An_Email_Specific_Phishing_Page
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- An_Email_Specific_Phishing_Page
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- ASEC researchers have identified multiple phishing emails that are distributed with a changing icon to reflect the mail account service entered by the user and send a warning that their account will be shut down, prompting them to click the ‘Reactivate Now’ link if they need their account kept active.
New_Version_of_Nevada_Ransomware
MEDIUM
+
—
- Intel Source:
- Resecurity
- Intel Name:
- New_Version_of_Nevada_Ransomware
- Date of Scan:
- 2023-02-01
- Impact:
- MEDIUM
- Summary:
- Resecurity researchers have identified a new version of Nevada Ransomware which recently emerged on the Dark Web right before the start of 2023. The actors behind this new project have an affiliate platform first introduced on the RAMP underground community, which is known for initial access brokers (IABs) and other cybercriminal actors and ransomware groups.
Google_Ads_Targeting_Password_Manager
LOW
+
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Google_Ads_Targeting_Password_Manager
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- Researchers from Malwarebytes have identified a new malvertising campaign that makes use of Google Ads to target users looking for password managers.
TZW_Ransomware_Distributing_in_Korea
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- TZW_Ransomware_Distributing_in_Korea
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered the distribution of the TZW ransomware, which encrypts files before adding the “TZW” file extension to the original extension.
Malware_Packer_TrickGate_Using_by_Several_Malware_to_Evade_Detection
LOW
+
—
- Intel Source:
- Checkpoint
- Intel Name:
- Malware_Packer_TrickGate_Using_by_Several_Malware_to_Evade_Detection
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- Researchers from Checkpoint have identified a shellcode-based packer dubbed TrickGate has been successfully operating without attracting notice for over six years, while enabling threat actors to deploy a wide range of malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil over the years.
An_ongoing_phishing_campaign_that_impersonates_Southwest_Airlines
LOW
+
—
- Intel Source:
- Inky
- Intel Name:
- An_ongoing_phishing_campaign_that_impersonates_Southwest_Airlines
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- Last December, INKY observed and detected an ongoing phishing campaign that impersonates Southwest Airlines. Phishing emails are being sent from newly created domains, set up explicitly for these attacks.
The_Analysis_of_Cryptojacks_System_to_Mine_for_Monero_Crypto
LOW
+
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Analysis_of_Cryptojacks_System_to_Mine_for_Monero_Crypto
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- Fortinet researchers have analyzed the crypto miner software that is delivering via the Excel document and executing it on the victim device.
NikoWiper_Malware_Targeting_Ukraine_Energy_Sector
LOW
+
—
- Intel Source:
- Welivesecurity
- Intel Name:
- NikoWiper_Malware_Targeting_Ukraine_Energy_Sector
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- ESET researchers have analyzed the activities of selected APT groups and identified the Russia-affiliated Sandworm using another wiper malware strain dubbed NikoWiper as part of an attack that took place in October 2022 targeting an energy sector company in Ukraine.
The_Similarities_Between_Abraham_s_Ax_and_Moses_Staff_Group
LOW
+
—
- Intel Source:
- Secureworks
- Intel Name:
- The_Similarities_Between_Abraham_s_Ax_and_Moses_Staff_Group
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- Researchers from SecureWorks have analyzed the similarities between the Moses Staff hacktivist group persona that emerged in September 2021 and the Abraham's Ax persona that emerged in November 2022.
Phishing_Emails_Circulating_With_Requests_for_Product_Quotation
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Phishing_Emails_Circulating_With_Requests_for_Product_Quotation
- Date of Scan:
- 2023-02-01
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified phishing emails with content related to requests for product quotations. These phishing emails are all disguised to seem as if they were sent by a manager with a high position, such as the team leader or department director of production companies or foundries, and were also .html and .htm attachments.
The_Magniber_ransomware_spotlight
MEDIUM
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_Magniber_ransomware_spotlight
- Date of Scan:
- 2023-01-31
- Impact:
- MEDIUM
- Summary:
- After it was originally discovered in 2017, Magniber came back in 2021. It is aiming some Asian countries and TrendMicro found out about the exploitation of new vulnerabilities for initial access, including CVE-2021-26411, CVE-2021-40444, and most notably the PrintNightmare vulnerability, CVE-2021-34527
ASEC_Weekly_Malware_samples_January_16_22nd_2023
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_samples_January_16_22nd_2023
- Date of Scan:
- 2023-01-31
- Impact:
- LOW
- Summary:
- The ASEC analysis team keep monitoring weekly malware collection samples for January 16-22nd, 2023. They shared their analyses of the cases of distribution of phishing emails during this week and provide statistical information on each type.
Hackers_From_BlueBravo_Deploying_GraphicalNeutrino_Malware
LOW
+
—
- Intel Source:
- Recorded Future
- Intel Name:
- Hackers_From_BlueBravo_Deploying_GraphicalNeutrino_Malware
- Date of Scan:
- 2023-01-31
- Impact:
- LOW
- Summary:
- Recorded Future researchers have identified the new malware used by BlueBravo threat group, which overlaps with Russian APT activity tracked as APT29 and NOBELIUM, which Western governments and researchers have linked to the Russian Foreign Intelligence Service (SVR).
Database_Injection_Attacks_Compromise_WordPress_Sites
LOW
+
—
- Intel Source:
- Sucuri
- Intel Name:
- Database_Injection_Attacks_Compromise_WordPress_Sites
- Date of Scan:
- 2023-01-30
- Impact:
- LOW
- Summary:
- Sucuri researchers have identified a massive campaign that infects over 4,500 WordPress websites as part of a long-running operation. According to GoDaddy-owned Sucuri, the infections involve the injection of obfuscated JavaScript hosted on a malicious domain that's designed to redirect visitors to undesirable sites.
Sandworm_APT_Targeting_Ukraine
LOW
+
—
- Intel Source:
- ESET
- Intel Name:
- Sandworm_APT_Targeting_Ukraine
- Date of Scan:
- 2023-01-30
- Impact:
- LOW
- Summary:
- ESET researchers have discovered a new Golang-based wiper, dubbed SwiftSlicer, that is used in attacks aimed at Ukraine. Also, they believe that the Russia-linked APT group Sandwork (aka BlackEnergy and TeleBots) is behind the wiper attacks.
The_Deep_Examination_of_Venom_Spider
LOW
+
—
- Intel Source:
- Esentire
- Intel Name:
- The_Deep_Examination_of_Venom_Spider
- Date of Scan:
- 2023-01-30
- Impact:
- LOW
- Summary:
- Esentire researchers have discovered the real-world identity of the threat actor behind Golden Chickens malware-as-a-service, who goes by the online persona badbullzvenom.
Gootkit_Malware_Updating_With_New_Components_and_Obfuscations
LOW
+
—
- Intel Source:
- Mandiant
- Intel Name:
- Gootkit_Malware_Updating_With_New_Components_and_Obfuscations
- Date of Scan:
- 2023-01-30
- Impact:
- LOW
- Summary:
- Mandiant researchers have identified that the threat actors associated with the Gootkit malware have made notable changes to their toolset, adding new components and obfuscations to their infection chains.
Realtek_SDK_Vulnerability_Attempting_to_Hack_IoT_Devices
LOW
+
—
- Intel Source:
- PaloAlto
- Intel Name:
- Realtek_SDK_Vulnerability_Attempting_to_Hack_IoT_Devices
- Date of Scan:
- 2023-01-30
- Impact:
- LOW
- Summary:
- Researchers from PaloAlto have observed the spike in exploitation attempts weaponizing a critical remote code execution flaw in Realtek Jungle SDK, the ongoing campaign is said to have recorded 134 million exploit attempts as of December 2022, with 97% of the attacks occurring in the past four months.
Hackers_From_Sandworm_Group_Targeting_News_Agencies
LOW
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- Hackers_From_Sandworm_Group_Targeting_News_Agencies
- Date of Scan:
- 2023-01-30
- Impact:
- LOW
- Summary:
- Researchers from CERT-UA have identified the five different data-wiping malware strains deploying on the network of the country's national news agency (Ukrinform) on January 17th.
ASEC_Weekly_Malware_samples_January_8_14th_2023
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_samples_January_8_14th_2023
- Date of Scan:
- 2023-01-28
- Impact:
- LOW
- Summary:
- The ASEC analysis team keep monitoring weekly malware collection samples for January 8-14th, 2023. They shared their analyses of thee cases of distribution of phishing emails during this week and provide statistical information on each type.
Mimic_Ransomware_Targeting_Russian_and_English_Speaking_Users
LOW
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- Mimic_Ransomware_Targeting_Russian_and_English_Speaking_Users
- Date of Scan:
- 2023-01-27
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage.
Cybercriminals_Leveraging_Legitimate_RMM_software
MEDIUM
+
—
- Intel Source:
- CISA
- Intel Name:
- Cybercriminals_Leveraging_Legitimate_RMM_software
- Date of Scan:
- 2023-01-27
- Impact:
- MEDIUM
- Summary:
- CISA researchers have identified a widespread cyber campaign involving the malicious use of legitimate RMM software. Specifically, cyber-criminal actors send phishing emails to the target to download legitimate RMM software—ScreenConnect (now ConnectWise Control) and AnyDesk—which the actors use in a refund scam to steal money from victim bank accounts.
Hackers_Targeting_Tech_Layoff_Employees_With_Job_Scams
MEDIUM
+
—
- Intel Source:
- Zscaler
- Intel Name:
- Hackers_Targeting_Tech_Layoff_Employees_With_Job_Scams
- Date of Scan:
- 2023-01-27
- Impact:
- MEDIUM
- Summary:
- Zscaler Threatlabz researchers have observed multiple suspicious job portals and surveys used by attackers to solicit information from job seekers under the guise of employment application forms. The attackers may advertise jobs online, sometimes setting up fake websites, or look for targets on social media to steal money and personal information.
Kronos_Malware_Increasing_its_Functionality
LOW
+
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- Kronos_Malware_Increasing_its_Functionality
- Date of Scan:
- 2023-01-27
- Impact:
- LOW
- Summary:
- Researchers from IBM Security Intelligence have identified that Kronos Malware is back with new functionality. It is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims.
Chinese_PlugX_Malware_Hidden_in_USB_Devices
MEDIUM
+
—
- Intel Source:
- PaloAlto
- Intel Name:
- Chinese_PlugX_Malware_Hidden_in_USB_Devices
- Date of Scan:
- 2023-01-27
- Impact:
- MEDIUM
- Summary:
- Researchers from PaloAlto have discovered a similar variant of PlugX in VirusTotal that infects USB devices and copies all Adobe PDF and Microsoft Word files from the host. It places these copies in a hidden folder on the USB device that is created by the malware.
The_Deep_Examination_of_GuLoader
LOW
+
—
- Intel Source:
- Trellix
- Intel Name:
- The_Deep_Examination_of_GuLoader
- Date of Scan:
- 2023-01-27
- Impact:
- LOW
- Summary:
- Trellix researchers have analyzed the multiple archive types used by threat actors to trick users into opening an email attachment and the progression of its distribution inside NSIS (Nullsoft Scriptable Install System) executable files by showing the obfuscation and string encryption updates through the year 2022.
Titan_Stealer_Leveraging_GoLang
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Titan_Stealer_Leveraging_GoLang
- Date of Scan:
- 2023-01-27
- Impact:
- LOW
- Summary:
- Cyble researchers have observed that threat actors use Golang for their information stealer malware. Additionally, it is spotted, Titan stealer using multiple Command and Control (C&C) infrastructures targeting new victims.
Vice_Society_Ransomware_Group_Targeting_Manufacturing_Companies
MEDIUM
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- Vice_Society_Ransomware_Group_Targeting_Manufacturing_Companies
- Date of Scan:
- 2023-01-26
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have highlighted the findings of Vice Society, which includes an end-to-end infection diagram.
Active_IOCs_of_Ursnif_Banking_Trojan_aka_Gozi
LOW
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Ursnif_Banking_Trojan_aka_Gozi
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Ursnif Banking Trojan aka Gozi. It is also known as Gozi and Dreambot has been around for more than 10 years. It gained popularity in 2015 when its source code was published on Github and since then the moderators have always tweaked some changes to make use of their arsenal according to their gains.
Active_IOCs_of_Remcos_RAT
LOW
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Remcos_RAT
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Remcos RAT. It is operating since 2016. This RAT was originally promoted as genuine software for remote control of Microsoft Windows from XP onwards, and is frequently found in phishing attempts due to its capacity to completely infect an afflicted machine.
Active_IOCs_of_APT_Group_Gamaredon
LOW
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_APT_Group_Gamaredon
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of APT Group Gamaredon. It is a Russia-backed advanced persistent threat (APT) that has been operating since at least 2013. The group is believed to be operating out of Ukraine, and is thought to be focused on targeting Ukrainian government and military organizations, as well as individuals and organizations in the energy sector.
Cybercriminals_Using_JQuery_to_Spread_Malware
LOW
+
—
- Intel Source:
- SocInvestigation
- Intel Name:
- Cybercriminals_Using_JQuery_to_Spread_Malware
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Researchers from SocInvestigation have identified that the popular javascript library "JQuery" is used by hackers for distributing malware.
The_rised_concern_of_Amadey_Bot
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- The_rised_concern_of_Amadey_Bot
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Recently, Cyble Research and Intelligence Labs (CRIL) has observed a huge spike of Amadey bot samples. It proved that threat actors are actively using this bot to infect victims’ systems with another malware.
Critical_ManageEngine_Vulnerability_Observed
MEDIUM
+
—
- Intel Source:
- Rapid 7
- Intel Name:
- Critical_ManageEngine_Vulnerability_Observed
- Date of Scan:
- 2023-01-26
- Impact:
- MEDIUM
- Summary:
- Rapid7 is taking precausios steps from the vulnerability exploitation of CVE-2022-47966. Several of the affected products are extremely popular with organizations and attackers, including ADSelfService Plus and ServiceDesk Plus. Rapid7 provided a detailed analysis of CVE-2022-47966 in AttackerKB. Rapid7 vulnerability research team discovered during testing that some products may be more exploitable than others: ServiceDesk Plus and ADSelfService.
Active_IOCs_of_Raccoon_Infostealer
LOW
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Raccoon_Infostealer
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Raccoon Infostealer. It gathers private data such as credit card numbers, cryptocurrency wallet addresses, login passwords, and browser information like cookies and history.
Hackers_Leveraging_ProxyNotShell_For_Attacks
LOW
+
—
- Intel Source:
- Bitdefender
- Intel Name:
- Hackers_Leveraging_ProxyNotShell_For_Attacks
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- BitDefender researchers have started observing an increase in attacks using ProxyNotShell/OWASSRF exploits chains to target on-premises Microsoft Exchange deployments.
The_ConnectWise_Control_vulnerabilities_and_exploitation
LOW
+
—
- Intel Source:
- Huntress
- Intel Name:
- The_ConnectWise_Control_vulnerabilities_and_exploitation
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- During the month of December, the Huntress team has caught the talks surrounding supposed ConnectWise Control vulnerabilities and possibly in-the-wild exploitation. The Huntress team has been in contact with both the ConnectWise CISO and security team and did their own research on it and explained their opinions in the details.
North_Korean_Hackers_Moving_With_Credential_Harvesting
LOW
+
—
- Intel Source:
- Proofpoint
- Intel Name:
- North_Korean_Hackers_Moving_With_Credential_Harvesting
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- Researchers from Proofpoint have identified a well known North Korean threat group for crypto heists has been attributed to a new wave of malicious email attacks as part of a "sprawling" credential harvesting activity targeting a number of industry verticals, marking a significant shift in its strategy.
Hackers_From_DragonSpark_Using_Golang_Malware_to_Avoid_Detection
MEDIUM
+
—
- Intel Source:
- Sentinelone
- Intel Name:
- Hackers_From_DragonSpark_Using_Golang_Malware_to_Avoid_Detection
- Date of Scan:
- 2023-01-26
- Impact:
- MEDIUM
- Summary:
- Researchers from SentinelOne have identified that companies in East Asia are being targeted by a Chinese-speaking threat actor named DragonSpark. The attacks are characterized by the use of the little-known open-source SparkRAT and malware that attempts to evade detection through Golang source code interpretation.
New_Evasion_Methods_For_Emotet
LOW
+
—
- Intel Source:
- Blackberry
- Intel Name:
- New_Evasion_Methods_For_Emotet
- Date of Scan:
- 2023-01-26
- Impact:
- LOW
- Summary:
- BlackBerry researchers have observed that Emotet returns with new techniques. It is continued to steadily evolve, adding new techniques for evasion and increasing its likelihood of successful infections. It is also able to host an array of modules, each used for different aspects of information theft that report back to their command-and-control (C2) servers.
A_Deep_Examination_of_Raspberry_Robin
LOW
+
—
- Intel Source:
- Esentire
- Intel Name:
- A_Deep_Examination_of_Raspberry_Robin
- Date of Scan:
- 2023-01-25
- Impact:
- LOW
- Summary:
- Esentire researchers have observed 11 cases of Raspberry Robin infections since May 2022 and analyzed them.
Black_Friday_Day_Makes_Big_For_Malvertising
LOW
+
—
- Intel Source:
- Confiant
- Intel Name:
- Black_Friday_Day_Makes_Big_For_Malvertising
- Date of Scan:
- 2023-01-25
- Impact:
- LOW
- Summary:
- Confiant researchers have observed a cookie-stuffing campaign running across multiple programmatic ad platforms with a specific uptick in Q4 around Black Friday.
Titan_Stealer_Malware_Distributing_via_Telegram_Channel
LOW
+
—
- Intel Source:
- Uptycs
- Intel Name:
- Titan_Stealer_Malware_Distributing_via_Telegram_Channel
- Date of Scan:
- 2023-01-25
- Impact:
- LOW
- Summary:
- Researchers from Uptycs have discovered a campaign involving the Titan Stealer malware, which is being marketed and sold by a threat actor (TA) through a Telegram channel for cybercrime purposes.
8220_Gang_Targeting_Vulnerable_Cloud_Providers
LOW
+
—
- Intel Source:
- Radware
- Intel Name:
- 8220_Gang_Targeting_Vulnerable_Cloud_Providers
- Date of Scan:
- 2023-01-24
- Impact:
- LOW
- Summary:
- Radware researchers have identified that the Chinese threat group a.k.a 8220 Gang is targeting cloud providers and poorly secured applications with a custom-built crypto miner and IRC bot.
Advertisement_Fraud_Scheme_VASTFLUX_Targeted_Over_11_Million_Devices
LOW
+
—
- Intel Source:
- Human Blog
- Intel Name:
- Advertisement_Fraud_Scheme_VASTFLUX_Targeted_Over_11_Million_Devices
- Date of Scan:
- 2023-01-24
- Impact:
- LOW
- Summary:
- Researchers from HUMAN’s Satori Threat Intelligence team have identified a sophisticated ad fraud scheme, dubbed VASTFLUX, that targeted more than 11 million devices.
Remcos_RAT_Deployment_by_GuLoader
LOW
+
—
- Intel Source:
- Cyfirma
- Intel Name:
- Remcos_RAT_Deployment_by_GuLoader
- Date of Scan:
- 2023-01-24
- Impact:
- LOW
- Summary:
- CYFIRMA researchers have identified the distribution of a malicious PDF file through email. It redirects the user to a cloud-based platform where they are prompted to download a ZIP file.
Diving_Deep_into_LockBit_Ransomware
MEDIUM
+
—
- Intel Source:
- Analyst1
- Intel Name:
- Diving_Deep_into_LockBit_Ransomware
- Date of Scan:
- 2023-01-23
- Impact:
- MEDIUM
- Summary:
- Researchers from Analyst1 have analyzed the LockBit ransomware operations. It is one of the most notorious organized cybercrime syndicates that exists today.
The_Vidar_operators_expanding_their_infrastructure
MEDIUM
+
—
- Intel Source:
- Team Cymru
- Intel Name:
- The_Vidar_operators_expanding_their_infrastructure
- Date of Scan:
- 2023-01-20
- Impact:
- MEDIUM
- Summary:
- Team Cymru researchers analyzed on Darth Vidar infrastructure. Vidar operators appear to be expanding their infrastructure. Vidar is an info-stealer malware, which was first spotted in the wild in late 2018 by the security researcher Fumik0. The name itself (Vidar) is derived from a string found in the malware’s code. Vidar is considered to be a distinct fork of the Arkei malware family.
Exploitation_of_FortiOS_Vulnerability_CVE_2022_42475
HIGH
+
—
- Intel Source:
- Mandiant
- Intel Name:
- Exploitation_of_FortiOS_Vulnerability_CVE_2022_42475
- Date of Scan:
- 2023-01-20
- Impact:
- HIGH
- Summary:
- Mandiant is monitoring a suspected China-nexus campaign that exploited a recently discovered vulnerability in Fortinet's FortiOS SSL-VPN, CVE-2022-42475, as a zero-day. Mandiant discovered a new malware called “BOLDMOVE” during the investigation. They found a Windows variant of BOLDMOVE and a Linux variant, which is specifically designed to run on FortiGate Firewalls.
Fortinet_Firewall_Vulnerability_Exploited_by_New_Chinese_Malware
MEDIUM
+
—
- Intel Source:
- Mandiant
- Intel Name:
- Fortinet_Firewall_Vulnerability_Exploited_by_New_Chinese_Malware
- Date of Scan:
- 2023-01-20
- Impact:
- MEDIUM
- Summary:
- Researchers from Mandiant have identified a China-nexus threat actor who exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa.
New_CrySIS_or_Dharma_Ransomware_Variants
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- New_CrySIS_or_Dharma_Ransomware_Variants
- Date of Scan:
- 2023-01-20
- Impact:
- MEDIUM
- Summary:
- Fortinet Labs researchers have analyzed the variants of the CrySIS/Dharma ransomware family.
Database_Infections_That_Compromise_Vulnerable_WordPress_Sites
LOW
+
—
- Intel Source:
- Sucuri
- Intel Name:
- Database_Infections_That_Compromise_Vulnerable_WordPress_Sites
- Date of Scan:
- 2023-01-20
- Impact:
- LOW
- Summary:
- Sucuri researchers have identified a database injection that has two different pieces of malware accomplishing two unrelated goals. The first injection redirects users to a spammy sports website and the second injection boosts authority of a spammy casino website within search engines.
ASEC_Weekly_Malware_samples_January_9_15th_2023
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Malware_samples_January_9_15th_2023
- Date of Scan:
- 2023-01-20
- Impact:
- LOW
- Summary:
- The ASEC analysis team keep monitoring weekly malware collection samples for January 9-15th, 2023. The top malwares for this week is SmokeLoader, BeamWinHTTP, Formbook, AgentTesla and Lokibot.
Batloader_Malware_Attacks_in_Q4_2022_Used_Obfuscated_JavaScript_Files_and_Legitimate_Tools
LOW
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- Batloader_Malware_Attacks_in_Q4_2022_Used_Obfuscated_JavaScript_Files_and_Legitimate_Tools
- Date of Scan:
- 2023-01-19
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have identified notable Batloader campaigns that they observed in the last quarter of 2022, including the abuse of custom action scripts from the Advanced Installer software and Windows Installer XML (WiX) toolset, the use of obfuscated JavaScript files as a first-stage payload, and the use of PyArmor tool to obfuscate Batloader Python scripts.
The_SEO_Poisoning_attack
LOW
+
—
- Intel Source:
- Sentilone
- Intel Name:
- The_SEO_Poisoning_attack
- Date of Scan:
- 2023-01-19
- Impact:
- LOW
- Summary:
- A lot of researchers have observed increase in malicious search engine advertisements found in the wild – known as SEO Poisoning, which is malvertising (malicious advertising) activity. There is an increasing variety in the specifics of the malware delivery method, such as which searches produce the malicious advertisements and which malware being delivered.
Active_IOCs_of_STRRAT_Malware
LOW
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_STRRAT_Malware
- Date of Scan:
- 2023-01-19
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of STRRAT Malware. It is a Java-based Remote-Access Trojan (RAT) with a slew of malicious features, notably information theft and backdoor capabilities.
The_LNK_metadata_trail
LOW
+
—
- Intel Source:
- Talos
- Intel Name:
- The_LNK_metadata_trail
- Date of Scan:
- 2023-01-19
- Impact:
- LOW
- Summary:
- Cisco Talos reserachers analyzed metadata in LNK files that lined to threat actors tactics techniques and procedures, to identify their activity. The researchers report shares their analyses on Qakbot and Gamaredon as examples.
Active_IOCs_of_Gh0st_RAT
LOW
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Gh0st_RAT
- Date of Scan:
- 2023-01-19
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Gh0st RAT. It is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information and data. This type of malware enables cybercriminals to gain complete access to infected computers and attempt to hijack the user’s banking account.
Cybersecurity_incident_on_website_of_Liquor_Control_Board_of_Ontario
LOW
+
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Cybersecurity_incident_on_website_of_Liquor_Control_Board_of_Ontario
- Date of Scan:
- 2023-01-19
- Impact:
- LOW
- Summary:
- This month, the Liquor Control Board of Ontario (LCBO) shared the news about a cybersecurity incident, affecting online sales. The cybersecurity incident was a web skimmer, which is designed to retrieve customer payment information.
Abusing_Google_Ads_platform_by_various_campaigns
LOW
+
—
- Intel Source:
- Cyfirma
- Intel Name:
- Abusing_Google_Ads_platform_by_various_campaigns
- Date of Scan:
- 2023-01-18
- Impact:
- LOW
- Summary:
- CYFIRMA researchers observed the campaigns closely and they provided preliminary analysis of a new RAT known as “VagusRAT” and its possible attribution to Iranian Threat actors. The VagusRAT is also delivered to the victims by exploiting Google Ads.
Attacks_on_Iranian_Government_Entities_Through_Backdoor_Diplomacy
MEDIUM
+
—
- Intel Source:
- PaloAlto
- Intel Name:
- Attacks_on_Iranian_Government_Entities_Through_Backdoor_Diplomacy
- Date of Scan:
- 2023-01-18
- Impact:
- MEDIUM
- Summary:
- PaloAlto researchers have identified that the threat actor known as Backdoor Diplomacy has been linked to a new wave of attacks targeting Iranian government entities between July and late December 2022.
Malicious_Google_Ads
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Malicious_Google_Ads
- Date of Scan:
- 2023-01-18
- Impact:
- LOW
- Summary:
- Researchers from SANS have identified that Google ads are a common vector for malware distribution. These ads frequently lead to fake sites impersonating web pages for legitimate software.
Active_IOCs_of_NJRAT
LOW
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_NJRAT
- Date of Scan:
- 2023-01-18
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of NJRAT. It is a Remote Access Trojan, which is found leveraging Pastebin to deliver a second-stage payload after initial infection.
Document_Type_Malware_Targeting_Security_Field_Workers
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Document_Type_Malware_Targeting_Security_Field_Workers
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- ASEC researchers have observed document-type malware distributing and targeting workers in the security field. The obtained malware uses an external object within a Word document to execute an additional malicious macro.
The_observation_of_the_numerous_attacks_by_NetSupport_RAT_campaign
LOW
+
—
- Intel Source:
- Sentilone
- Intel Name:
- The_observation_of_the_numerous_attacks_by_NetSupport_RAT_campaign
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- Researchers from ASEC reported on a NetSupport RAT campaign that uses a Pokemon as the social engineering lure. Threat actors is hosting a Pokemon-based NFT gameat the malicious sites offering both a fun and financially rewards.
Three_PyPI_Package_Spreading_Malware_to_Developer_Systems
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Three_PyPI_Package_Spreading_Malware_to_Developer_Systems
- Date of Scan:
- 2023-01-17
- Impact:
- MEDIUM
- Summary:
- Fortinet researchers have identified that a threat actor named Lolip0p has uploaded three rogue packages to the Python Package Index (PyPI) repository that is designed to drop malware on compromised developer systems.
Exploitation_by_attackers_to_deliver_malware_with_Microsoft_Office_macros
LOW
+
—
- Intel Source:
- Perception-Point
- Intel Name:
- Exploitation_by_attackers_to_deliver_malware_with_Microsoft_Office_macros
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- The Perception-Point researchers discussed in their blog on similarity of Microsoft Office macros, which are widely exploited by attackers and used to delivering malware. They discussed the tactics of similarity based on real-world samples that was detected in the wild.
Other_Threat_Actor_Can_Use_Raspberry_Robin
LOW
+
—
- Intel Source:
- Sekoia
- Intel Name:
- Other_Threat_Actor_Can_Use_Raspberry_Robin
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- Sekoia researchers have identified that Raspberry Robin's attack infrastructure, that possible for other threat actors to repurpose the infections for their own malicious activities which makes it an even more potent threat.
Active_IOCs_of_Bitter_APT_Group
LOW
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Bitter_APT_Group
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- The Rewterz analysts team did an analysis summary on Bitter APT Group. APT-17 group aka BITTER APT group has been recently active and targeting sectors in South Asia for information theft and espionage. This group has a history of targeting Energy, Engineering, and Government in South Asia.
Phishing_Email_Targeting_National_Tax_Service
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Phishing_Email_Targeting_National_Tax_Service
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered that a phishing email impersonating the National Tax Service is distributing.
A_Deep_Analysis_of_CircleCI_Security_Alert
LOW
+
—
- Intel Source:
- CircleCI
- Intel Name:
- A_Deep_Analysis_of_CircleCI_Security_Alert
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- Researchers from CircleCI have received an alert and analyzed the suspicious GitHub OAuth activity.
Hackers_Using_Middle_Eastern_Geopolitical_Themed_to_Distribute_NjRAT
LOW
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- Hackers_Using_Middle_Eastern_Geopolitical_Themed_to_Distribute_NjRAT
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have identified an active campaign that is using Middle Eastern geopolitical themes as a lure to target potential victims in the Middle East and Africa. In this campaign, Earth Bogle, the threat actor uses public cloud storage services such as files.fm and failiem.lv to host malware, while compromised web servers distribute NjRAT.
Decryption_Tool_For_BianLian_Ransomware_Released_by_Avast
LOW
+
—
- Intel Source:
- Avast
- Intel Name:
- Decryption_Tool_For_BianLian_Ransomware_Released_by_Avast
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- Avast researchers have released a free decryptor for the BianLian ransomware strain to help victims of the malware recover locked files without paying the hackers.
A_manuscript_Solicitation_Letter_was_disguised_by_malware
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- A_manuscript_Solicitation_Letter_was_disguised_by_malware
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- On January 8th, the ASEC analysis team discovered a document-type malware targeting workers in the security field. The obtained malware uses an external object within a Word document to execute an additional malicious macro.
ASEC_Weekly_Phishing_Email_Threats_analyses_January_1_7_2023
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Email_Threats_analyses_January_1_7_2023
- Date of Scan:
- 2023-01-17
- Impact:
- LOW
- Summary:
- The ASEC analysis team keep monitoring phishing email threats with their automatic sample analysis system (RAPIT) and honeypot. Their post explained the samples of distribution of phishing emails during the week from January 1st, 2023 to January 7th, 2022. The most prevalent threat type was observed in phishing email attachments was FakePage, taking up 58%. FakePages are web pages where the threat actor has duplicated the screen layout, logo, and font of the real login pages or advertising pages, leading users to enter their account and password information.
Vidar_Stealer_Attack_Campaign_impersonating_AnyDesk
LOW
+
—
- Intel Source:
- Crep1x
- Intel Name:
- Vidar_Stealer_Attack_Campaign_impersonating_AnyDesk
- Date of Scan:
- 2023-01-15
- Impact:
- LOW
- Summary:
- Typosquatting attack campaign found in the wild impersonating multiple legitimate RMM tools and redirecting users to fake AnyDesk websites triggering Vidar Stealer Payload download through dropbox.
Rhadamanthys_Stealer_Leverages_Google_Ads_in_the_wild
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Rhadamanthys_Stealer_Leverages_Google_Ads_in_the_wild
- Date of Scan:
- 2023-01-14
- Impact:
- LOW
- Summary:
- Researchers from Cyble found a new malware strain, Rhadamanthys Stealer, leveraging Spam and Phishing campaigns through Google Ads and redirecting users to fake phishing websites of popular software. The Malware downloaded in the background of legitimate files or through obfuscated images steals sensitive information to further aid in unauthorized access.
PurpleUrchin_Campaign_Bypass_CAPTCHA_and_Steals_Cloud_Platform_Resources
LOW
+
—
- Intel Source:
- PaloAlto
- Intel Name:
- PurpleUrchin_Campaign_Bypass_CAPTCHA_and_Steals_Cloud_Platform_Resources
- Date of Scan:
- 2023-01-14
- Impact:
- LOW
- Summary:
- Researchers from PaloAlto have analyzed Automated Libra, the cloud threat actor group behind the freejacking campaign PurpleUrchin. Automated Libra is a South African-based freejacking group that primarily targets cloud platforms offering limited-time trials of cloud resources in order to perform their cryptomining operations.
Gootloader_Malware_returns_with_revamped_infection_technique
LOW
+
—
- Intel Source:
- Esentire
- Intel Name:
- Gootloader_Malware_returns_with_revamped_infection_technique
- Date of Scan:
- 2023-01-14
- Impact:
- LOW
- Summary:
- Researchers from Esentire found Gootloader malware activity with a new infection technique, further leading to Cobalt Strike leveraging existing PowerShell process beaconed to various malicious domains. The attacker seems to be hands-on, dropping multiple payloads, including BloodHound and PsExec, while being persistent and targeting different areas for further compromise.
