have observed a newly minted advanced persistent threat actor, TA473, exploiting Zimbra vulnerability CVE-2022-27926 against publicly facing Zimbra-hosted webmail portals. The goal of this activity is assessed to be gaining access to the emails of military, government and diplomatic organizations across Europe involved in the Russia-Ukraine war.
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_statistics_March_13_19th_2023
- Date of Scan:
- 2023-03-31
- Impact:
- LOW
- Summary:
- ASEC analysis team used the ASEC automatic analysis system RAPIT to categorize and respond to known malware. Their post covers weekly statistics collected from March 13th, 2023 to March 19th, 2023.
—
- Intel Source:
- Fortinet
- Intel Name:
- Hackers_Spreading_ShellBot_and_Moobot_Malware_on_Exploitable_Servers
- Date of Scan:
- 2023-03-31
- Impact:
- MEDIUM
- Summary:
- Researchers from FortiGuard Labs have observed several bursts of attacks targeting Cacti and Realtek vulnerabilities in January and March of this year, followed by the spread of ShellBot and Moobot malware.
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Email_sample_analyses_Mar_4th_to_11th_2023
- Date of Scan:
- 2023-03-31
- Impact:
- LOW
- Summary:
- ASEC lab researchers continuously monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypots. Their post shares the phishing email distribution cases observed during the week from March 5th, 2023 to March 11th, 2023 and provides statistics on each type.
—
- Intel Source:
- Security Intelligence
- Intel Name:
- Defensive_Considerations_for_Lazarus_FudModule
- Date of Scan:
- 2023-03-31
- Impact:
- LOW
- Summary:
- IBM Security Intelligence analysts highlight detection opportunities for the FudModule rootkit within the Lazarus sample analyzed by X-Force, and summarize a strategy of using telemetry-stream health as a way to detect malware designed to impair defenses through ETW tampering.
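The telemetry-health idea above, as an added example (not IBM's code): the agent's own heartbeat tells you the sensor process is alive, so a host whose heartbeat is current but whose security-event stream has gone quiet is a tampering candidate rather than an offline machine, and the two cases should be reported separately. Stream names, hosts and timestamps are constructed.

```python
from datetime import datetime, timedelta

HEARTBEAT = "sensor_heartbeat"     # proves the agent process is alive (assumed stream name)
TELEMETRY = "etw_security_events"  # the stream a rootkit like FudModule would cut (assumed)


def last_seen(records):
    """Latest timestamp per (host, stream)."""
    last = {}
    for host, stream, ts in records:
        key = (host, stream)
        if key not in last or ts > last[key]:
            last[key] = ts
    return last


def silent_telemetry(records, now, max_gap=timedelta(minutes=10)):
    """Split hosts into tampering candidates and plain offline hosts.

    tampered: heartbeat within max_gap, but telemetry older than max_gap (or never seen).
    offline:  heartbeat itself older than max_gap (connectivity or agent problem).
    """
    last = last_seen(records)
    tampered, offline = [], []
    for host in sorted({h for h, _ in last}):
        hb = last.get((host, HEARTBEAT))
        ev = last.get((host, TELEMETRY))
        if hb is None or now - hb > max_gap:
            offline.append(host)
        elif ev is None or now - ev > max_gap:
            tampered.append((host, ev))
    return tampered, offline


def _t(hour, minute):
    return datetime(2023, 3, 31, hour, minute)


# Constructed records: (host, stream, timestamp)
SAMPLE = [
    ("ws-a", HEARTBEAT, _t(12, 0)), ("ws-a", TELEMETRY, _t(11, 59)),  # healthy
    ("ws-b", HEARTBEAT, _t(12, 0)), ("ws-b", TELEMETRY, _t(11, 30)),  # alive, telemetry stopped
    ("ws-c", HEARTBEAT, _t(11, 0)), ("ws-c", TELEMETRY, _t(11, 0)),   # whole agent silent
    ("ws-d", HEARTBEAT, _t(12, 0)),                                   # never produced telemetry
]


def run_sample():
    return silent_telemetry(SAMPLE, now=_t(12, 1))


if __name__ == "__main__":
    print(run_sample())
```

The gap threshold has to be set per stream from its normal event rate; a stream that is legitimately quiet for long stretches needs a longer window or a synthetic canary event.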
—
- Intel Source:
- ASEC
- Intel Name:
- The_distribution_of_a_OneNote_malware_by_Kimsuky
- Date of Scan:
- 2023-03-30
- Impact:
- LOW
- Summary:
- ASEC has observed the distribution of OneNote malware disguised as a form related to compensation. The confirmed file impersonates the same research center as the LNK-type malware mentioned earlier. Based on the identical malicious activity performed by the VBS files, the team concluded that the same actor, the Kimsuky group, is behind both incidents.
—
- Intel Source:
- Sentinelone
- Intel Name:
- Supply_Chain_Attack_on_3CX_Desktop_Apps_Threatens_Millions_at_Risk
- Date of Scan:
- 2023-03-30
- Impact:
- MEDIUM
- Summary:
- Researchers from SentinelOne have determined that the trojanized 3CX desktop app is the first stage in a multi-stage attack chain: it pulls ICO files with Base64 data appended from GitHub and ultimately leads to a third-stage information-stealer DLL.
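As an added example (not SentinelOne's code), the following shows how data appended to an ICO file can be separated from the image: the ICO directory declares where each image ends, so anything past the last declared image is foreign to the format, and a base64 trailer decodes cleanly. The ICO and the appended string are constructed here; nothing from the real campaign's payload is reproduced.

```python
import base64
import binascii
import struct
from typing import NamedTuple, Optional

ICONDIR_LEN = 6        # idReserved, idType, idCount (all uint16 LE)
ICONDIRENTRY_LEN = 16  # ...; dwBytesInRes at +8, dwImageOffset at +12 (both uint32 LE)


class Trailer(NamedTuple):
    declared_end: int
    raw: bytes
    decoded: Optional[bytes]  # base64-decoded trailer, or None if it is not valid base64


def ico_declared_end(data: bytes) -> int:
    """Offset just past the last image the ICO directory actually references."""
    reserved, itype, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or itype != 1 or count == 0:
        raise ValueError("not an ICO file")
    end = ICONDIR_LEN + ICONDIRENTRY_LEN * count
    for i in range(count):
        entry = ICONDIR_LEN + i * ICONDIRENTRY_LEN
        size, offset = struct.unpack_from("<II", data, entry + 8)
        end = max(end, offset + size)
    return end


def carve_ico_trailer(data: bytes) -> Optional[Trailer]:
    """Return whatever follows the last referenced image, decoding it if it is base64."""
    end = ico_declared_end(data)
    raw = data[end:]
    if not raw:
        return None
    try:
        decoded = base64.b64decode(raw.strip(), validate=True)
    except (binascii.Error, ValueError):
        decoded = None
    return Trailer(end, raw, decoded)


def build_sample(appended: bytes = b"") -> bytes:
    """Constructed 1x1 ICO with one dummy image, optionally with data appended."""
    image = b"\x28\x00\x00\x00" + b"\x00" * 36  # BITMAPINFOHEADER-sized dummy blob
    header = struct.pack("<HHH", 0, 1, 1)
    entry = struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 32, len(image), ICONDIR_LEN + ICONDIRENTRY_LEN)
    return header + entry + image + appended


SECRET = b"constructed next-stage pointer: https://example.invalid/stage3"
SAMPLE_ICO = build_sample(base64.b64encode(SECRET))

if __name__ == "__main__":
    t = carve_ico_trailer(SAMPLE_ICO)
    print(t.declared_end, t.decoded)
```

The same declared-end check works as a hunting rule over icon files fetched by a desktop application: a valid ICO whose size exceeds its declared end is the signal, whether or not the trailer is base64.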
—
- Intel Source:
- ASEC
- Intel Name:
- ShellBot_Malware_distribution
- Date of Scan:
- 2023-03-30
- Impact:
- MEDIUM
- Summary:
- ASEC researchers have recently observed the ShellBot malware being installed on Linux SSH servers. ShellBot, aka PerlBot, is a DDoS bot written in Perl that characteristically uses the IRC protocol to communicate with its C&C server. ShellBot is an old malware family that has been in steady use and is still used today to launch attacks against Linux systems.
Source:
https://asec.ahnlab.com/en/49769/comment-page-2/#comments
—
- Intel Source:
- Sentinelone
- Intel Name:
- AlienFox_Toolkit_Stealing_Cloud_Service_Credentials
- Date of Scan:
- 2023-03-30
- Impact:
- HIGH
- Summary:
- SentinelOne researchers have identified a new modular toolkit called AlienFox which allows threat actors to scan for misconfigured servers to steal authentication secrets and credentials for cloud-based email services.
Source:
https://assets.sentinelone.com/sentinellabs22/s1_-sentinellabs_dis#page=1
—
- Intel Source:
- ASEC
- Intel Name:
- ChinaZ_DDoS_Bot_malware_distribution
- Date of Scan:
- 2023-03-30
- Impact:
- MEDIUM
- Summary:
- ASEC has observed the ChinaZ DDoS bot being installed on Linux SSH servers. The ChinaZ group, first identified in 2014, installs various DDoS bots on Windows and Linux systems; major DDoS bots suspected to have been created by the group include XorDDoS, AESDDoS, BillGates, and MrBlack.
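Both the ShellBot entry above and this ChinaZ entry describe bots installed on Linux SSH servers. As an added example (not ASEC's code), and assuming the usual initial access for these bots is password guessing against SSH, the following detector runs over sshd auth log lines: it flags a source IP once it accumulates a threshold of failures inside a time window, and separately reports any successful password login from an already-flagged IP, which is the event that precedes the bot install. The log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<status>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(lines, year=2023):
    """Yield (timestamp, status, user, ip) for sshd password events; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["status"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Per source IP: flag >= threshold failures inside `window`; report any password
    login accepted from an IP that was already flagged (likely weak-credential compromise)."""
    failures = defaultdict(list)
    flagged, compromised = set(), []
    for ts, status, user, ip in parse(lines):
        if status == "Failed":
            failures[ip] = [t for t in failures[ip] + [ts] if ts - t <= window]
            if len(failures[ip]) >= threshold:
                flagged.add(ip)
        elif ip in flagged:
            compromised.append((ip, user, ts))
    return sorted(flagged), compromised


# Constructed auth log: a password-guessing run that succeeds, one honest typo, one key login.
SAMPLE_LOG = """\
Mar 30 02:14:01 srv1 sshd[4021]: Failed password for root from 198.51.100.23 port 51010 ssh2
Mar 30 02:14:03 srv1 sshd[4023]: Failed password for root from 198.51.100.23 port 51012 ssh2
Mar 30 02:14:05 srv1 sshd[4025]: Failed password for invalid user admin from 198.51.100.23 port 51014 ssh2
Mar 30 02:14:06 srv1 sshd[4027]: Failed password for invalid user oracle from 198.51.100.23 port 51016 ssh2
Mar 30 02:14:08 srv1 sshd[4029]: Failed password for root from 198.51.100.23 port 51018 ssh2
Mar 30 02:14:09 srv1 sshd[4031]: Failed password for root from 198.51.100.23 port 51020 ssh2
Mar 30 02:14:11 srv1 sshd[4033]: Accepted password for root from 198.51.100.23 port 51022 ssh2
Mar 30 02:20:40 srv1 sshd[4101]: Failed password for alice from 192.0.2.10 port 40022 ssh2
Mar 30 02:20:45 srv1 sshd[4103]: Accepted password for alice from 192.0.2.10 port 40022 ssh2
Mar 30 02:21:00 srv1 sshd[4105]: Accepted publickey for deploy from 10.0.0.5 port 33000 ssh2
""".splitlines()

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

The "accepted after flagged" list is the one to page on; the flagged list alone is the daily background noise of any Internet-facing SSH service, and the durable fix is disabling password authentication in sshd_config.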
—
- Intel Source:
- Exatrack
- Intel Name:
- New_Linux_Malware_Linked_With_Chinese_APT_Groups
- Date of Scan:
- 2023-03-29
- Impact:
- MEDIUM
- Summary:
- Exatrack researchers have linked a previously unknown Chinese state-sponsored hacking group to a novel piece of malware aimed at Linux servers, dubbed Mélofée.
—
- Intel Source:
- Mandiant
- Intel Name:
- A_Deep_Dive_into_APT43
- Date of Scan:
- 2023-03-29
- Impact:
- MEDIUM
- Summary:
- Mandiant researchers have assessed with high confidence that APT43 is a moderately-sophisticated cyber operator that supports the interests of the North Korean regime. Campaigns attributed to APT43 include strategic intelligence collection aligned with Pyongyang’s geopolitical interests, credential harvesting, and social engineering to support espionage activities, and financially-motivated cybercrime to fund operations.
Source:
https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report
—
- Intel Source:
- ASEC
- Intel Name:
- Kimsuky_Group_Leveraging_Alternate_Data_Stream_to_Hide_Malware
- Date of Scan:
- 2023-03-29
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered that the Kimsuky group is using Alternate Data Stream (ADS) to hide their malware. This malware is an Infostealer that collects data by starting the VBScript included inside an HTML file. It can be characterized by its tendency to add the actual code between numerous dummy codes.
—
- Intel Source:
- BitSight
- Intel Name:
- Tofsee_Botnet_Engaging_With_Proxying_and_Mining
- Date of Scan:
- 2023-03-29
- Impact:
- LOW
- Summary:
- Researchers from BitSight have observed a 15-year-old modular spambot called Tofsee being distributed by PrivateLoader (ruzki), a notorious malware distribution service.
Source:
https://www.bitsight.com/blog/tofsee-botnet-proxying-and-mining
—
- Intel Source:
- Medium
- Intel Name:
- New_Threats_Delivering_Through_NullMixer_Malware
- Date of Scan:
- 2023-03-29
- Impact:
- LOW
- Summary:
- A researcher publishing on Medium reports that the NullMixer malware operation shows Italy and France to be the opportunistic attackers’ favorite European countries. They obtained information and data on an ongoing malware operation hitting more than 8,000 targets within a few weeks, with particular emphasis on North American, Italian and French targets.
Source:
https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1
—
- Intel Source:
- Intezer
- Intel Name:
- Hackers_From_Bitter_Group_Targeting_Chinese_Nuclear_Energy_Industry
- Date of Scan:
- 2023-03-29
- Impact:
- LOW
- Summary:
- Researchers from Intezer have observed the cyberespionage group tracked as ‘Bitter APT’ targeting the Chinese nuclear energy industry, using phishing emails to infect devices with malware downloaders.
Source:
https://www.intezer.com/blog/research/phishing-campaign-targets-nuclear-energy-industry/
—
- Intel Source:
- Cyble
- Intel Name:
- A_new_Malware_as_a_Service_platform_Cinoshi
- Date of Scan:
- 2023-03-28
- Impact:
- LOW
- Summary:
- Cyble researchers discovered a new Malware-as-a-Service (MaaS) platform, “Cinoshi”. Cinoshi’s arsenal consists of a stealer, a botnet, a clipper and a cryptominer, and the platform offers its stealer and web panel for free, which is rarely seen. The accessibility of such free malware services indicates that attackers no longer need technical expertise or resources to launch cyber-attacks.
Source:
https://blog.cyble.com/2023/03/23/cinoshi-project-and-the-dark-side-of-free-maas/
—
- Intel Source:
- AT&T
- Intel Name:
- BlackGuard_stealer_new_variant
- Date of Scan:
- 2023-03-28
- Impact:
- LOW
- Summary:
- AT&T Alien Labs researchers have observed a new variant of the BlackGuard stealer in the wild, spread via spear-phishing attacks. BlackGuard steals sensitive user information from a wide range of applications and browsers, can hijack crypto wallet addresses copied to the clipboard, and also tries to propagate through removable media and shared devices.
—
- Intel Source:
- ZScaler
- Intel Name:
- DBatLoader_Targeting_European_Businesses_via_Phishing_Email
- Date of Scan:
- 2023-03-28
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have identified a new campaign involving DBatLoader also known as ModiLoader that specifically targets manufacturing companies and various businesses in European countries via phishing emails.
—
- Intel Source:
- Microsoft
- Intel Name:
- The_Investigation_of_CVE_2023_23397
- Date of Scan:
- 2023-03-28
- Impact:
- HIGH
- Summary:
- Microsoft researchers have provided guidance on steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397. A successful exploit of this vulnerability can result in unauthorized access to an organization’s environment by triggering a Net-NTLMv2 hash leak.
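The property behind the leak is the appointment's reminder sound path (PidLidReminderFileParameter): a UNC path there makes Outlook authenticate to the named host when the reminder fires, no click required. As an added example (not Microsoft's script), this triage logic flags reminder paths that point at hosts outside the organization, including the \\?\UNC\ and host@port forms that bypass naive checks; the message records are constructed and the trusted DNS suffix is an assumption. Blocking outbound TCP/445 and adding users to the Protected Users group are the documented network-side mitigations, and patching Outlook is the client-side fix.

```python
import ipaddress
import re
from typing import Optional

# \\host\share\... and the extended-length form \\?\UNC\host\share\...
UNC_RE = re.compile(r"^\\\\(?:\?\\UNC\\)?([^\\]+)(?:\\|$)", re.IGNORECASE)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def extract_unc_host(value: Optional[str]) -> Optional[str]:
    """Host part of a UNC path, or None when the value is not a UNC path."""
    if not value:
        return None
    m = UNC_RE.match(value.strip())
    return m.group(1) if m else None


def is_external(host: str, trusted_suffixes: tuple[str, ...] = ()) -> bool:
    r"""True unless the host is an RFC 1918/loopback address or ends in a trusted DNS suffix.

    The WebDAV port form \\host@80\share is handled by dropping everything after '@'.
    """
    name = host.split("@", 1)[0].lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        return not any(name.endswith(s.lower()) for s in trusted_suffixes)
    return not any(addr in net for net in INTERNAL_NETS)


def triage(messages, trusted_suffixes=()):
    """messages: dicts with 'subject' and 'reminder_file_parameter'; returns (subject, host) hits."""
    hits = []
    for msg in messages:
        host = extract_unc_host(msg.get("reminder_file_parameter"))
        if host and is_external(host, trusted_suffixes):
            hits.append((msg["subject"], host))
    return hits


# Constructed items; only the second and third are the shape an attacker would send.
SAMPLE_MESSAGES = [
    {"subject": "Team sync", "reminder_file_parameter": r"C:\Windows\Media\chimes.wav"},
    {"subject": "Invoice overdue", "reminder_file_parameter": r"\\203.0.113.5\pub\alert.wav"},
    {"subject": "Calendar update", "reminder_file_parameter": r"\\?\UNC\evil.example@80\s\a.wav"},
    {"subject": "Standup", "reminder_file_parameter": r"\\fileserver.corp.example\sounds\ding.wav"},
    {"subject": "No reminder", "reminder_file_parameter": None},
]

if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGES, trusted_suffixes=(".corp.example",)))
```

An internal UNC path is not automatically safe either (an attacker already inside could stage a listener on a workstation), so the internal hits are worth a second, lower-priority queue rather than being dropped.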
—
- Intel Source:
- TrendMicro
- Intel Name:
- Earth_Preta_Cyberespionage_Campaign_Hits_Over_200
- Date of Scan:
- 2023-03-28
- Impact:
- LOW
- Summary:
- Trend Micro researchers analyzed an active Earth Preta campaign, examining the structure, goals and requirements of the organizations involved, which provided an opportunity for wider intelligence analysis and for developing effective countermeasures.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- The_Hunter_obfuscator_used_by_Magecart_skimmer
- Date of Scan:
- 2023-03-28
- Impact:
- LOW
- Summary:
- Malwarebytes researchers discovered and analyzed a Magecart skimmer that uses Hunter, a PHP-based JavaScript obfuscator. During their investigation they observed a number of domains, all part of the same infrastructure, with custom skimmers for several Magento stores.
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/03/hunter-skimmer
—
- Intel Source:
- Sentinelone
- Intel Name:
- MacOS_Malware_Targeting_Data_Assets
- Date of Scan:
- 2023-03-27
- Impact:
- LOW
- Summary:
- SentinelOne researchers have examined the data assets targeted by macOS malware in some of the most recent in-the-wild incidents, in order to help defenders better protect the enterprise and hunt for signs of compromise.
—
- Intel Source:
- Proofpoint
- Intel Name:
- New_Era_of_IcedID
- Date of Scan:
- 2023-03-27
- Impact:
- MEDIUM
- Summary:
- Proofpoint researchers have observed three new distinct variants of the malware known as IcedID. Proofpoint calls these new variants “Forked” IcedID and “Lite” IcedID, alongside the Standard IcedID variant. IcedID was originally classified as banking malware and was first observed in 2017. It also performs as a loader for other malware, including ransomware. There are several key differences between the initial and new variants. One key difference is the removal of banking functionality such as web injects and backconnect. Proofpoint researchers suspect the original operators behind Emotet are using an IcedID variant with different functionality.
—
- Intel Source:
- Uptycs
- Intel Name:
- New_macOS_based_Stealer_MacStealer_Malware
- Date of Scan:
- 2023-03-27
- Impact:
- LOW
- Summary:
- The Uptycs threat research team has observed another macOS stealer, “MacStealer”. The threat actor distributing MacStealer was discovered by the Uptycs threat intelligence team during their dark web hunting. The stealer can extract documents, cookies from a victim’s browser, and login information. It affects Catalina and subsequent macOS versions running on Intel, M1, and M2 CPUs.
Source:
https://www.uptycs.com/blog/macstealer-command-and-control-c2-malware
—
- Intel Source:
- Trellix
- Intel Name:
- A_new_ransomware_named_Dark_Power
- Date of Scan:
- 2023-03-27
- Impact:
- MEDIUM
- Summary:
- Researchers from Trellix have identified a new ransomware operation named ‘Dark Power’ that has already listed its first victims on a dark web data leak site, threatening to publish the data if a ransom is not paid.
Source:
https://www.trellix.com/en-us/about/newsroom/stories/research/shining-light-on-dark-power.html
—
- Intel Source:
- ASEC
- Intel Name:
- MDS_Evasion_Feature_of_Anti_Sandboxes_That_Use_Pop_up_Windows
- Date of Scan:
- 2023-03-25
- Impact:
- LOW
- Summary:
- ASEC researchers have monitored various anti-sandbox tactics. The persistent anti-sandbox technique exploits the button form of the malicious IcedID Word files and the evasion feature of AhnLab’s MDS, which is meant for detecting malicious behavior.
—
- Intel Source:
- ASEC
- Intel Name:
- Microsoft_Office_Outlook_Privilege_Escalation_Vulnerability
- Date of Scan:
- 2023-03-25
- Impact:
- HIGH
- Summary:
- Researchers from ASEC have analyzed the Microsoft vulnerability in Outlook for Windows that is being exploited to steal NTLM credentials.
—
- Intel Source:
- Sentinelone
- Intel Name:
- Chinese_Hackers_Targeting_Middle_East_Telecom_Providers
- Date of Scan:
- 2023-03-25
- Impact:
- LOW
- Summary:
- SentinelLabs researchers have observed the use of a well-maintained, versioned credential theft capability and a new dropper mechanism indicative of an ongoing development effort by a highly-motivated threat actor with specific tasking requirements.
Source:
https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/
—
- Intel Source:
- Inquest
- Intel Name:
- Exploring_New_Public_Cloud_File_Borne_Phishing_Attack
- Date of Scan:
- 2023-03-25
- Impact:
- LOW
- Summary:
- Researchers from InQuest Labs have analyzed a credential phishing attack discovered by a municipal government organization. The email arrived from a compromised sender account address. The sender organization in the observed samples is the municipality’s county health agency.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Earth_Preta_Changing_its_TTPs_to_Bypass_Security_Solutions
- Date of Scan:
- 2023-03-25
- Impact:
- LOW
- Summary:
- TrendMicro researchers have discovered Earth Preta delivering lure archives via spear-phishing emails and Google Drive links. After months of investigation, they identified that several undisclosed malware and interesting tools used for exfiltration purposes were used in this campaign.
Source:
https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html
—
- Intel Source:
- Malwarebytes
- Intel Name:
- New_Kritec_Magecart_Skimmer_Targeting_Magento_Stores
- Date of Scan:
- 2023-03-24
- Impact:
- LOW
- Summary:
- Malwarebytes researchers have identified instances of compromised stores having both skimmers loaded, which means double trouble for victims as their credit card information is stolen not just once but twice.
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/03/new-kritec-skimmer
—
- Intel Source:
- Mandiant
- Intel Name:
- Diving_Deep_into_UNC961
- Date of Scan:
- 2023-03-24
- Impact:
- LOW
- Summary:
- Researchers from Mandiant have analyzed the details and timeline of each intrusion conducted by UNC961, along with detection opportunities and examples of how Managed Defense’s proactive threat hunting, investigation, and response routinely limits the impact on Mandiant customers’ business and prevents their reality from being desecrated.
Source:
https://www.mandiant.com/resources/blog/unc961-multiverse-financially-motivated
—
- Intel Source:
- Intel471
- Intel Name:
- AresLoader_Linked_With_Russian_APT_Group
- Date of Scan:
- 2023-03-24
- Impact:
- LOW
- Summary:
- Intel471 researchers have observed a new loader malware-as-a-service (MaaS) named AresLoader, recently spotted in the wild, offered by threat actors with links to Russian hacktivism.
Source:
https://intel471.com/blog/new-loader-on-the-bloc-aresloader
—
- Intel Source:
- CISA
- Intel Name:
- A_Detailed_Examination_of_LockBit_From_CISA_and_MS_ISAC
- Date of Scan:
- 2023-03-23
- Impact:
- MEDIUM
- Summary:
- Researchers from CISA and MS-ISAC have issued a warning about the LockBit ransomware. Recommended mitigations include developing a comprehensive restoration plan, employing robust passwords for all accounts, integrating anti-phishing measures, updating software and system versions, and segregating network components, among others.
Source:
https://www.cisa.gov/sites/default/files/2023-03/aa23-075a-stop-ransomware-lockbit.pdf
—
- Intel Source:
- Unit42
- Intel Name:
- The_Analysis_of_Hidden_Threats
- Date of Scan:
- 2023-03-23
- Impact:
- LOW
- Summary:
- Researchers from PaloAlto have discussed two important ways they have been able to tailor the analysis environment. Threats are continually evolving, and architecting analysis systems as more of a flexible, nicely abstracted software development kit instead of a stand-alone monolithic application is crucial.
Source:
https://unit42.paloaltonetworks.com/tailoring-sandbox-techniques/
—
- Intel Source:
- Cyfirma
- Intel Name:
- The_New_Ransomware_Named_ALC_Ransomware
- Date of Scan:
- 2023-03-23
- Impact:
- LOW
- Summary:
- CYFIRMA researchers have identified a new strain of malware, named ALC Ransomware, which masquerades as ransomware but is scareware. This malware does not encrypt files on the victim’s machine, but instead disables the task manager, locks the screen, and displays a ransom note.
Source:
https://www.cyfirma.com/outofband/alc-scareware-pretends-to-be-a-ransomware/
—
- Intel Source:
- Cyble
- Intel Name:
- Emotet_Malware_Spreading_via_OneNote_Attachments_to_Deliver_Payloads
- Date of Scan:
- 2023-03-23
- Impact:
- LOW
- Summary:
- Cyble researchers have closely monitored the Emotet campaign and identified that it is again spreading malicious emails and infecting devices globally by rebuilding its network.
Source:
https://blog.cyble.com/2023/03/17/recent-emotet-spam-campaign-utilizing-new-tactics/
—
- Intel Source:
- Unit 42
- Intel Name:
- An_Emerging_Ransomware_Strain_Named_Trigona_Ransomware
- Date of Scan:
- 2023-03-23
- Impact:
- LOW
- Summary:
- PaloAlto researchers have identified two new Trigona ransom notes in January 2023 and two in February 2023. Trigona’s ransom notes are unique; rather than the usual text file, they are instead presented in an HTML Application with embedded JavaScript containing unique computer IDs (CID) and victim IDs (VID).
Source:
https://unit42.paloaltonetworks.com/trigona-ransomware-update/
—
- Intel Source:
- Cyble
- Intel Name:
- SideCopy_APT_group_targets_India_government_organization
- Date of Scan:
- 2023-03-23
- Impact:
- LOW
- Summary:
- Recently, Cyble researchers discovered a Twitter post of an ongoing campaign by SideCopy APT against the “Defence Research and Development Organisation” of the Indian government. DRDO is a government agency tasked with researching and developing advanced technologies for use by the Indian Armed Forces.
Source:
https://blog.cyble.com/2023/03/21/notorious-sidecopy-apt-group-sets-sights-on-indias-drdo/
—
- Intel Source:
- CrowdStrike
- Intel Name:
- Microsoft_OneNote_Attachments_used_by_QakBot_eCrime_Campaign
- Date of Scan:
- 2023-03-22
- Impact:
- LOW
- Summary:
- https://www.crowdstrike.com/blog/qakbot-ecrime-campaign-leverages-microsoft-onenote-for-distribution/
—
- Intel Source:
- ZScaler
- Intel Name:
- The_Examination_of_the_Attack_Vectors_of_APT37
- Date of Scan:
- 2023-03-22
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have analyzed APT37 and found it is a threat actor heavily focused on targeting entities in South Korea. It is constantly updating its tactics, techniques, and procedures, as is evident from the multiple file types it uses in the initial stages. The themes used by this threat actor range from geopolitics, current events, and education to finance and insurance.
Source:
https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
—
- Intel Source:
- Rapid7
- Intel Name:
- Observed_Exploitation_of_Adobe_ColdFusion
- Date of Scan:
- 2023-03-22
- Impact:
- LOW
- Summary:
- Rapid7’s Threat Intel team has observed active exploitation of Adobe ColdFusion in multiple customer environments.
Source:
https://www.rapid7.com/blog/post/2023/03/21/etr-rapid7-observed-exploitation-of-adobe-coldfusion/
—
- Intel Source:
- ASEC
- Intel Name:
- New_ShellBot_DDoS_Malware_Targeting_Poorly_Managed_Linux_Servers
- Date of Scan:
- 2023-03-22
- Impact:
- LOW
- Summary:
- ASEC researchers have observed that poorly managed Linux SSH servers are being targeted as part of a new campaign that deploys different variants of malware called ShellBot. ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server.
—
- Intel Source:
- JFrog
- Intel Name:
- Hackers_targeting_DotNET_Developers_With_Malicious_NuGet_Packages
- Date of Scan:
- 2023-03-21
- Impact:
- LOW
- Summary:
- Researchers from JFrog have identified that threat actors are targeting and infecting .NET developers with cryptocurrency stealers delivered through the NuGet repository and impersonating multiple legitimate packages via typosquatting.
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- The_Analysis_of_FudModule_within_the_Lazarus
- Date of Scan:
- 2023-03-21
- Impact:
- LOW
- Summary:
- Researchers from IBM Security Intelligence have analyzed the FudModule within the Lazarus sample, as well as highlighted a strategy of using telemetry stream health as a mode of detecting malware designed to impair defenses through ETW tampering.
Source:
https://securityintelligence.com/posts/defensive-considerations-lazarus-fudmodule/
—
- Intel Source:
- Securelist
- Intel Name:
- A_New_APT_Discovered_in_the_Area_of_Russo_Ukrainian_Conflict
- Date of Scan:
- 2023-03-21
- Impact:
- LOW
- Summary:
- Securelist researchers have identified a new APT group but have not yet found any direct links between the samples and data used in this campaign and any previously known actors. However, the campaign is still active, and the investigation continues.
—
- Intel Source:
- Mandiant
- Intel Name:
- Chinese_Hackers_Suspected_of_Launching_Fortinet_Zero_day_Attacks
- Date of Scan:
- 2023-03-20
- Impact:
- MEDIUM
- Summary:
- Mandiant researchers have discovered that a suspected Chinese hacking group has been linked to a series of attacks on government organizations exploiting a Fortinet zero-day vulnerability (CVE-2022-41328) to deploy malware.
Source:
https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem
—
- Intel Source:
- WithSecure
- Intel Name:
- Hackers_From_China_and_Russia_using_SILKLOADER_Malware_to_Avoid_Detection
- Date of Scan:
- 2023-03-20
- Impact:
- LOW
- Summary:
- Researchers from WithSecure Labs have investigated an interesting Cobalt Strike beacon loader that leverages DLL side-loading, which they are tracking as SILKLOADER. By taking a closer look at the loader, they identified several activity clusters leveraging it within the Russian as well as Chinese cybercriminal ecosystems.
Source:
https://labs.withsecure.com/content/dam/labs/docs/withsecure-silkloader.pdf
—
- Intel Source:
- Checkpoint
- Intel Name:
- In_depth_Analysis_of_DotRunpeX_Injector
- Date of Scan:
- 2023-03-20
- Impact:
- LOW
- Summary:
- Researchers from Checkpoint have analyzed the dotRunpeX injector and its relation to the older version, and the investigation shows that dotRunpeX is used in the wild to deliver numerous known malware families.
—
- Intel Source:
- Akamai
- Intel Name:
- Diving_Deep_into_Go_Based_Threat
- Date of Scan:
- 2023-03-20
- Impact:
- LOW
- Summary:
- Researchers from Akamai discovered a new botnet named HinataBot at the start of the year, catching it on their HTTP and SSH honeypots and observing it exploiting old flaws such as CVE-2014-8361 and CVE-2017-17215.
Source:
https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet
—
- Intel Source:
- Uptycs
- Intel Name:
- A_New_InfoStealer_Named_HookSpoofer
- Date of Scan:
- 2023-03-20
- Impact:
- LOW
- Summary:
- Uptycs researchers have discovered a new Infostealer with keylogging and clipper capabilities named HookSpoofer spreading by multiple bundlers. A bundler is a collection of two or more files combined together in a single package.
Source:
https://www.uptycs.com/blog/threat-research-hookspoofer
—
- Intel Source:
- Redacted
- Intel Name:
- BianLian_Ransomware_Gang_Turns_to_Data_Extortion
- Date of Scan:
- 2023-03-20
- Impact:
- LOW
- Summary:
- Redacted researchers have identified that the BianLian ransomware group has shifted its focus from encrypting its victims’ files to only exfiltrating data found on compromised networks and using it for extortion.
Source:
https://redacted.com/blog/bianlian-ransomware-gang-continues-to-evolve/
—
- Intel Source:
- G Data Blog
- Intel Name:
- ChatGPT_Rising_Activities_in_Cybercrime_World
- Date of Scan:
- 2023-03-18
- Impact:
- MEDIUM
- Summary:
- Researchers from G DATA have observed that cyberthreat actors capitalize on prominent social events and the latest technology buzzwords to launch their attacks. The curtain raiser for 2023 that made the headlines was the clamor and viral use of a very human-sounding artificial intelligence chatbot named ChatGPT.
Source:
https://www.gdatasoftware.com/blog/2023/03/37716-chatgpt-evil-twin
—
- Intel Source:
- Lab52
- Intel Name:
- APT_C_36_Linked_With_Campaigns
- Date of Scan:
- 2023-03-18
- Impact:
- LOW
- Summary:
- Researchers from Lab52 have observed that the APT-C-36 group has many similarities in terms of tactics, techniques, and procedures (TTPs) with the group Hagga / Aggah.
Source:
https://lab52.io/blog/apt-c-36-from-njrat-to-apt-c-36/
—
- Intel Source:
- Sentinelone
- Intel Name:
- The_Investigation_of_Winter_Vivern_APT_Activity
- Date of Scan:
- 2023-03-18
- Impact:
- LOW
- Summary:
- SentinelOne researchers have analyzed Winter Vivern Advanced Persistent Threat (APT) activity, leveraging observations made by the Polish CBZC and Ukraine CERT, and uncovered a previously unknown set of espionage campaigns and targeting activities conducted by this threat actor.
Source:
https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/
—
- Intel Source:
- Sophos
- Intel Name:
- The_Popularity_of_ProxyNotShell_Continues_to_Grow
- Date of Scan:
- 2023-03-18
- Impact:
- LOW
- Summary:
- Researchers from Sophos have observed that the ProxyNotShell vulnerability continues to make waves as the November 2022 fixes fail to contain the SSRF tactic.
Source:
https://news.sophos.com/en-us/2023/03/15/observing-owassrf-exchange-exploitation-still/
—
- Intel Source:
- Talos
- Intel Name:
- Hackers_From_YoroTrooper_Group_Targeting_CIS_Energy_Orgs_and_EU_Embassies
- Date of Scan:
- 2023-03-17
- Impact:
- MEDIUM
- Summary:
- Cisco Talos researchers have identified a new threat actor named ‘YoroTrooper’ that has been running cyber-espionage campaigns since at least June 2022, targeting government and energy organizations in Commonwealth of Independent States (CIS) countries.
Source:
https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/
—
- Intel Source:
- ASEC
- Intel Name:
- Mallox_Ransomware_Distributing_in_Korea
- Date of Scan:
- 2023-03-16
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the distribution of the Mallox ransomware which targets vulnerable MS-SQL servers.
—
- Intel Source:
- CISA
- Intel Name:
- Telerik_Vulnerability_in_US_Government_IIS_Server
- Date of Scan:
- 2023-03-16
- Impact:
- MEDIUM
- Summary:
- CISA, the FBI, and MS-ISAC released a joint Cybersecurity Advisory. This joint CSA provides IT infrastructure defenders with TTPs, IOCs, and detection and protection methods against similar, successful CVE-2019-18935 exploitation.
—
- Intel Source:
- Cyble
- Intel Name:
- Hackers_Exploiting_SVB_Collapse_Scenario
- Date of Scan:
- 2023-03-16
- Impact:
- LOW
- Summary:
- Cyble researchers have identified several suspicious websites that have emerged in the wake of the Silicon Valley Bank (SVB) collapse.
Source:
https://blog.cyble.com/2023/03/14/svb-collapse-triggers-heightened-cybersecurity-concerns/
—
- Intel Source:
- Blackberry
- Intel Name:
- Russian_Threat_Group_NOBELIUM_Targeting_Western_Countries
- Date of Scan:
- 2023-03-16
- Impact:
- MEDIUM
- Summary:
- Researchers from Blackberry have observed a new campaign targeting European Union countries, specifically, its diplomatic entities and systems transmitting sensitive information about the region’s politics, aiding Ukrainian citizens fleeing the country, and providing help to the government of Ukraine.
Source:
https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine
—
- Intel Source:
- Google Blog
- Intel Name:
- Microsoft_SmartScreen_Bypassed_by_Magniber_Ransomware_Actors
- Date of Scan:
- 2023-03-16
- Impact:
- LOW
- Summary:
- Researchers from Google threat analysis group have discovered the usage of an unpatched security bypass in Microsoft’s SmartScreen security feature, which financially motivated actors are using to deliver the Magniber ransomware without any security warnings. The attackers are delivering MSI files signed with an invalid but specially crafted Authenticode signature.
—
- Intel Source:
- Microsoft
- Intel Name:
- Large_Scale_Phishing_Campaigns_are_Powered_by_DEV_1101_AiTM_Phishing_Kit
- Date of Scan:
- 2023-03-16
- Impact:
- MEDIUM
- Summary:
- Researchers from Microsoft have identified an open-source adversary-in-the-middle (AiTM) phishing kit that has found a number of takers in the cybercrime world for its ability to orchestrate attacks at scale. Microsoft is tracking the threat actor behind the development of the kit under its emerging moniker DEV-1101.
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Examination_of_FG_IR_22_369
- Date of Scan:
- 2023-03-16
- Impact:
- HIGH
- Summary:
- FortiGate researchers have identified that government entities and large organizations are being targeted by an unknown threat actor exploiting a security flaw in Fortinet FortiOS software, resulting in data loss and OS and file corruption.
Source:
https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis
—
- Intel Source:
- Welivesecurity
- Intel Name:
- APT_Group_Tick_Targeting_Data_Loss_Prevention_Company
- Date of Scan:
- 2023-03-16
- Impact:
- MEDIUM
- Summary:
- ESET researchers have discovered a campaign by the APT group Tick. The attackers compromised the DLP company’s internal update servers to deliver malware inside the software developer’s network, and trojanized installers of legitimate tools used by the company, which eventually resulted in the execution of malware on the computers of the company’s customers.
—
- Intel Source:
- Juniper
- Intel Name:
- A_Look_at_Dark_Side_of_Email_Traffic
- Date of Scan:
- 2023-03-16
- Impact:
- LOW
- Summary:
- Researchers from Juniper have analyzed the dark side of email traffic, uncovering some of the latest malware threats, tactics, and trends that can potentially undermine the systems.
Source:
https://blogs.juniper.net/en-us/threat-research/uncovering-the-dark-side-of-email-traffic
—
- Intel Source:
- Sentinelone
- Intel Name:
- Diving_Deep_into_CatB_Ransomware
- Date of Scan:
- 2023-03-16
- Impact:
- LOW
- Summary:
- SentinelOne researchers have analyzed the CatB ransomware and its abuse of the legitimate MSDTC service, describing its evasion tactics, encryption behavior, and its attempts to steal credentials and browser data.
Source:
https://www.sentinelone.com/blog/decrypting-catb-ransomware-analyzing-their-latest-attack-methods/
—
- Intel Source:
- Cyble
- Intel Name:
- The_MedusaLocker_Ransomware_is_Revealed
- Date of Scan:
- 2023-03-16
- Impact:
- LOW
- Summary:
- Researchers from Cyble have unmasked the MedusaLocker ransomware. It’s known to target Hospital and Healthcare industries, but additionally, the gang also targets industries such as Education and Government organizations.
Source:
https://blog.cyble.com/2023/03/15/unmasking-medusalocker-ransomware/
—
- Intel Source:
- ASEC
- Intel Name:
- A_CHM_malware_by_the_Kimsuky_group
- Date of Scan:
- 2023-03-15
- Impact:
- LOW
- Summary:
- ASEC has discovered a new CHM malware created by the Kimsuky group. This malware type is the same one that the researchers mentioned earlier in their posts on the malware distributed by the Kimsuky group, its goal being the exfiltration of user information.
—
- Intel Source:
- Netscope
- Intel Name:
- Increasingly_Abusing_of_DigitalOcean_by_attackers
- Date of Scan:
- 2023-03-15
- Impact:
- LOW
- Summary:
- Netskope Threat Labs observed increased traffic to malicious web pages hosted on DigitalOcean in the last couple of months. This new scam campaign mimics Windows Defender and tries to deceive users into believing that their computer is infected. The purpose of this scam is to lure victims into contacting a scam “help line”. The attackers then try to gain remote access to the victim’s computer to either install malware or request payment from the victims.
Source:
https://www.netskope.com/blog/attackers-increasingly-abusing-digitalocean-to-host-scams-and-phishing
—
- Intel Source:
- Mandiant
- Intel Name:
- North_Korea_s_UNC2970_TTPs_Part_1_and_2
- Date of Scan:
- 2023-03-15
- Impact:
- MEDIUM
- Summary:
- During their investigation, Mandiant researchers discovered most of the originally compromised hosts targeted by UNC2970. Mandiant Managed Defense also discovered that this group is targeting a U.S.-based technology company.
Source:
https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970
https://www.mandiant.com/resources/blog/lightshift-and-lightshow
—
- Intel Source:
- Cofense
- Intel Name:
- Emotet_resumes_sending_malicious_emails
- Date of Scan:
- 2023-03-14
- Impact:
- LOW
- Summary:
- Researchers from Cofense have discovered that after several months of inactivity, the Emotet botnet resumed email activity this morning at 8:00am EST. The malicious emails seem to be replying to already existing email chains, with the addition of an attached .zip file. The .zip files are not password protected. The themes of the attached files include finances and invoices.
Source:
https://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/
—
- Intel Source:
- MetaBase Q
- Intel Name:
- The_new_ATM_Malware_FiXS
- Date of Scan:
- 2023-03-14
- Impact:
- LOW
- Summary:
- FiXs is a new ATM malware that steals data from ATMs and infects computers. Metabase Q has been tracking and monitoring the rise of ATM malware that takes advantage of physical and digital components of the ATM.
—
- Intel Source:
- Talos
- Intel Name:
- New_capabilities_of_Prometei_botnet
- Date of Scan:
- 2023-03-14
- Impact:
- MEDIUM
- Summary:
- Researchers from Talos have observed Prometei with updated infrastructure components and capabilities. The botnet operators updated certain submodules of the execution chain to automate processes and challenge forensic analysis methods. The threat actors are actively spreading improved Linux versions of the Prometei bot, v3. Researchers have also observed new functionality, which includes an additional C2 domain generation algorithm (DGA), a self-updating mechanism, and a bundled version of the Apache web server with a web shell. This bot is possibly influenced by the war in Ukraine.
Source:
https://blog.talosintelligence.com/prometei-botnet-improves/
—
- Intel Source:
- Mandiant
- Intel Name:
- Chinese_Hacker_Running_Malware_on_Unpatched_SMA
- Date of Scan:
- 2023-03-13
- Impact:
- LOW
- Summary:
- Mandiant researchers have identified a suspected Chinese campaign that involves maintaining long-term persistence by running malware on an unpatched SonicWall Secure Mobile Access (SMA) appliance. The malware has the functionality to steal user credentials, provide shell access, and persist through firmware upgrades. Mandiant currently tracks this actor as UNC4540.
Source:
https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall
—
- Intel Source:
- ISC.SANS
- Intel Name:
- AsynRAT_Trojan_Distributing_via_Bill_Payment_Email
- Date of Scan:
- 2023-03-13
- Impact:
- LOW
- Summary:
- Researchers from SANS observed that their mail server quarantined the file FautraPago392023.gz. After decompressing (gunzip) the file, there was no .exe extension associated with it. The source and destination addresses are both blank, without an actual email address.
Source:
https://isc.sans.edu/diary/AsynRAT+Trojan+Bill+Payment+Pago+de+la+factura/29626/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Overview_of_a_Mirai_Payload_Generator
- Date of Scan:
- 2023-03-13
- Impact:
- LOW
- Summary:
- Researchers from SANS have observed that their honeypot is still hit by hundreds of Mirai requests every day. Upon analysis, they found a Python script that generates a Mirai payload and deploys networking services to serve it via FTP, HTTP, and TFTP.
Source:
https://isc.sans.edu/diary/Overview+of+a+Mirai+Payload+Generator/29624/
—
- Intel Source:
- PaloAlto
- Intel Name:
- New_GoBruteforcer_Malware_Targeting_phpMyAdmin_MySQL_FTP_and_Postgres
- Date of Scan:
- 2023-03-13
- Impact:
- MEDIUM
- Summary:
- PaloAlto researchers have identified a newly discovered Golang-based botnet malware that scans for and infects web servers running phpMyAdmin, MySQL, FTP, and Postgres services.
Source:
https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/?web_view=true
—
- Intel Source:
- ASEC
- Intel Name:
- Netcat_Malware_Targeting_MS_SQL_Servers
- Date of Scan:
- 2023-03-13
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered the distribution of the Netcat malware targeting poorly managed MS-SQL servers. Netcat is a utility that allows users to send and receive data from specific destinations on a network connected by the TCP/UDP protocol.
—
- Intel Source:
- Esentire
- Intel Name:
- BATLOADER_Malware_Leveraging_Google_Ads
- Date of Scan:
- 2023-03-13
- Impact:
- MEDIUM
- Summary:
- Esentire researchers have discovered that the malware downloader known as BATLOADER is abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif. The malicious ads are used to spoof a wide range of legitimate apps and services such as Adobe, OpenAI’s ChatGPT, Spotify, Tableau, and Zoom.
—
- Intel Source:
- Cofense
- Intel Name:
- New_Phishing_Scam_Using_Fake_SBA_Grants
- Date of Scan:
- 2023-03-13
- Impact:
- LOW
- Summary:
- Researchers from Cofense have observed a phishing campaign attempting to impersonate the US Small Business Administration (SBA), offering grants in the hope that someone unfortunate will provide their credentials.
Source:
https://cofense.com/blog/fake-small-business-administration-sba-grant-used-in-new-phishing-scam/
—
- Intel Source:
- ASEC
- Intel Name:
- PlugX_Malware_Exploits_Remote_Desktop_Software_Flaws
- Date of Scan:
- 2023-03-11
- Impact:
- MEDIUM
- Summary:
- Researchers from ASEC have discovered that security vulnerabilities in remote desktop programs such as Sunlogin and AweSun are being exploited by threat actors to deploy the PlugX malware.
—
- Intel Source:
- Cyble
- Intel Name:
- Chaos_Ransomware_Shadow_is_Cast_by_BlackSnake_Ransomware
- Date of Scan:
- 2023-03-11
- Impact:
- LOW
- Summary:
- Cyble Labs researchers have discovered a ransomware variant that not only encrypts victims’ files but also steals their Discord tokens.
Source:
https://blog.cyble.com/2023/03/09/blacksnake-ransomware-emerges-from-chaos-ransomwares-shadow/
—
- Intel Source:
- Securelist
- Intel Name:
- The_Use_of_Search_Engines_For_Malvertising
- Date of Scan:
- 2023-03-10
- Impact:
- LOW
- Summary:
- Researchers from Securelist have observed an increase in the number of malicious campaigns that use Google Advertising as a means of distributing and delivering malware. At least two different stealers, Rhadamanthys and RedLine, are abusing the search engine promotion plan in order to deliver malicious payloads to victims’ machines.
Source:
https://securelist.com/malvertising-through-search-engines/108996/
—
- Intel Source:
- Sentinelone
- Intel Name:
- IceFire_Ransomware_Exploiting_IBM_Aspera_Faspex
- Date of Scan:
- 2023-03-10
- Impact:
- MEDIUM
- Summary:
- SentinelOne researchers have identified that a Windows-based ransomware strain known as IceFire has expanded its focus to target Linux enterprise networks belonging to several media and entertainment sector organizations across the world.
Source:
https://www.sentinelone.com/labs/icefire-ransomware-returns-now-targeting-linux-enterprise-networks/
—
- Intel Source:
- Fortinet
- Intel Name:
- New_ScrubCrypt_Crypter_Targeting_Oracle_WebLogic
- Date of Scan:
- 2023-03-10
- Impact:
- MEDIUM
- Summary:
- Fortinet Lab researchers have observed that the attack chain commences with the successful exploitation of susceptible Oracle WebLogic servers to download a PowerShell script that contains ScrubCrypt.
Source:
https://www.fortinet.com/blog/threat-research/old-cyber-gang-uses-new-crypter-scrubcrypt
—
- Intel Source:
- Cofense
- Intel Name:
- Increasing_Phishing_Campaigns_During_Tax_Season
- Date of Scan:
- 2023-03-09
- Impact:
- LOW
- Summary:
- Researchers from Cofense have identified threat actors attempting to use tax season to target recipients with a potential refund, using the Adobe file-sharing service to deliver the phishing content.
Source:
https://cofense.com/blog/tax-season-phishing-campaigns-are-ramping-up/
—
- Intel Source:
- Trustwave
- Intel Name:
- OneNote_Misused_by_Cybercriminals
- Date of Scan:
- 2023-03-09
- Impact:
- LOW
- Summary:
- Researchers from Trustwave have analyzed the activity of cybercriminals as to how they are abusing OneNote.
—
- Intel Source:
- ZScaler
- Intel Name:
- Analysis_of_Nevada_Ransomware_and_Compares_With_Nokoyawa_Ransomware
- Date of Scan:
- 2023-03-09
- Impact:
- LOW
- Summary:
- Zscaler ThreatLab has identified significant code similarities between the Nevada and Nokoyawa ransomware, including debug strings, command-line arguments, and encryption algorithms.
Source:
https://www.zscaler.com/blogs/security-research/nevada-ransomware-yet-another-nokayawa-variant
—
- Intel Source:
- Volexity
- Intel Name:
- Analysis_of_Memory_For_Detecting_EDR_Nullifying_Malware
- Date of Scan:
- 2023-03-09
- Impact:
- LOW
- Summary:
- Volexity researchers have examined how the technique of attacking endpoint detection and response (EDR) and antivirus (AV) software could reliably be detected through memory analysis.
Source:
https://www.volexity.com/blog/2023/03/07/using-memory-analysis-to-detect-edr-nullifying-malware/
—
- Intel Source:
- Checkpoint
- Intel Name:
- Chinese_Cyber_Attack_Against_Southeast_Asian_Government_Entities
- Date of Scan:
- 2023-03-08
- Impact:
- HIGH
- Summary:
- Researchers from Checkpoint have analyzed the TTPs and the tools used in the espionage campaign against Southeast Asian government entities. The initial infection stages of this campaign use TTPs and tools consistent with Sharp Panda activity.
—
- Intel Source:
- Fortinet
- Intel Name:
- In_Depth_Analysis_of_Sirattacker_and_ALC_Ransomware
- Date of Scan:
- 2023-03-08
- Impact:
- MEDIUM
- Summary:
- FortiGate Lab researchers have gathered data on ransomware variants of interest that have been gaining traction within their datasets and the OSINT community. They analyzed the Sirattacker and ALC ransomware variants, which target Microsoft Windows users.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-sirattacker-acl?&web_view=true
—
- Intel Source:
- Cyware
- Intel Name:
- PyPI_package_delivers_malicious_Colour_Blind_RAT
- Date of Scan:
- 2023-03-08
- Impact:
- LOW
- Summary:
- Researchers from Cyware have identified a malicious PyPI package that delivers a fully-featured information stealer and remote access trojan dubbed Colour-Blind.
Source:
https://cyware.com/news/malicious-pypi-package-delivers-colour-blind-rat-1c24f4e6/?web_view=true
—
- Intel Source:
- ASEC
- Intel Name:
- GlobeImposter_Ransomware_Installed_Using_RDP
- Date of Scan:
- 2023-03-08
- Impact:
- LOW
- Summary:
- ASEC has recently discovered the active distribution of the GlobeImposter ransomware. This attack is being carried out by the threat actors behind MedusaLocker.
—
- Intel Source:
- Trellix
- Intel Name:
- Qakbot_evolves_to_OneNote_Malware_Distribution
- Date of Scan:
- 2023-03-08
- Impact:
- MEDIUM
- Summary:
- Researchers from Trellix have discovered that Qakbot (aka QBot, QuakBot, and Pinkslipbot), a sophisticated piece of malware, has seen an upsurge in the number of campaigns using a novel delivery technique: OneNote documents for malware distribution.
—
- Intel Source:
- PaloAlto
- Intel Name:
- LokiBot_Distributing_via_Phishing_Emails
- Date of Scan:
- 2023-03-07
- Impact:
- LOW
- Summary:
- PaloAlto researchers have uncovered a malware distribution campaign that is delivering the LokiBot information stealer via business email compromise (BEC) phishing emails. This malware is designed to steal sensitive information from victims’ systems, such as passwords and banking information, as well as other sensitive data.
Source:
https://unit42.paloaltonetworks.com/lokibot-spike-analysis/
—
- Intel Source:
- Bitdefender
- Intel Name:
- Phishing_Campaign_Using_Copycat_ChatGPT_Platform
- Date of Scan:
- 2023-03-07
- Impact:
- MEDIUM
- Summary:
- Researchers from BitDefender Labs have identified that the success of the viral AI tool has also attracted the attention of fraudsters, who use the technology to conduct highly sophisticated investment scams against unwary internet users.
—
- Intel Source:
- PRODAFT
- Intel Name:
- In_Depth_Analysis_of_RIG_Exploit_Kit
- Date of Scan:
- 2023-03-07
- Impact:
- LOW
- Summary:
- Researchers from Prodaft have analyzed the RIG Exploit Kit. It is malware operated under a MaaS subscription model and is enjoying the most productive period of its lifetime in terms of successful attacks.
Source:
https://www.prodaft.com/resource/detail/rig-rig-exploit-kit-depth-analysis
—
- Intel Source:
- Lumen
- Intel Name:
- New_HiatusRAT_Malware_Targeting_Business_Grade_Routers
- Date of Scan:
- 2023-03-07
- Impact:
- MEDIUM
- Summary:
- Lumen researchers have observed malware that is targeting business-grade routers to covertly spy on victims in Latin America, Europe, and North America at least since July 2022.
Source:
https://blog.lumen.com/new-hiatusrat-router-malware-covertly-spies-on-victims/
—
- Intel Source:
- Trellix
- Intel Name:
- Phishing_Campaign_Targeting_Job_Seekers_and_Employers
- Date of Scan:
- 2023-03-07
- Impact:
- LOW
- Summary:
- Researchers from Trellix have discovered that threat actors are exploiting the ongoing economic downturn by using job-themed phishing and malware campaigns to target job seekers and employers, to steal sensitive information and hack company recruiters.
—
- Intel Source:
- ASEC
- Intel Name:
- The_Analysis_of_Lazarus_Group
- Date of Scan:
- 2023-03-07
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that Lazarus group’s malware strains have been found in various Korean companies related to national defense, satellites, software, media press, etc. Hence, they pursued and analyzed the Lazarus threat group’s activities and related malware.
—
- Intel Source:
- Nviso
- Intel Name:
- OneNote_Embedded_File_Abuse
- Date of Scan:
- 2023-03-07
- Impact:
- LOW
- Summary:
- Researchers from Nviso have observed that the OneNote feature being abused in these phishing campaigns is the ability to hide embedded files behind pictures, which entices the user to click the picture. If the picture is clicked, it executes the file hidden beneath.
Source:
https://blog.nviso.eu/2023/02/27/onenote-embedded-file-abuse/
—
- Intel Source:
- Fortinet
- Intel Name:
- MyDoom_Worm_Distributing_via_Phishing_Email
- Date of Scan:
- 2023-03-06
- Impact:
- LOW
- Summary:
- Researchers from Fortinet have identified a phishing campaign using the MyDoom worm. It was first discovered back in 2004 and it has seen some updates and modifications since its introduction.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- RIG_Exploit_Kit_Targeting_Internet_Explorer_Users
- Date of Scan:
- 2023-03-06
- Impact:
- LOW
- Summary:
- Malwarebytes researchers have identified that Internet Explorer (IE) is still being exploited by exploit kits like the RIG exploit kit (EK).
—
- Intel Source:
- ZScaler
- Intel Name:
- OneNote_Documents_Distributing_Malware
- Date of Scan:
- 2023-03-06
- Impact:
- LOW
- Summary:
- Zscaler researchers have observed that threat actors are increasingly using Microsoft OneNote documents to deliver malware via phishing emails.
Source:
https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
—
- Intel Source:
- Cyble
- Intel Name:
- WhiteSnake_Stealer_Targeting_Windows_and_Linux_Users
- Date of Scan:
- 2023-03-06
- Impact:
- LOW
- Summary:
- Cyble researchers have discovered a new malware strain called “WhiteSnake” Stealer. This stealer is available in versions designed for both Windows and Linux. It is capable of gathering a range of sensitive information, including passwords, cookies, credit card numbers, screenshots, and other personal or financial data.
Source:
https://blog.cyble.com/2023/02/24/new-whitesnake-stealer-offered-for-sale-via-maas-model/
—
- Intel Source:
- Welivesecurity
- Intel Name:
- Hackers_From_China_Using_Custom_Backdoor_to_Evade_Detection
- Date of Scan:
- 2023-03-06
- Impact:
- LOW
- Summary:
- Researchers from Welivesecurity have identified that the Chinese cyber espionage hacking group Mustang Panda is deploying a new custom backdoor named ‘MQsTTang’ in attacks starting this year.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Spear_Phishing_Campaign_Targeting_Hospitality_Industry_Using_RedLine_Stealer
- Date of Scan:
- 2023-03-06
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have identified an evasive RedLine Stealer spear-phishing campaign that targets the hospitality industry.
—
- Intel Source:
- Sysdig
- Intel Name:
- Hackers_From_SCARLETEEL_Using_Advanced_Cloud_Skills_to_Steal_Source_Code_and_Data
- Date of Scan:
- 2023-03-06
- Impact:
- MEDIUM
- Summary:
- Sysdig researchers have discovered a sophisticated cloud operation in a customer environment, dubbed SCARLETEEL, that resulted in stolen proprietary data. The attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account in order to steal proprietary software and credentials.
Source:
https://sysdig.com/blog/cloud-breach-terraform-data-theft/
—
- Intel Source:
- Cyble
- Intel Name:
- LockBit_Ransomware_Attack_on_Indian_Companies
- Date of Scan:
- 2023-03-06
- Impact:
- LOW
- Summary:
- Cyble researchers have observed that the LockBit ransomware group claimed to have compromised the networks of an Indian investment company, Infrastructure Leasing & Financial Services Limited (IL&FS), on February 28, 2023.
Source:
https://blog.cyble.com/2023/03/01/ransomware-attack-on-ilfs/
—
- Intel Source:
- CISA
- Intel Name:
- The_New_TTPs_of_Royal_ransomware
- Date of Scan:
- 2023-03-06
- Impact:
- MEDIUM
- Summary:
- The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released the joint CSA to disseminate known Royal ransomware IOCs and TTPs identified through FBI threat response activities as recently as January 2023.
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a
—
- Intel Source:
- Cyfirma
- Intel Name:
- The_Examination_of_EXFILTRATION_22
- Date of Scan:
- 2023-03-04
- Impact:
- LOW
- Summary:
- Researchers from Cyfirma have provided an analysis of a new post-exploitation framework called EXFILTRATOR-22, a.k.a. EX-22.
Source:
https://www.cyfirma.com/outofband/exfiltrator-22-an-emerging-post-exploitation-framework/
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Deep_Investigation_of_LockBit_Ransomware_Campaign
- Date of Scan:
- 2023-03-04
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs researchers have observed a new LockBit ransomware campaign in December and January that used a combination of techniques effective against AV and EDR solutions, and analyzed the infection chain and Tactics, Techniques, and Procedures (TTPs) of this campaign.
Source:
https://www.fortinet.com/blog/threat-research/emerging-lockbit-campaign?&web_view=true
—
- Intel Source:
- Talos
- Intel Name:
- The_deployment_of_New_MortalKombat_Ransomware_and_Laplas_Clipper_Malware_threats
- Date of Scan:
- 2023-03-04
- Impact:
- MEDIUM
- Summary:
- Since last December, the Cisco Talos team has been observing a new actor who used two new threats, MortalKombat ransomware and a GO variant of the Laplas Clipper malware, to steal cryptocurrency from victims. Talos researchers have also seen the actor scanning the internet for victim machines with an exposed remote desktop protocol (RDP) port 3389, using one of their download servers that runs an RDP crawler and also serves MortalKombat ransomware. After the researchers analyzed the commonalities in the code, class names, and registry key strings, they assess that the MortalKombat ransomware belongs to the Xorist family.
Source:
https://blog.talosintelligence.com/new-mortalkombat-ransomware-and-laplas-clipper-malware-threats/
—
- Intel Source:
- Welivesecurity
- Intel Name:
- BlackLotus_Malware_Capable_of_Bypassing_Secure_Boot
- Date of Scan:
- 2023-03-03
- Impact:
- MEDIUM
- Summary:
- Researchers from Welivesecurity have identified that a stealthy Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus has become the first UEFI bootkit malware to bypass Secure Boot on Windows 11.
Source:
https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
—
- Intel Source:
- Blackberry
- Intel Name:
- Hackers_From_Blind_Eagle_Targeting_Organizations_in_Colombia_and_Ecuador
- Date of Scan:
- 2023-03-01
- Impact:
- LOW
- Summary:
- BlackBerry researchers have identified a new campaign where the threat actor impersonated a Colombian government tax agency to target key industries in Colombia, including health, financial, law enforcement, immigration, and an agency in charge of peace negotiation in the country.
Source:
https://blogs.blackberry.com/en/2023/02/blind-eagle-apt-c-36-targets-colombia
—
- Intel Source:
- Proofpoint
- Intel Name:
- Diving_Deep_into_TA_69_and_its_SocGholish_Payload
- Date of Scan:
- 2023-03-01
- Impact:
- LOW
- Summary:
- Researchers from Proofpoint have observed changes in the tactics, techniques, and procedures (TTPs) employed by TA569. Changes include an increase in the number of injection varieties, as well as payloads deviating from the standard SocGholish “Fake Update” JavaScript packages.
Source:
https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond
—
- Intel Source:
- Inquest
- Intel Name:
- Threat_Actors_Using_Microsoft_OneNote_for_Malicious_Campaigns
- Date of Scan:
- 2023-03-01
- Impact:
- LOW
- Summary:
- Researchers from Inquest have observed that OneNote has been featured in delivery chains for a number of malware threats distributed by multiple groups.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- BB17_Distribution_Qakbot_Activity
- Date of Scan:
- 2023-03-01
- Impact:
- LOW
- Summary:
- Researchers from SANS have identified an infection with a URL that is found on VirusTotal after pivoting on a search for BB17-tagged distribution URLs for Qakbot.
—
- Intel Source:
- ZScaler
- Intel Name:
- Snip3_Crypter_is_Back_With_New_TTPs
- Date of Scan:
- 2023-03-01
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have identified the crypter being used with new TTPs to deploy RAT families including DcRAT and QuasarRAT, targeting victims across multiple industry verticals such as healthcare, energy and utilities, and manufacturing via spear-phishing emails with subject lines related to “tax statements” to lure victims into execution.
Source:
https://www.zscaler.com/blogs/security-research/snip3-crypter-reveals-new-ttps-over-time
—
- Intel Source:
- Symantec
- Intel Name:
- Hackers_From_Blackfly_Group_Targeting_Materials_Technology
- Date of Scan:
- 2023-03-01
- Impact:
- LOW
- Summary:
- Symantec researchers have identified that the Blackfly espionage group (aka APT41, Winnti Group, Bronze Atlas) has continued to mount attacks against targets in Asia and recently targeted two subsidiaries of an Asian conglomerate, both of which operate in the materials and composites sector, suggesting that the group may be attempting to steal intellectual property.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Iron_Tiger_Group_Targeting_Linux_Through_SysUpdate
- Date of Scan:
- 2023-03-01
- Impact:
- MEDIUM
- Summary:
- Researchers from TrendMicro have identified that hackers from Iron Tiger updated SysUpdate, one of their custom malware families, to include new features and add malware infection support for the Linux platform.
Source:
https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
—
- Intel Source:
- CERT-UA
- Intel Name:
- Cyber_attacks_on_the_Ukrainian_state_organizations
- Date of Scan:
- 2023-02-28
- Impact:
- MEDIUM
- Summary:
- Researchers from CERT-UA have investigated the violation of the integrity and availability of the web resources of a number of state organizations.
—
- Intel Source:
- Cyble
- Intel Name:
- ChatGPT_Based_Phishing_Attacks
- Date of Scan:
- 2023-02-28
- Impact:
- MEDIUM
- Summary:
- Cyble researchers have detected several phishing websites that are being promoted through a fraudulent OpenAI social media page to spread various types of malware. Furthermore, several phishing sites are impersonating ChatGPT to steal credit card information.
Source:
https://blog.cyble.com/2023/02/22/the-growing-threat-of-chatgpt-based-phishing-attacks/
—
- Intel Source:
- ASEC
- Intel Name:
- Malicious_Emails_Impersonating_Shipping_Companies
- Date of Scan:
- 2023-02-28
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered malicious emails impersonating shipping companies being distributed in Korea. These emails prompt users to open the attached file with the subject ‘Submitting import clearance info’.
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_Investigation_of_PlugX_Trojan
- Date of Scan:
- 2023-02-28
- Impact:
- LOW
- Summary:
- TrendMicro researchers have discovered that a file called x32dbg.exe is used to sideload a malicious DLL that they identified as a variant of PlugX.
—
- Intel Source:
- Cofense
- Intel Name:
- Hackers_Abusing_Atlassian
- Date of Scan:
- 2023-02-28
- Impact:
- LOW
- Summary:
- Cofense researchers have observed a phishing campaign, under the guise of a payment remittance, taking advantage of custom URLs from Atlassian to redirect users to their phish.
Source:
https://cofense.com/blog/threat-actors-abuse-atlassian-bypass-multiple-secure-email-gateways-segs/
—
- Intel Source:
- Team Cymru
- Intel Name:
- Chile_IP_Address_Connecting_to_IcedID_BackConnect_C2_Servers
- Date of Scan:
- 2023-02-28
- Impact:
- LOW
- Summary:
- Researchers from Team-Cymru have identified an IP address geolocated to Chile that is used to access various elements of the IcedID infrastructure.
Source:
https://www.team-cymru.com/post/from-chile-with-malware
—
- Intel Source:
- ISC.SANS
- Intel Name:
- URL_Files_and_WebDAV_Using_For_IcedID_Infection
- Date of Scan:
- 2023-02-28
- Impact:
- LOW
- Summary:
- Researchers from SANS have observed that IcedID distribution patterns occasionally change and identified a distribution pattern using .url files and WebDAV traffic for an IcedID infection.
Source:
https://isc.sans.edu/diary/URL+files+and+WebDAV+used+for+IcedID+Bokbot+infection/29578/
—
- Intel Source:
- ASEC
- Intel Name:
- Magniber_Ransomware_is_Back_With_New_Technique
- Date of Scan:
- 2023-02-28
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that Magniber ransomware is distributed as a Windows installer package file (.msi) in Edge and Chrome browsers.
—
- Intel Source:
- Sonatype
- Intel Name:
- PyPI_Malicious_Packages_Dropping_Windows_Trojan_via_Dropbox
- Date of Scan:
- 2023-02-28
- Impact:
- LOW
- Summary:
- Researchers from Sonatype have observed hundreds of packages getting published and removed in batches on the PyPI registry. These packages, despite containing contextual terms like “libs,” “nvidiapaypalsuper,” and so on, are named quite arbitrarily.
—
- Intel Source:
- Cyble
- Intel Name:
- Analysis_of_FortiNAC_Vulnerability_CVE_2022_39952
- Date of Scan:
- 2023-02-28
- Impact:
- LOW
- Summary:
- Cyble researchers have analyzed the vulnerability affecting multiple versions of FortiNAC. The affected product is widely used in mid to large-size enterprises involving state and private entities.
—
- Intel Source:
- WeliveSecurity
- Intel Name:
- Lazarus_Group_Using_New_WinorDLL64_Backdoor
- Date of Scan:
- 2023-02-27
- Impact:
- MEDIUM
- Summary:
- Welivesecurity researchers have observed one of the payloads of the Wslink downloader that was discovered back in 2021. The payload was named WinorDLL64 based on its filename, WinorDLL64.dll. Wslink, which had the filename WinorLoaderDLL64.dll, is a loader for Windows binaries that runs as a server and executes received modules in memory.
Source:
https://www.welivesecurity.com/2023/02/23/winordll64-backdoor-vast-lazarus-arsenal/
—
- Intel Source:
- Crowdstrike & Jamf
- Intel Name:
- I2Pminer_Variant_Targeting_MacOS
- Date of Scan:
- 2023-02-27
- Impact:
- LOW
- Summary:
- CrowdStrike and Jamf researchers have analyzed a macOS-targeted mineware campaign that utilized malicious application bundles to deliver open source XMRig cryptomining software and Invisible Internet Protocol (I2P) network tooling.
—
- Intel Source:
- Symantec
- Intel Name:
- New_Hacking_Group_Clasiopa_Targeting_Materials_Research
- Date of Scan:
- 2023-02-27
- Impact:
- MEDIUM
- Summary:
- Symantec researchers have identified an unknown threat actor targeting materials research organizations in Asia with a distinct set of tools.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clasiopa-materials-research
—
- Intel Source:
- Bitdefender
- Intel Name:
- Hackers_Targeting_Multiple_ManageEngine_Products
- Date of Scan:
- 2023-02-27
- Impact:
- MEDIUM
- Summary:
- Researchers from BitDefender have observed that multiple threat actors opportunistically weaponized a now-patched critical security vulnerability impacting several Zoho ManageEngine products since January 20, 2023.
Additional Blog link: https://www.bitdefender.com/blog/labs/weaponizing-pocs-a-targeted-attack-using-cve-2022-47966/
Source:
https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966
—
- Intel Source:
- Checkmarx
- Intel Name:
- NPM_Packages_Distributing_Phishing_Links
- Date of Scan:
- 2023-02-24
- Impact:
- LOW
- Summary:
- Checkmarx researchers have investigated and uncovered a recurring attack method, in which cyber attackers utilize spamming techniques to flood the open-source ecosystem with packages that include links to phishing campaigns in their README.md files.
Source:
https://checkmarx.com/blog/how-npm-packages-were-used-to-spread-phishing-links/
—
- Intel Source:
- Sentinelone
- Intel Name:
- The_Investigation_of_8220_Gang_Cloud_Threat
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- SentinelOne researchers have analyzed the 8220 gang cloud threat as the group has again switched to new infrastructure and samples.
—
- Intel Source:
- Reversing Labs
- Intel Name:
- PyPI_Packages_Mimicking_Popular_Libraries
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- Reversing Labs researchers are warning of “imposter packages” mimicking popular libraries available on the Python Package Index (PyPI) repository. The 41 malicious PyPI packages have been found to pose as typosquatted variants of legitimate modules such as HTTP, AIOHTTP, requests, urllib, and urllib3.
Source:
https://www.reversinglabs.com/blog/beware-impostor-http-libraries-lurk-on-pypi
—
- Intel Source:
- Zscaler
- Intel Name:
- Techniques_Analysis_of_Rhadamanthys_information_stealer
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- Zscaler researchers have analyzed Rhadamanthys, an information stealer. The malware implements complex anti-analysis techniques by using a public open source library. It is written in C++ and is distributed mostly via malicious Google advertisements. The malware is designed to steal credentials from web browsers, VPN clients, email clients and chat clients, as well as cryptocurrency wallets.
—
- Intel Source:
- ASEC
- Intel Name:
- Lazarus_Group_Leveraging_Anti_Forensic_Techniques
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- ASEC researchers have shared the anti-forensic traces and details found in the systems that were infiltrated by the Lazarus group.
—
- Intel Source:
- Varonis
- Intel Name:
- The_New_Version_of_HardBit_2_0_Ransomware
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- Researchers from Varonis have identified a new version of HardBit ransomware, HardBit 2.0, which is still under development and features unique capabilities.
—
- Intel Source:
- ASEC
- Intel Name:
- Hackers_Targeting_Innorix_Agent_Vulnerable_Versions
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered the distribution of malware targeting users with vulnerable versions of Innorix Agent; the collected malware is a backdoor that attempts to connect to a C&C server.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Credit_Card_Skimmers_Targeting_Ecommerce_Platforms
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- Researchers from Malwarebytes have observed credit card skimmers targeting e-commerce platforms such as Magento and WordPress/WooCommerce.
—
- Intel Source:
- Sucuri
- Intel Name:
- Attackers_Leveraging_Cron_Jobs_to_Infect_Websites
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- Sucuri researchers have observed attackers using malicious cron jobs quite frequently to reinfect websites. Recently, they have seen a distinctive new wave of these infections.
Source:
https://blog.sucuri.net/2023/02/attackers-abuse-cron-jobs-to-reinfect-websites.html
—
- Intel Source:
- Sekoia
- Intel Name:
- A_New_InfoStealer_Stealc
- Date of Scan:
- 2023-02-23
- Impact:
- LOW
- Summary:
- Sekoia researchers have identified a new info stealer during routine Dark Web monitoring. The information stealer is advertised as Stealc by its alleged developer, going by the handle Plymouth. The threat actor presents Stealc as a fully featured and ready-to-use stealer, whose development relied on the Vidar, Raccoon, Mars, and Redline stealers.
—
- Intel Source:
- Cyble
- Intel Name:
- The_Examination_of_DarkCloud_Stealer
- Date of Scan:
- 2023-02-22
- Impact:
- LOW
- Summary:
- Cyble researchers have observed an increase in the prevalence of DarkCloud Stealer, with Threat Actors employing various spam campaigns to disseminate this malware worldwide.
Source:
https://blog.cyble.com/2023/02/20/decoding-the-inner-workings-of-darkcloud-stealer/
—
- Intel Source:
- TrendMicro
- Intel Name:
- Expansion_of_attacks_on_Linux_ESXi_Servers_by_Royal_ransomware
- Date of Scan:
- 2023-02-22
- Impact:
- MEDIUM
- Summary:
- TrendMicro analysts predicted last year that ransomware groups would increasingly target Linux servers and embedded systems in the coming years, after detecting a double-digit year-on-year (YoY) increase in attacks on these systems. A new Royal ransomware variant targeting Linux systems has emerged, and TrendMicro shared their technical analysis of this variant in their blog.
—
- Intel Source:
- Symantec
- Intel Name:
- A_new_threat_group_Hydrochasma_targets_organizations_in_Asia
- Date of Scan:
- 2023-02-22
- Impact:
- LOW
- Summary:
- Researchers from Symantec have observed a new threat group, Hydrochasma, attacking shipping companies and medical laboratories in Asia. Hydrochasma has not been linked to any previously identified group, but appears to have a possible interest in industries that may be involved in COVID-19-related treatments or vaccines. The possible infection vector used by Hydrochasma was a phishing email.
—
- Intel Source:
- ASEC
- Intel Name:
- HWP_Malware_Using_the_Steganography_Technique
- Date of Scan:
- 2023-02-22
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered that the RedEyes threat group is distributing malware by exploiting the HWP EPS (Encapsulated PostScript) vulnerability (CVE-2017-8291).
—
- Intel Source:
- Quickheal
- Intel Name:
- Raccoon_Stealer_V2_Using_Microsoft_Add_Ins_to_Delivering_Malware
- Date of Scan:
- 2023-02-22
- Impact:
- MEDIUM
- Summary:
- Researchers from QuickHeal have identified that Microsoft Add-Ins can present a potential threat vector for malware like Raccoon Stealer V2. These types of malware are designed to steal sensitive information from infected systems and use Microsoft Add-Ins as a means of delivering the malware to target systems.
Source:
https://blogs.quickheal.com/your-office-document-is-at-risk-xll-a-new-attack-vector/
—
- Intel Source:
- Esentire
- Intel Name:
- Analysis_of_Icarus_Stealer
- Date of Scan:
- 2023-02-22
- Impact:
- LOW
- Summary:
- Esentire researchers have analyzed the Icarus stealer malware, covering the technical details of how the malware operates and security recommendations to protect organizations from being exploited.
Source:
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-icarus-stealer
—
- Intel Source:
- ThreatMon
- Intel Name:
- ReverseRAT_Backdoor_Targeting_Indian_Government_Agencies
- Date of Scan:
- 2023-02-22
- Impact:
- MEDIUM
- Summary:
- Researchers from ThreatMon have observed a spear-phishing campaign targeting Indian government entities that aims to deploy an updated version of a backdoor called ReverseRAT.
Source:
https://threatmon.io/apt-sidecopy-targeting-indian-government-entities/
—
- Intel Source:
- SecuronixThreatLabs
- Intel Name:
- STL_Investigation_222
- Date of Scan:
- 2023-02-22
- Impact:
- LOW
- Summary:
- Indicators of Compromise related to a Securonix Threat Labs investigation
—
- Intel Source:
- Securityscorecard
- Intel Name:
- VMWare_ESXi_Vulnerability_targeted_by_ESXiArgs_Ransomware
- Date of Scan:
- 2023-02-22
- Impact:
- MEDIUM
- Summary:
- After warnings of a widespread ransomware campaign exploiting CVE-2021-21974, a VMware ESXi vulnerability, the SecurityScorecard Threat Research Team began analyzing this new campaign in response to the advisories and discovered possible communication between target IP addresses and infrastructure involved in the exploitation of this vulnerability.
—
- Intel Source:
- Cyble
- Intel Name:
- Qakbot_Distributing_via_OneNote
- Date of Scan:
- 2023-02-22
- Impact:
- LOW
- Summary:
- Cyble researchers have identified multiple distribution methods for the widely known banking trojan Qakbot and these methods include using malspam with OneNote attachments, malspam with zip files containing WSF, and others.
—
- Intel Source:
- SocInvestigation
- Intel Name:
- Return_of_Redline_Stealer
- Date of Scan:
- 2023-02-22
- Impact:
- LOW
- Summary:
- SOC Investigation researchers discussed the Redline Stealer malware in their blog: its background, capabilities, and impact, along with an outline of the basic steps of the malware.
Source:
https://www.socinvestigation.com/redline-stealer-returns-with-new-ttps-detection-response/
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Deep_Examination_of_CatB_Ransomware
- Date of Scan:
- 2023-02-21
- Impact:
- LOW
- Summary:
- Fortinet researchers have analyzed the CatB ransomware. It is a reasonably new entrant to the ransomware field, with samples only dating back to December 2022.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-catb-ransomware
—
- Intel Source:
- TrendMicro
- Intel Name:
- Royal_Ransomware_Targeting_Linux_ESXi_Servers
- Date of Scan:
- 2023-02-21
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have observed Royal ransomware expanding its targets by increasingly developing Linux-based versions.
—
- Intel Source:
- SecurityScoreCard
- Intel Name:
- BlackCat_Ransomware_Group_Targeting_Healthcare_Service_Provider
- Date of Scan:
- 2023-02-20
- Impact:
- LOW
- Summary:
- Security ScoreCard researchers have observed BlackCat ransomware group adding an entry for an electronic health record (EHR) vendor to its extortion site.
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Hackers_Targeting_Security_Service_of_Ukraine_and_NATO_Allies
- Date of Scan:
- 2023-02-20
- Impact:
- LOW
- Summary:
- EclecticIQ researchers have observed multiple weaponized phishing emails probably targeting the Security Service of Ukraine (SSU), NATO allies like Latvia, and private companies such as Culver Aviation.
—
- Intel Source:
- Sucuri
- Intel Name:
- The_Dangers_of_Installing_Nulled_WordPress_Themes_and_Plugins
- Date of Scan:
- 2023-02-20
- Impact:
- LOW
- Summary:
- Researchers from Sucuri have identified that installing nulled themes or plugins on a website not only constitutes participation in software theft but can also introduce serious risks including malware, SEO spam, and website backdoors.
Source:
https://blog.sucuri.net/2023/02/the-dangers-of-installing-nulled-wordpress-themes-and-plugins.html
—
- Intel Source:
- Malwarebytes
- Intel Name:
- WordPress_Sites_Backdoored_With_Ad_Fraud_Plugin
- Date of Scan:
- 2023-02-20
- Impact:
- LOW
- Summary:
- Malwarebytes researchers have identified around 50 WordPress blogs that have been backdoored with a plugin called fuser-master.
—
- Intel Source:
- Sentinelone
- Intel Name:
- A_new_threat_cluster_WIP26
- Date of Scan:
- 2023-02-19
- Impact:
- MEDIUM
- Summary:
- SentinelLabs has observed threat activity tracked as WIP26. This threat actor has been targeting telecommunication companies in the Middle East. WIP26 is characterized by the abuse of public cloud infrastructure – Microsoft 365 Mail, Microsoft Azure, Google Firebase, and Dropbox – for malware delivery, data exfiltration, and C2 purposes.
—
- Intel Source:
- Yoroi
- Intel Name:
- From_Targeting_Attacks_to_widespread_Usage_of_Brute_Ratel
- Date of Scan:
- 2023-02-18
- Impact:
- LOW
- Summary:
- Researchers from Yoroi have identified and tracked security threats that involve actively searching for and analyzing potential security breaches or anomalies in an organization’s systems and networks.
—
- Intel Source:
- ASEC
- Intel Name:
- Analysis_of_distribution_sites_of_Magniber_ransomware_using_EDR
- Date of Scan:
- 2023-02-18
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that Magniber ransomware distribution continues, and they are tracking the distribution site URL through a different method.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Earth_Kitsune_Delivering_New_WhiskerSpy_Backdoor
- Date of Scan:
- 2023-02-18
- Impact:
- LOW
- Summary:
- TrendMicro researchers have discovered a new backdoor which they have attributed to the APT group known as Earth Kitsune. Since 2019, Earth Kitsune has been distributing variants of self-developed backdoors to targets, primarily individuals who are interested in North Korea.
Source:
https://www.trendmicro.com/en_us/research/23/b/earth-kitsune-delivers-new-whiskerspy-backdoor.html
—
- Intel Source:
- Blackberry
- Intel Name:
- DarkBit_Ransomware_Targeting_Israel
- Date of Scan:
- 2023-02-18
- Impact:
- MEDIUM
- Summary:
- BlackBerry researchers have identified a new ransomware strain dubbed “DarkBit” that has recently appeared on the threat landscape after targeting one of Israel’s top research universities, Technion – Israel Institute of Technology (IIT).
Source:
https://blogs.blackberry.com/en/2023/02/darkbit-ransomware-targets-israel
—
- Intel Source:
- PaloAlto
- Intel Name:
- Mirai_Variant_V3G4_Targeting_IoT_Devices
- Date of Scan:
- 2023-02-17
- Impact:
- LOW
- Summary:
- Researchers from PaloAlto have observed that a Mirai variant called V3G4 is leveraging several vulnerabilities to spread itself. Once the vulnerable devices are compromised, they are fully controlled by the attackers and become part of the botnet.
Source:
https://unit42.paloaltonetworks.com/mirai-variant-v3g4/
—
- Intel Source:
- ASEC
- Intel Name:
- Hackers_From_RedEyes_Using_New_Malware_to_Steal_Data
- Date of Scan:
- 2023-02-17
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that the APT37 threat group is using a new evasive ‘M2RAT’ malware and steganography to target individuals for intelligence collection.
—
- Intel Source:
- Sentinelone
- Intel Name:
- The_Analysis_of_TZW_Ransomware
- Date of Scan:
- 2023-02-17
- Impact:
- LOW
- Summary:
- SentinelOne researchers have analyzed the TZW ransomware in depth and observed that it is linked to a known malware family called GlobeImposter (sometimes referred to as LOLNEK or LOLKEK).
—
- Intel Source:
- Symantec
- Intel Name:
- New_Malware_Abusing_Microsoft_IIS_Feature_to_Establish_Backdoor
- Date of Scan:
- 2023-02-17
- Impact:
- MEDIUM
- Summary:
- Researchers from Symantec have observed a new malware that abuses a feature of Microsoft’s Internet Information Services (IIS) to deploy a backdoor onto targeted systems.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/frebniis-malware-iis
—
- Intel Source:
- Morphisec
- Intel Name:
- Malware_Campaign_Delivering_ProxyShellMiner_to_Windows_Endpoints
- Date of Scan:
- 2023-02-17
- Impact:
- MEDIUM
- Summary:
- Morphisec researchers have identified a highly evasive malware campaign delivering ProxyShellMiner to Windows endpoints. ProxyShellMiner exploits the ProxyShell vulnerabilities CVE-2021-34473 and CVE-2021-34523 in Windows Exchange servers for initial access and compromise of an organization to deliver crypto miners.
—
- Intel Source:
- Trellix
- Intel Name:
- ESXiArgs_Ransomware_Leveraging_Two_Year_Old_Vulnerability
- Date of Scan:
- 2023-02-17
- Impact:
- LOW
- Summary:
- Trellix researchers have identified that the global ESXiArgs ransomware campaign is riding on the back of a two-year-old vulnerability. The vulnerability the ransomware actors targeted is CVE-2021-21974, which allows an attacker to exploit the OpenSLP protocol if the affected server is exposed to the internet.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Earth_Yako_Group_is_Back
- Date of Scan:
- 2023-02-17
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have investigated several incidents and observed that the intrusion set introduced new tools and malware within a short period of time, frequently changing and expanding its attack targets. Security researchers believe that Earth Yako is still active and will keep targeting more organizations soon.
—
- Intel Source:
- Lookout
- Intel Name:
- Dark_Caracal_APT_Back_with_New_Version_of_Bandook_Spyware
- Date of Scan:
- 2023-02-17
- Impact:
- MEDIUM
- Summary:
- Researchers from Lookout have discovered that the Dark Caracal APT is currently using a new version of Bandook spyware to target Windows systems.
Source:
https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf
—
- Intel Source:
- Welivesecurity
- Intel Name:
- Trojanized_Installers_Targeting_Southeast_and_East_Asia
- Date of Scan:
- 2023-02-17
- Impact:
- LOW
- Summary:
- ESET researchers have identified a campaign using trojanized installers to deliver the FatalRAT malware, distributed via malicious websites linked in ads that appear in Google search results.
Source:
https://www.welivesecurity.com/2023/02/16/these-arent-apps-youre-looking-for-fake-installers/
—
- Intel Source:
- SecurityScoreCard
- Intel Name:
- US_Public_Housing_Authority_ransomware_attack
- Date of Scan:
- 2023-02-16
- Impact:
- LOW
- Summary:
- The U.S. Public Housing Authority has announced a disruption, but has not elaborated on the nature of the event. The LockBit ransomware group, which has made false claims in the past, took responsibility for the incident.
—
- Intel Source:
- ASEC
- Intel Name:
- Malware_Targeting_Security_Related_Workers
- Date of Scan:
- 2023-02-16
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered that the malware is being distributed to broadcasting and ordinary companies as well as to those in the security-related field.
—
- Intel Source:
- ASEC
- Intel Name:
- Paradise_Ransomware_Distributing_Through_AweSun_Vulnerability_Exploitation
- Date of Scan:
- 2023-02-16
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the distribution of Paradise ransomware, and the threat actors are suspected of exploiting a vulnerability in the Chinese remote control program AweSun.
—
- Intel Source:
- ZScaler
- Intel Name:
- A_new_Havoc_campaign_targeting_a_Government_organization
- Date of Scan:
- 2023-02-16
- Impact:
- LOW
- Summary:
- The Zscaler ThreatLabz research team observed a new campaign targeting a government organization. The threat actors have been using a new Command & Control (C2) framework named Havoc. The team provided a technical analysis and overview of the recently discovered attack campaign and reveals how Havoc can be leveraged by threat actors in various campaigns.
Source:
https://www.zscaler.com/blogs/security-research/havoc-across-cyberspace
—
- Intel Source:
- Cyble
- Intel Name:
- Diving_Deep_into_DarkBit_Ransomware
- Date of Scan:
- 2023-02-16
- Impact:
- LOW
- Summary:
- Cyble researchers have recently detected a sample of the DarkBit ransomware and analyzed its details.
Source:
https://blog.cyble.com/2023/02/15/uncovering-the-dark-side-of-darkbit-ransomware/
—
- Intel Source:
- ASEC
- Intel Name:
- LockBit_2_0_Ransomware_is_Back
- Date of Scan:
- 2023-02-16
- Impact:
- MEDIUM
- Summary:
- ASEC researchers have identified that Lockbit 2.0 is being distributed in a MalPE format instead of the NSIS format.
—
- Intel Source:
- DOCGuard
- Intel Name:
- Microsoft_OneNote_Sample_Targeting_Cisco_VPN
- Date of Scan:
- 2023-02-16
- Impact:
- LOW
- Summary:
- Researchers from DOCGuard have identified that the Microsoft OneNote sample targeting Cisco VPN users bypasses all the antiviruses.
Source:
https://twitter.com/doc_guard/status/1625872935595507713
—
- Intel Source:
- ASEC
- Intel Name:
- Qakbot_Malware_Distributing_via_OneNote
- Date of Scan:
- 2023-02-15
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified that Qakbot stopped using MS Office macros, its past distribution method, and instead started to use OneNote to execute its malware.
—
- Intel Source:
- BitDefender
- Intel Name:
- A_Deep_Investigation_of_VMware_ESXi_Servers_Vulnerability
- Date of Scan:
- 2023-02-15
- Impact:
- LOW
- Summary:
- BitDefender researchers have investigated the VMware ESXi servers vulnerability which was targeted by Opportunistic Threat Actors and advised users to patch it immediately.
—
- Intel Source:
- Cyble
- Intel Name:
- Turkish_Earthquake_Leads_to_Fake_Donation_Schemes
- Date of Scan:
- 2023-02-15
- Impact:
- MEDIUM
- Summary:
- Researchers from Cyble have discovered various domains and IP addresses hosting websites that claim to be collecting funds to aid those affected by the earthquake in Turkey and Syria.
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Tofsee_Malware
- Date of Scan:
- 2023-02-15
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Tofsee Malware. It has been around since 2016. Once installed on a compromised computer, it can be used to send spam emails and gather user data.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alerts-tofsee-malware-active-iocs
—
- Intel Source:
- Minerva Labs
- Intel Name:
- New_Malware_That_Can_Fly_Under_the_Radar
- Date of Scan:
- 2023-02-15
- Impact:
- LOW
- Summary:
- Researchers from Minerva Labs have identified a new piece of evasive malware dubbed Beep that’s designed to fly under the radar and drop additional payloads onto a compromised host.
Source:
https://minerva-labs.com/blog/beepin-out-of-the-sandbox-analyzing-a-new-extremely-evasive-malware/
—
- Intel Source:
- ASEC
- Intel Name:
- Pybot_DDoS_Distributing_With_Illegal_Software
- Date of Scan:
- 2023-02-15
- Impact:
- LOW
- Summary:
- ASEC researchers have been monitoring malware that is being distributed through illegal software such as software cracks or serial keygens, and recently discovered Pybot DDoS being distributed with such software.
—
- Intel Source:
- BitSight
- Intel Name:
- Diving_Deep_into_Mylobot
- Date of Scan:
- 2023-02-14
- Impact:
- LOW
- Summary:
- BitSight researchers have analyzed the Mylobot malware and focused on its main capability, which is transforming the infected system into a proxy.
Source:
https://www.bitsight.com/blog/mylobot-investigating-proxy-botnet
—
- Intel Source:
- CERT-UA
- Intel Name:
- Hackers_Targeting_Ukraine_Using_Remote_Utility_Program
- Date of Scan:
- 2023-02-14
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have identified a cyber attack on organizations and institutions in Ukraine using the Remote Utilities program.
—
- Intel Source:
- Group-IB
- Intel Name:
- Hackers_From_ChinaTargeting_GroupIB_Cybersecurity_Firm
- Date of Scan:
- 2023-02-14
- Impact:
- MEDIUM
- Summary:
- Group-IB researchers have identified that an APT group known as Tonto Team has tried targeting the Singapore-based Group-IB cybersecurity firm for the second time.
—
- Intel Source:
- ASEC
- Intel Name:
- Hackers_From_Dalbit_Group_Targeting_Vulnerable_Korean_Company_Servers
- Date of Scan:
- 2023-02-13
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that the Chinese threat actor group named Dalbit (m00nlight) is targeting vulnerable Korean company servers. Also, this group uses publicly available tools, from the WebShell used in the early stages to the ransomware used at the end.
—
- Intel Source:
- Reversing Labs
- Intel Name:
- Malicious_Npm_Package_Using_Typosquatting_to_Download_Malware
- Date of Scan:
- 2023-02-13
- Impact:
- LOW
- Summary:
- Reversing Labs researchers have observed a package called “aabquerys” on the open-source JavaScript npm repository that uses typosquatting techniques to enable the download of malicious components.
Source:
https://www.reversinglabs.com/blog/open-source-malware-sows-havoc-on-supply-chain
—
- Intel Source:
- ASEC
- Intel Name:
- Website_posing_as_Naver_login_page
- Date of Scan:
- 2023-02-13
- Impact:
- LOW
- Summary:
- ASEC researchers have observed a situation where a fake Kakao login page is used to steal the account credentials of certain individuals.
—
- Intel Source:
- Huntress
- Intel Name:
- The_Clop_Ransomware_Claims_to_Have_Breached_130_Organizations
- Date of Scan:
- 2023-02-13
- Impact:
- MEDIUM
- Summary:
- Researchers from Huntress have identified that the Clop ransomware gang claims to be behind recent attacks that exploited a zero-day vulnerability in the GoAnywhere MFT secure file transfer tool, saying they stole data from over 130 organizations.
Source:
https://www.huntress.com/blog/investigating-intrusions-from-intriguing-exploits
—
- Intel Source:
- Fortinet
- Intel Name:
- Supply_Chain_Attack_by_New_Malicious_Python_Package
- Date of Scan:
- 2023-02-13
- Impact:
- LOW
- Summary:
- FortiGate researchers have identified five malicious packages on the Python Package Index (PyPI), stealing passwords, Discord authentication cookies, and cryptocurrency wallets from unsuspecting developers.
—
- Intel Source:
- ASEC
- Intel Name:
- AsyncRAT_Leveraging_Windows_Help_File
- Date of Scan:
- 2023-02-13
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that AsyncRAT is being distributed as a Windows help file (*.chm).
—
- Intel Source:
- CISA
- Intel Name:
- DPRK_Malicious_Cyber_Activities
- Date of Scan:
- 2023-02-12
- Impact:
- MEDIUM
- Summary:
- This cybersecurity advisory provides an overview of Democratic People’s Republic of Korea (DPRK) state-sponsored ransomware and the TTPs and IOCs DPRK cyber actors used to gain access to and conduct ransomware attacks against Healthcare and Public Health (HPH) Sector organizations and other critical infrastructure sector entities, as well as DPRK cyber actors’ use of cryptocurrency to demand ransoms.
—
- Intel Source:
- Sentinelone
- Intel Name:
- Malicious_Google_Ads_Targeting_AWS_Login
- Date of Scan:
- 2023-02-10
- Impact:
- LOW
- Summary:
- SentinelOne researchers have identified that a new phishing campaign targeting Amazon Web Services (AWS) logins is abusing Google ads to sneak phishing sites into Google Search results and steal login credentials.
Source:
https://www.sentinelone.com/blog/cloud-credentials-phishing-malicious-google-ads-target-aws-logins/
—
- Intel Source:
- SpiderLabs Blog
- Intel Name:
- Hackers_Leveraging_HTML_Smuggling_to_Deliver_Malware
- Date of Scan:
- 2023-02-10
- Impact:
- LOW
- Summary:
- SpiderLabs researchers have analyzed some notable malware strains that have utilized HTML smuggling in their infection chain and provided a brief analysis of each.
—
- Intel Source:
- CISA
- Intel Name:
- Ransomware_Attac_on_Critical_Infrastructure_Funded_by_DPRK
- Date of Scan:
- 2023-02-10
- Impact:
- LOW
- Summary:
- CISA researchers have identified the TTPs and IOCs DPRK cyber actors use to gain access to and conduct ransomware attacks against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities, as well as DPRK cyber actors’ use of cryptocurrency to demand ransoms.
—
- Intel Source:
- Cybereason
- Intel Name:
- GootLoader_Leveraging_SEO_Poisoning_Techniques
- Date of Scan:
- 2023-02-09
- Impact:
- LOW
- Summary:
- Cybereason researchers have investigated an incident that involved new deployment methods of the GootLoader malware loader through heavily-obfuscated JavaScript files.
—
- Intel Source:
- Blackberry
- Intel Name:
- Hackers_From_NewsPenguin_Targeting_Pakistani_Entities
- Date of Scan:
- 2023-02-09
- Impact:
- LOW
- Summary:
- BlackBerry researchers have identified that a previously unknown threat actor dubbed NewsPenguin has been linked to a phishing campaign targeting Pakistani entities, leveraging the upcoming international maritime expo as a lure.
—
- Intel Source:
- SecuInfra
- Intel Name:
- Analysis_of_ESXiArgs_Ransomware
- Date of Scan:
- 2023-02-09
- Impact:
- LOW
- Summary:
- In their post, SecuInfra analysts analyze the recent “ESXiArgs” ransomware variant, which spread to a large number of outdated, internet-exposed ESXi servers around the world.
Source:
https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
—
- Intel Source:
- ASEC
- Intel Name:
- The_distribution_of_Quasar_RAT
- Date of Scan:
- 2023-02-09
- Impact:
- LOW
- Summary:
- The ASEC analysis team recently discovered the Quasar RAT malware being distributed through a private Home Trading System (HTS). It is assumed that the victims did not install their HTS from an institutional financial company, but instead obtained HPlus HTS through an unsanctioned source or a disguised financial investment company. Quasar is a RAT that allows threat actors to gain control over infected systems to either steal information or perform malicious actions.
—
- Intel Source:
- Sonatype
- Intel Name:
- Malicious_aptX_Python_Package_Drops_Meterpreter_Shell
- Date of Scan:
- 2023-02-09
- Impact:
- LOW
- Summary:
- Researchers from Sonatype have identified malicious Python packages on the PyPI software registry that carry out a number of nefarious activities.
Source:
https://blog.sonatype.com/malicious-aptx-python-package-drops-meterpreter-shell-deletes-netstat
—
- Intel Source:
- Symantec
- Intel Name:
- New_Russian_Information_Stealing_Malware_Graphiron
- Date of Scan:
- 2023-02-09
- Impact:
- MEDIUM
- Summary:
- The Russian Nodaria group has deployed a new malware threat that aims to steal a wide range of information from infected computers. The Nodaria espionage group (aka UAC-0056) is using this new piece of information-stealing malware against targets in Ukraine. The malware (Infostealer.Graphiron) is written in Go and is meant to collect a wide range of information from the infected computer, including system information, credentials, screenshots, and files.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer
—
- Intel Source:
- ISC.SANS
- Intel Name:
- A_Backdoor_with_Smart_Screenshot_Capability
- Date of Scan:
- 2023-02-09
- Impact:
- LOW
- Summary:
- Researchers from SANS have identified that backdoors and trojans implement screenshot capabilities to “see” what’s displayed on the victim’s computer, and show how such a screenshot is taken in Python.
—
- Intel Source:
- NTT Security
- Intel Name:
- The_malware_attacks_distributed_by_SteelClove_group
- Date of Scan:
- 2023-02-09
- Impact:
- LOW
- Summary:
- The NTT Security SOC team shared the latest tactics in attacks by SteelClover among the most recently observed cases of malware distribution via Google Ads. SteelClover is an attack group that has been active since 2019, and its motivation is financial.
Source:
https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle
—
- Intel Source:
- CERT-UA
- Intel Name:
- Hackers_Targeting_State_Bodies_of_Ukraine
- Date of Scan:
- 2023-02-08
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have identified the mass distribution of e-mails with an attachment in the form of a RAR archive, “court letter, information on debt.rar.”
—
- Intel Source:
- Cyble
- Intel Name:
- Ransomware_Attacks_Targeting_VMware_ESXi_Servers
- Date of Scan:
- 2023-02-08
- Impact:
- LOW
- Summary:
- Cyble researchers have identified a ransomware attack targeting VMware ESXi servers to deploy ESXiArgs ransomware.
Source:
https://blog.cyble.com/2023/02/06/massive-ransomware-attack-targets-vmware-esxi-servers/
—
- Intel Source:
- Equinix Threat Analysis Center
- Intel Name:
- Royal_Ransomware_Targeting_VMware_ESXi_Servers_in_Linux_Devices
- Date of Scan:
- 2023-02-08
- Impact:
- LOW
- Summary:
- Researchers from Equinix Threat Analysis Center (ETAC) have identified that Royal ransomware is updating its techniques for encrypting Linux devices and specifically targeting VMware ESXi virtual machines.
Source:
https://twitter.com/BushidoToken/status/1621087221905514496
—
- Intel Source:
- TrendMicro
- Intel Name:
- Earth_Zhulong_Threat_Group_Targeting_Vietnam_Telecom_and_Media_Sector
- Date of Scan:
- 2023-02-08
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have discovered a new hacking group that is targeting Vietnam’s telecom, technology, and media sectors. The group is dubbed Earth Zhulong and is related to the Chinese-linked hacking group 1937CN, based on similar code in the custom shellcode loader and victimology.
Source:
https://www.trendmicro.com/en_us/research/23/b/earth-zhulong-familiar-patterns-target-vietnam.html
—
- Intel Source:
- ASEC
- Intel Name:
- Magniber_Ransomware_Distributing_Again_in_Korea
- Date of Scan:
- 2023-02-08
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the redistribution of Magniber disguised as normal Windows Installer (MSI) packages. The distributed Magniber files have the MSI extension, disguising themselves as Windows update files.
—
- Intel Source:
- Sentinelone
- Intel Name:
- Cl0p_Ransomware_Targets_Linux_Systems
- Date of Scan:
- 2023-02-08
- Impact:
- LOW
- Summary:
- Researchers from SentinelOne have observed the first ELF variant of Cl0p (also known as Clop) ransomware targeting Linux systems. The new variant is similar to the Windows variant, using the same encryption method and similar process logic.
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_samples_January_30th_to_February_5th_2023
- Date of Scan:
- 2023-02-08
- Impact:
- LOW
- Summary:
- The ASEC analysis team keeps monitoring weekly malware collection samples; for January 30 – February 5, 2023, the top malware families were SmokeLoader, BeamWinHTTP, Formbook, Quasar RAT and Redline.
—
- Intel Source:
- Proofpoint
- Intel Name:
- Newly_Threat_Actor_TA866_Distributing_Malware_via_Email
- Date of Scan:
- 2023-02-08
- Impact:
- MEDIUM
- Summary:
- Researchers from Proofpoint have observed a cluster of evolving financially motivated activity which they are referring to as “Screentime”. The attack chain starts with an email containing a malicious attachment or URL and leads to malware that Proofpoint dubbed WasabiSeed and Screenshotter.
—
- Intel Source:
- Zscaler
- Intel Name:
- Analysis_of_the_AveMaria_infostealer_attack_chain
- Date of Scan:
- 2023-02-07
- Impact:
- LOW
- Summary:
- Zscaler’s ThreatLabz research team closely monitors and tracks active threat campaigns. In their report they provide seven case studies that give an in-depth analysis of the AveMaria infostealer attack chain and how it has shifted over the past six months.
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Trickbot_Malware
- Date of Scan:
- 2023-02-07
- Impact:
- MEDIUM
- Summary:
- Researchers from Rewterz have identified the active IOCs of Trickbot Malware. It has been operating since 2016. It is primarily distributed through phishing campaigns and is known for its ability to steal sensitive information such as login credentials, financial information, and personal data.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-trickbot-malware-active-iocs-30
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Trigona_ransomware_variant
- Date of Scan:
- 2023-02-07
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs put together a report on the Trigona ransomware with details and insights on this ransomware and on protection against its variants.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-trigona-ransomware
—
- Intel Source:
- Cyble
- Intel Name:
- New_Medusa_Botnet_targeting_Linux_Users
- Date of Scan:
- 2023-02-07
- Impact:
- MEDIUM
- Summary:
- Cyble Research and Intelligence Labs has been monitoring the actions and behavior of the MiraiBot, a botnet capable of performing DDoS, ransomware, and brute-force attacks.
Source:
https://blog.cyble.com/2023/02/03/new-medusa-botnet-emerging-via-mirai-botnet-targeting-linux-users/
—
- Intel Source:
- ASEC
- Intel Name:
- The_cases_of_threat_actors_using_Sliver_malware
- Date of Scan:
- 2023-02-07
- Impact:
- LOW
- Summary:
- This ASEC blog describes recent cases of threat actors using Sliver in addition to Cobalt Strike and Metasploit. The ASEC (AhnLab Security Emergency response Center) analysis team keeps an eye on attacks against systems with either unpatched vulnerabilities or misconfigured settings. They recently discovered a Sliver backdoor being installed through what is presumed to be the exploitation of a vulnerability in certain software.
—
- Intel Source:
- ASEC
- Intel Name:
- Hackers_backdoor_Windows_Devices_in_Sliver_and_BYOVD_Attacks
- Date of Scan:
- 2023-02-07
- Impact:
- LOW
- Summary:
- ASEC researchers have identified a new hacking campaign that exploits Sunlogin flaws to deploy the Sliver post-exploitation toolkit and launch Windows Bring Your Own Vulnerable Driver (BYOVD) attacks to disable security software.
—
- Intel Source:
- DFIR Report
- Intel Name:
- Observed_intrusion_used_AutoHotkey_to_launch_a_keylogger
- Date of Scan:
- 2023-02-07
- Impact:
- LOW
- Summary:
- The DFIR Report team observed a compromise that started with a Word document containing a malicious VBA macro, which established persistence and communication with a command and control (C2) server. During the initial discovery and user enumeration, the threat actor used AutoHotkey to launch a keylogger.
Source:
https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/
—
- Intel Source:
- Deep Instinct
- Intel Name:
- Hackers_Leveraging_Microsoft_Visual_Studio_Add_Ins_to_Push_Malware
- Date of Scan:
- 2023-02-06
- Impact:
- LOW
- Summary:
- Deep Instinct researchers have observed that hackers are increasingly using Microsoft Visual Studio Tools for Office (VSTO) as a method to achieve persistence and execute code on a target machine via malicious Office add-ins.
Source:
https://www.deepinstinct.com/blog/no-macro-no-worries-vsto-being-weaponized-by-threat-actors
—
- Intel Source:
- Fortinet
- Intel Name:
- Supply_Chain_Attack_by_New_Malicious_Python_Package_web3_essential
- Date of Scan:
- 2023-02-06
- Impact:
- MEDIUM
- Summary:
- FortiGate researchers have discovered another new zero-day attack in a Python Package Index (PyPI) package called web3-essential. The package includes malicious code in its setup.py installation script that downloads and runs an executable file as part of its installation.
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_samples_January_23_29th_2023
- Date of Scan:
- 2023-02-06
- Impact:
- LOW
- Summary:
- The ASEC analysis team keeps monitoring weekly malware collection samples; for January 23-29, 2023, the top malware families were SmokeLoader, BeamWinHTTP, Formbook, AgentTesla and SnakeKeylogger.
—
- Intel Source:
- Security Joes
- Intel Name:
- The_Gambling_Industry_is_targeted_by_Ice_Breaker_Operation
- Date of Scan:
- 2023-02-06
- Impact:
- LOW
- Summary:
- In September of last year, Security Joes IRT was informed about an incident involving an attempt to socially engineer an online customer service platform. Due to custom-built rules and extensive employee awareness training, Security Joes IRT was able to push back these threats. Recently they began tracking a new threat actor as Ice Breaker APT. Although research is still ongoing, the team is sharing this article to reveal the attacker’s modus operandi, attack chain, ways to mitigate the threat, and supporting IOCs, TTPs and YARA rules.
—
- Intel Source:
- Cyble
- Intel Name:
- New_BATLoader_Spreading_RATs_and_Stealers
- Date of Scan:
- 2023-02-05
- Impact:
- LOW
- Summary:
- Cyble researchers have observed that a novel type of BAT loader is being used to distribute a range of RAT and stealer malware families. This loader employs an innovative method to deliver the malicious payload to the user’s system.
Source:
https://blog.cyble.com/2023/02/02/new-batloader-disseminates-rats-and-stealers/
—
- Intel Source:
- Quickheal
- Intel Name:
- The_Details_Examination_of_Malware_Technique
- Date of Scan:
- 2023-02-05
- Impact:
- LOW
- Summary:
- QuickHeal researchers have examined crucial steps in the attack chain, such as how the malware is able to obtain administrative privileges to make changes to the system.
—
- Intel Source:
- Sentinelone
- Intel Name:
- DotNET_Malware_Loaders_aka_MalVirt_Distributing_Through_Malvertising_Attack
- Date of Scan:
- 2023-02-04
- Impact:
- LOW
- Summary:
- SentinelOne researchers have observed a cluster of virtualized .NET malware loaders distributed through malvertising attacks. The loader, dubbed MalVirt, uses obfuscated virtualization for anti-analysis and evasion, along with the Windows Process Explorer driver for terminating processes.
Source:
https://www.sentinelone.com/labs/malvirt-net-virtualization-thrives-in-malvertising-attacks/
—
- Intel Source:
- Cyble
- Intel Name:
- Qakbot_Rising_with_New_Strategies
- Date of Scan:
- 2023-02-04
- Impact:
- LOW
- Summary:
- Cyble researchers have identified that threat actors are leveraging Microsoft OneNote to infect users.
Source:
https://blog.cyble.com/2023/02/01/qakbots-evolution-continues-with-new-strategies/
—
- Intel Source:
- WithSecure
- Intel Name:
- Hackers_From_Korea_Exploiting_Unpatched_Zimbra_Devices
- Date of Scan:
- 2023-02-04
- Impact:
- LOW
- Summary:
- Researchers from WithSecure have identified a new intelligence-gathering campaign, linked to the prolific North Korean state-sponsored Lazarus Group, that leveraged known security flaws in unpatched Zimbra devices to compromise victim systems.
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Mustang_Panda_APT_Group_Targeting_Europe_With_Spearphishing_Campaign
- Date of Scan:
- 2023-02-04
- Impact:
- LOW
- Summary:
- EclecticIQ researchers have identified that the Mustang Panda APT group started targeting Europe with a new spearphishing campaign using a customized variant of the PlugX backdoor.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Hackers_From_APT34_Targeting_The_Middle_East
- Date of Scan:
- 2023-02-03
- Impact:
- LOW
- Summary:
- TrendMicro researchers have identified a suspicious executable that was dropped and executed on multiple machines. Upon investigation, it was linked to APT34, and its main goal is to steal users’ credentials. Even in the case of a password reset or change, the malware is capable of sending the new credentials to the threat actors.
Source:
https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html
—
- Intel Source:
- Aqua Blog
- Intel Name:
- HeadCrab_Malware_Compromising_Redis_Servers
- Date of Scan:
- 2023-02-03
- Impact:
- LOW
- Summary:
- Aqua Security researchers have identified that around 1,200 Redis database servers worldwide have been corralled into a botnet using an elusive and severe threat dubbed HeadCrab since early September 2021.
Source:
https://blog.aquasec.com/headcrab-attacks-servers-worldwide-with-novel-state-of-art-redis-malware
—
- Intel Source:
- ASEC
- Intel Name:
- Malicious_LNK_File_Disguising_as_a_Normal_HWP_Document
- Date of Scan:
- 2023-02-03
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the distribution of a malicious LNK file disguised as a normal HWP document, along with a text file impersonating the National Tax Service.
—
- Intel Source:
- Checkmarx
- Intel Name:
- The_track_of_tactics_of_the_threat_actor_PYTA27
- Date of Scan:
- 2023-02-02
- Impact:
- LOW
- Summary:
- In this blog, Checkmarx threat researchers analyzed the tactics of one attacker who has been distributing their packages for at least four months and shows no signs of stopping. This actor is tracked as PYTA27.
Source:
https://checkmarx.com/blog/evolution-of-a-software-supply-chain-attacker/
—
- Intel Source:
- CERT-UA
- Intel Name:
- The_Ministry_of_Foreign_Affairs_official_of_Ukraine_Web_Resource_Imitated
- Date of Scan:
- 2023-02-02
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have discovered a web page imitating the official web resource of the Ministry of Foreign Affairs of Ukraine, which offers to download software for the detection of infected computers.
—
- Intel Source:
- Cyble
- Intel Name:
- Remote_Desktop_Files_targeted_by_evasive_malware
- Date of Scan:
- 2023-02-02
- Impact:
- MEDIUM
- Summary:
- Cyble Research and Intelligence Labs (CRIL) discovered a new malware named ‘Vector Stealer’, which can steal .rdp files. Stealing these RDP files can enable threat actors to perform RDP hijacking, as the files hold details about the RDP session, including the information needed for remote access.
Source:
https://blog.cyble.com/2023/02/01/vector-stealer-a-gateway-for-rdp-hijacking/
—
- Intel Source:
- ASEC
- Intel Name:
- CoinMiners_Mining_Ethereum_Classic_Coins_attack_cases
- Date of Scan:
- 2023-02-02
- Impact:
- LOW
- Summary:
- The ASEC analysis team is observing CoinMiners that target Korean and overseas users. The team has studied various types of CoinMiner attacks over multiple blog posts in the past. Here they share information on recently discovered malware that mines Ethereum Classic coins.
—
- Intel Source:
- Rapid7
- Intel Name:
- The_spread_of_Redline_Infostealer_Malware
- Date of Scan:
- 2023-02-02
- Impact:
- MEDIUM
- Summary:
- Recently, Rapid7 discovered malicious actors using OneNote files to deliver malicious code. Rapid7 found a specific technique that used OneNote files containing batch scripts, which upon execution started an instance of a renamed PowerShell process to decrypt and execute a base64-encoded binary.
—
- Intel Source:
- PRODAFT
- Intel Name:
- Active_IOCs_of_LockBit_Green
- Date of Scan:
- 2023-02-02
- Impact:
- MEDIUM
- Summary:
- Researchers from Prodaft have identified that the LockBit ransomware team made a so-called “LockBit Green” version of their ransomware available.
—
- Intel Source:
- Proofpoint
- Intel Name:
- Microsoft_OneNote_Documents_Delivering_Malware_via_Email
- Date of Scan:
- 2023-02-02
- Impact:
- MEDIUM
- Summary:
- Proofpoint researchers have identified an increase in threat actor use of OneNote documents to deliver malware via email to unsuspecting end-users in December 2022 and January 2023.
—
- Intel Source:
- PaloAlto
- Intel Name:
- GuLoader_Encrypted_With_NSIS_Crypter
- Date of Scan:
- 2023-02-02
- Impact:
- LOW
- Summary:
- In their post, the Unit 42 researchers discussed a machine learning pipeline and an analysis of one GuLoader downloader that has been encrypted with a Nullsoft Scriptable Install System (NSIS) crypter. NSIS is an open-source system for creating Windows installers.
Source:
https://unit42.paloaltonetworks.com/malware-detection-accuracy/
—
- Intel Source:
- Welivesecurity
- Intel Name:
- NikoWiper_Malware_Targeting_Ukraine_Energy_Sector
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- ESET researchers have analyzed the activities of selected APT groups and identified the Russia-affiliated Sandworm using another wiper malware strain dubbed NikoWiper as part of an attack that took place in October 2022 targeting an energy sector company in Ukraine.
Source:
https://www.welivesecurity.com/wp-content/uploads/2023/01/eset_apt_activity_report_t32022.pdf
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Analysis_of_Cryptojacks_System_to_Mine_for_Monero_Crypto
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- Fortinet researchers have analyzed crypto miner software that is delivered via an Excel document and executed on the victim’s device.
—
- Intel Source:
- Inky
- Intel Name:
- An_ongoing_phishing_campaign_that_impersonates_Southwest_Airlines
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- Last December, INKY observed and detected an ongoing phishing campaign that impersonates Southwest Airlines. Phishing emails are being sent from newly created domains, set up explicitly for these attacks.
Source:
https://www.inky.com/en/blog/fresh-phish-southwests-flying-phish-takes-off-with-your-credentials
—
- Intel Source:
- Quickheal
- Intel Name:
- LockBit_s_new_Black_variant_attack
- Date of Scan:
- 2023-02-01
- Impact:
- MEDIUM
- Summary:
- The Quick Heal team investigated and analyzed LockBit’s new Black variant attack. They determined that the new LockBit 3.0 variant has a high infection vector and an attack chain exhibiting substantial anti-forensic activity. This variant showed that it is capable of clearing the event logs, killing multiple tasks, and deleting services simultaneously. It can also obtain initial access to the victim’s network via SMB brute forcing from various IPs.
Source:
https://blogs.quickheal.com/uncovering-lockbit-blacks-attack-chain-and-anti-forensic-activity/
—
- Intel Source:
- Secureworks
- Intel Name:
- The_Similarities_Between_Abraham_s_Ax_and_Moses_Staff_Group
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- Researchers from SecureWorks have analyzed the similarities between the Moses Staff hacktivist group persona that emerged in September 2021 and the Abraham’s Ax persona that emerged in November 2022.
Source:
https://www.secureworks.com/blog/abrahams-ax-likely-linked-to-moses-staff
—
- Intel Source:
- Resecurity
- Intel Name:
- New_Version_of_Nevada_Ransomware
- Date of Scan:
- 2023-02-01
- Impact:
- MEDIUM
- Summary:
- Resecurity researchers have identified a new version of Nevada Ransomware which recently emerged on the Dark Web right before the start of 2023. The actors behind this new project have an affiliate platform first introduced on the RAMP underground community, which is known for initial access brokers (IABs) and other cybercriminal actors and ransomware groups.
Source:
https://resecurity.com/blog/article/nevada-ransomware-waiting-for-the-next-dark-web-jackpot
—
- Intel Source:
- ASEC
- Intel Name:
- An_Email_Specific_Phishing_Page
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- ASEC researchers have identified multiple phishing emails whose phishing page changes its icon to reflect the mail account service entered by the user and warns that the account will be shut down, prompting the user to click the ‘Reactivate Now’ link to keep the account active.
—
- Intel Source:
- Checkpoint
- Intel Name:
- Malware_Packer_TrickGate_Using_by_Several_Malware_to_Evade_Detection
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- Researchers from Checkpoint have identified that a shellcode-based packer dubbed TrickGate has been operating without attracting notice for over six years, enabling threat actors to deploy a wide range of malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil over the years.
—
- Intel Source:
- ASEC
- Intel Name:
- TZW_Ransomware_Distributing_in_Korea
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the distribution of the TZW ransomware, which encrypts files before adding the “TZW” file extension to the original extension.
—
- Intel Source:
- ASEC
- Intel Name:
- Phishing_Emails_Circulating_With_Requests_for_Product_Quotation
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified phishing emails with content related to requests for product quotations. These phishing emails are all disguised to seem as if they were sent by a manager with a high position, such as the team leader or department director of a production company or foundry, and carry .html and .htm attachments.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Google_Ads_Targeting_Password_Manager
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- Researchers from Malwarebytes have identified a new malvertising campaign that makes use of Google Ads to target users looking for password managers.
—
- Intel Source:
- Esentire
- Intel Name:
- Changes_in_the_IcedID_malware_strategy
- Date of Scan:
- 2023-02-01
- Impact:
- MEDIUM
- Summary:
- In December 2022, the Esentire threat intel team observed IcedID infections that were traced to payloads downloaded by users from the Internet. This observation matched a general uptick in successful IcedID infections in Q4 of 2022, which accounted for 35% of IcedID incidents in the period between January 2022 and January 2023. The observed IcedID infections originated exclusively via drive-by attacks, specifically Google Search Ads targeting common applications.
Source:
https://www.esentire.com/blog/icedid-malware-shifts-its-delivery-strategy
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_Magniber_ransomware_spotlight
- Date of Scan:
- 2023-01-31
- Impact:
- MEDIUM
- Summary:
- After it was originally discovered in 2017, Magniber came back in 2021. It targets some Asian countries, and TrendMicro found that it exploits new vulnerabilities for initial access, including CVE-2021-26411, CVE-2021-40444, and most notably the PrintNightmare vulnerability, CVE-2021-34527.
Source:
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-magniber
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_samples_January_16_22nd_2023
- Date of Scan:
- 2023-01-31
- Impact:
- LOW
- Summary:
- The ASEC analysis team keeps monitoring weekly malware collection samples, here for January 16-22nd, 2023. They shared their analyses of the cases of phishing email distribution during this week and provided statistical information on each type.
—
- Intel Source:
- Recorded Future
- Intel Name:
- Hackers_From_BlueBravo_Deploying_GraphicalNeutrino_Malware
- Date of Scan:
- 2023-01-31
- Impact:
- LOW
- Summary:
- Recorded Future researchers have identified the new malware used by BlueBravo threat group, which overlaps with Russian APT activity tracked as APT29 and NOBELIUM, which Western governments and researchers have linked to the Russian Foreign Intelligence Service (SVR).
Source:
https://www.recordedfuture.com/bluebravo-uses-ambassador-lure-deploy-graphicalneutrino-malware
—
- Intel Source:
- Mandiant
- Intel Name:
- Gootkit_Malware_Updating_With_New_Components_and_Obfuscations
- Date of Scan:
- 2023-01-30
- Impact:
- LOW
- Summary:
- Mandiant researchers have identified that the threat actors associated with the Gootkit malware have made notable changes to their toolset, adding new components and obfuscations to their infection chains.
Source:
https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations
—
- Intel Source:
- ESET
- Intel Name:
- Sandworm_APT_Targeting_Ukraine
- Date of Scan:
- 2023-01-30
- Impact:
- LOW
- Summary:
- ESET researchers have discovered a new Golang-based wiper, dubbed SwiftSlicer, that is used in attacks aimed at Ukraine. They also believe that the Russia-linked APT group Sandworm (aka BlackEnergy and TeleBots) is behind the wiper attacks.
—
- Intel Source:
- Sucuri
- Intel Name:
- Database_Injection_Attacks_Compromise_WordPress_Sites
- Date of Scan:
- 2023-01-30
- Impact:
- LOW
- Summary:
- Sucuri researchers have identified a massive campaign that infects over 4,500 WordPress websites as part of a long-running operation. According to GoDaddy-owned Sucuri, the infections involve the injection of obfuscated JavaScript hosted on a malicious domain that’s designed to redirect visitors to undesirable sites.
—
- Intel Source:
- Esentire
- Intel Name:
- The_Deep_Examination_of_Venom_Spider
- Date of Scan:
- 2023-01-30
- Impact:
- LOW
- Summary:
- Esentire researchers have discovered the real-world identity of the threat actor behind Golden Chickens malware-as-a-service, who goes by the online persona badbullzvenom.
Source:
https://www.esentire.com/web-native-pages/unmasking-venom-spider
—
- Intel Source:
- PaloAlto
- Intel Name:
- Realtek_SDK_Vulnerability_Attempting_to_Hack_IoT_Devices
- Date of Scan:
- 2023-01-30
- Impact:
- LOW
- Summary:
- Researchers from PaloAlto have observed a spike in exploitation attempts weaponizing a critical remote code execution flaw in the Realtek Jungle SDK. The ongoing campaign is said to have recorded 134 million exploit attempts as of December 2022, with 97% of the attacks occurring in the past four months.
Source:
https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/#post-126726-_f37quwequ6r
—
- Intel Source:
- CERT-UA
- Intel Name:
- Hackers_From_Sandworm_Group_Targeting_News_Agencies
- Date of Scan:
- 2023-01-30
- Impact:
- LOW
- Summary:
- Researchers from CERT-UA have identified five different data-wiping malware strains deployed on the network of the country’s national news agency (Ukrinform) on January 17th.
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_samples_January_8_14th_2023
- Date of Scan:
- 2023-01-28
- Impact:
- LOW
- Summary:
- The ASEC analysis team keeps monitoring weekly malware collection samples, here for January 8-14th, 2023. They shared their analyses of the cases of phishing email distribution during this week and provided statistical information on each type.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Mimic_Ransomware_Targeting_Russian_and_English_Speaking_Users
- Date of Scan:
- 2023-01-27
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage.
—
- Intel Source:
- Cyble
- Intel Name:
- Titan_Stealer_Leveraging_GoLang
- Date of Scan:
- 2023-01-27
- Impact:
- LOW
- Summary:
- Cyble researchers have observed that threat actors use Golang for their information stealer malware. Additionally, Titan Stealer was spotted using multiple Command and Control (C&C) infrastructures to target new victims.
Source:
https://blog.cyble.com/2023/01/25/titan-stealer-the-growing-use-of-golang-among-threat-actors/
—
- Intel Source:
- CISA
- Intel Name:
- Cybercriminals_Leveraging_Legitimate_RMM_software
- Date of Scan:
- 2023-01-27
- Impact:
- MEDIUM
- Summary:
- CISA researchers have identified a widespread cyber campaign involving the malicious use of legitimate RMM software. Specifically, cyber-criminal actors send phishing emails that lead the target to download legitimate RMM software—ScreenConnect (now ConnectWise Control) and AnyDesk—which the actors then use in a refund scam to steal money from victim bank accounts.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Chinese_PlugX_Malware_Hidden_in_USB_Devices
- Date of Scan:
- 2023-01-27
- Impact:
- MEDIUM
- Summary:
- Researchers from PaloAlto have discovered a similar variant of PlugX in VirusTotal that infects USB devices and copies all Adobe PDF and Microsoft Word files from the host. It places these copies in a hidden folder on the USB device that is created by the malware.
Source:
https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- Kronos_Malware_Increasing_its_Functionality
- Date of Scan:
- 2023-01-27
- Impact:
- LOW
- Summary:
- Researchers from IBM Security Intelligence have identified that Kronos Malware is back with new functionality. It is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims.
—
- Intel Source:
- Zscaler
- Intel Name:
- Hackers_Targeting_Tech_Layoff_Employees_With_Job_Scams
- Date of Scan:
- 2023-01-27
- Impact:
- MEDIUM
- Summary:
- Zscaler Threatlabz researchers have observed multiple suspicious job portals and surveys used by attackers to solicit information from job seekers under the guise of employment application forms. The attackers may advertise jobs online, sometimes setting up fake websites, or look for targets on social media to steal money and personal information.
—
- Intel Source:
- Trellix
- Intel Name:
- The_Deep_Examination_of_GuLoader
- Date of Scan:
- 2023-01-27
- Impact:
- LOW
- Summary:
- Trellix researchers have analyzed the multiple archive types used by threat actors to trick users into opening an email attachment and the progression of its distribution inside NSIS (Nullsoft Scriptable Install System) executable files by showing the obfuscation and string encryption updates through the year 2022.
Source:
https://www.trellix.com/en-us/about/newsroom/stories/research/guloader-the-nsis-vantage-point.html
—
- Intel Source:
- Blackberry
- Intel Name:
- New_Evasion_Methods_For_Emotet
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- BlackBerry researchers have observed that Emotet has returned with new techniques. It continues to evolve steadily, adding new techniques for evasion and increasing its likelihood of successful infection. It is also able to host an array of modules, each used for a different aspect of information theft, that report back to its command-and-control (C2) servers.
Source:
https://blogs.blackberry.com/en/2023/01/emotet-returns-with-new-methods-of-evasion
—
- Intel Source:
- Huntress
- Intel Name:
- The_ConnectWise_Control_vulnerabilities_and_exploitation
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- During the month of December, the Huntress team followed the discussion surrounding supposed ConnectWise Control vulnerabilities and possible in-the-wild exploitation. The Huntress team has been in contact with both the ConnectWise CISO and security team, did their own research, and explained their opinions in detail.
Source:
https://www.huntress.com/blog/clearing-the-air-overblown-claims-of-vulnerabilities-exploits-severity
—
- Intel Source:
- Proofpoint
- Intel Name:
- North_Korean_Hackers_Moving_With_Credential_Harvesting
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Researchers from Proofpoint have identified that a North Korean threat group well known for crypto heists has been attributed to a new wave of malicious email attacks as part of a “sprawling” credential harvesting activity targeting a number of industry verticals, marking a significant shift in its strategy.
Source:
https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds
—
- Intel Source:
- Bitdefender
- Intel Name:
- Hackers_Leveraging_ProxyNotShell_For_Attacks
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- BitDefender researchers have started observing an increase in attacks using ProxyNotShell/OWASSRF exploit chains to target on-premises Microsoft Exchange deployments.
Source:
https://businessinsights.bitdefender.com/technical-advisory-proxyhell-exploit-chains-in-the-wild
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_APT_Group_Gamaredon
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of APT Group Gamaredon. It is a Russia-backed advanced persistent threat (APT) that has been operating since at least 2013. The group is believed to be operating out of Ukraine, and is thought to be focused on targeting Ukrainian government and military organizations, as well as individuals and organizations in the energy sector.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-apt-group-gamaredon-active-iocs-31
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Remcos_RAT
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Remcos RAT. It has been operating since 2016. This RAT was originally promoted as genuine software for remote control of Microsoft Windows from XP onwards, and is frequently found in phishing attempts due to its capacity to completely infect an afflicted machine.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-remcos-rat-active-iocs-86
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Raccoon_Infostealer
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Raccoon Infostealer. It gathers private data such as credit card numbers, cryptocurrency wallet addresses, login passwords, and browser information like cookies and history.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-raccoon-infostealer-active-iocs-39
—
- Intel Source:
- Cyble
- Intel Name:
- The_rised_concern_of_Amadey_Bot
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Recently, Cyble Research and Intelligence Labs (CRIL) has observed a huge spike in Amadey bot samples, which shows that threat actors are actively using this bot to infect victims’ systems with other malware.
Source:
https://blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/
—
- Intel Source:
- SocInvestigation
- Intel Name:
- Cybercriminals_Using_JQuery_to_Spread_Malware
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Researchers from SocInvestigation have identified that the popular JavaScript library “jQuery” is being used by hackers to distribute malware.
Source:
https://www.socinvestigation.com/malicious-jquery-javascript-threat-detection-incident-response/
—
- Intel Source:
- Rapid 7
- Intel Name:
- Critical_ManageEngine_Vulnerability_Observed
- Date of Scan:
- 2023-01-26
- Impact:
- MEDIUM
- Summary:
- Rapid7 is taking precautionary steps against exploitation of CVE-2022-47966. Several of the affected products are extremely popular with organizations and attackers, including ADSelfService Plus and ServiceDesk Plus. Rapid7 provided a detailed analysis of CVE-2022-47966 in AttackerKB. Rapid7’s vulnerability research team discovered during testing that some products may be more exploitable than others: ServiceDesk Plus and ADSelfService.
—
- Intel Source:
- Sentinelone
- Intel Name:
- Hackers_From_DragonSpark_Using_Golang_Malware_to_Avoid_Detection
- Date of Scan:
- 2023-01-26
- Impact:
- MEDIUM
- Summary:
- Researchers from SentinelOne have identified that companies in East Asia are being targeted by a Chinese-speaking threat actor named DragonSpark. The attacks are characterized by the use of the little-known open-source SparkRAT and malware that attempts to evade detection through Golang source code interpretation.
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Ursnif_Banking_Trojan_aka_Gozi
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of the Ursnif Banking Trojan aka Gozi. Also known as Gozi and Dreambot, it has been around for more than 10 years. It gained popularity in 2015 when its source code was published on GitHub, and since then those maintaining it have continually tweaked it to make use of their arsenal according to their gains.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Vice_Society_Ransomware_Group_Targeting_Manufacturing_Companies
- Date of Scan:
- 2023-01-26
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have highlighted the findings of Vice Society, which includes an end-to-end infection diagram.
—
- Intel Source:
- Esentire
- Intel Name:
- A_Deep_Examination_of_Raspberry_Robin
- Date of Scan:
- 2023-01-25
- Impact:
- LOW
- Summary:
- Esentire researchers have observed 11 cases of Raspberry Robin infections since May 2022 and analyzed them.
Source:
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-raspberry-robin
—
- Intel Source:
- Uptycs
- Intel Name:
- Titan_Stealer_Malware_Distributing_via_Telegram_Channel
- Date of Scan:
- 2023-01-25
- Impact:
- LOW
- Summary:
- Researchers from Uptycs have discovered a campaign involving the Titan Stealer malware, which is being marketed and sold by a threat actor (TA) through a Telegram channel for cybercrime purposes.
Source:
https://www.uptycs.com/blog/titan-stealer-telegram-malware-campaign
—
- Intel Source:
- Confiant
- Intel Name:
- Black_Friday_Day_Makes_Big_For_Malvertising
- Date of Scan:
- 2023-01-25
- Impact:
- LOW
- Summary:
- Confiant researchers have observed a cookie-stuffing campaign running across multiple programmatic ad platforms with a specific uptick in Q4 around Black Friday.
Source:
https://blog.confiant.com/malvertiser-makes-the-big-bucks-on-black-friday-637922cd5865
—
- Intel Source:
- Radware
- Intel Name:
- 8220_Gang_Targeting_Vulnerable_Cloud_Providers
- Date of Scan:
- 2023-01-24
- Impact:
- LOW
- Summary:
- Radware researchers have identified that the Chinese threat group known as 8220 Gang is targeting cloud providers and poorly secured applications with a custom-built crypto miner and IRC bot.
—
- Intel Source:
- Human Blog
- Intel Name:
- Advertisement_Fraud_Scheme_VASTFLUX_Targeted_Over_11_Million_Devices
- Date of Scan:
- 2023-01-24
- Impact:
- LOW
- Summary:
- Researchers from HUMAN’s Satori Threat Intelligence team have identified a sophisticated ad fraud scheme, dubbed VASTFLUX, that targeted more than 11 million devices.
Source:
https://www.humansecurity.com/learn/blog/traffic-signals-the-vastflux-takedown
—
- Intel Source:
- Cyfirma
- Intel Name:
- Remcos_RAT_Deployment_by_GuLoader
- Date of Scan:
- 2023-01-24
- Impact:
- LOW
- Summary:
- CYFIRMA researchers have identified the distribution of a malicious PDF file through email. It redirects the user to a cloud-based platform where they are prompted to download a ZIP file.
Source:
https://www.cyfirma.com/outofband/guloader-deploying-remcos-rat/
—
- Intel Source:
- Analyst1
- Intel Name:
- Diving_Deep_into_LockBit_Ransomware
- Date of Scan:
- 2023-01-23
- Impact:
- MEDIUM
- Summary:
- Researchers from Analyst1 have analyzed the LockBit ransomware operations. It is one of the most notorious organized cybercrime syndicates that exists today.
—
- Intel Source:
- Sucuri
- Intel Name:
- Database_Infections_That_Compromise_Vulnerable_WordPress_Sites
- Date of Scan:
- 2023-01-20
- Impact:
- LOW
- Summary:
- Sucuri researchers have identified a database injection that has two different pieces of malware accomplishing two unrelated goals. The first injection redirects users to a spammy sports website and the second injection boosts authority of a spammy casino website within search engines.
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_samples_January_9_15th_2023
- Date of Scan:
- 2023-01-20
- Impact:
- LOW
- Summary:
- The ASEC analysis team keeps monitoring weekly malware collection samples, here for January 9-15th, 2023. The top malware families for this week are SmokeLoader, BeamWinHTTP, Formbook, AgentTesla and Lokibot.
—
- Intel Source:
- Team Cymru
- Intel Name:
- The_Vidar_operators_expanding_their_infrastructure
- Date of Scan:
- 2023-01-20
- Impact:
- MEDIUM
- Summary:
- Team Cymru researchers analyzed Vidar infrastructure in their “Darth Vidar” report. Vidar operators appear to be expanding their infrastructure. Vidar is an info-stealer malware, first spotted in the wild in late 2018 by the security researcher Fumik0. The name itself (Vidar) is derived from a string found in the malware’s code. Vidar is considered to be a distinct fork of the Arkei malware family.
Source:
https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threat-infrastructure
—
- Intel Source:
- Fortinet
- Intel Name:
- New_CrySIS_or_Dharma_Ransomware_Variants
- Date of Scan:
- 2023-01-20
- Impact:
- MEDIUM
- Summary:
- Fortinet Labs researchers have analyzed the variants of the CrySIS/Dharma ransomware family.
—
- Intel Source:
- Mandiant
- Intel Name:
- Exploitation_of_FortiOS_Vulnerability_CVE_2022_42475
- Date of Scan:
- 2023-01-20
- Impact:
- HIGH
- Summary:
- Mandiant is monitoring a suspected China-nexus campaign that exploited a recently discovered vulnerability in Fortinet’s FortiOS SSL-VPN, CVE-2022-42475, as a zero-day. Mandiant discovered a new malware called “BOLDMOVE” during the investigation. They found a Windows variant of BOLDMOVE and a Linux variant, which is specifically designed to run on FortiGate Firewalls.
Source:
https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw
—
- Intel Source:
- Mandiant
- Intel Name:
- Fortinet_Firewall_Vulnerability_Exploited_by_New_Chinese_Malware
- Date of Scan:
- 2023-01-20
- Impact:
- MEDIUM
- Summary:
- Researchers from Mandiant have identified a China-nexus threat actor who exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa.
Source:
https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Gh0st_RAT
- Date of Scan:
- 2023-01-19
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Gh0st RAT. It is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information and data. This type of malware enables cybercriminals to gain complete access to infected computers and attempt to hijack the user’s banking account.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-gh0st-rat-active-iocs-4
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Cybersecurity_incident_on_website_of_Liquor_Control_Board_of_Ontario
- Date of Scan:
- 2023-01-19
- Impact:
- LOW
- Summary:
- This month, the Liquor Control Board of Ontario (LCBO) shared the news about a cybersecurity incident, affecting online sales. The cybersecurity incident was a web skimmer, which is designed to retrieve customer payment information.
—
- Intel Source:
- SentinelOne
- Intel Name:
- The_SEO_Poisoning_attack
- Date of Scan:
- 2023-01-19
- Impact:
- LOW
- Summary:
- Many researchers have observed an increase in malicious search engine advertisements found in the wild – known as SEO Poisoning, which is a malvertising (malicious advertising) activity. There is increasing variety in the specifics of the malware delivery method, such as which searches produce the malicious advertisements and which malware is being delivered.
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_STRRAT_Malware
- Date of Scan:
- 2023-01-19
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of STRRAT Malware. It is a Java-based Remote-Access Trojan (RAT) with a slew of malicious features, notably information theft and backdoor capabilities.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-strrat-malware-active-iocs-7
—
- Intel Source:
- Talos
- Intel Name:
- The_LNK_metadata_trail
- Date of Scan:
- 2023-01-19
- Impact:
- LOW
- Summary:
- Cisco Talos researchers analyzed metadata in LNK files that is linked to threat actors’ tactics, techniques and procedures, in order to identify their activity. The researchers’ report shares their analyses of Qakbot and Gamaredon as examples.
Source:
https://blog.talosintelligence.com/following-the-lnk-metadata-trail/
—
- Intel Source:
- TrendMicro
- Intel Name:
- Batloader_Malware_Attacks_in_Q4_2022_Used_Obfuscated_JavaScript_Files_and_Legitimate_Tools
- Date of Scan:
- 2023-01-19
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have identified notable Batloader campaigns that they observed in the last quarter of 2022, including the abuse of custom action scripts from the Advanced Installer software and Windows Installer XML (WiX) toolset, the use of obfuscated JavaScript files as a first-stage payload, and the use of PyArmor tool to obfuscate Batloader Python scripts.
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_NJRAT
- Date of Scan:
- 2023-01-18
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of NJRAT. It is a Remote Access Trojan, which is found leveraging Pastebin to deliver a second-stage payload after initial infection.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-njrat-active-iocs-49
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Malicious_Google_Ads
- Date of Scan:
- 2023-01-18
- Impact:
- LOW
- Summary:
- Researchers from SANS have identified that Google ads are a common vector for malware distribution. These ads frequently lead to fake sites impersonating web pages for legitimate software.
—
- Intel Source:
- Cyfirma
- Intel Name:
- Abusing_Google_Ads_platform_by_various_campaigns
- Date of Scan:
- 2023-01-18
- Impact:
- LOW
- Summary:
- CYFIRMA researchers observed the campaigns closely and provided a preliminary analysis of a new RAT known as “VagusRAT” and its possible attribution to Iranian threat actors. VagusRAT is also delivered to victims by exploiting Google Ads.
Source:
https://www.cyfirma.com/outofband/vagusrat-a-new-entrant-in-the-external-threat-landscape/
—
- Intel Source:
- PaloAlto
- Intel Name:
- Attacks_on_Iranian_Government_Entities_Through_Backdoor_Diplomacy
- Date of Scan:
- 2023-01-18
- Impact:
- MEDIUM
- Summary:
- PaloAlto researchers have identified that the threat actor known as Backdoor Diplomacy has been linked to a new wave of attacks targeting Iranian government entities between July and late December 2022.
—
- Intel Source:
- SentinelOne
- Intel Name:
- The_observation_of_the_numerous_attacks_by_NetSupport_RAT_campaign
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- Researchers from ASEC reported on a NetSupport RAT campaign that uses Pokemon as the social engineering lure. The threat actors are hosting a Pokemon-based NFT game on malicious sites, offering both fun and financial rewards.
—
- Intel Source:
- Avast
- Intel Name:
- Decryption_Tool_For_BianLian_Ransomware_Released_by_Avast
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- Avast researchers have released a free decryptor for the BianLian ransomware strain to help victims of the malware recover locked files without paying the hackers.
Source:
https://decoded.avast.io/threatresearch/decrypted-bianlian-ransomware/
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Bitter_APT_Group
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- The Rewterz analyst team published an analysis summary of the Bitter APT group. APT-17, aka the BITTER APT group, has recently been active, targeting sectors in South Asia for information theft and espionage. The group has a history of targeting the energy, engineering, and government sectors in South Asia.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-bitter-apt-group-active-iocs-22
—
- Intel Source:
- Sekoia
- Intel Name:
- Other_Threat_Actor_Can_Use_Raspberry_Robin
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- Sekoia researchers have identified that Raspberry Robin’s attack infrastructure makes it possible for other threat actors to repurpose the infections for their own malicious activities, which makes it an even more potent threat.
Source:
https://blog.sekoia.io/raspberry-robins-botnet-second-life/
—
- Intel Source:
- ASEC
- Intel Name:
- A_manuscript_Solicitation_Letter_was_disguised_by_malware
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- On January 8th, the ASEC analysis team discovered a document-type malware targeting workers in the security field. The obtained malware uses an external object within a Word document to execute an additional malicious macro.
—
- Intel Source:
- Perception-Point
- Intel Name:
- Exploitation_by_attackers_to_deliver_malware_with_Microsoft_Office_macros
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- Perception Point researchers discussed in their blog the similarity of malicious Microsoft Office macros, which are widely exploited by attackers and used to deliver malware. They discussed similarity-based tactics using real-world samples that were detected in the wild.
Source:
https://perception-point.io/blog/malicious-office-macros-detecting-similarity-in-the-wild-2/
—
- Intel Source:
- ASEC
- Intel Name:
- Document_Type_Malware_Targeting_Security_Field_Workers
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- ASEC researchers have observed document-type malware being distributed and targeting workers in the security field. The obtained malware uses an external object within a Word document to execute an additional malicious macro.
—
- Intel Source:
- CircleCI
- Intel Name:
- A_Deep_Analysis_of_CircleCI_Security_Alert
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- CircleCI received an alert about suspicious GitHub OAuth activity and analyzed it.
Source:
https://circleci.com/blog/jan-4-2023-incident-report/
—
- Intel Source:
- Fortinet
- Intel Name:
- Three_PyPI_Package_Spreading_Malware_to_Developer_Systems
- Date of Scan:
- 2023-01-17
- Impact:
- MEDIUM
- Summary:
- Fortinet researchers have identified that a threat actor named Lolip0p has uploaded three rogue packages to the Python Package Index (PyPI) repository that are designed to drop malware on compromised developer systems.
—
- Intel Source:
- ASEC
- Intel Name:
- Phishing_Email_Targeting_National_Tax_Service
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered that a phishing email impersonating the National Tax Service is being distributed.
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Email_Threats_analyses_January_1_7_2023
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- The ASEC analysis team keeps monitoring phishing email threats with their automatic sample analysis system (RAPIT) and honeypot. Their post explains the samples of phishing emails distributed during the week from January 1st, 2023 to January 7th, 2022. The most prevalent threat type observed in phishing email attachments was FakePage, accounting for 58%. FakePages are web pages where the threat actor has duplicated the screen layout, logo, and font of real login pages or advertising pages, leading users to enter their account and password information.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Hackers_Using_Middle_Eastern_Geopolitical_Themed_to_Distribute_NjRAT
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have identified an active campaign that is using Middle Eastern geopolitical themes as a lure to target potential victims in the Middle East and Africa. In this campaign, the threat actor Earth Bogle uses public cloud storage services such as files.fm and failiem.lv to host malware, while compromised web servers distribute NjRAT.
—
- Intel Source:
- Crep1x
- Intel Name:
- Vidar_Stealer_Attack_Campaign_impersonating_AnyDesk
- Date of Scan:
- 2023-01-15
- Impact:
- LOW
- Summary:
- A typosquatting attack campaign found in the wild impersonates multiple legitimate RMM tools and redirects users to fake AnyDesk websites, which trigger a Vidar Stealer payload download through Dropbox.
Source:
https://twitter.com/crep1x/status/1612199364805660673
—
- Intel Source:
- Cyble
- Intel Name:
- Rhadamanthys_Stealer_Leverages_Google_Ads_in_the_wild
- Date of Scan:
- 2023-01-14
- Impact:
- LOW
- Summary:
- Researchers from Cyble found a new malware strain, Rhadamanthys Stealer, leveraging spam and phishing campaigns through Google Ads and redirecting users to fake phishing websites of popular software. The malware, downloaded in the background alongside legitimate files or through obfuscated images, steals sensitive information to further aid unauthorized access.
Source:
https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/
—
- Intel Source:
- PaloAlto
- Intel Name:
- PurpleUrchin_Campaign_Bypass_CAPTCHA_and_Steals_Cloud_Platform_Resources
- Date of Scan:
- 2023-01-14
- Impact:
- LOW
- Summary:
- Researchers from PaloAlto have analyzed Automated Libra, the cloud threat actor group behind the freejacking campaign PurpleUrchin. Automated Libra is a South African-based freejacking group that primarily targets cloud platforms offering limited-time trials of cloud resources in order to perform their cryptomining operations.
Source:
https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/
—
- Intel Source:
- Esentire
- Intel Name:
- Gootloader_Malware_returns_with_revamped_infection_technique
- Date of Scan:
- 2023-01-14
- Impact:
- LOW
- Summary:
- Researchers from Esentire found Gootloader malware activity with a new infection technique, which led to Cobalt Strike leveraging an existing PowerShell process that beaconed to various malicious domains. The attacker appears to be hands-on-keyboard, dropping multiple payloads, including BloodHound and PsExec, while remaining persistent and targeting different areas for further compromise.
Source:
https://www.esentire.com/blog/gootloader-leads-to-cobalt-strike-and-hand-on-keyboard-activity
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Unpatched_Vulnerability_to_Bypass_Windows_OS_Security_Feature
- Date of Scan:
- 2023-01-13
- Impact:
- MEDIUM
- Summary:
- EclecticIQ analysts researched QakBot phishing campaigns that turned to a zero-day vulnerability to evade Windows Mark of the Web (MoTW). QakBot may be able to increase its infection success rate as a result of the switch to a zero-day exploit.
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Deep_Investigation_of_FortiOS_Zero_Day_Attack
- Date of Scan:
- 2023-01-13
- Impact:
- LOW
- Summary:
- Researchers from Fortinet have analyzed the zero-day vulnerability in FortiOS SSL-VPN that Fortinet addressed last month, which was exploited by unknown actors in attacks targeting government and other large organizations.
—
- Intel Source:
- Deep Instinct
- Intel Name:
- RAT_Malware_Campaign_Using_Polyglot_Files_to_Evade_Detection
- Date of Scan:
- 2023-01-13
- Impact:
- LOW
- Summary:
- Deep Instinct researchers have identified that operators of the StrRAT and Ratty remote access trojans (RAT) are running a new campaign using polyglot MSI/JAR and CAB/JAR files to evade detection from security tools.
Source:
https://www.deepinstinct.com/blog/malicious-jars-and-polyglot-files-who-do-you-think-you-jar
—
- Intel Source:
- Rapid7
- Intel Name:
- Research_on_HIVE_Ransomware_attacks
- Date of Scan:
- 2023-01-13
- Impact:
- MEDIUM
- Summary:
- Rapid7 monitors and researches the range of techniques that threat actors use to conduct malicious activity. Recently, Rapid7 observed malicious activity in which a threat actor used several known techniques for distributing ransomware across many systems within a victim’s environment. In addition to those techniques, the actor employed a number of previously unseen techniques designed to drop the victim's defenses, inhibit monitoring, disable networking and allow time for the ransomware to finish encrypting files.
Source:
https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/
—
- Intel Source:
- ASEC
- Intel Name:
- Orcus_RAT_being_distributed_on_file_sharing_sites
- Date of Scan:
- 2023-01-13
- Impact:
- LOW
- Summary:
- The ASEC analysis team recently identified Orcus RAT being distributed on file-sharing sites disguised as a cracked version of Hangul Word Processor.
—
- Intel Source:
- Wordfence
- Intel Name:
- Spike_in_Holiday_Attacks_Targeting_Ancient_Vulnerabilities_and_Hidden_Webshells
- Date of Scan:
- 2023-01-13
- Impact:
- LOW
- Summary:
- Researchers from Wordfence have observed spikes in attack traffic over the Christmas and New Year holidays, specifically targeting the Downloads Manager plugin by Giulio Ganci.
—
- Intel Source:
- CrowdStrike
- Intel Name:
- Hackers_From_Scattered_Spider_Using_Old_Intel_Driver_to_Bypass_Security
- Date of Scan:
- 2023-01-12
- Impact:
- MEDIUM
- Summary:
- CrowdStrike researchers have identified a financially motivated threat actor named Scattered Spider and observed it attempting to deploy Intel Ethernet diagnostics drivers in a BYOVD (Bring Your Own Vulnerable Driver) attack to evade detection by EDR (Endpoint Detection and Response) security products.
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Mirai_Botnet_aka_Katana
- Date of Scan:
- 2023-01-12
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Mirai Botnet aka Katana. Mirai is one of the first major botnets to target Linux-based vulnerable networking devices. It was discovered in August 2016 and its name means “future” in Japanese.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-mirai-botnet-aka-katana-active-iocs-4
—
- Intel Source:
- Avast
- Intel Name:
- The_Examine_of_NeedleDropper_Mal