Autonomous Threat Sweeper
Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.
Latest ATS Entries
All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.
—
- Intel Source: Hunt.io
- Intel Name: Examination_of_new_ShadowPad_infrastructure_new_threat_actor
- Date of Scan: 2024-02-12
- Impact: LOW
- Summary: This post examines ShadowPad infrastructure linked to a yet-to-be-identified threat actor. What sets this activity apart is a slight change in the HTTP response headers and the use of a certificate attempting to spoof the American technology company Dell. Within this group of IPs there are additional subsets of activity using different port configurations and some interesting domains, discussed later in the article.
- Source: https://hunt.io/blog/tracking-shadowpad-infrastructure-via-non-standard-certificates
—
- Intel Source: SOCRadar
- Intel Name: LuaJIT_based_modular_backdoor_LuaDream_activity_by_Sandman_APT
- Date of Scan: 2024-02-12
- Impact: LOW
- Summary: SOCRadar wrote in their article, based on research provided by SentinelOne and QGroup, that the Sandman APT group employs highly sophisticated and stealthy attack methods, with a particular focus on a new modular backdoor known as LuaDream, which is built on the LuaJIT platform. LuaDream's design aims to minimize detection risk and shows a continuous development approach.
—
- Intel Source: SOCRadar
- Intel Name: A_new_Ivanti_critical_Remote_Code_Execution_vulnerability_in_FortiOS
- Date of Scan: 2024-02-12
- Impact: HIGH
- Summary: Fortinet has disclosed a new critical Remote Code Execution vulnerability in FortiOS SSL VPN, warning of potential exploitation in ongoing attacks. The latest Ivanti flaw has possibly been exploited as well (CVE-2024-21762, CVE-2023-40547, CVE-2024-22024).
—
- Intel Source: Eclecticiq
- Intel Name: Increased_delivery_of_the_DarkGate_loader
- Date of Scan: 2024-02-12
- Impact: LOW
- Summary: EclecticIQ analysts observed increased delivery of the DarkGate loader following the takedown of Qakbot infrastructure last year. EclecticIQ analysts are confident that financially motivated threat actors, including groups like TA577 and Ducktail, along with Ransomware-as-a-Service (RaaS) operations such as BianLian and Black Basta, are the primary users of DarkGate. These threat actors target financial institutions in Europe and the USA, focusing mainly on double extortion tactics.
- Source: https://blog.eclecticiq.com/darkgate-opening-gates-for-financially-motivated-threat-actors
—
- Intel Source: ISC.SANS
- Intel Name: A_malicious_PowerShell_payload_Rabby_Wallet
- Date of Scan: 2024-02-12
- Impact: LOW
- Summary: ISC.SANS researcher Xavier Mertens reported that one of his YARA rules triggered on a new sample called "Rabby-Wallet.msix"; the file has a VT score of 8/58. After his analysis, the file appears to implement the same technique to execute a malicious PowerShell payload.
—
- Intel Source: Habr
- Intel Name: Cyber_spies_Sticky_Werewolf_activity_in_Belarus
- Date of Scan: 2024-02-12
- Impact: LOW
- Summary: The cyberespionage APT group Sticky Werewolf probably attempted to attack Belarusian companies by distributing the Ozone RAT remote access Trojan disguised as the computer cleaning and optimization software CCleaner.
- Source: https://habr.com/ru/companies/f_a_c_c_t/news/792672/
—
- Intel Source: Fortinet
- Intel Name: Attacks_on_Critical_Infrastructure_Exploiting_FortiOS_Vulnerabilities
- Date of Scan: 2024-02-09
- Impact: LOW
- Summary: Researchers from Fortinet alerted companies on Wednesday that APTs associated with China and other nations have been making use of two known FortiOS vulnerabilities to enable attacks targeting critical infrastructure and other sectors.
—
- Intel Source: Esentire
- Intel Name: SolarMarker_infections
- Date of Scan: 2024-02-09
- Impact: LOW
- Summary: The article discusses the increasing prevalence of SolarMarker infections and the evolving tactics of the threat actor behind it. The eSentire Threat Response Unit (TRU) has been tracking SolarMarker since 2021 and has observed a significant increase in infections since November 2023. The threat actor has been using Inno Setup and PS2EXE tools to generate payloads, with recent payloads being modified using string replacements. The article also includes details on the PowerShell script used by SolarMarker, the loading of second-stage payloads, and the addition of junk instructions and byte arrays to evade detection. The TRU team recommends implementing controls such as Endpoint Detection and Response (EDR) solutions and security awareness training to protect against SolarMarker. The article also provides indicators of compromise and decrypted payloads for reference.
- Source: https://www.esentire.com/blog/the-oncoming-wave-of-solarmarker
—
- Intel Source: Crowdstrike
- Intel Name: The_HijackLoader_Expands_Its_Evasion_Techniques
- Date of Scan: 2024-02-09
- Impact: LOW
- Summary: Researchers at CrowdStrike have found that, as more threat actors use the loader malware known as HijackLoader to deliver additional payloads and tooling, the threat actors behind it have developed new defense evasion techniques.
- Source: https://www.crowdstrike.com/blog/hijackloader-expands-techniques/
—
- Intel Source: Esentire
- Intel Name: The_injection_of_RemcosRAT_into_the_winhlp32_exe_file_process
- Date of Scan: 2024-02-09
- Impact: MEDIUM
- Summary: The article discusses a recent threat investigation conducted by eSentire's Threat Response Unit (TRU). The investigation involved a suspicious ZIP archive containing an AnyDesk executable and a VBS file, delivered via a Discord CDN link. Further investigation revealed that the VBS file executed another VBS file hosted on paste[.]ee, which contained the DcRat malware. The DcRat malware had an encrypted configuration and supported dynamic loading and execution of plugins. The final payload retrieved via the plugin was a VBS file containing the RemcosRAT malware and dynwrapx.dll. The RemcosRAT malware was injected into the winhlp32.exe process and allowed remote control of the infected machine. The TRU team isolated the system and provided recommendations for protection against similar threats, such as user training and the use of Next-Gen AV or Endpoint Detection and Response tools. The article also includes indicators of compromise and references for further information.
- Source: https://www.esentire.com/blog/from-onlydcratfans-to-remcosrat
Shared Security Content on Sigma
Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.
What's New from Threat Labs
- Blog: Securonix Threat Research Security Advisory: Analysis and Detection of STEADY#URSA Attack Campaign Targeting Ukraine Military Dropping New Covert SUBTLE-PAWS PowerShell Backdoor
- Blog: Securonix Threat Research Security Advisory: Technical Analysis and Detection of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN
- Blog: Securonix Threat Research Security Advisory: New RE#TURGENCE Attack Campaign: Turkish Hackers Target MSSQL Servers to Deliver Domain-Wide MIMIC Ransomware