Research_on_HIVE_Ransomware_attacks
MEDIUM
+
—
- Intel Source:
- Rapid7
- Intel Name:
- Research_on_HIVE_Ransomware_attacks
- Date of Scan:
- 2023-01-13
- Impact:
- MEDIUM
- Summary:
- Rapid7 monitors and research on the range of techniques that threat actors use to conduct malicious activity. Recently, Rapid7 observed a malicious activity performed by threat actor performing several known techniques for distributing ransomware across many systems within a victim’s environment. In addition to those techniques, the actor employed a number of previously unseen techniques designed to to drop the defenses of the victim, inhibit monitoring, disable networking and allow time for the ransomware to finish encrypting files.
Spike_in_Holiday_Attacks_Targeting_Ancient_Vulnerabilities_and_Hidden_Webshells
LOW
+
—
- Intel Source:
- Wordfence
- Intel Name:
- Spike_in_Holiday_Attacks_Targeting_Ancient_Vulnerabilities_and_Hidden_Webshells
- Date of Scan:
- 2023-01-13
- Impact:
- LOW
- Summary:
- Researchers from Wordfence have observed spikes in attack traffic over the Christmas and New Year holidays, which is specifically targeting the Downloads Manager plugin by Giulio Ganci.
The_Deep_Investigation_of_FortiOS_Zero_Day_Attack
LOW
+
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Deep_Investigation_of_FortiOS_Zero_Day_Attack
- Date of Scan:
- 2023-01-13
- Impact:
- LOW
- Summary:
- Researchers from Fortinet have analyzed the zero-day vulnerability in FortiOS SSL-VPN that Fortinet addressed last month was exploited by unknown actors in attacks targeting the government and other large organizations.
Unpatched_Vulnerability_to_Bypass_Windows_OS_Security_Feature
MEDIUM
+
—
- Intel Source:
- Eclecticiq
- Intel Name:
- Unpatched_Vulnerability_to_Bypass_Windows_OS_Security_Feature
- Date of Scan:
- 2023-01-13
- Impact:
- MEDIUM
- Summary:
- EclecticIQ analysts researched on QakBot phishing campaigns who can turn it to a Zero-Day Vulnerability to evade Windows Mark of the Web (MoTW). QakBot may be able to increase its infection success rate as a result of the switch to a zero-day exploit.
RAT_Malware_Campaign_Using_Polyglot_Files_to_Evade_Detection
LOW
+
—
- Intel Source:
- Deep Instinct
- Intel Name:
- RAT_Malware_Campaign_Using_Polyglot_Files_to_Evade_Detection
- Date of Scan:
- 2023-01-13
- Impact:
- LOW
- Summary:
- Deep Instinct researchers have identified that operators of the StrRAT and Ratty remote access trojans (RAT) are running a new campaign using polyglot MSI/JAR and CAB/JAR files to evade detection from security tools.
Orcus_RAT_being_distributed_on_file_sharing_sites
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Orcus_RAT_being_distributed_on_file_sharing_sites
- Date of Scan:
- 2023-01-13
- Impact:
- LOW
- Summary:
- The ASEC analysis team recently identified Orcus RAT being distributed on file-sharing sites disguised as a cracked version of Hangul Word Processor.
Dark_Pink_APT_Group_Targeting_Asia_Pacific_Region
MEDIUM
+
—
- Intel Source:
- Group-IB
- Intel Name:
- Dark_Pink_APT_Group_Targeting_Asia_Pacific_Region
- Date of Scan:
- 2023-01-12
- Impact:
- MEDIUM
- Summary:
- Group-IB researchers have identified a new wave of attacks that have struck the Asia-Pacific (APAC) region by the Dark Pink APT group.
Gootkit_Loader_Campaign_Targeting_Australian_Healthcare_Industry
MEDIUM
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- Gootkit_Loader_Campaign_Targeting_Australian_Healthcare_Industry
- Date of Scan:
- 2023-01-12
- Impact:
- MEDIUM
- Summary:
- Researchers from TrendMicro have analyzed a series of attacks and discovered that Gootkit leveraging SEO poisoning for its initial access and abusing legitimate tools like VLC Media Player.
Diving_Deep_into_IcedID_Malware
LOW
+
—
- Intel Source:
- Cybereason
- Intel Name:
- Diving_Deep_into_IcedID_Malware
- Date of Scan:
- 2023-01-12
- Impact:
- LOW
- Summary:
- Cybereason researchers have analyzed IcedID infection that illustrates the tactics, techniques, and procedures (TTPs) used in a recent campaign. It is also known as BokBot, which is traditionally known as a banking trojan used to steal financial information from its victims.
Active_IOCs_of_Mirai_Botnet_aka_Katana
LOW
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Mirai_Botnet_aka_Katana
- Date of Scan:
- 2023-01-12
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Mirai Botnet aka Katana. Mirai is one of the first major botnets to target Linux-based vulnerable networking devices. It was discovered in August 2016 and its name means “future” in Japanese.
A_Deep_Dive_into_EyeSpy_Spyware
LOW
+
—
- Intel Source:
- Bitdefender
- Intel Name:
- A_Deep_Dive_into_EyeSpy_Spyware
- Date of Scan:
- 2023-01-12
- Impact:
- LOW
- Summary:
- Researchers from Bitdefender have analyzed spyware named EyeSpy which is marketed as a legitimate monitoring application that arrives on the system via Trojanized installers and it is targeting t Iranian users trying to download VPN solutions to bypass Internet restrictions in their country.
Hackers_From_Scattered_Spider_Using_Old_Intel_Driver_to_Bypass_Security
MEDIUM
+
—
- Intel Source:
- CrowdStrike
- Intel Name:
- Hackers_From_Scattered_Spider_Using_Old_Intel_Driver_to_Bypass_Security
- Date of Scan:
- 2023-01-12
- Impact:
- MEDIUM
- Summary:
- CrowdStrick researchers have identified a financially motivated threat actor named Scattered Spider and observed attempting to deploy Intel Ethernet diagnostics drivers in a BYOVD (Bring Your Own Vulnerable Driver) attack to evade detection from EDR (Endpoint Detection and Response) security products.
ASEC_Weekly_Phishing_Email_sample_analyses
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Email_sample_analyses
- Date of Scan:
- 2023-01-12
- Impact:
- LOW
- Summary:
- The ASEC analysis team keep monitoring phishing email threats with their system and honeypot. This article explains the distribution of phishing emails during the week from December 18th, 2022 to December 24th, 2022 and provide statistical information on each type.
The_Examine_of_NeedleDropper_Malware
LOW
+
—
- Intel Source:
- Avast
- Intel Name:
- The_Examine_of_NeedleDropper_Malware
- Date of Scan:
- 2023-01-12
- Impact:
- LOW
- Summary:
- Avast researchers have analyzed the NeedleDropper malware and it is a self-extracting archive that contains a modified AutoIt interpreter, obfuscated AutoIt script, and Visual Basic script, which is used for initial execution.
Ransomware_variants_across_the_OSINT_community
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Ransomware_variants_across_the_OSINT_community
- Date of Scan:
- 2023-01-12
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs monitors and gathers data on ransomware variants weekly that have been catching on in their datasets and across the OSINT community. They shared their ransomware report provides the insights into the ransomware landscape and the Fortinet solutions that protect against those variants.
ASEC_Weekly_Phishing_Email_sample_analyses_Dec_24_31_2022
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- ASEC_Weekly_Phishing_Email_sample_analyses_Dec_24_31_2022
- Date of Scan:
- 2023-01-12
- Impact:
- LOW
- Summary:
- The ASEC analysis team keep monitoring phishing email threats with their system and honeypot. This article explains the distribution of phishing emails during the week from December 24th, 2022 to December 31st, 2022 and provide statistical information on each type.
NoName057_16_Hacking_Group_Targeting_NATO
MEDIUM
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- NoName057_16_Hacking_Group_Targeting_NATO
- Date of Scan:
- 2023-01-12
- Impact:
- MEDIUM
- Summary:
- Researchers from SentinelOne have observed that the Pro-Russian hacking group named NoName057(16) targeting Czech presidential election candidates' websites.
Active_IOCs_of_DanaBot_Trojan
LOW
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_DanaBot_Trojan
- Date of Scan:
- 2023-01-12
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of DanaBot Trojan. DanaBot is a persistent and ever-evolving threat that has been circulating in the wild since 2018 and it was originally marketed as a Malware-as-a-Service (MaaS) offering primarily targeted banking fraud and data theft.
Emotet_Malware_resurfaces_deploying_loaders_through_Spear_Phishing
MEDIUM
+
—
- Intel Source:
- Intrinsec
- Intel Name:
- Emotet_Malware_resurfaces_deploying_loaders_through_Spear_Phishing
- Date of Scan:
- 2023-01-11
- Impact:
- MEDIUM
- Summary:
- Researchers from Intrinsic uncovered Emotet's latest Spam campaign spreading malicious documents in the wild, in addition to targeted spear-phishing emails. The malware returns with new obfuscation techniques and revamped loader capabilities.
Magecart_Skimmer_Using_MRSNIFFA_Toolkit
LOW
+
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Magecart_Skimmer_Using_MRSNIFFA_Toolkit
- Date of Scan:
- 2023-01-11
- Impact:
- LOW
- Summary:
- Malwarebytes Labs researchers have identified a Magecart skimmer using the mr.SNIFFA toolkit and infrastructure from DDoS-Guard. The domain names used to serve the skimmer referenced public figures or names well-known in the cryptocurrency world.
A_Novel_Info_Stealer_RAT_leveraging_PYPI
LOW
+
—
- Intel Source:
- Phylum
- Intel Name:
- A_Novel_Info_Stealer_RAT_leveraging_PYPI
- Date of Scan:
- 2023-01-11
- Impact:
- LOW
- Summary:
- Phylum researchers have identified a novel malware campaign targeting the Python Package Index (PyPI), a combination of RAT and Stealer, to exfiltrate various data while being persistent and opening tunnels. The RAT being spread has Web GUI projecting the continuous focus on supply chain attacks.
Dridex_Malware_Returns_and_Targeting_MacOS
LOW
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- Dridex_Malware_Returns_and_Targeting_MacOS
- Date of Scan:
- 2023-01-11
- Impact:
- LOW
- Summary:
- TrendMicro researchers have analyzed Dridex, an online banking malware variant targeting MacOS platforms with a new technique to deliver documents embedded with malicious macros to users.
LummaC2_Stealer_Targeting_Chromium_and_Mozilla_Based_Browsers
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- LummaC2_Stealer_Targeting_Chromium_and_Mozilla_Based_Browsers
- Date of Scan:
- 2023-01-10
- Impact:
- LOW
- Summary:
- Cyble researchers have discovered a post on the cybercrime forum about an information stealer named LummaC2 Stealer targeting both Chromium and Mozilla-based browsers.
Drug_trafficking_and_illegal_pharmacies_compete_on_the_dark_web
MEDIUM
+
—
- Intel Source:
- Resecurity
- Intel Name:
- Drug_trafficking_and_illegal_pharmacies_compete_on_the_dark_web
- Date of Scan:
- 2023-01-10
- Impact:
- MEDIUM
- Summary:
- Researchers from Resecurity have identified that the top 10 marketplaces are currently representing the core ecosystem of drug trafficking in the Dark Web, which is split between actors from multiple regions and influence groups.
The_modified_CIA_attack_kit_Hive_enters_the_field_of_black_and_gray_production
LOW
+
—
- Intel Source:
- 360Netlab
- Intel Name:
- The_modified_CIA_attack_kit_Hive_enters_the_field_of_black_and_gray_production
- Date of Scan:
- 2023-01-10
- Impact:
- LOW
- Summary:
- 360Netlab researchers have observed that xdr33 is a backdoor and born out of the CIA Hive project. The main purpose is to collect sensitive information and provide a foothold for subsequent intrusions.
Bluebottle_Campaign_Hits_Banks_With_Signed_Malware
LOW
+
—
- Intel Source:
- Symantec
- Intel Name:
- Bluebottle_Campaign_Hits_Banks_With_Signed_Malware
- Date of Scan:
- 2023-01-10
- Impact:
- LOW
- Summary:
- Researchers from Symantec have identified Bluebottle campaign hits banks in French speaking countries in Africa with the activity that leverages new TTPs.
Active_IOCs_of_Agent_Tesla_Malware
MEDIUM
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Agent_Tesla_Malware
- Date of Scan:
- 2023-01-10
- Impact:
- MEDIUM
- Summary:
- Researchers from Rewterz have identified the active IOCs of Agent Tesla Malware. Agent Tesla is a very popular spyware Trojan built for the.NET framework. Agent Tesla grabs data from the victim’s clipboard, logs keystrokes, captures screenshots, and gains access to the victim’s webcam. It has the ability to terminate running analytic programs and anti-virus applications.
Russian_Turla_Cyberspies_via_USB_Delivered_Malware
LOW
+
—
- Intel Source:
- Mandient
- Intel Name:
- Russian_Turla_Cyberspies_via_USB_Delivered_Malware
- Date of Scan:
- 2023-01-10
- Impact:
- LOW
- Summary:
- Recently Russian state-sponsored threat actor Turla lunched attackes against Ukraine and it was leveraged by Andromeda malware most likely deployed by other hackers via an infected USB drive, Mandiant reported. Mandiant researchers analyzed a Turla-suspected operation tUNC4210 and discovered that at least three expired Andromeda command and control (C&C) domains have been reregistered and used for victim profiling.
The_Details_Exianition_of_Ursnif_Malware
LOW
+
—
- Intel Source:
- DFIR Report
- Intel Name:
- The_Details_Exianition_of_Ursnif_Malware
- Date of Scan:
- 2023-01-10
- Impact:
- LOW
- Summary:
- Researchers from DFIR have analyzed the Ursnif malware. It delivers malicious ISO to users.
InfoStealer_Targeting_Italian_Region
LOW
+
—
- Intel Source:
- Uptycs
- Intel Name:
- InfoStealer_Targeting_Italian_Region
- Date of Scan:
- 2023-01-10
- Impact:
- LOW
- Summary:
- Researchers from Uptycs have observed a new infostealer malware attack campaign. In that the threat actors delivered emails through spam or phishing mail with the subject as “Invoice”, targeting the specific geo of Italy.
DShield_Sensor_JSON_Log_Analysis
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- DShield_Sensor_JSON_Log_Analysis
- Date of Scan:
- 2023-01-10
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed json DShield logs for a 9-day period.
Brazil_Malspam_Pushing_Astaroth
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Brazil_Malspam_Pushing_Astaroth
- Date of Scan:
- 2023-01-09
- Impact:
- LOW
- Summary:
- Researchers from SANS have identified four Portuguese language emails targeting Brazil. These messages are pushing the same type of Astaroth (Guildma) malware.
Diving_Deep_into_PyTorch_Dependency_Confusion_Administered_Malware
LOW
+
—
- Intel Source:
- Aqua Blog
- Intel Name:
- Diving_Deep_into_PyTorch_Dependency_Confusion_Administered_Malware
- Date of Scan:
- 2023-01-09
- Impact:
- LOW
- Summary:
- Aquasec researchers have identified the dependency of the widely used PyTorch-nightly Python package targeting in a dependency confusion attack, resulting in thousands of individuals downloading a malicious binary that exfiltrated data through DNS.
Hackers_Targeting_Zoom_Appliation
MEDIUM
+
—
- Intel Source:
- Cyble
- Intel Name:
- Hackers_Targeting_Zoom_Appliation
- Date of Scan:
- 2023-01-09
- Impact:
- MEDIUM
- Summary:
- Cyble researchers have identified a phishing campaign targeting Zoom application software to deliver the IcedID malware. This malware primarily targeting businesses and can be used to steal payment information.
PatchWork_APT_Group_Targeting_Pakistan
MEDIUM
+
—
- Intel Source:
- Rewterz
- Intel Name:
- PatchWork_APT_Group_Targeting_Pakistan
- Date of Scan:
- 2023-01-06
- Impact:
- MEDIUM
- Summary:
- Researchers from Rewterz have identified the active IOCs of PatchWork APT Group. This Indian threat actor Patchwork has been active since December 2015 and recently using spear phishing to strike Pakistan. PatchWork, (also known as Mahabusa, White Elephant, hangOver, VICEROY TIGER, The Dropping Elephant) is an APT that mainly conducts cyber-espionage activities against its targets.
Blindeagle_Targeting_Ecuador_Based_Organizations
LOW
+
—
- Intel Source:
- Checkpoint
- Intel Name:
- Blindeagle_Targeting_Ecuador_Based_Organizations
- Date of Scan:
- 2023-01-06
- Impact:
- LOW
- Summary:
- Researchers from Checkpoint have identified a campaign that is targeting Ecuador based organizations, CPR detected a new infection chain that involves a more advanced toolset.
Active_IOCs_of_Amadey_Botnet
MEDIUM
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Amadey_Botnet
- Date of Scan:
- 2023-01-06
- Impact:
- MEDIUM
- Summary:
- Researchers from Rewterz have identified the active IOCs of Amadey Botnet. Amadey infects a victim’s computer and incorporates it into a. botnet. The Amadey trojan can also download additional malware. and exfiltrate user information to a command and control (C2) server.
Installing_CoinMiner_by_malware
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Installing_CoinMiner_by_malware
- Date of Scan:
- 2023-01-05
- Impact:
- LOW
- Summary:
- The ASEC analysis team observed a new Linux malware developed with Shell Script Compiler that has been installing a CoinMiner. It believes that after successful verification through a dictionary attack on inadequately managed Linux SSH servers, different malwares were installed on the target system. Among those installed were the Shc downloader, XMRig CoinMiner installed through the former, and DDoS IRC Bot, developed with Perl.
Active_IOCs_of_Ursnif_Banking_Trojan
LOW
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Ursnif_Banking_Trojan
- Date of Scan:
- 2023-01-05
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Ursnif Banking Trojan. The attackers have switched to using Trojans such as Ursnif to steal other types of data, including email configurations, as well as credentials and passwords stored in the web browsers and even digital wallets. Threat actors use different techniques to make a victim fall into their trap like a phishing email.
Active_IOCs_of_SmokeLoader_Malware
LOW
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_SmokeLoader_Malware
- Date of Scan:
- 2023-01-05
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of SmokeLoader Malware. This malware is mostly used to load additional malicious software, which is often obtained from a third-party source. Smoke Loader can load its modules allowing it to do several activities without the use of additional components
Active_IOCs_of_DarkCrystal_RAT_(DCRat)
LOW
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_DarkCrystal_RAT_(DCRat)
- Date of Scan:
- 2023-01-05
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of DarkCrystal RAT. DCRat is a Russian backdoor, was initially introduced in 2018. The malware’s modular architecture allows it to be extended for a variety of nefarious objectives, including surveillance, reconnaissance, data theft, DDoS attacks, and arbitrary code execution.
Active_IOCs_of_CrySIS_aka_Dharma_Ransomware
MEDIUM
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_CrySIS_aka_Dharma_Ransomware
- Date of Scan:
- 2023-01-05
- Impact:
- MEDIUM
- Summary:
- Researchers from Rewterz have identified the active IOCs of CrySIS aka Dharma Ransomware. CrySIS, also known as Dharma, is a group of ransomware that has been active since 2016. Researchers indicate the spam emails attempt to disguise themselves as invoice emails. In reality, the spam is being used to infect users with the Ursnif keylogger or the Dharma ransomware.
Active_IOCs_of_DarkCrystal_Agent_Tesla_Malware
MEDIUM
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_DarkCrystal_Agent_Tesla_Malware
- Date of Scan:
- 2023-01-05
- Impact:
- MEDIUM
- Summary:
- Researchers from Rewterz have identified the active IOCs of Agent Tesla Malware. Agent Tesla is a very popular spyware Trojan built for the.NET framework. Agent Tesla grabs data from the victim’s clipboard, logs keystrokes, captures screenshots, and gains access to the victim’s webcam. It has the ability to terminate running analytic programs and anti-virus applications.
Active_IOCs_of_Cobalt_Strike_Malware
LOW
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Cobalt_Strike_Malware
- Date of Scan:
- 2023-01-04
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Cobalt Strike Malware. Cobalt Strike lets the attacker install a ‘Beacon’ agent on the target PC which provides the attacker with a plethora of capabilities, including command execution, file transfer, keylogging, mimikatz, port scanning, and privilege escalation.
Active_IOCs_of_LockBit_Ransomware
MEDIUM
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_LockBit_Ransomware
- Date of Scan:
- 2023-01-04
- Impact:
- MEDIUM
- Summary:
- Researchers from Rewterz have identified the active IOCs of LockBit Ransomware. LockBit attacks leave few traces for forensic analysis as the malware loads into the system memory, with logs and supporting files removed upon execution.
The_infection_of_WordPress_based_websites
LOW
+
—
- Intel Source:
- DrWeb
- Intel Name:
- The_infection_of_WordPress_based_websites
- Date of Scan:
- 2023-01-04
- Impact:
- LOW
- Summary:
- Researchers from Doctor Web found a malicious Linux program that is capable of hacking websites based on a WordPress CMS. It can exploits 30 vulnerabilities in a number of plugins and themes for this platform. It can inject with malicious JavaScripts these websites if they have outdated versions of such add-ons, lacking crucial fixes.
Active_IOCs_of_DarkyLock_Ransomware
MEDIUM
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_DarkyLock_Ransomware
- Date of Scan:
- 2023-01-04
- Impact:
- MEDIUM
- Summary:
- Researchers from Rewterz have identified the active IOCs of DarkyLock Ransomware. The ransomware attacks all commonly used file formats, including media, documents, databases, and archive files.
Active_IOCs_of_Qakbot_(Qbot)_Malware
MEDIUM
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Qakbot_(Qbot)_Malware
- Date of Scan:
- 2023-01-04
- Impact:
- MEDIUM
- Summary:
- Researchers from Rewterz have identified the active IOCs of Qakbot (Qbot) Malware. This banking Trojan, QakBot steals financial data from infected systems, and a loader using C2 servers for payload targeting and download.
The_Insurance_&_Financial_Institutes_In_Europe_are_targeted_by_Raspberry_Robin
LOW
+
—
- Intel Source:
- Security Joes
- Intel Name:
- The_Insurance_&_Financial_Institutes_In_Europe_are_targeted_by_Raspberry_Robin
- Date of Scan:
- 2023-01-04
- Impact:
- LOW
- Summary:
- Threat researchers from SecurIty Joes company observed and responded to hackers attacks twice this month that was using a framework called Raspberry Robin.
Active_IOCs_of_RedLine_Stealer_Ransomware
MEDIUM
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_RedLine_Stealer_Ransomware
- Date of Scan:
- 2023-01-04
- Impact:
- MEDIUM
- Summary:
- Researchers from Rewterz have identified the active IOCs of RedLine Stealer. This malware first appeared in March 2020. Redline expanded throughout several nations during the COVID-19 epidemic and is still active today.
The_European_Government_Organizations_targeted_by_RedDelta_threat_group
MEDIUM
+
—
- Intel Source:
- Recorded Future
- Intel Name:
- The_European_Government_Organizations_targeted_by_RedDelta_threat_group
- Date of Scan:
- 2022-12-30
- Impact:
- MEDIUM
- Summary:
- Reserachers from Recorded Future are tracking activity of this RedDelta team which they think is attributed to the likely Chinese state-sponsored threat activity group which is targeting organizations within Europe and Southeast Asia using a customized variant of the PlugX backdoor.
Hackers_Abusing_Google_AdWords
LOW
+
—
- Intel Source:
- Guardio
- Intel Name:
- Hackers_Abusing_Google_AdWords
- Date of Scan:
- 2022-12-30
- Impact:
- LOW
- Summary:
- Researchers from Gradio have identified a new technique to abuse Google’s ad-words powerful advertisement platform is spreading rogue promoted search results in mass.
Lazarus_Threat_Group_Using_Phishing_Domains_to_Target_NFT_Investors
MEDIUM
+
—
- Intel Source:
- SlowMist
- Intel Name:
- Lazarus_Threat_Group_Using_Phishing_Domains_to_Target_NFT_Investors
- Date of Scan:
- 2022-12-30
- Impact:
- MEDIUM
- Summary:
- Researchers from SlowMist have identified a massive phishing campaign targeting NFT investors. It observed that the attackers set up nearly 500 decoy sites with malicious Mints.
The_WildFire_malware_team_monitoring_malware_techniques
LOW
+
—
- Intel Source:
- PaloAlto
- Intel Name:
- The_WildFire_malware_team_monitoring_malware_techniques
- Date of Scan:
- 2022-12-30
- Impact:
- LOW
- Summary:
- Palo Alto researchers did deep analyses on malware authors and malware variations if they detect they were running in a sandbox. They shared and discussed a lot of sandboxing approaches out there with pros and cons to each and many of the evasion types.
BlueNoroff_bypassing_MoTW
LOW
+
—
- Intel Source:
- Securelist
- Intel Name:
- BlueNoroff_bypassing_MoTW
- Date of Scan:
- 2022-12-28
- Impact:
- LOW
- Summary:
- Researchers from securelist discovered new method the group adopted is aimed at evading the Mark-of-the-Web (MOTW) flag, the security measure whereby Windows displays a warning message when the user tries to open a file downloaded from the internet.
ArkeiStealer_masquerade_as_a_trading_application
LOW
+
—
- Intel Source:
- Zscaler
- Intel Name:
- ArkeiStealer_masquerade_as_a_trading_application
- Date of Scan:
- 2022-12-28
- Impact:
- LOW
- Summary:
- Researchers from ThreatLabz discovered that threat actors are now distributing ArkeiStealer through Windows Installer binaries which masquerade as a trading application. The trading application is backdoored with the SmokeLoader downloader which further downloads an information stealer.
Sandbox_Evasions_Navigating_the_Vast_Ocean
LOW
+
—
- Intel Source:
- Palo Alto Networks
- Intel Name:
- Sandbox_Evasions_Navigating_the_Vast_Ocean
- Date of Scan:
- 2022-12-28
- Impact:
- LOW
- Summary:
- Palo Alto Networks customers receive improved detection for the evasions through Advanced WildFire.
Vulnerability_in_YITH_WooCommerce_Gift_Cards
LOW
+
—
- Intel Source:
- Wordfence
- Intel Name:
- Vulnerability_in_YITH_WooCommerce_Gift_Cards
- Date of Scan:
- 2022-12-28
- Impact:
- LOW
- Summary:
- The Wordfence Threat Intelligence team has been tracking exploits targeting a Critical Severity Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards Premium, a plugin with over 50,000 installations according to the vendor.
PureLogs_Stealer_Through_Spam_Campaigns
MEDIUM
+
—
- Intel Source:
- Cyble
- Intel Name:
- PureLogs_Stealer_Through_Spam_Campaigns
- Date of Scan:
- 2022-12-28
- Impact:
- MEDIUM
- Summary:
- Cyble Research and Intelligence Labs (CRIL) came across a tweet about PureLogs information stealer by TG Soft. This tool is used by the Threat Actor (TA) “Alibaba2044” to launch a malicious spam campaign at targets based in Italy
Google_Ads_Traffic_Led_to_Multiple_Malware
MEDIUM
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Google_Ads_Traffic_Led_to_Multiple_Malware
- Date of Scan:
- 2022-12-27
- Impact:
- MEDIUM
- Summary:
- Researchers from SANS have identified google ad traffic that led to a fake TeamViewer page, and that page led to a different type of malware.
The_Details_of_IcedID_BackConnect_Protocol
LOW
+
—
- Intel Source:
- Team Cymru
- Intel Name:
- The_Details_of_IcedID_BackConnect_Protocol
- Date of Scan:
- 2022-12-27
- Impact:
- LOW
- Summary:
- Team-Cymru researchers have continued monitoring the IcedID / BokBot activity and identified some insights derived from infrastructure associated with IcedID’s BackConnect (BC) protocol.
The_Details_About_Shadow_IT
MEDIUM
+
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- The_Details_About_Shadow_IT
- Date of Scan:
- 2022-12-27
- Impact:
- MEDIUM
- Summary:
- IBM Security Intelligence researchers have highlighted three incidents where Shadow IT was leveraged during the attack to help organizations realize how Shadow IT can quickly transform from a threat to an incident.
Qakbot_Distributing_via_Virtual_Disk_Files
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Qakbot_Distributing_via_Virtual_Disk_Files
- Date of Scan:
- 2022-12-23
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified that Qakbot malware has been distributed in ISO and IMG file formats and discovered that it has recently changed its distribution to the use of VHD files.
IcedID_Botnet_Leveraging_Google_PPC_to_Distribute_Malware
LOW
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- IcedID_Botnet_Leveraging_Google_PPC_to_Distribute_Malware
- Date of Scan:
- 2022-12-23
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have analyzed the latest changes in IcedID botnet from a campaign that abuses Google pay-per-click (PPC) ads to distribute IcedID via malvertising attacks.
Ursnif_Banking_Trojan_Active_IOCs
LOW
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Ursnif_Banking_Trojan_Active_IOCs
- Date of Scan:
- 2022-12-23
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Ursnif Banking Trojan. It is also known as Gozi and Dreambot has been around for more than 10 years. It gained popularity in 2015 when its source code was published on Github and since then the moderators have always tweaked some changes to make use of their arsenal according to their gains. Mainly attacking banks and other financial institutions.
Diving_Deep_into_Ekipa_RAT
LOW
+
—
- Intel Source:
- Spider Labs
- Intel Name:
- Diving_Deep_into_Ekipa_RAT
- Date of Scan:
- 2022-12-23
- Impact:
- LOW
- Summary:
- SpiderLabs researchers have analyzed samples of an Ekipa Remote Access Trojan (RAT) in the wild and found interesting techniques for the use of malicious Office documents. The Ekipa RAT was added to a sophisticated threat actors’ cyber arsenal and used in the Russian – Ukraine war.
Hackers_Using_Phishing_Emails_to_Target_Tax_Forms
LOW
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Hackers_Using_Phishing_Emails_to_Target_Tax_Forms
- Date of Scan:
- 2022-12-23
- Impact:
- LOW
- Summary:
- Researchers from Fortinet have discovered the malicious emails and that it had been sent by the recently resurgent Emotet group. It is claiming to be from “IRS.gov,” this phishing e-mail originated from an organization’s compromised e-mail account in Pakistan. The subject and body claim that the recipient’s IRS K-1 forms are attached in a Zip archive encrypted with the password “0440”.
Nitol_DDoS_Malware_Installing_Amadey_Bot
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Nitol_DDoS_Malware_Installing_Amadey_Bot
- Date of Scan:
- 2022-12-23
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered that a threat actor has been using Nitol DDoS Bot to install Amadey. It is a downloader that has been in circulation since 2018, and besides extorting user credentials, it can also be used for the purpose of installing additional malware.
The_Examine_of_Albanian_Government_E_service_Attack
LOW
+
—
- Intel Source:
- Securelist
- Intel Name:
- The_Examine_of_Albanian_Government_E_service_Attack
- Date of Scan:
- 2022-12-23
- Impact:
- LOW
- Summary:
- Researchers from Securelist have compared the first and second waves of ransomware and wiper malware used to target Albanian entities and detail connections with previously known ROADSWEEP ransomware and ZEROCLEARE variants.
Vice_Society_Ransomware_Attackers_Adopt_Robust_Encryption_Methods
MEDIUM
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- Vice_Society_Ransomware_Attackers_Adopt_Robust_Encryption_Methods
- Date of Scan:
- 2022-12-23
- Impact:
- MEDIUM
- Summary:
- Researchers from SentinelLabs have identified Vice Society group is adopting a new custom-branded ransomware payload in recent intrusions and it is dubbed “PolyVice”, implements a robust encryption scheme, using NTRUEncrypt and ChaCha20-Poly1305 algorithms.
The_exploitation_of_OWASSRF_in_MS_Exchange_Server_for_RCE
LOW
+
—
- Intel Source:
- Rapid7
- Intel Name:
- The_exploitation_of_OWASSRF_in_MS_Exchange_Server_for_RCE
- Date of Scan:
- 2022-12-23
- Impact:
- LOW
- Summary:
- Rapid7 researchers have observed the exploitation of OWASSRF in Microsoft exchange servers for remote code execution.
New_Variant_of_Kiss_a_Dog_Cryptojacking_Campaign
LOW
+
—
- Intel Source:
- CADO Security
- Intel Name:
- New_Variant_of_Kiss_a_Dog_Cryptojacking_Campaign
- Date of Scan:
- 2022-12-23
- Impact:
- LOW
- Summary:
- Researchers from CADO security have uncovered a newer variant of Kiss-a-Dog campaign and observed leveraging at there Redis honeypot suggesting a broadening of scope from Docker and Kubernetes.
New_Zerobot_1_1_adds_new_exploits
HIGH
+
—
- Intel Source:
- Microsoft
- Intel Name:
- New_Zerobot_1_1_adds_new_exploits
- Date of Scan:
- 2022-12-22
- Impact:
- HIGH
- Summary:
- The new version of the malware, Zerobot 1.1, adds new exploits and distributed denial-of-service attack capabilities, expanding the malware’s reach to different types of Internet of Things (IoT) devices, according to a report released by Microsoft on Wednesday. Zerobot was first discovered by researchers in November. The malware spreads primarily through unpatched and improperly secured IoT devices, such as firewalls, routers, and cameras, according to Microsoft. Hackers constantly modify the botnet to scale and target as many of the devices as possible.
Shuckworm_APT_Group_aka_Armageddon_Active_IOCs
MEDIUM
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Shuckworm_APT_Group_aka_Armageddon_Active_IOCs
- Date of Scan:
- 2022-12-22
- Impact:
- MEDIUM
- Summary:
- Researchers from Rewterz have identified the active IOCs of Shuckworm APT Group. It is a Russia-backed advanced persistent threat (APT) that has been operating since at least 2013. The main goal of this APT is to use the malicious document to gain control of the target machine.
