Securonix Threat Labs

Intel Source:

McAfee

Intel Name:

Investigation_into_WinRAR_Vulnerability

Date of Scan:

2023-09-22

Impact:

LOW

Summary:

McAfee researchers examined a sample that exploited the major RCE vulnerability CVE-2023-38831. It has to do with an RCE flaw in WinRAR prior to version 6.23. The problem arises because a ZIP archive could contain a harmless file (such a regular.JPG file) as well as a folder with the same name as the innocent file, and when you try to access just the harmless file, the contents of the folder (which might have executable information) are processed.

Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/exploring-winrar-vulnerability-cve-2023-38831/

Intel Source:

Cyble

Intel Name:

Drinik_Malware_Returns_to_Threaten_Indian_Taxpayers

Date of Scan:

2023-09-22

Impact:

LOW

Summary:

Researchers from Cyble have noticed that the Drinik malware showed increased activity levels that were timed to coincide with the deadline for filing Indian income tax returns. Drinik malware’s most recent version includes a number of recently introduced features.

Source:
https://cyble.com/blog/indian-taxpayers-face-a-multifaceted-threat-with-drinik-malwares-return/

Intel Source:

Checkpoint

Intel Name:

A_Banker_Server_Side_Components_Analysis

Date of Scan:

2023-09-22

Impact:

LOW

Summary:

A recent campaign utilizing a new form of the BBTok banker and operating in Latin America was recently uncovered by Check Point researchers. In the study, we focus on recently identified infection chains that employ a special mix of Living off the Land Binaries (LOLBins).

Source:
https://research.checkpoint.com/2023/behind-the-scenes-of-bbtok-analyzing-a-bankers-server-side-components/

Intel Source:

Sentilone

Intel Name:

Targeting_Telcos_with_a_LuaJIT_Toolkit

Date of Scan:

2023-09-22

Impact:

LOW

Summary:

A series of cyberattacks against telecommunicator providers in the Middle East, Western Europe, and the South Asian subcontinent have been linked to a hitherto unknown threat actor known as Sandman. It is noteworthy that the incursions use the just-in-time (JIT) LuaJIT compiler to deliver the unique LuaDream implant.

Source:
https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/

Intel Source:

Bitsight

Intel Name:

Analysis_of_SmokeLoaders_Plugins

Date of Scan:

2023-09-22

Impact:

LOW

Summary:

A well-known malware family with a history spanning more than ten years is called SmokeLoader. The primary function of this malware is to download and drop additional malware families. However, the owners of SmokeLoader also market plugins that give the primary module new features. These plugins give an affiliate the ability to gather a variety of information from compromised PCs, including emails, cookies, passwords, and browser data.

Source:
https://www.bitsight.com/blog/smokeloaders-plugins

Intel Source:

Checkpoint

Intel Name:

The_Evil_Alliance_Between_GuLoader_And_Remcos

Date of Scan:

2023-09-22

Impact:

LOW

Summary:

Remcos and GuLoader have a close relationship, according to Checkpoint researchers. Remcos is hard to employ for nefarious reasons because antivirus programs may quickly detect it. However, Remcos can get around antivirus defense by using GuLoader. During this investigation, they found that GuLoader is now marketed as a crypter that renders its payload completely immune to antivirus software on the same platform as Remcos and is implicitly sold under a different name.

Source:
https://research.checkpoint.com/2023/unveiling-the-shadows-the-dark-alliance-between-guloader-and-remcos/

Intel Source:

CISA

Intel Name:

Advisory_on_Snatch_Ransomware

Date of Scan:

2023-09-21

Impact:

MEDIUM

Summary:

FBI and CISA released joint Cybersecurity Advisory about Snatch Ransomware which shared IOCs, tactics, techniques, and procedures linked with the Snatch ransomware variant. Snatch threat actors are acting as a ransomware-as-a-service (RaaS) model and change their tactics according to current cybercriminal trends and successes of other ransomware operations.

Source:
https://www.cisa.gov/sites/default/files/2023-09/joint-cybersecurity-advisory-stopransomware-snatch-ransomware_0.pdf

Intel Source:

PaloAlto

Intel Name:

Fake_WinRAR_PoC_Exploit_Drops_VenomRAT

Date of Scan:

2023-09-21

Impact:

LOW

Summary:

Researchers from Palo Alto have discovered a hacker attempting to infect downloaders with the VenomRAT malware by disseminating a phony proof-of-concept (PoC) exploit for a newly patched WinRAR vulnerability on GitHub.

Source:
https://unit42.paloaltonetworks.com/fake-cve-2023-40477-poc-hides-venomrat/

Intel Source:

ASEC

Intel Name:

Attack_on_MS_SQL_Servers_by_HiddenGh0st_Malware

Date of Scan:

2023-09-21

Impact:

LOW

Summary:

Recently, ASEC researchers verified the spread of a Gh0st RAT variant that targets poorly managed MS-SQL servers and installs the Hidden rootkit. An open-source rootkit called Hidden, which is available to everyone on GitHub, has the capacity to protect processes and hide files, registry entries, and even itself.

Source:
https://asec.ahnlab.com/en/57185/

Intel Source:

Cado Security

Intel Name:

P2Pinfect_Botnet_Targeting_Redis_and_SSH_Services

Date of Scan:

2023-09-21

Impact:

LOW

Summary:

According to Cado Security researchers, P2Pinfect compromises have been seen in China, the United States, Germany, the UK, Singapore, Hong Kong, and Japan. Since August 28, a new peer-to-peer botnet named P2Pinfect that targets the free source Redis and SSH services has apparently seen a remarkable 600-times rise in traffic, including a 12.3% increase over the previous week.

Source:
https://www.cadosecurity.com/cado-security-labs-researchers-witness-a-600x-increase-in-p2pinfect-traffic/