2023-05-30
Chinese_APT_Group_BRONZE_SILHOUETTE_Targeting_US_Government_and_Defense_Organizations
MEDIUM

Intel Source:
NSA / Secureworks
Intel Name:
Chinese_APT_Group_BRONZE_SILHOUETTE_Targeting_US_Government_and_Defense_Organizations
Date of Scan:
2023-05-30
Impact:
MEDIUM
Summary:
Secureworks researchers have documented a cluster of activity attributed to BRONZE SILHOUETTE, a People's Republic of China (PRC) state-sponsored actor also tracked as Volt Typhoon. The joint advisory notes that private sector partners have identified this activity affecting networks across U.S. critical infrastructure sectors, and the authoring agencies assess that the actor could apply the same techniques against these and other sectors worldwide.


Source:
https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations
https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF

2023-05-30
Obsidian_ORB_Ransomware_Demanding_Payment_With_Gift_Cards
LOW

Intel Source:
Cyble
Intel Name:
Obsidian_ORB_Ransomware_Demanding_Payment_With_Gift_Cards
Date of Scan:
2023-05-30
Impact:
LOW
Summary:
Cyble researchers have identified a new ransomware strain named Obsidian ORB, notable for demanding payment in gift cards rather than cryptocurrency. Analysis shows a strong overlap between Obsidian ORB and the source code of the Chaos ransomware, from which it appears to be derived.


Source:
https://blog.cyble.com/2023/05/25/obsidian-orb-ransomware-demands-gift-cards-as-payment/

2023-05-30
Ducktail_Malware_targets_a_high_profile_accounts
LOW

Intel Source:
Cyble
Intel Name:
Ducktail_Malware_targets_a_high_profile_accounts
Date of Scan:
2023-05-30
Impact:
LOW
Summary:
Cyble researchers recently analyzed Ducktail malware, which specifically targets marketing and HR professionals. The malware extracts browser cookies and hijacks the victim's authenticated social media sessions to steal sensitive information from their accounts. The operation's goal is to take over social media business accounts that hold sufficient privileges; the threat actors then use that access to run advertisements for financial gain.


Source:
https://blog.cyble.com/2023/05/17/ducktail-malware-focuses-on-targeting-hr-and-marketing-professionals/

2023-05-30
The_Invicta_Stealer_Spreading
LOW

Intel Source:
Cyble
Intel Name:
The_Invicta_Stealer_Spreading
Date of Scan:
2023-05-30
Impact:
LOW
Summary:
Cyble Research and Intelligence Labs (CRIL) discovered a new information stealer called Invicta Stealer, distributed through phony GoDaddy refund invoices. The developer behind the malware is highly active on social media, using those platforms to promote the stealer and its capabilities.


Source:
https://blog.cyble.com/2023/05/25/invicta-stealer-spreading-through-phony-godaddy-refund-invoices/

2023-05-29
Legion_Malware_Targeting_SSH_Servers_and_AWS_Credentials
LOW

Intel Source:
Cado Security
Intel Name:
Legion_Malware_Targeting_SSH_Servers_and_AWS_Credentials
Date of Scan:
2023-05-29
Impact:
LOW
Summary:
Cado Security researchers have identified an updated version of Legion, a commodity credential harvester and SMTP hijacker, with expanded features for compromising SSH servers and harvesting Amazon Web Services (AWS) credentials associated with DynamoDB and CloudWatch.


Source:
https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/
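As an added example (not Cado Security's code), the following Python script does what a defender would want to do before a harvester like Legion does it for them: walk a web root or home directory for the environment and configuration files such malware collects and report any AWS access key IDs sitting in them in plaintext. The file names, sample contents and the list of "interesting" file patterns are constructed assumptions; the key-ID format is AWS's documented one.

```python
"""Find AWS access keys sitting in plaintext files on a host, i.e. exactly what
a harvester like Legion would collect from a compromised web or SSH server.

Added example, not Cado Security's code. The file names and the sample
contents are constructed; the access-key-ID format (AKIA/ASIA + 16 uppercase
alphanumerics) is the documented AWS key ID format.
"""
import os
import re
import tempfile

AKID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Files harvesters look at first: env files and framework/config files (assumed list).
INTERESTING = re.compile(r"(^\.env(\..*)?$|^credentials$|\.(php|ini|yml|yaml|json|conf)$)")


def scan_file(path):
    """Return the access key IDs found in one file (read as text, decode errors ignored)."""
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            return AKID_RE.findall(fh.read())
    except OSError:
        return []


def scan_tree(root):
    """Walk `root`; return sorted (relative_path, key_id) pairs for every hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not INTERESTING.search(name):
                continue
            full = os.path.join(dirpath, name)
            for key in scan_file(full):
                hits.append((os.path.relpath(full, root), key))
    return sorted(hits)


def build_fixture():
    """Create a throwaway tree with constructed sample files; return its path.

    The key IDs are the placeholder examples from AWS documentation, not real keys.
    """
    root = tempfile.mkdtemp(prefix="legion-demo-")
    os.makedirs(os.path.join(root, "app"))
    os.makedirs(os.path.join(root, ".aws"))
    samples = {
        "app/.env": "APP_ENV=prod\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_SECRET_ACCESS_KEY=wJalr...\n",
        ".aws/credentials": "[default]\naws_access_key_id = AKIAI44QH8DHBEXAMPLE\n",
        "app/README.md": "Mentions AKIAIOSFODNN7EXAMPLE but is not a config file.\n",
        "app/config.php": "<?php $db = 'mysql://root:pw@localhost/app';\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    demo_root = build_fixture()
    for rel_path, key_id in scan_tree(demo_root):
        print(f"{rel_path}: {key_id}")
```

Run it against a real web root instead of the fixture by calling scan_tree("/var/www") (or wherever the application lives); anything it reports is a key that should be rotated and moved into an instance role or a secrets manager, because a harvester that lands on the host would find it just as easily.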

2023-05-29
Hackers_Targeting_Users_of_Portuguese_Financial_Institutions
MEDIUM

Intel Source:
SentinelOne
Intel Name:
Hackers_Targeting_Users_of_Portuguese_Financial_Institutions
Date of Scan:
2023-05-29
Impact:
MEDIUM
Summary:
SentinelOne researchers have observed a long-running campaign, tracked as Operation Magalenha, in which a Brazilian threat group targets users of Portuguese financial institutions. The attackers steal credentials and exfiltrate users' data and personal information, which can be leveraged for malicious activity beyond direct financial gain.


Source:
https://www.sentinelone.com/labs/operation-magalenha-long-running-campaign-pursues-portuguese-credentials-and-pii/

2023-05-28
Phishing_Delivering_via_Encrypted_Messages
MEDIUM

Intel Source:
Trustwave
Intel Name:
Phishing_Delivering_via_Encrypted_Messages
Date of Scan:
2023-05-28
Impact:
MEDIUM
Summary:
Trustwave researchers have observed phishing attacks that combine compromised Microsoft 365 accounts with .rpmsg encrypted (restricted permission) messages to deliver the phishing lure. Because the message body is encrypted, email security gateways cannot inspect the lure before the recipient opens it.


Source:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-encrypted-restricted-permission-messages-deliver-phishing/
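Added example, not Trustwave's code: a small Python triage routine that parses a message with the standard library and flags .rpmsg attachments, allowing them only from sender domains on a constructed allowlist of partners known to send encrypted mail. The sample message, the allowlist and the MIME type constant are assumptions made for the example.

```python
"""Flag inbound mail carrying .rpmsg (Microsoft encrypted restricted-permission
message) attachments for review.

Added example, not Trustwave's code. Assumptions: mail is available as RFC 822
bytes, and the organisation keeps an allowlist of partner domains that
legitimately send RMS/Purview-encrypted mail. The MIME type below is the one
usually attached to message.rpmsg; the file-extension check is the primary test.
"""
from email import policy
from email.parser import BytesParser

RPMSG_MIME = "application/x-microsoft-rpmsg-message"  # assumption: usual MIME type
ALLOWED_ENCRYPTED_SENDERS = {"partner.example"}      # constructed allowlist


def rpmsg_parts(msg):
    """Return the filenames of all .rpmsg attachments in a parsed message."""
    names = []
    for part in msg.walk():
        fname = part.get_filename() or ""
        if fname.lower().endswith(".rpmsg") or part.get_content_type() == RPMSG_MIME:
            names.append(fname or "<unnamed>")
    return names


def sender_domain(msg):
    """Crude From-header domain extraction: text after the last '@', brackets stripped."""
    addr = str(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].strip("> ").lower() if "@" in addr else ""


def triage(raw_bytes):
    """Classify one message: 'clean' (no rpmsg), 'allow' (rpmsg from an allowlisted
    domain) or 'review' (rpmsg from anyone else, since the body cannot be scanned)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    attachments = rpmsg_parts(msg)
    if not attachments:
        return {"verdict": "clean", "rpmsg": []}
    dom = sender_domain(msg)
    verdict = "allow" if dom in ALLOWED_ENCRYPTED_SENDERS else "review"
    return {"verdict": verdict, "rpmsg": attachments, "from": dom}


# Constructed sample: a multipart message from a (notionally compromised) tenant
# carrying the "message.rpmsg" attachment that encrypted Microsoft mail uses.
SAMPLE_EML = b"""\
From: Accounts Payable <ap@victim-tenant.example>
To: finance@corp.example
Subject: Encrypted message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

You have received a protected message. Open the attachment to read it.
--b1
Content-Type: application/x-microsoft-rpmsg-message; name="message.rpmsg"
Content-Disposition: attachment; filename="message.rpmsg"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```

The allowlist is deliberately keyed on sender domain rather than sender reputation: in the campaign above the sending accounts were legitimate, compromised Microsoft 365 tenants, so reputation alone would have passed them.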

2023-05-27
The_Technical_Examination_of_Pikabot
LOW

Intel Source:
Zscaler
Intel Name:
The_Technical_Examination_of_Pikabot
Date of Scan:
2023-05-27
Impact:
LOW
Summary:
Zscaler researchers have analyzed Pikabot, a new trojan that emerged in early 2023 and consists of two components: a loader and a core module.


Source:
https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot

2023-05-27
Over_200_Corporate_Victims_Hit_by_New_Ransomware_Wave
LOW

Intel Source:
Cyble
Intel Name:
Over_200_Corporate_Victims_Hit_by_New_Ransomware_Wave
Date of Scan:
2023-05-27
Impact:
LOW
Summary:
Cyble Research and Intelligence Labs (CRIL) reports that a new wave of ransomware attacks has hit over 200 corporate victims, and that the increasing adoption of double extortion is an alarming trend: attackers not only encrypt valuable corporate data but also threaten to publish it unless their demands are met.


Source:
https://blog.cyble.com/2023/05/23/new-ransomware-wave-engulfs-over-200-corporate-victims/

2023-05-27
Ongoing_Kimsuky_Campaign_Utilizing_Custom_Reconnaissance_Toolkit
MEDIUM

Intel Source:
SentinelOne
Intel Name:
Ongoing_Kimsuky_Campaign_Utilizing_Custom_Reconnaissance_Toolkit
Date of Scan:
2023-05-27
Impact:
MEDIUM
Summary:
SentinelLabs has been tracking a targeted Kimsuky campaign against information services and organizations supporting human rights activists and North Korean defectors. The campaign focuses on file reconnaissance and exfiltration of system and hardware information, laying the groundwork for subsequent precision attacks.


Source:
https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/

2023-05-27
COSMICENERGY_new_OT_Malware_related_to_Russia
MEDIUM

Intel Source:
Mandiant
Intel Name:
COSMICENERGY_new_OT_Malware_related_to_Russia
Date of Scan:
2023-05-27
Impact:
MEDIUM
Summary:
Mandiant identified a new operational technology (OT) / industrial control system (ICS) malware, named COSMICENERGY, that was uploaded to a public malware repository by a submitter in Russia. The malware is capable of causing electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), which are commonly used in electric transmission and distribution operations in Europe, the Middle East, and Asia.


Source:
https://www.mandiant.com/resources/blog/cosmicenergy-ot-malware-russian-response

2023-05-27
Israeli_Logistics_Industry_targeted_by_hackers
LOW

Intel Source:
ClearSky
Intel Name:
Israeli_Logistics_Industry_targeted_by_hackers
Date of Scan:
2023-05-27
Impact:
LOW
Summary:
ClearSky Cyber Security researchers have discovered a watering hole attack on at least eight Israeli websites, including sites in the shipping and logistics sector. The attack was most likely orchestrated by a nation-state actor from Iran, with tentative attribution to Tortoiseshell (also called TA456 or Imperial Kitten). The infected sites collect preliminary user information through an injected script.


Source:
https://www.clearskysec.com/fata-morgana/

2023-05-27
Volt_Typhoon_stealthy_activity
HIGH

Intel Source:
Microsoft, CISA
Intel Name:
Volt_Typhoon_stealthy_activity
Date of Scan:
2023-05-27
Impact:
HIGH
Summary:
Microsoft has uncovered stealthy, malicious activity focused on post-compromise credential access and network system discovery against critical infrastructure organizations in the United States. The activity is attributed to Volt Typhoon, a state-sponsored actor based in China that focuses on espionage and information gathering. Microsoft assesses with moderate confidence that the campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises. The actor relies heavily on living-off-the-land techniques and hands-on-keyboard activity, which leaves little for file-based detection to catch.


Source:
https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
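Because the actor favours built-in Windows tools over malware, detection has to come from process-creation telemetry rather than file hashes. The following Python snippet is an added example, not Microsoft's or CISA's code: it scores each host/user principal over constructed process-creation log lines using a small, illustrative watchlist of living-off-the-land command patterns (directory-store dumping, port-proxy creation, remote process creation, domain group enumeration, basic network discovery). The log format, rule list, weights and threshold are assumptions to be tuned against your own baseline before alerting on them.

```python
"""Score living-off-the-land command lines in process-creation logs per principal.

Added example (not code from Microsoft or the CISA advisory). The log format
("timestamp|host|user|command"), the watchlist and the weights below are
assumptions chosen for illustration: a generic set of built-in Windows tools
that are worth a second look when they appear together or from service
accounts. Tune against your own baseline before using this for alerting.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = """\
2023-05-20T02:13:07Z|FS01|CORP\\svc_backup|cmd.exe /c wmic process call create "ntdsutil \\"ac i ntds\\" ifm \\"create full C:\\Windows\\Temp\\pro\\" q q"
2023-05-20T02:14:10Z|FS01|CORP\\svc_backup|netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=8443
2023-05-20T02:15:41Z|FS01|CORP\\svc_backup|cmd.exe /c net group "Domain Admins" /domain
2023-05-20T08:00:00Z|WS042|CORP\\alice|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE /n
2023-05-20T08:01:12Z|WS042|CORP\\alice|ipconfig /all
"""

# Each rule: (name, compiled regex, weight). Weights are arbitrary, for illustration.
RULES = [
    ("ntds_dump", re.compile(r"ntdsutil.*\bifm\b", re.I), 10),
    ("portproxy_add", re.compile(r"netsh\s+interface\s+portproxy\s+add", re.I), 8),
    ("wmic_process_create", re.compile(r"wmic\s+process\s+call\s+create", re.I), 5),
    ("domain_group_enum", re.compile(r"\bnet\s+group\b.*\/domain", re.I), 3),
    ("network_discovery", re.compile(r"\b(ipconfig|arp|route|netstat)\b", re.I), 1),
]


def parse_line(line):
    """Split one log line into its four fields; returns None on malformed input."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    ts, host, user, cmd = parts
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}


def score_logs(text, threshold=8):
    """Aggregate rule hits per (host, user).

    Returns {(host, user): {"score": int, "hits": [rule names in order seen]}}
    for principals whose total score reaches `threshold`. A single ipconfig
    from a workstation stays below it; a service account dumping NTDS and
    adding a port proxy does not.
    """
    scores = defaultdict(lambda: {"score": 0, "hits": []})
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for name, rx, weight in RULES:
            if rx.search(rec["cmd"]):
                key = (rec["host"], rec["user"])
                scores[key]["score"] += weight
                scores[key]["hits"].append(name)
    return {k: v for k, v in scores.items() if v["score"] >= threshold}


if __name__ == "__main__":
    for (host, user), result in score_logs(SAMPLE_LOGS).items():
        print(f"{host} {user}: score={result['score']} hits={result['hits']}")
```

The scoring is per principal rather than per event on purpose: each of these commands has a benign use on its own, and the signal in a hands-on-keyboard intrusion is the sequence from one account on one host within a short window, not any single command.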

2023-05-27
Return_of_BlackByte_Ransomware_with_New_Technology_Version
LOW

Intel Source:
Cluster25
Intel Name:
Return_of_BlackByte_Ransomware_with_New_Technology_Version
Date of Scan:
2023-05-27
Impact:
LOW
Summary:
Cluster25's Threat Intel Team analyzed a new variant of BlackByte, a Ransomware-as-a-Service operation known for the homonymous malware, which is constantly updated and spread in different variants. The latest version resolves Windows APIs dynamically at runtime; to continue static analysis, the team wrote an IDAPython script that located every invocation of the API-resolution functions and recovered the APIs being loaded.


Source:
https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt

2023-05-27
Resurgence_of_Vacation_Request_Phishing_Emails_in_Summer_Time_Scams
LOW

Intel Source:
Cofense
Intel Name:
Resurgence_of_Vacation_Request_Phishing_Emails_in_Summer_Time_Scams
Date of Scan:
2023-05-27
Impact:
LOW
Summary:
Cofense researchers have observed a phishing campaign in which the threat actor sends users an email purporting to come from the HR department, with a link to submit their annual leave requests that leads to a phishing page.


Source:
https://cofense.com/blog/summer-time-scams-the-return-of-vacation-request-phishing-emails/

2023-05-27
Cyber_Crime_Forum_Offers_DDoS_As_A_Service_by_Russian_Hacktivists
LOW

Intel Source:
Cyble
Intel Name:
Cyber_Crime_Forum_Offers_DDoS_As_A_Service_by_Russian_Hacktivists
Date of Scan:
2023-05-27
Impact:
LOW
Summary:
Cyble Research and Intelligence Labs (CRIL) identified a newly advertised malware strain called "MDBotnet" on a cybercrime forum, offered as DDoS-as-a-service. Cyble's analysis suggests the malware originates from a threat actor linked to Russia.


Source:
https://blog.cyble.com/2023/05/23/new-mdbotnet-unleashes-ddos-attacks/

2023-05-27
Link_Found_Between_Korean_VPN_Installations_and_MeshAgent_Infections
LOW

Intel Source:
ASEC
Intel Name:
Link_Found_Between_Korean_VPN_Installations_and_MeshAgent_Infections
Date of Scan:
2023-05-27
Impact:
LOW
Summary:
AhnLab Security Emergency response Center (ASEC) has previously covered SparkRAT being distributed inside the installer of a Korean VPN program (see the 2023-05-18 entry below). That VPN was commonly installed by Chinese users who needed better access to the Internet, and the issue was addressed after the post was published. ASEC has since found the same VPN installer linked to MeshAgent infections.


Source:
https://asec.ahnlab.com/en/53267/

2023-05-27
Agrius_threat_actor_attacks_against_Israel
MEDIUM

Intel Source:
Check Point
Intel Name:
Agrius_threat_actor_attacks_against_Israel
Date of Scan:
2023-05-27
Impact:
MEDIUM
Summary:
Agrius, a threat actor believed to be Iranian, continues to attack Israeli targets, disguising destructive attacks as ransomware operations. Recently the group deployed Moneybird, a new ransomware written in C++. Although the operators present themselves under the new name Moneybird, Check Point assesses this is yet another Agrius alias.


Source:
https://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/

2023-05-26
Diving_Deep_into_GoldenJackal_APT_Group
LOW

Intel Source:
Securelist
Intel Name:
Diving_Deep_into_GoldenJackal_APT_Group
Date of Scan:
2023-05-26
Impact:
LOW
Summary:
Kaspersky researchers (Securelist) have monitored the GoldenJackal APT group since mid-2020 and observed a constant level of activity indicating a capable and stealthy actor. The group's main feature is a specific toolset of .NET malware: JackalControl, JackalWorm, JackalSteal, JackalPerInfo, and JackalScreenWatcher.


Source:
https://securelist.com/goldenjackal-apt-group/109677/

2023-05-26
Lazarus_Group_Targeting_Windows_IIS_Web_Servers
LOW

Intel Source:
ASEC
Intel Name:
Lazarus_Group_Targeting_Windows_IIS_Web_Servers
Date of Scan:
2023-05-26
Impact:
LOW
Summary:
ASEC researchers have identified the Lazarus group, a North Korean state-sponsored actor, carrying out attacks against Windows IIS web servers.


Source:
https://asec.ahnlab.com/en/53132/

2023-05-26
StrelaStealer_Malware_Targeting_Spanish_Users
LOW

Intel Source:
ASEC
Intel Name:
StrelaStealer_Malware_Targeting_Spanish_Users
Date of Scan:
2023-05-26
Impact:
LOW
Summary:
ASEC researchers have observed the StrelaStealer infostealer being distributed to Spanish users. It was initially discovered around November 2022 and is distributed as an attachment to spam emails.


Source:
https://asec.ahnlab.com/en/53158/

2023-05-26
Espionage_Activity_UAC_0063
LOW

Intel Source:
CERT-UA
Intel Name:
Espionage_Activity_UAC_0063
Date of Scan:
2023-05-26
Impact:
LOW
Summary:
CERT-UA reports that on 18 and 20 April 2023, e-mails were sent to the department's mailbox from the official mailbox of the Embassy of Tajikistan in Ukraine (probably as a result of the latter being compromised). The first contained a document with a macro as an attachment; the second contained a link to the same document. CERT-UA tracks the activity as UAC-0063.


Source:
https://cert.gov.ua/article/4697016

2023-05-26
Raccoon_and_Vidar_Stealers_Spreading_Fake_Cracked_Software
MEDIUM

Intel Source:
Sekoia
Intel Name:
Raccoon_and_Vidar_Stealers_Spreading_Fake_Cracked_Software
Date of Scan:
2023-05-26
Impact:
MEDIUM
Summary:
Sekoia researchers have mapped a large, resilient infrastructure distributing the Raccoon and Vidar stealers: about a hundred fake cracked-software catalog websites redirect victims through several links before the payload, hosted on file-sharing platforms such as GitHub, is downloaded.


Source:
https://blog.sekoia.io/unveiling-of-a-large-resilient-infrastructure-distributing-information-stealers/

2023-05-26
Cloud_Based_Malware_Delivery_The_Evolution_of_GuLoader
LOW

Intel Source:
Check Point
Intel Name:
Cloud_Based_Malware_Delivery_The_Evolution_of_GuLoader
Date of Scan:
2023-05-26
Impact:
LOW
Summary:
Check Point researchers have analyzed the evolution of GuLoader, one of the most prominent "packing" and "crypting" services cybercriminals use to evade antivirus detection. Such services are specifically designed to resist analysis, and GuLoader now fetches its payloads from cloud storage.


Source:
https://research.checkpoint.com/2023/cloud-based-malware-delivery-the-evolution-of-guloader/

2023-05-26
Distribution_of_DarkCloud_Infostealer_Through_Spam_Emails
LOW

Intel Source:
ASEC
Intel Name:
Distribution_of_DarkCloud_Infostealer_Through_Spam_Emails
Date of Scan:
2023-05-26
Impact:
LOW
Summary:
ASEC researchers have discovered DarkCloud being distributed via spam email. DarkCloud is an infostealer that steals account credentials saved on infected systems; in the observed case the threat actor installed ClipBanker, a clipboard hijacker, alongside it.


Source:
https://asec.ahnlab.com/en/53128/

2023-05-24
Middle_East_Targeted_by_New_Kernel_Driver_Exploit
LOW

Intel Source:
Fortinet
Intel Name:
Middle_East_Targeted_by_New_Kernel_Driver_Exploit
Date of Scan:
2023-05-24
Impact:
LOW
Summary:
Fortinet researchers track suspicious executables that make use of open-source tools and frameworks, including the Donut project, which generates position-independent shellcode that loads .NET assemblies, PE files, and other Windows payloads from memory and runs them with parameters. That hunting surfaced a malicious kernel driver, WinTapix, used against targets in Middle Eastern countries.


Source:
https://www.fortinet.com/blog/threat-research/wintapix-kernal-driver-middle-east-countries

2023-05-22
New_Signed_Kernel_Driver_Deployed_BlackCat_Ransomware
MEDIUM

Intel Source:
Trend Micro
Intel Name:
New_Signed_Kernel_Driver_Deployed_BlackCat_Ransomware
Date of Scan:
2023-05-22
Impact:
MEDIUM
Summary:
Trend Micro researchers analyzed a BlackCat (ALPHV) ransomware incident from February 2023 in which they observed a new signed kernel driver, used mainly for defense evasion, that overlaps with the malicious signed drivers previously disclosed by three vendors.


Source:
https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html

2023-05-22
Hackers_Targeting_Vulnerable_WordPress_Elementor_plugin_Versions
LOW

Intel Source:
Wordfence
Intel Name:
Hackers_Targeting_Vulnerable_WordPress_Elementor_plugin_Versions
Date of Scan:
2023-05-22
Impact:
LOW
Summary:
Wordfence researchers report that sites running versions of the WordPress plugin Essential Addons for Elementor affected by the now-patched critical vulnerability CVE-2023-32243 are being actively scanned and targeted by threat actors following the release of a proof-of-concept exploit.


Source:
https://www.wordfence.com/blog/2023/05/psa-attackers-actively-exploiting-critical-vulnerability-in-essential-addons-for-elementor/

2023-05-22
BatLoader_Campaign_Impersonates_ChatGPT_and_Midjourney_to_Deliver_Redline_Stealer
LOW

Intel Source:
eSentire
Intel Name:
BatLoader_Campaign_Impersonates_ChatGPT_and_Midjourney_to_Deliver_Redline_Stealer
Date of Scan:
2023-05-22
Impact:
LOW
Summary:
eSentire researchers have observed threat actors using BatLoader, delivered as MSIX Windows App Installer files from sites impersonating ChatGPT and Midjourney, to deliver the Redline Stealer.


Source:
https://www.esentire.com/blog/batloader-impersonates-midjourney-chatgpt-in-drive-by-cyberattacks

2023-05-22
IcedID_Macro_Ends_in_Nokoyawa_Ransomware
LOW

Intel Source:
DFIR Report
Intel Name:
IcedID_Macro_Ends_in_Nokoyawa_Ransomware
Date of Scan:
2023-05-22
Impact:
LOW
Summary:
The DFIR Report documented an intrusion from Q4 2022 in which threat actors targeted Italian organizations with malicious Excel documents that deploy IcedID, ultimately ending in Nokoyawa ransomware. The actors likely hoped to reach organizations that had not yet updated Microsoft Office to the builds that block macros in documents downloaded from the internet.


Source:
https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/

2023-05-19
AndoryuBot_s_DDOS_wild_behavior
LOW

Intel Source:
Cyble
Intel Name:
AndoryuBot_s_DDOS_wild_behavior
Date of Scan:
2023-05-19
Impact:
LOW
Summary:
Cyble observed active exploitation of CVE-2023-25717, a vulnerability in the Ruckus wireless administration interface, to deploy AndoryuBot, indicating that threat actors are actively hunting for vulnerable Ruckus assets. AndoryuBot is a new botnet sold on Telegram on a subscription basis; it lets operators orchestrate large-scale DDoS attacks that overwhelm targeted servers and infrastructure with a massive volume of traffic.


Source:
https://blog.cyble.com/2023/05/17/andoryubots-ddos-rampage/

2023-05-19
Brute_Ratel_remains_rare_and_targeted
LOW

Intel Source:
Sophos
Intel Name:
Brute_Ratel_remains_rare_and_targeted
Date of Scan:
2023-05-19
Impact:
LOW
Summary:
Sophos researchers report that use of Brute Ratel C4, a commercial post-exploitation framework, by threat actors has faded after an initial flurry, while Cobalt Strike remains the go-to post-exploitation tool for many.


Source:
https://news.sophos.com/en-us/2023/05/18/the-phantom-menace-brute-ratel-remains-rare-and-targeted/

2023-05-19
Distributing_DarkCrystal_RAT_by_fake_Desktop_Authenticator_App
LOW

Intel Source:
BushidoToken
Intel Name:
Distributing_DarkCrystal_RAT_by_fake_Desktop_Authenticator_App
Date of Scan:
2023-05-19
Impact:
LOW
Summary:
The researcher BushidoToken recently discovered a threat actor campaign using fake websites to distribute malware, a TTP that appears to be on the rise. A suspected Russia-based threat actor cloned the website of Steam Desktop Authenticator, a legitimate open-source desktop version of Steam's mobile authenticator app, to distribute DarkCrystal RAT.


Source:
https://blog.bushidotoken.net/2023/05/fake-steam-desktop-authenticator-app.html

2023-05-19
TurkoRat_found_hiding_in_the_npm_package
LOW

Intel Source:
Reversing Labs
Intel Name:
TurkoRat_found_hiding_in_the_npm_package
Date of Scan:
2023-05-19
Impact:
LOW
Summary:
ReversingLabs researchers found two malicious npm packages containing TurkoRat, an open-source infostealer, which lurked on npm for two months before being detected.


Source:
https://www.reversinglabs.com/blog/rats-found-hiding-in-the-npm-attic

2023-05-19
CapCut_s_Video_to_Deliver_Multiple_Stealers
LOW

Intel Source:
Cyble
Intel Name:
CapCut_s_Video_to_Deliver_Multiple_Stealers
Date of Scan:
2023-05-19
Impact:
LOW
Summary:
Cyble researchers recently discovered several phishing websites disguised as video editing software. These fake sites lure users into downloading and executing various malware families, including stealers and RATs. In these campaigns the threat actors impersonated the CapCut video editing tool, a product of ByteDance, the parent company of TikTok.


Source:
https://blog.cyble.com/2023/05/19/capcut-users-under-fire/

2023-05-18
The_exploitation_of_critical_vulnerability_CVE_2023_32243
HIGH

Intel Source:
Wordfence
Intel Name:
The_exploitation_of_critical_vulnerability_CVE_2023_32243
Date of Scan:
2023-05-18
Impact:
HIGH
Summary:
Essential Addons for Elementor, a WordPress plugin, recently released a patch for a critical vulnerability, CVE-2023-32243, that allows any unauthenticated user to reset arbitrary user passwords, including those of accounts with administrative access. The vulnerability was discovered and responsibly disclosed by security researcher Rafie Muhammed, and Wordfence reports that it is being actively exploited.


Source:
https://www.wordfence.com/blog/2023/05/psa-attackers-actively-exploiting-critical-vulnerability-in-essential-addons-for-elementor/
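Added example, not the plugin's code: a minimal Python illustration of the bug class described above, a password reset handler that changes a password on the strength of a username and new password alone, beside a hardened handler that requires a single-use, time-limited reset key tied to the account. The user store, request format and token scheme are assumptions made for the example.

```python
"""The bug class behind the Essential Addons for Elementor issue: a password
reset handler that changes a password without proof that the caller holds a
valid reset key for that account.

Added example, not the plugin's code. The handlers below are a minimal,
framework-free illustration; the request dicts, the in-memory user store and
the reset-key scheme are assumptions made for the example.
"""
import hashlib
import hmac
import os
import secrets
import time

USERS = {"admin": {"pw_hash": None, "role": "administrator"}}  # constructed store
RESET_KEYS = {}   # login -> (sha256(key), expiry); populated by request_reset()
TTL_SECONDS = 900


def _hash_pw(pw):
    """Salted PBKDF2; returns salt || digest."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


def verify_pw(login, pw):
    """Constant-time check of a password against the stored hash."""
    rec = USERS.get(login)
    if not rec or rec["pw_hash"] is None:
        return False
    salt, digest = rec["pw_hash"][:16], rec["pw_hash"][16:]
    return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000))


def vulnerable_reset(req):
    """VULNERABLE: trusts the login and new password supplied by the caller.

    Nothing here proves the caller owns the account. A CSRF nonce alone is not
    authentication, so checking one would not close this hole."""
    login, new_pw = req["login"], req["new_password"]
    if login not in USERS:
        return "no such user"
    USERS[login]["pw_hash"] = _hash_pw(new_pw)
    return "password changed"


def request_reset(login):
    """Issue a single-use, time-limited key (delivered out of band, e.g. by email).
    Only its hash is stored, so a database read does not yield usable keys."""
    key = secrets.token_urlsafe(32)
    RESET_KEYS[login] = (hashlib.sha256(key.encode()).digest(), time.time() + TTL_SECONDS)
    return key


def hardened_reset(req):
    """HARDENED: the key must match the stored hash for this login, be unexpired,
    and is consumed on first use. Failures return one generic message."""
    login, key, new_pw = req["login"], req.get("key", ""), req["new_password"]
    entry = RESET_KEYS.get(login)
    if login not in USERS or entry is None:
        return "invalid key"
    key_hash, expiry = entry
    presented = hashlib.sha256(key.encode()).digest()
    if time.time() > expiry or not hmac.compare_digest(key_hash, presented):
        return "invalid key"
    del RESET_KEYS[login]
    USERS[login]["pw_hash"] = _hash_pw(new_pw)
    return "password changed"


if __name__ == "__main__":
    print(vulnerable_reset({"login": "admin", "new_password": "attacker-chosen"}))
    print(hardened_reset({"login": "admin", "key": "guess", "new_password": "x"}))
    k = request_reset("admin")
    print(hardened_reset({"login": "admin", "key": k, "new_password": "owner-chosen"}))
```

The property to check in any reset flow, WordPress or otherwise, is the one the vulnerable handler lacks: the request must carry something only the account owner could have obtained, and the server must bind that secret to the specific login being reset.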

2023-05-18
The_analysis_of_QakBot_Infrastructure
MEDIUM

Intel Source:
Team Cymru
Intel Name:
The_analysis_of_QakBot_Infrastructure
Date of Scan:
2023-05-18
Impact:
MEDIUM
Summary:
Team Cymru shared research visualizing QakBot's infrastructure from network telemetry, testing several hypotheses along the way. Key findings: QakBot C2 servers are not separated by affiliate ID; C2 servers from older configurations continue to communicate with upstream C2 servers for months after being used in campaigns; and three upstream C2 servers were identified in Russia, two of which behave similarly based on telemetry patterns and the geolocations of the bot C2s communicating with them.


Source:
https://www.team-cymru.com/post/visualizing-qakbot-infrastructure

2023-05-18
BlackSuit_Ransomware_targets_VMware_ESXi_servers
HIGH

Intel Source:
Cyble
Intel Name:
BlackSuit_Ransomware_targets_VMware_ESXi_servers
Date of Scan:
2023-05-18
Impact:
HIGH
Summary:
Cyble researchers analyzed BlackSuit, a new ransomware with both Windows and Linux variants, the latter targeting VMware ESXi servers; it joins other groups such as Cylance and Royal that have added Linux targeting. The widespread use of Linux in server and virtualization environments makes it an appealing target, since a single attack on a hypervisor can compromise numerous systems.


Source:
https://blog.cyble.com/2023/05/12/blacksuit-ransomware-strikes-windows-and-linux-users/

2023-05-18
Joint_Cybersecurity_Advisory_on_BianLian_Ransomware_Group
MEDIUM

Intel Source:
CISA
Intel Name:
Joint_Cybersecurity_Advisory_on_BianLian_Ransomware_Group
Date of Scan:
2023-05-18
Impact:
MEDIUM
Summary:
The FBI, CISA and the Australian Cyber Security Centre (ACSC) released a joint Cybersecurity Advisory to disseminate IOCs and TTPs of the BianLian ransomware and data extortion group identified through FBI and ACSC investigations as of March 2023. BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022, as well as Australian critical infrastructure, professional services, and property development.


Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a

2023-05-18
The_Korean_VPN_installer_is_being_used_to_distribute_SparkRAT
MEDIUM

Intel Source:
ASEC
Intel Name:
The_Korean_VPN_installer_is_being_used_to_distribute_SparkRAT
Date of Scan:
2023-05-18
Impact:
MEDIUM
Summary:
AhnLab Security Emergency response Center (ASEC) has recently discovered SparkRAT being distributed within the installer of a certain VPN program. SparkRAT is a Remote Administration Tool (RAT) written in Go. Once installed on a user's system it can perform a variety of malicious actions, such as executing commands remotely, controlling files and processes, downloading additional payloads, and collecting information from the infected system, including screenshots.


Source:
https://asec.ahnlab.com/en/52899/

2023-05-18
The_attackers_used_email_security_providers_for_spreading_phishing_attacks
LOW

Intel Source:
Cofense
Intel Name:
The_attackers_used_email_security_providers_for_spreading_phishing_attacks
Date of Scan:
2023-05-18
Impact:
LOW
Summary:
Threat actors increasingly embed malicious URLs in HTML attachments, which makes them harder for Secure Email Gateways (SEGs) to block. Cofense's Phishing Defense Center analyzed a campaign that impersonates email security providers to trick recipients into submitting their credentials via a malicious HTML attachment.


Source:
https://cofense.com/blog/threat-actors-impersonate-email-security-providers-to-steal-user-credentials/

2023-05-17
Malicious_Python_Packages_via_Supply_Chain_Attacks
MEDIUM

Intel Source:
Fortinet
Intel Name:
Malicious_Python_Packages_via_Supply_Chain_Attacks
Date of Scan:
2023-05-17
Impact:
MEDIUM
Summary:
The FortiGuard Labs team discovered over 30 previously unreported malicious packages on PyPI (the Python Package Index), found between late March and late April 2023 through monitoring of the open-source ecosystem.


Source:
https://www.fortinet.com/blog/threat-research/more-supply-chain-attacks-via-malicious-python-packages?&web_view=true

2023-05-17
New_8220_Gang_Strategies
MEDIUM

Intel Source:
Trend Micro
Intel Name:
New_8220_Gang_Strategies
Date of Scan:
2023-05-17
Impact:
MEDIUM
Summary:
Trend Micro researchers documented the recent activities of the 8220 Gang, which has been active in recent months, including an attack captured by one of their honeypots that exploited the Oracle WebLogic vulnerability CVE-2017-3506. This vulnerability, with a CVSS score of 7.4, affects the WLS Security component of Oracle WebLogic Server; when exploited, it allows a remote attacker to execute arbitrary commands via an HTTP request carrying a specially crafted XML document.


Source:
https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html

2023-05-17
The_Water_Orthrus_s_New_Campaigns
MEDIUM

Intel Source:
Trend Micro
Intel Name:
The_Water_Orthrus_s_New_Campaigns
Date of Scan:
2023-05-17
Impact:
MEDIUM
Summary:
Trend Micro researchers have been monitoring the activities of a threat actor named Water Orthrus, which spread CopperStealer malware via pay-per-install (PPI) networks. In March 2023 they observed two campaigns delivering new malware they named CopperStealth (a rootkit) and CopperPhish (a phishing module). Both have characteristics close to those of CopperStealer and were likely developed by the same author, leading the researchers to believe these campaigns are Water Orthrus' new activity.


Source:
https://www.trendmicro.com/en_us/research/23/e/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html?&web_view=true

2023-05-17
Uncovering_RedStinger_new
MEDIUM

Intel Source:
Malwarebytes
Intel Name:
Uncovering_RedStinger_new
Date of Scan:
2023-05-17
Impact:
MEDIUM
Summary:
Since the war between Russia and Ukraine began in 2022, the cybersecurity landscape between the two countries has been as tense as the political one. Malwarebytes' Threat Intelligence team discovered a new lure targeting the Eastern Ukraine region, tracked the actor behind it as Red Stinger, and has now reported the finding publicly. The findings remained private for a while, but Kaspersky recently shared information about the same actor, which it calls Bad Magic.


Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger

2023-05-17
The_Lancefly_APT_group_using_Merdoor_backdoor
MEDIUM

Intel Source:
Symantec
Intel Name:
The_Lancefly_APT_group_using_Merdoor_backdoor
Date of Scan:
2023-05-17
Impact:
MEDIUM
Summary:
The Lancefly APT group is targeting organizations in South and Southeast Asia with a custom-written backdoor. Lancefly's custom malware, Merdoor, is a powerful backdoor that has existed since 2018. Recent targets are in the government, aviation, education, and telecoms sectors. Symantec researchers observed that the activity is highly targeted, with only a small number of machines infected.


Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor?web_view=true

2023-05-16
Maori_Ransomware
MEDIUM

Intel Source:
Fortinet
Intel Name:
Maori_Ransomware
Date of Scan:
2023-05-16
Impact:
MEDIUM
Summary:
FortiGuard Labs recently came across a new ransomware variant called Maori. Like other ransomware, it encrypts files on victims' machines to extort money. Notably, this variant is designed to run on Linux and is written in Go, which is somewhat rare and increases the difficulty of analysis.


Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-maori?&web_view=true

2023-05-16
Ongoing_Phishing_Campaign_uses_Meme_Filled_Code_to_Drop_XWorm_Payloads
MEDIUM

Intel Source:
Securonix
Intel Name:
Ongoing_Phishing_Campaign_uses_Meme_Filled_Code_to_Drop_XWorm_Payloads
Date of Scan:
2023-05-16
Impact:
MEDIUM
Summary:
Over the past couple of months the Securonix Threat Research team has identified and tracked an interesting, ongoing attack campaign. The campaign (tracked by Securonix as MEME#4CHAN) leverages unusual meme-filled PowerShell code followed by a heavily obfuscated XWorm payload to infect its victims. Securonix published an in-depth technical analysis of the campaign.


Source:
https://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/

2023-05-16
A_new_ransomware_variant_Rancoz
LOW

Intel Source:
Cyble
Intel Name:
A_new_ransomware_variant_Rancoz
Date of Scan:
2023-05-16
Impact:
LOW
Summary:
This month Cyble researchers observed a ransomware variant called Rancoz, first identified by the researcher @siri_urz. During the investigation they found that this ransomware overlaps with the Vice Society ransomware.


Source:
https://blog.cyble.com/2023/05/11/dissecting-rancoz-ransomware/

2023-05-16
LokiLocker_Ransomware_Distributed_in_Korea
MEDIUM

Intel Source:
ASEC
Intel Name:
LokiLocker_Ransomware_Distributed_in_Korea
Date of Scan:
2023-05-16
Impact:
MEDIUM
Summary:
AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of the LokiLocker ransomware in Korea. This ransomware is almost identical to the BlackBit ransomware, with which it shares common traits.


Source:
https://asec.ahnlab.com/en/52570/

2023-05-16
Eastern_European_APT_Cyber_Operations_Undetected_Since_2020
LOW

Intel Source:
Malwarebytes
Intel Name:
Eastern_European_APT_Cyber_Operations_Undetected_Since_2020
Date of Scan:
2023-05-16
Impact:
LOW
Summary:
Malwarebytes researchers have discovered a new and interesting lure that targeted the Eastern Ukraine region and reported the finding to the public. They also started tracking the actor behind it, which they internally codenamed Red Stinger.


Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger

2023-05-16
An_In_Depth_Look_at_Akira_Ransomware
MEDIUM

Intel Source:
Cyble
Intel Name:
An_In_Depth_Look_at_Akira_Ransomware
Date of Scan:
2023-05-16
Impact:
MEDIUM
Summary:
Cyble researchers have come across a Reddit post about a new ransomware variant named “Akira”, actively targeting numerous organizations and exposing their sensitive data. To increase the chances of payment from victims, Akira ransomware exfiltrates and encrypts their data using a double-extortion technique. The attackers then threaten to sell or leak the stolen data on the dark web if the ransom is not paid for decrypting the data.


Source:
https://blog.cyble.com/2023/05/10/unraveling-akira-ransomware/

2023-05-16
The_Aurora_stealer_via_Invalid_Printer_loader
LOW

Intel Source:
Malwarebytes
Intel Name:
The_Aurora_stealer_via_Invalid_Printer_loader
Date of Scan:
2023-05-16
Impact:
LOW
Summary:
Malwarebytes Labs shared their discovery of this malicious campaign and its connections to other attacks. They found that a threat actor was using malicious ads to redirect users to what looks like a Windows security update. The scheme looked very legitimate and closely resembled what you’d expect from Microsoft. That fake security update used a newly identified loader that, at the time of the campaign, was invisible to malware sandboxes and bypassed practically all antivirus engines. Malwarebytes Labs patched that loader and identified its actual payload as Aurora stealer.


Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/05/fake-system-update-drops-new-highly-evasive-loader

2023-05-15
A_new_undetected_variant_of_Linux_Backdoor_BPFDoor
MEDIUM

Intel Source:
Deep Instinct Blog
Intel Name:
A_new_undetected_variant_of_Linux_Backdoor_BPFDoor
Date of Scan:
2023-05-15
Impact:
MEDIUM
Summary:
BPFdoor is a Linux-specific, low-profile, passive backdoor intended to maintain a persistent, long-term foothold in already-breached networks and environments and functions primarily to ensure an attacker can re-enter an infected system over an extended period of time, post-compromise.


Source:
https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game

2023-05-14
Exploitation_of_CVE_2023_27350
LOW

Intel Source:
CISA
Intel Name:
Exploitation_of_CVE_2023_27350
Date of Scan:
2023-05-14
Impact:
LOW
Summary:
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-27350. This vulnerability occurs in certain versions of PaperCut NG and PaperCut MF and enables an unauthenticated actor to execute malicious code remotely without credentials.


Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a

2023-05-14
Analysis_of_a_evasive_Shellcode
LOW

Intel Source:
Mcafee
Intel Name:
Analysis_of_a_evasive_Shellcode
Date of Scan:
2023-05-14
Impact:
LOW
Summary:
McAfee researchers have observed NSIS-based installers delivered via email as malspam that use plugin libraries to execute the GuLoader shellcode on the victim system.


Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/guloader-campaigns-a-deep-dive-analysis-of-a-highly-evasive-shellcode-based-loader/?&web_view=true

2023-05-13
Threat_Actors_Build_ESXi_Lockers_Using_Leaked_Babuk_Code
MEDIUM

Intel Source:
Sentinelone
Intel Name:
Threat_Actors_Build_ESXi_Lockers_Using_Leaked_Babuk_Code
Date of Scan:
2023-05-13
Impact:
MEDIUM
Summary:
SentinelLabs researchers have identified unexpected connections between ESXi ransomware families, exposing likely relationships between Babuk and more illustrious operations like Conti and REvil.


Source:
https://www.sentinelone.com/labs/hypervisor-ransomware-multiple-threat-actor-groups-hop-on-leaked-babuk-code-to-build-esxi-lockers/

2023-05-13
A_cybercriminal_group_attempted_an_extortion_scheme_against_Dragos
LOW

Intel Source:
Dragos
Intel Name:
A_cybercriminal_group_attempted_an_extortion_scheme_against_Dragos
Date of Scan:
2023-05-13
Impact:
LOW
Summary:
Last week, a known cybercriminal group attempted, and failed at, an extortion scheme against Dragos. No Dragos systems were breached, including anything related to the Dragos Platform. Dragos has shared what happened during this failed extortion attempt. The cybercriminal group attempted to compromise Dragos’s information resources. The group gained access by compromising the personal email address of a new sales employee prior to their start date, and subsequently used their personal information to impersonate the Dragos employee and complete the initial steps of the employee onboarding process.


Source:
https://www.dragos.com/blog/deconstructing-a-cybersecurity-event/

2023-05-13
ASEC_Weekly_Statistics_May_1_7th_2023
LOW

Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Statistics_May_1_7th_2023
Date of Scan:
2023-05-13
Impact:
LOW
Summary:
ASEC lab researchers continuously monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. Their post shares the cases of phishing email distribution during the week from April 9th, 2023 to April 15th, 2023 and provides statistical information on each type.


Source:
https://asec.ahnlab.com/en/52488/

2023-05-12
CLR_SqlShell_malware_Attack_MS_SQL_Servers
MEDIUM

Intel Source:
ASEC
Intel Name:
CLR_SqlShell_malware_Attack_MS_SQL_Servers
Date of Scan:
2023-05-12
Impact:
MEDIUM
Summary:
ASEC analyzed the CLR SqlShell malware that is being used to target MS-SQL servers. Similar to WebShell, which can be installed on web servers, SqlShell is a malware strain that supports various features after being installed on an MS-SQL server, such as executing commands from threat actors and carrying out all sorts of malicious behavior.


Source:
https://asec.ahnlab.com/en/52479/

2023-05-12
The_Examination_of_Highly_Evasive_Shellcode_Based_Loader
LOW

Intel Source:
Mcafee
Intel Name:
The_Examination_of_Highly_Evasive_Shellcode_Based_Loader
Date of Scan:
2023-05-12
Impact:
LOW
Summary:
McAfee researchers have analyzed the GuLoader campaigns in depth and found a rise in NSIS-based installers delivered via email as malspam that use plugin libraries to execute the GuLoader shellcode on the victim system.


Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/guloader-campaigns-a-deep-dive-analysis-of-a-highly-evasive-shellcode-based-loader/

2023-05-12
DownEx_Espionage_activity_in_Central_Asia
MEDIUM

Intel Source:
Bitdefender
Intel Name:
DownEx_Espionage_activity_in_Central_Asia
Date of Scan:
2023-05-12
Impact:
MEDIUM
Summary:
Last year Bitdefender Labs researchers observed an attack on foreign government institutions in Kazakhstan. During the analysis, it was discovered that this was a highly targeted attack aimed at gaining access in order to exfiltrate data. Bitdefender Labs researchers monitored the attack and the region for a while for other similar attacks. Recently they detected another attack in Afghanistan and collected additional samples and observations.


Source:
https://www.bitdefender.com/blog/businessinsights/deep-dive-into-downex-espionage-operation-in-central-asia/

2023-05-12
An_Expansion_of_RapperBot_DDoS_Botnet_into_Cryptojacking
LOW

Intel Source:
Fortinet
Intel Name:
An_Expansion_of_RapperBot_DDoS_Botnet_into_Cryptojacking
Date of Scan:
2023-05-12
Impact:
LOW
Summary:
Fortinet researchers have analyzed new samples of the RapperBot campaign, active since January 2023. The threat actors have started venturing into cryptojacking, specifically for Intel x64 machines. Initially, they deployed and executed a separate Monero cryptominer alongside the usual RapperBot binary. But in late January 2023, they combined both functionalities into a single bot.


Source:
https://www.fortinet.com/blog/threat-research/rapperbot-ddos-botnet-expands-into-cryptojacking

2023-05-12
Malspam_Campaign_Delivering_PowerDash
LOW

Intel Source:
Cert-PL
Intel Name:
Malspam_Campaign_Delivering_PowerDash
Date of Scan:
2023-05-12
Impact:
LOW
Summary:
CERT-PL researchers have observed a malspam campaign delivering previously unseen PowerShell malware. They dubbed this malware family “PowerDash” because of the “/dash” path on the C2 server, which is used as a gateway for bots.


Source:
https://cert.pl/en/posts/2023/05/powerdash-malspam/

2023-05-10
Taking_a_Closer_Look_at_Israel_Based_BEC_Attacks
HIGH

Intel Source:
Abnormal
Intel Name:
Taking_a_Closer_Look_at_Israel_Based_BEC_Attacks
Date of Scan:
2023-05-10
Impact:
HIGH
Summary:
Researchers from Abnormal Security have discovered that an Israel-based threat group has conducted 350 BEC campaigns since February 2021, with email attacks targeting employees from 61 countries across six continents.


Source:
https://cdn2.assets-servd.host/gifted-zorilla/production/files/Exploring-the-Rise-of-Israel-Based-BEC-Attacks.pdf

2023-05-10
MitM_Phishing_Growing_and_Using_Real_Login_Process_to_Steal_Credentials
LOW

Intel Source:
Cofense
Intel Name:
MitM_Phishing_Growing_and_Using_Real_Login_Process_to_Steal_Credentials
Date of Scan:
2023-05-10
Impact:
LOW
Summary:
Cofense researchers have observed that man-in-the-middle (MitM) phishing attacks are increasing rapidly: they identified a 35% increase in volume reaching inboxes between Q1 2022 and Q1 2023; 94% of MitM credential phishing attacks reaching inboxes targeted O365 authentication; and 89% of campaigns used at least one URL redirect, with 55% using two or more.


Source:
https://cofense.com/blog/cofense-intelligence-strategic-analysis-2/

2023-05-10
Royal_Ransomware_Expands_to_Target_Linux_and_VMware_ESXi
MEDIUM

Intel Source:
PaloAlto
Intel Name:
Royal_Ransomware_Expands_to_Target_Linux_and_VMware_ESXi
Date of Scan:
2023-05-10
Impact:
MEDIUM
Summary:
PaloAlto researchers have observed that the Royal ransomware group has recently launched a variant of its encryptor malware built in the form of executable and linkable format (ELF) binary. Also, they started using the BatLoader dropper and SEO poisoning for initial access.


Source:
https://unit42.paloaltonetworks.com/royal-ransomware/

2023-05-09
SideWinder_Using_Server_Based_Polymorphism_Technique
LOW

Intel Source:
Blackberry
Intel Name:
SideWinder_Using_Server_Based_Polymorphism_Technique
Date of Scan:
2023-05-09
Impact:
LOW
Summary:
BlackBerry researchers report that the APT group SideWinder is suspected of deploying a backdoor in attacks directed against Pakistani government organizations as part of a campaign that commenced in late November 2022.


Source:
https://blogs.blackberry.com/en/2023/05/sidewinder-uses-server-side-polymorphism-to-target-pakistan

2023-05-09
AndoryuBot_Targeting_Ruckus_Wireless_Admin_Remote_Code_Execution_Vulnerability
LOW

Intel Source:
Fortinet
Intel Name:
AndoryuBot_Targeting_Ruckus_Wireless_Admin_Remote_Code_Execution_Vulnerability
Date of Scan:
2023-05-09
Impact:
LOW
Summary:
Fortinet researchers have observed a unique botnet based on the SOCKS protocol, distributed through the Ruckus vulnerability (CVE-2023-25717). It contains DDoS attack modules for different protocols and communicates with its command-and-control server using SOCKS5 proxies.


Source:
https://www.fortinet.com/blog/threat-research/andoryubot-new-botnet-campaign-targets-ruckus-wireless-admin-remote-code-execution-vulnerability-cve-2023-25717?&web_view=true

2023-05-09
IRCTC_fake_apps
LOW

Intel Source:
Quickheal
Intel Name:
IRCTC_fake_apps
Date of Scan:
2023-05-09
Impact:
LOW
Summary:
Quickheal analysts went through the recent advisory published by the Indian Railway Catering and Tourism Corporation (IRCTC) about fake IRCTC apps. The fake IRCTC app pretends to be the real IRCTC app but is in reality full-fledged spyware that spies on victims with ease.


Source:
https://blogs.quickheal.com/beware-fake-applications-are-disguised-as-legitimate-ones/

2023-05-09
Microsoft_Phish_Redirects_Victims_to_Catering_Voice_Recording
LOW

Intel Source:
Cofense
Intel Name:
Microsoft_Phish_Redirects_Victims_to_Catering_Voice_Recording
Date of Scan:
2023-05-09
Impact:
LOW
Summary:
Cofense researchers have observed credential phishing campaigns that use a novel deception technique, luring unsuspecting users into a false sense of security after they’ve given away their Microsoft login information.


Source:
https://cofense.com/blog/the-art-of-deception-microsoft-phish-redirects-victims-to-a-catering-voice-recording/

2023-05-08
New_Web_Injection_Toolkit_DrIBAN_Targeting_Italian_Corporate_Banking_Clients
MEDIUM

Intel Source:
Cleafy
Intel Name:
New_Web_Injection_Toolkit_DrIBAN_Targeting_Italian_Corporate_Banking_Clients
Date of Scan:
2023-05-08
Impact:
MEDIUM
Summary:
Researchers from Cleafy have observed that Italian corporate banking clients are the target of an ongoing financial fraud campaign that has been leveraging a new web-inject toolkit called drIBAN since at least 2019.


Source:
https://www.cleafy.com/cleafy-labs/uncovering-driban-fraud-operations-chapter1

2023-05-08
SmokeLoader_and_RoarBAT_Malware_Attacks_Against_Ukraine
MEDIUM

Intel Source:
CERT-UA
Intel Name:
SmokeLoader_and_RoarBAT_Malware_Attacks_Against_Ukraine
Date of Scan:
2023-05-08
Impact:
MEDIUM
Summary:
CERT-UA researchers have identified an ongoing phishing campaign with invoice-themed lures being used to distribute the SmokeLoader malware in the form of a polyglot file.


Source:
https://cert.gov.ua/article/4555802

2023-05-08
New_MultiStage_Attack_and_Malware_Distribution_of_Amadey
LOW

Intel Source:
Mcafee
Intel Name:
New_MultiStage_Attack_and_Malware_Distribution_of_Amadey
Date of Scan:
2023-05-08
Impact:
LOW
Summary:
McAfee Labs researchers have identified an increase in Wextract.exe samples that drop a malware payload in multiple stages.


Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/deconstructing-amadeys-latest-multi-stage-attack-and-malware-distribution/

2023-05-08
RecordBreaker_Stealer_Distributed_by_YouTube_Accounts
LOW

Intel Source:
ASEC
Intel Name:
RecordBreaker_Stealer_Distributed_by_YouTube_Accounts
Date of Scan:
2023-05-08
Impact:
LOW
Summary:
AhnLab Security Emergency response Center (ASEC) has analyzed and confirmed the distribution of RecordBreaker through a YouTube account that is assumed to have been recently hacked. RecordBreaker is a new Infostealer version of Raccoon Stealer. It disguises itself as a software installer, similar to CryptBot, RedLine, and Vidar.


Source:
https://asec.ahnlab.com/en/52072/

2023-05-08
An_Increase_in_SHTML_Phishing_Attacks
MEDIUM

Intel Source:
Mcafee
Intel Name:
An_Increase_in_SHTML_Phishing_Attacks
Date of Scan:
2023-05-08
Impact:
MEDIUM
Summary:
McAfee researchers have observed a new wave of phishing attacks. In this wave, the attacker has been abusing server-parsed HTML (SHTML) files. The SHTML files are commonly associated with web servers redirecting users to malicious, credential-stealing websites or displaying phishing forms locally within the browser to harvest user-sensitive information.


Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shtml-phishing-attack-with-blurred-image/

2023-05-08
SideCopy_Group_Delivering_Malware_via_Phishing_Emails
LOW

Intel Source:
Fortinet
Intel Name:
SideCopy_Group_Delivering_Malware_via_Phishing_Emails
Date of Scan:
2023-05-08
Impact:
LOW
Summary:
Fortinet researchers have identified a file that referenced an Indian state military research organization and an in-development nuclear missile. The file is meant to deploy malware with characteristics matching the APT group SideCopy. With activities dating back to at least 2019, this group has aligned its targeting with the goals and objectives of the Pakistani government.


Source:
https://www.fortinet.com/blog/threat-research/clean-rooms-nuclear-missiles-and-sidecopy

2023-05-08
US_Job_Services_Leaks_Customer_Data
LOW

Intel Source:
KrebsonSecurity
Intel Name:
US_Job_Services_Leaks_Customer_Data
Date of Scan:
2023-05-08
Impact:
LOW
Summary:
Researchers from KrebsOnSecurity have identified a huge tranche of full credit card records exposed online; at first glance, the domain names involved appeared to be affiliated with the United States Postal Service.


Source:
https://krebsonsecurity.com/2023/05/promising-jobs-at-the-u-s-postal-service-us-job-services-leaks-customer-data/?replytocom=583725

2023-05-08
Phishing_Sites_Spreading_RAT_Called_DarkWatchMan
LOW

Intel Source:
Cyble
Intel Name:
Phishing_Sites_Spreading_RAT_Called_DarkWatchMan
Date of Scan:
2023-05-08
Impact:
LOW
Summary:
Cyble researchers have identified a phishing website that imitated a renowned Russian website, CryptoPro CSP. TAs are using this website to distribute the DarkWatchman malware.


Source:
https://blog.cyble.com/2023/05/05/sophisticated-darkwatchman-rat-spreads-through-phishing-sites/

2023-05-07
Multiple_Malware_Targeting_Business_Users
LOW

Intel Source:
Meta
Intel Name:
Multiple_Malware_Targeting_Business_Users
Date of Scan:
2023-05-07
Impact:
LOW
Summary:
Researchers from Meta have analyzed the persistent malware campaigns targeting businesses across the internet, including threat indicators to help raise the industry’s collective defenses across the internet.


Source:
https://engineering.fb.com/2023/05/03/security/malware-nodestealer-ducktail/

2023-05-07
New_KEKW_Malware_Variant_Detected_in_PyPI_Packages
LOW

Intel Source:
Cyble
Intel Name:
New_KEKW_Malware_Variant_Detected_in_PyPI_Packages
Date of Scan:
2023-05-07
Impact:
LOW
Summary:
Cyble researchers have uncovered multiple malicious Python .whl (Wheel) files that are found to be distributing a new malware named ‘KEKW’. KEKW malware can steal sensitive information from infected systems, as well as perform clipper activities which can lead to the hijacking of cryptocurrency transactions.


Source:
https://blog.cyble.com/2023/05/03/new-kekw-malware-variant-identified-in-pypi-package-distribution/

2023-05-07
Mustang_Panda_New_Campaign_Against_Australia
LOW

Intel Source:
Lab52
Intel Name:
Mustang_Panda_New_Campaign_Against_Australia
Date of Scan:
2023-05-07
Impact:
LOW
Summary:
Lab52 researchers have found a zip file named Biography of Senator the Hon Don Farrell.zip. Hon Don Farrell is the current Australian Secretary of State for Trade and Tourism, indicating a targeted campaign against Australia.


Source:
https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/

2023-05-07
The_Analysis_of_CrossLock_Ransomware
LOW

Intel Source:
Netskope
Intel Name:
The_Analysis_of_CrossLock_Ransomware
Date of Scan:
2023-05-07
Impact:
LOW
Summary:
Netskope researchers have identified a new ransomware named CrossLock. It emerged in April 2023, targeting a large digital certifier company in Brazil. This ransomware was written in Go, which has also been adopted by other ransomware groups, including Hive, due to the cross-platform capabilities offered by the language.


Source:
https://www.netskope.com/blog/netskope-threat-coverage-crosslock-ransomware

2023-05-07
DLL_sideloading_Attacks_Gain_New_Air_With_a_Doubled_Dragon_Breath
LOW

Intel Source:
Sophos
Intel Name:
DLL_sideloading_Attacks_Gain_New_Air_With_a_Doubled_Dragon_Breath
Date of Scan:
2023-05-07
Impact:
LOW
Summary:
Sophos researchers have spotted malicious DLL sideloading activity that builds on the classic sideloading scenario but adds complexity and layers to its execution.


Source:
https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/

2023-05-06
The_Second_Variant_of_Atomic_Stealer_macOS_Malware
LOW

Intel Source:
SentinelOne
Intel Name:
The_Second_Variant_of_Atomic_Stealer_macOS_Malware
Date of Scan:
2023-05-06
Impact:
LOW
Summary:
SentinelOne researchers report that the threat actor has been busy looking for other ways to target macOS users with a different version of Atomic Stealer. Their post takes a closer look at how Atomic Stealer works and describes a previously unreported second variant. It also provides a comprehensive list of indicators to aid threat hunters and security teams defending macOS endpoints.


Source:
https://www.sentinelone.com/blog/atomic-stealer-threat-actor-spawns-second-variant-of-macos-malware-sold-on-telegram/

2023-05-06
BlackBit_Ransomware
MEDIUM

Intel Source:
Cyble
Intel Name:
BlackBit_Ransomware
Date of Scan:
2023-05-06
Impact:
MEDIUM
Summary:
AhnLab shared their analysis of the BlackBit ransomware being distributed in Korea. BlackBit ransomware is a LokiLocker ransomware variant based on the RaaS model. The source code of BlackBit shows the ransomware is a copy of LokiLocker with some changes such as icons, name, and color scheme. BlackBit ransomware is sophisticated, with several capabilities to establish persistence, evade defenses, and impair recovery.


Source:
https://blog.cyble.com/2023/05/03/blackbit-ransomware-a-threat-from-the-shadows-of-lokilocker/

2023-05-06
Raspberry_Robin_USB_malware_campaign
LOW

Intel Source:
Bushidotoken
Intel Name:
Raspberry_Robin_USB_malware_campaign
Date of Scan:
2023-05-06
Impact:
LOW
Summary:
The BushidoToken blog shares the technical details of this malware and analyses how it runs, the commands it executes, the processes it uses, and what its C2 communications look like.


Source:
https://blog.bushidotoken.net/2023/05/raspberry-robin-global-usb-malware.html

2023-05-06
Infostealer_Embedded_in_a_Word_Document
LOW

Intel Source:
ISC.SANS
Intel Name:
Infostealer_Embedded_in_a_Word_Document
Date of Scan:
2023-05-06
Impact:
LOW
Summary:
Researchers from SANS have analyzed a malicious Word document that carries an infostealer as an embedded object.


Source:
https://isc.sans.edu/diary/Infostealer+Embedded+in+a+Word+Document/29810/

2023-05-06
Kimsuky_New_Global_Campaign
MEDIUM

Intel Source:
SentinelOne
Intel Name:
Kimsuky_New_Global_Campaign
Date of Scan:
2023-05-06
Impact:
MEDIUM
Summary:
SentinelLabs has observed ongoing attacks from Kimsuky, a North Korean state-sponsored APT that has a long history of targeting organizations across Asia, North America, and Europe. Ongoing campaigns use a new malware component called ReconShark, which is delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros. ReconShark operates as a reconnaissance tool with unique execution instructions and server communication methods. Recent activity has been linked to a broader set of activity attributed to North Korea.


Source:
https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/

2023-05-05
Malware_IcedID_information_stealer_configuration_analyses
LOW

Intel Source:
PaloAlto
Intel Name:
Malware_IcedID_information_stealer_configuration_analyses
Date of Scan:
2023-05-05
Impact:
LOW
Summary:
Palo Alto researchers shared an example of an IcedID malware (information stealer) configuration, how it was obfuscated, and how they extracted it. The post walks through one IcedID binary and how its configuration is encrypted.


Source:
https://unit42.paloaltonetworks.com/teasing-secrets-malware-configuration-parsing/

2023-05-05
Destructive_cyberattack_UAC_0165_on_the_public_sector_of_Ukraine_using_RoarBat
MEDIUM

Intel Source:
CERT-UA
Intel Name:
Destructive_cyberattack_UAC_0165_on_the_public_sector_of_Ukraine_using_RoarBat
Date of Scan:
2023-05-05
Impact:
MEDIUM
Summary:
Upon receiving information about interference in the information and communication system (ICS) of one of the state organizations of Ukraine, measures to investigate a cyber attack were initiated. It was found that the performance of electronic computing machines (server equipment, automated user workstations, data storage systems) was impaired as a result of the destructive influence carried out using the appropriate software.


Source:
https://cert.gov.ua/article/4501891

2023-05-05
Vidar_Infostealer_targeted_a_Polish_Healthcare_Industry
LOW

Intel Source:
Eclecticiq
Intel Name:
Vidar_Infostealer_targeted_a_Polish_Healthcare_Industry
Date of Scan:
2023-05-05
Impact:
LOW
Summary:
EclecticIQ researchers have observed a spearphishing email targeting the healthcare industry in Poland. The spoofed email appeared to be sent from a Polish government entity and contained a malicious Microsoft Excel XLL attachment that can download and execute the Vidar Infostealer malware.


Source:
https://blog.eclecticiq.com/polish-healthcare-industry-targeted-by-vidar-infostealer-likely-linked-to-djvu-ransomware

2023-05-04
North_Korean_Group_ScarCruft_Deploying_RokRAT_Malware
LOW

Intel Source:
Checkpoint
Intel Name:
North_Korean_Group_ScarCruft_Deploying_RokRAT_Malware
Date of Scan:
2023-05-04
Impact:
LOW
Summary:
Checkpoint researchers have identified that the North Korean threat actor known as ScarCruft started experimenting with oversized LNK files as a delivery route for RokRAT malware as early as July 2022, the same month Microsoft began blocking macros across Office documents by default.


Source:
https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/

2023-05-04
The_Investigation_of_BRAINSTORM_and_RILIDE
LOW

Intel Source:
Mandiant
Intel Name:
The_Investigation_of_BRAINSTORM_and_RILIDE
Date of Scan:
2023-05-04
Impact:
LOW
Summary:
Mandiant researchers have identified BRAINSTORM, a Rust-based dropper, which ultimately led to RILIDE, a Chromium-based extension first publicly reported by SpiderLabs. After careful investigation, they identified that the email and cryptocurrency theft ecosystem of RILIDE is larger than previously reported.


Source:
https://www.mandiant.com/resources/blog/lnk-between-browsers

2023-05-04
Earth_Longzhi_is_Back_With_New_Technique
LOW

Intel Source:
TrendMicro
Intel Name:
Earth_Longzhi_is_Back_With_New_Technique
Date of Scan:
2023-05-04
Impact:
LOW
Summary:
TrendMicro researchers have discovered a new campaign by Earth Longzhi that is targeting organizations based in Taiwan, Thailand, the Philippines, and Fiji. The recent campaign, which follows months of dormancy, abuses a Windows Defender executable to perform DLL sideloading while also exploiting a vulnerable driver, zamguard64.sys, to disable security products installed on the hosts via a bring-your-own-vulnerable-driver (BYOVD) attack.


Source:
https://www.trendmicro.com/en_us/research/23/e/attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html

2023-05-03
Internet_Threats_Are_Impersonating_Common_Industries_via_Phishing_Attacks_Web_Skimmer_Analysis_and_Many_More
LOW

Intel Source:
PaloAlto
Intel Name:
Internet_Threats_Are_Impersonating_Common_Industries_via_Phishing_Attacks_Web_Skimmer_Analysis_and_Many_More
Date of Scan:
2023-05-03
Impact:
LOW
Summary:
PaloAlto researchers have observed the internet threat landscape and analyzed malicious URL distribution, geolocation, category analysis, and statistics describing attempted malware attacks. Also, this includes industry sectors being targeted for spoofing in phishing pages, as well as downloaded malware statistics, injected JavaScript malware analysis, and malicious DNS analysis.


Source:
https://unit42.paloaltonetworks.com/internet-threats-late-2022/

2023-05-03
CoinMiner_Distributing_to_Linux_SSH_Servers
LOW

Intel Source:
ASEC
Intel Name:
CoinMiner_Distributing_to_Linux_SSH_Servers
Date of Scan:
2023-05-03
Impact:
LOW
Summary:
ASEC researchers have discovered XMRig CoinMiner being installed on poorly managed Linux SSH servers. The attacks have followed a distinct pattern since 2022; they involve the use of malware built with Shell Script Compiler to install XMRig, as well as the creation of a backdoor SSH account.


Source:
https://asec.ahnlab.com/en/51908/

2023-05-03
Diving_Deep_into_BlackByte_Ransomware
LOW

Intel Source:
SocRadar
Intel Name:
Diving_Deep_into_BlackByte_Ransomware
Date of Scan:
2023-05-03
Impact:
LOW
Summary:
Researchers from SOCRadar have analyzed the BlackByte ransomware. It is a ransomware operation that began targeting corporate victims worldwide in July 2021. The first findings regarding the group emerged after victims sought help decrypting their files.


Source:
https://socradar.io/dark-web-profile-blackbyte-ransomware/

2023-05-03
Russian_APT_Hacked_Tajikistani_Carrier_to_Spy_on_Government_and_Public_Services
MEDIUM

Intel Source:
Prodaft
Intel Name:
Russian_APT_Hacked_Tajikistani_Carrier_to_Spy_on_Government_and_Public_Services
Date of Scan:
2023-05-03
Impact:
MEDIUM
Summary:
Researchers from Prodaft have observed a Russian espionage group tracked as Nomadic Octopus spying on Tajikistan’s high-ranking government officials, public service infrastructures, and telecoms services, likely by infiltrating a mobile phone carrier.


Source:
https://www.prodaft.com/m/reports/PAPERBUG_TLPWHITE-1.pdf

2023-05-03
Malware_Families_Leveraging_AresLoader_for_Distribution
LOW

Intel Source:
Cyble
Intel Name:
Malware_Families_Leveraging_AresLoader_for_Distribution
Date of Scan:
2023-05-03
Impact:
LOW
Summary:
Cyble researchers have observed a new loader called AresLoader that is used to spread several types of malware families. It is a loader malware written in the C programming language that first emerged in cybercrime forums and Telegram channels in 2022.


Source:
https://blog.cyble.com/2023/04/28/citrix-users-at-risk-aresloader-spreading-through-disguised-gitlab-repo/

2023-05-01
The_Overview_of_UNIZA_Ransomware
LOW

Intel Source:
Fortinet
Intel Name:
The_Overview_of_UNIZA_Ransomware
Date of Scan:
2023-05-01
Impact:
LOW
Summary:
Fortinet researchers have discovered a new ransomware variant called UNIZA. Like other ransomware variants, it encrypts files on victims’ machines. It uses the Command Prompt (cmd.exe) window to display its ransom message, and interestingly, it does not append an extension to the filenames of the files it encrypts, making it more difficult to determine which files have been impacted.


Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-uniza-coverage

2023-05-01
The_Unstoppable_Malverposting_Continues
LOW

Intel Source:
Guardio
Intel Name:
The_Unstoppable_Malverposting_Continues
Date of Scan:
2023-05-01
Impact:
LOW
Summary:
In this post Guardio researchers shared the huge numbers of IOC detections of malverposting, along with a very detailed analysis of one campaign that uses adult-rated clickbait to deliver sophisticated malware, making it even harder to detect and too easy to mass propagate.


Source:
https://labs.guard.io/malverposting-with-over-500k-estimated-infections-facebook-ads-fuel-this-evolving-stealer-54b03d24b349

2023-05-01
Ransomware_Family_Rapture_is_Similar_to_Paradise
MEDIUM

Intel Source:
TrendMicro
Intel Name:
Ransomware_Family_Rapture_is_Similar_to_Paradise
Date of Scan:
2023-05-01
Impact:
MEDIUM
Summary:
TrendMicro researchers have observed a type of ransomware targeting its victims via a minimalistic approach with tools that leave only a minimal footprint behind. The findings revealed many of the preparations made by the perpetrators and how quickly they managed to carry out the ransomware attack.


Source:
https://www.trendmicro.com/en_us/research/23/d/rapture-a-ransomware-family-with-similarities-to-paradise.html

2023-05-01
Threat_Actors_Leveraging_SEO_Poisoning
LOW

Intel Source:
Trellix
Intel Name:
Threat_Actors_Leveraging_SEO_Poisoning
Date of Scan:
2023-05-01
Impact:
LOW
Summary:
Trellix researchers have identified that hackers continue to innovate their techniques to infect victims, with SEO poisoning being one of the recent trends.


Source:
https://www.trellix.com/en-us/about/newsroom/stories/research/no-more-macros-better-watch-your-search-results.html

2023-05-01
A_malicious_Mitiga_document
LOW
+

Intel Source:
Mitiga
Intel Name:
A_malicious_Mitiga_document
Date of Scan:
2023-05-01
Impact:
LOW
Summary:
Last January, an attacker uploaded a malicious .docx file to Virus Total. He used several of Mitiga’s publicly available branding elements which included logo, fonts and colors, to lend credibility to the document.


Source:
https://www.mitiga.io/blog/mitiga-advisory-virus-total

2023-05-01
ASEC_Weekly_Phishing_Email_analyses_April_9_15th_2023
LOW
+

Intel Name:
ASEC_Weekly_Phishing_Email_analyses_April_9_15th_2023
Date of Scan:
2023-05-01
Impact:
LOW
Summary:
ASEC lab researchers continuously monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. Their post shares the cases of distribution of phishing emails during the week from April 9th, 2023 to April 15th, 2023 and provides statistical information on each type.


Source:
https://asec.ahnlab.com/en/51821/

2023-05-01
New_LOBSHOT_Malware_Deploying_Via_Google_Ads
LOW
+

Intel Source:
Elastic
Intel Name:
New_LOBSHOT_Malware_Deploying_Via_Google_Ads
Date of Scan:
2023-05-01
Impact:
LOW
Summary:
Researchers from Elastic Security Labs have observed one malware family called LOBSHOT. It continues to collect victims while remaining undetected. Also, the infrastructure belongs to TA505, the well-known cybercriminal group associated with Dridex, Locky, and Necurs campaigns.


Source:
https://www.elastic.co/security-labs/elastic-security-labs-discovers-lobshot-malware

2023-05-01
ASEC_Weekly_Malware_Statistics
LOW
+

Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Malware_Statistics
Date of Scan:
2023-05-01
Impact:
LOW
Summary:
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 21st, 2022 (Monday) to November 27th (Sunday).


Source:
https://asec.ahnlab.com/en/43255/

2023-04-30
An_Ongoing_Magecart_Campaign
LOW
+

Intel Source:
Malwarebytes
Intel Name:
An_Ongoing_Magecart_Campaign
Date of Scan:
2023-04-30
Impact:
LOW
Summary:
Malwarebytes researchers have identified an ongoing Magecart campaign that is leveraging realistic-looking fake payment screens to capture sensitive data entered by unsuspecting users.


Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/04/kritec-art

2023-04-30
Hackers_From_APT28_Group_Distributing_Emails_With_Instructions_on_Updating_OS
MEDIUM
+

Intel Source:
CERT-UA
Intel Name:
Hackers_From_APT28_Group_Distributing_Emails_With_Instructions_on_Updating_OS
Date of Scan:
2023-04-30
Impact:
MEDIUM
Summary:
CERT-UA researchers have observed the distribution of emails with subject “Windows Update”, allegedly sent on behalf of system administrators of departments. At the same time, senders’ email addresses created on the @outlook.com public service can be formed using the real name and initials of the employee.


Source:
https://cert.gov.ua/article/4492467

2023-04-27
RTM_Locker_Ransomware_as_a_Service_Now_Suits_Linux_Architecture
LOW
+

Intel Source:
Uptycs
Intel Name:
RTM_Locker_Ransomware_as_a_Service_Now_Suits_Linux_Architecture
Date of Scan:
2023-04-27
Impact:
LOW
Summary:
Uptycs researchers have discovered a new ransomware binary attributed to the RTM group, a known ransomware-as-a-service (RaaS) provider. This is the first time the group has created a Linux binary. Its locker ransomware infects Linux, NAS, and ESXi hosts and appears to be inspired by Babuk ransomware’s leaked source code.


Source:
https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux

2023-04-27
PingPull_Malware_is_Updated_by_Chinese_Alloy_Taurus
LOW
+

Intel Source:
PaloAlto
Intel Name:
PingPull_Malware_is_Updated_by_Chinese_Alloy_Taurus
Date of Scan:
2023-04-27
Impact:
LOW
Summary:
Unit 42 researchers have identified a new variant of PingPull malware used by Alloy Taurus actors designed to target Linux systems. While following the infrastructure leveraged by the actor for this PingPull variant, we also identified their use of another backdoor we track as Sword2033.


Source:
https://unit42.paloaltonetworks.com/alloy-taurus/

2023-04-27
TrafficStealer_Abusing_Open_Container_APIs
LOW
+

Intel Source:
TrendMicro
Intel Name:
TrafficStealer_Abusing_Open_Container_APIs
Date of Scan:
2023-04-27
Impact:
LOW
Summary:
Researchers from TrendMicro have discovered a different type of attack: a piece of software that leverages Docker containers to generate money through monetized traffic. Although the piece of software itself appears to be legitimate, it likely has compromised components that result in it being monitored as a potentially unwanted application.


Source:
https://www.trendmicro.com/en_us/research/23/d/attackers-use-containers-for-profit-via-trafficstealer.html

2023-04-27
The_BellaCiao_Malware_of_Iran
MEDIUM
+

Intel Source:
Bitdefender
Intel Name:
The_BellaCiao_Malware_of_Iran
Date of Scan:
2023-04-27
Impact:
MEDIUM
Summary:
BitDefender researchers have observed the modernization of Charming Kitten’s tactics, techniques, and procedures, including a new, previously unseen malware. This malware is tailored to suit individual targets and exhibits a higher level of complexity, evidenced by a unique communication approach with its command-and-control (C2) infrastructure.


Source:
https://businessinsights.bitdefender.com/unpacking-bellaciao-a-closer-look-at-irans-latest-malware

2023-04-27
Hackers_Selling_New_Atomic_macOS_Stealer_on_Telegram
LOW
+

Intel Source:
Cyble
Intel Name:
Hackers_Selling_New_Atomic_macOS_Stealer_on_Telegram
Date of Scan:
2023-04-27
Impact:
LOW
Summary:
Cyble researchers have discovered a Telegram channel advertising a new information-stealing malware called Atomic macOS Stealer (AMOS). The malware is specifically designed to target macOS and can steal sensitive information from the victim’s machine.


Source:
https://blog.cyble.com/2023/04/26/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/

2023-04-27
The_Exploiting_of_Kubernetes_RBAC_by_attackers
LOW
+

Intel Source:
Aqua
Intel Name:
The_Exploiting_of_Kubernetes_RBAC_by_attackers
Date of Scan:
2023-04-27
Impact:
LOW
Summary:
Aqua researchers have observed new evidence that attackers are exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) in the wild to create backdoors. The attackers also tried to launch DaemonSets to take control and seize resources of the K8s clusters they attack. Aqua’s analysis suggests that this campaign is actively targeting at least 60 clusters in the wild.


Source:
https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters

2023-04-27
APT_Group_Panda_Delivering_Malware_via_Software_Updates
HIGH
+

Intel Source:
Welivesecurity
Intel Name:
APT_Group_Panda_Delivering_Malware_via_Software_Updates
Date of Scan:
2023-04-27
Impact:
HIGH
Summary:
ESET researchers discovered a new campaign by the APT group known as Evasive Panda targeting an international NGO in China with malware delivered through updates of popular Chinese software.


Source:
https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/

2023-04-27
PaperCut_actively_exploited_in_the_Wild
MEDIUM
+

Intel Source:
Cyble
Intel Name:
PaperCut_actively_exploited_in_the_Wild
Date of Scan:
2023-04-27
Impact:
MEDIUM
Summary:
Earlier this month, PaperCut shared a security alert stating that they have evidence that unpatched servers are being exploited in the wild. A Russian hacker is suspected of exploiting the PaperCut vulnerability. The advisories provided by vendors shared insights into the two CVEs: CVE-2023-27350 (Severity: Critical) and CVE-2023-27351 (Severity: High). Cyble researchers shared their details for the same in their post.


Source:
https://blog.cyble.com/2023/04/25/print-management-software-papercut-actively-exploited-in-the-wild/

2023-04-27
Raccoon_and_Vidar_Stealers_Spreading_Fake_Cracked_new
MEDIUM
+

Intel Source:
Sekoia
Intel Name:
Raccoon_and_Vidar_Stealers_Spreading_Fake_Cracked_new
Date of Scan:
2023-04-27
Impact:
MEDIUM
Summary:
Sekoia researchers have identified the infection chain that is using about a hundred fake cracked software catalog websites that redirect to several links before downloading the payload hosted on file share platforms, such as GitHub.


Source:
https://blog.sekoia.io/unveiling-of-a-large-resilient-infrastructure-distributing-information-stealers/

2023-04-26
Tonto_Team_Using_Anti_Malware_Related_Files_for_DLL_Side_Loading
LOW
+

Intel Source:
ASEC
Intel Name:
Tonto_Team_Using_Anti_Malware_Related_Files_for_DLL_Side_Loading
Date of Scan:
2023-04-26
Impact:
LOW
Summary:
Researchers from ASEC have identified that the Tonto Team threat group is targeting mainly Asian countries and has been distributing Bisonal malware.


Source:
https://asec.ahnlab.com/en/51746/

2023-04-26
Phishing_Attack_Increasing_in_Singapore_for_Tax_Portal
LOW
+

Intel Source:
ISC.SANS
Intel Name:
Phishing_Attack_Increasing_in_Singapore_for_Tax_Portal
Date of Scan:
2023-04-26
Impact:
LOW
Summary:
Researchers from SANS have identified an IRAS phishing website that looks legitimate; this website asks users to input their Singapore Personal Access (Singpass) credentials, which are used to access government and private services (such as banking) in Singapore.


Source:
https://isc.sans.edu/diary/Strolling+through+Cyberspace+and+Hunting+for+Phishing+Sites/29780/

2023-04-26
RokRAT_Malware_Distributing_Through_LNK_Files
LOW
+

Intel Source:
ASEC
Intel Name:
RokRAT_Malware_Distributing_Through_LNK_Files
Date of Scan:
2023-04-26
Impact:
LOW
Summary:
ASEC researchers have observed that the RedEyes threat group (also known as APT37, ScarCruft), which distributed CHM Malware Disguised as Security Email from a Korean Financial Company last month, has also recently distributed the RokRAT malware through LNK files.


Source:
https://asec.ahnlab.com/en/51751/

2023-04-26
Finding_Decoy_Dog_Toolkit_via_Anomalous_DNS_Traffic
LOW
+

Intel Source:
Infoblox
Intel Name:
Finding_Decoy_Dog_Toolkit_via_Anomalous_DNS_Traffic
Date of Scan:
2023-04-26
Impact:
LOW
Summary:
Researchers from Infoblox have identified a new malware toolkit named Decoy Dog that allows attackers to avoid standard detection techniques and target enterprises. It uses DNS query dribbling and strategic domain aging techniques to bypass security checks.


Source:
https://blogs.infoblox.com/cyber-threat-intelligence/cyber-threat-advisory/dog-hunt-finding-decoy-dog-toolkit-via-anomalous-dns-traffic/

2023-04-26
New_the_Mirai_botnet_exploit
MEDIUM
+

Intel Source:
Zero Day Initiative (ZDI)
Intel Name:
New_the_Mirai_botnet_exploit
Date of Scan:
2023-04-26
Impact:
MEDIUM
Summary:
The Zero Day Initiative threat-hunting team recently discovered new exploit attempts in Eastern Europe showing that the Mirai botnet has been updated to exploit CVE-2023-1389, known as ZDI-CAN-19557/ZDI-23-451. This vulnerability in the TP-Link Archer AX21 Wi-Fi router was originally disclosed to ZDI during the Pwn2Own Toronto event, where it was used by Team Viettel in their LAN-side entry against the TP-Link device and by Qrious Security in their WAN-side entry.


Source:
https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal

2023-04-25
New_Findings_of_Educated_Manticore
MEDIUM
+

Intel Source:
Checkpoint
Intel Name:
New_Findings_of_Educated_Manticore
Date of Scan:
2023-04-25
Impact:
MEDIUM
Summary:
Researchers from Checkpoint have revealed new findings on an activity cluster closely related to Phosphorus. It presents a new and improved infection chain leading to the deployment of a new version of PowerLess. This implant was attributed in the past to Phosphorus, an Iran-affiliated threat group operating in the Middle East and North America.


Source:
https://research.checkpoint.com/2023/educated-manticore-iran-aligned-threat-actor-targeting-israel-via-improved-arsenal-of-tools/

2023-04-25
The_Analysis_of_Tomiris_Group
LOW
+

Intel Source:
Securelist
Intel Name:
The_Analysis_of_Tomiris_Group
Date of Scan:
2023-04-25
Impact:
LOW
Summary:
Securelist researchers have continued to track Tomiris as a separate threat actor over three new attack campaigns between 2021 and 2023 and it is targeting government and diplomatic entities in the CIS.


Source:
https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/

2023-04-25
Repurposing_Package_Name_on_PyPI_to_Push_Malware
LOW
+

Intel Source:
ReversingLabs
Intel Name:
Repurposing_Package_Name_on_PyPI_to_Push_Malware
Date of Scan:
2023-04-25
Impact:
LOW
Summary:
Researchers from ReversingLabs have observed a malicious package on the Python Package Index (PyPI) named termcolour, a three-stage downloader published in multiple versions.


Source:
https://www.reversinglabs.com/blog/package-names-repurposed-to-push-malware-on-pypi

2023-04-25
After_15_Years_release_Open_Source_Gh0st_RAT_still_Haunting_Inboxes
LOW
+

Intel Source:
Cofense
Intel Name:
After_15_Years_release_Open_Source_Gh0st_RAT_still_Haunting_Inboxes
Date of Scan:
2023-04-25
Impact:
LOW
Summary:
Cofense Intelligence Unit discovered Gh0st RAT, an old open-source RAT, targeting a healthcare organization. Gh0st RAT was created by a Chinese hacking group named C. The public release of the Gh0st RAT source code made it easy for threat actors to manipulate victims. Its information-stealing capabilities include taking full control of the infected machine, recording keystrokes in real time with offline logging available, accessing live webcam feeds including microphone recording, downloading files remotely, remote shutdown and reboot, and disabling user input.


Source:
https://cofense.com/blog/open-source-gh0st-rat-still-haunting-inboxes-15-years-after-release/

2023-04-24
New_OCX_HARVESTER_Attack_Campaign_Using_Modernized_More_Eggs_Suite
MEDIUM
+

Intel Source:
Securonix Threat Labs
Intel Name:
New_OCX_HARVESTER_Attack_Campaign_Using_Modernized_More_Eggs_Suite
Date of Scan:
2023-04-24
Impact:
MEDIUM
Summary:
Securonix Threat Labs researchers have observed a new attack campaign tracked as OCX#HARVESTER. Some of the malicious payloads leveraged as part of the attack campaign observed appear to be related to the More_eggs malicious payloads reported earlier.


Source:
https://www.securonix.com/blog/threat-labs-security-advisory-new-ocxharvester-attack-campaign-leverages-modernized-more_eggs-suite/

2023-04-24
Zero_Day_Vulnerabilities_in_PaperCut_Print_Management_Software
LOW
+

Intel Source:
Huntress
Intel Name:
Zero_Day_Vulnerabilities_in_PaperCut_Print_Management_Software
Date of Scan:
2023-04-24
Impact:
LOW
Summary:
Researchers from Huntress have tracked the exploitation of zero-day vulnerabilities against PaperCut MF/NG which allow for unauthenticated remote code execution due to an authentication bypass.


Source:
https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software

2023-04-24
ViperSoftX_Encryption_Updates
LOW
+

Intel Source:
TrendMicro
Intel Name:
ViperSoftX_Encryption_Updates
Date of Scan:
2023-04-24
Impact:
LOW
Summary:
TrendMicro researchers have observed cryptocurrency and information stealer ViperSoftX evading initial loader detection and making its lure more believable by making the initial package loader via cracks, keygens, activators, and packers non-malicious.


Source:
https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html

2023-04-24
X_Trader_Supply_Chain_Attack_Affecting_Critical_Infrastructure_Organizations_in_US_and_Europe
MEDIUM
+

Intel Source:
Symantec
Intel Name:
X_Trader_Supply_Chain_Attack_Affecting_Critical_Infrastructure_Organizations_in_US_and_Europe
Date of Scan:
2023-04-24
Impact:
MEDIUM
Summary:
Researchers from Symantec have identified that North Korean-linked operations affected more organizations beyond 3CX, including two critical infrastructure organizations in the energy sector.


Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain

2023-04-24
The_QakBot_Malware_Continues_to_Evolve
LOW
+

Intel Source:
Cyble
Intel Name:
The_QakBot_Malware_Continues_to_Evolve
Date of Scan:
2023-04-24
Impact:
LOW
Summary:
Cyble Research Intelligence Labs have observed that several malware families, such as AsyncRAT, QuasarRAT, DCRAT, etc., have been found using OneNote attachments as part of their tactics. In February 2023, the well-known malware, Qakbot, started using OneNote attachments in their spam campaigns.


Source:
https://blog.cyble.com/2023/04/21/qakbot-malware-continues-to-morph/

2023-04-24
BlueNoroff_APT_Group_Targeting_macOS_With_RustBucket_Malware
LOW
+

Intel Source:
Jamf
Intel Name:
BlueNoroff_APT_Group_Targeting_macOS_With_RustBucket_Malware
Date of Scan:
2023-04-24
Impact:
LOW
Summary:
Jamf Threat Labs have discovered a macOS malware family that communicates with command and control (C2) servers to download and execute various payloads. They track and protect against this malware family under the name ‘RustBucket’ and suspect it to be attributed to a North Korean, state-sponsored threat actor.


Source:
https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/

2023-04-22
Two_New_QakBot_C2_Servers_Detected
LOW
+

Intel Source:
Sophos
Intel Name:
Two_New_QakBot_C2_Servers_Detected
Date of Scan:
2023-04-22
Impact:
LOW
Summary:
Sophos researchers have detected two new QakBot servers that have not yet been publicly identified. These servers are used by threat actors to manage and control QakBot infections, a banking trojan that has been active since 2008 and primarily targets financial institutions and their customers.


Source:
https://news.sophos.com/en-us/2023/04/20/new-qakbot-c2-servers-detected-with-sophos-ndr/

2023-04-22
Scams_Involving_ChatGPT_Are_on_the_Rise
LOW
+

Intel Source:
PaloAlto
Intel Name:
Scams_Involving_ChatGPT_Are_on_the_Rise
Date of Scan:
2023-04-22
Impact:
LOW
Summary:
Unit42 researchers have monitored the newly registered domains and squatting domains related to ChatGPT, as it is one of the fastest-growing consumer applications in history. The dark side of this popularity is that ChatGPT is also attracting the attention of scammers seeking to benefit from using wording and domain names that appear related to the site.


Source:
https://unit42.paloaltonetworks.com/chatgpt-scam-attacks-increasing/

2023-04-22
The_Examination_of_EvilExtractor_Tool
MEDIUM
+

Intel Source:
Fortinet
Intel Name:
The_Examination_of_EvilExtractor_Tool
Date of Scan:
2023-04-22
Impact:
MEDIUM
Summary:
FortiGuard Labs researchers have analyzed the EvilExtractor tool, an attack tool designed to target Windows operating systems and extract data and files from endpoint devices. They also observed this malware in a phishing email campaign on 30 March.


Source:
https://www.fortinet.com/blog/threat-research/evil-extractor-all-in-one-stealer

2023-04-22
Lazarus_Hackers_Pushing_Linux_Malware_via_Fake_Job_Offers
MEDIUM
+

Intel Source:
Welivesecurity
Intel Name:
Lazarus_Hackers_Pushing_Linux_Malware_via_Fake_Job_Offers
Date of Scan:
2023-04-22
Impact:
MEDIUM
Summary:
Researchers from Welivesecurity identified a new Lazarus campaign, considered part of “Operation DreamJob”, targeting Linux users with malware for the first time.


Source:
https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/

2023-04-21
Daggerfly_APT_Group_Targeting_Telecoms_Company_in_Africa
LOW
+

Intel Source:
Symantec
Intel Name:
Daggerfly_APT_Group_Targeting_Telecoms_Company_in_Africa
Date of Scan:
2023-04-21
Impact:
LOW
Summary:
Researchers from Symantec have identified that telecommunication service providers in Africa are the target of a new campaign orchestrated by a China-linked threat actor since at least November 2022.


Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt-attacks-telecoms-africa-mgbot

2023-04-21
Hackers_Using_Abandoned_WordPress_Plugins_to_Backdoor_Websites
LOW
+

Intel Source:
Sucuri
Intel Name:
Hackers_Using_Abandoned_WordPress_Plugins_to_Backdoor_Websites
Date of Scan:
2023-04-21
Impact:
LOW
Summary:
Sucuri researchers have identified that attackers are using Eval PHP, an outdated legitimate WordPress plugin, to compromise websites by injecting stealthy backdoors.


Source:
https://blog.sucuri.net/2023/04/massive-abuse-of-abandoned-evalphp-wordpress-plugin.html

2023-04-21
EDR_Killer_AuKill_Exploiting_Process_Explorer_Drivers
MEDIUM
+

Intel Source:
Sophos
Intel Name:
EDR_Killer_AuKill_Exploiting_Process_Explorer_Drivers
Date of Scan:
2023-04-21
Impact:
MEDIUM
Summary:
Sophos researchers have investigated multiple incidents where attackers attempted to disable EDR clients with a new defense evasion tool dubbed AuKill. The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.


Source:
https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/

2023-04-21
SideCopy_Attack_Chain_Deploying_AllaKore_RAT
LOW
+

Intel Source:
Team-Cymru
Intel Name:
SideCopy_Attack_Chain_Deploying_AllaKore_RAT
Date of Scan:
2023-04-21
Impact:
LOW
Summary:
Researchers from Team-Cymru have analyzed the SideCopy group and discovered the SideCopy attack chain used to deploy AllaKore RAT. It is an open-source remote access tool that has been modified for the purposes of SideCopy operations and is commonly observed in their intrusions.


Source:
https://www.team-cymru.com/post/allakore-d-the-sidecopy-train

2023-04-21
Bumblebee_Malware_Distributing_Via_Trojanized_Installer_Downloads
MEDIUM
+

Intel Source:
Secureworks
Intel Name:
Bumblebee_Malware_Distributing_Via_Trojanized_Installer_Downloads
Date of Scan:
2023-04-21
Impact:
MEDIUM
Summary:


Source:
https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads

2023-04-21
Distribution_of_the_BlackBit_ransomware
LOW
+

Intel Source:
ASEC
Intel Name:
Distribution_of_the_BlackBit_ransomware
Date of Scan:
2023-04-21
Impact:
LOW
Summary:
AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of the BlackBit ransomware disguised as svchost.exe during the team’s monitoring. According to ASEC’s internal infrastructure, the BlackBit ransomware has been continuously distributed.


Source:
https://asec.ahnlab.com/en/51497/

2023-04-21
Russian_Hackers_Conducting_Phishing_Attacks_in_Ukraine
LOW
+

Intel Source:
Google Blog
Intel Name:
Russian_Hackers_Conducting_Phishing_Attacks_in_Ukraine
Date of Scan:
2023-04-21
Impact:
LOW
Summary:
Google Threat Analysis researchers have observed that Russian government-backed phishing campaigns targeted users in Ukraine the most, with the country accounting for over 60% of observed Russian targeting.


Source:
https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/

2023-04-21
Belarus_Linked_Hacking_Group_Targeting_Poland_With_New_Disinformation_Campaign
MEDIUM
+

Intel Source:
CSIRT-MON
Intel Name:
Belarus_Linked_Hacking_Group_Targeting_Poland_With_New_Disinformation_Campaign
Date of Scan:
2023-04-21
Impact:
MEDIUM
Summary:
CSIRT-MON researchers have issued a warning Wednesday about a recent disinformation campaign that has been traced back to the Belarusian hacking group known as Ghostwriter.


Source:
https://csirt-mon.wp.mil.pl/pl/articles/6-aktualnosci/dezinformacja-o-rekrutacji-do-litpolukrbrig/

2023-04-21
Play_Ransomware_Group_Using_New_Custom_Data_Gathering_Tools
MEDIUM
+

Intel Source:
Symantec
Intel Name:
Play_Ransomware_Group_Using_New_Custom_Data_Gathering_Tools
Date of Scan:
2023-04-21
Impact:
MEDIUM
Summary:
Symantec researchers have identified that the Play ransomware group is using two new, custom-developed tools that allow it to enumerate all users and computers on a compromised network, and copy files from the Volume Shadow Copy Service (VSS) that are normally locked by the operating system.


Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/play-ransomware-volume-shadow-copy

2023-04-21
Hackers_Promptly_Adopting_Web3_IPFS_Technology
LOW
+

Intel Source:
PaloAlto
Intel Name:
Hackers_Promptly_Adopting_Web3_IPFS_Technology
Date of Scan:
2023-04-21
Impact:
LOW
Summary:
PaloAlto researchers have observed several types of cyberthreats using the InterPlanetary File System (IPFS), including phishing, credential theft, command and control (C2) communications, and malicious payload distribution. They also observed a significant jump in IPFS-related traffic at the beginning of 2022.


Source:
https://unit42.paloaltonetworks.com/ipfs-used-maliciously/

2023-04-21
USB_Based_FlowCloud_Malware_Attacks
LOW
+

Intel Source:
NTT Security
Intel Name:
USB_Based_FlowCloud_Malware_Attacks
Date of Scan:
2023-04-21
Impact:
LOW
Summary:
Researchers from NTT Security have observed that several companies have been infected with FlowCloud. It is known as malware used by an attack group called TA410 and has been observed since around 2019.


Source:
https://insight-jp.nttsecurity.com/post/102id0t/usbflowcloud

2023-04-21
New_Attack_Chain_Uncovered_From_Blind_Eagle_Cyber_Espionage_Group
LOW
+

Intel Source:
Threatmon
Intel Name:
New_Attack_Chain_Uncovered_From_Blind_Eagle_Cyber_Espionage_Group
Date of Scan:
2023-04-21
Impact:
LOW
Summary:
Researchers from Threatmon have observed that the cyber espionage actor tracked as Blind Eagle has been linked to a new multi-stage attack chain that leads to the deployment of the NjRAT remote access trojan on compromised systems.


Source:
https://threatmon.io/apt-blind-eagles-malware-arsenal-technical-analysis/

2023-04-20
Hackers_From_Pakistan_Using_Linux_Malware_Poseidon_to_Target_Indian_Government_Agencies
MEDIUM
+

Intel Source:
Uptycs
Intel Name:
Hackers_From_Pakistan_Using_Linux_Malware_Poseidon_to_Target_Indian_Government_Agencies
Date of Scan:
2023-04-20
Impact:
MEDIUM
Summary:
Researchers from Uptycs have identified a Pakistan-based advanced persistent threat actor known as Transparent Tribe using a two-factor authentication (2FA) tool used by Indian government agencies as a ruse to deliver a new Linux backdoor called Poseidon.


Source:
https://www.uptycs.com/blog/cyber_espionage_in_india_decoding_apt_36_new_linux_malware

2023-04-20
Phishing_Campaign_Targeting_EPOS_Net_Customers
LOW
+

Intel Source:
Cofense
Intel Name:
Phishing_Campaign_Targeting_EPOS_Net_Customers
Date of Scan:
2023-04-20
Impact:
LOW
Summary:
Cofense Phishing Defense Center has observed a sophisticated phishing campaign targeting customers of EPOS Net, a large Japanese credit card company. The campaign is notable for its meticulously crafted emails and cloned website, as well as its use of official customer service numbers to establish an illusion of legitimacy.


Source:
https://cofense.com/blog/double-trouble-unmasking-the-epos-net-phishing-scheme-that-turns-trust-against-you/

2023-04-20
Google_Ads_Abuse_and_Spear_Phishing_Campaigns_Impersonating_Spains_Tax_Agency
LOW
+

Intel Source:
Blackberry
Intel Name:
Google_Ads_Abuse_and_Spear_Phishing_Campaigns_Impersonating_Spains_Tax_Agency
Date of Scan:
2023-04-20
Impact:
LOW
Summary:
Researchers from BlackBerry have observed two parallel malicious campaigns that use the same infrastructure but have different purposes. The first campaign is related to a malvertising Google Ads Platform and the second campaign is related to a massive spear-phishing campaign targeting large organizations based in Spain. The campaign impersonated Spain’s tax agency, with the goal of harvesting the email credentials of companies in Spain.


Source:
https://blogs.blackberry.com/en/2023/04/massive-spear-phishing-campaign-impersonating-spain-tax-agency

2023-04-20
New_Strain_of_Ransomware_Named_CrossLock
LOW
+

Intel Source:
Cyble
Intel Name:
New_Strain_of_Ransomware_Named_CrossLock
Date of Scan:
2023-04-20
Impact:
LOW
Summary:
Cyble researchers have discovered a new strain of ransomware called CrossLock, which is written in the programming language “Go”. It employs the double-extortion technique to increase the likelihood of payment from its victims and this technique involves encrypting the victim’s data as well as exfiltrating it from their system.


Source:
https://blog.cyble.com/2023/04/18/crosslock-ransomware-emerges-new-golang-based-malware-on-the-horizon/

2023-04-19
A_New_Backdoor_Called_Devopt
LOW
+

Intel Source:
Zscaler
Intel Name:
A_New_Backdoor_Called_Devopt
Date of Scan:
2023-04-19
Impact:
LOW
Summary:
Zscaler ThreatLabz researchers have identified a new backdoor called ‘Devopt’. It utilizes hard-coded names for persistence and offers several functionalities, including keylogging, stealing browser credentials, clipper, and more. Multiple versions of the backdoor have surfaced in just the last few days, indicating that it is still in development.


Source:
https://www.zscaler.com/blogs/security-research/introducing-devopt-multifunctional-backdoor-arsenal

2023-04-19
Attacking_High_Value_Targets_With_Mint_Sandstorm
MEDIUM
+

Intel Source:
Microsoft
Intel Name:
Attacking_High_Value_Targets_With_Mint_Sandstorm
Date of Scan:
2023-04-19
Impact:
MEDIUM
Summary:
Microsoft researchers have observed a mature subgroup of Mint Sandstorm, an Iranian nation-state actor previously tracked as PHOSPHORUS, refining its tactics, techniques, and procedures (TTPs). Specifically, this subset has rapidly weaponized N-day vulnerabilities in common enterprise applications and conducted highly-targeted phishing campaigns to quickly and successfully access environments of interest.


Source:
https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/

2023-04-19
The_Critical_Component_of_Aurora_Stealer_Attack_Delivery_Chain
LOW
+

Intel Source:
Morphisec
Intel Name:
The_Critical_Component_of_Aurora_Stealer_Attack_Delivery_Chain
Date of Scan:
2023-04-19
Impact:
LOW
Summary:
Morphisec researchers have observed that the component that makes Aurora’s delivery stealthy and dangerous is a highly evasive loader named “in2al5d p3in4er.” It is compiled with Embarcadero RAD Studio and targets endpoint workstations using advanced anti-VM (virtual machine) techniques.


Source:
https://blog.morphisec.com/in2al5d-p3in4er

2023-04-18
Hackers_From_Iran_Leveraging_SimpleHelp_Remote_Support_Software_for_Persistent_Access
MEDIUM
+

Intel Source:
Group-IB
Intel Name:
Hackers_From_Iran_Leveraging_SimpleHelp_Remote_Support_Software_for_Persistent_Access
Date of Scan:
2023-04-18
Impact:
MEDIUM
Summary:
Researchers from Group-IB have identified that the Iranian threat actor known as MuddyWater is continuing its time-tested tradition of relying on legitimate remote administration tools to commandeer targeted systems.


Source:
https://www.group-ib.com/blog/muddywater-infrastructure/

2023-04-18
The_Examination_of_BabLock_Ransomware
LOW
+

Intel Source:
TrendMicro
Intel Name:
The_Examination_of_BabLock_Ransomware
Date of Scan:
2023-04-18
Impact:
LOW
Summary:
TrendMicro researchers have analyzed stealthy and expeditious ransomware called BabLock (aka Rorschach). It has recently been making waves due to its sophisticated and fast-moving attack chain that uses subtle yet effective techniques.


Source:
https://www.trendmicro.com/en_us/research/23/d/an-analysis-of-the-bablock-ransomware.html

2023-04-18
Gamaredon_Groups_Automated_Spear_Phishing_Campaigns_Revealed_by_Exposed_Web_Panel
MEDIUM
+

Intel Source:
Eclecticiq
Intel Name:
Gamaredon_Groups_Automated_Spear_Phishing_Campaigns_Revealed_by_Exposed_Web_Panel
Date of Scan:
2023-04-18
Impact:
MEDIUM
Summary:
EclecticIQ researchers have identified a spear phishing campaign targeting Ukrainian government entities like the Foreign Intelligence Service of Ukraine (SZRU) and the Security Service of Ukraine (SSU), likely conducted by APT group Gamaredon.


Source:
https://blog.eclecticiq.com/exposed-web-panel-reveals-gamaredon-groups-automated-spear-phishing-campaigns

2023-04-18
The_Activities_of_Tick_Group
LOW
+

Intel Source:
ASEC
Intel Name:
The_Activities_of_Tick_Group
Date of Scan:
2023-04-18
Impact:
LOW
Summary:
Researchers from ASEC have continued to track the Tick group’s activities, as it has been targeting government agencies, the military, and various industries in Korea and Japan for over a decade.


Source:
https://asec.ahnlab.com/en/51340/

2023-04-18
QBot_Banker_Delivering_Via_Business_Correspondence
LOW
+

Intel Source:
Securelist
Intel Name:
QBot_Banker_Delivering_Via_Business_Correspondence
Date of Scan:
2023-04-18
Impact:
LOW
Summary:
Securelist researchers have observed a significant increase in attacks that use banking Trojans of the QBot family. The malware is delivered through emails written in different languages; variants were observed in English, German, Italian, and French. The messages were based on real business letters the attackers had gained access to, which allowed them to join the correspondence thread with messages of their own.


Source:
https://securelist.com/qbot-banker-business-correspondence/109535/

2023-04-18
Trigona_Ransomware_Attacking_MS_SQL_Servers
MEDIUM
+

Intel Source:
ASEC
Intel Name:
Trigona_Ransomware_Attacking_MS_SQL_Servers
Date of Scan:
2023-04-18
Impact:
MEDIUM
Summary:
ASEC researchers have discovered that the Trigona ransomware is being installed on poorly managed MS-SQL servers; typical attacks include brute-force and dictionary attacks against systems where account credentials are poorly managed.


Source:
https://asec.ahnlab.com/en/51343/

2023-04-17
The_Analysis_of_Trigona_Ransomware
LOW
+

Intel Source:
ZScaler
Intel Name:
The_Analysis_of_Trigona_Ransomware
Date of Scan:
2023-04-17
Impact:
LOW
Summary:
Zscaler researchers have analyzed the Trigona ransomware. It is written in the Delphi programming language and has been active since at least June 2022.


Source:
https://www.zscaler.com/blogs/security-research/technical-analysis-trigona-ransomware

2023-04-17
An_Overview_of_Tax_Scammers
MEDIUM
+

Intel Source:
Fortinet
Intel Name:
An_Overview_of_Tax_Scammers
Date of Scan:
2023-04-17
Impact:
MEDIUM
Summary:
Fortinet researchers have analyzed a few examples of malware that take advantage of tax season. Attackers make every attempt to scam taxpayers for financial gain and to exfiltrate data for use in future attacks.


Source:
https://www.fortinet.com/blog/threat-research/tax-scammers-at-large

2023-04-17
Threat_Actors_From_Conti_and_FIN7_Collaborate_With_Domino_Backdoor
MEDIUM
+

Intel Source:
IBM Security Intelligence
Intel Name:
Threat_Actors_From_Conti_and_FIN7_Collaborate_With_Domino_Backdoor
Date of Scan:
2023-04-17
Impact:
MEDIUM
Summary:
Researchers from IBM Security have discovered a new malware family called Domino that was created by developers associated with the cybercriminal group that X-Force tracks as ITG14, also known as FIN7.


Source:
https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/

2023-04-17
Zaraza_Bot_Credential_Stealer_Targeting_Browser_Passwords
LOW
+

Intel Source:
Uptycs
Intel Name:
Zaraza_Bot_Credential_Stealer_Targeting_Browser_Passwords
Date of Scan:
2023-04-17
Impact:
LOW
Summary:
Researchers from the Uptycs team have identified a new variant of credential-stealing malware, dubbed Zaraza bot, which uses Telegram as its command and control; Zaraza is the Russian word for infection.


Source:
https://www.uptycs.com/blog/zaraza-bot-credential-password-stealer

2023-04-17
LockBit_Encryptor_Targeting_macOS_System
MEDIUM
+

Intel Source:
Malware Hunter
Intel Name:
LockBit_Encryptor_Targeting_macOS_System
Date of Scan:
2023-04-17
Impact:
MEDIUM
Summary:
Researchers from the Malware Hunter team have warned that the LockBit ransomware gang has developed encryptors to target macOS devices.


Source:
https://twitter.com/malwrhunterteam/status/1647384505550876675

2023-04-17
Fraudulent_Campaign_Using_Fake_Google_Chrome_Error_to_Spread_Malware
LOW
+

Intel Source:
NTT Security
Intel Name:
Fraudulent_Campaign_Using_Fake_Google_Chrome_Error_to_Spread_Malware
Date of Scan:
2023-04-17
Impact:
LOW
Summary:
Researchers from NTT Security have observed an attack campaign distributing malware from a web page disguised as a Google Chrome error message since around November 2022. The campaign has become more active since around February 2023, and attacks have been confirmed across a very wide area, so close attention is required.


Source:
https://insight-jp.nttsecurity.com/post/102icvb/attack-campaign-that-uses-fake-google-chrome-error-to-distribute-malware-from-com

2023-04-16
Bitter_Group_CHM_malware_distribution
LOW
+

Intel Source:
Ciberdefensa
Intel Name:
Bitter_Group_CHM_malware_distribution
Date of Scan:
2023-04-16
Impact:
LOW
Summary:
The Bitter group has been distributing CHM malware to certain Chinese organizations through compressed email attachments with filenames such as “Project Plan 2023.chm”. When executed, the CHM files display content related to Chinese and Russian organizations and activate a malicious script that executes additional malware.


Source:
https://ciberdefensa.cat/archivos/10456

2023-04-16
Money_Ransomware
LOW
+

Intel Source:
Yoroi
Intel Name:
Money_Ransomware
Date of Scan:
2023-04-16
Impact:
LOW
Summary:
The article discusses the Money Ransomware group, which utilizes a double extortion model by encrypting data and exfiltrating sensitive information, threatening to publish the data unless a ransom is paid.


Source:
https://yoroi.company/research/money-ransomware-the-latest-double-extortion-group/?&web_view=true

2023-04-15
The_Activity_of_Emerging_Cybercriminal_Group_Named_Read_The_Manual_RTM_Locker
LOW
+

Intel Source:
Trellix
Intel Name:
The_Activity_of_Emerging_Cybercriminal_Group_Named_Read_The_Manual_RTM_Locker
Date of Scan:
2023-04-15
Impact:
LOW
Summary:
Researchers from Trellix have detailed the tactics, techniques, and procedures of an emerging cybercriminal gang called ‘Read The Manual’ (RTM) Locker. The group provides ransomware-as-a-service (RaaS), supplying its malicious code to a network of affiliates under strict rules.


Source:
https://www.trellix.com/en-us/about/newsroom/stories/research/read-the-manual-locker-a-private-raas-provider.html

2023-04-15
Threat_Actors_Try_to_Wreak_Havoc_on_Tax_Day
MEDIUM
+

Intel Source:
Microsoft
Intel Name:
Threat_Actors_Try_to_Wreak_Havoc_on_Tax_Day
Date of Scan:
2023-04-15
Impact:
MEDIUM
Summary:
Microsoft researchers have observed phishing attacks targeting accounting and tax return preparation firms to deliver the Remcos remote access trojan (RAT) and compromise target networks beginning in February of this year.


Source:
https://www.microsoft.com/en-us/security/blog/2023/04/13/threat-actors-strive-to-cause-tax-day-headaches/

2023-04-15
Malware_Attacks_on_Tax_Firms
LOW
+

Intel Source:
Sophos
Intel Name:
Malware_Attacks_on_Tax_Firms
Date of Scan:
2023-04-15
Impact:
LOW
Summary:
Sophos researchers have observed that a threat actor is targeting financial accounting firms and CPAs with an attack that combines social engineering with a novel exploit against Windows computers to deliver malware called GuLoader.


Source:
https://news.sophos.com/en-us/2023/04/13/tax-firms-targeted-by-precision-malware-attacks/

2023-04-14
APT36_Group_Targeting_Indian_Education_Sector
MEDIUM
+

Intel Source:
Sentinelone
Intel Name:
APT36_Group_Targeting_Indian_Education_Sector
Date of Scan:
2023-04-14
Impact:
MEDIUM
Summary:
Researchers from SentinelOne have identified a cluster of malicious Office documents that distribute Crimson RAT, used by the APT36 group (also known as Transparent Tribe) targeting the education sector.


Source:
https://www.sentinelone.com/labs/transparent-tribe-apt36-pakistan-aligned-threat-actor-expands-interest-in-indian-education-sector/

2023-04-14
Russian_Hackers_Targeting_NATO_and_EU
MEDIUM
+

Intel Source:
CERT-PL
Intel Name:
Russian_Hackers_Targeting_NATO_and_EU
Date of Scan:
2023-04-14
Impact:
MEDIUM
Summary:
Researchers from the Military Counterintelligence Service and the CERT Polska team have observed a widespread espionage campaign linked to Russian intelligence services and targeting NATO and the EU.


Source:
https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services

2023-04-14
Bitter_Group_Distributing_CHM_Malware_to_Chinese_Organizations
LOW
+

Intel Source:
ASEC
Intel Name:
Bitter_Group_Distributing_CHM_Malware_to_Chinese_Organizations
Date of Scan:
2023-04-14
Impact:
LOW
Summary:
Researchers from ASEC have identified multiple instances of the Bitter group distributing CHM malware to certain Chinese organizations. The files used in the recent attacks are distributed as compressed email attachments. The compressed files contain a CHM file under various filenames.


Source:
https://asec.ahnlab.com/en/51043/

2023-04-14
New_Legion_Hacktool_Stealing_Credentials_From_Misconfigured_Sites
MEDIUM
+

Intel Source:
CADO
Intel Name:
New_Legion_Hacktool_Stealing_Credentials_From_Misconfigured_Sites
Date of Scan:
2023-04-14
Impact:
MEDIUM
Summary:
CADO Security researchers have identified a new Python-based credential harvester and SMTP hijacking tool named ‘Legion’, sold on Telegram, which targets online email services for phishing and spam attacks.


Source:
https://www.cadosecurity.com/legion-an-aws-credential-harvester-and-smtp-hijacker/

2023-04-13
DigitalOceans_Tech_Support_Scam_Shifts_to_StackPaths_CDN
MEDIUM
+

Intel Source:
Netskope
Intel Name:
DigitalOceans_Tech_Support_Scam_Shifts_to_StackPaths_CDN
Date of Scan:
2023-04-13
Impact:
MEDIUM
Summary:
Netskope researchers have identified that attackers previously abusing DigitalOcean to host a tech support scam have expanded the operation, now abusing StackPath CDN to distribute the scam, and are likely to start abusing additional cloud services to deliver the scam in the near future.


Source:
https://www.netskope.com/pt/blog/tech-support-scam-pivots-from-digitalocean-to-stackpath-cdn

2023-04-13
Color1337_Cryptojacking_Campaign_Targeting_Linux_Machines
LOW
+

Intel Source:
Tehtris
Intel Name:
Color1337_Cryptojacking_Campaign_Targeting_Linux_Machines
Date of Scan:
2023-04-13
Impact:
LOW
Summary:
Researchers from Tehtris have identified a cryptojacking campaign, believed to originate from Romania, targeting Linux machines. This campaign, dubbed Color1337, leverages a botnet to mine Monero, and the botnet can propagate itself to other machines across the network.


Source:
https://tehtris.com/en/blog/linux-focus-on-a-cryptomining-attack-dubbed-color1337

2023-04-13
GuLoader_Targeting_the_Financial_Sector_Using_a_Taxthemed_Phishing_Lure
MEDIUM
+

Intel Source:
Esentire
Intel Name:
GuLoader_Targeting_the_Financial_Sector_Using_a_Taxthemed_Phishing_Lure
Date of Scan:
2023-04-13
Impact:
MEDIUM
Summary:
Researchers from Esentire have observed GuLoader targeting the financial sector via phishing emails using a tax-themed lure. The phishing email contains a shared link to Adobe Acrobat, from which the user can download a password-protected ZIP archive.


Source:
https://www.esentire.com/blog/guloader-targeting-the-financial-sector-using-a-tax-themed-phishing-lure

2023-04-13
Raise_in_Qakbot_Malware_Incidents
LOW
+

Intel Source:
Esentire
Intel Name:
Raise_in_Qakbot_Malware_Incidents
Date of Scan:
2023-04-13
Impact:
LOW
Summary:
Researchers from Esentire have observed a significant increase in Qakbot incidents impacting various industries.


Source:
https://www.esentire.com/security-advisories/increase-in-observations-of-qakbot-malware

2023-04-13
Qakbot_Distributing_via_Email_Hijacking
LOW
+

Intel Source:
ASEC
Intel Name:
Qakbot_Distributing_via_Email_Hijacking
Date of Scan:
2023-04-13
Impact:
LOW
Summary:
ASEC Lab researchers have identified cases of Qakbot malware being distributed via malicious PDF files attached to forwarded emails or to replies in existing email threads.


Source:
https://asec.ahnlab.com/en/51282/

2023-04-13
ASEC_Weekly_Malware_Analyses_April_03rd_April_09th_2023
LOW
+

Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Malware_Analyses_April_03rd_April_09th_2023
Date of Scan:
2023-04-13
Impact:
LOW
Summary:
ASEC researchers have analyzed the week’s malware and found that backdoors ranked top with 61.1%, followed by infostealers with 20.8%, downloaders with 16.9%, and ransomware with 1.1%.


Source:
https://asec.ahnlab.com/en/51274/

2023-04-13
Chinese_Hacking_Group_Targeting_European_Governments_and_Businesses
HIGH
+

Intel Source:
SecuInfra
Intel Name:
Chinese_Hacking_Group_Targeting_European_Governments_and_Businesses
Date of Scan:
2023-04-13
Impact:
HIGH
Summary:
Researchers from SecuInfra have observed that Chinese APT groups are targeting European governments and businesses. Recently, the European Union Agency for Cybersecurity (ENISA) and CERT-EU warned about malicious activities against EU governments and businesses attributed to Chinese Advanced Persistent Threat (APT) groups.


Source:
https://www.secuinfra.com/en/news/beijing-calling-chinese-apts-are-targeting-european-governments-and-businesses/

2023-04-12
Attacks_With_Nokoyawa_Ransomware_Using_ZeroDay_Vulnerabilities_in_Windows
MEDIUM
+

Intel Source:
Securelist
Intel Name:
Attacks_With_Nokoyawa_Ransomware_Using_ZeroDay_Vulnerabilities_in_Windows
Date of Scan:
2023-04-12
Impact:
MEDIUM
Summary:
Securelist researchers have analyzed the CVE-2023-28252 zero-day vulnerability in Common Log File System (CLFS).


Source:
https://securelist.com/nokoyawa-ransomware-attacks-with-windows-zero-day/109483/

2023-04-12
The_Development_and_Refinement_of_DeathNote_Campaign_TTPs
MEDIUM
+

Intel Source:
Securelist
Intel Name:
The_Development_and_Refinement_of_DeathNote_Campaign_TTPs
Date of Scan:
2023-04-12
Impact:
MEDIUM
Summary:
Researchers from Securelist have focused on an active cluster that is dubbed DeathNote because the malware responsible for downloading additional payloads is named Dn.dll or Dn64.dll. This threat is also known as Operation DreamJob or NukeSped.


Source:
https://securelist.com/the-lazarus-group-deathnote-campaign/109490/

2023-04-12
The_Attack_Flow_of_RagnarLocker_Ransomware
LOW
+

Intel Source:
Sygnia
Intel Name:
The_Attack_Flow_of_RagnarLocker_Ransomware
Date of Scan:
2023-04-12
Impact:
LOW
Summary:
Researchers from Sygnia have analyzed the attack flow of RagnarLocker ransomware. It is both the name of a ransomware strain and of a criminal group that develops and operates it. Their data leakage blog appeared in April 2020, but although they’re an experienced group, RagnarLocker never made it to the top 10 ransomware strains.


Source:
https://blog.sygnia.co/threat-actor-spotlight-ragnarlocker-ransomware

2023-04-12
Recent_Activity_of_IcedID
LOW
+

Intel Source:
ISC.SANS
Intel Name:
Recent_Activity_of_IcedID
Date of Scan:
2023-04-12
Impact:
LOW
Summary:
Researchers from SANS have observed that IcedID (Bokbot) is being distributed through thread-hijacked emails with PDF attachments. The PDF files contain links that redirect to Google Firebase Storage URLs hosting password-protected zip archives, and the password for the downloaded zip archive is shown in the PDF file.


Source:
https://isc.sans.edu/diary/rss/29740

2023-04-12
The_textwrap_wrap_function
LOW
+

Intel Source:
ISC.SANS
Intel Name:
The_textwrap_wrap_function
Date of Scan:
2023-04-12
Impact:
LOW
Summary:
Didier Stevens, Senior Handler and Microsoft MVP, discovered that the textwrap.wrap function he used in the diary entry “String Obfuscation: Character Pair Reversal” does not always group characters as he expected. He released an update of his python-per-line.py tool, including a Reverse function, and also some simple brute-forcing.


Source:
https://isc.sans.edu/diary/Extra+String+Obfuscation+Character+Pair+Reversal/29656

2023-04-12
The_discovery_of_three_vulnerabilities_in_the_Microsoft_Message_Queuing_service_MSMQ
HIGH
+

Intel Source:
Checkpoint
Intel Name:
The_discovery_of_three_vulnerabilities_in_the_Microsoft_Message_Queuing_service_MSMQ
Date of Scan:
2023-04-12
Impact:
HIGH
Summary:
Check Point researchers recently observed three new vulnerabilities in the “Microsoft Message Queuing” service, known as MSMQ. These vulnerabilities were disclosed to Microsoft and patched in the April Patch Tuesday update. The most severe of these, dubbed QueueJumper by CPR (CVE-2023-21554), is a critical vulnerability that could allow unauthorized attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.


Source:
https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/

2023-04-12
An_attack_campaign_distributing_malware_disguised_as_a_Google_Chrome
LOW
+

Intel Source:
NTT Security
Intel Name:
An_attack_campaign_distributing_malware_disguised_as_a_Google_Chrome
Date of Scan:
2023-04-12
Impact:
LOW
Summary:
Since around November 2022, the SOC has been observing an attack campaign distributing malware from a web page disguised as a Google Chrome error screen. It became active from around February 2023, and malware downloads have been confirmed across a very wide range of targets, so caution is required. This article provides an overview of the attack campaign and the malware.


Source:
https://insight-jp.nttsecurity.com/post/102ic6o/webgoogle-chrome

2023-04-12
Analyzing_Impala_Stealer
LOW
+

Intel Source:
JFrog
Intel Name:
Analyzing_Impala_Stealer
Date of Scan:
2023-04-12
Impact:
LOW
Summary:
Researchers from JFrog provided a detailed analysis of a malicious payload named “Impala Stealer”, a custom crypto stealer which was used as the payload for the malicious NuGet packages campaign. The sophisticated campaign targeted .NET developers via malicious NuGet packages, and the JFrog Security team was able to detect and report it as part of their regular activity of exposing supply chain attacks.


Source:
https://jfrog.com/blog/impala-stealer-malicious-nuget-package-payload/

2023-04-12
Malicious_Document_From_Ukraines_Energoatom_Delivering_Havoc_Demon_Backdoor
LOW
+

Intel Source:
Fortinet
Intel Name:
Malicious_Document_From_Ukraines_Energoatom_Delivering_Havoc_Demon_Backdoor
Date of Scan:
2023-04-12
Impact:
LOW
Summary:
FortiGuard Labs researchers have identified a malicious spoofed document pretending to be from the Ukrainian company, Energoatom, a state-owned enterprise that operates Ukraine’s nuclear power plants.


Source:
https://www.fortinet.com/blog/threat-research/malware-disguised-as-document-ukraine-energoatom-delivers-havoc-demon-backdoor?&web_view=true

2023-04-12
The_Analysis_of_Malicious_HTA_File
LOW
+

Intel Source:
ISC.SANS
Intel Name:
The_Analysis_of_Malicious_HTA_File
Date of Scan:
2023-04-12
Impact:
LOW
Summary:
Researchers from SANS have analyzed a malicious HTA file.


Source:
https://isc.sans.edu/diary/Another+Malicious+HTA+File+Analysis+Part+2/29676/

2023-04-11
ASEC_Weekly_Phishing_Email_analyses_March_26_April_1_2023
LOW
+

Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Phishing_Email_analyses_March_26_April_1_2023
Date of Scan:
2023-04-11
Impact:
LOW
Summary:
ASEC lab researchers continuously monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. Their post shares the cases of phishing email distribution during the week from March 26th, 2023 to April 1st, 2023 and provides statistical information on each type.


Source:
https://asec.ahnlab.com/en/51222/

2023-04-11
Gopuram_backdoor_deployed_through_3CX_supply_chain_attack
MEDIUM
+

Intel Source:
Securelist
Intel Name:
Gopuram_backdoor_deployed_through_3CX_supply_chain_attack
Date of Scan:
2023-04-11
Impact:
MEDIUM
Summary:
On March 29, CrowdStrike posted their report about a supply chain attack conducted via 3CXDesktopApp. Securelist researchers analyzed the attack and shared their findings. They had observed few victims compromised with Gopuram, but the number of infections began to increase in March 2023. As it turned out, the increase was directly related to the 3CX supply chain attack.


Source:
https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/

2023-04-11
A_new_strain_of_malware_Rilide_targets_Chromium_based_browsers
LOW
+

Intel Source:
Trustwave
Intel Name:
A_new_strain_of_malware_Rilide_targets_Chromium_based_browsers
Date of Scan:
2023-04-11
Impact:
LOW
Summary:
Trustwave SpiderLabs observed a new strain of malware named Rilide that targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. Rilide masquerades as a legitimate Google Drive extension and lets threat actors carry out a wide range of malicious activities, including monitoring browsing history, taking screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges.


Source:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rilide-a-new-malicious-browser-extension-for-stealing-cryptocurrencies/

2023-04-11
The_CryptoClippy_malware_campaign_targets_Portuguese_speakers
LOW
+

Intel Source:
PaloAlto
Intel Name:
The_CryptoClippy_malware_campaign_targets_Portuguese_speakers
Date of Scan:
2023-04-11
Impact:
LOW
Summary:
Unit 42 recently observed a malware campaign targeting Portuguese speakers that redirects cryptocurrency from legitimate users’ wallets to wallets controlled by threat actors. The campaign uses a type of malware known as a cryptocurrency clipper, which monitors the victim’s clipboard for signs that a cryptocurrency wallet address is being copied.


Source:
https://unit42.paloaltonetworks.com/crypto-clipper-targets-portuguese-speakers/

2023-04-11
The_Deep_Analysis_Report_on_SarinLocker_Ransomware
LOW
+

Intel Source:
Cyfirma
Intel Name:
The_Deep_Analysis_Report_on_SarinLocker_Ransomware
Date of Scan:
2023-04-11
Impact:
LOW
Summary:
Cyfirma researchers have deeply analyzed a new ransomware called SarinLocker. The group has started a ransomware affiliate program that provides attackers with ransomware and affiliate software to manage victims.


Source:
https://www.cyfirma.com/outofband/sarinlocker-ransomware/

2023-04-11
Hackers_Flooding_NPM_With_Fake_Packages_Causing_DoS_Attack
LOW
+

Intel Source:
Checkmarx
Intel Name:
Hackers_Flooding_NPM_With_Fake_Packages_Causing_DoS_Attack
Date of Scan:
2023-04-11
Impact:
LOW
Summary:
Researchers from Checkmarx Security have identified that hackers are flooding the npm open source package repository for Node.js with bogus packages, which briefly even resulted in a denial-of-service (DoS) attack.


Source:
https://medium.com/checkmarx-security/who-broke-npm-malicious-packages-flood-leading-to-denial-of-service-77ac707ddbf1

2023-04-10
WordPress_Infection_Campaign_Leveraging_Recently_Discovered_Theme_and_Plugin_Vulnerabilities
LOW
+

Intel Source:
Sucuri
Intel Name:
WordPress_Infection_Campaign_Leveraging_Recently_Discovered_Theme_and_Plugin_Vulnerabilities
Date of Scan:
2023-04-10
Impact:
LOW
Summary:
Researchers from Sucuri have tracked a massive WordPress infection campaign since 2017. They refer to it as an ongoing, long-lasting, massive WordPress infection campaign that leverages all known and recently discovered theme and plugin vulnerabilities.


Source:
https://blog.sucuri.net/2023/04/balada-injector-synopsis-of-a-massive-ongoing-wordpress-malware-campaign.html?web_view=true

2023-04-10
ASEC_Weekly_Phishing_Email_analyses_March_19_25th_2023
LOW
+

Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Phishing_Email_analyses_March_19_25th_2023
Date of Scan:
2023-04-10
Impact:
LOW
Summary:
ASEC lab researchers continuously monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. Their post shares the cases of phishing email distribution during the week from March 19th, 2023 to March 25th, 2023 and provides statistical information on each type.


Source:
https://asec.ahnlab.com/en/50789/

2023-04-10
New_Ransomware_Group_Named_Money_Message
LOW
+

Intel Source:
Cyble
Intel Name:
New_Ransomware_Group_Named_Money_Message
Date of Scan:
2023-04-10
Impact:
LOW
Summary:
Cyble researchers have discovered a new ransomware group named Money Message. It can encrypt network shares and targets both Windows and Linux operating systems.


Source:
https://blog.cyble.com/2023/04/06/demystifying-money-message-ransomware/

2023-04-10
Ransomware_Based_Attacks_Carried_Out_by_Iranian_Hackers
MEDIUM
+

Intel Source:
Microsoft
Intel Name:
Ransomware_Based_Attacks_Carried_Out_by_Iranian_Hackers
Date of Scan:
2023-04-10
Impact:
MEDIUM
Summary:
Microsoft researchers have identified that the Iranian nation-state group known as MuddyWater has been carrying out destructive attacks on hybrid environments under the guise of a ransomware operation.


Source:
https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/

2023-04-06
ASEC_Weekly_Malware_statistics_March_27_April_2_2023
LOW
+

Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Malware_statistics_March_27_April_2_2023
Date of Scan:
2023-04-06
Impact:
LOW
Summary:
ASEC lab researchers continuously monitor malware threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. Their post lists weekly statistics collected from March 27th, 2023 (Monday) to April 2nd, 2023 (Sunday).


Source:
https://asec.ahnlab.com/en/50952/

2023-04-06
The_efile_com_analyses
LOW
+

Intel Source:
ISC.SANS
Intel Name:
The_efile_com_analyses
Date of Scan:
2023-04-06
Impact:
LOW
Summary:
Johannes B. Ullrich, Ph.D., Dean of Research at SANS.edu, analyzed the efile.com malware “efail”, which was serving malicious fake “Browser Updates” to some of the site’s users. He was able to retrieve some of the malware the evening before it was removed. The attack uses two main executables. The first one, “update.exe,” is a simple downloader that downloads and executes the second part. The second part is a PHP script communicating with the command and control server; its main function is to download and execute additional code as instructed. During installation, basic system information is sent to the attacker, and the backdoor is made persistent via scheduled/on-boot registry entries.


Source:
https://isc.sans.edu/diary/Analyzing+the+efilecom+Malware+efail/29712/#comments

2023-04-06
The_functions_of_Genesis_Market
LOW
+

Intel Source:
Trellix
Intel Name:
The_functions_of_Genesis_Market
Date of Scan:
2023-04-06
Impact:
LOW
Summary:
Trellix was approached by law enforcement asking for assistance with the analysis of Genesis Market. Trellix has analyzed and explained the functions and operations of Genesis Market, provided an analysis of malware samples that law enforcement shared with Trellix, and offered advice and guidance to (potential) victims.


Source:
https://www.trellix.com/en-us/about/newsroom/stories/research/genesis-market-no-longer-feeds-the-evil-cookie-monster.html

2023-04-06
Royal_Ransom_analyses
LOW
+

Intel Source:
Trellix
Intel Name:
Royal_Ransom_analyses
Date of Scan:
2023-04-06
Impact:
LOW
Summary:
The Trellix Advanced Cyber Services team within Trellix Professional Services has provided updated incident-response data on Royal Ransom.


Source:
https://www.trellix.com/en-us/about/newsroom/stories/research/a-royal-analysis-of-royal-ransom.html

2023-04-06
Emotet_Resumed_its_Spamming_Activities
LOW
+

Intel Source:
Trustwave
Intel Name:
Emotet_Resumed_its_Spamming_Activities
Date of Scan:
2023-04-06
Impact:
LOW
Summary:
Researchers from Trustwave SpiderLabs have seen Emotet switch its focus to using OneNote attachments, a tactic also adopted by other malware groups in recent months. The analysis is intended to help the cybersecurity community better understand the wider obfuscation and padding tricks Emotet is using.


Source:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/deobfuscating-the-recent-emotet-epoch-4-macro/

2023-04-05
New_Ransomware_Variants_Are_Dark_Power_and_PayME100USD
LOW
+

Intel Source:
Fortinet
Intel Name:
New_Ransomware_Variants_Are_Dark_Power_and_PayME100USD
Date of Scan:
2023-04-05
Impact:
LOW
Summary:
FortiGuard Labs researchers have identified two new ransomware variants named Dark Power and PayME100USD. Dark Power ransomware launched in early February 2023 and is a rare breed in that it was written in the Nim programming language. PayMe100USD is a ransomware written in Python that was discovered in March 2023; the malware has basic functionality and performs ordinary ransomware activities.


Source:
https://www.fortinet.com/blog/threat-research/dark-power-and-payme100usd-ransomware?&web_view=true

2023-04-05
Typhon_Reborn_Stealer_Malware_Back_with_Advanced_Evasion_Techniques
LOW
+

Intel Source:
Talos
Intel Name:
Typhon_Reborn_Stealer_Malware_Back_with_Advanced_Evasion_Techniques
Date of Scan:
2023-04-05
Impact:
LOW
Summary:
Talos researchers have observed that the threat actor behind the information-stealing malware known as Typhon Reborn has resurfaced with an updated version (V2) that packs in improved capabilities to evade detection and resist analysis.


Source:
https://blog.talosintelligence.com/typhon-reborn-v2-features-enhanced-anti-analysis/

2023-04-05
ALPHV_Ransomware_Affiliate_Targeting_Vulnerable_Backup_Installations_to_Gain_Initial_Access
MEDIUM
+

Intel Source:
Mandiant
Intel Name:
ALPHV_Ransomware_Affiliate_Targeting_Vulnerable_Backup_Installations_to_Gain_Initial_Access
Date of Scan:
2023-04-05
Impact:
MEDIUM
Summary:
Mandiant researchers have observed a new ALPHV (aka BlackCat ransomware) ransomware affiliate, tracked as UNC4466, targeting publicly exposed Veritas Backup Exec installations, vulnerable to CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878, for initial access to victim environments.


Source:
https://www.mandiant.com/resources/blog/alphv-ransomware-backup

2023-04-05
An_Attack_Against_Palestinian_Targets_Using_New_Weapons
LOW
+

Intel Source:
Symantec
Intel Name:
An_Attack_Against_Palestinian_Targets_Using_New_Weapons
Date of Scan:
2023-04-05
Impact:
LOW
Summary:
Researchers from Symantec have observed that the Mantis APT group (aka Arid Viper, Desert Falcon, APT-C-23), a threat actor believed to be operating out of the Palestinian territories, is continuing to mount attacks, deploying a refreshed toolset and going to great lengths to maintain a persistent presence on targeted networks.


Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks

2023-04-05
Proxyjacking_Scheme_Exploits_Log4j_Bug_to_Profit_From_Victim_IP_Addresses
LOW
+

Intel Source:
Sysdig
Intel Name:
Proxyjacking_Scheme_Exploits_Log4j_Bug_to_Profit_From_Victim_IP_Addresses
Date of Scan:
2023-04-05
Impact:
LOW
Summary:
Researchers from Sysdig have detected a new attack, dubbed proxyjacking, that leveraged the Log4j vulnerability for initial access. The attacker then sold the victim’s IP addresses to proxyware services for profit.


Source:
https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/

2023-04-05
Chinese_Hacking_Group_RedGolf_Targeting_Windows_and_Linux_Systems
MEDIUM
+

Intel Source:
Mandiant
Intel Name:
Chinese_Hacking_Group_RedGolf_Targeting_Windows_and_Linux_Systems
Date of Scan:
2023-04-05
Impact:
MEDIUM
Summary:
Mandiant researchers have identified that a Chinese state-sponsored threat activity group tracked as RedGolf uses a custom Windows and Linux backdoor called KEYPLUG.


Source:
https://www.mandiant.com/resources/blog/mobileiron-log4shell-exploitation

2023-04-05
Disney_Phishing_Scams
LOW

Intel Source:
Cyber War Zone
Intel Name:
Disney_Phishing_Scams
Date of Scan:
2023-04-05
Impact:
LOW
Summary:
Researchers from Cyber War Zone have identified the latest Disney-related phishing scams of 2023 and provide tips on how to avoid falling victim to them.


Source:
https://cyberwarzone.com/beware-of-disney-phishing-scams-in-2023/?web_view=true

2023-04-05
Arid_Viper_Hacking_Group_Using_Upgraded_Malware
LOW

Intel Source:
Symantec
Intel Name:
Arid_Viper_Hacking_Group_Using_Upgraded_Malware
Date of Scan:
2023-04-05
Impact:
LOW
Summary:
Researchers from Symantec have observed the threat actor known as Arid Viper using refreshed variants of its malware toolkit in attacks targeting Palestinian entities since September 2022.


Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord

2023-04-05
New_Ransomware_Rorschach_Targeting_US_Based_Company
MEDIUM

Intel Source:
Checkpoint
Intel Name:
New_Ransomware_Rorschach_Targeting_US_Based_Company
Date of Scan:
2023-04-05
Impact:
MEDIUM
Summary:
Checkpoint researchers have analyzed the Rorschach ransomware and revealed the emergence of a new ransomware strain in the crimeware landscape. Its developers implemented new anti-analysis and defense evasion techniques to avoid detection and make it more difficult for security software and researchers to analyze and mitigate its effects.


Source:
https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/

2023-04-04
Analyzing_Rhadamanthys_infostealer
LOW

Intel Source:
Checkpoint
Intel Name:
Analyzing_Rhadamanthys_infostealer
Date of Scan:
2023-04-04
Impact:
LOW
Summary:
Checkpoint researchers provided the highlights of the Dark Web ‘buzz’ surrounding this malware. They shared insights which confirm that, by the nature of how the malware is used, large organizations are also being subjected to incidental drive-by attacks that have a theoretical potential to escalate. Rhadamanthys is an advanced infostealer which debuted on the dark web in September of last year to a warm critical reception by cybercriminals.


Source:
https://research.checkpoint.com/2023/rhadamanthys-the-everything-bagel-infostealer/

2023-04-04
Vulnerability_in_WordPress_Elementor_Pro_Patched
LOW

Intel Source:
Sucuri
Intel Name:
Vulnerability_in_WordPress_Elementor_Pro_Patched
Date of Scan:
2023-04-04
Impact:
LOW
Summary:
Researchers from Sucuri have analyzed the WordPress Elementor Pro vulnerability that allows authenticated users to arbitrarily change wp_options values within the database via the AJAX action of Elementor Pro working in conjunction with WooCommerce.


Source:
https://blog.sucuri.net/2023/03/high-severity-vulnerability-in-wordpress-elementor-pro-patched.html

2023-04-04
New_European_APT_Group_Named_FusionCore
LOW

Intel Source:
Cyfirma
Intel Name:
New_European_APT_Group_Named_FusionCore
Date of Scan:
2023-04-04
Impact:
LOW
Summary:
Cyfirma researchers have identified a new European threat actor group known as FusionCore that runs a Malware-as-a-Service business alongside a hacker-for-hire operation. The group offers a wide variety of tools and services on its website, making it a one-stop shop for threat actors looking to purchase cost-effective yet customizable malware.


Source:
https://www.cyfirma.com/outofband/the-rise-of-fusioncore-an-emerging-cybercrime-group-from-europe/

2023-04-04
IRS_Authorized_Tax_Return_Filing_Software_Caught_Serving_JS_Malware
LOW

Intel Source:
MalwareHunter, ISC.SANS
Intel Name:
IRS_Authorized_Tax_Return_Filing_Software_Caught_Serving_JS_Malware
Date of Scan:
2023-04-04
Impact:
LOW
Summary:
Researchers from MalwareHunter have observed a malicious JavaScript file that was present on the eFile[.]com website for weeks. eFile[.]com is an IRS-authorized e-file software service provider used by many for filing their tax returns, and it has been caught serving JavaScript malware.


Source:
https://twitter.com/malwrhunterteam/status/1642988428080865281 https://isc.sans.edu/diary/Supply+Chain+Compromise+or+False+Positive+The+Intriguing+Case+of+efilecom+updated+confirmed+malicious+code/29708/

2023-04-04
The_distribution_of_Nevada_Ransomware_in_Korea
LOW

Intel Source:
ASEC
Intel Name:
The_distribution_of_Nevada_Ransomware_in_Korea
Date of Scan:
2023-04-04
Impact:
LOW
Summary:
ASEC researchers have identified new cases of the Nevada ransomware during internal monitoring. Nevada's defining trait is that it adds the “.NEVADA” extension to the files it encrypts. After encrypting directories, it creates ransom notes named “README.txt” in every directory. These notes contain a Tor browser link for ransom payments.


Source:
https://asec.ahnlab.com/en/50063/

2023-04-04
The_Malware_Sample_Analysis_of_Cl0p_Ransomware
LOW

Intel Source:
Cyble
Intel Name:
The_Malware_Sample_Analysis_of_Cl0p_Ransomware
Date of Scan:
2023-04-04
Impact:
LOW
Summary:
Cyble researchers have analyzed Cl0p ransomware samples, which are executable files with a Graphical User Interface (GUI) compiled using Microsoft Visual C/C++.


Source:
https://blog.cyble.com/2023/04/03/cl0p-ransomware-active-threat-plaguing-businesses-worldwide/

2023-04-03
New_Cylance_Ransomware_Targeting_Linux_and_Windows
LOW

Intel Source:
Fortinet
Intel Name:
New_Cylance_Ransomware_Targeting_Linux_and_Windows
Date of Scan:
2023-04-03
Impact:
LOW
Summary:
FortiGuard Labs researchers have identified two new ransomware families named Dark Power and PayMe100USD. Dark Power ransomware launched in early February 2023 and is a rare ransomware breed in that it was written in the Nim programming language. PayMe100USD ransomware, written in Python and discovered in March 2023, has basic functionality and performs ordinary ransomware activities.


Source:
https://www.fortinet.com/blog/threat-research/dark-power-and-payme100usd-ransomware?&web_view=true

2023-04-03
MalSpam_Delivering_Malicious_ISO
LOW

Intel Source:
DFIR Report
Intel Name:
MalSpam_Delivering_Malicious_ISO
Date of Scan:
2023-04-03
Impact:
LOW
Summary:
The DFIR Report researchers have observed that IcedID continues to deliver malspam emails to facilitate a compromise, and their post covers the activity from a campaign in late September 2022. Post-exploitation activities detail some familiar and some new techniques and tooling, which led to domain-wide ransomware.


Source:
https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/

2023-04-03
ICS_compromised_Due_to_Installation_of_Unlicensed_Microsoft_Office
MEDIUM

Intel Source:
CERT-UA
Intel Name:
ICS_compromised_Due_to_Installation_of_Unlicensed_Microsoft_Office
Date of Scan:
2023-04-03
Impact:
MEDIUM
Summary:
CERT-UA researchers have identified unauthorized access to the information and communication system (ICS) of one of the utility companies. The initial compromise of the computer took place on 19.01.2023 as a result of the installation of an unlicensed version of Microsoft Office 2019.


Source:
https://cert.gov.ua/article/4279195

2023-04-03
New_Variant_of_Xloader_Malware
MEDIUM

Intel Source:
PaloAlto
Intel Name:
New_Variant_of_Xloader_Malware
Date of Scan:
2023-04-03
Impact:
MEDIUM
Summary:
Researchers from PaloAlto have discovered a new ransomware named Cylance Ransomware which is targeting Windows and Linux systems.


Source:
https://twitter.com/Unit42_Intel/status/1641588431221342208

2023-04-03
Money_Message_Ransomware_Targeting_Worldwide
LOW

Intel Source:
ZScaler
Intel Name:
Money_Message_Ransomware_Targeting_Worldwide
Date of Scan:
2023-04-03
Impact:
LOW
Summary:
Researchers from Zscaler have identified a new ransomware gang named ‘Money Message’ that targets victims worldwide and demands million-dollar ransoms in exchange for not leaking data and for releasing a decryptor.


Source:
https://twitter.com/Threatlabz/status/1641113991824158720

2023-04-01
New_Infostealer_LummaC2_Distributing_Under_the_Mask_of_Illegal_Cracks
LOW

Intel Source:
ASEC
Intel Name:
New_Infostealer_LummaC2_Distributing_Under_the_Mask_of_Illegal_Cracks
Date of Scan:
2023-04-01
Impact:
LOW
Summary:
ASEC researchers have identified a new infostealer called LummaC2 that is being distributed disguised as illegal programs such as cracks and keygens.


Source:
https://asec.ahnlab.com/en/50594/

2023-04-01
Analyzing_CHM_Malware_Using_EDR
LOW

Intel Source:
ASEC
Intel Name:
Analyzing_CHM_Malware_Using_EDR
Date of Scan:
2023-04-01
Impact:
LOW
Summary:
ASEC researchers have identified an APT attack case that recently used a CHM (Compiled HTML Help) file. Threat actors can embed malicious script code in the HTML files packaged inside a CHM, and the inserted script is executed through hh.exe, a default OS application.


Source:
https://asec.ahnlab.com/en/50580/

2023-04-01
New_OpcJacker_Malware_Distributing_via_Fake_VPN_Malvertising
LOW

Intel Source:
TrendMicro
Intel Name:
New_OpcJacker_Malware_Distributing_via_Fake_VPN_Malvertising
Date of Scan:
2023-04-01
Impact:
LOW
Summary:
TrendMicro researchers have discovered a new malware, which they named OpcJacker, that has been distributed in the wild since the second half of 2022. Its main functions include keylogging, taking screenshots, stealing sensitive data from browsers, loading additional modules, and replacing cryptocurrency addresses in the clipboard for hijacking purposes.


Source:
https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html

2023-04-01
The_Deep_Examination_of_Royal_Ransomware
LOW

Intel Source:
Quickheal
Intel Name:
The_Deep_Examination_of_Royal_Ransomware
Date of Scan:
2023-04-01
Impact:
LOW
Summary:
QuickHeal researchers have conducted a deep analysis of the Royal ransomware. It was first observed in mid-2022 and is a type of ransomware that encrypts all volumes, including network shared drives.


Source:
https://blogs.quickheal.com/deep-dive-into-royal-ransomware/

2023-04-01
The_Detection_and_Defense_Technique_of_AsyncRAT
LOW

Intel Source:
Splunk
Intel Name:
The_Detection_and_Defense_Technique_of_AsyncRAT
Date of Scan:
2023-04-01
Impact:
LOW
Summary:
Splunk researchers have analyzed AsyncRAT and provided detection and defense techniques. It is a popular commodity malware, and threat actors use several script loaders and spear-phishing attachments to deliver AsyncRAT to targeted hosts or networks in different campaigns.


Source:
https://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html

2023-04-01
Emotet_Distributing_via_OneNote
LOW

Intel Source:
ASEC
Intel Name:
Emotet_Distributing_via_OneNote
Date of Scan:
2023-04-01
Impact:
LOW
Summary:
Researchers from ASEC have discovered Emotet being distributed via OneNote. A spear-phishing email with an attached OneNote file prompts the reader to open the attachment, which contains a malicious script file (JS file).


Source:
https://asec.ahnlab.com/en/50564/

2023-03-31
New_TACTICAL_OCTOPUS_Attack_Campaign_Targeting_US_Entities
MEDIUM

Intel Source:
Securonix Threat Labs
Intel Name:
New_TACTICAL_OCTOPUS_Attack_Campaign_Targeting_US_Entities
Date of Scan:
2023-03-31
Impact:
MEDIUM
Summary:
Securonix Threat Labs researchers have observed that threat actors are ramping up tax-related phishing scams to US-based victims to infect systems with stealthy malware.


Source:
https://www.securonix.com/blog/new-tacticaloctopus-attack-campaign-targets-us-entities-with-malware-bundled-in-tax-themed-documents/

2023-03-31
New_APT_Group_TA473_Exploiting_Zimbra_Vulnerability
MEDIUM

Intel Source:
Proofpoint
Intel Name:
New_APT_Group_TA473_Exploiting_Zimbra_Vulnerability
Date of Scan:
2023-03-31
Impact:
MEDIUM
Summary:
Researchers from Proofpoint have observed a newly minted advanced persistent threat actor named TA473 exploiting Zimbra vulnerability CVE-2022-27926 to abuse publicly facing Zimbra-hosted webmail portals. The goal of this activity is assessed to be gaining access to the emails of military, government, and diplomatic organizations across Europe involved in the Russia-Ukraine war.


Source:
https://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability

2023-03-31
ASEC_Weekly_Malware_statistics_March_13_19th_2023
LOW

Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Malware_statistics_March_13_19th_2023
Date of Scan:
2023-03-31
Impact:
LOW
Summary:
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. Their post covers weekly statistics collected from March 13th, 2023 to March 19th, 2023.


Source:
https://asec.ahnlab.com/en/50173/

2023-03-31
Hackers_Spreading_ShellBot_and_Moobot_Malware_on_Exploitable_Servers
MEDIUM

Intel Source:
Fortinet
Intel Name:
Hackers_Spreading_ShellBot_and_Moobot_Malware_on_Exploitable_Servers
Date of Scan:
2023-03-31
Impact:
MEDIUM
Summary:
Researchers from FortiGuard Labs have observed several attacking bursts targeting Cacti and Realtek vulnerabilities in January and March of this year and then spreading ShellBot and Moobot malware.


Source:
https://www.fortinet.com/blog/threat-research/moobot-strikes-again-targeting-cacti-and-realtek-vulnerabilities?&web_view=true

2023-03-31
ASEC_Weekly_Phishing_Email_sample_analyses_Mar_4th_to_11th_2023
LOW

Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Phishing_Email_sample_analyses_Mar_4th_to_11th_2023
Date of Scan:
2023-03-31
Impact:
LOW
Summary:
ASEC lab researchers continuously monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypots. Their post shares the cases of phishing email distribution observed during the week from March 5th, 2023 to March 11th, 2023 and provides statistical information on each type.


Source:
https://asec.ahnlab.com/en/49839/

2023-03-31
Defensive_Considerations_for_Lazarus_FudModule
LOW

Intel Source:
Security Intelligence
Intel Name:
Defensive_Considerations_for_Lazarus_FudModule
Date of Scan:
2023-03-31
Impact:
LOW
Summary:
Security Intelligence analysts published a blog post focused on detection capabilities for the FudModule within the Lazarus sample analyzed by X-Force, as well as a summary of a strategy that uses telemetry stream health to detect malware designed to impair defenses through ETW tampering.


Source:
https://securityintelligence.com/posts/defensive-considerations-lazarus-fudmodule/?c=Threat%20Research

2023-03-30
The_distribution_of_a_OneNote_malware_by_Kimsuky
LOW

Intel Source:
ASEC
Intel Name:
The_distribution_of_a_OneNote_malware_by_Kimsuky
Date of Scan:
2023-03-30
Impact:
LOW
Summary:
ASEC has observed the distribution of a OneNote malware disguised as a form related to compensation. The confirmed file impersonates the same research center as the LNK-type malware mentioned earlier. Based on the identical malicious activity performed by the VBS files, the team concluded that the same actor, the Kimsuky group, is behind both incidents.


Source:
https://asec.ahnlab.com/en/50303/

2023-03-30
Supply_Chain_Attack_on_3CX_Desktop_Apps_Threatens_Millions_at_Risk
MEDIUM

Intel Source:
Sentinelone
Intel Name:
Supply_Chain_Attack_on_3CX_Desktop_Apps_Threatens_Millions_at_Risk
Date of Scan:
2023-03-30
Impact:
MEDIUM
Summary:
Researchers from SentinelOne have identified that the trojanized 3CX desktop app is the first stage in a multi-stage attack chain that pulls ICO files appended with Base64 data from GitHub and ultimately leads to a third-stage infostealer DLL.


Source:
https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/

2023-03-30
ShellBot_Malware_distribution
MEDIUM

Intel Source:
ASEC
Intel Name:
ShellBot_Malware_distribution
Date of Scan:
2023-03-30
Impact:
MEDIUM
Summary:
ASEC researchers have recently observed the ShellBot malware being installed on Linux SSH servers. ShellBot, aka PerlBot, is a DDoS bot malware developed in Perl that characteristically uses the IRC protocol to communicate with its C&C server. ShellBot is an old malware that has been in steady use and is still being used today to launch attacks against Linux systems.


Source:
https://asec.ahnlab.com/en/49769/comment-page-2/#comments

2023-03-30
AlienFox_Toolkit_Stealing_Cloud_Service_Credentials
HIGH

Intel Source:
Sentinelone
Intel Name:
AlienFox_Toolkit_Stealing_Cloud_Service_Credentials
Date of Scan:
2023-03-30
Impact:
HIGH
Summary:
SentinelOne researchers have identified a new modular toolkit called AlienFox which allows threat actors to scan for misconfigured servers to steal authentication secrets and credentials for cloud-based email services.


Source:
https://assets.sentinelone.com/sentinellabs22/s1_-sentinellabs_dis#page=1

2023-03-30
ChinaZ_DDoS_Bot_malware_distribution
MEDIUM

Intel Source:
ASEC
Intel Name:
ChinaZ_DDoS_Bot_malware_distribution
Date of Scan:
2023-03-30
Impact:
MEDIUM
Summary:
ASEC has observed the ChinaZ DDoS Bot malware being installed on Linux SSH servers. The ChinaZ group, discovered in 2014, installs various DDoS bots on Windows and Linux systems. Major DDoS bots suspected to have been created by the ChinaZ threat group include XorDDoS, AESDDoS, BillGates, and MrBlack.


Source:
https://asec.ahnlab.com/en/50316/

2023-03-29
New_Linux_Malware_Linked_With_Chinese_APT_Groups
MEDIUM

Intel Source:
Exatrack
Intel Name:
New_Linux_Malware_Linked_With_Chinese_APT_Groups
Date of Scan:
2023-03-29
Impact:
MEDIUM
Summary:
Exatrack researchers have discovered a novel piece of malware aimed at Linux servers, dubbed Mélofée, which has been linked to an unknown Chinese state-sponsored hacking group.


Source:
https://blog.exatrack.com/melofee/

2023-03-29
A_Deep_Dive_into_APT43
MEDIUM

Intel Source:
Mandiant
Intel Name:
A_Deep_Dive_into_APT43
Date of Scan:
2023-03-29
Impact:
MEDIUM
Summary:
Mandiant researchers have assessed with high confidence that APT43 is a moderately-sophisticated cyber operator that supports the interests of the North Korean regime. Campaigns attributed to APT43 include strategic intelligence collection aligned with Pyongyang’s geopolitical interests, credential harvesting, and social engineering to support espionage activities, and financially-motivated cybercrime to fund operations.


Source:
https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

2023-03-29
Kimsuky_Group_Leveraging_Alternate_Data_Stream_to_Hide_Malware
LOW

Intel Source:
ASEC
Intel Name:
Kimsuky_Group_Leveraging_Alternate_Data_Stream_to_Hide_Malware
Date of Scan:
2023-03-29
Impact:
LOW
Summary:
Researchers from ASEC have discovered that the Kimsuky group is using Alternate Data Stream (ADS) to hide their malware. This malware is an Infostealer that collects data by starting the VBScript included inside an HTML file. It can be characterized by its tendency to add the actual code between numerous dummy codes.


Source:
https://asec.ahnlab.com/en/50625/

2023-03-29
Tofsee_Botnet_Engaging_With_Proxying_and_Mining
LOW

Intel Source:
BitSight
Intel Name:
Tofsee_Botnet_Engaging_With_Proxying_and_Mining
Date of Scan:
2023-03-29
Impact:
LOW
Summary:
Researchers from BitSight have observed a 15-year-old modular spambot called Tofsee being distributed by PrivateLoader (ruzki), a notorious malware distribution service.


Source:
https://www.bitsight.com/blog/tofsee-botnet-proxying-and-mining

2023-03-29
New_Threats_Delivering_Through_NullMixer_Malware
LOW

Intel Source:
Medium
Intel Name:
New_Threats_Delivering_Through_NullMixer_Malware
Date of Scan:
2023-03-29
Impact:
LOW
Summary:
Researchers from Medium have identified that the NullMixer malware operation reveals Italy and France to be the favorite European countries from the opportunistic attackers’ perspective. They obtained information and data regarding an ongoing malware operation hitting more than 8.000 targets within a few weeks, with a particular emphasis on North American, Italian, and French targets.


Source:
https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1

2023-03-29
Hackers_From_Bitter_Group_Targeting_Chinese_Nuclear_Energy_Industry
LOW

Intel Source:
Intezer
Intel Name:
Hackers_From_Bitter_Group_Targeting_Chinese_Nuclear_Energy_Industry
Date of Scan:
2023-03-29
Impact:
LOW
Summary:
Researchers from Intezer have observed a cyberespionage hacking group tracked as ‘Bitter APT’ targeting the Chinese nuclear energy industry, using phishing emails to infect devices with malware downloaders.


Source:
https://www.intezer.com/blog/research/phishing-campaign-targets-nuclear-energy-industry/

2023-03-28
A_new_Malware_as_a_Service_platform_Cinoshi
LOW

Intel Source:
Cyble
Intel Name:
A_new_Malware_as_a_Service_platform_Cinoshi
Date of Scan:
2023-03-28
Impact:
LOW
Summary:
Cyble researchers discovered a new Malware-as-a-Service (MaaS) platform, “Cinoshi”. Cinoshi’s arsenal consists of a stealer, botnet, clipper, and cryptominer. This MaaS platform is now offering its stealer and web panel for free, which is rarely seen. The accessibility of these free malware services indicates that attackers no longer need technical expertise or resources to launch cyber-attacks.


Source:
https://blog.cyble.com/2023/03/23/cinoshi-project-and-the-dark-side-of-free-maas/

2023-03-28
BlackGuard_stealer_new_variant
LOW

Intel Source:
AT&T
Intel Name:
BlackGuard_stealer_new_variant
Date of Scan:
2023-03-28
Impact:
LOW
Summary:
AT&T Alien Labs researchers have observed a new variant of the BlackGuard stealer in the wild, infecting victims via spear-phishing attacks. BlackGuard steals sensitive user information from a wide range of applications and browsers, can hijack crypto wallet addresses copied to the clipboard, and also tries to propagate through removable media and shared devices.


Source:
https://cybersecurity.att.com/blogs/labs-research/blackguard-stealer-extends-its-capabilities-in-new-variant

2023-03-28
DBatLoader_Targeting_European_Businesses_via_Phishing_Email
LOW

Intel Source:
ZScaler
Intel Name:
DBatLoader_Targeting_European_Businesses_via_Phishing_Email
Date of Scan:
2023-03-28
Impact:
LOW
Summary:
Researchers from Zscaler have identified a new campaign involving DBatLoader also known as ModiLoader that specifically targets manufacturing companies and various businesses in European countries via phishing emails.


Source:
https://www.zscaler.com/blogs/security-research/dbatloader-actively-distributing-malwares-targeting-european-businesses

2023-03-28
The_Investigation_of_CVE_2023_23397
HIGH

Intel Source:
Microsoft
Intel Name:
The_Investigation_of_CVE_2023_23397
Date of Scan:
2023-03-28
Impact:
HIGH
Summary:
Microsoft researchers have provided guidance on the steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397. A successful exploit of this vulnerability can result in unauthorized access to an organization’s environment by triggering a Net-NTLMv2 hash leak.


Source:
https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/

2023-03-28
Earth_Preta_Cyberespionage_Campaign_Hits_Over_200
LOW

Intel Source:
TrendMicro
Intel Name:
Earth_Preta_Cyberespionage_Campaign_Hits_Over_200
Date of Scan:
2023-03-28
Impact:
LOW
Summary:
TrendMicro researchers have analyzed the active campaign, delving into the structure, goals, and requirements of the organizations involved, which provides an opportunity to conduct wider intelligence analysis and gain insights for the development of effective countermeasures.


Source:
https://www.trendmicro.com/en_us/research/23/c/earth-preta-cyberespionage-campaign-hits-over-200.html

2023-03-28
The_Hunter_obfuscator_used_by_Magecart_skimmer
LOW

Intel Source:
Malwarebytes
Intel Name:
The_Hunter_obfuscator_used_by_Magecart_skimmer
Date of Scan:
2023-03-28
Impact:
LOW
Summary:
Malwarebytes researchers discovered and analyzed a Magecart skimmer that uses Hunter, a PHP-based JavaScript obfuscator. During their investigation, they observed a number of domains, all part of the same infrastructure, hosting custom skimmers for several Magento stores.


Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/03/hunter-skimmer

2023-03-27
MacOS_Malware_Targeting_Data_Assets
LOW

Intel Source:
Sentinelone
Intel Name:
MacOS_Malware_Targeting_Data_Assets
Date of Scan:
2023-03-27
Impact:
LOW
Summary:
SentinelOne researchers have examined the data assets targeted by macOS malware in some of the most recent in-the-wild incidents, in order to help defenders better protect the enterprise and hunt for signs of compromise.


Source:
https://www.sentinelone.com/blog/session-cookies-keychains-ssh-keys-and-more-7-kinds-of-data-malware-steals-from-macos-users/

2023-03-27
New_Era_of_IcedID
MEDIUM

Intel Source:
Proofpoint
Intel Name:
New_Era_of_IcedID
Date of Scan:
2023-03-27
Impact:
MEDIUM
Summary:
Proofpoint researchers have observed three new distinct variants of the malware known as IcedID, which Proofpoint calls the “Forked”, “Lite”, and Standard IcedID variants. IcedID was originally classified as banking malware and was first observed in 2017. It also acts as a loader for other malware, including ransomware. There are several key differences between the initial and new variants; one key difference is the removal of banking functionality such as web injects and backconnect. Proofpoint researchers suspect the original operators behind Emotet are using an IcedID variant with different functionality.


Source:
https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid?utm_source=social_organic&utm_social_network=twitter&utm_campaign=threat_research&utm_post_id=f0afcf84-fcda-487f-9e48-d05eabdbf03d

2023-03-27
New_macOS_based_Stealer_MacStealer_Malware
LOW

Intel Source:
Uptycs
Intel Name:
New_macOS_based_Stealer_MacStealer_Malware
Date of Scan:
2023-03-27
Impact:
LOW
Summary:
The Uptycs threat research team has observed another macOS stealer, “MacStealer”. The threat actor distributing MacStealer was discovered by the Uptycs threat intelligence team during their dark web hunting. The stealer can extract documents, cookies from a victim’s browser, and login information. It affects Catalina and subsequent macOS versions running on Intel, M1, and M2 CPUs.


Source:
https://www.uptycs.com/blog/macstealer-command-and-control-c2-malware

2023-03-27
A_new_ransomware_named_Dark_Power
MEDIUM

Intel Source:
Trellix
Intel Name:
A_new_ransomware_named_Dark_Power
Date of Scan:
2023-03-27
Impact:
MEDIUM
Summary:
Researchers from Trellix have identified a new ransomware operation named ‘Dark Power’ that has already listed its first victims on a dark web data leak site, threatening to publish the data if a ransom is not paid.


Source:
https://www.trellix.com/en-us/about/newsroom/stories/research/shining-light-on-dark-power.html

2023-03-25
MDS_Evasion_Feature_of_Anti_Sandboxes_That_Use_Pop_up_Windows
LOW

Intel Source:
ASEC
Intel Name:
MDS_Evasion_Feature_of_Anti_Sandboxes_That_Use_Pop_up_Windows
Date of Scan:
2023-03-25
Impact:
LOW
Summary:
ASEC researchers have monitored various anti-sandbox tactics used to evade sandboxes. Their post covers a persistent anti-sandbox technique that exploits the button form of malicious IcedID Word files, as well as the evasion feature of AhnLab’s MDS, which is designed to detect such malicious behavior.


Source:
https://asec.ahnlab.com/en/50198/

2023-03-25
Microsoft_Office_Outlook_Privilege_Escalation_Vulnerability
HIGH

Intel Source:
ASEC
Intel Name:
Microsoft_Office_Outlook_Privilege_Escalation_Vulnerability
Date of Scan:
2023-03-25
Impact:
HIGH
Summary:
Researchers from ASEC have analyzed the Microsoft vulnerability in Outlook for Windows that is being exploited to steal NTLM credentials.


Source:
https://asec.ahnlab.com/en/50218/

2023-03-25
Chinese_Hackers_Targeting_Middle_East_Telecom_Providers
LOW

Intel Source:
Sentinelone
Intel Name:
Chinese_Hackers_Targeting_Middle_East_Telecom_Providers
Date of Scan:
2023-03-25
Impact:
LOW
Summary:
SentinelLabs researchers have observed the use of a well-maintained, versioned credential theft capability and a new dropper mechanism indicative of an ongoing development effort by a highly-motivated threat actor with specific tasking requirements.


Source:
https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/

2023-03-25
Exploring_New_Public_Cloud_File_Borne_Phishing_Attack
LOW

Intel Source:
Inquest
Intel Name:
Exploring_New_Public_Cloud_File_Borne_Phishing_Attack
Date of Scan:
2023-03-25
Impact:
LOW
Summary:
Researchers from InQuest Labs have analyzed a credential phishing attack discovered by a municipal government organization. The email arrived from a compromised sender account address. The sender organization in the observed samples is the municipality’s county health agency.


Source:
https://inquest.net/blog/2023/03/22/credential-caution-exploring-new-public-cloud-file-borne-phishing-attack

2023-03-25
Earth_Preta_Changing_its_TTPs_to_Bypass_Security_Solutions
LOW

Intel Source:
TrendMicro
Intel Name:
Earth_Preta_Changing_its_TTPs_to_Bypass_Security_Solutions
Date of Scan:
2023-03-25
Impact:
LOW
Summary:
TrendMicro researchers have discovered Earth Preta delivering lure archives via spear-phishing emails and Google Drive links. After months of investigation, they identified that several undisclosed malware and interesting tools used for exfiltration purposes were used in this campaign.


Source:
https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html

2023-03-24
New_Kritec_Magecart_Skimmer_Targeting_Magento_Stores
LOW

Intel Source:
Malwarebytes
Intel Name:
New_Kritec_Magecart_Skimmer_Targeting_Magento_Stores
Date of Scan:
2023-03-24
Impact:
LOW
Summary:
Malwarebytes researchers have identified instances of compromised stores having both skimmers loaded, which means double trouble for victims as their credit card information is stolen not just once but twice.


Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/03/new-kritec-skimmer

2023-03-24
Diving_Deep_into_UNC961
LOW

Intel Source:
Mandiant
Intel Name:
Diving_Deep_into_UNC961
Date of Scan:
2023-03-24
Impact:
LOW
Summary:
Researchers from Mandiant have analyzed the details and timeline of each intrusion conducted by UNC961, along with detection opportunities and examples of how Managed Defense’s proactive threat hunting, investigation, and response routinely limits the impact on their customers’ business and prevents their reality from being desecrated.


Source:
https://www.mandiant.com/resources/blog/unc961-multiverse-financially-motivated

2023-03-24
AresLoader_Linked_With_Russian_APT_Group
LOW

Intel Source:
Intel471
Intel Name:
AresLoader_Linked_With_Russian_APT_Group
Date of Scan:
2023-03-24
Impact:
LOW
Summary:
Intel471 researchers have observed a new loader malware-as-a-service (MaaS) named AresLoader, offered by threat actors with links to Russian hacktivism and recently spotted in the wild.


Source:
https://intel471.com/blog/new-loader-on-the-bloc-aresloader

2023-03-23
A_Detailed_Examination_of_LockBit_From_CISA_and_MS_ISAC
MEDIUM

Intel Source:
CISA
Intel Name:
A_Detailed_Examination_of_LockBit_From_CISA_and_MS_ISAC
Date of Scan:
2023-03-23
Impact:
MEDIUM
Summary:
Researchers from CISA and MS-ISAC have issued an advisory warning against the LockBit ransomware. Its recommended mitigations include developing a comprehensive restoration plan, employing robust passwords for all accounts, integrating anti-phishing measures, updating software and system versions, and segregating network components, among others.


Source:
https://www.cisa.gov/sites/default/files/2023-03/aa23-075a-stop-ransomware-lockbit.pdf

2023-03-23
The_Analysis_of_Hidden_Threats
LOW
+

Intel Source:
Unit42
Intel Name:
The_Analysis_of_Hidden_Threats
Date of Scan:
2023-03-23
Impact:
LOW
Summary:
Researchers from PaloAlto have discussed two important ways they have been able to tailor the analysis environment. Threats are continually evolving, and architecting analysis systems as more of a flexible, nicely abstracted software development kit instead of a stand-alone monolithic application is crucial.


Source:
https://unit42.paloaltonetworks.com/tailoring-sandbox-techniques/

2023-03-23
The_New_Ransomware_Named_ALC_Ransomware
LOW
+

Intel Source:
Cyfirma
Intel Name:
The_New_Ransomware_Named_ALC_Ransomware
Date of Scan:
2023-03-23
Impact:
LOW
Summary:
CYFIRMA researchers have identified a new strain of malware, named ALC Ransomware, which masquerades as ransomware but is scareware. This malware does not encrypt files on the victim’s machine, but instead disables the task manager, locks the screen, and displays a ransom note.


Source:
https://www.cyfirma.com/outofband/alc-scareware-pretends-to-be-a-ransomware/

2023-03-23
Emotet_Malware_Spreading_via_OneNote_Attachments_to_Deliver_Payloads
LOW
+

Intel Source:
Cyble
Intel Name:
Emotet_Malware_Spreading_via_OneNote_Attachments_to_Deliver_Payloads
Date of Scan:
2023-03-23
Impact:
LOW
Summary:
Cyble researchers have closely monitored the Emotet campaign and identified that it is again spreading malicious emails and infecting devices globally while rebuilding its network.


Source:
https://blog.cyble.com/2023/03/17/recent-emotet-spam-campaign-utilizing-new-tactics/

2023-03-23
An_Emerging_Ransomware_Strain_Named_Trigona_Ransomware
LOW
+

Intel Source:
Unit 42
Intel Name:
An_Emerging_Ransomware_Strain_Named_Trigona_Ransomware
Date of Scan:
2023-03-23
Impact:
LOW
Summary:
PaloAlto researchers have identified two new Trigona ransom notes in January 2023 and two in February 2023. Trigona’s ransom notes are unique; rather than the usual text file, they are instead presented in an HTML Application with embedded JavaScript containing unique computer IDs (CID) and victim IDs (VID).


Source:
https://unit42.paloaltonetworks.com/trigona-ransomware-update/

2023-03-23
SideCopy_APT_group_targets_India_government_organization
LOW
+

Intel Source:
Cyble
Intel Name:
SideCopy_APT_group_targets_India_government_organization
Date of Scan:
2023-03-23
Impact:
LOW
Summary:
Recently, Cyble researchers discovered a Twitter post about an ongoing campaign by the SideCopy APT against the "Defence Research and Development Organisation" of the Indian government. DRDO is a government agency tasked with researching and developing advanced technologies for use by the Indian Armed Forces.


Source:
https://blog.cyble.com/2023/03/21/notorious-sidecopy-apt-group-sets-sights-on-indias-drdo/

2023-03-22
Microsoft_OneNote_Attachments_used_by_QakBot_eCrime_Campaign
LOW
+

Intel Source:
CrowdStrike
Intel Name:
Microsoft_OneNote_Attachments_used_by_QakBot_eCrime_Campaign
Date of Scan:
2023-03-22
Impact:
LOW
Summary:
https://www.crowdstrike.com/blog/qakbot-ecrime-campaign-leverages-microsoft-onenote-for-distribution/


Source:
https://www.crowdstrike.com/blog/qakbot-ecrime-campaign-leverages-microsoft-onenote-for-distribution/

2023-03-22
The_Examination_of_the_Attack_Vectors_of_APT37
LOW
+

Intel Source:
ZScaler
Intel Name:
The_Examination_of_the_Attack_Vectors_of_APT37
Date of Scan:
2023-03-22
Impact:
LOW
Summary:
Researchers from Zscaler have analyzed APT37 and found it is a threat actor heavily focused on targeting entities in South Korea. It is constantly updating its tactics, techniques, and procedures, as is evident from the multiple file types it uses in the initial stages. The themes used by this threat actor range from geopolitics, current events, and education to finance and insurance.


Source:
https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37

2023-03-22
Observed_Exploitation_of_Adobe_ColdFusion
LOW
+

Intel Source:
Rapid7
Intel Name:
Observed_Exploitation_of_Adobe_ColdFusion
Date of Scan:
2023-03-22
Impact:
LOW
Summary:
Rapid7's Threat Intelligence team has observed active exploitation of Adobe ColdFusion in multiple customer environments.


Source:
https://www.rapid7.com/blog/post/2023/03/21/etr-rapid7-observed-exploitation-of-adobe-coldfusion/

2023-03-22
New_ShellBot_DDoS_Malware_Targeting_Poorly_Managed_Linux_Servers
LOW
+

Intel Source:
ASEC
Intel Name:
New_ShellBot_DDoS_Malware_Targeting_Poorly_Managed_Linux_Servers
Date of Scan:
2023-03-22
Impact:
LOW
Summary:
ASEC researchers have observed that poorly managed Linux SSH servers are being targeted as part of a new campaign that deploys different variants of malware called ShellBot. ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server.


Source:
https://asec.ahnlab.com/en/49769/

2023-03-21
Hackers_targeting_DotNET_Developers_With_Malicious_NuGet_Packages
LOW
+

Intel Source:
JFrog
Intel Name:
Hackers_targeting_DotNET_Developers_With_Malicious_NuGet_Packages
Date of Scan:
2023-03-21
Impact:
LOW
Summary:
Researchers from JFrog have identified that threat actors are targeting and infecting .NET developers with cryptocurrency stealers delivered through the NuGet repository and impersonating multiple legitimate packages via typosquatting.


Source:
https://jfrog.com/blog/attackers-are-starting-to-target-net-developers-with-malicious-code-nuget-packages/

2023-03-21
The_Analysis_of_FudModule_within_the_Lazarus
LOW
+

Intel Source:
IBM Security Intelligence
Intel Name:
The_Analysis_of_FudModule_within_the_Lazarus
Date of Scan:
2023-03-21
Impact:
LOW
Summary:
Researchers from IBM Security Intelligence have analyzed the FudModule within the Lazarus sample, as well as highlighted a strategy of using telemetry stream health as a mode of detecting malware designed to impair defenses through ETW tampering.


Source:
https://securityintelligence.com/posts/defensive-considerations-lazarus-fudmodule/

2023-03-21
A_New_APT_Discovered_in_the_Area_of_Russo_Ukrainian_Conflict
LOW
+

Intel Source:
Securelist
Intel Name:
A_New_APT_Discovered_in_the_Area_of_Russo_Ukrainian_Conflict
Date of Scan:
2023-03-21
Impact:
LOW
Summary:
Securelist researchers have identified a new APT group but have not yet found any direct links between the samples and data used in this campaign and any previously known actors. However, the campaign is still active, and the investigation continues.


Source:
https://securelist.com/bad-magic-apt/109087/

2023-03-20
Chinese_Hackers_Suspected_of_Launching_Fortinet_Zero_day_Attacks
MEDIUM
+

Intel Source:
Mandiant
Intel Name:
Chinese_Hackers_Suspected_of_Launching_Fortinet_Zero_day_Attacks
Date of Scan:
2023-03-20
Impact:
MEDIUM
Summary:
Mandiant researchers have discovered that a suspected Chinese hacking group has been linked to a series of attacks on government organizations exploiting a Fortinet zero-day vulnerability (CVE-2022-41328) to deploy malware.


Source:
https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem

2023-03-20
Hackers_From_China_and_Russia_using_SILKLOADER_Malware_to_Avoid_Detection
LOW
+

Intel Source:
WithSecure
Intel Name:
Hackers_From_China_and_Russia_using_SILKLOADER_Malware_to_Avoid_Detection
Date of Scan:
2023-03-20
Impact:
LOW
Summary:
Researchers from WithSecure Labs have investigated an interesting Cobalt Strike beacon loader that leverages DLL side-loading, which they are tracking as SILKLOADER. A closer look at the loader identified several activity clusters leveraging it within both the Russian and Chinese cybercriminal ecosystems.


Source:
https://labs.withsecure.com/content/dam/labs/docs/withsecure-silkloader.pdf

2023-03-20
In_depth_Analysis_of_DotRunpeX_Injector
LOW
+

Intel Source:
Checkpoint
Intel Name:
In_depth_Analysis_of_DotRunpeX_Injector
Date of Scan:
2023-03-20
Impact:
LOW
Summary:
Researchers from Checkpoint have analyzed the dotRunpeX injector and its relation to the older version; the investigation shows that dotRunpeX is used in the wild to deliver numerous known malware families.


Source:
https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized-net-injector-used-in-the-wild/

2023-03-20
Diving_Deep_into_Go_Based_Threat
LOW
+

Intel Source:
Akamai
Intel Name:
Diving_Deep_into_Go_Based_Threat
Date of Scan:
2023-03-20
Impact:
LOW
Summary:
Researchers from Akamai discovered a new botnet named HinataBot at the start of the year. They caught it on their HTTP and SSH honeypots and observed it exploiting old flaws such as CVE-2014-8361 and CVE-2017-17215.


Source:
https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet

2023-03-20
A_New_InfoStealer_Named_HookSpoofer
LOW
+

Intel Source:
Uptycs
Intel Name:
A_New_InfoStealer_Named_HookSpoofer
Date of Scan:
2023-03-20
Impact:
LOW
Summary:
Uptycs researchers have discovered a new infostealer with keylogging and clipper capabilities named HookSpoofer, spread by multiple bundlers. A bundler is a collection of two or more files combined together in a single package.


Source:
https://www.uptycs.com/blog/threat-research-hookspoofer

2023-03-20
BianLian_Ransomware_Gang_Turns_to_Data_Extortion
LOW
+

Intel Source:
Redacted
Intel Name:
BianLian_Ransomware_Gang_Turns_to_Data_Extortion
Date of Scan:
2023-03-20
Impact:
LOW
Summary:
Redacted researchers have identified that the BianLian ransomware group has shifted its focus from encrypting its victims' files to only exfiltrating data found on compromised networks and using it for extortion.


Source:
https://redacted.com/blog/bianlian-ransomware-gang-continues-to-evolve/

2023-03-18
ChatGPT_Rising_Activities_in_Cybercrime_World
MEDIUM
+

Intel Source:
G Data Blog
Intel Name:
ChatGPT_Rising_Activities_in_Cybercrime_World
Date of Scan:
2023-03-18
Impact:
MEDIUM
Summary:
Researchers from G DATA have observed that cyberthreat actors capitalize on prominent social events and the latest technology buzzwords to launch their attacks. The curtain raiser for 2023 that made the headlines was the clamor around and viral use of a very human-sounding artificial intelligence chatbot named ChatGPT.


Source:
https://www.gdatasoftware.com/blog/2023/03/37716-chatgpt-evil-twin

2023-03-18
APT_C_36_Linked_With_Campaigns
LOW
+

Intel Source:
Lab52
Intel Name:
APT_C_36_Linked_With_Campaigns
Date of Scan:
2023-03-18
Impact:
LOW
Summary:
Researchers from Lab52 have observed that the APT-C-36 group has many similarities in terms of tactics, techniques, and procedures (TTPs) with the group Hagga / Aggah.


Source:
https://lab52.io/blog/apt-c-36-from-njrat-to-apt-c-36/

2023-03-18
The_Investigation_of_Winter_Vivern_APT_Activity
LOW
+

Intel Source:
Sentinelone
Intel Name:
The_Investigation_of_Winter_Vivern_APT_Activity
Date of Scan:
2023-03-18
Impact:
LOW
Summary:
SentinelOne researchers have analyzed Winter Vivern Advanced Persistent Threat (APT) activity, leveraging observations made by the Polish CBZC and Ukraine CERT, and uncovered a previously unknown set of espionage campaigns and targeting activities conducted by this threat actor.


Source:
https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/

2023-03-18
The_Popularity_of_ProxyNotShell_Continues_to_Grow
LOW
+

Intel Source:
Sophos
Intel Name:
The_Popularity_of_ProxyNotShell_Continues_to_Grow
Date of Scan:
2023-03-18
Impact:
LOW
Summary:
Researchers from Sophos have observed that the ProxyNotShell vulnerability continues to make waves as the November 2022 fixes fail to contain the SSRF tactic.


Source:
https://news.sophos.com/en-us/2023/03/15/observing-owassrf-exchange-exploitation-still/

2023-03-17
Hackers_From_YoroTrooper_Group_Targeting_CIS_Energy_Orgs_and_EU_Embassies
MEDIUM
+

Intel Source:
Talos
Intel Name:
Hackers_From_YoroTrooper_Group_Targeting_CIS_Energy_Orgs_and_EU_Embassies
Date of Scan:
2023-03-17
Impact:
MEDIUM
Summary:
Cisco Talos researchers have identified that a new threat actor named 'YoroTrooper' has been running cyber-espionage campaigns since at least June 2022, targeting government and energy organizations in Commonwealth of Independent States (CIS) countries.


Source:
https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/

2023-03-16
Mallox_Ransomware_Distributing_in_Korea
LOW
+

Intel Source:
ASEC
Intel Name:
Mallox_Ransomware_Distributing_in_Korea
Date of Scan:
2023-03-16
Impact:
LOW
Summary:
ASEC researchers have discovered the distribution of the Mallox ransomware which targets vulnerable MS-SQL servers.


Source:
https://asec.ahnlab.com/en/49366/

2023-03-16
Telerik_Vulnerability_in_US_Government_IIS_Server
MEDIUM
+

Intel Source:
CISA
Intel Name:
Telerik_Vulnerability_in_US_Government_IIS_Server
Date of Scan:
2023-03-16
Impact:
MEDIUM
Summary:
CISA, the FBI, and MS-ISAC released a joint Cybersecurity Advisory. This joint CSA provides IT infrastructure defenders with TTPs, IOCs, and detection and protection methods against similar successful exploitation of CVE-2019-18935.


Source:
https://www.cisa.gov/news-events/cybersecurity-advisories?search_api_fulltext=&sort_by=field_release_date&page=1

2023-03-16
Hackers_Exploiting_SVB_Collapse_Scenario
LOW
+

Intel Source:
Cyble
Intel Name:
Hackers_Exploiting_SVB_Collapse_Scenario
Date of Scan:
2023-03-16
Impact:
LOW
Summary:
Cyble researchers have identified several suspicious websites that have emerged in the wake of the Silicon Valley Bank (SVB) collapse.


Source:
https://blog.cyble.com/2023/03/14/svb-collapse-triggers-heightened-cybersecurity-concerns/

2023-03-16
Russian_Threat_Group_NOBELIUM_Targeting_Western_Countries
MEDIUM
+

Intel Source:
Blackberry
Intel Name:
Russian_Threat_Group_NOBELIUM_Targeting_Western_Countries
Date of Scan:
2023-03-16
Impact:
MEDIUM
Summary:
Researchers from Blackberry have observed a new campaign targeting European Union countries, specifically, its diplomatic entities and systems transmitting sensitive information about the region’s politics, aiding Ukrainian citizens fleeing the country, and providing help to the government of Ukraine.


Source:
https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine

2023-03-16
Microsoft_SmartScreen_Bypassed_by_Magniber_Ransomware_Actors
LOW
+

Intel Source:
Google Blog
Intel Name:
Microsoft_SmartScreen_Bypassed_by_Magniber_Ransomware_Actors
Date of Scan:
2023-03-16
Impact:
LOW
Summary:
Researchers from Google threat analysis group have discovered the usage of an unpatched security bypass in Microsoft’s SmartScreen security feature, which financially motivated actors are using to deliver the Magniber ransomware without any security warnings. The attackers are delivering MSI files signed with an invalid but specially crafted Authenticode signature.


Source:
https://blog.google/threat-analysis-group/magniber-ransomware-actors-used-a-variant-of-microsoft-smartscreen-bypass/

2023-03-16
Large_Scale_Phishing_Campaigns_are_Powered_by_DEV_1101_AiTM_Phishing_Kit
MEDIUM
+

Intel Source:
Microsoft
Intel Name:
Large_Scale_Phishing_Campaigns_are_Powered_by_DEV_1101_AiTM_Phishing_Kit
Date of Scan:
2023-03-16
Impact:
MEDIUM
Summary:
Researchers from Microsoft have identified an open-source adversary-in-the-middle (AiTM) phishing kit that has found a number of takers in the cybercrime world for its ability to orchestrate attacks at scale. Microsoft is tracking the threat actor behind the development of the kit under its emerging moniker DEV-1101.


Source:
https://www.microsoft.com/en-us/security/blog/2023/03/13/dev-1101-enables-high-volume-aitm-campaigns-with-open-source-phishing-kit/

2023-03-16
The_Examination_of_FG_IR_22_369
HIGH
+

Intel Source:
Fortinet
Intel Name:
The_Examination_of_FG_IR_22_369
Date of Scan:
2023-03-16
Impact:
HIGH
Summary:
Fortinet researchers have identified that government entities and large organizations are being targeted by an unknown threat actor exploiting a security flaw in Fortinet FortiOS software, resulting in data loss and OS and file corruption.


Source:
https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis

2023-03-16
APT_Group_Tick_Targeting_Data_Loss_Prevention_Company
MEDIUM
+

Intel Source:
Welivesecurity
Intel Name:
APT_Group_Tick_Targeting_Data_Loss_Prevention_Company
Date of Scan:
2023-03-16
Impact:
MEDIUM
Summary:
ESET researchers have discovered a campaign by the APT group Tick. The attackers compromised the DLP company's internal update servers to deliver malware inside the software developer's network and trojanized installers of legitimate tools used by the company, which eventually resulted in the execution of malware on the computers of the company's customers.


Source:
https://www.welivesecurity.com/2023/03/14/slow-ticking-time-bomb-tick-apt-group-dlp-software-developer-east-asia/

2023-03-16
A_Look_at_Dark_Side_of_Email_Traffic
LOW
+

Intel Source:
Juniper
Intel Name:
A_Look_at_Dark_Side_of_Email_Traffic
Date of Scan:
2023-03-16
Impact:
LOW
Summary:
Researchers from Juniper have analyzed the dark side of email traffic, uncovering some of the latest malware threats, tactics, and trends that can potentially undermine the systems.


Source:
https://blogs.juniper.net/en-us/threat-research/uncovering-the-dark-side-of-email-traffic

2023-03-16
Diving_Deep_into_CatB_Ransomware
LOW
+

Intel Source:
Sentinelone
Intel Name:
Diving_Deep_into_CatB_Ransomware
Date of Scan:
2023-03-16
Impact:
LOW
Summary:
SentinelOne researchers have analyzed the CatB ransomware and its abuse of the legitimate MSDTC service, describing its evasion tactics, encryption behavior, and its attempts to steal credentials and browser data.


Source:
https://www.sentinelone.com/blog/decrypting-catb-ransomware-analyzing-their-latest-attack-methods/

2023-03-16
The_MedusaLocker_Ransomware_is_Revealed
LOW
+

Intel Source:
Cyble
Intel Name:
The_MedusaLocker_Ransomware_is_Revealed
Date of Scan:
2023-03-16
Impact:
LOW
Summary:
Researchers from Cyble have unmasked the MedusaLocker ransomware. It’s known to target Hospital and Healthcare industries, but additionally, the gang also targets industries such as Education and Government organizations.


Source:
https://blog.cyble.com/2023/03/15/unmasking-medusalocker-ransomware/

2023-03-15
A_CHM_malware_by_the_Kimsuky_group
LOW
+

Intel Source:
ASEC
Intel Name:
A_CHM_malware_by_the_Kimsuky_group
Date of Scan:
2023-03-15
Impact:
LOW
Summary:
ASEC has discovered a new CHM malware created by the Kimsuky group. This malware type is the same one the researchers mentioned earlier in their posts on malware distributed by the Kimsuky group; its goal is the exfiltration of user information.


Source:
https://asec.ahnlab.com/en/49295/

2023-03-15
Increasingly_Abusing_of_DigitalOcean_by_attackers
LOW
+

Intel Source:
Netskope
Intel Name:
Increasingly_Abusing_of_DigitalOcean_by_attackers
Date of Scan:
2023-03-15
Impact:
LOW
Summary:
Netskope Threat Labs observed increased traffic to malicious web pages hosted on DigitalOcean over the last couple of months. This new scam campaign mimics Windows Defender and tries to deceive users into believing that their computer is infected. The purpose of the scam is to lure victims into calling a scam "help line". The attackers then try to obtain remote access to the victim's computer to either install malware or request payment.


Source:
https://www.netskope.com/blog/attackers-increasingly-abusing-digitalocean-to-host-scams-and-phishing

2023-03-15
North_Korea_s_UNC2970_TTPs_Part_1_and_2
MEDIUM
+

Intel Source:
Mandiant
Intel Name:
North_Korea_s_UNC2970_TTPs_Part_1_and_2
Date of Scan:
2023-03-15
Impact:
MEDIUM
Summary:
During their investigation, Mandiant researchers identified most of the original compromised hosts targeted by UNC2970. Mandiant Managed Defense also found that this group is targeting a U.S.-based technology company.


Source:
https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970
https://www.mandiant.com/resources/blog/lightshift-and-lightshow

2023-03-14
Emotet_resumes_sending_malicious_emails
LOW
+

Intel Source:
Cofense
Intel Name:
Emotet_resumes_sending_malicious_emails
Date of Scan:
2023-03-14
Impact:
LOW
Summary:
Researchers from Cofense have discovered that after several months of inactivity, the Emotet botnet resumed email activity this morning at 8:00am EST. The malicious emails seem to be replying to already existing email chains, with the addition of an attached .zip file. The .zip files are not password protected. The themes of the attached files include finances and invoices.


Source:
https://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/

2023-03-14
The_new_ATM_Malware_FiXS
LOW
+

Intel Source:
MetaBase Q
Intel Name:
The_new_ATM_Malware_FiXS
Date of Scan:
2023-03-14
Impact:
LOW
Summary:
FiXS is a new ATM malware that steals data from ATMs and infects computers. Metabase Q has been tracking and monitoring the rise of ATM malware that takes advantage of the physical and digital components of the ATM.


Source:
https://www.metabaseq.com/fixs-atms-malware/

2023-03-14
New_capabilities_of_Prometei_botnet
MEDIUM
+

Intel Source:
Talos
Intel Name:
New_capabilities_of_Prometei_botnet
Date of Scan:
2023-03-14
Impact:
MEDIUM
Summary:
Researchers from Talos have observed Prometei with updated infrastructure components and capabilities. The botnet operators updated certain submodules of the execution chain to automate processes and challenge forensic analysis methods. The threat actors are actively spreading an improved Linux version of the Prometei bot, v3. Researchers have also observed new functionality, including an additional C2 domain generation algorithm (DGA), a self-updating mechanism, and a bundled version of the Apache web server with a web shell. The bot's activity is possibly influenced by the war in Ukraine.


Source:
https://blog.talosintelligence.com/prometei-botnet-improves/

2023-03-13
Chinese_Hacker_Running_Malware_on_Unpatched_SMA
LOW
+

Intel Source:
Mandiant
Intel Name:
Chinese_Hacker_Running_Malware_on_Unpatched_SMA
Date of Scan:
2023-03-13
Impact:
LOW
Summary:
Mandiant researchers have identified a suspected Chinese campaign that involves maintaining long-term persistence by running malware on an unpatched SonicWall Secure Mobile Access (SMA) appliance. The malware has the functionality to steal user credentials, provide shell access, and persist through firmware upgrades. Mandiant currently tracks this actor as UNC4540.


Source:
https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall

2023-03-13
AsynRAT_Trojan_Distributing_via_Bill_Payment_Email
LOW
+

Intel Source:
ISC.SANS
Intel Name:
AsynRAT_Trojan_Distributing_via_Bill_Payment_Email
Date of Scan:
2023-03-13
Impact:
LOW
Summary:
Researchers from SANS observed that their mail server quarantined the file FautraPago392023.gz. After decompressing (gunzip) the file, there was no .exe extension associated with it. The source and destination addresses are both blank, without an actual email address.


Source:
https://isc.sans.edu/diary/AsynRAT+Trojan+Bill+Payment+Pago+de+la+factura/29626/

2023-03-13
Overview_of_a_Mirai_Payload_Generator
LOW
+

Intel Source:
ISC.SANS
Intel Name:
Overview_of_a_Mirai_Payload_Generator
Date of Scan:
2023-03-13
Impact:
LOW
Summary:
Researchers from SANS have observed that their honeypot is still hit by hundreds of Mirai requests every day. Upon analysis, they found a Python script that generates a Mirai payload and deploys networking services to serve it via FTP, HTTP, and TFTP.


Source:
https://isc.sans.edu/diary/Overview+of+a+Mirai+Payload+Generator/29624/

2023-03-13
New_GoBruteforcer_Malware_Targeting_phpMyAdmin_MySQL_FTP_and_Postgres
MEDIUM
+

Intel Source:
PaloAlto
Intel Name:
New_GoBruteforcer_Malware_Targeting_phpMyAdmin_MySQL_FTP_and_Postgres
Date of Scan:
2023-03-13
Impact:
MEDIUM
Summary:
PaloAlto researchers have identified a newly discovered Golang-based botnet malware that scans for and infects web servers running phpMyAdmin, MySQL, FTP, and Postgres services.


Source:
https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/?web_view=true

2023-03-13
Netcat_Malware_Targeting_MS_SQL_Servers
LOW
+

Intel Source:
ASEC
Intel Name:
Netcat_Malware_Targeting_MS_SQL_Servers
Date of Scan:
2023-03-13
Impact:
LOW
Summary:
Researchers from ASEC have discovered the distribution of the Netcat malware targeting poorly managed MS-SQL servers. Netcat is a utility that allows users to send and receive data from specific destinations on a network connected by the TCP/UDP protocol.


Source:
https://asec.ahnlab.com/en/49249/

2023-03-13
BATLOADER_Malware_Leveraging_Google_Ads
MEDIUM
+

Intel Source:
Esentire
Intel Name:
BATLOADER_Malware_Leveraging_Google_Ads
Date of Scan:
2023-03-13
Impact:
MEDIUM
Summary:
Esentire researchers have discovered that the malware downloader known as BATLOADER is abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif. The malicious ads are used to spoof a wide range of legitimate apps and services such as Adobe, OpenAI's ChatGPT, Spotify, Tableau, and Zoom.


Source:
https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif

2023-03-13
New_Phishing_Scam_Using_Fake_SBA_Grants
LOW
+

Intel Source:
Cofense
Intel Name:
New_Phishing_Scam_Using_Fake_SBA_Grants
Date of Scan:
2023-03-13
Impact:
LOW
Summary:
Researchers from Cofense have observed a phishing campaign impersonating the US Small Business Administration (SBA) and offering fake grants in the hope that an unfortunate recipient will provide their credentials.


Source:
https://cofense.com/blog/fake-small-business-administration-sba-grant-used-in-new-phishing-scam/

2023-03-11
PlugX_Malware_Exploits_Remote_Desktop_Software_Flaws
MEDIUM
+

Intel Source:
ASEC
Intel Name:
PlugX_Malware_Exploits_Remote_Desktop_Software_Flaws
Date of Scan:
2023-03-11
Impact:
MEDIUM
Summary:
Researchers from ASEC have discovered that security vulnerabilities in remote desktop programs such as Sunlogin and AweSun are being exploited by threat actors to deploy the PlugX malware.


Source:
https://asec.ahnlab.com/en/49097/

2023-03-11
Chaos_Ransomware_Shadow_is_Cast_by_BlackSnake_Ransomware
LOW
+

Intel Source:
Cyble
Intel Name:
Chaos_Ransomware_Shadow_is_Cast_by_BlackSnake_Ransomware
Date of Scan:
2023-03-11
Impact:
LOW
Summary:
Cyble Labs researchers have discovered a ransomware variant that not only encrypts victims’ files but also steals their Discord tokens.


Source:
https://blog.cyble.com/2023/03/09/blacksnake-ransomware-emerges-from-chaos-ransomwares-shadow/

2023-03-10
The_Use_of_Search_Engines_For_Malvertising
LOW
+

Intel Source:
Securelist
Intel Name:
The_Use_of_Search_Engines_For_Malvertising
Date of Scan:
2023-03-10
Impact:
LOW
Summary:
Researchers from Securelist have observed an increase in the number of malicious campaigns that use Google Advertising as a means of distributing and delivering malware. At least two different stealers, Rhadamanthys and RedLine, are abusing the search engine promotion plan in order to deliver malicious payloads to victims’ machines.


Source:
https://securelist.com/malvertising-through-search-engines/108996/

2023-03-10
IceFire_Ransomware_Exploiting_IBM_Aspera_Faspex
MEDIUM
+

Intel Source:
Sentinelone
Intel Name:
IceFire_Ransomware_Exploiting_IBM_Aspera_Faspex
Date of Scan:
2023-03-10
Impact:
MEDIUM
Summary:
SentinelOne researchers have identified that a Windows-based ransomware strain known as IceFire has expanded its focus to target Linux enterprise networks belonging to several media and entertainment sector organizations across the world.


Source:
https://www.sentinelone.com/labs/icefire-ransomware-returns-now-targeting-linux-enterprise-networks/

2023-03-10
New_ScrubCrypt_Crypter_Targeting_Oracle_WebLogic
MEDIUM
+

Intel Source:
Fortinet
Intel Name:
New_ScrubCrypt_Crypter_Targeting_Oracle_WebLogic
Date of Scan:
2023-03-10
Impact:
MEDIUM
Summary:
Fortinet Lab researchers have observed that the attack chain commences with the successful exploitation of vulnerable Oracle WebLogic servers to download a PowerShell script that contains ScrubCrypt.


Source:
https://www.fortinet.com/blog/threat-research/old-cyber-gang-uses-new-crypter-scrubcrypt

2023-03-09
Increasing_Phishing_Campaigns_During_Tax_Season
LOW
+

Intel Source:
Cofense
Intel Name:
Increasing_Phishing_Campaigns_During_Tax_Season
Date of Scan:
2023-03-09
Impact:
LOW
Summary:
Researchers from Cofense have identified threat actors attempting to use tax season to target recipients with a potential refund, using the Adobe file-sharing service to deliver the phishing content.


Source:
https://cofense.com/blog/tax-season-phishing-campaigns-are-ramping-up/

2023-03-09
OneNote_Misused_by_Cybercriminals
LOW
+

Intel Source:
Trustwave
Intel Name:
OneNote_Misused_by_Cybercriminals
Date of Scan:
2023-03-09
Impact:
LOW
Summary:
Researchers from Trustwave have analyzed the activity of cybercriminals as to how they are abusing OneNote.


Source:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-1/ https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-2/

2023-03-09
Analysis_of_Nevada_Ransomware_and_Compares_With_Nokoyawa_Ransomware
LOW
+

Intel Source:
ZScaler
Intel Name:
Analysis_of_Nevada_Ransomware_and_Compares_With_Nokoyawa_Ransomware
Date of Scan:
2023-03-09
Impact:
LOW
Summary:
Zscaler ThreatLab researchers have identified significant code similarities between the Nevada and Nokoyawa ransomware, including debug strings, command-line arguments, and encryption algorithms.


Source:
https://www.zscaler.com/blogs/security-research/nevada-ransomware-yet-another-nokayawa-variant

2023-03-09
Analysis_of_Memory_For_Detecting_EDR_Nullifying_Malware
LOW
+

Intel Source:
Volexity
Intel Name:
Analysis_of_Memory_For_Detecting_EDR_Nullifying_Malware
Date of Scan:
2023-03-09
Impact:
LOW
Summary:
Volexity researchers have examined whether the technique of attacking endpoint detection and response (EDR) and antivirus (AV) software could be reliably detected through memory analysis.


Source:
https://www.volexity.com/blog/2023/03/07/using-memory-analysis-to-detect-edr-nullifying-malware/

2023-03-08
Chinese_Cyber_Attack_Against_Southeast_Asian_Government_Entities
HIGH
+

Intel Source:
Checkpoint
Intel Name:
Chinese_Cyber_Attack_Against_Southeast_Asian_Government_Entities
Date of Scan:
2023-03-08
Impact:
HIGH
Summary:
Researchers from Checkpoint have analyzed the TTPs and the tools used in the espionage campaign against Southeast Asian government entities. The initial infection stages of this campaign use TTPs and tools consistent with Sharp Panda activity.


Source:
https://research.checkpoint.com/2023/pandas-with-a-soul-chinese-espionage-attacks-against-southeast-asian-government-entities/

2023-03-08
In_Depth_Analysis_of_Sirattacker_and_ALC_Ransomware
MEDIUM
+

Intel Source:
Fortinet
Intel Name:
In_Depth_Analysis_of_Sirattacker_and_ALC_Ransomware
Date of Scan:
2023-03-08
Impact:
MEDIUM
Summary:
FortiGuard Labs researchers have gathered data on ransomware variants of interest that have been gaining traction within their datasets and the OSINT community. They analyzed the Sirattacker and ALC ransomware, which are targeting Microsoft Windows users.


Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-sirattacker-acl?&web_view=true

2023-03-08
PyPI_package_delivers_malicious_Colour_Blind_RAT
LOW
+

Intel Source:
Cyware
Intel Name:
PyPI_package_delivers_malicious_Colour_Blind_RAT
Date of Scan:
2023-03-08
Impact:
LOW
Summary:
Researchers from Cyware have identified a malicious PyPI package that delivers a fully-featured information stealer and remote access trojan dubbed Colour-Blind.


Source:
https://cyware.com/news/malicious-pypi-package-delivers-colour-blind-rat-1c24f4e6/?web_view=true

2023-03-08
GlobeImposter_Ransomware_Installed_Using_RDP
LOW
+

Intel Source:
ASEC
Intel Name:
GlobeImposter_Ransomware_Installed_Using_RDP
Date of Scan:
2023-03-08
Impact:
LOW
Summary:
ASEC has recently discovered the active distribution of the GlobeImposter ransomware. This attack is being carried out by the threat actors behind MedusaLocker.


Source:
https://asec.ahnlab.com/en/48940/

2023-03-08
Qakbot_evolves_to_OneNote_Malware_Distribution
MEDIUM
+

Intel Source:
Trellix
Intel Name:
Qakbot_evolves_to_OneNote_Malware_Distribution
Date of Scan:
2023-03-08
Impact:
MEDIUM
Summary:
Researchers from Trellix report that Qakbot (aka QBot, QuakBot, and Pinkslipbot) is a sophisticated piece of malware, and that there has been an upsurge in the number of Qakbot campaigns using a novel delivery technique: OneNote documents for malware distribution.


Source:
https://www.trellix.com/en-us/about/newsroom/stories/research/qakbot-evolves-to-onenote-malware-distribution.html

2023-03-07
LokiBot_Distributing_via_Phishing_Emails
LOW
+

Intel Source:
PaloAlto
Intel Name:
LokiBot_Distributing_via_Phishing_Emails
Date of Scan:
2023-03-07
Impact:
LOW
Summary:
PaloAlto researchers have uncovered a malware distribution campaign that is delivering the LokiBot information stealer via business email compromise (BEC) phishing emails. This malware is designed to steal sensitive information from victims’ systems, such as passwords and banking information, as well as other sensitive data.


Source:
https://unit42.paloaltonetworks.com/lokibot-spike-analysis/

2023-03-07
Phishing_Campaign_Using_Copycat_ChatGPT_Platform
MEDIUM
+

Intel Source:
Bitdefender
Intel Name:
Phishing_Campaign_Using_Copycat_ChatGPT_Platform
Date of Scan:
2023-03-07
Impact:
MEDIUM
Summary:
Researchers from BitDefender Labs have identified that the success of the viral AI tool has also attracted the attention of fraudsters, who use the technology to conduct highly sophisticated investment scams against unwary internet users.


Source:
https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-warns-of-fresh-phishing-campaign-that-uses-copycat-chatgpt-platform-to-swindle-eager-investors/

2023-03-07
In_Depth_Analysis_of_RIG_Exploit_Kit
LOW
+

Intel Source:
PRODAFT
Intel Name:
In_Depth_Analysis_of_RIG_Exploit_Kit
Date of Scan:
2023-03-07
Impact:
LOW
Summary:
Researchers from Prodaft have analyzed the RIG Exploit Kit. It is malware operated under a malware-as-a-service (MaaS) subscription model, and it is currently at the most successful point of its lifetime in terms of successful attacks.


Source:
https://www.prodaft.com/resource/detail/rig-rig-exploit-kit-depth-analysis

2023-03-07
New_HiatusRAT_Malware_Targeting_Business_Grade_Routers
MEDIUM
+

Intel Source:
Lumen
Intel Name:
New_HiatusRAT_Malware_Targeting_Business_Grade_Routers
Date of Scan:
2023-03-07
Impact:
MEDIUM
Summary:
Lumen researchers have observed malware that is targeting business-grade routers to covertly spy on victims in Latin America, Europe, and North America at least since July 2022.


Source:
https://blog.lumen.com/new-hiatusrat-router-malware-covertly-spies-on-victims/

2023-03-07
Phishing_Campaign_Targeting_Job_Seekers_and_Employers
LOW
+

Intel Source:
Trellix
Intel Name:
Phishing_Campaign_Targeting_Job_Seekers_and_Employers
Date of Scan:
2023-03-07
Impact:
LOW
Summary:
Researchers from Trellix have discovered that threat actors are exploiting the ongoing economic downturn by using job-themed phishing and malware campaigns to target job seekers and employers, in order to steal sensitive information and compromise company recruiters.


Source:
https://www.trellix.com/en-us/about/newsroom/stories/research/cybercrime-takes-advantage-of-2023-recession-with-job-themed-scams.html

2023-03-07
The_Analysis_of_Lazarus_Group
LOW
+

Intel Source:
ASEC
Intel Name:
The_Analysis_of_Lazarus_Group
Date of Scan:
2023-03-07
Impact:
LOW
Summary:
ASEC researchers have identified that Lazarus group’s malware strains have been found in various Korean companies related to national defense, satellites, software, media press, etc. Hence, they pursued and analyzed the Lazarus threat group’s activities and related malware.


Source:
https://asec.ahnlab.com/en/48810/

2023-03-07
OneNote_Embedded_File_Abuse
LOW
+

Intel Source:
Nviso
Intel Name:
OneNote_Embedded_File_Abuse
Date of Scan:
2023-03-07
Impact:
LOW
Summary:
Researchers from Nviso have observed that the OneNote feature being abused in these phishing campaigns is the hiding of embedded files behind pictures, which entices the user to click the picture. If the picture is clicked, it executes the file hidden beneath.


Source:
https://blog.nviso.eu/2023/02/27/onenote-embedded-file-abuse/

2023-03-06
MyDoom_Worm_Distributing_via_Phishing_Email
LOW
+

Intel Source:
Fortinet
Intel Name:
MyDoom_Worm_Distributing_via_Phishing_Email
Date of Scan:
2023-03-06
Impact:
LOW
Summary:
Researchers from Fortinet have identified a phishing campaign using the MyDoom worm. It was first discovered back in 2004 and it has seen some updates and modifications since its introduction.


Source:
https://www.fortinet.com/blog/threat-research/just-because-its-old-doesnt-mean-you-throw-it-away-including-malware

2023-03-06
RIG_Exploit_Kit_Targeting_Internet_Explorer_Users
LOW
+

Intel Source:
Malwarebytes
Intel Name:
RIG_Exploit_Kit_Targeting_Internet_Explorer_Users
Date of Scan:
2023-03-06
Impact:
LOW
Summary:
Malwarebytes researchers have identified that Internet Explorer (IE) is still being exploited by exploit kits like the RIG exploit kit (EK).


Source:
https://www.malwarebytes.com/blog/news/2023/03/internet-explorer-users-still-targeted-by-rig-exploit-kit

2023-03-06
OneNote_Documents_Distributing_Malware
LOW
+

Intel Source:
ZScaler
Intel Name:
OneNote_Documents_Distributing_Malware
Date of Scan:
2023-03-06
Impact:
LOW
Summary:
Zscaler researchers have observed that threat actors are increasingly using Microsoft OneNote documents to deliver malware via phishing emails.


Source:
https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution

2023-03-06
WhiteSnake_Stealer_Targeting_Windows_and_Linux_Users
LOW
+

Intel Source:
Cyble
Intel Name:
WhiteSnake_Stealer_Targeting_Windows_and_Linux_Users
Date of Scan:
2023-03-06
Impact:
LOW
Summary:
Cyble researchers have discovered a new malware strain called “WhiteSnake” Stealer. This stealer is available in versions designed for both Windows and Linux. It is capable of gathering a range of sensitive information, including passwords, cookies, credit card numbers, screenshots, and other personal or financial data.


Source:
https://blog.cyble.com/2023/02/24/new-whitesnake-stealer-offered-for-sale-via-maas-model/

2023-03-06
Hackers_From_China_Using_Custom_Backdoor_to_Evade_Detection
LOW
+

Intel Source:
Welivesecurity
Intel Name:
Hackers_From_China_Using_Custom_Backdoor_to_Evade_Detection
Date of Scan:
2023-03-06
Impact:
LOW
Summary:
Researchers from Welivesecurity have identified that the Chinese cyber espionage group Mustang Panda is deploying a new custom backdoor named ‘MQsTTang’ in attacks starting this year.


Source:
https://www.welivesecurity.com/2023/03/02/mqsttang-mustang-panda-latest-backdoor-treads-new-ground-qt-mqtt/

2023-03-06
Spear_Phishing_Campaign_Targeting_Hospitality_Industry_Using_RedLine_Stealer
LOW
+

Intel Source:
TrendMicro
Intel Name:
Spear_Phishing_Campaign_Targeting_Hospitality_Industry_Using_RedLine_Stealer
Date of Scan:
2023-03-06
Impact:
LOW
Summary:
Researchers from TrendMicro have identified an evasive RedLine Stealer spear-phishing campaign targeting the hospitality industry.


Source:
https://www.trendmicro.com/en_us/research/23/c/managed-xdr-exposes-spear-phishing-campaign-targeting-hospitalit.html

2023-03-06
Hackers_From_SCARLETEEL_Using_Advanced_Cloud_Skills_to_Steal_Source_Code_and_Data
MEDIUM
+

Intel Source:
Sysdig
Intel Name:
Hackers_From_SCARLETEEL_Using_Advanced_Cloud_Skills_to_Steal_Source_Code_and_Data
Date of Scan:
2023-03-06
Impact:
MEDIUM
Summary:
Sysdig researchers have discovered a sophisticated cloud operation in a customer environment, dubbed SCARLETEEL, that resulted in stolen proprietary data. The attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account in order to steal proprietary software and credentials.


Source:
https://sysdig.com/blog/cloud-breach-terraform-data-theft/

2023-03-06
LockBit_Ransomware_Attack_on_Indian_Companies
LOW
+

Intel Source:
Cyble
Intel Name:
LockBit_Ransomware_Attack_on_Indian_Companies
Date of Scan:
2023-03-06
Impact:
LOW
Summary:
Cyble researchers have observed that the LockBit ransomware group claimed to have compromised the networks of an Indian investment company, Infrastructure Leasing & Financial Services Limited (IL&FS), on February 28, 2023.


Source:
https://blog.cyble.com/2023/03/01/ransomware-attack-on-ilfs/

2023-03-06
The_New_TTPs_of_Royal_ransomware
MEDIUM
+

Intel Source:
CISA
Intel Name:
The_New_TTPs_of_Royal_ransomware
Date of Scan:
2023-03-06
Impact:
MEDIUM
Summary:
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released the joint CSA to disseminate known Royal ransomware IOCs and TTPs identified through FBI threat response activities as recently as January 2023.


Source:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a

2023-03-04
The_Examination_of_EXFILTRATION_22
LOW
+

Intel Source:
Cyfirma
Intel Name:
The_Examination_of_EXFILTRATION_22
Date of Scan:
2023-03-04
Impact:
LOW
Summary:
Researchers from Cyfirma have provided an analysis of a new post-exploitation framework called EXFILTRATOR-22, a.k.a. EX-22.


Source:
https://www.cyfirma.com/outofband/exfiltrator-22-an-emerging-post-exploitation-framework/

2023-03-04
The_Deep_Investigation_of_LockBit_Ransomware_Campaign
MEDIUM
+

Intel Source:
Fortinet
Intel Name:
The_Deep_Investigation_of_LockBit_Ransomware_Campaign
Date of Scan:
2023-03-04
Impact:
MEDIUM
Summary:
FortiGuard Labs researchers observed a new LockBit ransomware campaign last December and January that used a combination of techniques effective against AV and EDR solutions, and they analyzed the infection chain and Tactics, Techniques, and Procedures (TTPs) of this campaign.


Source:
https://www.fortinet.com/blog/threat-research/emerging-lockbit-campaign?&web_view=true

2023-03-04
The_deployment_of_New_MortalKombat_Ransomware_and_Laplas_Clipper_Malware_threats
MEDIUM
+

Intel Source:
Talos
Intel Name:
The_deployment_of_New_MortalKombat_Ransomware_and_Laplas_Clipper_Malware_threats
Date of Scan:
2023-03-04
Impact:
MEDIUM
Summary:
Since last December, the Cisco Talos team has been observing a new actor who used two new threats, MortalKombat ransomware and a Go variant of the Laplas Clipper malware, to steal cryptocurrency from victims. Talos researchers have also seen the actor scanning the internet for victim machines with an exposed remote desktop protocol (RDP) port 3389, using one of their download servers that runs an RDP crawler and also serves the MortalKombat ransomware. After the researchers analyzed commonalities in the code, class names, and registry key strings, they assess that the MortalKombat ransomware belongs to the Xorist family.


Source:
https://blog.talosintelligence.com/new-mortalkombat-ransomware-and-laplas-clipper-malware-threats/

2023-03-03
BlackLotus_Malware_Capable_of_Bypassing_Secure_Boot
MEDIUM
+

Intel Source:
Welivesecurity
Intel Name:
BlackLotus_Malware_Capable_of_Bypassing_Secure_Boot
Date of Scan:
2023-03-03
Impact:
MEDIUM
Summary:
Researchers from Welivesecurity have identified that a stealthy Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus has become the first UEFI bootkit malware to bypass Secure Boot on Windows 11.


Source:
https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/

2023-03-01
Hackers_From_Blind_Eagle_Targeting_Organizations_in_Colombia_and_Ecuador
LOW
+

Intel Source:
Blackberry
Intel Name:
Hackers_From_Blind_Eagle_Targeting_Organizations_in_Colombia_and_Ecuador
Date of Scan:
2023-03-01
Impact:
LOW
Summary:
BlackBerry researchers have identified a new campaign where the threat actor impersonated a Colombian government tax agency to target key industries in Colombia, including health, financial, law enforcement, immigration, and an agency in charge of peace negotiation in the country.


Source:
https://blogs.blackberry.com/en/2023/02/blind-eagle-apt-c-36-targets-colombia

2023-03-01
Diving_Deep_into_TA_69_and_its_SocGholish_Payload
LOW
+

Intel Source:
Proofpoint
Intel Name:
Diving_Deep_into_TA_69_and_its_SocGholish_Payload
Date of Scan:
2023-03-01
Impact:
LOW
Summary:
Researchers from Proofpoint have observed changes in the tactics, techniques, and procedures (TTPs) employed by TA569. Changes include an increase in the number of injection varieties, as well as payloads deviating from the standard SocGholish “Fake Update” JavaScript packages.


Source:
https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond

2023-03-01
Threat_Actors_Using_Microsoft_OneNote_for_Malicious_Campaigns
LOW
+

Intel Source:
Inquest
Intel Name:
Threat_Actors_Using_Microsoft_OneNote_for_Malicious_Campaigns
Date of Scan:
2023-03-01
Impact:
LOW
Summary:
Researchers from Inquest have observed that OneNote has been featured in the delivery chains of a number of malware threats and is being used by multiple groups for distribution.


Source:
https://inquest.net/blog/2023/02/27/youve-got-malware-rise-threat-actors-using-microsoft-onenote-malicious-campaigns

2023-03-01
BB17_Distribution_Qakbot_Activity
LOW
+

Intel Source:
ISC.SANS
Intel Name:
BB17_Distribution_Qakbot_Activity
Date of Scan:
2023-03-01
Impact:
LOW
Summary:
Researchers from SANS have identified an infection with a URL that is found on VirusTotal after pivoting on a search for BB17-tagged distribution URLs for Qakbot.


Source:
https://isc.sans.edu/diary/rss/29592

2023-03-01
Snip3_Crypter_is_Back_With_New_TTPs
LOW
+

Intel Source:
ZScaler
Intel Name:
Snip3_Crypter_is_Back_With_New_TTPs
Date of Scan:
2023-03-01
Impact:
LOW
Summary:
Researchers from Zscaler have identified the use of the crypter with new TTPs deploying RAT families including DcRAT and QuasarRAT targeting victims across multiple industry verticals such as healthcare, energy and utilities, and manufacturing via spear phishing emails with subject lines related to “tax statements” in order to lure victims into execution.


Source:
https://www.zscaler.com/blogs/security-research/snip3-crypter-reveals-new-ttps-over-time

2023-03-01
Hackers_From_Blackfly_Group_Targeting_Materials_Technology
LOW
+

Intel Source:
Symantec
Intel Name:
Hackers_From_Blackfly_Group_Targeting_Materials_Technology
Date of Scan:
2023-03-01
Impact:
LOW
Summary:
Symantec researchers have identified the Blackfly espionage group (aka APT41, Winnti Group, Bronze Atlas) has continued to mount attacks against targets in Asia and recently targeted two subsidiaries of an Asian conglomerate, both of which operate in the materials and composites sector, suggesting that the group may be attempting to steal intellectual property.


Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackfly-espionage-materials

2023-03-01
Iron_Tiger_Group_Targeting_Linux_Through_SysUpdate
MEDIUM
+

Intel Source:
TrendMicro
Intel Name:
Iron_Tiger_Group_Targeting_Linux_Through_SysUpdate
Date of Scan:
2023-03-01
Impact:
MEDIUM
Summary:
Researchers from TrendMicro have identified that hackers from Iron Tiger updated SysUpdate, one of their custom malware families, to include new features and add malware infection support for the Linux platform.


Source:
https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html

2023-02-28
Cyber_attacks_on_the_Ukrainian_state_organizations
MEDIUM
+

Intel Source:
CERT-UA
Intel Name:
Cyber_attacks_on_the_Ukrainian_state_organizations
Date of Scan:
2023-02-28
Impact:
MEDIUM
Summary:
Researchers from CERT-UA have investigated the violation of the integrity and availability of the web resources of a number of state organizations.


Source:
https://cert.gov.ua/article/3947787

2023-02-28
ChatGPT_Based_Phishing_Attacks
MEDIUM
+

Intel Source:
Cyble
Intel Name:
ChatGPT_Based_Phishing_Attacks
Date of Scan:
2023-02-28
Impact:
MEDIUM
Summary:
Cyble researchers have detected several phishing websites that are being promoted through a fraudulent OpenAI social media page to spread various types of malware. Furthermore, several phishing sites are impersonating ChatGPT to steal credit card information.


Source:
https://blog.cyble.com/2023/02/22/the-growing-threat-of-chatgpt-based-phishing-attacks/

2023-02-28
Malicious_Emails_Impersonating_Shipping_Companies
LOW
+

Intel Source:
ASEC
Intel Name:
Malicious_Emails_Impersonating_Shipping_Companies
Date of Scan:
2023-02-28
Impact:
LOW
Summary:
Researchers from ASEC have discovered malicious emails impersonating shipping companies being distributed in Korea. These emails prompt users to open the attached file with the subject ‘Submitting import clearance info’.


Source:
https://asec.ahnlab.com/en/48304/

2023-02-28
The_Investigation_of_PlugX_Trojan
LOW
+

Intel Source:
TrendMicro
Intel Name:
The_Investigation_of_PlugX_Trojan
Date of Scan:
2023-02-28
Impact:
LOW
Summary:
TrendMicro researchers have discovered that a file called x32dbg.exe is used to sideload a malicious DLL, which they identified as a variant of PlugX.


Source:
https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html

2023-02-28
Hackers_Abusing_Atlassian
LOW
+

Intel Source:
Cofense
Intel Name:
Hackers_Abusing_Atlassian
Date of Scan:
2023-02-28
Impact:
LOW
Summary:
Cofense researchers have observed a phishing campaign, under the guise of a payment remittance, taking advantage of custom URLs from Atlassian to redirect users to their phish.


Source:
https://cofense.com/blog/threat-actors-abuse-atlassian-bypass-multiple-secure-email-gateways-segs/

2023-02-28
Chile_IP_Address_Connecting_to_IcedID_BackConnect_C2_Servers
LOW
+

Intel Source:
Team Cymru
Intel Name:
Chile_IP_Address_Connecting_to_IcedID_BackConnect_C2_Servers
Date of Scan:
2023-02-28
Impact:
LOW
Summary:
Researchers from Team Cymru have identified an IP address geolocated to Chile that is used to access various elements of the IcedID infrastructure.


Source:
https://www.team-cymru.com/post/from-chile-with-malware

2023-02-28
URL_Files_and_WebDAV_Using_For_IcedID_Infection
LOW
+

Intel Source:
ISC.SANS
Intel Name:
URL_Files_and_WebDAV_Using_For_IcedID_Infection
Date of Scan:
2023-02-28
Impact:
LOW
Summary:
Researchers from SANS have observed that IcedID distribution patterns occasionally change and identified a distribution pattern using .url files and WebDAV traffic for an IcedID infection.


Source:
https://isc.sans.edu/diary/URL+files+and+WebDAV+used+for+IcedID+Bokbot+infection/29578/

2023-02-28
Magniber_Ransomware_is_Back_With_New_Technique
LOW
+

Intel Source:
ASEC
Intel Name:
Magniber_Ransomware_is_Back_With_New_Technique
Date of Scan:
2023-02-28
Impact:
LOW
Summary:
ASEC researchers have identified that Magniber ransomware is distributed as a Windows installer package file (.msi) in Edge and Chrome browsers.


Source:
https://asec.ahnlab.com/en/48312/

2023-02-28
PyPI_Malicious_Packages_Dropping_Windows_Trojan_via_Dropbox
LOW
+

Intel Source:
Sonatype
Intel Name:
PyPI_Malicious_Packages_Dropping_Windows_Trojan_via_Dropbox
Date of Scan:
2023-02-28
Impact:
LOW
Summary:
Researchers from Sonatype have observed hundreds of packages getting published and removed in batches on the PyPI registry. These packages, despite containing contextual terms like “libs,” “nvidiapaypalsuper,” and so on, are named quite arbitrarily.


Source:
https://blog.sonatype.com/attacker-floods-pypi-with-450-malicious-packages-that-drop-windows-trojan-via-dropbox

2023-02-28
Analysis_of_FortiNAC_Vulnerability_CVE_2022_39952
LOW
+

Intel Source:
Cyble
Intel Name:
Analysis_of_FortiNAC_Vulnerability_CVE_2022_39952
Date of Scan:
2023-02-28
Impact:
LOW
Summary:
Cyble researchers have analyzed the vulnerability affecting multiple versions of FortiNAC. The affected product is widely used in mid to large-size enterprises involving state and private entities.


Source:
https://blog.cyble.com/2023/02/27/critical-vulnerability-in-fortinac-cve-2022-39952-exposes-multiple-organizations-to-cyberattacks/

2023-02-27
Lazarus_Group_Using_New_WinorDLL64_Backdoor
MEDIUM
+

Intel Source:
WeliveSecurity
Intel Name:
Lazarus_Group_Using_New_WinorDLL64_Backdoor
Date of Scan:
2023-02-27
Impact:
MEDIUM
Summary:
Welivesecurity researchers have analyzed one of the payloads of the Wslink downloader, which was discovered back in 2021. That payload was named WinorDLL64 based on its filename, WinorDLL64.dll. Wslink, which had the filename WinorLoaderDLL64.dll, is a loader for Windows binaries that runs as a server and executes received modules in memory.


Source:
https://www.welivesecurity.com/2023/02/23/winordll64-backdoor-vast-lazarus-arsenal/

2023-02-27
I2Pminer_Variant_Targeting_MacOS
LOW
+

Intel Source:
Crowdstrike & Jamf
Intel Name:
I2Pminer_Variant_Targeting_MacOS
Date of Scan:
2023-02-27
Impact:
LOW
Summary:
CrowdStrike and Jamf researchers have analyzed a macOS-targeted mineware campaign that utilized malicious application bundles to deliver open source XMRig cryptomining software and Invisible Internet Protocol (I2P) network tooling.


Source:
https://www.crowdstrike.com/blog/i2pminer-macos-mineware-analysis/ https://www.jamf.com/blog/cryptojacking-macos-malware-discovered-by-jamf-threat-labs/

2023-02-27
New_Hacking_Group_Clasiopa_Targeting_Materials_Research
MEDIUM
+

Intel Source:
Symantec
Intel Name:
New_Hacking_Group_Clasiopa_Targeting_Materials_Research
Date of Scan:
2023-02-27
Impact:
MEDIUM
Summary:
Symantec researchers have identified an unknown threat actor targeting materials research organizations in Asia with a distinct set of tools.


Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clasiopa-materials-research

2023-02-27
Hackers_Targeting_Multiple_ManageEngine_Products
MEDIUM
+

Intel Source:
Bitdefender
Intel Name:
Hackers_Targeting_Multiple_ManageEngine_Products
Date of Scan:
2023-02-27
Impact:
MEDIUM
Summary:
Researchers from BitDefender have observed that multiple threat actors opportunistically weaponized a now-patched critical security vulnerability impacting several Zoho ManageEngine products since January 20, 2023.
Additional Blog link: https://www.bitdefender.com/blog/labs/weaponizing-pocs-a-targeted-attack-using-cve-2022-47966/


Source:
https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966

2023-02-24
NPM_Packages_Distributing_Phishing_Links
LOW
+

Intel Source:
Checkmarx
Intel Name:
NPM_Packages_Distributing_Phishing_Links
Date of Scan:
2023-02-24
Impact:
LOW
Summary:
Checkmarx researchers have investigated and uncovered a recurring attack method, in which cyber attackers utilize spamming techniques to flood the open-source ecosystem with packages that include links to phishing campaigns in their README.md files.


Source:
https://checkmarx.com/blog/how-npm-packages-were-used-to-spread-phishing-links/

2023-02-23
The_Investigation_of_8220_Gang_Cloud_Threat
LOW
+

Intel Source:
Sentinelone
Intel Name:
The_Investigation_of_8220_Gang_Cloud_Threat
Date of Scan:
2023-02-23
Impact:
LOW
Summary:
SentinelOne researchers have analyzed the 8220 gang cloud threat as the group has again switched to new infrastructure and samples.


Source:
https://www.sentinelone.com/blog/soc-team-essentials-how-to-investigate-and-track-the-8220-gang-cloud-threat/

2023-02-23
PyPI_Packages_Mimicking_Popular_Libraries
LOW
+

Intel Source:
Reversing Labs
Intel Name:
PyPI_Packages_Mimicking_Popular_Libraries
Date of Scan:
2023-02-23
Impact:
LOW
Summary:
Reversing Labs researchers are warning of “imposter packages” mimicking popular libraries available on the Python Package Index (PyPI) repository. The 41 malicious PyPI packages have been found to pose as typosquatted variants of legitimate modules such as HTTP, AIOHTTP, requests, urllib, and urllib3.


Source:
https://www.reversinglabs.com/blog/beware-impostor-http-libraries-lurk-on-pypi

2023-02-23
Techniques_Analysis_of_Rhadamanthys_information_stealer
LOW
+

Intel Source:
Zscaler
Intel Name:
Techniques_Analysis_of_Rhadamanthys_information_stealer
Date of Scan:
2023-02-23
Impact:
LOW
Summary:
Zscaler researchers have analyzed Rhadamanthys, an information stealer. The malware implements complex anti-analysis techniques by using a public open source library. It is written in C++ and being distributed mostly via malicious Google advertisements. The malware is designed to steal credentials from web browsers, VPN clients, email clients and chat clients as well as cryptocurrency wallets.


Source:
https://www.zscaler.com/blogs/security-research/technical-analysis-rhadamanthys-obfuscation-techniques

2023-02-23
Lazarus_Group_Leveraging_Anti_Forensic_Techniques
LOW
+

Intel Source:
ASEC
Intel Name:
Lazarus_Group_Leveraging_Anti_Forensic_Techniques
Date of Scan:
2023-02-23
Impact:
LOW
Summary:
ASEC researchers have shared the anti-forensic traces and details found in the systems that were infiltrated by the Lazarus group.


Source:
https://asec.ahnlab.com/en/48223/

2023-02-23
The_New_Version_of_HardBit_2_0_Ransomware
LOW
+

Intel Source:
Varonis
Intel Name:
The_New_Version_of_HardBit_2_0_Ransomware
Date of Scan:
2023-02-23
Impact:
LOW
Summary:
Researchers from Varonis have identified a new version of HardBit ransomware, HardBit 2.0, which is still under development and features unique capabilities.


Source:
https://www.varonis.com/blog/hardbit-2.0-ransomware

2023-02-23
Hackers_Targeting_Innorix_Agent_Vulnerable_Versions
LOW
+

Intel Source:
ASEC
Intel Name:
Hackers_Targeting_Innorix_Agent_Vulnerable_Versions
Date of Scan:
2023-02-23
Impact:
LOW
Summary:
Researchers from ASEC have discovered the distribution of malware targeting users with vulnerable versions of Innorix Agent; the collected malware is a backdoor that attempts to connect to a C&C server.


Source:
https://asec.ahnlab.com/en/48198/

2023-02-23
Credit_Card_Skimmers_Targeting_Ecommerce_Platforms
LOW
+

Intel Source:
Malwarebytes
Intel Name:
Credit_Card_Skimmers_Targeting_Ecommerce_Platforms
Date of Scan:
2023-02-23
Impact:
LOW
Summary:
Researchers from Malwarebytes have observed credit card skimmers targeting e-commerce platforms such as Magento and WordPress/WooCommerce.


Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/02/multilingual-skimmer-fingerprints-users-via-cloudflare-endpoint-api

2023-02-23
Attackers_Leveraging_Cron_Jobs_to_Infect_Websites
LOW
+

Intel Source:
Sucuri
Intel Name:
Attackers_Leveraging_Cron_Jobs_to_Infect_Websites
Date of Scan:
2023-02-23
Impact:
LOW
Summary:
Sucuri researchers have observed attackers using malicious cron jobs quite frequently to reinfect websites. Recently, they have seen a distinctive new wave of these infections.


Source:
https://blog.sucuri.net/2023/02/attackers-abuse-cron-jobs-to-reinfect-websites.html

2023-02-23
A_New_InfoStealer_Stealc
LOW
+

Intel Source:
Sekoia
Intel Name:
A_New_InfoStealer_Stealc
Date of Scan:
2023-02-23
Impact:
LOW
Summary:
Sekoia researchers have identified a new info stealer during routine Dark Web monitoring. The information stealer is advertised as Stealc by its alleged developer, who goes by the handle Plymouth. The threat actor presents Stealc as a fully featured and ready-to-use stealer whose development relied on the Vidar, Raccoon, Mars, and Redline stealers.


Source:
https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/

2023-02-22
The_Examination_of_DarkCloud_Stealer
LOW
+

Intel Source:
Cyble
Intel Name:
The_Examination_of_DarkCloud_Stealer
Date of Scan:
2023-02-22
Impact:
LOW
Summary:
Cyble researchers have observed an increase in the prevalence of DarkCloud Stealer, with Threat Actors employing various spam campaigns to disseminate this malware worldwide.


Source:
https://blog.cyble.com/2023/02/20/decoding-the-inner-workings-of-darkcloud-stealer/

2023-02-22
Expansion_of_attackes_on_Linux_ESXi_Servers_by_Royal_ransomware
MEDIUM
+

Intel Source:
TrendMicro
Intel Name:
Expansion_of_attackes_on_Linux_ESXi_Servers_by_Royal_ransomware
Date of Scan:
2023-02-22
Impact:
MEDIUM
Summary:
TrendMicro analysts predicted last year that ransomware groups would increasingly target Linux servers and embedded systems in the coming years, after detecting a double-digit year-on-year (YoY) increase in attacks on these systems. Royal ransomware is a new variant targeting Linux systems that has since emerged, and TrendMicro shared its technical analysis of this variant in their blog.


Source:
https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html

2023-02-22
A_new_threat_group_Hydrochasma_targets_organizations_in_Asia
LOW
+

Intel Source:
Symantec
Intel Name:
A_new_threat_group_Hydrochasma_targets_organizations_in_Asia
Date of Scan:
2023-02-22
Impact:
LOW
Summary:
Researchers from Symantec have observed a new threat group, Hydrochasma, attacking shipping companies and medical laboratories in Asia. Hydrochasma has not been linked to any previously identified group, but appears to have a possible interest in industries that may be involved in COVID-19-related treatments or vaccines. A possible infection vector used by Hydrochasma was a phishing email.


Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/hydrochasma-asia-medical-shipping-intelligence-gathering

2023-02-22
HWP_Malware_Using_the_Steganography_Technique
LOW
+

Intel Source:
ASEC
Intel Name:
HWP_Malware_Using_the_Steganography_Technique
Date of Scan:
2023-02-22
Impact:
LOW
Summary:
ASEC researchers have discovered that the RedEyes threat group is distributing malware by exploiting the HWP EPS (Encapsulated PostScript) vulnerability (CVE-2017-8291).


Source:
https://asec.ahnlab.com/en/48063/

2023-02-22
Raccoon_Stealer_V2_Using_Microsoft_Add_Ins_to_Delivering_Malware
MEDIUM
+

Intel Source:
Quickheal
Intel Name:
Raccoon_Stealer_V2_Using_Microsoft_Add_Ins_to_Delivering_Malware
Date of Scan:
2023-02-22
Impact:
MEDIUM
Summary:
Researchers from QuickHeal have identified that Microsoft Add-Ins can present a potential threat vector for malware like Raccoon Stealer V2. These types of malware are designed to steal sensitive information from infected systems and use Microsoft Add-Ins as a means of delivering the malware to target systems.


Source:
https://blogs.quickheal.com/your-office-document-is-at-risk-xll-a-new-attack-vector/

2023-02-22
Analysis_of_Icarus_Stealer
LOW
+

Intel Source:
Esentire
Intel Name:
Analysis_of_Icarus_Stealer
Date of Scan:
2023-02-22
Impact:
LOW
Summary:
Esentire researchers have analyzed the Icarus stealer malware, covering the technical details of how it operates and security recommendations to protect organizations from being exploited.


Source:
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-icarus-stealer

2023-02-22
ReverseRAT_Backdoor_Targeting_Indian_Government_Agencies
MEDIUM
+

Intel Source:
ThreatMon
Intel Name:
ReverseRAT_Backdoor_Targeting_Indian_Government_Agencies
Date of Scan:
2023-02-22
Impact:
MEDIUM
Summary:
Researchers from ThreatMon have observed a spear-phishing campaign targeting Indian government entities that aims to deploy an updated version of a backdoor called ReverseRAT.


Source:
https://threatmon.io/apt-sidecopy-targeting-indian-government-entities/

2023-02-22
STL_Investigation_222
LOW
+

Intel Source:
SecuronixThreatLabs
Intel Name:
STL_Investigation_222
Date of Scan:
2023-02-22
Impact:
LOW
Summary:
Indicators of Compromise related to a Securonix Threat Labs investigation


Source:
http://www.SecuronixThreatLabs.com

2023-02-22
VMWare_ESXi_Vulnerability_targeted_by_ESXiArgs_Ransomware
MEDIUM

Intel Source:
Securityscorecard
Intel Name:
VMWare_ESXi_Vulnerability_targeted_by_ESXiArgs_Ransomware
Date of Scan:
2023-02-22
Impact:
MEDIUM
Summary:
Following warnings of a widespread ransomware campaign exploiting CVE-2021-21974, a VMware ESXi vulnerability, the SecurityScorecard Threat Research Team analyzed the new campaign in response to the advisories and discovered possible communication between target IP addresses and infrastructure involved in exploiting this vulnerability.


Source:
https://securityscorecard.com/research/esxiargs-ransomware-campaign-targets-vmware-esxi-vulnerability/

2023-02-22
Qakbot_Distributing_via_OneNote
LOW

Intel Source:
Cyble
Intel Name:
Qakbot_Distributing_via_OneNote
Date of Scan:
2023-02-22
Impact:
LOW
Summary:
Cyble researchers have identified multiple distribution methods for the widely known banking trojan Qakbot; these methods include malspam with OneNote attachments, malspam with ZIP files containing WSF scripts, and others.


Source:
https://blog.cyble.com/2023/02/17/the-many-faces-of-qakbot-malware-a-look-at-its-diverse-distribution-methods/

2023-02-22
Return_of_Redline_Stealer
LOW

Intel Source:
SocInvestigation
Intel Name:
Return_of_Redline_Stealer
Date of Scan:
2023-02-22
Impact:
LOW
Summary:
SOC Investigation researchers discussed the Redline Stealer malware in their blog, covering its background, capabilities, and impact, and outlining the basic steps of the malware.


Source:
https://www.socinvestigation.com/redline-stealer-returns-with-new-ttps-detection-response/

2023-02-21
The_Deep_Examination_of_CatB_Ransomware
LOW

Intel Source:
Fortinet
Intel Name:
The_Deep_Examination_of_CatB_Ransomware
Date of Scan:
2023-02-21
Impact:
LOW
Summary:
Fortinet researchers have analyzed the CatB ransomware. It is a reasonably new entrant to the ransomware field, with samples only dating back to December 2022.


Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-catb-ransomware

2023-02-21
Royal_Ransomware_Targeting_Linux_ESXi_Servers
MEDIUM

Intel Source:
TrendMicro
Intel Name:
Royal_Ransomware_Targeting_Linux_ESXi_Servers
Date of Scan:
2023-02-21
Impact:
MEDIUM
Summary:
TrendMicro researchers have observed that Royal ransomware is expanding its targets by increasingly developing Linux-based versions.


Source:
https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html

2023-02-20
BlackCat_Ransomware_Group_Targeting_Healthcare_Service_Provider
LOW

Intel Source:
SecurityScoreCard
Intel Name:
BlackCat_Ransomware_Group_Targeting_Healthcare_Service_Provider
Date of Scan:
2023-02-20
Impact:
LOW
Summary:
SecurityScorecard researchers have observed the BlackCat ransomware group adding an entry for an electronic health record (EHR) vendor to its extortion site.


Source:
https://securityscorecard.com/research/blackcat-ransomware-group-claims-attack-on-healthcare-service-provider/

2023-02-20
Hackers_Targeting_Security_Service_of_Ukraine_and_NATO_Allies
LOW

Intel Source:
Eclecticiq
Intel Name:
Hackers_Targeting_Security_Service_of_Ukraine_and_NATO_Allies
Date of Scan:
2023-02-20
Impact:
LOW
Summary:
EclecticIQ researchers have observed multiple weaponized phishing emails probably targeting the Security Service of Ukraine (SSU), NATO allies like Latvia, and private companies such as Culver Aviation.


Source:
https://blog.eclecticiq.com/three-cases-of-cyber-attacks-on-the-security-service-of-ukraine-and-nato-allies-likely-by-russian-state-sponsored-gamaredon

2023-02-20
The_Dangers_of_Installing_Nulled_WordPress_Themes_and_Plugins
LOW

Intel Source:
Sucuri
Intel Name:
The_Dangers_of_Installing_Nulled_WordPress_Themes_and_Plugins
Date of Scan:
2023-02-20
Impact:
LOW
Summary:
Researchers from Sucuri have identified that installing nulled themes or plugins on a website not only constitutes software theft but can also introduce serious risks, including malware, SEO spam, and website backdoors.


Source:
https://blog.sucuri.net/2023/02/the-dangers-of-installing-nulled-wordpress-themes-and-plugins.html

2023-02-20
WordPress_Sites_Backdoored_With_Ad_Fraud_Plugin
LOW

Intel Source:
Malwarebytes
Intel Name:
WordPress_Sites_Backdoored_With_Ad_Fraud_Plugin
Date of Scan:
2023-02-20
Impact:
LOW
Summary:
Malwarebytes researchers have identified around 50 WordPress blogs that have been backdoored with a plugin called fuser-master.


Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/02/wordpress-sites-backdoored-with-ad-fraud-plugin

2023-02-19
A_new_threat_cluster_WIP26
MEDIUM

Intel Source:
SentinelOne
Intel Name:
A_new_threat_cluster_WIP26
Date of Scan:
2023-02-19
Impact:
MEDIUM
Summary:
SentinelLabs has observed threat activity tracked as WIP26. This threat actor has been targeting telecommunication companies in the Middle East. WIP26 is characterized by its abuse of public cloud infrastructure – Microsoft 365 Mail, Microsoft Azure, Google Firebase, and Dropbox – for malware delivery, data exfiltration, and C2 purposes.


Source:
https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/

2023-02-18
From_Targeting_Attacks_to_widespread_Usage_of_Brute_Ratel
LOW

Intel Source:
Yoroi
Intel Name:
From_Targeting_Attacks_to_widespread_Usage_of_Brute_Ratel
Date of Scan:
2023-02-18
Impact:
LOW
Summary:
Researchers from Yoroi have identified and tracked security threats that involve actively searching for and analyzing potential security breaches or anomalies in an organization’s systems and networks.


Source:
https://yoroi.company/research/hunting-cyber-evil-ratels-from-the-targeted-attacks-to-the-widespread-usage-of-brute-ratel/?&web_view=true

2023-02-18
Analysis_of_distribution_sites_of_Magniber_ransomware_using_EDR
LOW

Intel Source:
ASEC
Intel Name:
Analysis_of_distribution_sites_of_Magniber_ransomware_using_EDR
Date of Scan:
2023-02-18
Impact:
LOW
Summary:
ASEC researchers have confirmed that Magniber ransomware distribution continues and are tracking the distribution site URLs through a different method, using EDR.


Source:
https://asec.ahnlab.com/en/47909/

2023-02-18
Earth_Kitsune_Delivering_New_WhiskerSpy_Backdoor
LOW

Intel Source:
TrendMicro
Intel Name:
Earth_Kitsune_Delivering_New_WhiskerSpy_Backdoor
Date of Scan:
2023-02-18
Impact:
LOW
Summary:
TrendMicro researchers have discovered a new backdoor which they have attributed to the APT group known as Earth Kitsune. Since 2019, Earth Kitsune has been distributing variants of self-developed backdoors to targets, primarily individuals who are interested in North Korea.


Source:
https://www.trendmicro.com/en_us/research/23/b/earth-kitsune-delivers-new-whiskerspy-backdoor.html

2023-02-18
DarkBit_Ransomware_Targeting_Israel
MEDIUM

Intel Source:
Blackberry
Intel Name:
DarkBit_Ransomware_Targeting_Israel
Date of Scan:
2023-02-18
Impact:
MEDIUM
Summary:
BlackBerry researchers have identified a new ransomware strain dubbed “DarkBit” that has recently appeared on the threat landscape after targeting one of Israel’s top research universities, Technion – Israel Institute of Technology (IIT).


Source:
https://blogs.blackberry.com/en/2023/02/darkbit-ransomware-targets-israel

2023-02-17
Mirai_Variant_V3G4_Targeting_IoT_Devices
LOW

Intel Source:
PaloAlto
Intel Name:
Mirai_Variant_V3G4_Targeting_IoT_Devices
Date of Scan:
2023-02-17
Impact:
LOW
Summary:
Researchers from PaloAlto have observed that a Mirai variant called V3G4 is leveraging several vulnerabilities to spread itself. Once vulnerable devices are compromised, they are fully controlled by the attackers and become part of the botnet.


Source:
https://unit42.paloaltonetworks.com/mirai-variant-v3g4/

2023-02-17
Hackers_From_RedEyes_Using_New_Malware_to_Steal_Data
LOW

Intel Source:
ASEC
Intel Name:
Hackers_From_RedEyes_Using_New_Malware_to_Steal_Data
Date of Scan:
2023-02-17
Impact:
LOW
Summary:
ASEC researchers have identified that the APT37 threat group is using a new evasive ‘M2RAT’ malware and steganography to target individuals for intelligence collection.


Source:
https://asec.ahnlab.com/ko/47622/

2023-02-17
The_Analysis_of_TZW_Ransomware
LOW

Intel Source:
Sentinelone
Intel Name:
The_Analysis_of_TZW_Ransomware
Date of Scan:
2023-02-17
Impact:
LOW
Summary:
SentinelOne researchers have analyzed the TZW ransomware in depth and observed that it is linked to a known malware family called GlobeImposter (sometimes referred to as LOLNEK or LOLKEK).


Source:
https://www.sentinelone.com/blog/recent-tzw-campaigns-revealed-as-part-of-globeimposter-malware-family/

2023-02-17
New_Malware_Abusing_Microsoft_IIS_Feature_to_Establish_Backdoor
MEDIUM

Intel Source:
Symantec
Intel Name:
New_Malware_Abusing_Microsoft_IIS_Feature_to_Establish_Backdoor
Date of Scan:
2023-02-17
Impact:
MEDIUM
Summary:
Researchers from Symantec have observed a new malware that abuses a feature of Microsoft’s Internet Information Services (IIS) to deploy a backdoor onto targeted systems.


Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/frebniis-malware-iis

2023-02-17
Malware_Campaign_Delivering_ProxyShellMiner_to_Windows_Endpoints
MEDIUM

Intel Source:
Morphisec
Intel Name:
Malware_Campaign_Delivering_ProxyShellMiner_to_Windows_Endpoints
Date of Scan:
2023-02-17
Impact:
MEDIUM
Summary:
Morphisec researchers have identified a highly evasive malware campaign delivering ProxyShellMiner to Windows endpoints. ProxyShellMiner exploits the ProxyShell vulnerabilities CVE-2021-34473 and CVE-2021-34523 in Windows Exchange servers for initial access and compromise of an organization to deliver crypto miners.


Source:
https://blog.morphisec.com/proxyshellminer-campaign

2023-02-17
ESXiArgs_Ransomware_Leveraging_Two_Year_Old_Vulnerability
LOW

Intel Source:
Trellix
Intel Name:
ESXiArgs_Ransomware_Leveraging_Two_Year_Old_Vulnerability
Date of Scan:
2023-02-17
Impact:
LOW
Summary:
Trellix researchers have identified a global ESXiArgs ransomware attack on the back of a two-year-old vulnerability. The vulnerability targeted by the ransomware actors is CVE-2021-21974, which allows an attacker to exploit the OpenSLP protocol if the affected server is exposed to the internet.


Source:
https://www.trellix.com/en-us/about/newsroom/stories/research/global-esxiargs-ransomware-attack-on-the-back-of-a-two-year-old-vulnerability.html

2023-02-17
Earth_Yako_Group_is_Back
LOW

Intel Source:
TrendMicro
Intel Name:
Earth_Yako_Group_is_Back
Date of Scan:
2023-02-17
Impact:
LOW
Summary:
Researchers from TrendMicro have investigated several incidents and observed that the intrusion set introduced new tools and malware within a short period of time, frequently changing and expanding its attack targets. Security researchers believe that Earth Yako is still active and will keep targeting more organizations soon.


Source:
https://www.trendmicro.com/en_us/research/23/b/invitation-to-secret-event-uncovering-earth-yako-campaigns.html

2023-02-17
Dark_Caracal_APT_Back_with_New_Version_of_Bandook_Spyware
MEDIUM

Intel Source:
Lookout
Intel Name:
Dark_Caracal_APT_Back_with_New_Version_of_Bandook_Spyware
Date of Scan:
2023-02-17
Impact:
MEDIUM
Summary:
Researchers from Lookout have discovered that the Dark Caracal APT is currently using a new version of Bandook spyware to target Windows systems.


Source:
https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf

2023-02-17
Trojanized_Installers_Targeting_Southeast_and_East_Asia
LOW

Intel Source:
Welivesecurity
Intel Name:
Trojanized_Installers_Targeting_Southeast_and_East_Asia
Date of Scan:
2023-02-17
Impact:
LOW
Summary:
ESET researchers have identified a campaign using trojanized installers to deliver the FatalRAT malware, distributed via malicious websites linked in ads that appear in Google search results.


Source:
https://www.welivesecurity.com/2023/02/16/these-arent-apps-youre-looking-for-fake-installers/

2023-02-16
US_Public_Housing_Authority_ransomware_attack
LOW

Intel Source:
SecurityScoreCard
Intel Name:
US_Public_Housing_Authority_ransomware_attack
Date of Scan:
2023-02-16
Impact:
LOW
Summary:
A U.S. Public Housing Authority has announced a disruption but has not elaborated on the nature of the event. The LockBit ransomware group, which has made false claims in the past, took responsibility for the incident.


Source:
https://securityscorecard.com/research/ransomware-attack-against-u-s-public-housing-authority-linked-to-previous-attacks/

2023-02-16
Malware_Targeting_Security_Related_Workers
LOW

Intel Source:
ASEC
Intel Name:
Malware_Targeting_Security_Related_Workers
Date of Scan:
2023-02-16
Impact:
LOW
Summary:
ASEC researchers have discovered malware being distributed to broadcasting companies and ordinary companies as well as to those in the security-related field.


Source:
https://asec.ahnlab.com/en/47585/

2023-02-16
Paradise_Ransomware_Distributing_Through_AweSun_Vulnerability_Exploitation
LOW

Intel Source:
ASEC
Intel Name:
Paradise_Ransomware_Distributing_Through_AweSun_Vulnerability_Exploitation
Date of Scan:
2023-02-16
Impact:
LOW
Summary:
ASEC researchers have discovered the distribution of Paradise ransomware; the threat actors are suspected of exploiting a vulnerability in the Chinese remote control program AweSun.


Source:
https://asec.ahnlab.com/en/47590/

2023-02-16
A_new_Havoc_campaign_targeting_a_Government_organization
LOW

Intel Source:
ZScaler
Intel Name:
A_new_Havoc_campaign_targeting_a_Government_organization
Date of Scan:
2023-02-16
Impact:
LOW
Summary:
The Zscaler ThreatLabz research team observed a new campaign targeting a government organization in which the threat actors used a new Command & Control (C2) framework named Havoc. The team provided a technical analysis and overview of the recently discovered attack campaign and showed how Havoc can be leveraged by threat actors in various campaigns.


Source:
https://www.zscaler.com/blogs/security-research/havoc-across-cyberspace

2023-02-16
Diving_Deep_into_DarkBit_Ransomware
LOW

Intel Source:
Cyble
Intel Name:
Diving_Deep_into_DarkBit_Ransomware
Date of Scan:
2023-02-16
Impact:
LOW
Summary:
Cyble researchers have recently detected a sample of the DarkBit ransomware and analyzed its details.


Source:
https://blog.cyble.com/2023/02/15/uncovering-the-dark-side-of-darkbit-ransomware/

2023-02-16
LockBit_2_0_Ransomware_is_Back
MEDIUM

Intel Source:
ASEC
Intel Name:
LockBit_2_0_Ransomware_is_Back
Date of Scan:
2023-02-16
Impact:
MEDIUM
Summary:
ASEC researchers have identified that Lockbit 2.0 is being distributed in a MalPE format instead of the NSIS format.


Source:
https://asec.ahnlab.com/en/47739/

2023-02-16
Microsoft_OneNote_Sample_Targeting_Cisco_VPN
LOW

Intel Source:
DOCGuard
Intel Name:
Microsoft_OneNote_Sample_Targeting_Cisco_VPN
Date of Scan:
2023-02-16
Impact:
LOW
Summary:
Researchers from DOCGuard have identified a Microsoft OneNote sample targeting Cisco VPN users that bypasses all antivirus engines.


Source:
https://twitter.com/doc_guard/status/1625872935595507713

2023-02-15
Qakbot_Malware_Distributing_via_OneNote
LOW

Intel Source:
ASEC
Intel Name:
Qakbot_Malware_Distributing_via_OneNote
Date of Scan:
2023-02-15
Impact:
LOW
Summary:
Researchers from ASEC have identified that Qakbot stopped using MS Office macros, its past distribution method, and instead started using OneNote to execute its malware.


Source:
https://asec.ahnlab.com/en/47785/

2023-02-15
A_Deep_Investigation_of_VMware_ESXi_Servers_Vulnerability
LOW

Intel Source:
BitDefender
Intel Name:
A_Deep_Investigation_of_VMware_ESXi_Servers_Vulnerability
Date of Scan:
2023-02-15
Impact:
LOW
Summary:
BitDefender researchers have investigated the VMware ESXi server vulnerability targeted by opportunistic threat actors and advised users to patch it immediately.


Source:
https://businessinsights.bitdefender.com/technical-advisory-immediately-patch-your-vmware-esxi-servers-targeted-by-opportunistic-threat-actors

2023-02-15
Turkish_Earthquake_Leads_to_Fake_Donation_Schemes
MEDIUM

Intel Source:
Cyble
Intel Name:
Turkish_Earthquake_Leads_to_Fake_Donation_Schemes
Date of Scan:
2023-02-15
Impact:
MEDIUM
Summary:
Researchers from Cyble have discovered various domains and IP addresses hosting websites that claim to be collecting funds to aid those affected by the earthquake in Turkey and Syria.


Source:
https://blog.cyble.com/2023/02/13/increase-in-fake-donation-schemes-following-massive-earthquake-in-turkey/

2023-02-15
Active_IOCs_of_Tofsee_Malware
LOW

Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_Tofsee_Malware
Date of Scan:
2023-02-15
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of Tofsee Malware. It has been around since 2016. Once installed on a compromised computer, it can be used to send spam emails and gather user data.


Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alerts-tofsee-malware-active-iocs

2023-02-15
New_Malware_That_Can_Fly_Under_the_Radar
LOW

Intel Source:
Minerva Labs
Intel Name:
New_Malware_That_Can_Fly_Under_the_Radar
Date of Scan:
2023-02-15
Impact:
LOW
Summary:
Researchers from Minerva Labs have identified a new piece of evasive malware dubbed Beep that’s designed to fly under the radar and drop additional payloads onto a compromised host.


Source:
https://minerva-labs.com/blog/beepin-out-of-the-sandbox-analyzing-a-new-extremely-evasive-malware/

2023-02-15
Pybot_DDoS_Distributing_With_Illegal_Software
LOW

Intel Source:
ASEC
Intel Name:
Pybot_DDoS_Distributing_With_Illegal_Software
Date of Scan:
2023-02-15
Impact:
LOW
Summary:
ASEC researchers have been monitoring malware distributed through illegal software such as cracks or serial keygens and recently discovered Pybot DDoS being distributed with such software.


Source:
https://asec.ahnlab.com/en/47789/

2023-02-14
Diving_Deep_into_Mylobot
LOW

Intel Source:
BitSight
Intel Name:
Diving_Deep_into_Mylobot
Date of Scan:
2023-02-14
Impact:
LOW
Summary:
BitSight researchers have analyzed the Mylobot malware and focused on its main capability, which is transforming the infected system into a proxy.


Source:
https://www.bitsight.com/blog/mylobot-investigating-proxy-botnet

2023-02-14
Hackers_Targeting_Ukraine_Using_Remote_Utility_Program
MEDIUM

Intel Source:
CERT-UA
Intel Name:
Hackers_Targeting_Ukraine_Using_Remote_Utility_Program
Date of Scan:
2023-02-14
Impact:
MEDIUM
Summary:
CERT-UA researchers have identified a cyber attack on organizations and institutions in Ukraine using the Remote Utilities program.


Source:
https://cert.gov.ua/article/3863542

2023-02-14
Hackers_From_ChinaTargeting_GroupIB_Cybersecurity_Firm
MEDIUM

Intel Source:
Group-IB
Intel Name:
Hackers_From_ChinaTargeting_GroupIB_Cybersecurity_Firm
Date of Scan:
2023-02-14
Impact:
MEDIUM
Summary:
Group-IB researchers have identified that an APT group known as Tonto Team has tried targeting the Singapore-based Group-IB cybersecurity firm for the second time.


Source:
https://www.group-ib.com/blog/tonto-team/

2023-02-13
Hackers_From_Dalbit_Group_Targeting_Vulnerable_Korean_Company_Servers
LOW

Intel Source:
ASEC
Intel Name:
Hackers_From_Dalbit_Group_Targeting_Vulnerable_Korean_Company_Servers
Date of Scan:
2023-02-13
Impact:
LOW
Summary:
ASEC researchers have identified that the Chinese threat actor group named Dalbit (m00nlight) is targeting vulnerable Korean company servers. Also, this group uses publicly available tools, from the WebShell used in the early stages to the ransomware used at the end.


Source:
https://asec.ahnlab.com/en/47455/

2023-02-13
Malicious_Npm_Package_Using_Typosquatting_to_Download_Malware
LOW

Intel Source:
Reversing Labs
Intel Name:
Malicious_Npm_Package_Using_Typosquatting_to_Download_Malware
Date of Scan:
2023-02-13
Impact:
LOW
Summary:
Reversing Labs researchers have observed a package called “aabquerys” on the open-source JavaScript npm repository using typosquatting techniques to enable the download of malicious components.


Source:
https://www.reversinglabs.com/blog/open-source-malware-sows-havoc-on-supply-chain

2023-02-13
Website_posing_as_Naver_login_page
LOW

Intel Source:
ASEC
Intel Name:
Website_posing_as_Naver_login_page
Date of Scan:
2023-02-13
Impact:
LOW
Summary:
ASEC researchers have observed a situation where a fake Kakao login page is used to steal the account credentials of certain individuals.


Source:
https://asec.ahnlab.com/en/47530/

2023-02-13
The_Clop_Ransomware_Claims_to_Have_Breached_130_Organizations
MEDIUM

Intel Source:
Huntress
Intel Name:
The_Clop_Ransomware_Claims_to_Have_Breached_130_Organizations
Date of Scan:
2023-02-13
Impact:
MEDIUM
Summary:
Researchers from Huntress have identified that the Clop ransomware gang claims to be behind recent attacks that exploited a zero-day vulnerability in the GoAnywhere MFT secure file transfer tool, saying they stole data from over 130 organizations.


Source:
https://www.huntress.com/blog/investigating-intrusions-from-intriguing-exploits

2023-02-13
Supply_Chain_Attack_by_New_Malicious_Python_Package
LOW

Intel Source:
Fortinet
Intel Name:
Supply_Chain_Attack_by_New_Malicious_Python_Package
Date of Scan:
2023-02-13
Impact:
LOW
Summary:
Fortinet researchers have identified five malicious packages on the Python Package Index (PyPI) that steal passwords, Discord authentication cookies, and cryptocurrency wallets from unsuspecting developers.


Source:
https://www.fortinet.com/blog/threat-research/supply-chain-attack-via-new-malicious-python-packages-by-malware-author-core1337

2023-02-13
AsyncRAT_Leveraging_Windows_Help_File
LOW

Intel Source:
ASEC
Intel Name:
AsyncRAT_Leveraging_Windows_Help_File
Date of Scan:
2023-02-13
Impact:
LOW
Summary:
ASEC researchers have identified that AsyncRAT is being distributed as a Windows help file (*.chm).


Source:
https://asec.ahnlab.com/en/47525/

2023-02-12
DPRK_Malicious_Cyber_Activities
MEDIUM

Intel Source:
CISA
Intel Name:
DPRK_Malicious_Cyber_Activities
Date of Scan:
2023-02-12
Impact:
MEDIUM
Summary:
This cybersecurity advisory provides an overview of Democratic People’s Republic of Korea (DPRK) state-sponsored ransomware, the TTPs and IOCs that DPRK cyber actors used to gain access to and conduct ransomware attacks against Healthcare and Public Health (HPH) Sector organizations and other critical infrastructure sector entities, and DPRK cyber actors’ use of cryptocurrency to demand ransoms.


Source:
https://www.cisa.gov/uscert/ncas/alerts/aa23-040a

2023-02-10
Malicious_Google_Ads_Targeting_AWS_Login
LOW

Intel Source:
Sentinelone
Intel Name:
Malicious_Google_Ads_Targeting_AWS_Login
Date of Scan:
2023-02-10
Impact:
LOW
Summary:
SentinelOne researchers have identified a new phishing campaign targeting Amazon Web Services (AWS) logins that abuses Google ads to sneak phishing sites into Google Search and steal login credentials.


Source:
https://www.sentinelone.com/blog/cloud-credentials-phishing-malicious-google-ads-target-aws-logins/

2023-02-10
Hackers_Leveraging_HTML_Smuggling_to_Deliver_Malware
LOW

Intel Source:
SpiderLabs Blog
Intel Name:
Hackers_Leveraging_HTML_Smuggling_to_Deliver_Malware
Date of Scan:
2023-02-10
Impact:
LOW
Summary:
SpiderLabs researchers have analyzed some notable malware strains that have utilized HTML smuggling in their infection chain and provided a brief analysis of each.


Source:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/html-smuggling-the-hidden-threat-in-your-inbox/

2023-02-10
Ransomware_Attac_on_Critical_Infrastructure_Funded_by_DPRK
LOW

Intel Source:
CISA
Intel Name:
Ransomware_Attac_on_Critical_Infrastructure_Funded_by_DPRK
Date of Scan:
2023-02-10
Impact:
LOW
Summary:
CISA researchers have identified the TTPs and IOCs that DPRK cyber actors use to gain access to and conduct ransomware attacks against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities, as well as DPRK cyber actors’ use of cryptocurrency to demand ransoms.


Source:
https://www.cisa.gov/uscert/ncas/alerts/aa23-040a

2023-02-09
GootLoader_Leveraging_SEO_Poisoning_Techniques
LOW

Intel Source:
Cybereason
Intel Name:
GootLoader_Leveraging_SEO_Poisoning_Techniques
Date of Scan:
2023-02-09
Impact:
LOW
Summary:
Cybereason researchers have investigated an incident that involved new deployment methods of the GootLoader malware loader through heavily-obfuscated JavaScript files.


Source:
https://www.cybereason.com/blog/threat-alert-gootloader-seo-poisoning-and-large-payloads-leading-to-compromise https://www.cybereason.com/hubfs/THREAT%20ALERT%20GootLoader%20-%20Large%20payload%20leading%20to%20compromise%20(BLOG).pdf

2023-02-09
Hackers_From_NewsPenguin_Targeting_Pakistani_Entities
LOW

Intel Source:
Blackberry
Intel Name:
Hackers_From_NewsPenguin_Targeting_Pakistani_Entities
Date of Scan:
2023-02-09
Impact:
LOW
Summary:
BlackBerry researchers have identified that a previously unknown threat actor dubbed NewsPenguin has been linked to a phishing campaign targeting Pakistani entities by leveraging the upcoming international maritime expo as a lure.


Source:
https://blogs.blackberry.com/en/2023/02/newspenguin-a-previously-unknown-threat-actor-targets-pakistan-with-advanced-espionage-tool

2023-02-09
Analysis_of_ESXiArgs_Ransomware
LOW

Intel Source:
SecuInfra
Intel Name:
Analysis_of_ESXiArgs_Ransomware
Date of Scan:
2023-02-09
Impact:
LOW
Summary:
In their post, SecuInfra analysts analyze the recent “ESXiArgs” ransomware variant, which spread to a large number of outdated, internet-exposed ESXi servers around the world.


Source:
https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/

2023-02-09
The_distribution_of_Quasar_RAT
LOW

Intel Source:
ASEC
Intel Name:
The_distribution_of_Quasar_RAT
Date of Scan:
2023-02-09
Impact:
LOW
Summary:
The ASEC analysis team recently discovered the Quasar RAT malware being distributed through a private Home Trading System (HTS). It is assumed that the victims did not install their HTS from an institutional financial company but instead obtained the HPlus HTS from an unsanctioned source or a disguised financial investment company. Quasar is a RAT that allows threat actors to gain control over infected systems to steal information or perform other malicious actions.


Source:
https://asec.ahnlab.com/en/47283/

2023-02-09
Malicious_aptX_Python_Package_Drops_Meterpreter_Shell
LOW

Intel Source:
Sonatype
Intel Name:
Malicious_aptX_Python_Package_Drops_Meterpreter_Shell
Date of Scan:
2023-02-09
Impact:
LOW
Summary:
Researchers from Sonatype have identified malicious Python packages on the PyPI software registry that carry out a range of malicious activities.


Source:
https://blog.sonatype.com/malicious-aptx-python-package-drops-meterpreter-shell-deletes-netstat

2023-02-09
New_Russian_Information_Stealing_Malware_Graphiron
MEDIUM

Intel Source:
Symantec
Intel Name:
New_Russian_Information_Stealing_Malware_Graphiron
Date of Scan:
2023-02-09
Impact:
MEDIUM
Summary:
The Russian Nodaria group has deployed a new malware threat designed to steal a wide range of information from infected computers. The Nodaria espionage group (aka UAC-0056) is using this new piece of information-stealing malware against targets in Ukraine. The malware (Infostealer.Graphiron) is written in Go and is meant to collect a wide range of information from the infected computer, including system information, credentials, screenshots, and files.


Source:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer

2023-02-09
A_Backdoor_with_Smart_Screenshot_Capability
LOW

Intel Source:
ISC.SANS
Intel Name:
A_Backdoor_with_Smart_Screenshot_Capability
Date of Scan:
2023-02-09
Impact:
LOW
Summary:
Researchers from SANS have observed that backdoors and trojans implement screenshot capabilities to “see” what is displayed on the victim’s computer, and analyzed a backdoor that takes screenshots in Python.


Source:
https://isc.sans.edu/diary/rss/29534

2023-02-09
The_malware_attacks_distributed_by_SteelClove_group
LOW

Intel Source:
NTT Security
Intel Name:
The_malware_attacks_distributed_by_SteelClove_group
Date of Scan:
2023-02-09
Impact:
LOW
Summary:
The NTT Security SOC team shared the latest tactics used in SteelClover attacks, which are among the most recently observed cases of malware distribution via Google Ads. SteelClover is a financially motivated attack group that has been active since 2019.


Source:
https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle

2023-02-08
Hackers_Targeting_State_Bodies_of_Ukraine
MEDIUM

Intel Source:
CERT-UA
Intel Name:
Hackers_Targeting_State_Bodies_of_Ukraine
Date of Scan:
2023-02-08
Impact:
MEDIUM
Summary:
CERT-UA researchers have identified the mass distribution of e-mails carrying an attachment in the form of a RAR archive, “court letter, information on debt.rar.”


Source:
https://cert.gov.ua/article/3804703

2023-02-08
Ransomware_Attacks_Targeting_VMware_ESXi_Servers
LOW

Intel Source:
Cyble
Intel Name:
Ransomware_Attacks_Targeting_VMware_ESXi_Servers
Date of Scan:
2023-02-08
Impact:
LOW
Summary:
Cyble researchers have identified a ransomware attack targeting VMware ESXi servers to deploy ESXiArgs ransomware.


Source:
https://blog.cyble.com/2023/02/06/massive-ransomware-attack-targets-vmware-esxi-servers/

2023-02-08
Royal_Ransomware_Targeting_VMware_ESXi_Servers_in_Linux_Devices
LOW

Intel Source:
Equinix Threat Analysis Center
Intel Name:
Royal_Ransomware_Targeting_VMware_ESXi_Servers_in_Linux_Devices
Date of Scan:
2023-02-08
Impact:
LOW
Summary:
Researchers from Equinix Threat Analysis Center (ETAC) have identified that Royal ransomware is updating its techniques for encrypting Linux devices and specifically targeting VMware ESXi virtual machines.


Source:
https://twitter.com/BushidoToken/status/1621087221905514496

2023-02-08
Earth_Zhulong_Threat_Group_Targeting_Vietnam_Telecom_and_Media_Sector
MEDIUM

Intel Source:
TrendMicro
Intel Name:
Earth_Zhulong_Threat_Group_Targeting_Vietnam_Telecom_and_Media_Sector
Date of Scan:
2023-02-08
Impact:
MEDIUM
Summary:
TrendMicro researchers have discovered a new hacking group that is targeting Vietnam’s telecom, technology, and media sectors. The group is dubbed Earth Zhulong and is related to the China-linked hacking group 1937CN based on similar code in the custom shellcode loader and on victimology.


Source:
https://www.trendmicro.com/en_us/research/23/b/earth-zhulong-familiar-patterns-target-vietnam.html

2023-02-08
Magniber_Ransomware_Distributing_Again_in_Korea
LOW

Intel Source:
ASEC
Intel Name:
Magniber_Ransomware_Distributing_Again_in_Korea
Date of Scan:
2023-02-08
Impact:
LOW
Summary:
ASEC researchers have discovered the redistribution of Magniber disguised as normal Windows Installers (MSI). The distributed Magniber files have MSI as their extensions, disguising themselves as Windows update files.


Source:
https://asec.ahnlab.com/en/47287/

2023-02-08
Cl0p_Ransomware_Targets_Linux_Systems
LOW

Intel Source:
Sentinelone
Intel Name:
Cl0p_Ransomware_Targets_Linux_Systems
Date of Scan:
2023-02-08
Impact:
LOW
Summary:
Researchers from SentinelOne have observed the first ELF variant of Cl0p (also known as Clop) ransomware targeting Linux systems. The new variant is similar to the Windows variant, using the same encryption method and similar process logic.


Source:
https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/

2023-02-08
ASEC_Weekly_Malware_samples_January_30th_to_February_5th_2023
LOW

Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Malware_samples_January_30th_to_February_5th_2023
Date of Scan:
2023-02-08
Impact:
LOW
Summary:
The ASEC analysis team keeps monitoring weekly malware sample collections; for January 30 to February 5, 2023, the top malware families were SmokeLoader, BeamWinHTTP, Formbook, Quasar RAT and Redline.


Source:
https://asec.ahnlab.com/en/47330/

2023-02-08
Newly_Threat_Actor_TA866_Distributing_Malware_via_Email
MEDIUM

Intel Source:
Proofpoint
Intel Name:
Newly_Threat_Actor_TA866_Distributing_Malware_via_Email
Date of Scan:
2023-02-08
Impact:
MEDIUM
Summary:
Researchers from Proofpoint have observed a cluster of evolving, financially motivated activity which they refer to as "Screentime". The attack chain starts with an email containing a malicious attachment or URL and leads to malware that Proofpoint dubbed WasabiSeed and Screenshotter.


Source:
https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me

2023-02-07
Analysis_of_the_AveMaria_infostealer_attack_chain
LOW

Intel Source:
Zscaler
Intel Name:
Analysis_of_the_AveMaria_infostealer_attack_chain
Date of Scan:
2023-02-07
Impact:
LOW
Summary:
Zscaler's ThreatLabz research team closely monitors and tracks active threat campaigns. Their report provides seven case studies that give an in-depth analysis of the AveMaria infostealer attack chain and how it has shifted over the past six months.


Source:
https://www.zscaler.com/blogs/security-research/dynamic-approaches-seen-avemarias-distribution-strategy

2023-02-07
Active_IOCs_of_Trickbot_Malware
MEDIUM

Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_Trickbot_Malware
Date of Scan:
2023-02-07
Impact:
MEDIUM
Summary:
Researchers from Rewterz have identified the active IOCs of Trickbot malware. It has been operating since 2016. It is primarily distributed through phishing campaigns and is known for its ability to steal sensitive information such as login credentials, financial information, and personal data.


Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-trickbot-malware-active-iocs-30

2023-02-07
The_Trigona_ransomware_variant
MEDIUM

Intel Source:
Fortinet
Intel Name:
The_Trigona_ransomware_variant
Date of Scan:
2023-02-07
Impact:
MEDIUM
Summary:
FortiGuard Labs compiled a report on the Trigona ransomware with details and insights on this ransomware landscape and on protecting against its variants.


Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-trigona-ransomware

2023-02-07
New_Medusa_Botnet_targeting_Linux_Users
MEDIUM

Intel Source:
Cyble
Intel Name:
New_Medusa_Botnet_targeting_Linux_Users
Date of Scan:
2023-02-07
Impact:
MEDIUM
Summary:
Cyble Research and Intelligence Labs has been monitoring the actions and behavior of the MiraiBot, a botnet capable of performing DDoS, ransomware, and brute-force attacks.


Source:
https://blog.cyble.com/2023/02/03/new-medusa-botnet-emerging-via-mirai-botnet-targeting-linux-users/

2023-02-07
The_cases_of_threat_actors_using_Sliver_malware
LOW

Intel Source:
ASEC
Intel Name:
The_cases_of_threat_actors_using_Sliver_malware
Date of Scan:
2023-02-07
Impact:
LOW
Summary:
This ASEC blog describes recent cases of threat actors using Sliver in addition to Cobalt Strike and Metasploit. The ASEC (AhnLab Security Emergency response Center) analysis team keeps an eye on attacks against systems with either unpatched vulnerabilities or misconfigured settings. They recently discovered a Sliver backdoor being installed through what is presumed to be exploitation of a vulnerability in certain software.


Source:
https://asec.ahnlab.com/en/47088/

2023-02-07
Hackers_backdoor_Windows_Devices_in_Sliver_and_BYOVD_Attacks
LOW

Intel Source:
ASEC
Intel Name:
Hackers_backdoor_Windows_Devices_in_Sliver_and_BYOVD_Attacks
Date of Scan:
2023-02-07
Impact:
LOW
Summary:
ASEC researchers have identified a new hacking campaign that exploits Sunlogin flaws to deploy the Sliver post-exploitation toolkit and launch Windows Bring Your Own Vulnerable Driver (BYOVD) attacks to disable security software.


Source:
https://asec.ahnlab.com/en/47088/

2023-02-07
Observed_intrusion_used_AutoHotkey_to_launch_a_keylogger
LOW

Intel Source:
The DFIR Report
Intel Name:
Observed_intrusion_used_AutoHotkey_to_launch_a_keylogger
Date of Scan:
2023-02-07
Impact:
LOW
Summary:
The DFIR Report team observed a compromise that began with a Word document containing a malicious VBA macro, which established persistence and communication with a command and control (C2) server. During the initial discovery and user enumeration, the threat actor used AutoHotkey to launch a keylogger.


Source:
https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/

2023-02-06
Hackers_Leveraging_Microsoft_Visual_Studio_Add_Ins_to_Push_Malware
LOW

Intel Source:
Deep Instinct
Intel Name:
Hackers_Leveraging_Microsoft_Visual_Studio_Add_Ins_to_Push_Malware
Date of Scan:
2023-02-06
Impact:
LOW
Summary:
Deep Instinct researchers have observed that hackers are increasingly using Microsoft Visual Studio Tools for Office (VSTO) as a method to achieve persistence and execute code on a target machine via malicious Office add-ins.


Source:
https://www.deepinstinct.com/blog/no-macro-no-worries-vsto-being-weaponized-by-threat-actors

2023-02-06
Supply_Chain_Attack_by_New_Malicious_Python_Package_web3_essential
MEDIUM

Intel Source:
Fortinet
Intel Name:
Supply_Chain_Attack_by_New_Malicious_Python_Package_web3_essential
Date of Scan:
2023-02-06
Impact:
MEDIUM
Summary:
Fortinet researchers have discovered another new 0-day attack in a PyPI (Python Package Index) package called web3-essential. The package includes malicious code in its setup.py installation script that downloads and runs an executable file as part of its installation.


Source:
https://www.fortinet.com/blog/threat-research/supply-chain-attack-by-new-malicious-python-package-web3-essential?&web_view=true

2023-02-06
ASEC_Weekly_Malware_samples_January_23_29th_2023
LOW

Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Malware_samples_January_23_29th_2023
Date of Scan:
2023-02-06
Impact:
LOW
Summary:
The ASEC analysis team keeps monitoring weekly malware sample collections; for January 23-29, 2023, the top malware families were SmokeLoader, BeamWinHTTP, Formbook, AgentTesla and SnakeKeylogger.


Source:
https://asec.ahnlab.com/en/47011/

2023-02-06
The_Gambling_Industry_is_targeted_by_Ice_Breaker_Operation
LOW

Intel Source:
Security Joes
Intel Name:
The_Gambling_Industry_is_targeted_by_Ice_Breaker_Operation
Date of Scan:
2023-02-06
Impact:
LOW
Summary:
In September of last year, Security Joes IRT was informed about an incident involving an attempt to social-engineer an online customer service platform. Due to custom-built rules and extensive employee awareness training, Security Joes IRT was able to push back these threats. They are now tracking a new threat actor as Ice Breaker APT. Although research is still ongoing, the team is sharing this article to reveal the attacker's modus operandi, attack chain, ways to mitigate the threat, and supporting IOCs, TTPs and Yara rules.


Source:
https://www.securityjoes.com/post/operation-ice-breaker-targets-the-gam-bl-ing-industry-right-before-it-s-biggest-gathering

2023-02-05
New_BATLoader_Spreading_RATs_and_Stealers
LOW

Intel Source:
Cyble
Intel Name:
New_BATLoader_Spreading_RATs_and_Stealers
Date of Scan:
2023-02-05
Impact:
LOW
Summary:
Cyble researchers have observed a novel type of BAT loader being used to distribute a range of RAT and stealer malware families. This loader employs an innovative method to deliver the malicious payload to the user's system.


Source:
https://blog.cyble.com/2023/02/02/new-batloader-disseminates-rats-and-stealers/

2023-02-05
The_Details_Examination_of_Malware_Technique
LOW

Intel Source:
Quickheal
Intel Name:
The_Details_Examination_of_Malware_Technique
Date of Scan:
2023-02-05
Impact:
LOW
Summary:
QuickHeal researchers have examined crucial steps in the attack chain, such as how the malware is able to obtain administrative privileges to make changes to the system.


Source:
https://blogs.quickheal.com/uac-bypass-using-cmstp/

2023-02-04
DotNET_Malware_Loaders_aka_MalVirt_Distributing_Through_Malvertising_Attack
LOW

Intel Source:
Sentinelone
Intel Name:
DotNET_Malware_Loaders_aka_MalVirt_Distributing_Through_Malvertising_Attack
Date of Scan:
2023-02-04
Impact:
LOW
Summary:
SentinelOne researchers have observed a cluster of virtualized .NET malware loaders distributed through malvertising attacks. The loader, dubbed MalVirt, uses obfuscated virtualization for anti-analysis and evasion, along with the Windows Process Explorer driver for terminating processes.


Source:
https://www.sentinelone.com/labs/malvirt-net-virtualization-thrives-in-malvertising-attacks/

2023-02-04
Qakbot_Rising_with_New_Strategies
LOW

Intel Source:
Cyble
Intel Name:
Qakbot_Rising_with_New_Strategies
Date of Scan:
2023-02-04
Impact:
LOW
Summary:
Cyble researchers have identified that threat actors are leveraging Microsoft OneNote to infect users.


Source:
https://blog.cyble.com/2023/02/01/qakbots-evolution-continues-with-new-strategies/

2023-02-04
Hackers_From_Korea_Exploiting_Unpatched_Zimbra_Devices
LOW

Intel Source:
WithSecure
Intel Name:
Hackers_From_Korea_Exploiting_Unpatched_Zimbra_Devices
Date of Scan:
2023-02-04
Impact:
LOW
Summary:
Researchers from WithSecure have identified a new intelligence-gathering campaign, linked to the prolific North Korean state-sponsored Lazarus Group, that leveraged known security flaws in unpatched Zimbra devices to compromise victim systems.


Source:
https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf

2023-02-04
Mustang_Panda_APT_Group_Targeting_Europe_With_Spearphishing_Campaign
LOW

Intel Source:
Eclecticiq
Intel Name:
Mustang_Panda_APT_Group_Targeting_Europe_With_Spearphishing_Campaign
Date of Scan:
2023-02-04
Impact:
LOW
Summary:
EclecticIQ researchers have identified that the Mustang Panda APT group started targeting Europe with a new spearphishing campaign using a customized variant of the PlugX backdoor.


Source:
https://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware

2023-02-03
Hackers_From_APT34_Targeting_The_Middle_East
LOW

Intel Source:
TrendMicro
Intel Name:
Hackers_From_APT34_Targeting_The_Middle_East
Date of Scan:
2023-02-03
Impact:
LOW
Summary:
TrendMicro researchers have identified a suspicious executable that was dropped and executed on multiple machines. Upon investigation, it is linked to APT34, and its main goal is to steal users' credentials. Even in the case of a password reset or change, the malware is capable of sending the new credentials to the threat actors.


Source:
https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html

2023-02-03
HeadCrab_Malware_Compromising_Redis_Servers
LOW

Intel Source:
Aqua Blog
Intel Name:
HeadCrab_Malware_Compromising_Redis_Servers
Date of Scan:
2023-02-03
Impact:
LOW
Summary:
Aqua security researchers have identified that around 1,200 Redis database servers worldwide have been corralled into a botnet using an elusive and severe threat dubbed HeadCrab since early September 2021.


Source:
https://blog.aquasec.com/headcrab-attacks-servers-worldwide-with-novel-state-of-art-redis-malware

2023-02-03
Malicious_LNK_File_Disguising_as_a_Normal_HWP_Document
LOW

Intel Source:
ASEC
Intel Name:
Malicious_LNK_File_Disguising_as_a_Normal_HWP_Document
Date of Scan:
2023-02-03
Impact:
LOW
Summary:
ASEC researchers have discovered the distribution of a malicious LNK file disguised as a normal HWP document, along with a text file impersonating the National Tax Service.


Source:
https://asec.ahnlab.com/en/46865/

2023-02-02
The_track_of_tactics_of_the_threat_actor_PYTA27
LOW

Intel Source:
Checkmarx
Intel Name:
The_track_of_tactics_of_the_threat_actor_PYTA27
Date of Scan:
2023-02-02
Impact:
LOW
Summary:
In this blog, Checkmarx threat researchers analyzed the tactics of one attacker who has been distributing their packages for at least four months and shows no signs of stopping. This actor is tracked as PYTA27.


Source:
https://checkmarx.com/blog/evolution-of-a-software-supply-chain-attacker/

2023-02-02
The_Ministry_of_Foreign_Affairs_official_of_Ukraine_Web_Resource_Imitated
MEDIUM

Intel Source:
CERT-UA
Intel Name:
The_Ministry_of_Foreign_Affairs_official_of_Ukraine_Web_Resource_Imitated
Date of Scan:
2023-02-02
Impact:
MEDIUM
Summary:
CERT-UA researchers have discovered a web page imitating the official web resource of the Ministry of Foreign Affairs of Ukraine, which offers to download software for the detection of infected computers.


Source:
https://cert.gov.ua/article/3761023

2023-02-02
Remote_Desktop_Files_targeted_by_evasive_malware
MEDIUM

Intel Source:
Cyble
Intel Name:
Remote_Desktop_Files_targeted_by_evasive_malware
Date of Scan:
2023-02-02
Impact:
MEDIUM
Summary:
Cyble Research and Intelligence Labs (CRIL) discovered a new malware named 'Vector Stealer', which can steal .rdp files. Stealing these RDP files can enable threat actors to perform RDP hijacking, as the files contain details about the RDP session, including information needed for remote access.


Source:
https://blog.cyble.com/2023/02/01/vector-stealer-a-gateway-for-rdp-hijacking/

2023-02-02
CoinMiners_Mining_Ethereum_Classic_Coins_attack_cases
LOW

Intel Source:
ASEC
Intel Name:
CoinMiners_Mining_Ethereum_Classic_Coins_attack_cases
Date of Scan:
2023-02-02
Impact:
LOW
Summary:
The ASEC analysis team is observing CoinMiners that target Korean and overseas users. The team has studied various types of CoinMiner attacks over multiple blog posts in the past. Here they share information on recently discovered malware that mines Ethereum Classic coins.


Source:
https://asec.ahnlab.com/en/46774/

2023-02-02
The_spread_of_Redline_Infostealer_Malware
MEDIUM

Intel Source:
Rapid7
Intel Name:
The_spread_of_Redline_Infostealer_Malware
Date of Scan:
2023-02-02
Impact:
MEDIUM
Summary:
Recently, Rapid7 discovered activity by malicious actors using OneNote files to deliver malicious code. Rapid7 found a specific technique that used OneNote files containing batch scripts which, upon execution, started an instance of a renamed PowerShell process to decrypt and execute a base64-encoded binary.


Source:
https://www.rapid7.com/blog/post/2023/01/31/rapid7-observes-use-of-microsoft-onenote-to-spread-redline-infostealer-malware/

2023-02-02
Active_IOCs_of_LockBit_Green
MEDIUM

Intel Source:
PRODAFT
Intel Name:
Active_IOCs_of_LockBit_Green
Date of Scan:
2023-02-02
Impact:
MEDIUM
Summary:
Researchers from Prodaft have identified that the LockBit ransomware team made a so-called “LockBit Green” version of their ransomware available.


Source:
https://twitter.com/PRODAFT/status/1620066347073019905?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1620066347073019905%7Ctwgr%5E7ac44bdc778d9ee19e6e0bd4fc793c84a30904c8%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fsecurityaffairs.com%2F141666%2Fcyber-crime%2Flockbit-green-ransomware-variant.html

2023-02-02
Microsoft_OneNote_Documents_Delivering_Malware_via_Email
MEDIUM

Intel Source:
Proofpoint
Intel Name:
Microsoft_OneNote_Documents_Delivering_Malware_via_Email
Date of Scan:
2023-02-02
Impact:
MEDIUM
Summary:
Proofpoint researchers have identified an increase in threat actor use of OneNote documents to deliver malware via email to unsuspecting end-users in December 2022 and January 2023.


Source:
https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware

2023-02-02
GuLoader_Encrypted_With_NSIS_Crypter
LOW

Intel Source:
PaloAlto
Intel Name:
GuLoader_Encrypted_With_NSIS_Crypter
Date of Scan:
2023-02-02
Impact:
LOW
Summary:
In their post, the Unit 42 researchers discuss a machine learning pipeline and analyze one GuLoader downloader that has been encrypted with a Nullsoft Scriptable Install System (NSIS) crypter. NSIS is an open-source system for creating Windows installers.


Source:
https://unit42.paloaltonetworks.com/malware-detection-accuracy/

2023-02-01
NikoWiper_Malware_Targeting_Ukraine_Energy_Sector
LOW

Intel Source:
Welivesecurity
Intel Name:
NikoWiper_Malware_Targeting_Ukraine_Energy_Sector
Date of Scan:
2023-02-01
Impact:
LOW
Summary:
ESET researchers have analyzed the activities of selected APT groups and identified the Russia-affiliated Sandworm using another wiper malware strain dubbed NikoWiper as part of an attack that took place in October 2022 targeting an energy sector company in Ukraine.


Source:
https://www.welivesecurity.com/wp-content/uploads/2023/01/eset_apt_activity_report_t32022.pdf

2023-02-01
The_Analysis_of_Cryptojacks_System_to_Mine_for_Monero_Crypto
LOW

Intel Source:
Fortinet
Intel Name:
The_Analysis_of_Cryptojacks_System_to_Mine_for_Monero_Crypto
Date of Scan:
2023-02-01
Impact:
LOW
Summary:
Fortinet researchers have analyzed crypto miner software that is delivered via an Excel document and executed on the victim's device.


Source:
https://www.fortinet.com/blog/threat-research/malicious-code-cryptojacks-device-to-mine-for-monero-crypto?&web_view=true

2023-02-01
An_ongoing_phishing_campaign_that_impersonates_Southwest_Airlines
LOW

Intel Source:
Inky
Intel Name:
An_ongoing_phishing_campaign_that_impersonates_Southwest_Airlines
Date of Scan:
2023-02-01
Impact:
LOW
Summary:
Last December, INKY observed and detected an ongoing phishing campaign that impersonates Southwest Airlines. Phishing emails are being sent from newly created domains, set up explicitly for these attacks.


Source:
https://www.inky.com/en/blog/fresh-phish-southwests-flying-phish-takes-off-with-your-credentials

2023-02-01
LockBit_s_new_Black_variant_attack
MEDIUM

Intel Source:
Quickheal
Intel Name:
LockBit_s_new_Black_variant_attack
Date of Scan:
2023-02-01
Impact:
MEDIUM
Summary:
The Quick Heal team investigated and analyzed LockBit's new Black variant attack. They determined that the new LockBit 3.0 variant has a high-impact infection vector and an attack chain exhibiting substantial anti-forensic activity. This variant is capable of clearing the event logs, killing multiple tasks, and deleting services simultaneously. It can also obtain initial access to the victim's network via SMB brute forcing from various IPs.


Source:
https://blogs.quickheal.com/uncovering-lockbit-blacks-attack-chain-and-anti-forensic-activity/

2023-02-01
The_Similarities_Between_Abraham_s_Ax_and_Moses_Staff_Group
LOW

Intel Source:
Secureworks
Intel Name:
The_Similarities_Between_Abraham_s_Ax_and_Moses_Staff_Group
Date of Scan:
2023-02-01
Impact:
LOW
Summary:
Researchers from SecureWorks have analyzed the similarities between the Moses Staff hacktivist group persona that emerged in September 2021 and the Abraham’s Ax persona that emerged in November 2022.


Source:
https://www.secureworks.com/blog/abrahams-ax-likely-linked-to-moses-staff

2023-02-01
New_Version_of_Nevada_Ransomware
MEDIUM

Intel Source:
Resecurity
Intel Name:
New_Version_of_Nevada_Ransomware
Date of Scan:
2023-02-01
Impact:
MEDIUM
Summary:
Resecurity researchers have identified a new version of Nevada Ransomware which recently emerged on the Dark Web right before the start of 2023. The actors behind this new project have an affiliate platform first introduced on the RAMP underground community, which is known for initial access brokers (IABs) and other cybercriminal actors and ransomware groups.


Source:
https://resecurity.com/blog/article/nevada-ransomware-waiting-for-the-next-dark-web-jackpot

2023-02-01
An_Email_Specific_Phishing_Page
LOW

Intel Source:
ASEC
Intel Name:
An_Email_Specific_Phishing_Page
Date of Scan:
2023-02-01
Impact:
LOW
Summary:
ASEC researchers have identified multiple phishing emails that change their icon to reflect the mail service of the account entered by the user and warn that the account will be shut down, prompting the user to click the 'Reactivate Now' link to keep the account active.


Source:
https://asec.ahnlab.com/en/46786/

2023-02-01
Malware_Packer_TrickGate_Using_by_Several_Malware_to_Evade_Detection
LOW

Intel Source:
Checkpoint
Intel Name:
Malware_Packer_TrickGate_Using_by_Several_Malware_to_Evade_Detection
Date of Scan:
2023-02-01
Impact:
LOW
Summary:
Researchers from Checkpoint have identified that a shellcode-based packer dubbed TrickGate has been operating without attracting notice for over six years, enabling threat actors to deploy a wide range of malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil over the years.


Source:
https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/

2023-02-01
TZW_Ransomware_Distributing_in_Korea
LOW

Intel Source:
ASEC
Intel Name:
TZW_Ransomware_Distributing_in_Korea
Date of Scan:
2023-02-01
Impact:
LOW
Summary:
ASEC researchers have discovered the distribution of the TZW ransomware, which encrypts files before adding the “TZW” file extension to the original extension.


Source:
https://asec.ahnlab.com/en/46812/

2023-02-01
Phishing_Emails_Circulating_With_Requests_for_Product_Quotation
LOW

Intel Source:
ASEC
Intel Name:
Phishing_Emails_Circulating_With_Requests_for_Product_Quotation
Date of Scan:
2023-02-01
Impact:
LOW
Summary:
Researchers from ASEC have identified phishing emails with content related to requests for product quotations. These phishing emails are all disguised to look as if they were sent by a senior manager, such as the team leader or department director of a production company or foundry, and carry .html and .htm attachments.


Source:
https://asec.ahnlab.com/en/46199/

2023-02-01
Google_Ads_Targeting_Password_Manager
LOW

Intel Source:
Malwarebytes
Intel Name:
Google_Ads_Targeting_Password_Manager
Date of Scan:
2023-02-01
Impact:
LOW
Summary:
Researchers from Malwarebytes have identified a new malvertising campaign that makes use of Google Ads to target users looking for password managers.


Source:
https://www.malwarebytes.com/blog/threat-intelligence/2023/01/google-sponsored-ads-malvertising-targets-password-manager

2023-02-01
Changes_in_the_IcedID_malware_strategy
MEDIUM

Intel Source:
Esentire
Intel Name:
Changes_in_the_IcedID_malware_strategy
Date of Scan:
2023-02-01
Impact:
MEDIUM
Summary:
In December 2022, the eSentire threat intel team observed IcedID infections that were traced to payloads downloaded by users from the Internet. This observation matched a general uptick in successful IcedID infections in Q4 of 2022, which accounted for 35% of IcedID incidents for the period between January 2022 and January 2023. The observed IcedID infections originated exclusively via drive-by attacks, specifically Google Search Ads targeting common applications.


Source:
https://www.esentire.com/blog/icedid-malware-shifts-its-delivery-strategy

2023-01-31
The_Magniber_ransomware_spotlight
MEDIUM

Intel Source:
TrendMicro
Intel Name:
The_Magniber_ransomware_spotlight
Date of Scan:
2023-01-31
Impact:
MEDIUM
Summary:
After it was originally discovered in 2017, Magniber came back in 2021. It targets some Asian countries, and TrendMicro found that it exploits new vulnerabilities for initial access, including CVE-2021-26411, CVE-2021-40444, and most notably the PrintNightmare vulnerability, CVE-2021-34527.


Source:
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-magniber

2023-01-31
ASEC_Weekly_Malware_samples_January_16_22nd_2023
LOW

Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Malware_samples_January_16_22nd_2023
Date of Scan:
2023-01-31
Impact:
LOW
Summary:
The ASEC analysis team keeps monitoring weekly malware sample collections; for January 16-22, 2023, they shared their analyses of the phishing email distribution cases seen during the week and provided statistical information on each type.


Source:
https://asec.ahnlab.com/en/46464/

2023-01-31
Hackers_From_BlueBravo_Deploying_GraphicalNeutrino_Malware
LOW

Intel Source:
Recorded Future
Intel Name:
Hackers_From_BlueBravo_Deploying_GraphicalNeutrino_Malware
Date of Scan:
2023-01-31
Impact:
LOW
Summary:
Recorded Future researchers have identified the new malware used by BlueBravo threat group, which overlaps with Russian APT activity tracked as APT29 and NOBELIUM, which Western governments and researchers have linked to the Russian Foreign Intelligence Service (SVR).


Source:
https://www.recordedfuture.com/bluebravo-uses-ambassador-lure-deploy-graphicalneutrino-malware

2023-01-30
Gootkit_Malware_Updating_With_New_Components_and_Obfuscations
LOW

Intel Source:
Mandiant
Intel Name:
Gootkit_Malware_Updating_With_New_Components_and_Obfuscations
Date of Scan:
2023-01-30
Impact:
LOW
Summary:
Mandiant researchers have identified that the threat actors associated with the Gootkit malware have made notable changes to their toolset, adding new components and obfuscations to their infection chains.


Source:
https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations

2023-01-30
Sandworm_APT_Targeting_Ukraine
LOW

Intel Source:
ESET
Intel Name:
Sandworm_APT_Targeting_Ukraine
Date of Scan:
2023-01-30
Impact:
LOW
Summary:
ESET researchers have discovered a new Golang-based wiper, dubbed SwiftSlicer, that is used in attacks aimed at Ukraine. They believe that the Russia-linked APT group Sandworm (aka BlackEnergy and TeleBots) is behind the wiper attacks.


Source:
https://twitter.com/ESETresearch/status/1618960022150729728?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1618960022150729728%7Ctwgr%5E9a31baf0903025b52670da9078fb3da0c09ff285%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fsecurityaffairs.com%2F141473%2Fapt%2Fsandworm-targets-ukraine-swiftslicer.html

2023-01-30
Database_Injection_Attacks_Compromise_WordPress_Sites
LOW

Intel Source:
Sucuri
Intel Name:
Database_Injection_Attacks_Compromise_WordPress_Sites
Date of Scan:
2023-01-30
Impact:
LOW
Summary:
Sucuri researchers have identified a massive campaign that infects over 4,500 WordPress websites as part of a long-running operation. According to GoDaddy-owned Sucuri, the infections involve the injection of obfuscated JavaScript hosted on a malicious domain that’s designed to redirect visitors to undesirable sites.


Source:
https://blog.sucuri.net/2023/01/massive-campaign-uses-hacked-wordpress-sites-as-platform-for-black-hat-ad-network.html

2023-01-30
The_Deep_Examination_of_Venom_Spider
LOW

Intel Source:
Esentire
Intel Name:
The_Deep_Examination_of_Venom_Spider
Date of Scan:
2023-01-30
Impact:
LOW
Summary:
Esentire researchers have discovered the real-world identity of the threat actor behind Golden Chickens malware-as-a-service, who goes by the online persona badbullzvenom.


Source:
https://www.esentire.com/web-native-pages/unmasking-venom-spider

2023-01-30
Realtek_SDK_Vulnerability_Attempting_to_Hack_IoT_Devices
LOW

Intel Source:
PaloAlto
Intel Name:
Realtek_SDK_Vulnerability_Attempting_to_Hack_IoT_Devices
Date of Scan:
2023-01-30
Impact:
LOW
Summary:
Researchers from PaloAlto have observed a spike in exploitation attempts weaponizing a critical remote code execution flaw in the Realtek Jungle SDK. The ongoing campaign is said to have recorded 134 million exploit attempts as of December 2022, with 97% of the attacks occurring in the past four months.


Source:
https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/#post-126726-_f37quwequ6r

2023-01-30
Hackers_From_Sandworm_Group_Targeting_News_Agencies
LOW

Intel Source:
CERT-UA
Intel Name:
Hackers_From_Sandworm_Group_Targeting_News_Agencies
Date of Scan:
2023-01-30
Impact:
LOW
Summary:
Researchers from CERT-UA have identified five different data-wiping malware strains deployed on the network of the country's national news agency (Ukrinform) on January 17th.


Source:
https://cert.gov.ua/article/3718487

2023-01-28
ASEC_Weekly_Malware_samples_January_8_14th_2023
LOW

Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Malware_samples_January_8_14th_2023
Date of Scan:
2023-01-28
Impact:
LOW
Summary:
The ASEC analysis team keeps monitoring weekly malware sample collections; for January 8-14, 2023, they shared their analyses of the phishing email distribution cases seen during the week and provided statistical information on each type.


Source:
https://asec.ahnlab.com/en/46276/

2023-01-27
Mimic_Ransomware_Targeting_Russian_and_English_Speaking_Users
LOW

Intel Source:
TrendMicro
Intel Name:
Mimic_Ransomware_Targeting_Russian_and_English_Speaking_Users
Date of Scan:
2023-01-27
Impact:
LOW
Summary:
Researchers from TrendMicro have discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage.


Source:
https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html

2023-01-27
Titan_Stealer_Leveraging_GoLang
LOW

Intel Source:
Cyble
Intel Name:
Titan_Stealer_Leveraging_GoLang
Date of Scan:
2023-01-27
Impact:
LOW
Summary:
Cyble researchers have observed that threat actors are using Golang for their information stealer malware. Additionally, Titan stealer has been spotted using multiple Command and Control (C&C) infrastructures to target new victims.


Source:
https://blog.cyble.com/2023/01/25/titan-stealer-the-growing-use-of-golang-among-threat-actors/

2023-01-27
Cybercriminals_Leveraging_Legitimate_RMM_software
MEDIUM

Intel Source:
CISA
Intel Name:
Cybercriminals_Leveraging_Legitimate_RMM_software
Date of Scan:
2023-01-27
Impact:
MEDIUM
Summary:
CISA researchers have identified a widespread cyber campaign involving the malicious use of legitimate RMM software. Specifically, cyber-criminal actors send phishing emails to the target to download legitimate RMM software—ScreenConnect (now ConnectWise Control) and AnyDesk—which the actors use in a refund scam to steal money from victim bank accounts.


Source:
https://www.cisa.gov/uscert/ncas/alerts/aa23-025a

2023-01-27
Chinese_PlugX_Malware_Hidden_in_USB_Devices
MEDIUM

Intel Source:
PaloAlto
Intel Name:
Chinese_PlugX_Malware_Hidden_in_USB_Devices
Date of Scan:
2023-01-27
Impact:
MEDIUM
Summary:
Researchers from PaloAlto have discovered a similar variant of PlugX in VirusTotal that infects USB devices and copies all Adobe PDF and Microsoft Word files from the host. It places these copies in a hidden folder on the USB device that is created by the malware.


Source:
https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/

2023-01-27
Kronos_Malware_Increasing_its_Functionality
LOW

Intel Source:
IBM Security Intelligence
Intel Name:
Kronos_Malware_Increasing_its_Functionality
Date of Scan:
2023-01-27
Impact:
LOW
Summary:
Researchers from IBM Security Intelligence have identified that Kronos Malware is back with new functionality. It is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims.


Source:
https://securityintelligence.com/kronos-malware-reemerges-increased-functionality/?c=Threat%20Research

2023-01-27
Hackers_Targeting_Tech_Layoff_Employees_With_Job_Scams
MEDIUM

Intel Source:
Zscaler
Intel Name:
Hackers_Targeting_Tech_Layoff_Employees_With_Job_Scams
Date of Scan:
2023-01-27
Impact:
MEDIUM
Summary:
Zscaler Threatlabz researchers have observed multiple suspicious job portals and surveys used by attackers to solicit information from job seekers under the guise of employment application forms. The attackers may advertise jobs online, sometimes setting up fake websites, or look for targets on social media to steal money and personal information.


Source:
https://www.zscaler.com/blogs/security-research/job-scams-impersonate-companies-still-hiring-following-tech-layoffs

2023-01-27
The_Deep_Examination_of_GuLoader
LOW

Intel Source:
Trellix
Intel Name:
The_Deep_Examination_of_GuLoader
Date of Scan:
2023-01-27
Impact:
LOW
Summary:
Trellix researchers have analyzed the multiple archive types threat actors use to trick users into opening an email attachment, and traced GuLoader's distribution inside NSIS (Nullsoft Scriptable Install System) executable files by showing its obfuscation and string-encryption updates through the year 2022.


Source:
https://www.trellix.com/en-us/about/newsroom/stories/research/guloader-the-nsis-vantage-point.html

2023-01-26
New_Evasion_Methods_For_Emotet
LOW

Intel Source:
Blackberry
Intel Name:
New_Evasion_Methods_For_Emotet
Date of Scan:
2023-01-26
Impact:
LOW
Summary:
BlackBerry researchers have observed that Emotet has returned with new techniques. It continues to evolve steadily, adding new evasion techniques and increasing its likelihood of successful infection. It is also able to host an array of modules, each used for a different aspect of information theft, that report back to its command-and-control (C2) servers.


Source:
https://blogs.blackberry.com/en/2023/01/emotet-returns-with-new-methods-of-evasion

2023-01-26
The_ConnectWise_Control_vulnerabilities_and_exploitation
LOW

Intel Source:
Huntress
Intel Name:
The_ConnectWise_Control_vulnerabilities_and_exploitation
Date of Scan:
2023-01-26
Impact:
LOW
Summary:
During the month of December, the Huntress team followed the discussion surrounding supposed ConnectWise Control vulnerabilities and possible in-the-wild exploitation. The Huntress team has been in contact with both the ConnectWise CISO and security team, did its own research, and explained its opinions in detail.


Source:
https://www.huntress.com/blog/clearing-the-air-overblown-claims-of-vulnerabilities-exploits-severity

2023-01-26
North_Korean_Hackers_Moving_With_Credential_Harvesting
LOW

Intel Source:
Proofpoint
Intel Name:
North_Korean_Hackers_Moving_With_Credential_Harvesting
Date of Scan:
2023-01-26
Impact:
LOW
Summary:
Researchers from Proofpoint have identified that a North Korean threat group well known for crypto heists has been attributed to a new wave of malicious email attacks as part of a "sprawling" credential harvesting activity targeting a number of industry verticals, marking a significant shift in its strategy.


Source:
https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds

2023-01-26
Hackers_Leveraging_ProxyNotShell_For_Attacks
LOW

Intel Source:
Bitdefender
Intel Name:
Hackers_Leveraging_ProxyNotShell_For_Attacks
Date of Scan:
2023-01-26
Impact:
LOW
Summary:
Bitdefender researchers have started observing an increase in attacks using ProxyNotShell/OWASSRF exploit chains to target on-premises Microsoft Exchange deployments.


Source:
https://businessinsights.bitdefender.com/technical-advisory-proxyhell-exploit-chains-in-the-wild

2023-01-26
Active_IOCs_of_APT_Group_Gamaredon
LOW

Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_APT_Group_Gamaredon
Date of Scan:
2023-01-26
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of APT Group Gamaredon. It is a Russia-backed advanced persistent threat (APT) that has been operating since at least 2013. The group is believed to be operating out of Ukraine, and is thought to be focused on targeting Ukrainian government and military organizations, as well as individuals and organizations in the energy sector.


Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-apt-group-gamaredon-active-iocs-31

2023-01-26
Active_IOCs_of_Remcos_RAT
LOW

Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_Remcos_RAT
Date of Scan:
2023-01-26
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of Remcos RAT. It has been operating since 2016. This RAT was originally promoted as genuine software for remote control of Microsoft Windows from XP onwards, and is frequently found in phishing attempts due to its capacity to completely infect an afflicted machine.


Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-remcos-rat-active-iocs-86

2023-01-26
Active_IOCs_of_Raccoon_Infostealer
LOW

Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_Raccoon_Infostealer
Date of Scan:
2023-01-26
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of Raccoon Infostealer. It gathers private data such as credit card numbers, cryptocurrency wallet addresses, login passwords, and browser information like cookies and history.


Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-raccoon-infostealer-active-iocs-39

2023-01-26
The_rised_concern_of_Amadey_Bot
LOW

Intel Source:
Cyble
Intel Name:
The_rised_concern_of_Amadey_Bot
Date of Scan:
2023-01-26
Impact:
LOW
Summary:
Recently, Cyble Research and Intelligence Labs (CRIL) has observed a huge spike in Amadey bot samples, which shows that threat actors are actively using this bot to infect victims' systems with other malware.


Source:
https://blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/

2023-01-26
Cybercriminals_Using_JQuery_to_Spread_Malware
LOW

Intel Source:
SocInvestigation
Intel Name:
Cybercriminals_Using_JQuery_to_Spread_Malware
Date of Scan:
2023-01-26
Impact:
LOW
Summary:
Researchers from SocInvestigation have identified that the popular JavaScript library jQuery is being used by hackers to distribute malware.


Source:
https://www.socinvestigation.com/malicious-jquery-javascript-threat-detection-incident-response/

2023-01-26
Critical_ManageEngine_Vulnerability_Observed
MEDIUM

Intel Source:
Rapid7
Intel Name:
Critical_ManageEngine_Vulnerability_Observed
Date of Scan:
2023-01-26
Impact:
MEDIUM
Summary:
Rapid7 is taking precautionary steps in response to the exploitation of CVE-2022-47966. Several of the affected products are extremely popular with organizations and attackers, including ADSelfService Plus and ServiceDesk Plus. Rapid7 provided a detailed analysis of CVE-2022-47966 in AttackerKB. Rapid7's vulnerability research team discovered during testing that some products may be more exploitable than others, namely ServiceDesk Plus and ADSelfService.


Source:
https://www.rapid7.com/blog/post/2023/01/19/etr-cve-2022-47966-rapid7-observed-exploitation-of-critical-manageengine-vulnerability/

2023-01-26
Hackers_From_DragonSpark_Using_Golang_Malware_to_Avoid_Detection
MEDIUM

Intel Source:
Sentinelone
Intel Name:
Hackers_From_DragonSpark_Using_Golang_Malware_to_Avoid_Detection
Date of Scan:
2023-01-26
Impact:
MEDIUM
Summary:
Researchers from SentinelOne have identified that companies in East Asia are being targeted by a Chinese-speaking threat actor named DragonSpark. The attacks are characterized by the use of the little-known open-source SparkRAT and malware that attempts to evade detection through Golang source code interpretation.


Source:
https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/

2023-01-26
Active_IOCs_of_Ursnif_Banking_Trojan_aka_Gozi
LOW

Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_Ursnif_Banking_Trojan_aka_Gozi
Date of Scan:
2023-01-26
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of the Ursnif banking trojan, aka Gozi. Ursnif, also known as Gozi and Dreambot, has been around for more than 10 years. It gained popularity in 2015 when its source code was published on GitHub, and since then its operators have repeatedly tweaked it to suit their goals.


Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-ursnif-banking-trojan-aka-gozi-active-iocs-2

2023-01-26
Vice_Society_Ransomware_Group_Targeting_Manufacturing_Companies
MEDIUM

Intel Source:
TrendMicro
Intel Name:
Vice_Society_Ransomware_Group_Targeting_Manufacturing_Companies
Date of Scan:
2023-01-26
Impact:
MEDIUM
Summary:
TrendMicro researchers have published their findings on Vice Society, including an end-to-end infection diagram.


Source:
https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html

2023-01-25
A_Deep_Examination_of_Raspberry_Robin
LOW

Intel Source:
Esentire
Intel Name:
A_Deep_Examination_of_Raspberry_Robin
Date of Scan:
2023-01-25
Impact:
LOW
Summary:
Esentire researchers have observed 11 cases of Raspberry Robin infections since May 2022 and analyzed them.


Source:
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-raspberry-robin

2023-01-25
Titan_Stealer_Malware_Distributing_via_Telegram_Channel
LOW

Intel Source:
Uptycs
Intel Name:
Titan_Stealer_Malware_Distributing_via_Telegram_Channel
Date of Scan:
2023-01-25
Impact:
LOW
Summary:
Researchers from Uptycs have discovered a campaign involving the Titan Stealer malware, which is being marketed and sold by a threat actor (TA) through a Telegram channel for cybercrime purposes.


Source:
https://www.uptycs.com/blog/titan-stealer-telegram-malware-campaign

2023-01-25
Black_Friday_Day_Makes_Big_For_Malvertising
LOW

Intel Source:
Confiant
Intel Name:
Black_Friday_Day_Makes_Big_For_Malvertising
Date of Scan:
2023-01-25
Impact:
LOW
Summary:
Confiant researchers have observed a cookie-stuffing campaign running across multiple programmatic ad platforms with a specific uptick in Q4 around Black Friday.


Source:
https://blog.confiant.com/malvertiser-makes-the-big-bucks-on-black-friday-637922cd5865

2023-01-24
8220_Gang_Targeting_Vulnerable_Cloud_Providers
LOW

Intel Source:
Radware
Intel Name:
8220_Gang_Targeting_Vulnerable_Cloud_Providers
Date of Scan:
2023-01-24
Impact:
LOW
Summary:
Radware researchers have identified that the Chinese threat group known as 8220 Gang is targeting cloud providers and poorly secured applications with a custom-built crypto miner and IRC bot.


Source:
https://www.radware.com/getattachment/7f0b519f-b292-49f4-9319-746218961cc6/Advisory-8220-Gang-Targeting-Cloud-Providers-012023.pdf.aspx

2023-01-24
Advertisement_Fraud_Scheme_VASTFLUX_Targeted_Over_11_Million_Devices
LOW

Intel Source:
Human Blog
Intel Name:
Advertisement_Fraud_Scheme_VASTFLUX_Targeted_Over_11_Million_Devices
Date of Scan:
2023-01-24
Impact:
LOW
Summary:
Researchers from HUMAN’s Satori Threat Intelligence team have identified a sophisticated ad fraud scheme, dubbed VASTFLUX, that targeted more than 11 million devices.


Source:
https://www.humansecurity.com/learn/blog/traffic-signals-the-vastflux-takedown

2023-01-24
Remcos_RAT_Deployment_by_GuLoader
LOW

Intel Source:
Cyfirma
Intel Name:
Remcos_RAT_Deployment_by_GuLoader
Date of Scan:
2023-01-24
Impact:
LOW
Summary:
CYFIRMA researchers have identified the distribution of a malicious PDF file through email. It redirects the user to a cloud-based platform where they are prompted to download a ZIP file.


Source:
https://www.cyfirma.com/outofband/guloader-deploying-remcos-rat/

2023-01-23
Diving_Deep_into_LockBit_Ransomware
MEDIUM

Intel Source:
Analyst1
Intel Name:
Diving_Deep_into_LockBit_Ransomware
Date of Scan:
2023-01-23
Impact:
MEDIUM
Summary:
Researchers from Analyst1 have analyzed the LockBit ransomware operations. It is one of the most notorious organized cybercrime syndicates that exists today.


Source:
https://analyst1.com/ransomware-diaries-volume-1/

2023-01-20
Database_Infections_That_Compromise_Vulnerable_WordPress_Sites
LOW

Intel Source:
Sucuri
Intel Name:
Database_Infections_That_Compromise_Vulnerable_WordPress_Sites
Date of Scan:
2023-01-20
Impact:
LOW
Summary:
Sucuri researchers have identified a database injection that has two different pieces of malware accomplishing two unrelated goals. The first injection redirects users to a spammy sports website and the second injection boosts authority of a spammy casino website within search engines.


Source:
https://blog.sucuri.net/2023/01/vulnerable-wordpress-sites-compromised-with-different-database-infections.html?web_view=true

2023-01-20
ASEC_Weekly_Malware_samples_January_9_15th_2023
LOW

Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Malware_samples_January_9_15th_2023
Date of Scan:
2023-01-20
Impact:
LOW
Summary:
The ASEC analysis team keeps monitoring weekly malware collection samples; for January 9-15th, 2023, the top malware families were SmokeLoader, BeamWinHTTP, Formbook, AgentTesla and Lokibot.


Source:
https://asec.ahnlab.com/en/46169/

2023-01-20
The_Vidar_operators_expanding_their_infrastructure
MEDIUM

Intel Source:
Team Cymru
Intel Name:
The_Vidar_operators_expanding_their_infrastructure
Date of Scan:
2023-01-20
Impact:
MEDIUM
Summary:
Team Cymru researchers analyzed Vidar's infrastructure ("Darth Vidar"). Vidar operators appear to be expanding their infrastructure. Vidar is an info-stealer malware, first spotted in the wild in late 2018 by the security researcher Fumik0. The name itself (Vidar) is derived from a string found in the malware's code. Vidar is considered to be a distinct fork of the Arkei malware family.


Source:
https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threat-infrastructure

2023-01-20
New_CrySIS_or_Dharma_Ransomware_Variants
MEDIUM

Intel Source:
Fortinet
Intel Name:
New_CrySIS_or_Dharma_Ransomware_Variants
Date of Scan:
2023-01-20
Impact:
MEDIUM
Summary:
Fortinet Labs researchers have analyzed the variants of the CrySIS/Dharma ransomware family.


Source:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-playing-whack-a-mole-with-new-crysis-dharma-variants

2023-01-20
Exploitation_of_FortiOS_Vulnerability_CVE_2022_42475
HIGH

Intel Source:
Mandiant
Intel Name:
Exploitation_of_FortiOS_Vulnerability_CVE_2022_42475
Date of Scan:
2023-01-20
Impact:
HIGH
Summary:
Mandiant is monitoring a suspected China-nexus campaign that exploited a recently discovered vulnerability in Fortinet’s FortiOS SSL-VPN, CVE-2022-42475, as a zero-day. Mandiant discovered a new malware called “BOLDMOVE” during the investigation. They found a Windows variant of BOLDMOVE and a Linux variant, which is specifically designed to run on FortiGate Firewalls.


Source:
https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw

2023-01-20
Fortinet_Firewall_Vulnerability_Exploited_by_New_Chinese_Malware
MEDIUM

Intel Source:
Mandiant
Intel Name:
Fortinet_Firewall_Vulnerability_Exploited_by_New_Chinese_Malware
Date of Scan:
2023-01-20
Impact:
MEDIUM
Summary:
Researchers from Mandiant have identified a China-nexus threat actor who exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa.


Source:
https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw

2023-01-19
Active_IOCs_of_Gh0st_RAT
LOW

Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_Gh0st_RAT
Date of Scan:
2023-01-19
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of Gh0st RAT. It is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information and data. This type of malware enables cybercriminals to gain complete access to infected computers and attempt to hijack the user’s banking account.


Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-gh0st-rat-active-iocs-4

2023-01-19
Cybersecurity_incident_on_website_of_Liquor_Control_Board_of_Ontario
LOW

Intel Source:
Malwarebytes
Intel Name:
Cybersecurity_incident_on_website_of_Liquor_Control_Board_of_Ontario
Date of Scan:
2023-01-19
Impact:
LOW
Summary:
This month, the Liquor Control Board of Ontario (LCBO) disclosed a cybersecurity incident affecting online sales. The incident involved a web skimmer, which is designed to retrieve customer payment information.


Source:
https://www.malwarebytes.com/blog/news/2023/01/web-skimmer-found-on-website-of-liquor-control-board-of-ontario

2023-01-19
The_SEO_Poisoning_attack
LOW

Intel Source:
SentinelOne
Intel Name:
The_SEO_Poisoning_attack
Date of Scan:
2023-01-19
Impact:
LOW
Summary:
Many researchers have observed an increase in malicious search engine advertisements in the wild, known as SEO poisoning, which is a form of malvertising (malicious advertising). There is increasing variety in the specifics of the malware delivery method, such as which searches produce the malicious advertisements and which malware is being delivered.


Source:
https://www.sentinelone.com/blog/breaking-down-the-seo-poisoning-attack-how-attackers-are-hijacking-search-results/

2023-01-19
Active_IOCs_of_STRRAT_Malware
LOW

Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_STRRAT_Malware
Date of Scan:
2023-01-19
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of STRRAT Malware. It is a Java-based Remote-Access Trojan (RAT) with a slew of malicious features, notably information theft and backdoor capabilities.


Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-strrat-malware-active-iocs-7

2023-01-19
The_LNK_metadata_trail
LOW

Intel Source:
Talos
Intel Name:
The_LNK_metadata_trail
Date of Scan:
2023-01-19
Impact:
LOW
Summary:
Cisco Talos researchers analyzed metadata in LNK files that is linked to threat actors' tactics, techniques and procedures, in order to identify their activity. The researchers' report shares their analyses of Qakbot and Gamaredon as examples.


Source:
https://blog.talosintelligence.com/following-the-lnk-metadata-trail/

2023-01-19
Batloader_Malware_Attacks_in_Q4_2022_Used_Obfuscated_JavaScript_Files_and_Legitimate_Tools
LOW

Intel Source:
TrendMicro
Intel Name:
Batloader_Malware_Attacks_in_Q4_2022_Used_Obfuscated_JavaScript_Files_and_Legitimate_Tools
Date of Scan:
2023-01-19
Impact:
LOW
Summary:
Researchers from TrendMicro have identified notable Batloader campaigns that they observed in the last quarter of 2022, including the abuse of custom action scripts from the Advanced Installer software and Windows Installer XML (WiX) toolset, the use of obfuscated JavaScript files as a first-stage payload, and the use of PyArmor tool to obfuscate Batloader Python scripts.


Source:
https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html

2023-01-18
Active_IOCs_of_NJRAT
LOW

Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_NJRAT
Date of Scan:
2023-01-18
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of NJRAT. It is a Remote Access Trojan, which is found leveraging Pastebin to deliver a second-stage payload after initial infection.


Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-njrat-active-iocs-49

2023-01-18
Malicious_Google_Ads
LOW

Intel Source:
ISC.SANS
Intel Name:
Malicious_Google_Ads
Date of Scan:
2023-01-18
Impact:
LOW
Summary:
Researchers from SANS have identified that Google ads are a common vector for malware distribution. These ads frequently lead to fake sites impersonating web pages for legitimate software.


Source:
https://isc.sans.edu/diary/rss/29448

2023-01-18
Abusing_Google_Ads_platform_by_various_campaigns
LOW

Intel Source:
Cyfirma
Intel Name:
Abusing_Google_Ads_platform_by_various_campaigns
Date of Scan:
2023-01-18
Impact:
LOW
Summary:
CYFIRMA researchers observed the campaigns closely and provided a preliminary analysis of a new RAT known as "VagusRAT" and its possible attribution to Iranian threat actors. VagusRAT is also delivered to victims by abusing Google Ads.


Source:
https://www.cyfirma.com/outofband/vagusrat-a-new-entrant-in-the-external-threat-landscape/

2023-01-18
Attacks_on_Iranian_Government_Entities_Through_Backdoor_Diplomacy
MEDIUM

Intel Source:
PaloAlto
Intel Name:
Attacks_on_Iranian_Government_Entities_Through_Backdoor_Diplomacy
Date of Scan:
2023-01-18
Impact:
MEDIUM
Summary:
PaloAlto researchers have identified that the threat actor known as Backdoor Diplomacy has been linked to a new wave of attacks targeting Iranian government entities between July and late December 2022.


Source:
https://unit42.paloaltonetworks.com/playful-taurus/

2023-01-17
The_observation_of_the_numerous_attacks_by_NetSupport_RAT_campaign
LOW

Intel Source:
SentinelOne
Intel Name:
The_observation_of_the_numerous_attacks_by_NetSupport_RAT_campaign
Date of Scan:
2023-01-17
Impact:
LOW
Summary:
Researchers from ASEC reported on a NetSupport RAT campaign that uses Pokemon as the social engineering lure. Threat actors are hosting a Pokemon-based NFT game at the malicious sites, offering both fun and financial rewards.


Source:
https://www.sentinelone.com/blog/gotta-catch-em-all-understanding-the-netsupport-rat-campaigns-hiding-behind-pokemon-lures/

2023-01-17
Decryption_Tool_For_BianLian_Ransomware_Released_by_Avast
LOW

Intel Source:
Avast
Intel Name:
Decryption_Tool_For_BianLian_Ransomware_Released_by_Avast
Date of Scan:
2023-01-17
Impact:
LOW
Summary:
Avast researchers have released a free decryptor for the BianLian ransomware strain to help victims of the malware recover locked files without paying the hackers.


Source:
https://decoded.avast.io/threatresearch/decrypted-bianlian-ransomware/

2023-01-17
Active_IOCs_of_Bitter_APT_Group
LOW

Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_Bitter_APT_Group
Date of Scan:
2023-01-17
Impact:
LOW
Summary:
The Rewterz analyst team published an analysis summary of the Bitter APT group. The APT-17 group, aka BITTER APT group, has recently been active and targeting sectors in South Asia for information theft and espionage. This group has a history of targeting energy, engineering, and government organizations in South Asia.


Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-bitter-apt-group-active-iocs-22

2023-01-17
Other_Threat_Actor_Can_Use_Raspberry_Robin
LOW

Intel Source:
Sekoia
Intel Name:
Other_Threat_Actor_Can_Use_Raspberry_Robin
Date of Scan:
2023-01-17
Impact:
LOW
Summary:
Sekoia researchers have analyzed Raspberry Robin's attack infrastructure and found that it is possible for other threat actors to repurpose the infections for their own malicious activities, which makes it an even more potent threat.


Source:
https://blog.sekoia.io/raspberry-robins-botnet-second-life/

2023-01-17
A_manuscript_Solicitation_Letter_was_disguised_by_malware
LOW

Intel Source:
ASEC
Intel Name:
A_manuscript_Solicitation_Letter_was_disguised_by_malware
Date of Scan:
2023-01-17
Impact:
LOW
Summary:
On January 8th, the ASEC analysis team discovered a document-type malware targeting workers in the security field. The obtained malware uses an external object within a Word document to execute an additional malicious macro.


Source:
https://asec.ahnlab.com/en/45658/

2023-01-17
Exploitation_by_attackers_to_deliver_malware_with_Microsoft_Office_macros
LOW

Intel Source:
Perception-Point
Intel Name:
Exploitation_by_attackers_to_deliver_malware_with_Microsoft_Office_macros
Date of Scan:
2023-01-17
Impact:
LOW
Summary:
The Perception-Point researchers discussed in their blog the similarity between malicious Microsoft Office macros, which attackers widely exploit to deliver malware. They discussed similarity-based detection tactics using real-world samples detected in the wild.


Source:
https://perception-point.io/blog/malicious-office-macros-detecting-similarity-in-the-wild-2/

2023-01-17
Document_Type_Malware_Targeting_Security_Field_Workers
LOW

Intel Source:
ASEC
Intel Name:
Document_Type_Malware_Targeting_Security_Field_Workers
Date of Scan:
2023-01-17
Impact:
LOW
Summary:
ASEC researchers have observed document-type malware distributing and targeting workers in the security field. The obtained malware uses an external object within a Word document to execute an additional malicious macro.


Source:
https://asec.ahnlab.com/en/45658/

2023-01-17
A_Deep_Analysis_of_CircleCI_Security_Alert
LOW

Intel Source:
CircleCI
Intel Name:
A_Deep_Analysis_of_CircleCI_Security_Alert
Date of Scan:
2023-01-17
Impact:
LOW
Summary:
Researchers from CircleCI have received an alert and analyzed the suspicious GitHub OAuth activity.


Source:
https://circleci.com/blog/jan-4-2023-incident-report/

2023-01-17
Three_PyPI_Package_Spreading_Malware_to_Developer_Systems
MEDIUM

Intel Source:
Fortinet
Intel Name:
Three_PyPI_Package_Spreading_Malware_to_Developer_Systems
Date of Scan:
2023-01-17
Impact:
MEDIUM
Summary:
Fortinet researchers have identified that a threat actor named Lolip0p has uploaded three rogue packages to the Python Package Index (PyPI) repository that are designed to drop malware on compromised developer systems.


Source:
https://www.fortinet.com/blog/threat-research/supply-chain-attack-using-identical-pypi-packages-colorslib-httpslib-libhttps

2023-01-17
Phishing_Email_Targeting_National_Tax_Service
LOW

Intel Source:
ASEC
Intel Name:
Phishing_Email_Targeting_National_Tax_Service
Date of Scan:
2023-01-17
Impact:
LOW
Summary:
Researchers from ASEC have discovered that a phishing email impersonating the National Tax Service is being distributed.


Source:
https://asec.ahnlab.com/en/45669/

2023-01-17
ASEC_Weekly_Phishing_Email_Threats_analyses_January_1_7_2023
LOW

Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Phishing_Email_Threats_analyses_January_1_7_2023
Date of Scan:
2023-01-17
Impact:
LOW
Summary:
The ASEC analysis team keeps monitoring phishing email threats with its automatic sample analysis system (RAPIT) and honeypot. Their post covers the phishing emails distributed during the week from January 1st, 2023 to January 7th, 2022. The most prevalent threat type observed in phishing email attachments was FakePage, taking up 58%. FakePages are web pages on which the threat actor has duplicated the screen layout, logo, and font of real login pages or advertising pages, leading users to enter their account and password information.


Source:
https://asec.ahnlab.com/en/45693/

2023-01-17
Hackers_Using_Middle_Eastern_Geopolitical_Themed_to_Distribute_NjRAT
LOW

Intel Source:
TrendMicro
Intel Name:
Hackers_Using_Middle_Eastern_Geopolitical_Themed_to_Distribute_NjRAT
Date of Scan:
2023-01-17
Impact:
LOW
Summary:
Researchers from TrendMicro have identified an active campaign that is using Middle Eastern geopolitical themes as a lure to target potential victims in the Middle East and Africa. In this campaign, Earth Bogle, the threat actor uses public cloud storage services such as files.fm and failiem.lv to host malware, while compromised web servers distribute NjRAT.


Source:
https://www.trendmicro.com/en_us/research/23/a/earth-bogle-campaigns-target-middle-east-with-geopolitical-lures.html

2023-01-15
Vidar_Stealer_Attack_Campaign_impersonating_AnyDesk
LOW

Intel Source:
Crep1x
Intel Name:
Vidar_Stealer_Attack_Campaign_impersonating_AnyDesk
Date of Scan:
2023-01-15
Impact:
LOW
Summary:
A typosquatting attack campaign found in the wild impersonates multiple legitimate RMM tools and redirects users to fake AnyDesk websites that trigger a Vidar Stealer payload download through Dropbox.


Source:
https://twitter.com/crep1x/status/1612199364805660673

2023-01-14
Rhadamanthys_Stealer_Leverages_Google_Ads_in_the_wild
LOW

Intel Source:
Cyble
Intel Name:
Rhadamanthys_Stealer_Leverages_Google_Ads_in_the_wild
Date of Scan:
2023-01-14
Impact:
LOW
Summary:
Researchers from Cyble found a new malware strain, Rhadamanthys Stealer, leveraging spam and phishing campaigns through Google Ads and redirecting users to fake phishing websites for popular software. The malware, downloaded alongside legitimate files or through obfuscated images, steals sensitive information to further aid unauthorized access.


Source:
https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/

2023-01-14
PurpleUrchin_Campaign_Bypass_CAPTCHA_and_Steals_Cloud_Platform_Resources
LOW

Intel Source:
PaloAlto
Intel Name:
PurpleUrchin_Campaign_Bypass_CAPTCHA_and_Steals_Cloud_Platform_Resources
Date of Scan:
2023-01-14
Impact:
LOW
Summary:
Researchers from PaloAlto have analyzed Automated Libra, the cloud threat actor group behind the freejacking campaign PurpleUrchin. Automated Libra is a South African-based freejacking group that primarily targets cloud platforms offering limited-time trials of cloud resources in order to perform their cryptomining operations.


Source:
https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/

2023-01-14
Gootloader_Malware_returns_with_revamped_infection_technique
LOW

Intel Source:
Esentire
Intel Name:
Gootloader_Malware_returns_with_revamped_infection_technique
Date of Scan:
2023-01-14
Impact:
LOW
Summary:
Researchers from Esentire found Gootloader malware activity with a new infection technique, leading to Cobalt Strike, which leveraged an existing PowerShell process to beacon to various malicious domains. The attacker appears to be hands-on, dropping multiple payloads, including BloodHound and PsExec, while maintaining persistence and targeting different areas for further compromise.


Source:
https://www.esentire.com/blog/gootloader-leads-to-cobalt-strike-and-hand-on-keyboard-activity

2023-01-13
Unpatched_Vulnerability_to_Bypass_Windows_OS_Security_Feature
MEDIUM

Intel Source:
Eclecticiq
Intel Name:
Unpatched_Vulnerability_to_Bypass_Windows_OS_Security_Feature
Date of Scan:
2023-01-13
Impact:
MEDIUM
Summary:
EclecticIQ analysts researched QakBot phishing campaigns that use a zero-day vulnerability to evade Windows Mark of the Web (MoTW). QakBot may be able to increase its infection success rate as a result of the switch to a zero-day exploit.


Source:
https://blog.eclecticiq.com/qakbot-malware-used-unpatched-vulnerability-to-bypass-windows-os-security-feature

2023-01-13
The_Deep_Investigation_of_FortiOS_Zero_Day_Attack
LOW

Intel Source:
Fortinet
Intel Name:
The_Deep_Investigation_of_FortiOS_Zero_Day_Attack
Date of Scan:
2023-01-13
Impact:
LOW
Summary:
Researchers from Fortinet have analyzed the zero-day vulnerability in FortiOS SSL-VPN that Fortinet addressed last month, which was exploited by unknown actors in attacks targeting governments and other large organizations.


Source:
https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflow-in-sslvpnd

2023-01-13
RAT_Malware_Campaign_Using_Polyglot_Files_to_Evade_Detection
LOW

Intel Source:
Deep Instinct
Intel Name:
RAT_Malware_Campaign_Using_Polyglot_Files_to_Evade_Detection
Date of Scan:
2023-01-13
Impact:
LOW
Summary:
Deep Instinct researchers have identified that operators of the StrRAT and Ratty remote access trojans (RAT) are running a new campaign using polyglot MSI/JAR and CAB/JAR files to evade detection from security tools.


Source:
https://www.deepinstinct.com/blog/malicious-jars-and-polyglot-files-who-do-you-think-you-jar

2023-01-13
Research_on_HIVE_Ransomware_attacks
MEDIUM

Intel Source:
Rapid7
Intel Name:
Research_on_HIVE_Ransomware_attacks
Date of Scan:
2023-01-13
Impact:
MEDIUM
Summary:
Rapid7 monitors and researches the range of techniques that threat actors use to conduct malicious activity. Recently, Rapid7 observed malicious activity in which a threat actor performed several known techniques for distributing ransomware across many systems within a victim's environment. In addition to those techniques, the actor employed a number of previously unseen techniques designed to drop the victim's defenses, inhibit monitoring, disable networking and allow time for the ransomware to finish encrypting files.


Source:
https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/

2023-01-13
Orcus_RAT_being_distributed_on_file_sharing_sites
LOW

Intel Source:
ASEC
Intel Name:
Orcus_RAT_being_distributed_on_file_sharing_sites
Date of Scan:
2023-01-13
Impact:
LOW
Summary:
The ASEC analysis team recently identified Orcus RAT being distributed on file-sharing sites disguised as a cracked version of Hangul Word Processor.


Source:
https://asec.ahnlab.com/en/45462/

2023-01-13
Spike_in_Holiday_Attacks_Targeting_Ancient_Vulnerabilities_and_Hidden_Webshells
LOW

Intel Source:
Wordfence
Intel Name:
Spike_in_Holiday_Attacks_Targeting_Ancient_Vulnerabilities_and_Hidden_Webshells
Date of Scan:
2023-01-13
Impact:
LOW
Summary:
Researchers from Wordfence have observed spikes in attack traffic over the Christmas and New Year holidays, specifically targeting the Downloads Manager plugin by Giulio Ganci.


Source:
https://www.wordfence.com/blog/2023/01/holiday-attack-spikes-target-ancient-vulnerabilities-and-hidden-webshells/

2023-01-12
Hackers_From_Scattered_Spider_Using_Old_Intel_Driver_to_Bypass_Security
MEDIUM

Intel Source:
CrowdStrike
Intel Name:
Hackers_From_Scattered_Spider_Using_Old_Intel_Driver_to_Bypass_Security
Date of Scan:
2023-01-12
Impact:
MEDIUM
Summary:
CrowdStrike researchers have identified a financially motivated threat actor named Scattered Spider, observed attempting to deploy Intel Ethernet diagnostics drivers in a BYOVD (Bring Your Own Vulnerable Driver) attack to evade detection by EDR (Endpoint Detection and Response) security products.


Source:
https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/

2023-01-12
Active_IOCs_of_Mirai_Botnet_aka_Katana
LOW

Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_Mirai_Botnet_aka_Katana
Date of Scan:
2023-01-12
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of Mirai Botnet aka Katana. Mirai is one of the first major botnets to target Linux-based vulnerable networking devices. It was discovered in August 2016 and its name means “future” in Japanese.


Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-mirai-botnet-aka-katana-active-iocs-4

2023-01-12
The_Examine_of_NeedleDropper_Malware
LOW

Intel Source:
Avast
Intel Name:
The_Examine_of_NeedleDropper_Mal