Windows_AMSI_Bypass_Techniques
MEDIUM
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- Windows_AMSI_Bypass_Techniques
- Date of Scan:
- 2022-12-22
- Impact:
- MEDIUM
- Summary:
- TrendMicro researchers have analyzed the implementations that cybercriminals use to bypass the Windows Antimalware Scan Interface (AMSI).
North_Korean_APT_Kimsuky_Aka_Black_Banshee_Active_IOCs
LOW
+
—
- Intel Source:
- Rewterz
- Intel Name:
- North_Korean_APT_Kimsuky_Aka_Black_Banshee_Active_IOCs
- Date of Scan:
- 2022-12-22
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of North Korean APT Kimsuky Aka Black Banshee. It is a North Korean nation-state actor that has been active since 2012. It primarily targets South Korean government agencies and conducts espionage activities against targets in the United States and Japan.
New_Supply_Chain_Attack_Using_Python_Package_Index
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- New_Supply_Chain_Attack_Using_Python_Package_Index
- Date of Scan:
- 2022-12-22
- Impact:
- MEDIUM
- Summary:
- Researchers from Fortinet have discovered a 0-day attack embedded in a PyPI package (Python Package Index) and it is called “aioconsol.”
Meddler_in_the_Middle_Phishing_Attacks
LOW
+
—
- Intel Source:
- PaloAlto
- Intel Name:
- Meddler_in_the_Middle_Phishing_Attacks
- Date of Scan:
- 2022-12-22
- Impact:
- LOW
- Summary:
- Palo Alto Unit 42 researches expained the phishing techniques for Meddler in the Middle (MitM) phishing attacks. Meddler in the Middle (MitM) phishing attacks show how threat actors find ways to get around traditional defenses and advice. MitM phishing attacks are a state-of-the-art type of phishing attack capable of breaking two-factor authentication (2FA) while avoiding many content-based phishing detection engines. Rather than showing a spoofed version of a target login page, a MitM attack uses a reverse-proxy server to relay the original login page directly to the user’s browser.
Hackers_Using_Microsoft_Excel_Malicious_Addins
LOW
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Hackers_Using_Microsoft_Excel_Malicious_Addins
- Date of Scan:
- 2022-12-22
- Impact:
- LOW
- Summary:
- Researchers from Cisco Talos have investigated another vector for the introduction of malicious code to Microsoft Excel malicious add-ins, specifically XLL files.
AsyncRAT_Active_IOCs
LOW
+
—
- Intel Source:
- Rewterz
- Intel Name:
- AsyncRAT_Active_IOCs
- Date of Scan:
- 2022-12-22
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of AsyncRAT. It is an open-source tool designed for remote monitoring via encrypted connections. However, it could be utilized by threat actors as it provides keylogging, remote access, and other functionality that could damage a victim’s computer or system.
Wanna_Cryptor_aka_WannaCry_Ransomware_Active_IOCs
HIGH
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Wanna_Cryptor_aka_WannaCry_Ransomware_Active_IOCs
- Date of Scan:
- 2022-12-22
- Impact:
- HIGH
- Summary:
- The Rewterz analysts team did analysis summary on Wanna Cryptor aka WannaCry Ransomware and have identified the active IOCs of it. WannaCry is also called WCry or WanaCrptor ransomware malware was discovered in May 2017, it infected networks running Microsoft Windows as part of a massive cyberattack. This ransomware can encrypt all your data files and demands payment to restore the stolen information, usually in bitcoin with a ransom amount. WannaCry is one of the most dangerous malware ever used for cyberattacks.
Spotted_multiple_ransomware_strains
MEDIUM
+
—
- Intel Source:
- Cyble
- Intel Name:
- Spotted_multiple_ransomware_strains
- Date of Scan:
- 2022-12-22
- Impact:
- MEDIUM
- Summary:
- Cyble Research and Intelligence Labs (CRIL) have spotted multiple ransomware strains created based on the source of other ransomware families. Recently, CRIL observed new ransomware families, such as Putin Team, ScareCrow, BlueSky Meow, etc., created from the leaked source code of Conti Ransomware.
FakejQuery_Domain_Redirects_Site_Visitors_to_Scam_Pages
LOW
+
—
- Intel Source:
- Sucuri
- Intel Name:
- FakejQuery_Domain_Redirects_Site_Visitors_to_Scam_Pages
- Date of Scan:
- 2022-12-22
- Impact:
- LOW
- Summary:
- Sucuri researchers have identified an infection that makes its round across vulnerable WordPress sites, detected on over 160 websites. The infection is injected at the top of legitimate JavaScript files and executes a script from the malicious domain.
Hive_Ransomware_Active_IOCs
LOW
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Hive_Ransomware_Active_IOCs
- Date of Scan:
- 2022-12-22
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Hive Ransomware. It is one of the quickest evolving ransomware families which was first observed in June 2021 and likely operates as affiliate-based ransomware, employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation.
Diving_Deep_into_Nokoyawa_Ransomware
LOW
+
—
- Intel Source:
- Zscaler
- Intel Name:
- Diving_Deep_into_Nokoyawa_Ransomware
- Date of Scan:
- 2022-12-22
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have analyzed the Nokoyawa ransomware 2.0 including its new configuration, encryption algorithms, and data leak site.
APT_SideWinder_Group_Active_IOCs
MEDIUM
+
—
- Intel Source:
- Rewterz
- Intel Name:
- APT_SideWinder_Group_Active_IOCs
- Date of Scan:
- 2022-12-22
- Impact:
- MEDIUM
- Summary:
- The Rewterz analysts team have identified the active IOCs of APT SideWinder Group which is a suspected Indian threat actor group that has been active since 2012. It has been detected targeting Pakistani government officials with a decoy file related to COVID-19 in its most recent effort.
The_Examine_of_Royal_Ransomware_and_Tools_Using_by_Threat_Actors
LOW
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_Examine_of_Royal_Ransomware_and_Tools_Using_by_Threat_Actors
- Date of Scan:
- 2022-12-22
- Impact:
- LOW
- Summary:
- Researchers from Trendmicro have detected multiple attacks from the Royal ransomware group and they have investigated the tools that Royal ransomware actors used to carry out their attacks.
Qakbot_aka_Qbot_Malware_Active_IOCs
MEDIUM
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Qakbot_aka_Qbot_Malware_Active_IOCs
- Date of Scan:
- 2022-12-22
- Impact:
- MEDIUM
- Summary:
- The Rewterz analysts team have observed last couple months that attackers are employing a number of strategies to avoid detection, using Excel (XLM) 4.0 and ZIP file extensions. hreat actors are disguising attachments intended to spread malware using a variety of different common file names with typical keywords for finance and business operations
Russian_Hackers_Targeting_Petroleum_Refinery_in_NATO
MEDIUM
+
—
- Intel Source:
- PaloAlto
- Intel Name:
- Russian_Hackers_Targeting_Petroleum_Refinery_in_NATO
- Date of Scan:
- 2022-12-21
- Impact:
- MEDIUM
- Summary:
- PaloAlto researchers have discovered the Russia-linked Gamaredon group attempting to unsuccessfully break into a large petroleum refining company within a NATO member state earlier this year amid the ongoing Russo-Ukrainian war. Also, seen more than 500 new domains and 200 malware samples attributed to Gamaredon APT since the beginning of the invasion.
Posing_of_SentinelOne_SDK_as_Malicious_PyPI_package
LOW
+
—
- Intel Source:
- Reversing Labs
- Intel Name:
- Posing_of_SentinelOne_SDK_as_Malicious_PyPI_package
- Date of Scan:
- 2022-12-20
- Impact:
- LOW
- Summary:
- Researchers from Reversing Labs have identified a new malicious package, named ‘SentinelOne,’ on the Python Package Index (PyPI) repository that impersonates a legitimate software development kit (SDK) for SentinelOne.
GuLoader_Dissection_Malware_Analysis
LOW
+
—
- Intel Source:
- CrowdStrike
- Intel Name:
- GuLoader_Dissection_Malware_Analysis
- Date of Scan:
- 2022-12-20
- Impact:
- LOW
- Summary:
- CrowdStrike researchers expose complete GuLoader behavior by mapping all embedded DJB2 hash values for every API used by the malware
LockBit_3_0_Ransomware_active_IOCs
HIGH
+
—
- Intel Source:
- Rewterz
- Intel Name:
- LockBit_3_0_Ransomware_active_IOCs
- Date of Scan:
- 2022-12-20
- Impact:
- HIGH
- Summary:
- The Rewterz analysts team did analyses summary on LockBit 3.0 ransomware that has recently been distributed without restriction to version or identical filename. Users must examine the file extensions of document files, update apps and V3 to the newest version, and be very cautious when opening files from unidentified sources.
BumbleBee_Malware_active_IOCs
MEDIUM
+
—
- Intel Source:
- Rewterz
- Intel Name:
- BumbleBee_Malware_active_IOCs
- Date of Scan:
- 2022-12-20
- Impact:
- MEDIUM
- Summary:
- The rewterz analysts team did analyses summery on BumbleBee Malware. This malware loader is used to download Cobalt Strike and other malware such as ransomware. It can replaces the BazarLoader backdoor, which is previously used to transmit ransomware payloads. This new malware is linked to a number of threat actors, including several well-known ransomware.
SystemBC_Malware_active_IOCs
MEDIUM
+
—
- Intel Source:
- Rewterz
- Intel Name:
- SystemBC_Malware_active_IOCs
- Date of Scan:
- 2022-12-20
- Impact:
- MEDIUM
- Summary:
- The Rewterz analysts team did analyses summary on SystemBC malware is recently being distributed through Emotet and SmokeLoader. The malware has been used in multiple ransomware attacks over the past few years. SystemBC acts as a Proxy Bot and if an infected system has SystemBC on it, then the system can be used as a passage to access the victim’s address.
Snake_Keylogger_s_Malware_active_IOCs
MEDIUM
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Snake_Keylogger_s_Malware_active_IOCs
- Date of Scan:
- 2022-12-20
- Impact:
- MEDIUM
- Summary:
- The Rewterz analysts team did analysis summary on Snake Keylogger’s Malware. Snake malware’s main feature is keylogging, but it also has additional capabilities such as taking screenshots and extracting data from the clipboard. Snake can also extract and exfiltrate data from browsers and email clients.
RisePro_Stealer_Malware_Presence_on_Russian_Market
LOW
+
—
- Intel Source:
- FlashPoint
- Intel Name:
- RisePro_Stealer_Malware_Presence_on_Russian_Market
- Date of Scan:
- 2022-12-20
- Impact:
- LOW
- Summary:
- Researchers from Flashpoint have observed RisePro stealer malware logs on Russian market and the appearance of the stealer as a payload for a pay-per-install service, may indicate its growing popularity and viability within the threat actor community.
STOP_DJVU_Ransomware_active_IOCs
HIGH
+
—
- Intel Source:
- Rewterz
- Intel Name:
- STOP_DJVU_Ransomware_active_IOCs
- Date of Scan:
- 2022-12-20
- Impact:
- HIGH
- Summary:
- The Rewterz analysts team did analysis summary on STOP (DJVU) Ransomware. The STOP/DJVU ransomware is a Trojan that encrypts files. It infiltrates your computer invisibly and encrypts all of your data, making them unavailable to you. It leaves a ransom letter warning which demands money in exchange for decrypting your data and making them available to you again. Malware is delivered via cracked applications, fake set-up apps keygens, activators, and Windows updates.
Telecom_and_Governments_are_targeted_by_Raspberry_Robin_Malware
MEDIUM
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- Telecom_and_Governments_are_targeted_by_Raspberry_Robin_Malware
- Date of Scan:
- 2022-12-20
- Impact:
- MEDIUM
- Summary:
- TrendMicro reserachers discovered some new samples of the Raspberry Robin malware spreading in telecommunications and government office systems. The main payload itself is packed with more than 10 layers for obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools.
GandCrab_Ransomware_active_IOCs
HIGH
+
—
- Intel Source:
- Rewterz
- Intel Name:
- GandCrab_Ransomware_active_IOCs
- Date of Scan:
- 2022-12-20
- Impact:
- HIGH
- Summary:
- The Rewterz analysts team did analyses summary on GandCrab which is a ransomware-as-a-service variant – was discovered in early 2018. As of today it had five versions of GandCrab have been created since its discovery. GandCrab ransomware encrypts victim’s files and demands ransom money in exchange for decryption keys. GandCrab targets organisations and individuals that use Microsoft Windows-powered PCs. This ransomware has attacked a huge number of systems in India, Chile, Peru, the United States, and the Philippines.
Infostealer_Malware_with_Double_Extension
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Infostealer_Malware_with_Double_Extension
- Date of Scan:
- 2022-12-19
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed the file attachment which is pretending to be from HSBC global payment and cash management and named payment_copy.pdf.z is a RAR archive. It comes out as a double extension with pdf.exe. The file is a trojan infostealer and is detected by multiple scanning engines.
Hackers_Leveraging_DELTA_System_Users_Using_FateGrab_or_StealDeal_Malware
LOW
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- Hackers_Leveraging_DELTA_System_Users_Using_FateGrab_or_StealDeal_Malware
- Date of Scan:
- 2022-12-19
- Impact:
- LOW
- Summary:
- CERT-UA researchers have identified the distribution of e-mail, using a compromised e-mail address of one of the employees of the Ministry of Defense. The attachments in the form of PDF documents imitate legitimate digests of the ISTAR unit of the Zaporizhzhia Police Department but contain a link to a malicious ZIP archive.
Malicious_Glupteba_Activity
MEDIUM
+
—
- Intel Source:
- Nozomi Networks
- Intel Name:
- Malicious_Glupteba_Activity
- Date of Scan:
- 2022-12-19
- Impact:
- MEDIUM
- Summary:
- Nozomi Networks Lab shared their latest dicoveries on the Glupteba trojan which is an example of a threat actor leveraging blockchain-based technologies to carry out their malicious activity.
Russian_Threat_Groups_Launching_Multiple_Campaigns
LOW
+
—
- Intel Source:
- Cyfirma
- Intel Name:
- Russian_Threat_Groups_Launching_Multiple_Campaigns
- Date of Scan:
- 2022-12-16
- Impact:
- LOW
- Summary:
- Cyfirma researchers have observed three campaigns named Evian, UNC064, and Siberian bear that are potentially operated by Russian-speaking threat groups on behalf of their Russian Masters.
New_Malicious_Python_Package_Shaderz_Distributing_via_Supply_Chain_Attack
LOW
+
—
- Intel Source:
- Fortinet
- Intel Name:
- New_Malicious_Python_Package_Shaderz_Distributing_via_Supply_Chain_Attack
- Date of Scan:
- 2022-12-16
- Impact:
- LOW
- Summary:
- Researchers from Fortinet have analyzed Shaderz zero-day and closely monitored its downloaded executables.
Ukrainian_Government_Networks_Breached_via_Trojanized_Windows_10_Installers
LOW
+
—
- Intel Source:
- Mandiant
- Intel Name:
- Ukrainian_Government_Networks_Breached_via_Trojanized_Windows_10_Installers
- Date of Scan:
- 2022-12-16
- Impact:
- LOW
- Summary:
- Researchers from Mandiant have observed that Ukrainian government entities are hacked in targeted attacks after their networks are first compromised via trojanized ISO files posing as legitimate Windows 10 installers.
DarkTortilla_Malware_Spreading_Via_Phishing_Sites
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- DarkTortilla_Malware_Spreading_Via_Phishing_Sites
- Date of Scan:
- 2022-12-16
- Impact:
- LOW
- Summary:
- Cyble researchers have identified a malicious campaign where they observed hackers dropping DarkTortilla malware. It is a complex .NET-based malware that has been active since 2015 and the malware is known to drop multiple stealers and Remote Access Trojans (RATs) such as AgentTesla, AsyncRAT, NanoCore, etc.
Agenda_Ransomware_Using_Rust_language
LOW
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- Agenda_Ransomware_Using_Rust_language
- Date of Scan:
- 2022-12-16
- Impact:
- LOW
- Summary:
- Researchers from Trendmicro have analyzed a sample of the Agenda ransomware written in Rust language and detected it as Ransom.Win32.AGENDA.THIAFBB. It is recently targeting critical sectors such as the healthcare and education industries.
MCCrash_Botnet_Targeting_Private_Minecraft_Servers
MEDIUM
+
—
- Intel Source:
- Microsoft
- Intel Name:
- MCCrash_Botnet_Targeting_Private_Minecraft_Servers
- Date of Scan:
- 2022-12-16
- Impact:
- MEDIUM
- Summary:
- Microsoft researchers have identified a cross-platform botnet named MCCrash that's primarily designed to launch distributed denial-of-service (DDoS) attacks against private Minecraft servers. It is characterized by a unique spreading mechanism that allows it to propagate to Linux-based devices despite originating from malicious software downloads on Windows hosts.
CSC_Bank_Mitra_fraudulent_operation
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- CSC_Bank_Mitra_fraudulent_operation
- Date of Scan:
- 2022-12-16
- Impact:
- LOW
- Summary:
- Cyble Research & Intelligence Labs studied a fraud scheme operation done by impostors posing as Village Level Entrepreneurs (VLEs) to dupe and scam Indian rural subscribers registering for Customer Service Point (Bank Mitra), an initiative under the Common Services Center (CSC) Scheme of the Ministry of Electronics and Information Technology (MEITY), India.
Spearphishing_Campaign_Targeting_Japanese_Political_Entities
LOW
+
—
- Intel Source:
- ESET Research
- Intel Name:
- Spearphishing_Campaign_Targeting_Japanese_Political_Entities
- Date of Scan:
- 2022-12-15
- Impact:
- LOW
- Summary:
- Researchers from ESET have discovered a spearphishing campaign targeting Japanese political entities a few weeks before the House of Councillors elections, and in the process uncovered a previously undescribed MirrorFace credential stealer.
Magniber_Ransomware_distribution_again
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Magniber_Ransomware_distribution_again
- Date of Scan:
- 2022-12-15
- Impact:
- LOW
- Summary:
- The ASEC analysis team has discovered that Magniber Ransomware is being distributed again with COVID-19 related filenames, while the threat actor has changed the infection vector and is using social engineering techniques.
Iran_linked_cyberspies_expand_targeting_to_medical_researchers_and_travel_agencies
LOW
+
—
- Intel Source:
- Proofpoint
- Intel Name:
- Iran_linked_cyberspies_expand_targeting_to_medical_researchers_and_travel_agencies
- Date of Scan:
- 2022-12-15
- Impact:
- LOW
- Summary:
- Researchers from Proofpoint have analyzed the threat group TA453 and observed outlier campaigns are likely to continue and reflect IRGC intelligence collection requirements, including possible support for hostile, and even kinetic, operations.
STOP_Ransomware_Distributing_in_Korea
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- STOP_Ransomware_Distributing_in_Korea
- Date of Scan:
- 2022-12-15
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered that the STOP ransomware is distributed in Korea and the files that are currently distributed are in the form of MalPe just like SmokeLoader and Vidar, and the filenames include a random 4-byte string.
Hackers_Blast_Open_Source_Repositories_with_Over_144000_Malicious_Packages
LOW
+
—
- Intel Source:
- Checkmarx Security
- Intel Name:
- Hackers_Blast_Open_Source_Repositories_with_Over_144000_Malicious_Packages
- Date of Scan:
- 2022-12-15
- Impact:
- LOW
- Summary:
- Checkmarx researchers have identified that unknown threat actors have uploaded a massive 144,294 phishing-related packages on open-source package repositories, inluding NPM, PyPi, and NuGet.
Hackers_Leveraging_Google_Ads_to_Distribute_IcedID
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Hackers_Leveraging_Google_Ads_to_Distribute_IcedID
- Date of Scan:
- 2022-12-15
- Impact:
- LOW
- Summary:
- Researchers from SANS have identified that campaigns pushing IcedID malware (also known as Bokbot) via google ads.
GoTrim_Botnet_Brute_Forces_WordPress_Site_Admin_Accounts
LOW
+
—
- Intel Source:
- Fortinet
- Intel Name:
- GoTrim_Botnet_Brute_Forces_WordPress_Site_Admin_Accounts
- Date of Scan:
- 2022-12-14
- Impact:
- LOW
- Summary:
- Researchers from Fortinet have observed a new Go-based botnet malware named 'GoTrim' is scanning the web for self-hosted WordPress websites and attempting to brute force the administrator's password and take control of the site.
Hackers_Leveraging_LiveHelp100_For_Supply_Chain_Attacks
LOW
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- Hackers_Leveraging_LiveHelp100_For_Supply_Chain_Attacks
- Date of Scan:
- 2022-12-14
- Impact:
- LOW
- Summary:
- Researchers from Trendmicro have analyzed the infection chain and the pieces of malware used by malicious actors in supply-chain attacks that leveraged trojanized installers of chat-based customer engagement platforms.
Malware_Strains_Targeting_Python_and_JavaScript_Developers
LOW
+
—
- Intel Source:
- Phylum
- Intel Name:
- Malware_Strains_Targeting_Python_and_JavaScript_Developers
- Date of Scan:
- 2022-12-14
- Impact:
- LOW
- Summary:
- Phylum researchers have identified an active malware campaign targeting the Python Package Index (PyPI) and npm repositories for Python and JavaScript with typosquatting and fake modules that deploy a ransomware strain, marking the latest security issue to affect software supply chains.
Targeted_Attacks_Leverage_Signed_Malicious_Microsoft_Drivers
LOW
+
—
- Intel Source:
- Mandient, Sentilone
- Intel Name:
- Targeted_Attacks_Leverage_Signed_Malicious_Microsoft_Drivers
- Date of Scan:
- 2022-12-14
- Impact:
- LOW
- Summary:
- SentinelOne discovered active threat actors abusing legitimately signed Microsoft drivers in active intrusions into telecommunication, BPO, MSSP, and financial services businesses. Investigations into these intrusions led to the discovery of POORTRY and STONESTOP malware, part of a small toolkit designed to terminate AV and EDR processes.
Thre_increased_Activity_of_Mallox_Ransomware
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Thre_increased_Activity_of_Mallox_Ransomware
- Date of Scan:
- 2022-12-14
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs (CRIL) recently observed a spike in Mallox ransomware samples. The researchers named it TargetCompany ransomware because it adds the targeted company name as a file extension to the encrypted files. In September 2022, researchers identified a TargetCompany ransomware variant targeting Microsoft SQL servers and adding the “Fargo” extension to the encrypted files. TargetCompany ransomware is also known to add a “Mallox” extension after encrypting the files.
MS_Signed_Malicious_Drivers_Used_in_Ransomware_Attacks
MEDIUM
+
—
- Intel Source:
- SentinelOne, Mandiant and Sophos
- Intel Name:
- MS_Signed_Malicious_Drivers_Used_in_Ransomware_Attacks
- Date of Scan:
- 2022-12-14
- Impact:
- MEDIUM
- Summary:
- Microsoft revoked several hardware developer accounts after drivers signed through their profiles were used in cyberattacks, including ransomware incidents. Multiple researchers explain that threat actors are utilizing malicious kernel-mode hardware drivers whose trust is verified with Authenticode signatures from Microsoft's Windows Hardware Developer Program.
The_new_Go_language_botnet_RedGoBot
LOW
+
—
- Intel Source:
- Weixin
- Intel Name:
- The_new_Go_language_botnet_RedGoBot
- Date of Scan:
- 2022-12-14
- Impact:
- LOW
- Summary:
- Last month QiAnXin Threat Intelligence Center had an incident where a malicious sample from an unknown family exploited the Vacron NVR RCE vulnerability to spread. They did the detailed analysis, this series of samples does not belong to known malicious families. The malicious sample will print the string "GoBot" when it runs, and refer to the author's output "@redbot on top" on his property website, we named it RedGoBot.
Expendtion_of_Venom_RAT_operations
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Expendtion_of_Venom_RAT_operations
- Date of Scan:
- 2022-12-14
- Impact:
- LOW
- Summary:
- CRIL has uncovered a new version of the Venom RAT (Remote Access Trojan), which can steal sensitive data from a victim’s computer. Venom RAT is an effective malware that works stealthily, giving attackers unauthorized access to the victim’s machine. Threat Actors can then use the victim’s computer to perform various malicious activities such as installing and removing additional malware, manipulating files, reading data from the keyboard, harvesting login credentials, monitoring the clipboard.
COALT_MIRAGE_Hackers_Leveraging_Drokbk_Malware
LOW
+
—
- Intel Source:
- Secureworks
- Intel Name:
- COALT_MIRAGE_Hackers_Leveraging_Drokbk_Malware
- Date of Scan:
- 2022-12-14
- Impact:
- LOW
- Summary:
- Researchers from Secureworks have investigated the Drokbk malware, which is operated by a subgroup of the Iranian government-sponsored COBALT MIRAGE threat group. This subgroup is known as Cluster B. Drokbk is written in .NET and is made up of a dropper and a payload.
Cloud_Atlas_Targeting_Entities_in_Russia_and_Belarus
LOW
+
—
- Intel Source:
- Checkpoint
- Intel Name:
- Cloud_Atlas_Targeting_Entities_in_Russia_and_Belarus
- Date of Scan:
- 2022-12-14
- Impact:
- LOW
- Summary:
- Checkpoint researchers have identified Cloud Atlas continuously and persistently targeting entities of interest. With the escalation of the conflict between Russia and Ukraine, their focus for the past year has been on Russia and Belarus and their diplomatic, government, energy, and technology sectors, and on the annexed regions of Ukraine.
Analysis_of_Royal_Ransomware
MEDIUM
+
—
- Intel Source:
- Cyber
- Intel Name:
- Analysis_of_Royal_Ransomware
- Date of Scan:
- 2022-12-14
- Impact:
- MEDIUM
- Summary:
- The Royal ransomware group emerged in early 2022 and has gained momentum since the middle of the year. Its ransomware, which the group deploys through different TTPs, has impacted multiple organizations across the globe. The group itself is suspected of consisting of former members of other ransomware groups, based on similarities researchers have observed between Royal ransomware and other ransomware operators.
Vulnerabilities_Found_in_Adning_and_Kaswara_Plugin
MEDIUM
+
—
- Intel Source:
- Wordfence
- Intel Name:
- Vulnerabilities_Found_in_Adning_and_Kaswara_Plugin
- Date of Scan:
- 2022-12-14
- Impact:
- MEDIUM
- Summary:
- Researchers from Wordfence have observed that spikes in attacks serve as a reminder to update plugins.
Continuation_of_Iranian_Exploitation_Activities
MEDIUM
+
—
- Intel Source:
- Cymru
- Intel Name:
- Continuation_of_Iranian_Exploitation_Activities
- Date of Scan:
- 2022-12-13
- Impact:
- MEDIUM
- Summary:
- Cymru shared an update on ongoing tracking of PHOSPHORUS threat actor group associated with Iran. PHOSPHORUS is an Iranian threat group known to target organizations in energy, government, and technology sectors based in Europe, the Middle East, the United States, and other countries/regions.
Microsoft_Account_Stealing_Phishing_Page
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Microsoft_Account_Stealing_Phishing_Page
- Date of Scan:
- 2022-12-13
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified a large portion of phishing emails with the purpose of stealing login credentials to target Microsoft accounts.
Analysis_of_the_infamous_Azov_Ransomware
LOW
+
—
- Intel Source:
- Checkpoint
- Intel Name:
- Analysis_of_the_infamous_Azov_Ransomware
- Date of Scan:
- 2022-12-13
- Impact:
- LOW
- Summary:
- Chepoint have shared report goes with more details regarding the internal workings of Azov ransomware and its technical features.
Formbook_malware_deployed_using_OneNote_Documents
LOW
+
—
- Intel Source:
- Trustwave
- Intel Name:
- Formbook_malware_deployed_using_OneNote_Documents
- Date of Scan:
- 2022-12-13
- Impact:
- LOW
- Summary:
- Trustwave uncovered threat actors using a OneNote document to move Formbook malware, an information stealing trojan sold on an underground hacking forum since mid-2016 as malware-as-a-service.
New_Python_Backdoor_Targeting_VMware_ESXi_Servers
LOW
+
—
- Intel Source:
- Juniper Network
- Intel Name:
- New_Python_Backdoor_Targeting_VMware_ESXi_Servers
- Date of Scan:
- 2022-12-13
- Impact:
- LOW
- Summary:
- Juniper Network researchers have identified a previously undocumented Python backdoor targeting VMware ESXi servers has been spotted, enabling hackers to execute commands remotely on a compromised system.
The_Cloud_Atlas_group_activity
LOW
+
—
- Intel Source:
- Ptsecurity
- Intel Name:
- The_Cloud_Atlas_group_activity
- Date of Scan:
- 2022-12-13
- Impact:
- LOW
- Summary:
- Ptsecurity discussed the main techniques of the Cloud Atlas group, and took an in-depth look at the tools they use and posted the detailed analysis and description of the functionality of these tools.
FortiOS_SSL_VPN_bug
MEDIUM
+
—
- Intel Source:
- Fortiguard
- Intel Name:
- FortiOS_SSL_VPN_bug
- Date of Scan:
- 2022-12-13
- Impact:
- MEDIUM
- Summary:
- Fortinet urges customers to update their installs to address an actively exploited FortiOS SSL-VPN vulnerability, tracked as CVE-2022-42475, that could be exploited by an unauthenticated, remote attacker to execute arbitrary code on devices.
MuddyWater_APT_group_is_back_with_updated_TTPs
LOW
+
—
- Intel Source:
- Deep Instinct
- Intel Name:
- MuddyWater_APT_group_is_back_with_updated_TTPs
- Date of Scan:
- 2022-12-12
- Impact:
- LOW
- Summary:
- Researchers from Deep Instinct have identified a new campaign conducted by the MuddyWater APT (aka SeedWorm, TEMP.Zagros, and Static Kitten) that was targeting Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and United Arab Emirates.
Linux_Cryptocurrency_Mining_Attacks_Increasing_via_CHAOS_RAT
LOW
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- Linux_Cryptocurrency_Mining_Attacks_Increasing_via_CHAOS_RAT
- Date of Scan:
- 2022-12-12
- Impact:
- LOW
- Summary:
- Researchers from Trendmicro have observed a cryptocurrency mining attack that incorporated an advanced remote access trojan (RAT) named the CHAOS Remote Administrative Tool.
World_Cup_Keywords_targeted_by_Chinese_Gambling_Spam
LOW
+
—
- Intel Source:
- Sucuri
- Intel Name:
- World_Cup_Keywords_targeted_by_Chinese_Gambling_Spam
- Date of Scan:
- 2022-12-12
- Impact:
- LOW
- Summary:
- Many of the compromised websites have been recently updated to include modified titles for keywords related to the Qatar 2022 FIFA World Cup. Recently the researchers team has observed a pivot for the campaign to leverage search traffic for the popular World Cup soccer championship.
A_new_batch_of_Web_Skimming_attacks
LOW
+
—
- Intel Source:
- Jscrambler
- Intel Name:
- A_new_batch_of_Web_Skimming_attacks
- Date of Scan:
- 2022-12-12
- Impact:
- LOW
- Summary:
- Jscrambler analysts observed a new modus operandi evident in three threat groups. The analysts shared their analyses about their findings in detail about it.
The_Redline_Stealer_distribution_via_fake_software_AnyDesk
MEDIUM
+
—
- Intel Source:
- Esentire
- Intel Name:
- The_Redline_Stealer_distribution_via_fake_software_AnyDesk
- Date of Scan:
- 2022-12-10
- Impact:
- MEDIUM
- Summary:
- ESentire SOC Cyber Analysts did deeper malware analysis into the technical details of how the Redline Stealer malware operates and concluded that Redline Stealer is mostly being distributed via fake software. Attacker(s) also use YouTube and/or other third-party advertising platforms to spread the stealer. Attacker(s) use an AutoIt wrapper and various crypting services to obfuscate the stealer binary. Redline comes with loader tasks that allow an attacker to perform various actions on the infected host including file download, process injection and command execution.
The_various_scams_exploiting_the_popularity_of_the_FIFA_World_Cup
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- The_various_scams_exploiting_the_popularity_of_the_FIFA_World_Cup
- Date of Scan:
- 2022-12-10
- Impact:
- LOW
- Summary:
- While monitoring phishing activity, Cyble Research & Intelligence Labs identified a few crypto phishing schemes involving the use of the FIFA World Cup theme to lure the victims. The phishing site “football-blnance[.]com” was pretending to be the Binance cryptocurrency website attempting to trick users into giving sensitive information by offering free Non-Fungible Tokens (NFTs).
Cloud_compute_credentials_attack_examples
LOW
+
—
- Intel Source:
- PaloAlto
- Intel Name:
- Cloud_compute_credentials_attack_examples
- Date of Scan:
- 2022-12-09
- Impact:
- LOW
- Summary:
- Unit 42 PaloAlto shared in their blog two examples of cloud compute credentials attacks in the wild. They de3scribed in it the post-breach actions executed during the attack, and share the flow of these two attacks against the cloud infrastructure. The attack flows show how threat actors abuse stolen compute credentials to pursue a variety of attack vectors and abuse cloud services in unexpected ways. This emphasizes how important it is to follow Amazon Web Services and Google Cloud logging and monitoring best practices.
Internet_Explorer_0day_exploited_by_North_Korean_actor_APT37
LOW
+
—
- Intel Source:
- Intel Name:
- Internet_Explorer_0day_exploited_by_North_Korean_actor_APT37
- Date of Scan:
- 2022-12-09
- Impact:
- LOW
- Summary:
- Google’s Threat Analysis Group (TAG) routinely hunts for 0-day vulnerabilities exploited in-the-wild. This blog will describe a 0-day vulnerability, discovered by TAG in late October 2022, embedded in malicious documents and used to target users in South Korea.
The_identified_TAG53_infrastructure_features_common_traits
LOW
+
—
- Intel Source:
- Recorded Future
- Intel Name:
- The_identified_TAG53_infrastructure_features_common_traits
- Date of Scan:
- 2022-12-09
- Impact:
- LOW
- Summary:
- Recorded Future's Insikt Group has identified new infrastructure used by TAG-53, a group likely linked to suspected Russian threat activity groups Callisto Group, COLDRIVER, and SEABORGIUM.
kamikaze_drones_and_DolphinCape_malware
MEDIUM
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- kamikaze_drones_and_DolphinCape_malware
- Date of Scan:
- 2022-12-09
- Impact:
- MEDIUM
- Summary:
- Government Computer Emergency Response Team of Ukraine CERT-UA received information from specialists of the cyber security division of JSC "Ukrzaliznytsia" regarding the sending of e-mails with the topic "How to recognize a kamikaze drone." from the address "[email protected][.]ua", apparently, on behalf of the State Emergency Service of Ukraine.
New_Infection_Technique_of_GootLoader_malware
MEDIUM
+
—
- Intel Source:
- Esentire
- Intel Name:
- New_Infection_Technique_of_GootLoader_malware
- Date of Scan:
- 2022-12-09
- Impact:
- MEDIUM
- Summary:
- On December 2, 2022, one of ESentire SOC Cyber Analysts raised their incident involving the GootLoader malware at a pharmaceutical company. eSentire’s Threat Response Unit proceeded with an in-depth threat investigation of GootLoader.
Breaking_the_silence_Truebot_activity
MEDIUM
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Breaking_the_silence_Truebot_activity
- Date of Scan:
- 2022-12-09
- Impact:
- MEDIUM
- Summary:
- Cisco Talos researchers that one of the new follow-on payloads that Truebot drops is Grace (aka FlawedGrace and GraceWire) malware, which is attributed to TA505, further supporting these claims.
Phishing_Email_Impersonating_Quasi_governmental_Organization_Being_Distributed
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Phishing_Email_Impersonating_Quasi_governmental_Organization_Being_Distributed
- Date of Scan:
- 2022-12-08
- Impact:
- LOW
- Summary:
- ASEC analysis team has recently detected the distribution of a phishing email impersonating a non-profit quasi-governmental organization. Since the email is using a webpage disguised as a login page of GobizKOREA serviced by Korea SMEs and Startups Agency (KOSME), users who are working in the trading industry should take extra caution.
New_obfuscation_service_used_by_Ermac_when_distributed_together_with_desktop_stealers
LOW
+
—
- Intel Source:
- Threat Fabric
- Intel Name:
- New_obfuscation_service_used_by_Ermac_when_distributed_together_with_desktop_stealers
- Date of Scan:
- 2022-12-08
- Impact:
- LOW
- Summary:
- ThreatFabric’s analysts discovered a campaign employing several Trojans, and targeting both Android and Windows users at the same time, in order to reach as much victims as possible. Besides Ermac Android banking Trojan, the campaign involved desktop malware in the form of Erbium, Aurora stealer, and Laplas “clipper”.
Cuba_Ransomware_TTPs
MEDIUM
+
—
- Intel Source:
- Picus Security
- Intel Name:
- Cuba_Ransomware_TTPs
- Date of Scan:
- 2022-12-08
- Impact:
- MEDIUM
- Summary:
- Security researchers from Picus Security have track downed a new variant of the Cuba ransomware as Tropical Scorpius. This Cuba ransomware group mainly targets manufacturing, professional and legal services, financial services, construction, high technology, and healthcare sectors
DeathStalker_targets_legal_entities_with_new_Janicab_variant
LOW
+
—
- Intel Source:
- Securelist
- Intel Name:
- DeathStalker_targets_legal_entities_with_new_Janicab_variant
- Date of Scan:
- 2022-12-08
- Impact:
- LOW
- Summary:
- Securelist's reserachers Deathstalker intrusions that use the Janicab malware family, we identified a new Janicab variant used in targeting legal entities in the Middle East throughout 2020, possibly active during 2021 and potentially extending an extensive campaign that has been traced back to early 2015 and targeted legal, financial, and travel agencies in the Middle East and Europe.
Phishing_Email_Disguised_as_a_WellKnown_Korean_Airline
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Phishing_Email_Disguised_as_a_WellKnown_Korean_Airline
- Date of Scan:
- 2022-12-07
- Impact:
- LOW
- Summary:
- ASEC analysis team has recently discovered a phishing email that impersonates a well-known Korean airline to collect user credentials. The phishing email contains a notice on airline ticket payment, inducing the reader to connect to the disguised phishing page with specific ticket prices and details that implies that the sender has background information of the reader.
Zerobot_New_Go_Based_Botnet
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Zerobot_New_Go_Based_Botnet
- Date of Scan:
- 2022-12-07
- Impact:
- MEDIUM
- Summary:
- Recently FortiGuard Labsteam observed a new botnet written in the Go language being distributed through IoT vulnerabilities and categorized it as critical. This botnet, known as Zerobot, contains several modules, including self-replication, attacks for different protocols, and self-propagation. It also communicates with its command-and-control server using the WebSocket protocol. The reserachers detailed in the article how this malware leverages vulnerabilities and examines its behavior once inside an infected device.
A_New_BackdoorDiplomacy_Threat_Actor_Campaign_Investigation
LOW
+
—
- Intel Source:
- Bitdefender
- Intel Name:
- A_New_BackdoorDiplomacy_Threat_Actor_Campaign_Investigation
- Date of Scan:
- 2022-12-07
- Impact:
- LOW
- Summary:
- Bitdefender researchers did some discoveres for a malicious campaign involving the abuse of binaries vulnerable to sideloading, targeting the Middle East. The reserachers analyzed the evidence for the traces linked to a cyber-espionage operation performed most likely by Chinese threat actor BackdoorDiplomacy against victims that they have linked to activity in the telecom industry in the Middle East.
A_new_Agrius_threat_group_wiper_Fantasy
MEDIUM
+
—
- Intel Source:
- WeliveSecurity
- Intel Name:
- A_new_Agrius_threat_group_wiper_Fantasy
- Date of Scan:
- 2022-12-07
- Impact:
- MEDIUM
- Summary:
- Agrius is a new Iranian group targeting victims in Israel and the United Arab Emirates since 2020. The group initially deployed a wiper. Recently group deployed a new wiper named Fantasy. Most of its code base comes from Apostle, Agrius’s previous wiper. Recently FortiGuard Labsteam observed a new botnet written in the Go language being distributed through IoT vulnerabilities and categorized it as critical. This botnet, known as Zerobot, contains several modules, including self-replication, attacks for different protocols, and self-propagation. It also communicates with its command-and-control server using the WebSocket protocol. The reserachers detailed in the article how this malware leverages vulnerabilities and examines its behavior once inside an infected device.
CrowdStrike_Investigations_Reveal_Intrusion_Campaign_Targeting_Telco_and_BPO_Companies
LOW
+
—
- Intel Source:
- CrowdStrike
- Intel Name:
- CrowdStrike_Investigations_Reveal_Intrusion_Campaign_Targeting_Telco_and_BPO_Companies
- Date of Scan:
- 2022-12-07
- Impact:
- LOW
- Summary:
- CrowdStrike Services reviews a recent, extremely persistent intrusion campaign targeting telecommunications and business process outsourcing (BPO) companies and outlines how organizations can defend and secure their environments.
Targeted_attacks_by_DEV_0139_against_the_cryptocurrency_industry
LOW
+
—
- Intel Source:
- Microsoft
- Intel Name:
- Targeted_attacks_by_DEV_0139_against_the_cryptocurrency_industry
- Date of Scan:
- 2022-12-07
- Impact:
- LOW
- Summary:
- Microsoft shared that cryptocurrency companies have been targeted by a threat group DEV-0139 via Telegram groups used to communicate with the firms' VIP customers.
Resumexll_File_Being_Distributed_in_Korea
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Resumexll_File_Being_Distributed_in_Korea
- Date of Scan:
- 2022-12-07
- Impact:
- LOW
- Summary:
- ASEC analysis team shared that malware with the XLL file format (file extension: .xll) was being distributed via email. The XLL file has a DLL form of a PE (Portable Executable) file but is executed with Microsoft Excel.
Malware_Distributed_with_Disguised_Filenames
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Malware_Distributed_with_Disguised_Filenames
- Date of Scan:
- 2022-12-07
- Impact:
- LOW
- Summary:
- ASEC analysis team made a post on the malware being distributed with filenames that utilize RTLO (Right-To-Left Override). RTLO is a unicode that makes an override from right to left. This type of malware induces users to execute its files by mixing filenames with extensions
Ransomware_Turning_into_an_Accidental_Wiper
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Ransomware_Turning_into_an_Accidental_Wiper
- Date of Scan:
- 2022-12-06
- Impact:
- MEDIUM
- Summary:
- Researchers from FortiGate have observed Cryptonite sample in the wild that never offers the decryption window, instead acting as a wiper. We recently saw an increase in ransomware intentionally turned into wiper malware, primarily as part of a political campaign.
Masquerading_as_a_Software_Installer
LOW
+
—
- Intel Source:
- Cybereason
- Intel Name:
- Masquerading_as_a_Software_Installer
- Date of Scan:
- 2022-12-05
- Impact:
- LOW
- Summary:
- Cybereason GSOC team analyzes a technique that utilizes Microsoft’s Windows Installation file (.msi) to compromise victims’ machines. MSI, formerly known as Microsoft Installer, is a Windows installer package format.
Lazarus_APT_uses_fake_cryptocurrency_apps_to_spread_AppleJeus_Malware
LOW
+
—
- Intel Source:
- Security Affairs
- Intel Name:
- Lazarus_APT_uses_fake_cryptocurrency_apps_to_spread_AppleJeus_Malware
- Date of Scan:
- 2022-12-05
- Impact:
- LOW
- Summary:
- The North Korea-linked Lazarus APT spreads fake cryptocurrency apps under the fake brand BloxHolder to install the AppleJeus malware.
The_delivery_of_YIPPHB_dropper
LOW
+
—
- Intel Source:
- Elastic
- Intel Name:
- The_delivery_of_YIPPHB_dropper
- Date of Scan:
- 2022-12-02
- Impact:
- LOW
- Summary:
- Elastic Security Labs identified 12 clusters of activity using a similar TTP of threading Base64 encoded strings with Unicode icons to load the YIPPHB dropper. YIPPHB is an unsophisticated, but effective, dropper used to deliver RAT implants going back at least May of 2022.
The_analyses_of_Erbium_Stealer_Malware
MEDIUM
+
—
- Intel Source:
- Cyfirma
- Intel Name:
- The_analyses_of_Erbium_Stealer_Malware
- Date of Scan:
- 2022-12-02
- Impact:
- MEDIUM
- Summary:
- CYFIRMA research team observed and analyzed the malware sample. The team has also observed the stealer malware being advertised on Russian-speaking hacker forums. The malware sample is a 32-bit executable binary. It contains obfuscated contents to evade detection by security products and firewalls.
Mizuho_Bank_of_Japan_as_bait_for_Lazarus_attack
LOW
+
—
- Intel Source:
- Weixin
- Intel Name:
- Mizuho_Bank_of_Japan_as_bait_for_Lazarus_attack
- Date of Scan:
- 2022-12-02
- Impact:
- LOW
- Summary:
- Recently, the Red Raindrop team of QiAnXin Threat Intelligence Center found the latest 0 - kill soft-check attack sample of Lazarus organization in daily threat hunting. Information is used as bait to attack.
A_released_joint_Cybersecurity_Advisory_for_Cuba_Ransomware
MEDIUM
+
—
- Intel Source:
- CISA
- Intel Name:
- A_released_joint_Cybersecurity_Advisory_for_Cuba_Ransomware
- Date of Scan:
- 2022-12-02
- Impact:
- MEDIUM
- Summary:
- The FBI and CISA released a joint Cybersecurity Advisory (CSA) to provide network defenders tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Cuba ransomware
New_CryWiper_Trojan
MEDIUM
+
—
- Intel Source:
- Securelist
- Intel Name:
- New_CryWiper_Trojan
- Date of Scan:
- 2022-12-02
- Impact:
- MEDIUM
- Summary:
- Russian reserachers from Securelist caught some attempts by a previously unknown Trojan, which was named CryWiper, to attack the organization's network in the Russian Federation. After studying a sample of malware, they found out that this Trojan, although it disguises itself as a ransomware and extorts money from the victim for "decrypting" data, in fact does not encrypt, but purposefully destroys data in the affected system. Moreover, the analysis of the Trojan's program code showed that this was not the developer's mistake, but his original intention.
A_deep_dive_into_ZetaNile
LOW
+
—
- Intel Source:
- Reversing Labs
- Intel Name:
- A_deep_dive_into_ZetaNile
- Date of Scan:
- 2022-12-02
- Impact:
- LOW
- Summary:
- ZetaNile is a set of open-source software trojans being used by Lazarus/ZINC. This set of trojanized, open-source software implants has been dubbed ZetaNile by Microsoft and BLINDINCAN by CISA. After some investigation, this campaign presented an opportunity for deep study by the ReversingLabs Research Team.
The_cyber_espionage_activity_with_USB_devices
MEDIUM
+
—
- Intel Source:
- Mandiant
- Intel Name:
- The_cyber_espionage_activity_with_USB_devices
- Date of Scan:
- 2022-12-02
- Impact:
- MEDIUM
- Summary:
- Mandiant Managed Defense team recently identified cyber espionage activity that heavily leverages USB devices as an initial infection vector and concentrates on the Philippines and tracked this activity as UNC4191 and pissible linked to a China nexus.
Phishing_and_Scams_to_Be_Aware_of_this_Season
LOW
+
—
- Intel Source:
- Trustwave
- Intel Name:
- Phishing_and_Scams_to_Be_Aware_of_this_Season
- Date of Scan:
- 2022-12-02
- Impact:
- LOW
- Summary:
- Trustwave team has warned to be one the lookout this holiday shopping season for phishing and scams specifically designed to blend in with holiday online shopping activities. Trustwave SpiderLabs has compiled a list of the most prevalent shopping-related scams expected this year. These samples were recently observed from Trustwave’s spam traps and other Trustwave monitoring systems.
New_Malware_Strain_DuckLogs
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- New_Malware_Strain_DuckLogs
- Date of Scan:
- 2022-12-01
- Impact:
- LOW
- Summary:
- Recently, Cyble researchers bserved a new malware strain named DuckLogs, which performs multiple malicious activities such as Stealer, Keylogger, Clipper, Remote access, etc. DuckLogs is MaaS (Malware-as-a-Service). It steals users’ sensitive information, such as passwords, cookies, login data, histories, crypto wallet details, etc., and exfiltrates the stolen data from the victim’s machine to its C&C server.
The_distribution_of_Redline_Stealer
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- The_distribution_of_Redline_Stealer
- Date of Scan:
- 2022-12-01
- Impact:
- LOW
- Summary:
- Recently Cyble rsearchers identified 6 phishing sites impersonating Express VPN that was distributing Windows malware. The threat actorstried to use phishing emails, online ads, SEO attacks, and various other means to propagate links over the internet.
Arechclient2_remote_access_trojan
LOW
+
—
- Intel Source:
- Cyber Florida
- Intel Name:
- Arechclient2_remote_access_trojan
- Date of Scan:
- 2022-12-01
- Impact:
- LOW
- Summary:
- Cyber Florida has observed network payload data obfuscated via Base64 encoding and sent to what appears to be a command control server. The command and control server appears to be utilizing Google cloud services
Phishing_Website_Disguised_as_a_Famous_Korean_Email_Login_Website_Being_Distributed
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Phishing_Website_Disguised_as_a_Famous_Korean_Email_Login_Website_Being_Distributed
- Date of Scan:
- 2022-11-30
- Impact:
- LOW
- Summary:
- The ASEC analysis team has identified the distribution of a malicious website in Korea that aims to steal account credentials from a famous Korean email service website.
The_ransomware_impact_on_Aviation_Industry
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- The_ransomware_impact_on_Aviation_Industry
- Date of Scan:
- 2022-11-30
- Impact:
- LOW
- Summary:
- This month the ‘Daixin Team’ ransomware group claimed to infiltrate the networks of a Malaysia-based airline. The group allegedly stole 5 million passengers’ data, and airline employees’ personal and corporate information. ‘Daixin Team’ ransomware group came into existence in June 2022 and has claimed responsibility for targeting 5 organizations so far. In the US, the group has primarily affected Healthcare organizations.
Improved_LockBit_3_0_Black_attacks_with_more_capabilities
MEDIUM
+
—
- Intel Source:
- Sophos
- Intel Name:
- Improved_LockBit_3_0_Black_attacks_with_more_capabilities
- Date of Scan:
- 2022-11-30
- Impact:
- MEDIUM
- Summary:
- A Sophos team did some analysis of multiple incidents where attackers used the latest version of LockBit ransomware (known variously as LockBit 3.0 or ‘LockBit Black’) and they discovered the latest tooling used by threat actors. The threat actors have begun experimenting with the use of scripting that would allow the malware to “self-spread” using Windows Group Policy Objects (GPO) or the tool PSExec, potentially making it easier for the malware to laterally move and infect computers without the need for affiliates to know how to take advantage of these features for themselves.
Domains_Used_for_Magniber_Distribution_in_Korea
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Domains_Used_for_Magniber_Distribution_in_Korea
- Date of Scan:
- 2022-11-30
- Impact:
- LOW
- Summary:
- The ASEC analysis team introduced through a blog post the Magniber ransomware which attempted MOTW (Mark of the Web) bypassing. Afterward, using the data left in Zone.Identifier, we conducted an investigation on the sources used for the distribution of Magniber.
IoT_Botnets_Evade_Detection_and_Analysis_Part_2
LOW
+
—
- Intel Source:
- Nozomi Networks
- Intel Name:
- IoT_Botnets_Evade_Detection_and_Analysis_Part_2
- Date of Scan:
- 2022-11-30
- Impact:
- LOW
- Summary:
- Nozomi reserachers team analyzed the malware samples and discovered new modification techniques malware authors are using to evade detection. They are also adopting new methods for crafting malicious files, exploiting a variety of vulnerabilities in IoT devices, and using command-and-control (C&C) servers to maintain control of compromised devices.
A_technical_analysis_of_the_Dolphin_backdoor
LOW
+
—
- Intel Source:
- WeliveSecurity
- Intel Name:
- A_technical_analysis_of_the_Dolphin_backdoor
- Date of Scan:
- 2022-11-30
- Impact:
- LOW
- Summary:
- ESET researchers have analyzed a previously unreported backdoor used by the ScarCruft APT group. The backdoor, which was named Dolphin, has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers.
LNK_File_Leads_to_Domain_Wide_Ransomware
MEDIUM
+
—
- Intel Source:
- DFIR Report
- Intel Name:
- LNK_File_Leads_to_Domain_Wide_Ransomware
- Date of Scan:
- 2022-11-29
- Impact:
- MEDIUM
- Summary:
- Researchers from DFIR report have identified threat actor gaining access to an environment via Emotet and operating over a eight day period. During this time period, multiple rounds of enumeration and lateral movement occurred using Cobalt Strike. Remote access tools were used for command and control, such as Tactical RMM and Anydesk.
Massive_malvertising_campaign_capitalize_on_Black_Friday
MEDIUM
+
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Massive_malvertising_campaign_capitalize_on_Black_Friday
- Date of Scan:
- 2022-11-29
- Impact:
- MEDIUM
- Summary:
- Researchers from Malwarebytes have identified an ongoing malvertising campaign has been ramping up a fraudulent campaign via Google ads for the popular Walmart brand. Perhaps due to the upcoming Black Friday shopping deals, we are seeing a dramatic increase in traffic towards a number of malicious sites registered for the purpose of serving tech support scams.
Word_Document_Attack_Distributed_in_Disguise_of_a_News_Survey
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Word_Document_Attack_Distributed_in_Disguise_of_a_News_Survey
- Date of Scan:
- 2022-11-29
- Impact:
- LOW
- Summary:
- The ASEC analysis team discovered that the Word document type identified in the blog, ‘Malicious Word Files Targeting Specific Individuals Related to North Korea,’ has recently been using FTP to leak user credentials. The filename of the identified Word document is ‘CNA[Q].doc’, disguised as a CNA Singaporean TV program interview.
China_Based_Fangxiao_Group_Running_Long_Phishing_Campaign
MEDIUM
+
—
- Intel Source:
- CYJAX
- Intel Name:
- China_Based_Fangxiao_Group_Running_Long_Phishing_Campaign
- Date of Scan:
- 2022-11-29
- Impact:
- MEDIUM
- Summary:
- Researchers from CYJAX have observed that a China-based financially motivated group, dubbed Fangxiao, orchestrated a large-scale phishing campaign since 2017. The phishing campaign exploits the reputation of international brands and targets businesses in multiple industries, including retail, banking, travel, and energy. Attackers imitated over 400 organisations, including Emirates, Singapore’s Shopee, Unilever, Indonesia’s Indomie, Coca-Cola, McDonald’s, and Knorr.
Word_Document_Attack_Distributed_as_Normal_MS_Office_URLs
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Word_Document_Attack_Distributed_as_Normal_MS_Office_URLs
- Date of Scan:
- 2022-11-29
- Impact:
- LOW
- Summary:
- The ASEC analysis team has discovered during our additional monitoring process that the URL used in the fake Word document is becoming very cleverly disguised to closely resemble the normal URL, and we wish to advise caution on the part of users.
New_Variant_Of_Ransomware_Targeting_Chile
MEDIUM
+
—
- Intel Source:
- Cyble
- Intel Name:
- New_Variant_Of_Ransomware_Targeting_Chile
- Date of Scan:
- 2022-11-29
- Impact:
- MEDIUM
- Summary:
- Researchers from Cyble have identified a new variant of Punisher ransomware that was spreading through a COVID-19 theme-based phishing website. This Ransomware strain uses a common ransom note which is downloaded from the remote server, and then appends content to the ransom note to make it specific to each of its victims. The figure below shows the HTML file used as a ransom note.
The_New_Wave_of_RansomBoggs_Ransomware
LOW
+
—
- Intel Source:
- ESET Research
- Intel Name:
- The_New_Wave_of_RansomBoggs_Ransomware
- Date of Scan:
- 2022-11-28
- Impact:
- LOW
- Summary:
- Researchers from ESET have identified new ransomware attacks targeting organizations in Ukraine that have been linked to the notorious Russian military threat group Sandworm.
LockBit_Ransomware_Being_distributed_With_Similar_Filenames
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- LockBit_Ransomware_Being_distributed_With_Similar_Filenames
- Date of Scan:
- 2022-11-28
- Impact:
- LOW
- Summary:
- Researchers from ASEC have observed LockBit 2.0 and LockBit 3.0 are being distributed again with only a change to their filenames.
New_Wave_of_SocGholish_Malware
LOW
+
—
- Intel Source:
- Sucuri
- Intel Name:
- New_Wave_of_SocGholish_Malware
- Date of Scan:
- 2022-11-28
- Impact:
- LOW
- Summary:
- Researchers from Sucuri have observed a new type of WordPress infection where threat actors used a distinguished feature to inject SocGholish malware.
Diving_Deep_into_Eternity_Stealer
LOW
+
—
- Intel Source:
- Cloudsek
- Intel Name:
- Diving_Deep_into_Eternity_Stealer
- Date of Scan:
- 2022-11-28
- Impact:
- LOW
- Summary:
- Researchers from CloudSEK have deeply analyzed the workings of Eternity stealer and provided a basic explanation of its techniques and methods.
Koxic_Ransomware_Distributing_in_Korea
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Koxic_Ransomware_Distributing_in_Korea
- Date of Scan:
- 2022-11-25
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered that Koxic ransomware is being distributed in Korea. Recently, they found that a file with a modified appearance and internal ransom note had been detected.
Hackers_Targeting_Online_Shoppers_on_Black_Friday
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Hackers_Targeting_Online_Shoppers_on_Black_Friday
- Date of Scan:
- 2022-11-25
- Impact:
- MEDIUM
- Summary:
- Researchers from FortiGate have observed two Black Friday-oriented cyber-attacks that are gaining traction, one using an old PDF file and another exploiting typosquatting.
Wiki_Ransomware_Distributing_in_Korea
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Wiki_Ransomware_Distributing_in_Korea
- Date of Scan:
- 2022-11-25
- Impact:
- LOW
- Summary:
- ASEC researchers have identified the distribution of Wiki ransomware, which has been determined to be a variant of Crysis ransomware, is disguised as a normal program.
WannaRen_Ransomware_Targeting_Indian_Organization
LOW
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- WannaRen_Ransomware_Targeting_Indian_Organization
- Date of Scan:
- 2022-11-24
- Impact:
- LOW
- Summary:
- Trendmicro researchers have observed the new variant of WannaRen ransomware named Life ransomware and this new variant uses a batch file to download and execute WINWORD.exe to perform DLL side-loading and load the ransomware in memory.
The_Examination_of_Cryptonite_Ransomware
LOW
+
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Examination_of_Cryptonite_Ransomware
- Date of Scan:
- 2022-11-24
- Impact:
- LOW
- Summary:
- Researchers from Fortinet have analyzed the Cryptonite ransomware kit that exists as free and open-source software.
Phishing_Attack_Targeting_Microsoft_Users
LOW
+
—
- Intel Source:
- Cofense
- Intel Name:
- Phishing_Attack_Targeting_Microsoft_Users
- Date of Scan:
- 2022-11-24
- Impact:
- LOW
- Summary:
- Researchers from Cofense have analyzed a phishing campaign that is targeted to steal an employee’s Microsoft credentials via a malicious HTML attachment. The attached file includes spliced code when it’s executed it scrapes for the employee’s credentials.
New_Variant_of_RansomExx_Ransomware
LOW
+
—
- Intel Source:
- IBM Security Intelligence
- Intel Name:
- New_Variant_of_RansomExx_Ransomware
- Date of Scan:
- 2022-11-23
- Impact:
- LOW
- Summary:
- IBM security intelligence researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language. Malware written in Rust often benefits from lower AV detection rates and this may have been the primary reason to use of the language.
Black_Basta_Ransomware_Usin_Qakbot_Malware_to_Target_US_Companies
LOW
+
—
- Intel Source:
- Cybereason
- Intel Name:
- Black_Basta_Ransomware_Usin_Qakbot_Malware_to_Target_US_Companies
- Date of Scan:
- 2022-11-23
- Impact:
- LOW
- Summary:
- Researchers from Cybereason have identified the Black Basta ransomware gang is using QakBot malware to create an initial point of entry and move laterally within an organization’s network.
Fake_Shopping_Websites_Running_For_Black_Friday_Sales
MEDIUM
+
—
- Intel Source:
- Checkpoint
- Intel Name:
- Fake_Shopping_Websites_Running_For_Black_Friday_Sales
- Date of Scan:
- 2022-11-23
- Impact:
- MEDIUM
- Summary:
- Checkpoint researchers have found a sharp increase in fake shopping-related websites in the run-up to Black Friday sales. Also, warns shoppers to stay alert this Black Friday as hackers launch their own holiday specials.
Hackers_Exploiting_Unused_Boa_Web_Servers
MEDIUM
+
—
- Intel Source:
- Microsoft
- Intel Name:
- Hackers_Exploiting_Unused_Boa_Web_Servers
- Date of Scan:
- 2022-11-23
- Impact:
- MEDIUM
- Summary:
- Microsoft researchers have observed that the intrusion activity aimed at Indian power grid entities earlier this year probably exploited security flaws in the now-discontinued web server Boa.
Fake_FIFA_World_Cup_Streaming_Sites_Targeting_Virtual_Fans
HIGH
+
—
- Intel Source:
- Zscaler
- Intel Name:
- Fake_FIFA_World_Cup_Streaming_Sites_Targeting_Virtual_Fans
- Date of Scan:
- 2022-11-23
- Impact:
- HIGH
- Summary:
- Researchers from Zscaler have identified the FIFA World Cup 2022 has brought with it a spike in cyber attacks targeting football fans through fake streaming sites and lottery scams, leveraging the rush and excitement around these uncommon events to infect users with malware.
Hackers_Leveraging_Adobe_Acrobat_For_Phishing_Attack
LOW
+
—
- Intel Source:
- Netskope
- Intel Name:
- Hackers_Leveraging_Adobe_Acrobat_For_Phishing_Attack
- Date of Scan:
- 2022-11-22
- Impact:
- LOW
- Summary:
- Researchers from Netskope have discovered a phishing campaign that is abusing Adobe Acrobat to host a Microsoft Office phishing page.
Hackers_Are_Active_Again_For_Festival_Season
MEDIUM
+
—
- Intel Source:
- Zscaler
- Intel Name:
- Hackers_Are_Active_Again_For_Festival_Season
- Date of Scan:
- 2022-11-22
- Impact:
- MEDIUM
- Summary:
- Researchers from Zscaler have observed four emerging skimming attacks targeting e-commerce stores. These skimming campaigns have a long shelf life and manage to keep their malicious activities under the radar for several months.
The_browser_hijacking_by_multiple_Chrome_extensions
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- The_browser_hijacking_by_multiple_Chrome_extensions
- Date of Scan:
- 2022-11-22
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs (CRIL) discovered multiple Chrome extensions that compromised over two million users with Browser Hijackers. All the extensions that they found were present on the Chrome web store. After installation, it was observed that the browsers hijackers were also changing the browser’s default search engine without the users’ knowledge.
QakBot_Malware_New_Initial_Execution
MEDIUM
+
—
- Intel Source:
- Securonix
- Intel Name:
- QakBot_Malware_New_Initial_Execution
- Date of Scan:
- 2022-11-22
- Impact:
- MEDIUM
- Summary:
- Reseacherers from Securonix shared their observation of recent version of the QakBot, aka Qbot, malware where calls to the Windows binary Regsvr32 are obfuscated in creative ways.
Hackers_Leveraging_Chrome_Extension_to_Steal_Cryptocurrency_and_Passwords
LOW
+
—
- Intel Source:
- Avast
- Intel Name:
- Hackers_Leveraging_Chrome_Extension_to_Steal_Cryptocurrency_and_Passwords
- Date of Scan:
- 2022-11-22
- Impact:
- LOW
- Summary:
- Researchers from Avast have identified an information-stealing Google Chrome browser extension named 'VenomSoftX' which is being deployed by Windows malware to steal cryptocurrency and clipboard contents as users browse the web.
Rapidly_Increasing_Aurora_InfoStealer_Malware
LOW
+
—
- Intel Source:
- Sekoia
- Intel Name:
- Rapidly_Increasing_Aurora_InfoStealer_Malware
- Date of Scan:
- 2022-11-22
- Impact:
- LOW
- Summary:
- Researchers from Sekoia have identified cybergangs are increasingly turning to a new Go-based information stealer named ‘Aurora’ to steal sensitive information from browsers and cryptocurrency apps, exfiltrate data directly from disks, and load additional payloads.
DoubleZero_Wiper
LOW
+
—
- Intel Source:
- PaloAlto
- Intel Name:
- DoubleZero_Wiper
- Date of Scan:
- 2022-11-22
- Impact:
- LOW
- Summary:
- Researchers from PaloAlto have introduce a machine learning model that predicts the maliciousness of .NET samples based on specific structures in the file, by analyzing a .NET wiper named DoubleZero.
Active_IoCs_of_Donot_APT_group
LOW
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IoCs_of_Donot_APT_group
- Date of Scan:
- 2022-11-22
- Impact:
- LOW
- Summary:
- Researchers from Rewterz Identified various attack campaigns from Donot APT group targetting Pakistan and other Asian countries. The most recent campaign leverages RTF documents spread through Phishing.
Hackers_Leveraging_FIFA_World_Cup_For_Phishing_Attack
HIGH
+
—
- Intel Source:
- Trellix
- Intel Name:
- Hackers_Leveraging_FIFA_World_Cup_For_Phishing_Attack
- Date of Scan:
- 2022-11-21
- Impact:
- HIGH
- Summary:
- Researchers from Trellix have observed attackers leveraging FIFA and football-based campaigns to target organizations in Arab countries.
New_Wave_of_Ransomware_Campaigns
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- New_Wave_of_Ransomware_Campaigns
- Date of Scan:
- 2022-11-21
- Impact:
- LOW
- Summary:
- Researchers from Cyble have identified three new ransomware families: AXLocker, Octocrypt, and Alice Ransomware. They are not only encrypting victims files and demanding a ransom payment but also stealing the Discord accounts of infected users.
Fake_Antivirus_Phishing_Campaign
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Fake_Antivirus_Phishing_Campaign
- Date of Scan:
- 2022-11-21
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed the phishing email which looks a like McAfee antivirus subscription.
New_Improved_Versions_of_LodaRAT
LOW
+
—
- Intel Source:
- Talos
- Intel Name:
- New_Improved_Versions_of_LodaRAT
- Date of Scan:
- 2022-11-21
- Impact:
- LOW
- Summary:
- Researchers from Cisco Talos have identified several variants and altered versions of LodaRAT with updated functionality and including new functionality allowing proliferation to attached removable storage, a new string encoding algorithm, and the removal of “dead” functions.
The_Analysis_of_2022_FIFA_World_Cup_Threat
MEDIUM
+
—
- Intel Source:
- Recorded Future
- Intel Name:
- The_Analysis_of_2022_FIFA_World_Cup_Threat
- Date of Scan:
- 2022-11-18
- Impact:
- MEDIUM
- Summary:
- Researchers from Recorded Future have analyzed the threat landscape ahead of the 2022 FIFA World Cup hosted in Qatar that begins on November 20, 2022.
Hive_ransomware_extorted_100M_from_over_1300_victims
MEDIUM
+
—
- Intel Source:
- CISA
- Intel Name:
- Hive_ransomware_extorted_100M_from_over_1300_victims
- Date of Scan:
- 2022-11-18
- Impact:
- MEDIUM
- Summary:
- Researchers from FBI have identified that the notorious Hive ransomware gang has successfully extorted roughly $100 million from over a thousand companies since June 2021. Also, the FBI says that the Hive gang will deploy additional ransomware payloads on the networks of victims who refuse to pay the ransom.
Phishing_Attack_Leveraging_Famous_Brands_to_Targeting_US_shoppers
MEDIUM
+
—
- Intel Source:
- Akamai
- Intel Name:
- Phishing_Attack_Leveraging_Famous_Brands_to_Targeting_US_shoppers
- Date of Scan:
- 2022-11-18
- Impact:
- MEDIUM
- Summary:
- Akamai researchers have identified a sophisticated phishing kit that is targeting North Americans since mid-September, using lures focused on holidays like Labor Day and Halloween.
Earth_Preta_Hackers_Targeting_Governments_Worldwide
MEDIUM
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- Earth_Preta_Hackers_Targeting_Governments_Worldwide
- Date of Scan:
- 2022-11-18
- Impact:
- MEDIUM
- Summary:
- Researchers from Trendmicro have observed that the Threat group Earth Preta targets worldwide Governments via a Spear-phishing attack. They abused fake Google accounts to distribute the malware via spear-phishing emails, initially stored in an archive file (such as rar/zip/jar) and distributed through Google Drive links.
W4SP_Stealer_Targeting_Python_Developers
LOW
+
—
- Intel Source:
- Checkmarx Security
- Intel Name:
- W4SP_Stealer_Targeting_Python_Developers
- Date of Scan:
- 2022-11-18
- Impact:
- LOW
- Summary:
- Researchers from Checkmarx Security have identified an ongoing supply chain attack that is leveraging malicious Python packages to distribute malware called W4SP Stealer, with over hundreds of victims ensnared to date.
Debugging_DotNET_Malware
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Debugging_DotNET_Malware
- Date of Scan:
- 2022-11-17
- Impact:
- MEDIUM
- Summary:
- Researchers from Fortinet have described how we can create a custom .NET program to help debug a DLL loaded and invoked directly in memory.
The_Disneyland_Malware_Team_activity
LOW
+
—
- Intel Source:
- Krebon Security
- Intel Name:
- The_Disneyland_Malware_Team_activity
- Date of Scan:
- 2022-11-17
- Impact:
- LOW
- Summary:
- A cybercrime group calling itself the Disneyland Team has been operating dozens of phishing domains that spoof popular bank brands since March 2022. the Disneyland Team has been making liberal use of visually confusing phishing domains that spoof popular bank brands using Punycode, an Internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic.
Diving_Deep_into_Venus_Ransomware
LOW
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- Diving_Deep_into_Venus_Ransomware
- Date of Scan:
- 2022-11-17
- Impact:
- LOW
- Summary:
- Researchers from SentinelOne have analyzed the Venus ransomware and provided further analysis, indicators of compromise, and TTPs.
An_Examination_of_Wiper_Families
LOW
+
—
- Intel Source:
- Trellix
- Intel Name:
- An_Examination_of_Wiper_Families
- Date of Scan:
- 2022-11-17
- Impact:
- LOW
- Summary:
- Researchers from Trellix have analyzed more than twenty recent wiper families, their trends, techniques, and their overlap with other wipers.
Advantage_of_FTX_Bankruptcy_by_threat_actors
LOW
+
—
- Intel Source:
- McAfee
- Intel Name:
- Advantage_of_FTX_Bankruptcy_by_threat_actors
- Date of Scan:
- 2022-11-17
- Impact:
- LOW
- Summary:
- McAfee has discovered several phishing sites targeting FTX users. One of the sites discovered was registered on the 15th of November and asks users to submit their crypto wallet phrase to receive a refund. After entering this phrase, the creators of the site would gain access to the victim’s crypto wallet and they would likely transfer all the funds out of it.
ARCrypter_Ransomware_Spreading_From_Latin_America_to_the_World
MEDIUM
+
—
- Intel Source:
- Blackberry
- Intel Name:
- ARCrypter_Ransomware_Spreading_From_Latin_America_to_the_World
- Date of Scan:
- 2022-11-17
- Impact:
- MEDIUM
- Summary:
- Researchers from BlackBerry have identified additional samples of interest for ARCrypter ransomware and expanded its operations from Latin America to the World. Based on the unique strings identified during the analysis, they have named this unknown ransomware variant “ARCrypter".
WatchDog_Continues_to_Targeting_East_Asian_CSPs
LOW
+
—
- Intel Source:
- CADO Security
- Intel Name:
- WatchDog_Continues_to_Targeting_East_Asian_CSPs
- Date of Scan:
- 2022-11-17
- Impact:
- LOW
- Summary:
- Researchers from Cado Labs have discovered the re-emergence of the threat actor WatchDog. This is an opportunistic and prominent threat actor, who is known for routinely carrying out cryptojacking attacks against resources hosted by various Cloud Service Providers.
Phishing_Campaign_Abusing_MS_Customer_Voice_URLs
MEDIUM
+
—
- Intel Source:
- Cofense
- Intel Name:
- Phishing_Campaign_Abusing_MS_Customer_Voice_URLs
- Date of Scan:
- 2022-11-17
- Impact:
- MEDIUM
- Summary:
- Researchers from Cofense have observed phishing campaigns abusing Microsoft Customer Voice URLs. Microsoft Customer Voice is a customer engagement/survey service that is used for plenty of benign and useful reasons.
Iranian_hackers_breached_federal_agency_using_Log4Shell_exploit
HIGH
+
—
- Intel Source:
- CISA
- Intel Name:
- Iranian_hackers_breached_federal_agency_using_Log4Shell_exploit
- Date of Scan:
- 2022-11-16
- Impact:
- HIGH
- Summary:
- The FBI and CISA revealed in a joint advisory published today that an unnamed Iranian-backed threat group hacked a Federal Civilian Executive Branch (FCEB) organization to deploy XMRig cryptomining malware.
Emotet_Delivering_via_Malicious_Email
MEDIUM
+
—
- Intel Source:
- Proofpoint
- Intel Name:
- Emotet_Delivering_via_Malicious_Email
- Date of Scan:
- 2022-11-16
- Impact:
- MEDIUM
- Summary:
- Researchers from Proofpoint have observed multiple changes to Emotet and its payloads including the lures used, and changes to the Emotet modules, loader, and packer.
Active_IOCs_of_Heodo_Malware
LOW
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Heodo_Malware
- Date of Scan:
- 2022-11-16
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Heodo Malware. It is a malicious program that is a variant of Emotet.
North_Korean_hackers_target_European_organization
LOW
+
—
- Intel Source:
- Securelist
- Intel Name:
- North_Korean_hackers_target_European_organization
- Date of Scan:
- 2022-11-16
- Impact:
- LOW
- Summary:
- Researchers from Securelist have identified North Korean hackers are using a new version of the DTrack backdoor to attack organizations in Europe and Latin America.
Typhon_Stealer_Back_With_New_Capabilities
LOW
+
—
- Intel Source:
- PaloAlto
- Intel Name:
- Typhon_Stealer_Back_With_New_Capabilities
- Date of Scan:
- 2022-11-16
- Impact:
- LOW
- Summary:
- Researchers from PaloAlto have identified that Typhon Stealer provides threat actors with an easy-to-use, configurable builder for hire. They are continuing to update their code to enhance their tools and techniques to evade security systems and exfiltrate data smoothly.
The_HTTP_CONNECT_malicious_requests
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- The_HTTP_CONNECT_malicious_requests
- Date of Scan:
- 2022-11-16
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed and identified the HTTP CONNECT requests may have been an attempt to relay traffic through the honeypot and hide the original source of the request. It is also possible that the traffic may have been funneled through multiple proxy endpoints to make identification of the source difficult to identify. Allowing HTTP CONNECT on internet facing resources can potentially expose internal network resources or assist in the forwarding of malicious traffic.
Dagon_Locker_Ransomware_Distributing_in_Korea
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Dagon_Locker_Ransomware_Distributing_in_Korea
- Date of Scan:
- 2022-11-16
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered that the DAGON LOCKER ransomware is being distributed in Korea. It is commonly distributed through phishing mails or as an attachment to emails, but because it is a ransomware-as-a-service, the distribution route and target can vary according to the threat actor.
New_RapperBot_Campaign
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- New_RapperBot_Campaign
- Date of Scan:
- 2022-11-16
- Impact:
- MEDIUM
- Summary:
- Fortinet reserachers observed new samples with the same distinctive C2 protocol used by RapperBot were detected. in August 2022, there was a significant drop in the number of samples collected in the wild. It is quickly evident that these samples are part of a separate campaign to launch Distributed Denial of Service (DDoS) attacks against game servers. With the several similarities between previous and present it is believed that either the same threat actor might be behind both campaigns or each campaign might have branched from the same privately-shared source code.
Diving_Deep_into_Downloader_Malware
LOW
+
—
- Intel Source:
- Vmware
- Intel Name:
- Diving_Deep_into_Downloader_Malware
- Date of Scan:
- 2022-11-16
- Impact:
- LOW
- Summary:
- Researchers from VMware have analyzed the evasive downloader malware campaigns, addressing the history of BatLoader, its attributes, how it is delivered, the infection chain, and Carbon Black’s detection of the malware.
Indonesian_BRI_Bank_targeted_by_phishing_campaigns
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Indonesian_BRI_Bank_targeted_by_phishing_campaigns
- Date of Scan:
- 2022-11-15
- Impact:
- LOW
- Summary:
- VMware Carbon Black Managed Detection and Response (MDR) analysts have identified a threat that has been circuling over the last couple of months BatLoader. BatLoader is an initial access malware that heavily uses batch and PowerShell scripts to gain a foothold on a victim machine and deliver other malware. The analysts sharing their analyses about this malware campaign, addressing the history of BatLoader, its attributes, how it is delivered, the infection chain, and Carbon Black’s detection of the malware.
Active_IOCs_of_SharpPanda_APT_Group
MEDIUM
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_SharpPanda_APT_Group
- Date of Scan:
- 2022-11-15
- Impact:
- MEDIUM
- Summary:
- Researchers from Rewterz have identified the active IOCs of SharpPanda APT Group. SharpPanda APT attacks and targets Southeast Asian government users with template injection of malicious documents. The attackers use spear-phishing to gain initial access and leverage old Microsoft Office vulnerabilities together with the chain of in-memory loaders to attempt and install a previously unknown backdoor on the victim’s machines.
Active_IOCs_of_Phobos_Ransomware
LOW
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Phobos_Ransomware
- Date of Scan:
- 2022-11-15
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Phobos ransomware. It is based on the Dharma malware that first appeared at the beginning of 2019.
Active_IOCs_of_REvil_Ransomware
LOW
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_REvil_Ransomware
- Date of Scan:
- 2022-11-15
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of REvil Ransomware. It is (also known as Sodinokibi) a Ransomware-as-a-Service (RaaS).
A_Deep_Examination_of_Prestige_Ransomware
LOW
+
—
- Intel Source:
- Cyfirma
- Intel Name:
- A_Deep_Examination_of_Prestige_Ransomware
- Date of Scan:
- 2022-11-15
- Impact:
- LOW
- Summary:
- Researchers from Cyfirma have analyzed the Prestige Ransomware.
Active_IOCs_of_Black_Basta_Ransomware
LOW
+
—
- Intel Source:
- Rewterz
- Intel Name:
- Active_IOCs_of_Black_Basta_Ransomware
- Date of Scan:
- 2022-11-15
- Impact:
- LOW
- Summary:
- Researchers from Rewterz have identified the active IOCs of Black Basta Ransomware. It is a new ransomware that encrypts data stored on clients’ hard drives.
Hackers_Abusing_LNK_Files
LOW
+
—
- Intel Source:
- Intezer
- Intel Name:
- Hackers_Abusing_LNK_Files
- Date of Scan:
- 2022-11-15
- Impact:
- LOW
- Summary:
- Intezer researchers have described how threat actors use LNK files in the different stages of attacks.
Hackers_Leveraging_BumbleBee_to_Load_Meterpreter_and_CobaltStrike
LOW
+
—
- Intel Source:
- DFIR Report
- Intel Name:
- Hackers_Leveraging_BumbleBee_to_Load_Meterpreter_and_CobaltStrike
- Date of Scan:
- 2022-11-15
- Impact:
- LOW
- Summary:
- Researchers from DFIR report have identified threat actors leveraged BumbleBee to load a Meterpreter agent and Cobalt Strike Beacons.
New_Earth_Longzhi_APT_Targeting_Ukraine_and_Asian_Countries
LOW
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- New_Earth_Longzhi_APT_Targeting_Ukraine_and_Asian_Countries
- Date of Scan:
- 2022-11-15
- Impact:
- LOW
- Summary:
- Researchers from Trendmicro have observed that threat group Earth Longzhi targeting Ukraine and Asian countries with custom Cobalt Strike loaders.
Chinese_Hackers_Targeting_Government_Agencies
MEDIUM
+
—
- Intel Source:
- Symantec
- Intel Name:
- Chinese_Hackers_Targeting_Government_Agencies
- Date of Scan:
- 2022-11-15
- Impact:
- MEDIUM
- Summary:
- Researchers from Symantec have identified a cyberespionage threat actor tracked as Billbug (a.k.a. Thrip, Lotus Blossom, Spring Dragon) has been running a campaign targeting a certificate authority, government agencies, and defense organizations in several countries in Asia.
StrelaStealer_and_IceXLoader_Drive_InfoStealing_Campaigns
LOW
+
—
- Intel Source:
- DCSO CyTec Blog
- Intel Name:
- StrelaStealer_and_IceXLoader_Drive_InfoStealing_Campaigns
- Date of Scan:
- 2022-11-14
- Impact:
- LOW
- Summary:
- Researchers from DCSO CyTec have discovered new waves of malware campaigns, with two information-stealing malware making rounds in the wild. Named StrelaStealer and IceXLoader, both malware leverage malicious email attachments to lure their targets.
Cyber_adoption_of_IPFS_for_different_malware_campaigns
LOW
+
—
- Intel Source:
- Talos
- Intel Name:
- Cyber_adoption_of_IPFS_for_different_malware_campaigns
- Date of Scan:
- 2022-11-14
- Impact:
- LOW
- Summary:
- Cisco Talos has observed multiple ongoing campaigns that leverage the IPFS network to host their malware payloads and phishing kit infrastructure while facilitating other attacks.
QBOT_Leveraging_HTML_Smuggling_Technique
LOW
+
—
- Intel Source:
- QuickHeal
- Intel Name:
- QBOT_Leveraging_HTML_Smuggling_Technique
- Date of Scan:
- 2022-11-14
- Impact:
- LOW
- Summary:
- Researchers from QuickHeal have observed a new technique that QBot leverages for its attack. It is called an “HTML Smuggling attack.”
Dropper_Type_Malware_Bomb_Back_Again
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Dropper_Type_Malware_Bomb_Back_Again
- Date of Scan:
- 2022-11-14
- Impact:
- LOW
- Summary:
- ASEC researchers found that dropper malware, which disguised itself as a crack, is being actively distributed again. Once the malware is executed, the affected system becomes infected with numerous malware programs.
Massive_oisDOTis_Black_Hat_Redirect_Malware_Campaign
LOW
+
—
- Intel Source:
- Sucuri
- Intel Name:
- Massive_oisDOTis_Black_Hat_Redirect_Malware_Campaign
- Date of Scan:
- 2022-11-14
- Impact:
- LOW
- Summary:
- Researchers from Sucuri have identified that ois[.]is Black Hat redirecting to the malware campaign. These malicious redirects appear to be designed to increase the authority of the attacker’s sites for search engines.
New_KmsdBot_Malware_Hijacking_Systems
LOW
+
—
- Intel Source:
- Akamai
- Intel Name:
- New_KmsdBot_Malware_Hijacking_Systems
- Date of Scan:
- 2022-11-14
- Impact:
- LOW
- Summary:
- Researchers from Akamai have identified a newly discovered evasive malware that leverages the Secure Shell (SSH) cryptographic protocol to gain entry into targeted systems with the goal of mining cryptocurrency and carrying out distributed denial-of-service (DDoS) attacks.
UAC-0118_Group_Using_Somnia_Malware
MEDIUM
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- UAC-0118_Group_Using_Somnia_Malware
- Date of Scan:
- 2022-11-11
- Impact:
- MEDIUM
- Summary:
- Researchers from CERT-UA have investigated threat group FRwL (aka Z-Team) and found that the initial compromise occurred as a result of downloading and running a file that mimicked the "Advanced IP Scanner" software, but actually contained the Vidar malware.
Magniber_Ransomware_Bypassing_MOTW
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Magniber_Ransomware_Bypassing_MOTW
- Date of Scan:
- 2022-11-11
- Impact:
- LOW
- Summary:
- ASEC researchers have observed that the script format found from September 8th to September 29th, 2022, bypassed Mark of the Web (MOTW), a feature offered by Microsoft that identifies the source of files.
The_deep_details_of_Cloud9_Chrome_Botnet
LOW
+
—
- Intel Source:
- Zimperium
- Intel Name:
- The_deep_details_of_Cloud9_Chrome_Botnet
- Date of Scan:
- 2022-11-10
- Impact:
- LOW
- Summary:
- The Zimperium Labs reserachers recently discovered a malicious browser extension that steals the information available during the browser session and also installs malware on a user’s device and subsequently assume control of the entire device. The team provided the deeper analyses into the architecture and modus operandi of this malicious browser extension, originally called Cloud9, by the malware author.
Another_malicious_VisualBasic_script
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Another_malicious_VisualBasic_script
- Date of Scan:
- 2022-11-10
- Impact:
- LOW
- Summary:
- Researchers from SANS have identified a malicious VVisualBasic script that attracted their attention. It's no flagged as malicious but, even more, it’s reported as a simple mallicious script.
The_return_of_Emotet_targeting_users_worldwide
HIGH
+
—
- Intel Source:
- Cyble
- Intel Name:
- The_return_of_Emotet_targeting_users_worldwide
- Date of Scan:
- 2022-11-10
- Impact:
- HIGH
- Summary:
- Cyble Research and Intelligence Labs (CRIL) observed the recent Emotet spam campaign spreading malicious xls, xlsm, and password-protected zip files as an attachment to infect users. These office documents contain malicious macro code which downloads the actual Emotet binary from the remote server. Cyble intelligence shows that the recent Emotet campaign is widespread worldwide, targeting 40 countries. And this latest strain is spreading Bumblebee and IcedID malware.
The_distribution_of_LockBit_3.0_Being_Distributed_by_Amadey_Bot
MEDIUM
+
—
- Intel Source:
- ASEC
- Intel Name:
- The_distribution_of_LockBit_3.0_Being_Distributed_by_Amadey_Bot
- Date of Scan:
- 2022-11-09
- Impact:
- MEDIUM
- Summary:
- The ASEC analysis team has observed and confirmed that attackers are using Amadey Bot to install LockBit. Amadey Bot, a malware that was first discovered in 2018, is capable of stealing information and installing additional malware by receiving commands from the attacker.
The_analyses_of_malicious_use_of_multiple_intermittent_.NET_binaries
LOW
+
—
- Intel Source:
- Fortinet
- Intel Name:
- The_analyses_of_malicious_use_of_multiple_intermittent_.NET_binaries
- Date of Scan:
- 2022-11-09
- Impact:
- LOW
- Summary:
- FortiGuard Labs recently analyzed a fake phishing email that drops the Warzone RAT and showed that it does using multiple intermittent .NET binaries that are increasingly obfuscated.
FormBook_stealer
LOW
+
—
- Intel Source:
- Any.Run
- Intel Name:
- FormBook_stealer
- Date of Scan:
- 2022-11-09
- Impact:
- LOW
- Summary:
- The Any.Run analysts recorded a of malware analysis service allows us to take an in-depth look at the behavior of this clever virus and other malware such as Dridex and Lokibot with their elaborate anti-evasion techniques.
The_analyses_of_Black_Hat_redirect_campaign
LOW
+
—
- Intel Source:
- Sucuri
- Intel Name:
- The_analyses_of_Black_Hat_redirect_campaign
- Date of Scan:
- 2022-11-09
- Impact:
- LOW
- Summary:
- Sucuri research team has tracked a surge in WordPress malware redirecting website visitors to fake sites attackers.They showed their analyses what this infection does, how the malicious redirects work.
A_new_updated_IceXLoader_malware
MEDIUM
+
—
- Intel Source:
- Minerva-labs
- Intel Name:
- A_new_updated_IceXLoader_malware
- Date of Scan:
- 2022-11-09
- Impact:
- MEDIUM
- Summary:
- IceXLoader was discovered earlier this year.It is a commercial malware used to download and deploy additional malware on infected machines. While the version discovered in June (v3.0) Minerva-lab researchers recently observed a newer v3.3.3 loader which looks to be fully functionable and includes a multi-stage delivery chain.
Modified_Chaos_Ransomware_Killnet_in_the_wild
MEDIUM
+
—
- Intel Source:
- Cyble
- Intel Name:
- Modified_Chaos_Ransomware_Killnet_in_the_wild
- Date of Scan:
- 2022-11-09
- Impact:
- MEDIUM
- Summary:
- Researchers from Cyble discovered Data-destructive ransomware related to the pro-Russian Threat Actors (TA) organization "Killnet" The ransomware drops a note directed to a Telegram page for supporting Russian hacktivists. The ransomware is seen targeting multiple adversaries across the globe.
The_repeated_use_of_DLL-hijack_execution
LOW
+
—
- Intel Source:
- Sophos
- Intel Name:
- The_repeated_use_of_DLL-hijack_execution
- Date of Scan:
- 2022-11-09
- Impact:
- LOW
- Summary:
- The Sophos researchers have observed multiple attacks targeting government organizations in Asia, involving DLL sideloading – on of the most comon technique of China-based APT groups and shared the evidence og the connection of the inidents and how threat actors base their attacks on well-known, effective techniques, adding complexity and variation over time.
Diving_Deep_into_DeimosC2_C&C_Framework
LOW
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- Diving_Deep_into_DeimosC2_C&C_Framework
- Date of Scan:
- 2022-11-09
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro have analyzed the technical details of DeimosC2 C&C framework.
Raccoon_stealer_2.0_malware_analysis
LOW
+
—
- Intel Source:
- Any.Run
- Intel Name:
- Raccoon_stealer_2.0_malware_analysis
- Date of Scan:
- 2022-11-09
- Impact:
- LOW
- Summary:
- The Any.Run analysts triaged multiple Raccoon stealer V2 samples, collected typical behavior activities, and briefly described its execution process. They also provided more deeper and more detailed Raccoon stealer 2.0 malware analysis to follow all steps and get a complete picture of the info stealer's behavior.
Crimson_Kingsnake_threat_impersonation
LOW
+
—
- Intel Source:
- AbnormalSecurity
- Intel Name:
- Crimson_Kingsnake_threat_impersonation
- Date of Scan:
- 2022-11-08
- Impact:
- LOW
- Summary:
- The researchers discovered a new BEC group that impersonating tactics to swindle companies around the world. The group is called Crimson Kingsnake, impersonates real attorneys, law firms, and debt recovery services to deceive accounting professionals into quickly paying bogus invoices. Also they observed Crimson Kingsnake target companies throughout the United States, Europe, the Middle East, and Australia.
The_expansion_of_SocGholish_malware
LOW
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- The_expansion_of_SocGholish_malware
- Date of Scan:
- 2022-11-08
- Impact:
- LOW
- Summary:
- Researchers from SentinelOne discovered the expanding their infrastructure for staging malware with new servers. This helps the operators to counter defensive operations against known servers and scale up their operation.
Robin_Banks_Phishing_Service_Back_to_Steal_Banking_Accounts
LOW
+
—
- Intel Source:
- IronNet
- Intel Name:
- Robin_Banks_Phishing_Service_Back_to_Steal_Banking_Accounts
- Date of Scan:
- 2022-11-07
- Impact:
- LOW
- Summary:
- Researchers from IronNet have identified that the Robin Banks phishing-as-a-service (PhaaS) platform is back in action with infrastructure hosted by a Russian internet company that offers protection against distributed denial-of-service (DDoS) attacks.
WindowMalware_with_VHD_Extension
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- WindowMalware_with_VHD_Extension
- Date of Scan:
- 2022-11-07
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed a phishing email including an attachment and found the email as a PDF but is in fact a VHD file.
APT36_Targeting_Indian_Governmental_Organizations
MEDIUM
+
—
- Intel Source:
- Zscaler
- Intel Name:
- APT36_Targeting_Indian_Governmental_Organizations
- Date of Scan:
- 2022-11-07
- Impact:
- MEDIUM
- Summary:
- According to Zscaler researchers, APT-36 (also known as Transparent Tribe) targets users working at Indian government organizations with updated TTPs and tools.
Windows_Malware_with_VHD_Extension
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Windows_Malware_with_VHD_Extension
- Date of Scan:
- 2022-11-07
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed a phishing email including an attachment and found the email as a PDF but is in fact a VHD file.
Remcos_Downloader_with_Unicode_Obfuscation
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Remcos_Downloader_with_Unicode_Obfuscation
- Date of Scan:
- 2022-11-07
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed a malicious RAR archive containing a VBS script. It was called “Unidad judicial citacion pendiente Fiscalia.rar” and protected with a simple 4-numbers password to defeat automatic scanning. The same name appears inside the VBS script.
The_threat_actor_RomCom_new_attacks
LOW
+
—
- Intel Source:
- Blackberry
- Intel Name:
- The_threat_actor_RomCom_new_attacks
- Date of Scan:
- 2022-11-04
- Impact:
- LOW
- Summary:
- The BlackBerry Threat Research and Intelligence team shed light on RomCom's new attack campaigns spoofing legitimate network scanning tools through phishing and spoofed domains targetting Ukraine and other English-speaking countries delivering RomComs RAT.
New_Laplas_Clipper_Malware_distributed_through_SmokeLoader
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- New_Laplas_Clipper_Malware_distributed_through_SmokeLoader
- Date of Scan:
- 2022-11-04
- Impact:
- LOW
- Summary:
- Researchers from Cyble Identified a new attack technique leveraging SmokeLoader to load various malware into the target system, compromised through spam emails. The campaign seems to be highly active in the wild, using Laplas Clipper targetting Cryptocurrency users.
New_Black_Basta_Ransomware_Tools_and_tactics
LOW
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- New_Black_Basta_Ransomware_Tools_and_tactics
- Date of Scan:
- 2022-11-04
- Impact:
- LOW
- Summary:
- Sentinel Labs researchers shed light on the highly evasive Black Basta Ransomware, which they link to FIN7 or one of their developer's operational TTPs in depth, exposing previously undiscovered tools and tactics.
OPERA1ER_APT_Hackers_attacks
LOW
+
—
- Intel Source:
- Group-IB
- Intel Name:
- OPERA1ER_APT_Hackers_attacks
- Date of Scan:
- 2022-11-04
- Impact:
- LOW
- Summary:
- Researchers from Group-IB have identified that a French-speaking threat actor named OPERA1ER has been linked to a series of more than 30 successful cyber attacks aimed at banks, financial services, and telecom companies across Africa, Asia, and Latin America between 2018 and 2022.
Apache_Commons_Text4Shell_Vulnerability
MEDIUM
+
—
- Intel Source:
- Securonix
- Intel Name:
- Apache_Commons_Text4Shell_Vulnerability
- Date of Scan:
- 2022-11-04
- Impact:
- MEDIUM
- Summary:
- Securonix researchers have analyzed the Apache Commons Text library vulnerability that is currently being exploited. On October 13, Apache Software Foundation was notified of a Text4shell vulnerability affecting versions 1.5 to 1.9. It has been patched in version 1.10.0.
Raise_in_Chromeloader_Malware_attacks
LOW
+
—
- Intel Source:
- ESentire
- Intel Name:
- Raise_in_Chromeloader_Malware_attacks
- Date of Scan:
- 2022-11-04
- Impact:
- LOW
- Summary:
- Researchers from ESentire discovered the latest traces of Chromeloader Malware being spread in the wild. The malware seems more persistent, promising higher permissions on the target's system.
Ransomware_targeting_ESXi
LOW
+
—
- Intel Source:
- VMware
- Intel Name:
- Ransomware_targeting_ESXi
- Date of Scan:
- 2022-11-04
- Impact:
- LOW
- Summary:
- Researchers from VMware's Threat Analysis Team shed details about various ransomware families targetting Enterprises leveraging VMware ESXi, their techniques, and tactics.
Appleseed_Malware_Spreading_to_Nuclear_Power_Plant_Companies
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Appleseed_Malware_Spreading_to_Nuclear_Power_Plant_Companies
- Date of Scan:
- 2022-11-03
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered that AppleSeed has been distributed to nuclear power plants. Kimsuky, a North Korean affiliated organization, is actively distributing AppleSeed, a backdoor malware, to many companies.
Cranefly_Hackers_Installing_Undocumented_Malware
LOW
+
—
- Intel Source:
- Symantec
- Intel Name:
- Cranefly_Hackers_Installing_Undocumented_Malware
- Date of Scan:
- 2022-11-03
- Impact:
- LOW
- Summary:
- A Symantec researcher have discovered that an unknown dropper is being used to install a new backdoor and other tools by reading commands from seemingly innocuous Internet Information Services (IIS) logs.
The_observation_of_public_cloud_services_attacks
MEDIUM
+
—
- Intel Source:
- Securelist
- Intel Name:
- The_observation_of_public_cloud_services_attacks
- Date of Scan:
- 2022-11-03
- Impact:
- MEDIUM
- Summary:
- Kaspersky has reported several incidents where attackers used cloud services for C&C. They described in their report several interesting incidents for server-side attacks, C&C in public clouds and other MDR cases
Ignoring_of_old_Wannacry_ransomware
MEDIUM
+
—
- Intel Source:
- SecurityAffairs
- Intel Name:
- Ignoring_of_old_Wannacry_ransomware
- Date of Scan:
- 2022-11-03
- Impact:
- MEDIUM
- Summary:
- In May 2017, the world learned about a global security attack, the Wannacry ransomware carried out through a malicious code capable of encrypting data residing in information systems and demanding a ransom in cryptocurrency to restore them, the Wannacry ransomware. That attack was considered to be the worst cyber attack in terms of contamination rate and scope, putting public offices and companies (especially healthcare facilities) out of operation. By this happening, some companies still didn't learn the lesson and still ignoring it.
Elbie_Ransomware_Distributing_in_Korea
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Elbie_Ransomware_Distributing_in_Korea
- Date of Scan:
- 2022-11-03
- Impact:
- LOW
- Summary:
- Using internal monitoring, ASEC researchers have discovered that ieinstal.exe is being used in the distribution of Elbie ransomware.
Techniques_used_by_notorious_banking_Trojans
LOW
+
—
- Intel Source:
- PaloAlto
- Intel Name:
- Techniques_used_by_notorious_banking_Trojans
- Date of Scan:
- 2022-11-03
- Impact:
- LOW
- Summary:
- Palo Alto ranalysts summarized techniques used by notorious banking Trojan families to evade detection, steal sensitive data and manipulate data. We’ll also describe how those techniques can be blocked. These families include Zeus, Kronos, Trickbot, IcedID, Emotet and Dridex.
The_Fox_Hack_malicious_functions
LOW
+
—
- Intel Source:
- Wordsfence
- Intel Name:
- The_Fox_Hack_malicious_functions
- Date of Scan:
- 2022-11-03
- Impact:
- LOW
- Summary:
- The Wordfence threat analysts recently discovered the latest version of a Command and Control (C2) script, which is referred to as F-Automatical within the script’s code and was commonly known as FoxAuto in older versions. This version of this automatic C2 script that is developed and distributed by a threat group called Anonymous Fox. This script allows for anything from simple information stealing attacks, up to full site takeover, and more.
A_Guloader_variant_techniques
LOW
+
—
- Intel Source:
- PaloAlto
- Intel Name:
- A_Guloader_variant_techniques
- Date of Scan:
- 2022-11-03
- Impact:
- LOW
- Summary:
- Unit 42 researchers observed a new Guloader variant that contains a shellcode payload protected by anti-analysis techniques. Their purpose is to slow human analysts and sandboxes processing this sample.
Surtr_Ransomware_Distributing_in_Korea
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Surtr_Ransomware_Distributing_in_Korea
- Date of Scan:
- 2022-11-03
- Impact:
- LOW
- Summary:
-
Researchers from ASEC have discovered that Surtr ransomware is being distributed. This ransomware encrypts files, then adds a “[[email protected]].[
].Surtr” file extension to the original file extension name.
Vulnerable_Docker_and_Kubernetes_Infrastructure_targeted_by_a_Kiss-a-Dog_Cryptojacking_Campaign
LOW
+
—
- Intel Source:
- Crowdstrike
- Intel Name:
- Vulnerable_Docker_and_Kubernetes_Infrastructure_targeted_by_a_Kiss-a-Dog_Cryptojacking_Campaign
- Date of Scan:
- 2022-11-02
- Impact:
- LOW
- Summary:
- The CrowdStrike team have identified a new cryptojacking campaign called "Kiss-a-dog" that targets vulnerable Docker and Kubernetes infrastructures. The campaign uses an obscure domain from the payload, container escape attempts, and anonymized dog mining pools to target Docker and Kubernetes infrastructures.
Follina_Vulnerability_triggering_Qbot_infection_chain_compromising_Domain
LOW
+
—
- Intel Source:
- DFIRReport
- Intel Name:
- Follina_Vulnerability_triggering_Qbot_infection_chain_compromising_Domain
- Date of Scan:
- 2022-11-02
- Impact:
- LOW
- Summary:
- The DFIR Report researchers discovered an intrusion using the Follina Vulnerability for Initial Access that caused Qbot infection, compromised the entire domain, launched several payloads, and evaded detection.
Transformation_of_DarkVNC_from_VNC
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Transformation_of_DarkVNC_from_VNC
- Date of Scan:
- 2022-11-02
- Impact:
- LOW
- Summary:
- A team of researchers from SANS have analyzed Virtual Network Computing (VNC), which is a method for controlling a computer remotely. In addition, VNC is a cross-platform screen-sharing system that allows full keyboard and visual control of a remote computer as if you were physically present.
ShadowPad_malware_analyses
LOW
+
—
- Intel Source:
- VMware
- Intel Name:
- ShadowPad_malware_analyses
- Date of Scan:
- 2022-11-02
- Impact:
- LOW
- Summary:
- VMware researchers have discovered active ShadowPad C2s on the Internet by analyzing the command and control (C2) protocol.
A_payload_for_NetSupport_RAT_from_the_sczriptzzbn_inject
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- A_payload_for_NetSupport_RAT_from_the_sczriptzzbn_inject
- Date of Scan:
- 2022-11-01
- Impact:
- LOW
- Summary:
- This month reserchers from SANS had seeing a payload for NetSupport RAT from the sczriptzzbn inject. This injected script causes a fake browser update page to appear in the victim's browser.
The_remote_desktop_services_targeted_by_Venus_ransomware
LOW
+
—
- Intel Source:
- MalwareBytes
- Intel Name:
- The_remote_desktop_services_targeted_by_Venus_ransomware
- Date of Scan:
- 2022-11-01
- Impact:
- LOW
- Summary:
- Malwarebytes researchers shared about the threat actors behind the relatively new Venus Ransomware are hacking into publicly-exposed Remote Desktop services to encrypt Windows devices.
An_increase_in_threats_packaged_in_password_protected_archives
LOW
+
—
- Intel Source:
- Trustwave
- Intel Name:
- An_increase_in_threats_packaged_in_password_protected_archives
- Date of Scan:
- 2022-11-01
- Impact:
- LOW
- Summary:
- Trustwave lab discovered a rise of in threats packaged in password-protected archives with about 96% of these being spammed by the Emotet Botnet. The team also noticed an interesting attachment in this spam campaign. Disguised as an invoice, the attachment in either ZIP or ISO format, contained a nested self-extracting (SFX) archive.
The_Growth_of_LODEINFO_backdoor_shellcode
LOW
+
—
- Intel Source:
- Securelist
- Intel Name:
- The_Growth_of_LODEINFO_backdoor_shellcode
- Date of Scan:
- 2022-10-31
- Impact:
- LOW
- Summary:
- Securelist researchers have identified that LODEINFO shellcode was regularly updated for use with each infection vector. The developer of LODEINFO v0.5.6 has implemented three new backdoor commands that enhance evasion techniques for certain security products.
AgentTesla_Being_Distributed_via_VBS
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- AgentTesla_Being_Distributed_via_VBS
- Date of Scan:
- 2022-10-31
- Impact:
- LOW
- Summary:
- The ASEC analysis team has recently identified that AgentTesla is being distributed through malicious VBS. The script file has multiple codes that have been obfuscated multiple times. AgentTesla has been found to be distributed last May through a Windows Help file (*.chm), and it seems that its distribution method is continuously changing.
Lazarus_Attack_Group_Disabling_Anti-Malware_Programs_With_the_BYOVD_Technique
MEDIUM
+
—
- Intel Source:
- ASEC
- Intel Name:
- Lazarus_Attack_Group_Disabling_Anti-Malware_Programs_With_the_BYOVD_Technique
- Date of Scan:
- 2022-10-31
- Impact:
- MEDIUM
- Summary:
- ASEC researchers have identified the Malware Infection by the Lazarus Attack Group Disabling Anti-Malware Programs With the BYOVD Technique
The_Raspberry_Robin_worm_recent_activity
LOW
+
—
- Intel Source:
- Microsoft
- Intel Name:
- The_Raspberry_Robin_worm_recent_activity
- Date of Scan:
- 2022-10-31
- Impact:
- LOW
- Summary:
- The researchers from Microsoft has noted recent activity for the Raspberry Robin worm which links to other malware families and alternate infection methods beyond its original USB drive spread. These infections are taking to the follow-on hands-on-keyboard attacks and human-operated ransomware activity. Microsoft monitoring of Raspberry Robin activity also shows it is very active operation: Microsoft Defender for Endpoint data indicates that nearly 3,000 devices in almost 1,000 organizations have seen at least one Raspberry Robin payload-related alert in the last 30 days.
Qakbot_evolves_intrusion_by_leveraging_valid_code_signing
LOW
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- Qakbot_evolves_intrusion_by_leveraging_valid_code_signing
- Date of Scan:
- 2022-10-31
- Impact:
- LOW
- Summary:
- Researchers from TrendMicro extensively researched Qakbot evolving into more intrusive malware leveraging valid code signing through excel macros and .dll files. Qakbot has been seen enumerating and dumping certificates and private keys since July.
A_rise_of_BlackCat_ransomware
MEDIUM
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- A_rise_of_BlackCat_ransomware
- Date of Scan:
- 2022-10-31
- Impact:
- MEDIUM
- Summary:
- The BlackCat ransomware recently was very successful in the attacks on big-profile companies and it uses the triple extortion to exposing exfiltrated data. Plus ransomware actors that use triple extortion threaten to launch distributed denial-of-service (DDoS) attacks on their victims’ infrastructure to coerce them to pay the ransom.
Warzone_RAT_Delivering_via_Fake_Hungarian_Government_Email
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Warzone_RAT_Delivering_via_Fake_Hungarian_Government_Email
- Date of Scan:
- 2022-10-28
- Impact:
- MEDIUM
- Summary:
- Researchers from FortiGuard have discovered an email pretending to come from the Hungarian government. It includes an attachment that is a zipped executable that, upon execution, extracts the Warzone RAT to memory and runs it.
The_update_of_Brute_Ratel_decryption
LOW
+
—
- Intel Source:
- Medium
- Intel Name:
- The_update_of_Brute_Ratel_decryption
- Date of Scan:
- 2022-10-28
- Impact:
- LOW
- Summary:
- The developer released his notes with the addition of a change to a dynamic key instead of the hardcoded key everyone refers to. The hardcoded key is still used and exists for decrypting some of the strings on board.
Qakbot_Malware_Spreading_Rapidly_in_Korea
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Qakbot_Malware_Spreading_Rapidly_in_Korea
- Date of Scan:
- 2022-10-27
- Impact:
- LOW
- Summary:
- ASEC researchers have identified the Qakbot malware is being distributed to Korean users. It is using ISO files, which is similar to the previous version, but a process to bypass behavior detection was added.
C2_Communications_Through_outlook
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- C2_Communications_Through_outlook
- Date of Scan:
- 2022-10-27
- Impact:
- LOW
- Summary:
- Researchers from SANS have identified a malicious Python script that exchanges information with its C2 server through emails.
CoinMiner_Leveraging_Vulnerable_Apache_Tomcat_Web_Server
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- CoinMiner_Leveraging_Vulnerable_Apache_Tomcat_Web_Server
- Date of Scan:
- 2022-10-27
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified the attacks that are targeting vulnerable Apache Tomcat web servers.
FormBook_InfoStealer_Being_Distributing_as_DotNet
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- FormBook_InfoStealer_Being_Distributing_as_DotNet
- Date of Scan:
- 2022-10-27
- Impact:
- LOW
- Summary:
- ASEC researchers have identified FormBook malware that is downloaded to the system and executed while the user was using a web browser. It is an info-stealer that aims to steal the user’s web browser login information, keyboard input, clipboard, and screenshots.
Fodcha_Botnet_is_Back_With_New_Version
LOW
+
—
- Intel Source:
- 360Netlab
- Intel Name:
- Fodcha_Botnet_is_Back_With_New_Version
- Date of Scan:
- 2022-10-27
- Impact:
- LOW
- Summary:
- Researchers from 360Netlab have observed that Fodcha botnet updated with new version and in it the hacker redesigned the communication protocol, and started to use xxtea and chacha20 algorithms to encrypt sensitive resources and network communication to avoid detection at the file & traffic level.
Malicious_Extension_Dormant_Colors
LOW
+
—
- Intel Source:
- Guardio
- Intel Name:
- Malicious_Extension_Dormant_Colors
- Date of Scan:
- 2022-10-26
- Impact:
- LOW
- Summary:
- Researchers from Guardio Security have identified the Dormant Colors extension malicious campaign with millions of active installations worldwide. There are at least 30 variants of this extension part of a campaign for both Chrome and Edge, available freely in the relevant stores.
LV_Ransomware_Leveraging_ProxyShell_to_Attack
LOW
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- LV_Ransomware_Leveraging_ProxyShell_to_Attack
- Date of Scan:
- 2022-10-26
- Impact:
- LOW
- Summary:
- Researchers from Trend Micro have identified ransomware as a service (RaaS) named LV Ransomware which is exploiting ProxyShell in an attack on a Jordan-based company.
Deep_Analysis_of_Attack_Techniques_and_Cases_Using_RDP
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Deep_Analysis_of_Attack_Techniques_and_Cases_Using_RDP
- Date of Scan:
- 2022-10-26
- Impact:
- LOW
- Summary:
- Researchers from ASEC have analyzed the cases of RDP (Remote Desktop Protocol) attacks using techniques and cases. It is commonly used in most attacks, and this is because it is useful for initial compromise or lateral movement in comparison to remote control tools that require additional installation processes.
A_distribution_of_Amadey_Bot_malware
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- A_distribution_of_Amadey_Bot_malware
- Date of Scan:
- 2022-10-26
- Impact:
- LOW
- Summary:
- The Korean Internet & Security Agency shared a notice “Advising Caution on Cyber Attacks Exploiting the Kakao Service Malfunction Issue’, with the malware details about it pretending it as a KakaoTalk installation file (KakaoTalkUpdate.zip etc.) and being distributed by email. The ASEC analysis team got the relevant samples and discovered that it has same filename and icon as the actual messenger program, which prompts ordinary users to launch it.
Scammers_Impersonating_Multiple_Brands_for_Phishing_Attack
LOW
+
—
- Intel Source:
- Checkpoint
- Intel Name:
- Scammers_Impersonating_Multiple_Brands_for_Phishing_Attack
- Date of Scan:
- 2022-10-26
- Impact:
- LOW
- Summary:
- Researchers from Checkpoint have analyzed the phishing campaigns and found top brands which are most frequently imitated by criminals in their attempts to steal individuals' personal information or payment credentials during July, August, and September.
Evolution_of_Magniber_Ransomware
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Evolution_of_Magniber_Ransomware
- Date of Scan:
- 2022-10-26
- Impact:
- LOW
- Summary:
- Researchers from ASEC have analyzed the Magniber ransomware files distributed in each time period. In the month of September alone, there have been format changes up to four times (cpl -> jse -> js -> wsf -> msi). Frequent changes were also made to the method of injection, UAC bypassing and deactivation of the Windows 10 recovery environment, for the purpose of bypassing detection.
Cuba_Ransomware_Targeting_Ukrainian_Government_Agencies
LOW
+
—
- Intel Source:
- CERT-UA
- Intel Name:
- Cuba_Ransomware_Targeting_Ukrainian_Government_Agencies
- Date of Scan:
- 2022-10-25
- Impact:
- LOW
- Summary:
- CERT-UA researchers have issued an alert about potential Cuba Ransomware attacks against critical networks in the country. They observed a new wave of phishing emails that impersonated the Press Service of the General Staff of the Armed Forces of Ukraine, urging recipients to click on an embedded link.
US_Government_warns_of_Daixin_Team_Targeting_Health_sector_with_Ransomware
MEDIUM
+
—
- Intel Source:
- CISA
- Intel Name:
- US_Government_warns_of_Daixin_Team_Targeting_Health_sector_with_Ransomware
- Date of Scan:
- 2022-10-25
- Impact:
- MEDIUM
- Summary:
- The Daixin Team is a ransomware and data extortion group that has targeted the HPH sector with ransomware and data extortion operations since at least June 2022. Since then, Daixin Team cybercrime actors have caused ransomware incidents at multiple HPH Sector organizations.
Analysis_of_Malicious_RTF_Files
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Analysis_of_Malicious_RTF_Files
- Date of Scan:
- 2022-10-25
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed malicious RTF files.
Web_Skimmers_Still_Active
LOW
+
—
- Intel Source:
- PaloAlto
- Intel Name:
- Web_Skimmers_Still_Active
- Date of Scan:
- 2022-10-25
- Impact:
- LOW
- Summary:
- PaloAlto researchers have analyzed the latest trends of web threats such as host and landing URLs, including where they are hosted, what categories they belong to, and which malware families pose the most threats.
SideWinder_APT_Using_New_WarHawk_Backdoor
LOW
+
—
- Intel Source:
- Zscaler
- Intel Name:
- SideWinder_APT_Using_New_WarHawk_Backdoor
- Date of Scan:
- 2022-10-25
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have identified that SideWinder APT uses WarHawk malware to Target Entities in Pakistan.
Various_Remote_Control_Tools_attacks
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Various_Remote_Control_Tools_attacks
- Date of Scan:
- 2022-10-24
- Impact:
- LOW
- Summary:
- Researchers from ASEC discovered multiple attack campaigns abusing various remote control tools to steal information, install backdoors and deploy malwares.
Infostealer_Distributing_Via_Free_and_Cracked_Software
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Infostealer_Distributing_Via_Free_and_Cracked_Software
- Date of Scan:
- 2022-10-24
- Impact:
- LOW
- Summary:
- Researchers from Cyble have identified the new Temp stealer spreading via free and cracked software.
Zero_Day_Vulnerabilities_in_Microsoft_Exchange_Server
MEDIUM
+
—
- Intel Source:
- Wordsfence
- Intel Name:
- Zero_Day_Vulnerabilities_in_Microsoft_Exchange_Server
- Date of Scan:
- 2022-10-21
- Impact:
- MEDIUM
- Summary:
- Wordfence researchers have observed exploit attempts targeting two zero-day vulnerabilities in Microsoft Exchange Server tracked as CVE-2022-41040 and CVE-2022-41082. A total of 1,658,281 exploit attempts were observed across their network of 4 million protected websites due to these vulnerabilities.
The_multiple_malware_attacks_on_VMware_Vulnerability
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- The_multiple_malware_attacks_on_VMware_Vulnerability
- Date of Scan:
- 2022-10-21
- Impact:
- MEDIUM
- Summary:
- Researchers from Fortinet discovered multiple malware campaigns leveraging CVE-2022-22954 to deploy Mirai, RAR1ransom, GuardMiner.
Hackers_Exploiting_Text4Shell_Vulnerability
HIGH
+
—
- Intel Source:
- Wordsfence
- Intel Name:
- Hackers_Exploiting_Text4Shell_Vulnerability
- Date of Scan:
- 2022-10-21
- Impact:
- HIGH
- Summary:
- Researchers from Wordfence have started detecting exploitation attempts targeting the newly disclosed flaw in Apache Commons Text on October 18, 2022. The vulnerability, tracked as CVE-2022-42889 aka Text4Shell, has been assigned a severity ranking of 9.8 out of a possible 10.0 on the CVSS scale and affects versions 1.5 through 1.9 of the library.
A_New_Variant_of_URSNIF_Malware
LOW
+
—
- Intel Source:
- Mandiant
- Intel Name:
- A_New_Variant_of_URSNIF_Malware
- Date of Scan:
- 2022-10-20
- Impact:
- LOW
- Summary:
- Researchers from Mandiant have observed URSNIF malware shifting its focus to Ransomware and Data Theft from Banking fraud.
WatchDog_Hackers_Possibly_Impersonating_TeamTNT
LOW
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- WatchDog_Hackers_Possibly_Impersonating_TeamTNT
- Date of Scan:
- 2022-10-20
- Impact:
- LOW
- Summary:
- Researchers at TrendMicro have found that the attack patterns are similar to the arsenal used by TeamTNT, but that it is likely a different cryptocurrency mining group, known as WatchDog, is deploying the code.
Black_Basta_and_the_Unnoticed_Delivery
MEDIUM
+
—
- Intel Source:
- Checkpoint
- Intel Name:
- Black_Basta_and_the_Unnoticed_Delivery
- Date of Scan:
- 2022-10-20
- Impact:
- MEDIUM
- Summary:
- Researchers from Checkpoint have observed in a recent Black Basta incident spotted by Incident Response Team, the operators behind this ransomware also have an impressive organizational structure.
New_PowerShell_Backdoor_Fully_Undetectable
MEDIUM
+
—
- Intel Source:
- SafeBreach
- Intel Name:
- New_PowerShell_Backdoor_Fully_Undetectable
- Date of Scan:
- 2022-10-19
- Impact:
- MEDIUM
- Summary:
- Using a novel method of disguising itself as part of the Windows update process, researchers from SafeBreach have detected a new fully undetectable (FUD) PowerShell backdoor.
LAZARUS_attacks_using_spear_phishing_emails
LOW
+
—
- Intel Source:
- WeliveSecurity
- Intel Name:
- LAZARUS_attacks_using_spear_phishing_emails
- Date of Scan:
- 2022-10-19
- Impact:
- LOW
- Summary:
- The Lazarus campaign targeted an aerospace company employee in the Netherlands and a political journalist in Belgium. The campaign started with spear phishing emails. These came in the form of fake Amazon emails. The main goal of the attackers was to steal data.
A_Latest_Edition_of_The_New_Royal_Ransomware
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- A_Latest_Edition_of_The_New_Royal_Ransomware
- Date of Scan:
- 2022-10-18
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs got a data on a new variant that gaining an interest in the OSINT community. Royal is a reasonably new operation, having been around since at least the start of 2022. The target of this malware is Microsoft Windows platforms and Windows users. The aim is to gain access to a victim’s environment, encrypt their data, and extort a ransom to return access to any files touched.
Diving_Deep_into_New_64_Bit_Emotet_Modules
LOW
+
—
- Intel Source:
- Quick Heal
- Intel Name:
- Diving_Deep_into_New_64_Bit_Emotet_Modules
- Date of Scan:
- 2022-10-18
- Impact:
- LOW
- Summary:
- Researchers from QuickHeal have analyzed the new 64 bit Emotet modules and their differences from the previous cosmetic versions.
Python_Obfuscation_for_Dummies
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Python_Obfuscation_for_Dummies
- Date of Scan:
- 2022-10-18
- Impact:
- LOW
- Summary:
- SANS researchers analyzed several malicious Python scripts with the same appearance and end strings. Due to the obfuscation technique, we are unable to figure out what the script is used for without executing it in a sandbox.
Potential_C2_Seeder_Queries_18102022
MEDIUM
+
—
- Intel Source:
- STR
- Intel Name:
- Potential_C2_Seeder_Queries_18102022
- Date of Scan:
- 2022-10-18
- Impact:
- MEDIUM
- Summary:
- This research is part of Securonix Threat Labs - Threat Research Team
CuckooBees_Campaign_Targeting_Organizations_in_Hong_Kong
LOW
+
—
- Intel Source:
- Symantec
- Intel Name:
- CuckooBees_Campaign_Targeting_Organizations_in_Hong_Kong
- Date of Scan:
- 2022-10-18
- Impact:
- LOW
- Summary:
- According to Symantec researchers, CuckooBee is continuing to target Hong Kong-based organizations. As part of this ongoing campaign, Spyder Loader (Trojan.Spyload) malware was installed on the networks of victims.
A_new_adversary_simulation_tool_Brute_Ratel_C4_(BRC4)
LOW
+
—
- Intel Source:
- Splunk
- Intel Name:
- A_new_adversary_simulation_tool_Brute_Ratel_C4_(BRC4)
- Date of Scan:
- 2022-10-17
- Impact:
- LOW
- Summary:
- The Splunk Threat Research Team (STRT) shared their reserach with the capture of Brute Ratel Badgers (agents) to create a Yara rule and help to identify more on VirusTotal. Brute Ratel tool is growing in the ranks of popularity among red teamers and most recently adversaries. Plus, the reserachers reversed a sample to understand its functions and analyzed it to help defenders identify behaviors related to Brute Ratel.
SocGholish_Drive_by_Compromise
LOW
+
—
- Intel Source:
- AT&T
- Intel Name:
- SocGholish_Drive_by_Compromise
- Date of Scan:
- 2022-10-17
- Impact:
- LOW
- Summary:
- AT&T researchers have analyzed an alert related to SocGholish that is providing fake software updates.
Prestige_Ransomware_Targeting_Organizations_in_Ukraine_and_Poland
LOW
+
—
- Intel Source:
- Microsoft
- Intel Name:
- Prestige_Ransomware_Targeting_Organizations_in_Ukraine_and_Poland
- Date of Scan:
- 2022-10-17
- Impact:
- LOW
- Summary:
- Researchers from Microsoft have identified new Prestige ransomware that is being used in attacks aimed at transportation and logistics organizations in Ukraine and Poland.
Diving_Deep_into_BlueSky_Ransomware
LOW
+
—
- Intel Source:
- Cloudsek
- Intel Name:
- Diving_Deep_into_BlueSky_Ransomware
- Date of Scan:
- 2022-10-17
- Impact:
- LOW
- Summary:
- CloudSEK researchers have done a deep analysis of BlueSky Ransomware that covers the technical aspects: Procedure for privilege escalation, Persistence, Encryption mechanism, and Evasion techniques.
A_rise_of_threats_from_newly_observed_domains
LOW
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- A_rise_of_threats_from_newly_observed_domains
- Date of Scan:
- 2022-10-17
- Impact:
- LOW
- Summary:
- Last year, Palo Alto Networks created a proactive detector which recognized malicious domains at that time and identifyed them before they are starting their malicious activities. At Palo Alto Networks detector extract NODs from passive DNS and proactively detect potential cybercriminal activities among them. The system scans and discovered newly registered domains (NRDs) and detected their potential network abuses.
A_new_Powershell_script_dropps_a_malware
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- A_new_Powershell_script_dropps_a_malware
- Date of Scan:
- 2022-10-17
- Impact:
- LOW
- Summary:
- Researchers from SANS have hunted and found a malicious Powershell script that drops a malware on the victim's computer. It is not new one. It is called "autopowershell.ps1". This malware tries to reduce at the minimum interactions with the file system. But, to achieve persistence, it must write something on the disk. Most of the time, it's done through registry keys.
LockBit_3.0_is_in_the_spotlight_again
MEDIUM
+
—
- Intel Source:
- VMware
- Intel Name:
- LockBit_3.0_is_in_the_spotlight_again
- Date of Scan:
- 2022-10-17
- Impact:
- MEDIUM
- Summary:
- VMware searchers observed LockBit continues its rise to the top of the ransomware ecosystem and the most leading ransomware strain. It was announced that the builder for the ransomware was leaked by @ali_qushji and available for download from GitHub. This leaked source allows for complete and unhindered analysis, but meaning also that many new groups are emerging, using the same or modified versions of LockBit 3.0 originating from this builder.
The_Connection_Between_REvil_and_Ransom_Cartel_Ransomware
LOW
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- The_Connection_Between_REvil_and_Ransom_Cartel_Ransomware
- Date of Scan:
- 2022-10-17
- Impact:
- LOW
- Summary:
- Researchers from Palo Alto have done a deep analysis of Ransom Cartel ransomware, as well as our assessment of the possible connections between REvil and Ransom Cartel ransomware.
COVID_Phishing_Campaign
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- COVID_Phishing_Campaign
- Date of Scan:
- 2022-10-17
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed phishing emails about Covid for all suppliers to declare their vaccination status, but the date is almost 1 year old.
Deep_Analysis_of_QBot_HTML_File
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Deep_Analysis_of_QBot_HTML_File
- Date of Scan:
- 2022-10-14
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed a malicious QBot HTML file that contains BASE64 images with malware.
Ransom_Cartel_ransomware_performance_overlaps_with_REvil_ransomware
MEDIUM
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- Ransom_Cartel_ransomware_performance_overlaps_with_REvil_ransomware
- Date of Scan:
- 2022-10-14
- Impact:
- MEDIUM
- Summary:
- Palo Alto shared their analysis of Ransom Cartel ransomware. Unit 42 has observed Ransom Cartel encrypting both Windows and Linux VMWare ESXi servers in attacks on corporate networks. Ransom Cartel uses double extortion and some of the same TTPs were observed during ransomware attacks, this type of ransomware uses less common tools – DonPAPI.
BianLian_Ransomware_encrypts_withan_immediate_speed
MEDIUM
+
—
- Intel Source:
- Blackberry
- Intel Name:
- BianLian_Ransomware_encrypts_withan_immediate_speed
- Date of Scan:
- 2022-10-14
- Impact:
- MEDIUM
- Summary:
- The reserachers from Cyble observed BianLian ransomware raises the severity level of encrypting files with exceptional speed. Threat actors created the new BianLian ransomware version in the Go programming language (aka Golang) for a variety of reasons, particularly its robust support for concurrency which gives them the ability for various malicious functions to run independently of each other, which speeds up attack.
The_examination_of_Wiper_Malware_Part_4
MEDIUM
+
—
- Intel Source:
- Crowdstrike
- Intel Name:
- The_examination_of_Wiper_Malware_Part_4
- Date of Scan:
- 2022-10-14
- Impact:
- MEDIUM
- Summary:
- Researchers from CrowdStrike have covered some of the rarely used “helper” techniques implemented by wipers, which achieve secondary goals or facilitate a smaller portion of the wiping process.
InfoStealer_Spreading_via_AnyDesk_Phishing_Site
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- InfoStealer_Spreading_via_AnyDesk_Phishing_Site
- Date of Scan:
- 2022-10-14
- Impact:
- LOW
- Summary:
- Researchers from Cyble have identified a phishing site, that is impersonating a genuine AnyDesk website. The initial infection starts when the user clicks on the “Downloads” button present in the phishing site, which downloads a malware named “Anydesk.exe” file from the remote server.
Ducktail_infostealer_came_back_again
LOW
+
—
- Intel Source:
- Zscaler
- Intel Name:
- Ducktail_infostealer_came_back_again
- Date of Scan:
- 2022-10-14
- Impact:
- LOW
- Summary:
- The Zscaler ThreatLabz research team has come across an new campaign of Ducktail Infostealer with a new PHP version which is vigorously being distributed by mimicking to be a free/cracked application installer for a variety of applications including games, Microsoft Office applications, Telegram, and others.
A_critical_authentication_bypass_vulnerability_CVE_2022_40684
High
+
—
- Intel Source:
- Wordsfence
- Intel Name:
- A_critical_authentication_bypass_vulnerability_CVE_2022_40684
- Date of Scan:
- 2022-10-14
- Impact:
- High
- Summary:
- Wordfence Threat Intelligence team recorded today several exploit attempts and requests originating from the malicious IP addresses. This exploit attempts targeting CVE-2022-40684 on network. CVE-2022-40684 is a critical authentication bypass vulnerability in the administrative interface of Fortinet’s FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager, and is being actively exploited in the wild.
Prynt_malware_injection_techniques
LOW
+
—
- Intel Source:
- Cyfirma
- Intel Name:
- Prynt_malware_injection_techniques
- Date of Scan:
- 2022-10-14
- Impact:
- LOW
- Summary:
- CYFIRMA Research team analysed an infostealer “Prynt” sample and that sample was found to be written in C/C++ and is a 32-bit console binary. Infostealer “Prynt” has the capability to steal system information from infected systems, which includes files from the targeted directories and credentials from web browsers.
A_spreading_of_RedLine_Stealer
Medium
+
—
- Intel Source:
- Cyble
- Intel Name:
- A_spreading_of_RedLine_Stealer
- Date of Scan:
- 2022-10-14
- Impact:
- Medium
- Summary:
- Cyble Research team uncovered a phishing site that pretended like a genuine “Convertio” online tool website that converts files into different file formats, including documents, images, spreadsheets, eBooks, archives, presentations, audio, video, etc. The phishing website is well-designed and appears similar to the legitimate Convertio website.
AgentTesla_Malware_Distributing_via_WSHRAT_Malware
LOW
+
—
- Intel Source:
- Uptycs
- Intel Name:
- AgentTesla_Malware_Distributing_via_WSHRAT_Malware
- Date of Scan:
- 2022-10-14
- Impact:
- LOW
- Summary:
- Uptycs researchers have identified a new Agent Tesla malware attack campaign and observed that the threat actors are now trying to drop Agent Tesla malware via WSHRAT malware.
GuLoader_malware_disguised_as_Word
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- GuLoader_malware_disguised_as_Word
- Date of Scan:
- 2022-10-13
- Impact:
- LOW
- Summary:
- ASEC researchers have discovered that the GuLoader malware is being distributed to domestic corporate users.
A_new_ongoing_tech_support_scam
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- A_new_ongoing_tech_support_scam
- Date of Scan:
- 2022-10-13
- Impact:
- LOW
- Summary:
- Cyble Research & Intelligence Labs reserachers identified a new ongoing tech support scam where the Threat Actor has developed various phishing websites that impersonated to be part of of Microsoft support sites that show a fake Windows defender alert.
WIP19_Group_Targeting_Telecommunication_and_IT_Industries
LOW
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- WIP19_Group_Targeting_Telecommunication_and_IT_Industries
- Date of Scan:
- 2022-10-13
- Impact:
- LOW
- Summary:
- SentinelOne researchers have tracked a new Chinese-speaking threat group known as WIP19 that is targeting telecommunications and IT service providers in the Middle East and Asia.
Top_malware_statistics_for_last_two_weeks
MEDIUM
+
—
- Intel Source:
- ASEC
- Intel Name:
- Top_malware_statistics_for_last_two_weeks
- Date of Scan:
- 2022-10-13
- Impact:
- MEDIUM
- Summary:
- The ASEC team did the analyse and collected statistics about Top 5 malwares from September 26th, 2022 (Monday) to October 2nd, 2022 (Sunday).
8220_Gang_continues_to_target_misconfigured_cloud_workloads
MEDIUM
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- 8220_Gang_continues_to_target_misconfigured_cloud_workloads
- Date of Scan:
- 2022-10-13
- Impact:
- MEDIUM
- Summary:
- SentinelOne noted that 8220 Gang had expanded its cloud service botnet and the group has rotated its attack infrastructure and continued to absorb compromised hosts into its botnet and to distribute cryptocurrency mining malware. 8220 Gang identifies targets via scanning for misconfigured or vulnerable hosts on the public internet.
Magniber_Ransomware_continues_targeting_Home_Users_with_Fake_Software_Updates
MEDIUM
+
—
- Intel Source:
- HP Threat Research
- Intel Name:
- Magniber_Ransomware_continues_targeting_Home_Users_with_Fake_Software_Updates
- Date of Scan:
- 2022-10-13
- Impact:
- MEDIUM
- Summary:
- Researchers from HP shared their analysis of a Magniber ransomware campaign that was going since September and targeted home users by masquerading as software updates. The attackers used the evade detection techniques, such as running the ransomware in memory, bypassing User Account Control (UAC) in Windows, and bypassing detection techniques.
New_Attack_Technique_Leveraging_Alchimist_and_Insekt_Malware
MEDIUM
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- New_Attack_Technique_Leveraging_Alchimist_and_Insekt_Malware
- Date of Scan:
- 2022-10-13
- Impact:
- MEDIUM
- Summary:
- Researchers from Cisco have discovered a new attack framework, including a command and control (C2) tool called "Alchimist" and a new malware "Insekt" written in GoLang targetting windows, Mac, and Linux in the wild.
Various_malicious_remote_control_tools
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Various_malicious_remote_control_tools
- Date of Scan:
- 2022-10-13
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified various malicious remote control tools that are generally used by various users are used. This allows attackers to bypass the security product's diagnosis and take control of the infected system in a GUI environment.
Budworm_Hackers_Targeting_US_Organization
LOW
+
—
- Intel Source:
- Symantec
- Intel Name:
- Budworm_Hackers_Targeting_US_Organization
- Date of Scan:
- 2022-10-13
- Impact:
- LOW
- Summary:
- Researchers from Symantec Threat Hunter team have identified APT group named Budworm targeting an unnamed U.S. state legislature for the first time.
Caffeine_Service_Allows_Anyone_Launch_Microsoft_365_Phishing_Attacks
LOW
+
—
- Intel Source:
- Mandiant
- Intel Name:
- Caffeine_Service_Allows_Anyone_Launch_Microsoft_365_Phishing_Attacks
- Date of Scan:
- 2022-10-12
- Impact:
- LOW
- Summary:
- Researchers from Mandiant have discovered and tested the phishing-as-a-service (PhaaS) platform named 'Caffeine' service thoroughly. Post investigation, a large-scale phishing campaign ran through the service, targeting one of Mandiant's clients to steal Microsoft 365 account credentials.
GlobeImposter_Ransomware_Targeting_Vulnerable_MS_SQL_Servers
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- GlobeImposter_Ransomware_Targeting_Vulnerable_MS_SQL_Servers
- Date of Scan:
- 2022-10-12
- Impact:
- LOW
- Summary:
- Researchers from ASEC have identified that the GlobeImposter ransomware, which targets vulnerable MS-SQL servers, is being distributed in Korea.
Black_Basta_Ransomware_Using_QAKBOT_Brute_Ratel_and_Cobalt_Strike
MEDIUM
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- Black_Basta_Ransomware_Using_QAKBOT_Brute_Ratel_and_Cobalt_Strike
- Date of Scan:
- 2022-10-12
- Impact:
- MEDIUM
- Summary:
- Researchers from Trendmicro have analyzed QAKBOT related cases that is leading to a Brute Ratel C4 and Cobalt Strike payload and that can be attributed to the threat actors behind the Black Basta ransomware.
Lazarus_Group_Leveraging_DLL_Side-Loading_Technique
MEDIUM
+
—
- Intel Source:
- ASEC
- Intel Name:
- Lazarus_Group_Leveraging_DLL_Side-Loading_Technique
- Date of Scan:
- 2022-10-12
- Impact:
- MEDIUM
- Summary:
- ASEC researchers have discovered that the Lazarus group hackers using the DLL Side-Loading attack technique (T1574.002) by abusing legitimate applications in the initial compromise stage to achieve the next stage of their attack process.
MS_Excel_File_Delivering_Multi_Stage_Cobalt_Strike_Loader
LOW
+
—
- Intel Source:
- Fortinet
- Intel Name:
- MS_Excel_File_Delivering_Multi_Stage_Cobalt_Strike_Loader
- Date of Scan:
- 2022-10-12
- Impact:
- LOW
- Summary:
- FortiGuard Labs researchers have discovered a malicious Excel document masquerading as a salary calculation tool for Ukrainian troops. It executes evasive multi-stage loaders, eventually resulting in the victim's device being infected with Cobalt Strike Beacon malware.
Qakbot_Distribution_Method_Changed_from_Excel_Macro_to_ISO_Files
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Qakbot_Distribution_Method_Changed_from_Excel_Macro_to_ISO_Files
- Date of Scan:
- 2022-10-12
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that Qakbot, an online banking malware, has changed its distribution method from Excel 4.0 Macro to ISO files.
Emotet_Malware_Using_Evasion_Techniques_in_Recent_Attacks
LOW
+
—
- Intel Source:
- VMware
- Intel Name:
- Emotet_Malware_Using_Evasion_Techniques_in_Recent_Attacks
- Date of Scan:
- 2022-10-11
- Impact:
- LOW
- Summary:
- Researchers from VMware have analyzed the Threat actors associated with the notorious Emotet malware and are continually shifting their tactics and command-and-control (C2) infrastructure to escape detection.
A_Detailed_Analysis_of_Malicious_Tools_Used_by_Cyber_Espionage_Group_Earth_Aughisky
LOW
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- A_Detailed_Analysis_of_Malicious_Tools_Used_by_Cyber_Espionage_Group_Earth_Aughisky
- Date of Scan:
- 2022-10-11
- Impact:
- LOW
- Summary:
- Trendmicro researchers have analyzed the Earth Aughisky threat group and tools with components that have yet to be identified, reported, or attributed to the group. The group is known for its ability to abuse legitimate accounts, software, applications, and other weaknesses in the network design and infrastructure for its own ends.
TheSnakeKeyloggermalwareanalyses
LOW
+
—
- Intel Source:
- X-Junior
- Intel Name:
- TheSnakeKeyloggermalwareanalyses
- Date of Scan:
- 2022-10-11
- Impact:
- LOW
- Summary:
- The researcher from X-Junior provided his deep analyses in his post about Snake Keylogger. Snake Keylogger is a malware developed using .NET anf its pupose is on stealing sensitive information from a victim’s device, saved credentials, the victim’s keystrokes, screenshots of the victim’s screen, and clipboard data.
POLONIUM_threat_group_attacks_on_Israel_continue
LOW
+
—
- Intel Source:
- WeliveSecurity
- Intel Name:
- POLONIUM_threat_group_attacks_on_Israel_continue
- Date of Scan:
- 2022-10-11
- Impact:
- LOW
- Summary:
- ESET researchers shared their findings about POLONIUM, APT group which initial compromise vector is unknown. According to ESET telemetry, POLONIUM has custom backdoors and cyberespionage tools targeted more than a dozen organizations in Israel include engineering, information technology, law, communications, branding and marketing, media, insurance, and social services.
Caffeine_Service_Allows_Anyone_Launch_Microsoft_365_Phishing_Attacks
LOW
+
—
- Intel Source:
- Mandiant
- Intel Name:
- Caffeine_Service_Allows_Anyone_Launch_Microsoft_365_Phishing_Attacks
- Date of Scan:
- 2022-10-11
- Impact:
- LOW
- Summary:
- Researchers from Mandiant have discovered and tested the phishing-as-a-service (PhaaS) platform named 'Caffeine' service thoroughly. Post investigation, a large-scale phishing campaign ran through the service, targeting one of Mandiant's clients to steal Microsoft 365 account credentials.
A_close_look_at_an_item_called_CustomXMLParts
LOW
+
—
- Intel Source:
- Inquest
- Intel Name:
- A_close_look_at_an_item_called_CustomXMLParts
- Date of Scan:
- 2022-10-10
- Impact:
- LOW
- Summary:
- In this post the reseracher covered an item called "CustomXMLParts". It is an XML container to store arbitrary data to be used in the document. The intention for it appears to give the developer a way to change the formatting of the Office document that is not already available or add additional functionality.
IcedID_campaign_metrics
LOW
+
—
- Intel Source:
- Team-cymru
- Intel Name:
- IcedID_campaign_metrics
- Date of Scan:
- 2022-10-10
- Impact:
- LOW
- Summary:
- Team Cymru researchers put together details metrics on the curtain on IcedID campaign metrics and Stage 1 C2 infrastructure, to shed light on behaviors and details not often available. These metrics are numbers the threat actors are watching as well, and just like any other business may influence their future actions.
The_installations_of_the_malicious_NPM_packages_by_“LofyGang”_group
LOW
+
—
- Intel Source:
- Chexmax
- Intel Name:
- The_installations_of_the_malicious_NPM_packages_by_“LofyGang”_group
- Date of Scan:
- 2022-10-10
- Impact:
- LOW
- Summary:
- Checkmarx discovered around 200 malicious NPM packages with thousands of installations linked to an attack group called “LofyGang”. This attack has been acting for over a year with multiple goals like getting credit card information, streaming services accounts (e.g. Disney+), Minecraft accounts, and more, discord “Nitro” (premium) upgrades.
The_"China_Chopper"_webshells_deailed_malware_report
LOW
+
—
- Intel Source:
- CISA
- Intel Name:
- The_"China_Chopper"_webshells_deailed_malware_report
- Date of Scan:
- 2022-10-10
- Impact:
- LOW
- Summary:
- The BazarCall campaigns were found to be most active in United States and Canada. BazarCall campaigns forgo malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling. It’s a technique reminiscent of vishing and tech support scams where potential victims are being cold called by the attacker, except in BazarCall’s case, targeted users must dial the number.
CISA_Malware_Analysis_Report_HyperBro
MEDIUM
+
—
- Intel Source:
- CISA
- Intel Name:
- CISA_Malware_Analysis_Report_HyperBro
- Date of Scan:
- 2022-10-10
- Impact:
- MEDIUM
- Summary:
- Researchers at CISA gathered malware samples from live incident responses loaded with HyperBro, a Remote Access trojan enabling attackers to a backdoor.
CISA_Malware_Analysis_Report_CovalentStealer
MEDIUM
+
—
- Intel Source:
- CISA
- Intel Name:
- CISA_Malware_Analysis_Report_CovalentStealer
- Date of Scan:
- 2022-10-10
- Impact:
- MEDIUM
- Summary:
- Researchers at CISA gathered malware samples from live incident responses loaded with CovalentStealer, which is designed to identify and exfiltrate files to a remote server.
LockBit_3.0_Ransomware_Spreads_again
MEDIUM
+
—
- Intel Source:
- Rewterz
- Intel Name:
- LockBit_3.0_Ransomware_Spreads_again
- Date of Scan:
- 2022-10-10
- Impact:
- MEDIUM
- Summary:
- Researchers discovered that LockBit 3.0 ransomware is being delivered in Word document format while masquerading as job application emails in NSIS format. The particular distribution method has not yet been discovered, but given that the file names include people’s names, such as ‘Lim Gyu Min.docx’ or ‘Jeon Chae Rin.docx,’ it is possible that they were spread disguised as job applications, as in previous occurrences.
CISA_Malware_Analysis_Report:_HyperBro
MEDIUM
+
—
- Intel Source:
- CISA
- Intel Name:
- CISA_Malware_Analysis_Report:_HyperBro
- Date of Scan:
- 2022-10-10
- Impact:
- MEDIUM
- Summary:
- Researchers at CISA gathered malware samples from live incident responses loaded with HyperBro, a Remote Access trojan enabling attackers to a backdoor.
Modified_FiveM_Spoofer_activity
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Modified_FiveM_Spoofer_activity
- Date of Scan:
- 2022-10-10
- Impact:
- LOW
- Summary:
- Cyble Researchers has continuously monitored phishing campaigns that distribute different malware families and recently, they identified a malicious site which redirects the user to a discord channel where the announcement is made by the Threat Actor for selling the spoofer to get unban from FiveM. The FiveM is the mod project that allows gamers to play Grand Theft Auto V (GTA5) with custom multiplayer modes on customized dedicated servers.
Another_look_at_recent_IcedID_campaigns
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Another_look_at_recent_IcedID_campaigns
- Date of Scan:
- 2022-10-10
- Impact:
- LOW
- Summary:
- Researcher from ISAC had another look at recent IcedID campaigns using PNG files to hide their malicious payload.
BazarCall_social_engineering_tactics
LOW
+
—
- Intel Source:
- Trellix
- Intel Name:
- BazarCall_social_engineering_tactics
- Date of Scan:
- 2022-10-07
- Impact:
- LOW
- Summary:
- The BazarCall campaigns were found to be most active in United States and Canada. BazarCall campaigns forgo malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling. It’s a technique reminiscent of vishing and tech support scams where potential victims are being cold called by the attacker, except in BazarCall’s case, targeted users must dial the number.
Hackers_Exploiting_CVE_2017_11882_and_Delivering_Multiple_Malware
LOW
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Hackers_Exploiting_CVE_2017_11882_and_Delivering_Multiple_Malware
- Date of Scan:
- 2022-10-07
- Impact:
- LOW
- Summary:
- Researchers at FortiGuard have found a malicious file embedded in an Excel document. Embedded files with randomized file names exploit vulnerability CVE-2017-11882 to execute malicious code that delivers and executes malware on victims' devices.
Fake_Ransomware_Spreading_via_Phishing_Emails
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Fake_Ransomware_Spreading_via_Phishing_Emails
- Date of Scan:
- 2022-10-07
- Impact:
- LOW
- Summary:
- Researchers from Cyble have identified a website that is distributing a fake ransomware executable. Instead of encrypting files, the Fake Ransomware changes file names and extensions, drops ransom notes, and threatens victims to pay a ransom as usual.
Mustang_Panda_APT_Group_Leveraging_PlugX_Malware_Family
LOW
+
—
- Intel Source:
- BlackBerry
- Intel Name:
- Mustang_Panda_APT_Group_Leveraging_PlugX_Malware_Family
- Date of Scan:
- 2022-10-07
- Impact:
- LOW
- Summary:
- Researchers from BlackBerry have discovered a campaign by an APT group called Mustang Panda that is leveraging the PlugX malware family to target the Southeast Asian state of Myanmar.
Domain_Generation_Algorithm_tactic_used_by_malware
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Domain_Generation_Algorithm_tactic_used_by_malware
- Date of Scan:
- 2022-10-07
- Impact:
- LOW
- Summary:
- Researcher from ISAC discovered a simple malicious PowerShell script that implements a backdoor with DGA capability. (“Domain Generation Algorithm") is a popular tactic used by malware to make connections with their C2 more stealthy and difficult to block. The idea is to generate domain names periodically and use them during the defined period.
Phishers_Using_HTML_Attachments_to_Steal_Sensitive_Information
LOW
+
—
- Intel Source:
- SpiderLabs
- Intel Name:
- Phishers_Using_HTML_Attachments_to_Steal_Sensitive_Information
- Date of Scan:
- 2022-10-07
- Impact:
- LOW
- Summary:
- According to Trustwave SpiderLabs, HTML file attachments have become a common occurrence in spam traps. As phishing spam is often a vehicle for malware delivery, this is not uncommon.
A_novel_backdoor_malware_targeting_Microsoft_SQL_servers
LOW
+
—
- Intel Source:
- Medium
- Intel Name:
- A_novel_backdoor_malware_targeting_Microsoft_SQL_servers
- Date of Scan:
- 2022-10-07
- Impact:
- LOW
- Summary:
- DCSO CyTec recently found a novel backdoor malware targeting Microsoft SQL servers. The malware comes in form of an “Extended Stored Procedure” DLL, a special type of extension used by Microsoft SQL servers. Once loaded into a server by an attacker, it is controlled solely using SQL queries.
Diving_Deep_into_LilithBot_Malware
LOW
+
—
- Intel Source:
- Zscaler
- Intel Name:
- Diving_Deep_into_LilithBot_Malware
- Date of Scan:
- 2022-10-06
- Impact:
- LOW
- Summary:
- Zscaler researchers have discovered a sample of multi-function malware called "LilithBot" which is associated with the Eternity threat group (a.k.a. EternityTeam; Eternity Project), linked to the Russian “Jester Group,” that has been active since at least January 2022.
A_Deep_Examination_of_PseudoManuscrypt_Malware
LOW
+
—
- Intel Source:
- BitSight
- Intel Name:
- A_Deep_Examination_of_PseudoManuscrypt_Malware
- Date of Scan:
- 2022-10-06
- Impact:
- LOW
- Summary:
- The BitSight researchers have analyzed PseudoManuscrypt malware. They describe how researchers went from unknown DGA-like domains to sinkholes and mimicked a relatively recent botnet that has infected nearly 500,000 machines (2.2M unique IP addresses) across at least 40 countries in the last 8 months, and has an estimated botnet size of around 50,000 machines.
DLL_Side_Loading_Attack_Leveraging_OneDrive_Application
LOW
+
—
- Intel Source:
- BitDefender
- Intel Name:
- DLL_Side_Loading_Attack_Leveraging_OneDrive_Application
- Date of Scan:
- 2022-10-06
- Impact:
- LOW
- Summary:
- Researchers from BitDefender have identified and documented a cryptojacking campaign exploiting known DLL sideloading vulnerabilities in Microsoft OneDrive.
Over_250_Microsoft_SQL_Servers_Infected_By_New_Maggie_Malware
MEDIUM
+
—
- Intel Source:
- DCSO CyTec Blog
- Intel Name:
- Over_250_Microsoft_SQL_Servers_Infected_By_New_Maggie_Malware
- Date of Scan:
- 2022-10-06
- Impact:
- MEDIUM
- Summary:
- DCSO CyTec researchers have identified a new malware, named Maggie, that has already infected over 250 Microsoft SQL servers worldwide. Most of the infected instances are in South Korea, India, Vietnam, China, Russia, Thailand, Germany, and the United States.
Phishing_Campaigns_in_Q3_Delivering_Malware
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Phishing_Campaigns_in_Q3_Delivering_Malware
- Date of Scan:
- 2022-10-06
- Impact:
- MEDIUM
- Summary:
- Researchers from Fortinet have elaborated on multiple phishing campaigns in Q3 delivering malware, targetting windows users.
Highly_evasive_SolarMarker_malware_activity
LOW
+
—
- Intel Source:
- eSentire
- Intel Name:
- Highly_evasive_SolarMarker_malware_activity
- Date of Scan:
- 2022-10-05
- Impact:
- LOW
- Summary:
- Researchers from eSentire have observed a spike in drive-by download malware campaigns delivering SolarMarker disguised as document templates.
Magniber_Ransomware_file_extension_changed_from_js_to_wsf
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Magniber_Ransomware_file_extension_changed_from_js_to_wsf
- Date of Scan:
- 2022-10-05
- Impact:
- LOW
- Summary:
- Researchers from ASEC have analyzed the Magniber ransomware script in the WSF format, changing the extension from *.js to *.wsf.
Hackers_using_Comm100_Desktop_Agent_App_to_Spread_Malware
LOW
+
—
- Intel Source:
- Crowdstrike
- Intel Name:
- Hackers_using_Comm100_Desktop_Agent_App_to_Spread_Malware
- Date of Scan:
- 2022-10-05
- Impact:
- LOW
- Summary:
- Researchers from CrowdStrike have identified a new supply chain attack that involves the use of a trojanized installer for the Comm100 Live Chat application to distribute a JavaScript backdoor.
The_OnionPoison_malicious_campaign
LOW
+
—
- Intel Source:
- Securelist
- Intel Name:
- The_OnionPoison_malicious_campaign
- Date of Scan:
- 2022-10-05
- Impact:
- LOW
- Summary:
- Securelist researchers discovered multiple downloads of previously unclustered malicious Tor Browser installers. According to their measuremant, all the victims targeted by these installers are located in China.
The_utilize_of_Wufoo_phishing_scams
LOW
+
—
- Intel Source:
- Cofense
- Intel Name:
- The_utilize_of_Wufoo_phishing_scams
- Date of Scan:
- 2022-10-05
- Impact:
- LOW
- Summary:
- The Cofense Phishing Defence Center recently observed the phishing scams that utilize the online form builder Wufoo, a tool commonly associated with easily created surveys and online registration forms. Threat actors have used Wufoo to create simplistic but effective credential stealing vectors.
A_MafiaWare666_ransomware_decryption_tool
LOW
+
—
- Intel Source:
- Avast
- Intel Name:
- A_MafiaWare666_ransomware_decryption_tool
- Date of Scan:
- 2022-10-05
- Impact:
- LOW
- Summary:
- Avast researchers release a MafiaWare666 ransomware decryption tool. They discovered a vulnerability in the encryption schema that allows some of the variants to be decrypted without paying the ransom. New or previously unknown samples may encrypt files differently, so they may not be decryptable without further analysis. MafiaWare666 is also known as JCrypt, RIP Lmao, BrutusptCrypt or Hades.
BlackByte_Malware_returns_with_new_tactics
LOW
+
—
- Intel Source:
- Sophos
- Intel Name:
- BlackByte_Malware_returns_with_new_tactics
- Date of Scan:
- 2022-10-05
- Impact:
- LOW
- Summary:
- Researchers from Sophos uncovered BlackByte with new tactics to bypass security products by leveraging the RTCore64.sys vulnerability.
New_Pegasus_Spyware_Abuses
LOW
+
—
- Intel Source:
- Citizenlab
- Intel Name:
- New_Pegasus_Spyware_Abuses
- Date of Scan:
- 2022-10-04
- Impact:
- LOW
- Summary:
- Researchers from Mexican digital rights organization R3D have identified Pegasus infections against journalists and a human rights defender and Citizen Lab provided technical support for R3D’s analysis and validated the infections.
Diving_Deep_into_DeftTorero_Actor
LOW
+
—
- Intel Source:
- Securelist
- Intel Name:
- Diving_Deep_into_DeftTorero_Actor
- Date of Scan:
- 2022-10-04
- Impact:
- LOW
- Summary:
- Researchers from Securelist have deeply analyzed the DeftTorero threat actor (aka Lebanese Cedar, Volatile Cedar) and it is believed to originate from the Middle East.
Bumblebee_malware_continues_to_expand_its_capabilities
LOW
+
—
- Intel Source:
- Checkpoint
- Intel Name:
- Bumblebee_malware_continues_to_expand_its_capabilities
- Date of Scan:
- 2022-10-04
- Impact:
- LOW
- Summary:
- Researchers from Checkpoint have observed the changes in the behavior of Bumblebee’s servers that occurred around June 2022 indicating that the attackers may have shifted their focus from extensive testing of their malware to reaching as many victims as possible.
New_variant_of_ransomware_dubbed_DJVU
MEDIUM
+
—
- Intel Source:
- BlackBerry
- Intel Name:
- New_variant_of_ransomware_dubbed_DJVU
- Date of Scan:
- 2022-10-04
- Impact:
- MEDIUM
- Summary:
- BlackBerry researchers have identified a new DJVU ransomware that includes several layers of obfuscation. The threat group connected with other threats, giving them the option to download and deploy information stealers to exfiltrate data, giving threat actors a second way to benefit at victims’ expense.
Lazarus_group_exploiting_Dell_Driver_Vulnerability_to_Disable_Windows_Security
MEDIUM
+
—
- Intel Source:
- WeliveSecurity
- Intel Name:
- Lazarus_group_exploiting_Dell_Driver_Vulnerability_to_Disable_Windows_Security
- Date of Scan:
- 2022-10-04
- Impact:
- MEDIUM
- Summary:
- ESET researchers have identified the Lazarus group deploying a tool on target systems that exploits the Dell DBUtil flaw to disable the monitoring of all security solutions on compromised machines, using never-before-seen techniques against Windows kernel mechanisms.
Linux_ransomware_Cheerscrypt_linked_with_Chinese_DEV_0401_APT_group
LOW
+
—
- Intel Source:
- Sygnia
- Intel Name:
- Linux_ransomware_Cheerscrypt_linked_with_Chinese_DEV_0401_APT_group
- Date of Scan:
- 2022-10-04
- Impact:
- LOW
- Summary:
- Researchers from Sygnia have investigated the Cheerscrypt ransomware attack which utilized Night Sky ransomware TTPs and, found Linux ransomware Cheerscrypt to the China-linked cyber espionage group Bronze Starlight (aka DEV-0401, APT10).
Hackers_using_Microsoft_Office_Documents_to_Deliver_Agent_Tesla_and_njRat
LOW
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Hackers_using_Microsoft_Office_Documents_to_Deliver_Agent_Tesla_and_njRat
- Date of Scan:
- 2022-10-04
- Impact:
- LOW
- Summary:
- Researchers from Fortinet have analyzed some malicious Microsoft Office documents that attempted to leverage legitimate websites to execute a shell script and then dropped two malware variants of Agent Tesla and njRat.
North_Korean_Hackers_Leveraging_Open_Source_Software
MEDIUM
+
—
- Intel Source:
- Microsoft
- Intel Name:
- North_Korean_Hackers_Leveraging_Open_Source_Software
- Date of Scan:
- 2022-10-04
- Impact:
- MEDIUM
- Summary:
- Researchers from Microsoft have observed that Zinc threat actor leveraging a wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for the attacks.
Hackers_Targeting_Military_and_Weapons_Contractors
MEDIUM
+
—
- Intel Source:
- Securonix
- Intel Name:
- Hackers_Targeting_Military_and_Weapons_Contractors
- Date of Scan:
- 2022-10-03
- Impact:
- MEDIUM
- Summary:
- Researchers from Securonix have identified a new phishing campaign targeting multiple military contractors involved in weapon manufacturing, including an F-35 Lightning II fighter aircraft components supplier.
The_malicious_decentralized_application_websites_abused_by_Water_Labbu
LOW
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- The_malicious_decentralized_application_websites_abused_by_Water_Labbu
- Date of Scan:
- 2022-10-03
- Impact:
- LOW
- Summary:
- TrendMicro discovered a threat actor and named Water Labbu that was targeting cryptocurrency scam website
Media_clones_serving_Russian_propaganda_in_Europe
LOW
+
—
- Intel Source:
- Disinfo Lab
- Intel Name:
- Media_clones_serving_Russian_propaganda_in_Europe
- Date of Scan:
- 2022-10-03
- Impact:
- LOW
- Summary:
- EU DisinfoLab researchers have investigated a large disinformation campaign targeting western audiences with pro-Russian propaganda.
A_deploying_malware_on_the_ESXi_Hypervisors
LOW
+
—
- Intel Source:
- Mandiant
- Intel Name:
- A_deploying_malware_on_the_ESXi_Hypervisors
- Date of Scan:
- 2022-10-03
- Impact:
- LOW
- Summary:
- Mandiant is investigating Novel Malware wich being persistence within ESXi Hypervisors. Mandiant tracked this actvity with the threat actor group UNC3886. Given the highly targeted and evasive nature of this intrusion, Mandiant suspects UNC3886 motivation to be cyber espionage related.
Malware_hidden_in_Windows_logo_in_cyber_attacks_against_Middle_Eastern_governments
MEDIUM
+
—
- Intel Source:
- Symantec
- Intel Name:
- Malware_hidden_in_Windows_logo_in_cyber_attacks_against_Middle_Eastern_governments
- Date of Scan:
- 2022-10-03
- Impact:
- MEDIUM
- Summary:
- Symantec researchers have observed threat actors using a steganographic trick to conceal a previously undocumented backdoor in a Windows logo in its attacks against Middle Eastern governments.
New_Go_Based_Malware_Targeting_Windows_and_Linux_Systems
MEDIUM
+
—
- Intel Source:
- Lumen
- Intel Name:
- New_Go_Based_Malware_Targeting_Windows_and_Linux_Systems
- Date of Scan:
- 2022-10-03
- Impact:
- MEDIUM
- Summary:
- Researchers from Lumen have identified a new multi-functional Go-based malware named Chaos. The malware is rapidly growing in volume in recent months to ensnare a wide range of Windows, Linux, small office/home office (SOHO) routers, and enterprise servers into its botnet.
Unpatched_Microsoft_Exchange_Zero-Day_Under_Active_Exploitation
MEDIUM
+
—
- Intel Source:
- GTSC
- Intel Name:
- Unpatched_Microsoft_Exchange_Zero-Day_Under_Active_Exploitation
- Date of Scan:
- 2022-10-03
- Impact:
- MEDIUM
- Summary:
- Researchers from GTSC have identified the flaws in fully patched Microsoft Exchange servers being exploited by malicious actors in real-world attacks to achieve remote code execution on affected systems.
A_new_ransomware_Bl00dy
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- A_new_ransomware_Bl00dy
- Date of Scan:
- 2022-10-03
- Impact:
- LOW
- Summary:
- Researchers from Cyble have identified a new ransomware named “Bl00dy” that is targeting organizations using double extortion techniques. A ransom note is created on the system to demand payment for the encrypted files. After the ransomware encrypts the files, it appends their extension with ".bl00dy."
North_Korea_Lazarus_Hackers_Targeting_macOS_Users
MEDIUM
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- North_Korea_Lazarus_Hackers_Targeting_macOS_Users
- Date of Scan:
- 2022-10-03
- Impact:
- MEDIUM
- Summary:
- SentinelOne researchers have reviewed the details of Operation In(ter)ception campaign and observed a further variant in the same campaign using lures for open positions at rival exchange Crypto.com
Mozilla_Thunderbird_distributing_Redline_Stealer
LOW
+
—
- Intel Source:
- Esentire
- Intel Name:
- Mozilla_Thunderbird_distributing_Redline_Stealer
- Date of Scan:
- 2022-10-03
- Impact:
- LOW
- Summary:
- Researchers from Esentire have discovered some of the most dangerous threats including the Kaseya MSP breach and the more_eggs malware in the recent analysis.
Finding_APTs_using_Unsigned_DLLs_Loader
MEDIUM
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- Finding_APTs_using_Unsigned_DLLs_Loader
- Date of Scan:
- 2022-09-30
- Impact:
- MEDIUM
- Summary:
- PaloAlto researchers have observed a method called "unsigned DLL loading" which is the technique to evade detection and execute more sophisticated attacks.
The_examination_of_Wiper_Malware_Part_3
LOW
+
—
- Intel Source:
- Crowdstrike
- Intel Name:
- The_examination_of_Wiper_Malware_Part_3
- Date of Scan:
- 2022-09-30
- Impact:
- LOW
- Summary:
- Researchers from CrowdStrike have covered various input/output controls (IOCTLs) in more detail and how they are used to achieve different goals — including acquiring information about infected machines and locking/unlocking disk volumes, among others.
LockBit_3_0_aka_LockBit_Black
MEDIUM
+
—
- Intel Source:
- Multiple
- Intel Name:
- LockBit_3_0_aka_LockBit_Black
- Date of Scan:
- 2022-09-30
- Impact:
- MEDIUM
- Summary:
- Researchers have analyzed the LockBit and identified it is back with LockBit 3.0
A_new_Cobalt_Strike_payload_campaign
MEDIUM
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- A_new_Cobalt_Strike_payload_campaign
- Date of Scan:
- 2022-09-30
- Impact:
- MEDIUM
- Summary:
- Researchers from Cisco have discovered a campaign that is delivering Cobalt Strike beacons that could be used in later, follow-on attacks.
New_Malware_Variants_Deliver_Fake_Cloudflare_DDoS_Captcha
LOW
+
—
- Intel Source:
- Sucuri
- Intel Name:
- New_Malware_Variants_Deliver_Fake_Cloudflare_DDoS_Captcha
- Date of Scan:
- 2022-09-30
- Impact:
- LOW
- Summary:
- Researchers from Sucuri have identified the user is prompted with a bogus Cloudflare DDoS protection screen, but in this new wave, they observed a fake CAPTCHA dialog masquerading as the popular Cloudflare service.
Detecting_and_Removing_Malicious_Software_Masquerading_as_Doenerium_Stealer
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Detecting_and_Removing_Malicious_Software_Masquerading_as_Doenerium_Stealer
- Date of Scan:
- 2022-09-30
- Impact:
- LOW
- Summary:
- A spear phishing email campaign targeting Office365 users hve observed by Cyble researchers. The same domain has also been onserved hosting several other malware variants, such as Doenerium stealer.
Polyglot_File_Delivering_IcedID
LOW
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- Polyglot_File_Delivering_IcedID
- Date of Scan:
- 2022-09-30
- Impact:
- LOW
- Summary:
- PaloAlto researchers have observed a polyglot Microsoft Compiled HTML Help file being employed in the infection process used by the information stealer IcedID.
Hackers_using_Quantum_Builder_to_deliver_Agent_Tesla_RAT
LOW
+
—
- Intel Source:
- Zscaler
- Intel Name:
- Hackers_using_Quantum_Builder_to_deliver_Agent_Tesla_RAT
- Date of Scan:
- 2022-09-30
- Impact:
- LOW
- Summary:
- Zscaler ThreatLabz researchers have observed a campaign that delivers Agent Tesla, a .NET-based keylogger and remote access trojan (RAT), using a builder named “Quantum Builder” sold on the dark web.
LockBit_3_0_Ransomware_Spreading_via_Word_Documents
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- LockBit_3_0_Ransomware_Spreading_via_Word_Documents
- Date of Scan:
- 2022-09-29
- Impact:
- LOW
- Summary:
- ASEC researchers have identified that LockBit 3.0 ransomware distributed while disguised as job application emails in NSIS format is also being distributed in Word document format.
Void_Balaur_hack_for_hire_campaigns
MEDIUM
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- Void_Balaur_hack_for_hire_campaigns
- Date of Scan:
- 2022-09-29
- Impact:
- MEDIUM
- Summary:
- SentinelOne researchers have observed the cyber mercenary group known as Void Balaur continues to expand its hack-for-hire campaigns and targeting of a wide variety of individuals and organizations across the globe.
A_new_variant_of_Graphite_Malware
MEDIUM
+
—
- Intel Source:
- Cluster25
- Intel Name:
- A_new_variant_of_Graphite_Malware
- Date of Scan:
- 2022-09-28
- Impact:
- MEDIUM
- Summary:
- Cluster25 researchers have analyzed a lure document used to implant a variant of Graphite malware, which is linked to the threat actor known as APT28.
Mass_Emailing_campaign_delivering_Agent_Tesla_malware
LOW
+
—
- Intel Source:
- Securelist
- Intel Name:
- Mass_Emailing_campaign_delivering_Agent_Tesla_malware
- Date of Scan:
- 2022-09-28
- Impact:
- LOW
- Summary:
- Researchers from Securelist have discovered a spam campaign that delivers Agent Tesla malware. After analysis, the email messages were pretended as high-quality imitations of business inquiries by real companies.
A_Trojan_Downloader_Named_NullMixer
LOW
+
—
- Intel Source:
- Securelist
- Intel Name:
- A_Trojan_Downloader_Named_NullMixer
- Date of Scan:
- 2022-09-28
- Impact:
- LOW
- Summary:
- Researchers from Securelist have identified a large proportion of the malware families dropped by NullMixer are classified as Trojan-Downloaders.
Malicious_NPM_package_discovered_in_supply_chain_attack
MEDIUM
+
—
- Intel Source:
- ReversingLab
- Intel Name:
- Malicious_NPM_package_discovered_in_supply_chain_attack
- Date of Scan:
- 2022-09-28
- Impact:
- MEDIUM
- Summary:
- Researchers from ReversingLabs have identified the Material Tailwind library is being impersonated for an apparent supply chain attack targeting developers. The team spotted a look-alike NPM package circulating on repositories, intended to trick unwitting developers into using the package in place of the real library.
Phishing_Campaign_Targeting_GitHub_Accounts
LOW
+
—
- Intel Source:
- GitHub Blog
- Intel Name:
- Phishing_Campaign_Targeting_GitHub_Accounts
- Date of Scan:
- 2022-09-27
- Impact:
- LOW
- Summary:
- Researchers from GitHub security team have identified that the hackers are targeting GitHub users to steal credentials and two-factor authentication (2FA) codes by impersonating the CircleCI DevOps platform.
FARGO_Ransomware_Targeting_Vulnerable_Microsoft_SQL_Servers
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- FARGO_Ransomware_Targeting_Vulnerable_Microsoft_SQL_Servers
- Date of Scan:
- 2022-09-27
- Impact:
- LOW
- Summary:
- Researchers from ASEC have discovered the distribution of FARGO ransomware that is targeting vulnerable MS-SQL servers. Along with GlobeImposter, FARGO is one of the prominent ransomware that targets vulnerable MS-SQL servers.
BumbleBee_Malware_Deploying_Cobalt_Strike_and_Meterpreter
LOW
+
—
- Intel Source:
- DFIR Report
- Intel Name:
- BumbleBee_Malware_Deploying_Cobalt_Strike_and_Meterpreter
- Date of Scan:
- 2022-09-27
- Impact:
- LOW
- Summary:
- Researchers from DFIR have identified threat actors using BumbleBee malware to deploy Cobalt Strike and Meterpreter. They used RDP and SMB to move around the network looking at backup systems and file shares before being evicted from the network.
Floxif_Malware_Family_Leveraging_Cookies
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Floxif_Malware_Family_Leveraging_Cookies
- Date of Scan:
- 2022-09-27
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed a recently disclosed vulnerability by Vectra that affects Microsoft Teams.
Chinese_Hacker_Group_TA413_Evolves_Capabilities_to_Targeting_Tibetan
LOW
+
—
- Intel Source:
- Recorded Future
- Intel Name:
- Chinese_Hacker_Group_TA413_Evolves_Capabilities_to_Targeting_Tibetan
- Date of Scan:
- 2022-09-26
- Impact:
- LOW
- Summary:
- RecordedFuture researchers have observed the targeting of ethnic and religious minority communities by Chinese state-sponsored groups for surveillance and intelligence-gathering purposes.
A_Technical_Analysis_of_Lockbit_3_0_Builder
LOW
+
—
- Intel Source:
- Cybergeeks
- Intel Name:
- A_Technical_Analysis_of_Lockbit_3_0_Builder
- Date of Scan:
- 2022-09-26
- Impact:
- LOW
- Summary:
- Researchers from Cybergeeks have analyzed LockBit 3.0 builder that was leaked online on 21st September 2022.
Noberus_Ransomware_Continues_to_Develop_its_TTPs
LOW
+
—
- Intel Source:
- Symantec
- Intel Name:
- Noberus_Ransomware_Continues_to_Develop_its_TTPs
- Date of Scan:
- 2022-09-26
- Impact:
- LOW
- Summary:
- Symantec researchers have identified that the Noberus (aka BlackCat, ALPHV) ransomware is using new tactics, tools, and procedures in recent months which making the threat more dangerous than ever.
Cybercriminals_target_Magento_vulnerability_in_new_wave_of_attacks
LOW
+
—
- Intel Source:
- Sansec
- Intel Name:
- Cybercriminals_target_Magento_vulnerability_in_new_wave_of_attacks
- Date of Scan:
- 2022-09-26
- Impact:
- LOW
- Summary:
- Researchers from Sansec have observed a surge in hacking attempts targeting CVE-2022-24086, a critical Magento 2 vulnerability allowing unauthenticated attackers to execute code on unpatched sites.
New_Hacking_Group_Metador_Targeting_Telecommunications_ISPs_and_Universities
MEDIUM
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- New_Hacking_Group_Metador_Targeting_Telecommunications_ISPs_and_Universities
- Date of Scan:
- 2022-09-26
- Impact:
- MEDIUM
- Summary:
- Researchers from SentinelOne have discovered a new threat actor named Matador and targeting telecommunications, internet service providers, and universities in several countries in the Middle East and Africa.
NFT_Malware_Gets_New_Evasion_Abilities
LOW
+
—
- Intel Source:
- Morphisec
- Intel Name:
- NFT_Malware_Gets_New_Evasion_Abilities
- Date of Scan:
- 2022-09-26
- Impact:
- LOW
- Summary:
- Researchers from Morphisec have tracked several waves of the NFT malware delivering the Remcos RAT. In June 2022 they found a shift in the crypter used to deliver the Remcos RAT. The Babadeda crypter has now been discarded for a newly staged downloader.
Cybercriminals_are_Increasingly_Using_Domain_Shadowing
MEDIUM
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- Cybercriminals_are_Increasingly_Using_Domain_Shadowing
- Date of Scan:
- 2022-09-23
- Impact:
- MEDIUM
- Summary:
- PaloAlto researchers have discovered that domain shadowing is more widespread than previously thought, discovering 12,197 cases between April and June 2022.
FODHelper_Delivering_Remcos_RAT
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- FODHelper_Delivering_Remcos_RAT
- Date of Scan:
- 2022-09-23
- Impact:
- LOW
- Summary:
- Researchers from SANS have identified a simple batch file that drops a Remcos RAT through an old UAC Bypass technique.
A_Deep_Analysis_of_Lazarus_Group_Rootkit_Attack_Using_BYOVD
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- A_Deep_Analysis_of_Lazarus_Group_Rootkit_Attack_Using_BYOVD
- Date of Scan:
- 2022-09-23
- Impact:
- LOW
- Summary:
- Researchers from ASEC have done a deep analysis of Lazarus Group Rootkit Attack using BYOVD. They are known to be hackers from North Korea, who have attacked various countries in America, Asia, and Europe.
SystemBC_Malware_Turns_Infected_Computers_into_SOCKS5_Proxies
LOW
+
—
- Intel Source:
- BitSight
- Intel Name:
- SystemBC_Malware_Turns_Infected_Computers_into_SOCKS5_Proxies
- Date of Scan:
- 2022-09-23
- Impact:
- LOW
- Summary:
- BitSight researchers have observed that SystemBC malware still turns infected computers into SOCKS5 proxy servers. Most bots cannot be reached from the internet, so this malware uses a backconnect architecture that allows clients to access proxy servers without having to interact directly with them.
Iranian_hackers_Conduct_Cyber_Operations_Against_the_Government_of_Albania
MEDIUM
+
—
- Intel Source:
- CISA
- Intel Name:
- Iranian_hackers_Conduct_Cyber_Operations_Against_the_Government_of_Albania
- Date of Scan:
- 2022-09-22
- Impact:
- MEDIUM
- Summary:
- Researchers from CISA have identified one of the Iranian threat groups behind the destructive attack on the Albanian government's network in July lurking inside its systems for roughly 14 months.
Active_Exploitation_of_Atlassian_Confluence_Vulnerability
LOW
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- Active_Exploitation_of_Atlassian_Confluence_Vulnerability
- Date of Scan:
- 2022-09-22
- Impact:
- LOW
- Summary:
- Researchers from Trendmicro have observed the active exploitation samples abusing the Atlassian Confluence vulnerability (CVE-2022-26134) in the wild for malicious cryptocurrency mining.
Hackers_Abusing_LinkedIn_Slink_to_Bypass_Secure_Email_Gateway
LOW
+
—
- Intel Source:
- Cofense
- Intel Name:
- Hackers_Abusing_LinkedIn_Slink_to_Bypass_Secure_Email_Gateway
- Date of Scan:
- 2022-09-22
- Impact:
- LOW
- Summary:
- Cofense researchers have observed a phishing campaign that abuses LinkedIn smart links. While exploiting a well-known postal brand is nothing out of the ordinary, these phishing emails continue to pass undetected by popular email gateways.
Diving_Deep_into_Crytox_Ransomware
LOW
+
—
- Intel Source:
- Zscaler
- Intel Name:
- Diving_Deep_into_Crytox_Ransomware
- Date of Scan:
- 2022-09-22
- Impact:
- LOW
- Summary:
- Researchers from Zscaler have done technical analysis of Crytox Ransomware which is multi-stage ransomware with a weak key generation algorithm.
Distribution_of_NetSupport_RAT_via_SocGholish
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Distribution_of_NetSupport_RAT_via_SocGholish
- Date of Scan:
- 2022-09-22
- Impact:
- LOW
- Summary:
- Researchers from Cyble have observed that hackers are using fake browser update (SocGholish) to deliver the NetSupport RAT.
Zoom_Users_Targeted_by_Vidar_Stealer
MEDIUM
+
—
- Intel Source:
- Cyble
- Intel Name:
- Zoom_Users_Targeted_by_Vidar_Stealer
- Date of Scan:
- 2022-09-21
- Impact:
- MEDIUM
- Summary:
- The researchers from Cyble have observed numerous fake Zoom sites that look exactly like the real Zoom sites. The purpose of these sites is to distribute malware disguised as the legitimate Zoom application.
Attackers_Leveraging_Free_Online_Resources_for_Phishing_Campaigns
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Attackers_Leveraging_Free_Online_Resources_for_Phishing_Campaigns
- Date of Scan:
- 2022-09-21
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed phishing campaigns using free online resources.
Attackers_Abusing_Google_Tag_Manager_Payment_Card_E-Skimming
LOW
+
—
- Intel Source:
- Recorded Future
- Intel Name:
- Attackers_Abusing_Google_Tag_Manager_Payment_Card_E-Skimming
- Date of Scan:
- 2022-09-21
- Impact:
- LOW
- Summary:
- According to Recorded Future researchers, 569 e-commerce domains have been infected by Magecart e-skimmers that exfiltrate stolen payment card information to GTM-based e-skimmer domains.
Hackers_Leveraging_Browser_Extensions
LOW
+
—
- Intel Source:
- MalwareBytes
- Intel Name:
- Hackers_Leveraging_Browser_Extensions
- Date of Scan:
- 2022-09-21
- Impact:
- LOW
- Summary:
- Malwarebytes researchers have detected a browser extension named PUP.Optional.AdMax. They have claimed to be adblockers and do have some, limited, functionality.
Konni_(RAT)_phishing_activity
LOW
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Konni_(RAT)_phishing_activity
- Date of Scan:
- 2022-09-21
- Impact:
- LOW
- Summary:
- Researchers at Fortinet recently caught a sophisticated phishing attempt deploying malware which they tied to APT 37 group's arsenal related to Konni and other RAT.
Magniber_Ransomware_file_extension_changed_from_jse_to_js
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- Magniber_Ransomware_file_extension_changed_from_jse_to_js
- Date of Scan:
- 2022-09-21
- Impact:
- LOW
- Summary:
- Researchers from ASEC have analyzed the Magniber ransomware script and found that is still a javascript but its file extension changed from *.jse to *.js.
Monster_RaaS_campaign_returned_as_a_new_variant
MEDIUM
+
—
- Intel Source:
- BlackBerry
- Intel Name:
- Monster_RaaS_campaign_returned_as_a_new_variant
- Date of Scan:
- 2022-09-20
- Impact:
- MEDIUM
- Summary:
- BlackBerry Research & Intelligence team examined all samples about Monster ransomware which is delivered as a 32-bit binary. A hidden user interface gives threat actors control of multiple features of the ransomware on a victim’s machine, including selective encryption, self-deletion, and control over services and processes. Monster is also highly configurable, so threat actors can set their own custom extension and personalized ransom note.
The_Growth_of_Chromeloader_Malware
LOW
+
—
- Intel Source:
- VMware
- Intel Name:
- The_Growth_of_Chromeloader_Malware
- Date of Scan:
- 2022-09-20
- Impact:
- LOW
- Summary:
- Researchers from VMware have analyzed Chromeloader malware and warned of an ongoing campaign, In the campaign, malicious browser extensions, malware based on node-WebKit, and ransomware are being distributed.
The_Ragnar_Locker_ransomware_roundup_cover
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- The_Ragnar_Locker_ransomware_roundup_cover
- Date of Scan:
- 2022-09-20
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs gathered data on ransomware variants of interest that have been gaining traction within the OSINT community and our datasets. The Ransomware Roundup report aimed the Ragnar Locker ransomware to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against this variant.
Microsoft_365_Phishing_Attacks_Targeting_US_Government_Agencies
MEDIUM
+
—
- Intel Source:
- Cofense
- Intel Name:
- Microsoft_365_Phishing_Attacks_Targeting_US_Government_Agencies
- Date of Scan:
- 2022-09-20
- Impact:
- MEDIUM
- Summary:
- Cofense researchers have identified an ongoing phishing campaign targeting U.S. government contractors. In these phishing emails, scammers ask for bids for lucrative government projects, leading users to cloned versions of legitimate government websites.
Fake_Telegram_Site_Delivering_RAT
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Fake_Telegram_Site_Delivering_RAT
- Date of Scan:
- 2022-09-20
- Impact:
- LOW
- Summary:
- Cyble Research and Intelligence Labs team identified a fake Telegram website masquerading as a legitimate website that downloads a malicious installer. This installer abuses the Windows Defender application to perform RAT operations.
Multiple_Malwares_delivered_by_Excel_Document
MEDIUM
+
—
- Intel Source:
- Fortinet
- Intel Name:
- Multiple_Malwares_delivered_by_Excel_Document
- Date of Scan:
- 2022-09-20
- Impact:
- MEDIUM
- Summary:
- FortiGuard Labs recently caught captured an Excel document with an embedded malicious file in the wild. After some research on the file, Fortinet reserachers learned that it exploits a particular vulnerability —CVE-2017-11882—to execute malicious code which affecting Microoft Windows platforms and Windows users. Researchers picked the “lsbjqoyofgkmqbuleooykdekgopmtglvjl.exe” file (being saved as “C:\Users\{UserName}\AppData\Roaming\word.exe”) as an example to analyze. It is the latest Formbook sample in the malware sample logs.
Russia-Nexus_UAC-0113_Emulating_Telecommunication_Providers_in_Ukraine
LOW
+
—
- Intel Source:
- Recorded Future
- Intel Name:
- Russia-Nexus_UAC-0113_Emulating_Telecommunication_Providers_in_Ukraine
- Date of Scan:
- 2022-09-19
- Impact:
- LOW
- Summary:
- Researchers at Insikt Group while monitoring UAC-0113 infrastructure, including the recurring use of dynamic DNS domains masquerading as telecommunication providers operating in Ukraine, which shows that the group's efforts to target entities in Ukraine remains ongoing. Domain masquerades can enable spearphishing campaigns or redirects that pose a threat to victim networks.
TeamTNT_threat_actors_targeting_cloud_environments
LOW
+
—
- Intel Source:
- Aquasec
- Intel Name:
- TeamTNT_threat_actors_targeting_cloud_environments
- Date of Scan:
- 2022-09-19
- Impact:
- LOW
- Summary:
- Aquasec analysts observed and analyzed three different attacks on their honeypots past week. The scripts and malware that were used bear a striking resemblance to none other than the threat actor TeamTNT.
PreventingISOMalware
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- PreventingISOMalware
- Date of Scan:
- 2022-09-19
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed Chromeloader malware. This malware is a malicious extension for your browser, redirecting it to ad sites and hijacking searches. But with the success of this technique recently, I would not be surprised if others will take notice and switch to using it for other things.
The_widespread_of_RedLine_stealer
LOW
+
—
- Intel Source:
- Securelist
- Intel Name:
- The_widespread_of_RedLine_stealer
- Date of Scan:
- 2022-09-19
- Impact:
- LOW
- Summary:
- Securelist's reserachers recently caught a suspicious activity which was a part of collection of malicious programs distributed in the form of a single installation file, self-extracting archive or other file with installer-type functionality.
The_details_of_a_Publicly_Available_Slam_Ransomware_Builder
LOW
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- The_details_of_a_Publicly_Available_Slam_Ransomware_Builder
- Date of Scan:
- 2022-09-19
- Impact:
- LOW
- Summary:
- SentinelOne analysts detailed out thoroughly about Slam Ransomware Builder and how free ransomware builders like Slam offer an easy route into cybercrime and yet present a credible threat to organizations and enterprises. Plus they provided a detailed list of indicators to help security teams detect and protect against Slam ransomware payloads.
Preventing_ISO_Malware
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Preventing_ISO_Malware
- Date of Scan:
- 2022-09-19
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed Chromeloader malware. This malware is a malicious extension for your browser, redirecting it to ad sites and hijacking searches. But with the success of this technique recently, I would not be surprised if others will take notice and switch to using it for other things.
Scammers_Abuse_Microsoft_Edge's_News_Feed_Ads
LOW
+
—
- Intel Source:
- MalwareBytes
- Intel Name:
- Scammers_Abuse_Microsoft_Edge's_News_Feed_Ads
- Date of Scan:
- 2022-09-16
- Impact:
- LOW
- Summary:
- Researchers from Malwarebytes have identified an ongoing malvertising campaign that is injecting ads in the Microsoft Edge News Feed to redirect potential victims to websites pushing tech support scams.
Revived_Version_of_Raccoon_Stealer
LOW
+
—
- Intel Source:
- Cloudsek
- Intel Name:
- Revived_Version_of_Raccoon_Stealer
- Date of Scan:
- 2022-09-16
- Impact:
- LOW
- Summary:
- CloudSEK researchers analyzed a Raccoon malware sample and found it to be an updated version of Raccoon stealer. In underground forums, the developer of Raccoon stealer is very active, regularly updating the malware and posting about new feature builds.
PrivateLoader_the_most_widely_used_loader_in_2022
LOW
+
—
- Intel Source:
- Sekoia
- Intel Name:
- PrivateLoader_the_most_widely_used_loader_in_2022
- Date of Scan:
- 2022-09-16
- Impact:
- LOW
- Summary:
- PrivateLoader became one of the most widespread loaders used for a PPI service in 2022. SEKOIA analysts tracked PrivateLoader’s network infrastructure for several months and recently conducted an in-depth analysis of the malware. In parallel, we also monitored activities related to the ruzki PPI malware service.
Trojanized_Putty_through_Phishing
LOW
+
—
- Intel Source:
- Mandiant
- Intel Name:
- Trojanized_Putty_through_Phishing
- Date of Scan:
- 2022-09-16
- Impact:
- LOW
- Summary:
- Researchers from Mandiant identified a Trojanized Putty ISO payload being delivered through a fabricated job lure spear employed by the threat cluster tracked as UNC4034, suspected to be a part of "Operation Dream Job" campaigns.
Hackers_Continue_to_Abuse_Google_Sites_and_Microsoft_Azure
LOW
+
—
- Intel Source:
- Netscope
- Intel Name:
- Hackers_Continue_to_Abuse_Google_Sites_and_Microsoft_Azure
- Date of Scan:
- 2022-09-16
- Impact:
- LOW
- Summary:
- Netskope researchers discovered a phishing campaign where attackers are abusing Google Sites and Microsoft Azure Web Apps to steal cryptocurrency wallets and accounts from Coinbase, MetaMask, Kraken, and Gemini.
Word_Maldoc_With_CustomXML_and_Renamed_VBAProject
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Word_Maldoc_With_CustomXML_and_Renamed_VBAProject
- Date of Scan:
- 2022-09-16
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed samples and found one of them is that the VBA project file (ole file) is named FIzzyWAbnj.bin instead of the usual VBAProject.bin.
Russia_linked_Gamaredon_APT_Targeting_Ukraine_Using_InfoStealer_Malware
LOW
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Russia_linked_Gamaredon_APT_Targeting_Ukraine_Using_InfoStealer_Malware
- Date of Scan:
- 2022-09-16
- Impact:
- LOW
- Summary:
- Researchers at CiscoTalos have observed that Russian-linked Gamaredon has been targeting Ukrainian government, defense, and law enforcement agencies with a piece of a custom-made information stealer implant.
BlackTech_Threat_Group_ExploitsF5_BIG-IP_Vulnerability
MEDIUM
+
—
- Intel Source:
- JPCERT
- Intel Name:
- BlackTech_Threat_Group_ExploitsF5_BIG-IP_Vulnerability
- Date of Scan:
- 2022-09-16
- Impact:
- MEDIUM
- Summary:
- The JPCERT have identified an attack activity exploiting the F5 BIG-IP vulnerability (CVE-2022-1388) against Japanese organizations. It has been confirmed by the targeted organizations that data in BIG-IP has been compromised.
One_of_the_most_used_infostealer_Erbium
LOW
+
—
- Intel Source:
- Cluster25
- Intel Name:
- One_of_the_most_used_infostealer_Erbium
- Date of Scan:
- 2022-09-15
- Impact:
- LOW
- Summary:
- Cluster25' analysts observed that Erbium can become one of the most used infostealer by cyber criminals due to its wide range of capabilities and due to the growing demand for M-a-a-S.
Japanese_Taxpayers_Targeted_in_Phishing_Campaign
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Japanese_Taxpayers_Targeted_in_Phishing_Campaign
- Date of Scan:
- 2022-09-15
- Impact:
- LOW
- Summary:
- Researchers from Cyble Research & Intelligence Labs discovered a new phishing campaign imitating the National Tax Agency, which targets Japanese users by tricking them into sharing sensitive information.
Webworm_hackers_modify_old_malware_in_new_attacks
LOW
+
—
- Intel Source:
- Symantec
- Intel Name:
- Webworm_hackers_modify_old_malware_in_new_attacks
- Date of Scan:
- 2022-09-15
- Impact:
- LOW
- Summary:
- Researcher from Symantec have observed that the Chinese 'Webworm' hacking group is experimenting with customizing old malware in new attacks, likely to evade attribution and reduce operations costs.
Malicious_Word_Document_With_a_Frameset
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Malicious_Word_Document_With_a_Frameset
- Date of Scan:
- 2022-09-15
- Impact:
- LOW
- Summary:
- SANS researchers have discovered a malicious Word OOXML document (the new ".docx" format) that is a simple downloader. No malicious code is contained in this document, but merely a reference to a second stage which will be delivered when the document is opened.
Exploiting_Notepad++_Plugins_for_Evasion_and_Persistence
LOW
+
—
- Intel Source:
- Cybereason
- Intel Name:
- Exploiting_Notepad++_Plugins_for_Evasion_and_Persistence
- Date of Scan:
- 2022-09-15
- Impact:
- LOW
- Summary:
- Researchers from Cybereason have analyzed a specific technique that leverages Notepad++ plugins to persist and evade security mechanisms on a machine.
Greek_Banking_Users_Targeted_in_Phishing_Campaign
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Greek_Banking_Users_Targeted_in_Phishing_Campaign
- Date of Scan:
- 2022-09-15
- Impact:
- LOW
- Summary:
- Researchers from Cyble discovered multiple URLs hosting pages pretending to be Greece's tax refund website. In order to transfer funds, users must confirm their current account number and the amount of their tax refund.
Iranian_Cyber_Actors_Exploiting_Known_Vulnerabilities
MEDIUM
+
—
- Intel Source:
- CISA
- Intel Name:
- Iranian_Cyber_Actors_Exploiting_Known_Vulnerabilities
- Date of Scan:
- 2022-09-15
- Impact:
- MEDIUM
- Summary:
- Researchers from CISA have identified Iranian Islamic revolutionary guard corps-affiliated cyber actors exploiting vulnerabilities for data extortion and disk encryption for ransom operations.
Hackers_Are_Using_Name_of_Queen_Elizabeth_II_in_Phishing_Attacks
LOW
+
—
- Intel Source:
- ProofPoint
- Intel Name:
- Hackers_Are_Using_Name_of_Queen_Elizabeth_II_in_Phishing_Attacks
- Date of Scan:
- 2022-09-15
- Impact:
- LOW
- Summary:
- Researchers at Proofpoint have identified threat actors exploiting the death of Queen Elizabeth II in phishing attacks to steal their targets' Microsoft accounts.
New_Linux_SideWalk_backdoor_Variant_used_by_SparklingGoblin_APT_Hackers
LOW
+
—
- Intel Source:
- WeliveSecurity
- Intel Name:
- New_Linux_SideWalk_backdoor_Variant_used_by_SparklingGoblin_APT_Hackers
- Date of Scan:
- 2022-09-14
- Impact:
- LOW
- Summary:
- ESET researchers have discovered a Linux variant of the SideWalk backdoor used by SparklingGoblin. This is a group of APTs that partially overlaps with APT41 and BARIUM in terms of its tactics, techniques, and procedures.
Hackers_Exploiting_Oracle_WebLogic_Server_Vulnerabilities
MEDIUM
+
—
- Intel Source:
- TrendMicro
- Intel Name:
- Hackers_Exploiting_Oracle_WebLogic_Server_Vulnerabilities
- Date of Scan:
- 2022-09-14
- Impact:
- MEDIUM
- Summary:
- Trendmicro researchers have observed malicious actors exploiting both newly disclosed and older Oracle WebLogic Server vulnerabilities to deliver cryptocurrency-mining malware.
A_new_variant_of_Agent_Tesla
LOW
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- A_new_variant_of_Agent_Tesla
- Date of Scan:
- 2022-09-14
- Impact:
- LOW
- Summary:
- The Agent Tesla keylogger’s developers announced and posted on the Agent Tesla Discord server that people should switch over to a new keylogger OriginLogger, a powerful software like Agent Tesla. OriginLogger is an AT-based software and has all the features. OriginLogger is a variant of Agent Tesla. As such, the majority of tools and detections for Agent Tesla will still trigger on OriginLogger samples.
A_distribution_of_masking_phishing_websites
LOW
+
—
- Intel Source:
- ASEC
- Intel Name:
- A_distribution_of_masking_phishing_websites
- Date of Scan:
- 2022-09-14
- Impact:
- LOW
- Summary:
- During the collecting of various malware strains the ASEC analysts caught one targeting Korean users, which was being distributed continuously to Korean email accounts only since August. This phishing website’s URL is not only distributed through email but is also exposed among the top search results of the Google search engine.
A_detailed_Analysis_of_Iranian_COBALT_MIRAGE_Threat_Group
LOW
+
—
- Intel Source:
- Secureworks
- Intel Name:
- A_detailed_Analysis_of_Iranian_COBALT_MIRAGE_Threat_Group
- Date of Scan:
- 2022-09-14
- Impact:
- LOW
- Summary:
- Researchers at Secureworks have analyzed ransomware incidents and uncovered details about Iranian COBALT MIRAGE operations. During this incident, COBALT MIRAGE exploited ProxyShell vulnerabilities (CVE-2021-34473, 2021-34523, and 2021-30207).
Easy_Process_Injection_within_Python
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Easy_Process_Injection_within_Python
- Date of Scan:
- 2022-09-14
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed malicious Python scripts. It can call any Microsoft API and perform process injection using the classic VirtualAlloc, CreateRemoteThreat, etc.
Ransomware_Campaigns_Linked_to_Iranian_Govt's_DEV_0270_Hackers
LOW
+
—
- Intel Source:
- Microsoft
- Intel Name:
- Ransomware_Campaigns_Linked_to_Iranian_Govt's_DEV_0270_Hackers
- Date of Scan:
- 2022-09-13
- Impact:
- LOW
- Summary:
- Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS.
Iranian_Hackers_Targeting_Nuclear_Security_and_Genomic_Research
LOW
+
—
- Intel Source:
- ProofPoint
- Intel Name:
- Iranian_Hackers_Targeting_Nuclear_Security_and_Genomic_Research
- Date of Scan:
- 2022-09-13
- Impact:
- LOW
- Summary:
- Proofpoint researchers have discovered a cyberespionage campaign conducted by TA453 threat actors linked to Iran. It targeted individuals specializing in nuclear security, Middle Eastern affairs, and genome research. To target their victims, threat actors used at least two actor-controlled personas.
New_Espionage_Activity_Targeting_Asian_Governments
LOW
+
—
- Intel Source:
- Symantec
- Intel Name:
- New_Espionage_Activity_Targeting_Asian_Governments
- Date of Scan:
- 2022-09-13
- Impact:
- LOW
- Summary:
- Researchers from Symantec have identified a campaign that targets government and state-owned organizations in several Asian countries, including the offices of multiple prime ministers or heads of government.
Mitel_VoIP_Appliance_Vulnerability_Exploited_by_Lorenz_Ransomware_Group
LOW
+
—
- Intel Source:
- Arcticwolf
- Intel Name:
- Mitel_VoIP_Appliance_Vulnerability_Exploited_by_Lorenz_Ransomware_Group
- Date of Scan:
- 2022-09-13
- Impact:
- LOW
- Summary:
- The Lorenz ransomware group was seen exploiting a critical-severity vulnerability in Mitel MiVoice VoIP appliance for initial access into a victim’s network, Arctic Wolf cybersecurity firm researchers reported.
Diving_Deep_into_Emotet_Malware
LOW
+
—
- Intel Source:
- DFIR Report
- Intel Name:
- Diving_Deep_into_Emotet_Malware
- Date of Scan:
- 2022-09-12
- Impact:
- LOW
- Summary:
- Researchers from DFIR have done a deep analysis of Emotet Malware
A_new_form_of_delivery_of_the_Lampion_banking_trojan
LOW
+
—
- Intel Source:
- Cofense
- Intel Name:
- A_new_form_of_delivery_of_the_Lampion_banking_trojan
- Date of Scan:
- 2022-09-12
- Impact:
- LOW
- Summary:
- Threat actors have been spotted by PDC analyst using a new form of Lampion malware thru using of a VBS loader. Using the trusted cloud platform used for payments, WeTransfer, threat actors are attempting to gain the trust of users while taking advantage of the service provided by the popular site.
Phishing_Word_Documents_with_Suspicious_URL
LOW
+
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Phishing_Word_Documents_with_Suspicious_URL
- Date of Scan:
- 2022-09-12
- Impact:
- LOW
- Summary:
- Researchers from SANS have analyzed a quarantined email that is marked as phishing by Defender with the Subject: Urgent Payment Issue.
A_Deep_Investigation_of_Albanian_Government_Cyberattacks
LOW
+
—
- Intel Source:
- Microsoft
- Intel Name:
- A_Deep_Investigation_of_Albanian_Government_Cyberattacks
- Date of Scan:
- 2022-09-09
- Impact:
- LOW
- Summary:
- Microsoft researchers investigated Albanian government cyberattacks which disrupt public services and government websites. Besides the destructive cyberattack, MSTIC reports that an Iranian state-sponsored actor released sensitive information that had already been exfiltrated.
Collecting_Credentials_Through_Third-Party_Software
LOW
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- Collecting_Credentials_Through_Third-Party_Software
- Date of Scan:
- 2022-09-09
- Impact:
- LOW
- Summary:
- PaloAlto researchers explored some common third-party software scenarios related to credential gathering, examining how passwords are stored, retrieved, and monitored based on real-world attack scenarios.
Bronze_President_Group_Targeting_Government_Officials
LOW
+
—
- Intel Source:
- Secureworks
- Intel Name:
- Bronze_President_Group_Targeting_Government_Officials
- Date of Scan:
- 2022-09-09
- Impact:
- LOW
- Summary:
- Researchers from Secureworks have identified a PlugX malware campaign targeting computers belonging to government officials of several countries in Europe, the Middle East, and South America.
Ransomware_Developers_Leveraging_Intermittent_Encryption_to_Avoid_Detection
LOW
+
—
- Intel Source:
- SentinelOne
- Intel Name:
- Ransomware_Developers_Leveraging_Intermittent_Encryption_to_Avoid_Detection
- Date of Scan:
- 2022-09-09
- Impact:
- LOW
- Summary:
- SentinelOne researchers have observed that ransomware developers use intermittent encryption to evade detection. As a result of this encryption method, ransomware operators are able to evade detection systems and encrypt victims' files more quickly.
Lazarus_Hackers_Targeting_Energy_Providers_Around_the_World
MEDIUM
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- Lazarus_Hackers_Targeting_Energy_Providers_Around_the_World
- Date of Scan:
- 2022-09-09
- Impact:
- MEDIUM
- Summary:
- A CiscoTalos study discovered that North Korea-linked Lazarus Group targeted energy providers around the world from February through July 2022, including U.S., Canadian, and Japanese companies.
Moobot_Botnet_Targeting_Unpatched_D-Link_Routers
LOW
+
—
- Intel Source:
- Palo Alto
- Intel Name:
- Moobot_Botnet_Targeting_Unpatched_D-Link_Routers
- Date of Scan:
- 2022-09-08
- Impact:
- LOW
- Summary:
- Researchers from PaloAlto have discovered attacks leveraging several vulnerabilities in D-Link routers and the vulnerabilities exploited include CVE-2015-2051, CVE-2018-6530, CVE-2022-26258, and CVE-2022-28958.
In-depth_exploration_of_APT42
LOW
+
—
- Intel Source:
- Mandiant
- Intel Name:
- In-depth_exploration_of_APT42
- Date of Scan:
- 2022-09-08
- Impact:
- LOW
- Summary:
- Mandiant researchers have conducted a deep analysis of APT42 and published a report. This report examines APT42's recent and historical activities, its tactics, techniques, and procedures, targeting patterns, and historical connections to APT35.
An_Unusual_Case_of_Monti_Ransomware
LOW
+
—
- Intel Source:
- BlackBerry
- Intel Name:
- An_Unusual_Case_of_Monti_Ransomware
- Date of Scan:
- 2022-09-08
- Impact:
- LOW
- Summary:
- The BlackBerry Incident Response team have investigated an attack by a previously unknown group, calling itself "MONTI," which encrypted nearly 20 user hosts as well as a multi-host VMware ESXi cluster that brought down over 20 servers.
Conti_Cybercrime_Hackers_Targeting_Ukraine
LOW
+
—
- Intel Source:
- Google blog
- Intel Name:
- Conti_Cybercrime_Hackers_Targeting_Ukraine
- Date of Scan:
- 2022-09-08
- Impact:
- LOW
- Summary:
- Researchers from Google Threat Analysis Group have identified some former Conti ransomware gang members are now part of a threat group tracked as UAC-0098, which is targeting Ukrainian organizations and European non-governmental organizations.
Bumblebee_Malware_Back_With_New_Technique
LOW
+
—
- Intel Source:
- Cyble
- Intel Name:
- Bumblebee_Malware_Back_With_New_Technique
- Date of Scan:
- 2022-09-08
- Impact:
- LOW
- Summary:
- Researchers from Cyble have came across a Twitter post wherein a researcher mentioned an interesting infection chain of the Bumblebee loader malware being distributed via spam campaigns.
A_new_remote_access_trojan_MagicRAT
LOW
+
—
- Intel Source:
- Cisco Talos
- Intel Name:
- A_new_remote_access_trojan_MagicRAT
- Date of Scan:
- 2022-09-08
- Impact:
- LOW
- Summary:
- Researchers at Cisco Talos have observed a new Remote Access Trojan from the Lazarus APT group being exploited in the wild for arbitrary command execution.
Zero-Day_Vulnerability_Exploited_in_BackupBuddy_Plugin
LOW
+
—
- Intel Source:
- Wordsfence
- Intel Name:
- Zero-Day_Vulnerability_Exploited_in_BackupBuddy_Plugin
- Date of Scan:
- 2022-09-08
- Impact:
- LOW
- Summary:
- Wordfence's Threat Intelligence team have discovered a zero-day vulnerability being actively exploited in BackupBuddy. It is a WordPress plugin with approximately 140,000 installa